From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id 093BC1FF15C for ; Fri, 14 Nov 2025 07:46:59 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 5DC2F7D29; Fri, 14 Nov 2025 07:47:53 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1763102839; x=1763707639; d=canarybit.eu; s=rsa1; h=content-transfer-encoding:content-type:in-reply-to:from:references:to:subject: mime-version:date:message-id:from; bh=KVEUDwsgAPZdFGFUvOou4sOI+UxvMqCfIeCn48ckH2s=; b=Coq86dTHPPRdSwKee9NKlv4HSJm7LBEIqCHhuhfK6FSMoaZ1PJS3qAuhv5Ly2dEpe9WPGiTOyMr5r 5gSWEhbX05BuC1uovR3FZof9z8cwh0311ba9EUnQc5mbr5r1jZubRYr851jE0FYGqU5Yhk5E7oQcV2 auvJCjojrphd7QfVecg/I8fQMj8PT8knEK82RV94IfY47ml9aiiinn1Xa11JlpRIaRKVku6e9ncoF6 zsNDVWTq5gFMWpubOrEqML6Gl7QqlVhnTUiHtSgXiFgVLKlpskruYYuPbZcF83T1fhxlrQwGfCKA28 0sOx/N0QXzeZr/5dhu8C8aoJ1bdZH5w== DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; t=1763102839; x=1763707639; d=canarybit.eu; s=ed1; h=content-transfer-encoding:content-type:in-reply-to:from:references:to:subject: mime-version:date:message-id:from; bh=KVEUDwsgAPZdFGFUvOou4sOI+UxvMqCfIeCn48ckH2s=; b=xpOe4On55LTHC31aYL8vY85N4tMeTgundrBMhZPx6h+uDzqx7Pk0xelZPScwT/c3WYcwDPyiMA8gn 6V9vWM2Aw== X-HalOne-ID: c2a8bb4e-c125-11f0-8077-632fe8569f3f Message-ID: <9c701bd2-f62f-47cc-b90a-c9d9be779b96@canarybit.eu> Date: Fri, 14 Nov 2025 07:47:18 +0100 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird To: Fiona Ebner , Proxmox VE development discussion References: <20251028125459.287308-1-anton.iacobaeus@canarybit.eu> <20251028125459.287308-10-anton.iacobaeus@canarybit.eu> <9e7f7269-d718-4854-9594-b87f42afb4c6@proxmox.com> Content-Language: en-US From: Anton Iacobaeus In-Reply-To: <9e7f7269-d718-4854-9594-b87f42afb4c6@proxmox.com> X-SPAM-LEVEL: Spam detection results: 0 BAYES_00 -1.9 Bayes spam probability is 0 to 1% DKIM_SIGNED 0.1 Message has a DKIM or DK signature, not necessarily valid DKIM_VALID -0.1 Message has at least one valid DKIM or DK signature DKIM_VALID_AU -0.1 Message has a valid DKIM or DK signature from author's domain DKIM_VALID_EF -0.1 Message has a valid DKIM or DK signature from envelope-from domain DMARC_MISSING 0.1 Missing DMARC policy RCVD_IN_DNSWL_NONE -0.0001 Sender listed at https://www.dnswl.org/, no trust SPF_HELO_PASS -0.001 SPF: HELO matches SPF record SPF_NONE 0.001 SPF: sender does not publish an SPF Record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [proxmox.com, canarybit.eu] Subject: Re: [pve-devel] [PATCH qemu-server v3 4/4] Add support for TDX quote-generation-socket object X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox VE development discussion Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="us-ascii"; Format="flowed" Errors-To: pve-devel-bounces@lists.proxmox.com Sender: "pve-devel" On 11/13/25 12:35, Fiona Ebner wrote: > Am 28.10.25 um 1:56 PM schrieb Anton Iacobaeus: >> @@ -291,6 +291,50 @@ my $tdx_fmt = { >> format_description => "tdx-type", >> enum => ['tdx'], >> }, >> + 'attestation' => { >> + description => "Enable TDX attestation by including quote-generation-socket", >> + type => 'boolean', >> + default => 1, >> + }, >> + 'socket-type' => { >> + type => 'string', >> + optional => 1, >> + enum => ['unix', 'vsock'], >> + default => 'vsock', >> + description => "Socket type to communicate with the Quote Generation Service", >> + }, >> + 'vsock-cid' => { >> + type => 'integer', >> + minimum => 2, >> + default => 2, >> + optional => 1, >> + description => "CID for vsock of Quote Generation Service", >> + }, >> + 'vsock-port' => { >> + type => 'integer', >> + minimum => 0, >> + default => 4050, >> + optional => 1, >> + description => "Port for vsock of Quote Generation Service", >> + }, >> + 'unix-path' => { >> + type => 'string', >> + optional => 1, >> + description => "Path to Unix socket", >> + format_description => "unix-path", >> + }, >> + 'unix-abstract' => { >> + description => "Use Linux abstract socket address", >> + type => 'boolean', >> + default => 0, >> + optional => 1, >> + }, >> + 'unix-tight' => { >> + description => "Pads the abstract socket address.", >> + type => 'boolean', >> + default => 1, >> + optional => 1, >> + }, > > Do we really want/need to support all these possible configuration > options to start out? In particular, 'unix-tight' and 'unix-abstract' > seem like we could rather just require users to set it up a certain way. > Maybe vsock+cid+port is enough to begin with and we can add more when > users actually request it? Or are there situations where a vsock cannot > easily be set up? > Yes I agree, vsock+cid+port will be enough for most users and we can add more if requested. I added Unix sockets since it is the default in libvirt, but vsock should always be easy to setup. 'unix-tight' and 'unix-abstract' was added to match the QEMU schema, doubt that they are needed in many cases. Do you want a v4 with only vsock and the below style nits addressed? >> }; >> PVE::JSONSchema::register_format('pve-qemu-tdx-fmt', $tdx_fmt); >> >> @@ -960,6 +1004,36 @@ sub get_amd_sev_object { >> return $sev_mem_object; >> } >> >> +sub get_quote_generation_socket { >> + my ($conf) = @_; >> + my $type = $conf->{'socket-type'} >> + or die "A socket type is required for Quote Generation Socket.\n"; >> + >> + my $socket = { >> + type => $type, >> + }; >> + >> + if ($type eq 'unix') { >> + my $path = $conf->{'unix-path'} >> + or die "Missing path for unix socket.\n"; >> + >> + $socket->{'path'} = $path; >> + $socket->{'abstract'} = json_bool($conf->{'unix-abstract'}) >> + if defined $conf->{'unix-abstract'}; >> + $socket->{'tight'} = json_bool($conf->{'unix-tight'}) >> + if defined $conf->{'unix-tight'}; >> + } elsif ($type eq 'vsock') { >> + my ($cid, $port) = @{$conf}{ 'vsock-cid', 'vsock-port' }; > > Style nit: our code base uses the following style: > $conf->@{qw(vsock-cid vsock-port)}; > >> + die "Missing cid/port for vsock.\n" unless defined $cid && defined $port; > > Style nit: we don't usually use unless [0] and please use parentheses > with defined() > >> + >> + @$socket{ 'cid', 'port' } = ($cid, $port); > > Style nit: again, not really a style seen in our code base, I'd prefer > to just have two assignments > >> + } else { >> + die "Unsupported socket type for TDX Quote Generation Socket.\n"; >> + } >> + >> + return $socket; >> +} >> + >> sub get_intel_tdx_object { >> my ($intel_tdx, $bios) = @_; >> my $intel_tdx_conf = PVE::JSONSchema::parse_property_string($tdx_fmt, $intel_tdx); >> @@ -971,7 +1045,16 @@ sub get_intel_tdx_object { >> if (!$bios || $bios ne 'ovmf') { >> die "To use Intel TDX, you need to change the BIOS to OVMF.\n"; >> } >> - return 'tdx-guest,id=tdx0'; >> + >> + my $tdx_object = { >> + 'qom-type' => 'tdx-guest', >> + id => 'tdx0', >> + }; >> + >> + $tdx_object->{'quote-generation-socket'} = get_quote_generation_socket($intel_tdx_conf) >> + unless !$intel_tdx_conf->{'attestation'}; > > Style nit regarding unless > > [0]: https://pve.proxmox.com/wiki/Perl_Style_Guide#Perl_syntax_choices > _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel