From: Fiona Ebner
To: Proxmox VE development discussion, Anton Iacobaeus
Date: Thu, 13 Nov 2025 12:35:44 +0100
Subject: Re: [pve-devel] [PATCH qemu-server v3 4/4] Add support for TDX quote-generation-socket object
Message-ID: <9e7f7269-d718-4854-9594-b87f42afb4c6@proxmox.com>
In-Reply-To: <20251028125459.287308-10-anton.iacobaeus@canarybit.eu>
References: <20251028125459.287308-1-anton.iacobaeus@canarybit.eu> <20251028125459.287308-10-anton.iacobaeus@canarybit.eu>

On 28.10.25 at 1:56 PM, Anton Iacobaeus wrote:
> @@ -291,6 +291,50 @@ my $tdx_fmt = { > format_description => "tdx-type", > enum => ['tdx'], > }, > + 'attestation' => { > + description => "Enable TDX attestation by including quote-generation-socket", > + type => 'boolean', > + default => 1, > + }, > + 'socket-type' => { > + type => 'string', > + optional => 1, > + enum => ['unix', 'vsock'], > + default => 'vsock', > + description => "Socket type to communicate with the Quote Generation Service", > + }, > + 'vsock-cid' => { > + type => 'integer', > + minimum => 2, > + default => 2, > + optional => 1, > + description => "CID for vsock of Quote Generation Service", > + }, > + 'vsock-port' => { > + type => 'integer', > + minimum => 0, > + default => 4050, > + optional => 1, > + description => "Port for vsock of Quote Generation Service", > + }, > + 'unix-path' => { > + type => 'string', > + optional => 1, > + description => "Path to Unix socket", > + format_description => "unix-path", > + }, > + 'unix-abstract' => { > + description => "Use Linux abstract socket address", > + type => 'boolean', > + default => 0, > + optional => 1, > + }, > + 'unix-tight' => { > + description => "Pads the abstract socket address.", > + type => 'boolean', > + default => 1, > + optional => 1, > + }, Do we really want/need to support all these possible configuration options to start out? In particular, 'unix-tight' and 'unix-abstract' seem like we could rather just require users to set it up a certain way. Maybe vsock+cid+port is enough to begin with and we can add more when users actually request it? Or are there situations where a vsock cannot easily be set up? > }; > PVE::JSONSchema::register_format('pve-qemu-tdx-fmt', $tdx_fmt); 
> > @@ -960,6 +1004,36 @@ sub get_amd_sev_object { > return $sev_mem_object; > } > > +sub get_quote_generation_socket { > + my ($conf) = @_; > + my $type = $conf->{'socket-type'} > + or die "A socket type is required for Quote Generation Socket.\n"; > + > + my $socket = { > + type => $type, > + }; > + > + if ($type eq 'unix') { > + my $path = $conf->{'unix-path'} > + or die "Missing path for unix socket.\n"; > + > + $socket->{'path'} = $path; > + $socket->{'abstract'} = json_bool($conf->{'unix-abstract'}) > + if defined $conf->{'unix-abstract'}; > + $socket->{'tight'} = json_bool($conf->{'unix-tight'}) > + if defined $conf->{'unix-tight'}; > + } elsif ($type eq 'vsock') { > + my ($cid, $port) = @{$conf}{ 'vsock-cid', 'vsock-port' }; Style nit: our code base uses the following style: $conf->@{qw(vsock-cid vsock-port)}; > + die "Missing cid/port for vsock.\n" unless defined $cid && defined $port; Style nit: we don't usually use unless [0] and please use parentheses with defined() > + > + @$socket{ 'cid', 'port' } = ($cid, $port); Style nit: again, not really a style seen in our code base, I'd prefer to just have two assignments > + } else { > + die "Unsupported socket type for TDX Quote Generation Socket.\n"; > + } > + > + return $socket; > +} > + > sub get_intel_tdx_object { > my ($intel_tdx, $bios) = @_; > my $intel_tdx_conf = PVE::JSONSchema::parse_property_string($tdx_fmt, $intel_tdx); 
> @@ -971,7 +1045,16 @@ sub get_intel_tdx_object { > if (!$bios || $bios ne 'ovmf') { > die "To use Intel TDX, you need to change the BIOS to OVMF.\n"; > } > - return 'tdx-guest,id=tdx0'; > + > + my $tdx_object = { > + 'qom-type' => 'tdx-guest', > + id => 'tdx0', > + }; > + > + $tdx_object->{'quote-generation-socket'} = get_quote_generation_socket($intel_tdx_conf) > + unless !$intel_tdx_conf->{'attestation'}; Style nit regarding unless [0]: https://pve.proxmox.com/wiki/Perl_Style_Guide#Perl_syntax_choices
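Review bot: in the $tdx_fmt hunk, 'attestation' is declared with default => 1 but, unlike every other new key there, without optional => 1, so a property string that omits it (a plain "tdx") would be rejected by the schema as a missing non-optional property; add optional => 1, or drop the default if the key is meant to be mandatory. In the same hunk 'unix-path' is a host filesystem path handed straight to the QEMU process without any check; at minimum require an absolute path so a relative path cannot resolve against whatever the working directory happens to be.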
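Review bot: in get_quote_generation_socket, the "or die" on $conf->{'socket-type'} and the defined($cid) && defined($port) check never see the schema defaults, because as far as I can see PVE::JSONSchema::parse_property_string (used in get_intel_tdx_object) returns only the keys the user actually wrote; "intel-tdx: tdx" with attestation enabled would then die with "A socket type is required" instead of using vsock/2/4050 as documented. Resolve the defaults explicitly, e.g. my $type = $conf->{'socket-type'} // 'vsock'; and likewise // 2 and // 4050 for cid and port, so the documented defaults and the runtime behaviour agree. Also, json_bool() is called here without a visible import in this hunk; please make sure it is in scope in this module.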
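Review bot: in the get_intel_tdx_object hunk, "unless !$intel_tdx_conf->{'attestation'}" is a double negative that reads as "if attestation is truthy", and since the parsed property string carries no schema defaults, an omitted 'attestation' is undef and the quote-generation socket is silently not attached even though the schema advertises default => 1. Write it as if ($intel_tdx_conf->{'attestation'} // 1) { ... } (or resolve the default once after parsing) so a guest that did not explicitly opt out still gets the socket. The return value also changes from a string to a hashref here, which changes the contract for every caller; that is worth a sentence in the commit message.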