[RFC PATCH v2 0/8] LIBVIRT: X86: TDX support

[Duan, Zhenzhong]

> -----Original Message-----
> From: Pavel Hrdina <phrdina at redhat.com>
> Sent: Wednesday, July 21, 2021 10:23 PM
> To: Duan, Zhenzhong <zhenzhong.duan at intel.com>
> Cc: libvir-list at redhat.com; pkrempa at redhat.com; berrange at redhat.com;
> Yamahata, Isaku <isaku.yamahata at intel.com>; Tian, Jun J
> <jun.j.tian at intel.com>; Qiang, Chenyi <chenyi.qiang at intel.com>
> Subject: Re: [RFC PATCH v2 0/8] LIBVIRT: X86: TDX support
> 
> On Fri, Jul 16, 2021 at 11:10:28AM +0800, Zhenzhong Duan wrote:
> > Thanks Peter, Pavel and Daniel's comments on v1 version, now the v2
> comes.
> >
> > * What's TDX?
> > TDX stands for Trust Domain Extensions which isolates VMs from the
> > virtual-machine manager (VMM)/hypervisor and any other software on the
> > platform.
[...]
> > * Misc
> > Just let you know we have released v2 version of TDX qemu in [1], and
> > the API for libvirt is keeping stable. Using these patches we have
> > succesfully booted and tested a guest both with and without TDX enabled.
> 
> Overall looks good. It's missing documentation and the QEMU patches are
> missing documentation as well. I was looking into Intel specification but I
> failed to find the necessary info there as well.
> What are the values `mrconfigid`, `mrowner`, `mrownerconfig` for, what data
> is supposed to be stored there, what are the limitation and so on.
Oh, yes. Thanks for point out. We will add the doc both for qemu and libvirt.

> 
> What I could gather these are exposed in the VM and are used for
> measurement but that's it.
> 
> Another thing that I've missed in v1, QEMU patches are introducing new `-
> machine pic=no` option and for TDX PIC has to be disabled. The libvirt
> patches are putting it on the QEMU command line but it is not reflected in
> the VM XML, so I would say we need to introduce new hypervisor feature [1]:
> 
>   <features>
>     ...
>     <pic state='on|off'/>
>     ...
>   </features>
> 
> [1] <https://libvirt.org/formatdomain.html#hypervisor-features>
Will add this feature.

> 
> > * Diff to v1:
> > - give up using qmp cmd and check TDX directly on host for TDX capabilities.
> > - use launchsecurity framework to support TDX
> > - use <os>.<loader> for general loader
> > - add auto firmware match feature for TDX
> >
> > A example TDVF fimware description file 70-edk2-x86_64-tdx.json:
> > {
> >     "description": "UEFI firmware for x86_64, supporting Intel TDX",
> >     "interface-types": [
> >         "uefi"
> >     ],
> >     "mapping": {
> >         "device": "generic",
> 
> I think using 'loader' as that's the actual device in QEMU used with this
> firmware will be better. The patches posted to QEMU doesn't extend
> `docs/interop/firmware.json` so this example may change once some specific
> format is accepted by QEMU community.
Will do.
> 
> You will most likely need to add the firmware descriptor to QEMU project as
> well (`pc-bios/descriptors/70-edk2-x86_64-tdx.json`). NOTE: The name
> should not use `edk2` if it's not edk2 based firmware.
I see, will do. Thanks very much for your suggestions.

Regards
Zhenzhong