[pve-devel] [PATCH edk2-firmware/manager/qemu-server v3 0/9] Add support for Intel TDX
Anton Iacobaeus
anton.iacobaeus at canarybit.eu
Mon Nov 10 16:03:07 CET 2025
Hi,
I understand review time can vary but just wanted to check on the status
of this series. Seems like it got formatted incorrectly in the archives,
but it looks fine in my mail client. If a resend or other clarifications
is needed before review I am happy to do so.
On 10/28/25 13:54, Anton Iacobaeus wrote:
> This patches series adds support for launching Intel TDX confidential
> VMs via QEMU. Basic attestation support is also added.
>
> Intel TDX requires QEMU >= v10.1 and kernel >= 6.16. A TDX compatible
> CPU is also required, with TDX enabled in the BIOS. Attestation also
> requires a running Quote Generation Service (QGS) on the host (or
> dedicated VM) connected to a Provisioning Certificate Caching Service
> (PCCS), more information can be found at:
> https://cc-enabling.trustedservices.intel.com/intel-tdx-enabling-guide/02/infrastructure_setup/
>
> Only a subset of the possible socket types are implemented with this
> patch. Ideally the SocketAddress object as defined in QEMU would be
> fully implemented, but for the sake of TDX this is not neccessary. More
> information at:
> https://www.qemu.org/docs/master/interop/qemu-storage-daemon-qmp-ref.html#object-QSD-sockets.SocketAddress
>
> The TDX object can also be extended with additional configuration
> options, but these are not neccessary for regular usage of TDX. More
> information available at:
> https://www.qemu.org/docs/master/interop/qemu-storage-daemon-qmp-ref.html#object-QSD-qom.TdxGuestProperties
>
> Future work can build upon this patch to improve these shortcomings.
>
> Thanks to Fiona for the review.
>
> Changes since v2: https://lists.proxmox.com/pipermail/pve-devel/2025-October/075766.html
> * Fixed nits and formatting
> * Added reasoning for firmware Config-B
> * Added reasoning for kernel_irqchip=split
> * Added support for configuration of the quote-generation-socket for attestation.
>
> pve-edk2-firmware:
>
> Philipp Giersfeld (3):
> Change name of SEV-related OVMF files
> Add firmware target for TDFV
> Add SCSI in NCCFV for TD guest
>
> .../patches/Enable_SCSI_IntelTdx_DXEFV.patch | 52 ++++++++++++++++
> debian/patches/series | 1 +
> debian/pve-edk2-firmware-ovmf.install | 7 ++-
> debian/pve-edk2-firmware-ovmf.links | 3 +
> debian/rules | 59 +++++++++++++------
> 5 files changed, 100 insertions(+), 22 deletions(-)
> create mode 100644 debian/patches/Enable_SCSI_IntelTdx_DXEFV.patch
> create mode 100644 debian/pve-edk2-firmware-ovmf.links
>
> pve-manager:
>
> Anton Iacobaeus (1):
> Add support for TDX attestation
>
> Philipp Giersfeld (1):
> Add support for Intel TDX
>
> www/manager6/Makefile | 1 +
> www/manager6/qemu/Options.js | 12 +++
> www/manager6/qemu/TdxEdit.js | 194 +++++++++++++++++++++++++++++++++++
> 3 files changed, 207 insertions(+)
> create mode 100644 www/manager6/qemu/TdxEdit.js
>
> qemu-server:
>
> Anton Iacobaeus (1):
> Add support for TDX quote-generation-socket object
>
> Philipp Giersfeld (3):
> Adapt AMD SEV code for compatibility with other platforms
> Add check for TDX support
> Add support for Intel TDX
>
> src/PVE/API2/Qemu.pm | 6 +-
> src/PVE/QemuMigrate/Helpers.pm | 1 +
> src/PVE/QemuServer.pm | 28 +++-
> src/PVE/QemuServer/CPUConfig.pm | 129 ++++++++++++++++--
> src/PVE/QemuServer/OVMF.pm | 53 ++++---
> .../query-machine-capabilities.c | 98 +++++++++++--
> src/test/cfg2cmd/sev-es.conf.cmd | 2 +-
> src/test/cfg2cmd/sev-snp.conf.cmd | 2 +-
> src/test/cfg2cmd/sev-std.conf.cmd | 2 +-
> src/usr/modules-load.conf | 1 +
> 10 files changed, 270 insertions(+), 52 deletions(-)
>
More information about the pve-devel
mailing list