[pve-devel] [PATCH qemu-server v3 4/4] Add support for TDX quote-generation-socket object

Anton Iacobaeus anton.iacobaeus at canarybit.eu
Fri Nov 14 07:47:18 CET 2025 

On 11/13/25 12:35, Fiona Ebner wrote:
> Am 28.10.25 um 1:56 PM schrieb Anton Iacobaeus:
>> @@ -291,6 +291,50 @@ my $tdx_fmt = {
>>           format_description => "tdx-type",
>>           enum => ['tdx'],
>>       },
>> +    'attestation' => {
>> +        description => "Enable TDX attestation by including quote-generation-socket",
>> +        type => 'boolean',
>> +        default => 1,
>> +    },
>> +    'socket-type' => {
>> +        type => 'string',
>> +        optional => 1,
>> +        enum => ['unix', 'vsock'],
>> +        default => 'vsock',
>> +        description => "Socket type to communicate with the Quote Generation Service",
>> +    },
>> +    'vsock-cid' => {
>> +        type => 'integer',
>> +        minimum => 2,
>> +        default => 2,
>> +        optional => 1,
>> +        description => "CID for vsock of Quote Generation Service",
>> +    },
>> +    'vsock-port' => {
>> +        type => 'integer',
>> +        minimum => 0,
>> +        default => 4050,
>> +        optional => 1,
>> +        description => "Port for vsock of Quote Generation Service",
>> +    },
>> +    'unix-path' => {
>> +        type => 'string',
>> +        optional => 1,
>> +        description => "Path to Unix socket",
>> +        format_description => "unix-path",
>> +    },
>> +    'unix-abstract' => {
>> +        description => "Use Linux abstract socket address",
>> +        type => 'boolean',
>> +        default => 0,
>> +        optional => 1,
>> +    },
>> +    'unix-tight' => {
>> +        description => "Pads the abstract socket address.",
>> +        type => 'boolean',
>> +        default => 1,
>> +        optional => 1,
>> +    },
> 
> Do we really want/need to support all these possible configuration
> options to start out? In particular, 'unix-tight' and 'unix-abstract'
> seem like we could rather just require users to set it up a certain way.
> Maybe vsock+cid+port is enough to begin with and we can add more when
> users actually request it? Or are there situations where a vsock cannot
> easily be set up?
> 

Yes I agree, vsock+cid+port will be enough for most users and we can add
more if requested. I added Unix sockets since it is the default in
libvirt, but vsock should always be easy to setup. 'unix-tight' and
'unix-abstract' was added to match the QEMU schema, doubt that they are
needed in many cases.

Do you want a v4 with only vsock and the below style nits addressed?

>>   };
>>   PVE::JSONSchema::register_format('pve-qemu-tdx-fmt', $tdx_fmt);
>>   
>> @@ -960,6 +1004,36 @@ sub get_amd_sev_object {
>>       return $sev_mem_object;
>>   }
>>   
>> +sub get_quote_generation_socket {
>> +    my ($conf) = @_;
>> +    my $type = $conf->{'socket-type'}
>> +        or die "A socket type is required for Quote Generation Socket.\n";
>> +
>> +    my $socket = {
>> +        type => $type,
>> +    };
>> +
>> +    if ($type eq 'unix') {
>> +        my $path = $conf->{'unix-path'}
>> +            or die "Missing path for unix socket.\n";
>> +
>> +        $socket->{'path'} = $path;
>> +        $socket->{'abstract'} = json_bool($conf->{'unix-abstract'})
>> +            if defined $conf->{'unix-abstract'};
>> +        $socket->{'tight'} = json_bool($conf->{'unix-tight'})
>> +            if defined $conf->{'unix-tight'};
>> +    } elsif ($type eq 'vsock') {
>> +        my ($cid, $port) = @{$conf}{ 'vsock-cid', 'vsock-port' };
> 
> Style nit: our code base uses the following style:
> $conf->@{qw(vsock-cid vsock-port)};
> 
>> +        die "Missing cid/port for vsock.\n" unless defined $cid && defined $port;
> 
> Style nit: we don't usually use unless [0] and please use parentheses
> with defined()
> 
>> +
>> +        @$socket{ 'cid', 'port' } = ($cid, $port);
> 
> Style nit: again, not really a style seen in our code base, I'd prefer
> to just have two assignments
> 
>> +    } else {
>> +        die "Unsupported socket type for TDX Quote Generation Socket.\n";
>> +    }
>> +
>> +    return $socket;
>> +}
>> +
>>   sub get_intel_tdx_object {
>>       my ($intel_tdx, $bios) = @_;
>>       my $intel_tdx_conf = PVE::JSONSchema::parse_property_string($tdx_fmt, $intel_tdx);
>> @@ -971,7 +1045,16 @@ sub get_intel_tdx_object {
>>       if (!$bios || $bios ne 'ovmf') {
>>           die "To use Intel TDX, you need to change the BIOS to OVMF.\n";
>>       }
>> -    return 'tdx-guest,id=tdx0';
>> +
>> +    my $tdx_object = {
>> +        'qom-type' => 'tdx-guest',
>> +        id => 'tdx0',
>> +    };
>> +
>> +    $tdx_object->{'quote-generation-socket'} = get_quote_generation_socket($intel_tdx_conf)
>> +        unless !$intel_tdx_conf->{'attestation'};
> 
> Style nit regarding unless
> 
> [0]: https://pve.proxmox.com/wiki/Perl_Style_Guide#Perl_syntax_choices
>

More information about the pve-devel mailing list