[pve-devel] [PATCH qemu-server 1/1] Add support for TDX quote-generation-socket object
Anton Iacobaeus
anton.iacobaeus at canarybit.eu
Mon Nov 17 11:48:00 CET 2025
Extend the tdx object with the quote-generation-socket as defined in:
https://www.qemu.org/docs/master/interop/qemu-storage-daemon-qmp-ref.html#object-QSD-qom.TdxGuestProperties
Only vsock is included here since it is the most commonly used with TDX
attestation.
Signed-off-by: Anton Iacobaeus <anton.iacobaeus at canarybit.eu>
---
src/PVE/QemuServer.pm | 3 +-
src/PVE/QemuServer/CPUConfig.pm | 60 +++++++++++++++++++++++++++++++--
2 files changed, 60 insertions(+), 3 deletions(-)
diff --git a/src/PVE/QemuServer.pm b/src/PVE/QemuServer.pm
index ddd30abb..11c7543f 100644
--- a/src/PVE/QemuServer.pm
+++ b/src/PVE/QemuServer.pm
@@ -3794,7 +3794,8 @@ sub config_to_command {
push @$devices, '-object', get_amd_sev_object($conf->{'amd-sev'}, $conf->{bios});
push @$machineFlags, 'confidential-guest-support=sev0';
} elsif ($conf->{'intel-tdx'}) {
- push @$devices, '-object', get_intel_tdx_object($conf->{'intel-tdx'}, $conf->{bios});
+ my $tdx_object = get_intel_tdx_object($conf->{'intel-tdx'}, $conf->{bios});
+ push @$devices, '-object', to_json($tdx_object, { canonical => 1 });
push @$machineFlags, 'confidential-guest-support=tdx0';
push @$machineFlags, 'kernel_irqchip=split';
}
diff --git a/src/PVE/QemuServer/CPUConfig.pm b/src/PVE/QemuServer/CPUConfig.pm
index 67b05925..dae6f379 100644
--- a/src/PVE/QemuServer/CPUConfig.pm
+++ b/src/PVE/QemuServer/CPUConfig.pm
@@ -5,7 +5,7 @@ use warnings;
use JSON;
-use PVE::JSONSchema;
+use PVE::JSONSchema qw(json_bool);
use PVE::Cluster qw(cfs_register_file cfs_read_file);
use PVE::ProcFSTools;
use PVE::RESTEnvironment qw(log_warn);
@@ -348,6 +348,32 @@ my $tdx_fmt = {
format_description => "tdx-type",
enum => ['tdx'],
},
+ 'attestation' => {
+ description => "Enable TDX attestation by including quote-generation-socket",
+ type => 'boolean',
+ default => 1,
+ },
+ 'socket-type' => {
+ type => 'string',
+ optional => 1,
+ enum => ['vsock'],
+ default => 'vsock',
+ description => "Socket type to communicate with the Quote Generation Service",
+ },
+ 'vsock-cid' => {
+ type => 'integer',
+ minimum => 2,
+ default => 2,
+ optional => 1,
+ description => "CID for vsock of Quote Generation Service",
+ },
+ 'vsock-port' => {
+ type => 'integer',
+ minimum => 0,
+ default => 4050,
+ optional => 1,
+ description => "Port for vsock of Quote Generation Service",
+ },
};
PVE::JSONSchema::register_format('pve-qemu-tdx-fmt', $tdx_fmt);
@@ -1088,6 +1114,27 @@ sub get_amd_sev_object {
return $sev_mem_object;
}
+sub get_quote_generation_socket {
+ my ($conf) = @_;
+ my $type = $conf->{'socket-type'}
+ or die "A socket type is required for Quote Generation Socket.\n";
+
+ my $socket = {
+ type => $type,
+ };
+
+ if ($type eq 'vsock') {
+ $socket->{'cid'} = $conf->{'vsock-cid'}
+ or die "Missing cid for vsock.\n";
+ $socket->{'port'} = $conf->{'vsock-port'}
+ or die "Missing port for vsock.\n";
+ } else {
+ die "Unsupported socket type for TDX Quote Generation Socket.\n";
+ }
+
+ return $socket;
+}
+
sub get_intel_tdx_object {
my ($intel_tdx, $bios) = @_;
my $intel_tdx_conf = PVE::JSONSchema::parse_property_string($tdx_fmt, $intel_tdx);
@@ -1099,7 +1146,16 @@ sub get_intel_tdx_object {
if (!$bios || $bios ne 'ovmf') {
die "To use Intel TDX, you need to change the BIOS to OVMF.\n";
}
- return 'tdx-guest,id=tdx0';
+
+ my $tdx_object = {
+ 'qom-type' => 'tdx-guest',
+ id => 'tdx0',
+ };
+
+ $tdx_object->{'quote-generation-socket'} = get_quote_generation_socket($intel_tdx_conf)
+ if $intel_tdx_conf->{'attestation'};
+
+ return $tdx_object;
}
__PACKAGE__->register();
--
2.43.0
More information about the pve-devel
mailing list