[pve-devel] [PATCH qemu-server v2 3/3] Add support for Intel TDX

[Fiona Ebner]

Am 08.10.25 um 12:21 PM schrieb Fiona Ebner:
> Am 04.10.25 um 3:23 PM schrieb Anton Iacobaeus:
>> From: Philipp Giersfeld <philipp.giersfeld at canarybit.eu>
>>
>> This commit adds support for setting up an Intel TDX VM. A Intel TDX VM
>> can be setup similar to AMD SEV but uses a different firmware image.
>>
>> Signed-off-by: Philipp Giersfeld <philipp.giersfeld at canarybit.eu>
>> Signed-off-by: Anton Iacobaeus <anton.iacobaeus at canarybit.eu>
> 
> Apart from a few nits, see below:
> Reviewed-by: Fiona Ebner <f.ebner at proxmox.com>
>> @@ -3965,6 +3978,10 @@ sub config_to_command {
>>      if ($conf->{'amd-sev'}) {
>>          push @$devices, '-object', get_amd_sev_object($conf->{'amd-sev'}, $conf->{bios});
>>          push @$machineFlags, 'confidential-guest-support=sev0';
>> +    } elsif ($conf->{'intel-tdx'}) {
>> +        push @$devices, '-object', get_intel_tdx_object($conf->{'intel-tdx'}, $conf->{bios});
>> +        push @$machineFlags, 'confidential-guest-support=tdx0';
>> +        push @$machineFlags, 'kernel_irqchip=split';

One more thing I noticed/remembered:

Don't we also need something like
-device vhost-vsock-pci,guest-cid=3

for communication between QGS and TD VM like described in the docs:
https://cc-enabling.trustedservices.intel.com/intel-tdx-enabling-guide/05/host_os_setup/#setup-communication-path-between-qgs-and-td

?

> 
> Nit: would be nice to have a comment describing the rationale behind the
> kernel_irqchip option and/or a sentence in the commit message.
> 
>>      }
>>  
>>      PVE::QemuServer::Virtiofs::config($conf, $vmid, $devices);