[pve-devel] [PATCH qemu-server v2 3/3] Add support for Intel TDX
Fiona Ebner
f.ebner at proxmox.com
Tue Oct 14 09:50:52 CEST 2025
On 13.10.25 at 4:25 PM, Anton Iacobaeus wrote:
> On 10/13/25 11:30, Fiona Ebner wrote:
>> On 08.10.25 at 12:21 PM, Fiona Ebner wrote:
>>> On 04.10.25 at 3:23 PM, Anton Iacobaeus wrote:
>>>> From: Philipp Giersfeld <philipp.giersfeld at canarybit.eu>
>>>>
>>>> This commit adds support for setting up an Intel TDX VM. An Intel TDX VM
>>>> can be set up similarly to AMD SEV but uses a different firmware image.
>>>>
>>>> Signed-off-by: Philipp Giersfeld <philipp.giersfeld at canarybit.eu>
>>>> Signed-off-by: Anton Iacobaeus <anton.iacobaeus at canarybit.eu>
>>>
>>> Apart from a few nits, see below:
>>> Reviewed-by: Fiona Ebner <f.ebner at proxmox.com>
>>>> @@ -3965,6 +3978,10 @@ sub config_to_command {
>>>> if ($conf->{'amd-sev'}) {
>>>> push @$devices, '-object', get_amd_sev_object($conf-
>>>> >{'amd-sev'}, $conf->{bios});
>>>> push @$machineFlags, 'confidential-guest-support=sev0';
>>>> + } elsif ($conf->{'intel-tdx'}) {
>>>> + push @$devices, '-object', get_intel_tdx_object($conf-
>>>> >{'intel-tdx'}, $conf->{bios});
>>>> + push @$machineFlags, 'confidential-guest-support=tdx0';
>>>> + push @$machineFlags, 'kernel_irqchip=split';
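Review bot: the `elsif ($conf->{'intel-tdx'})` branch makes `intel-tdx` silently lose to `amd-sev` when a config carries both keys; unless an earlier validation step already rejects that combination, add an explicit error (or document that `amd-sev` takes precedence) instead of ignoring the second setting. In the same hunk, `push @$machineFlags, 'kernel_irqchip=split';` is added without a comment saying why TDX needs the split irqchip, and the hard-coded `confidential-guest-support=tdx0` has to match the `id` that `get_intel_tdx_object()` emits, which the hunk does not show; a short comment next to each, or deriving the id from one shared constant, would make the coupling visible to the next reader.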
>>
>> One more thing I noticed/remembered:
>>
>> Don't we also need something like
>> -device vhost-vsock-pci,guest-cid=3
>>
>> for communication between QGS and TD VM as described in the docs:
>> https://cc-enabling.trustedservices.intel.com/intel-tdx-enabling-guide/05/host_os_setup/#setup-communication-path-between-qgs-and-td
>>
>> ?
> Yes, you are correct, but it is only required for attestation support,
> which was initially out of scope for this series. The changes are
> however quite small and they could fit in this series.
>
> Note that TDX memory encryption works without any communication between
> the QGS and TD VM. The QGS is only contacted for quote generation.
>
> In terms of this particular device, it was only used in TDX Early
> Preview. Today a quote-generation-socket should instead be included
> directly in the TDX object, like this:
> -object '{"qom-type":"tdx-guest","id":"tdx","quote-generation-socket":{"type":"vsock","cid":"2","port":"4050"}}'
>
> I think this change can be included in this series, but it adds some
> additional scope since the type, cid and port can be configured
> differently from these defaults.
Thanks for the explanation! I'm fine either way, but yes, if we do
include it, it should be made configurable via the intel-tdx property
string/$tdx_fmt.
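An added example (not code from the patch or from qemu-server) of how the tdx-guest object and its machine flags could be generated once the quote-generation socket is configurable through the intel-tdx property string. The qgs-type/qgs-cid/qgs-port key names, the helper names and the already-parsed hash are assumptions; the vsock type, cid 2 and port 4050 defaults are the values quoted in the thread, and the socket is only emitted when attestation is actually requested, since memory encryption needs no QGS link.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use JSON;

# Build the QEMU '-object' JSON for a tdx-guest object from a pre-parsed
# 'intel-tdx' property-string hash. The qgs-* key names are assumptions made
# for this example; vsock / cid 2 / port 4050 are the defaults from the thread.
sub get_intel_tdx_object {
    my ($tdx, $id) = @_;
    $id //= 'tdx0';

    my $obj = { 'qom-type' => 'tdx-guest', 'id' => $id };

    # Only attestation needs the QGS socket, so add it only when asked for.
    if ($tdx->{'qgs-type'}) {
        my $type = $tdx->{'qgs-type'};
        die "unsupported quote-generation-socket type '$type'\n"
            if $type ne 'vsock';

        my $cid  = $tdx->{'qgs-cid'}  // 2;
        my $port = $tdx->{'qgs-port'} // 4050;
        die "qgs-cid must be a non-negative integer\n" if $cid !~ /^\d+$/;
        die "qgs-port must be 1..65535\n"
            if $port !~ /^\d+$/ || $port < 1 || $port > 65535;

        # QEMU's vsock socket address carries cid and port as strings.
        $obj->{'quote-generation-socket'} = {
            type => 'vsock',
            cid  => "$cid",
            port => "$port",
        };
    }

    # canonical(1) gives a stable key order, so generated command lines stay
    # diffable across runs.
    return JSON->new->canonical(1)->encode($obj);
}

# Machine flags that belong with the object above; the id is passed through so
# 'confidential-guest-support=<id>' cannot drift from the object's own id.
sub get_intel_tdx_machine_flags {
    my ($id) = @_;
    $id //= 'tdx0';
    return ("confidential-guest-support=$id", 'kernel_irqchip=split');
}

# Refuse configs that name both technologies instead of silently picking one.
sub check_cgs_exclusive {
    my ($conf) = @_;
    die "amd-sev and intel-tdx are mutually exclusive\n"
        if $conf->{'amd-sev'} && $conf->{'intel-tdx'};
    return 1;
}

# Constructed sample configs, not taken from a real VM.
my @samples = (
    { 'intel-tdx' => { type => 'tdx' } },                          # no attestation
    { 'intel-tdx' => { type => 'tdx', 'qgs-type' => 'vsock' } },   # defaults 2/4050
    { 'intel-tdx' => { type => 'tdx', 'qgs-type' => 'vsock',
                       'qgs-cid' => 5, 'qgs-port' => 4051 } },     # custom values
);

for my $conf (@samples) {
    check_cgs_exclusive($conf);
    my @devices = ('-object', get_intel_tdx_object($conf->{'intel-tdx'}, 'tdx0'));
    my @machine = get_intel_tdx_machine_flags('tdx0');
    print join(' ', @devices), "\n";
    print '-machine <type>,', join(',', @machine), "\n\n";
}
```

The first sample yields a bare `{"id":"tdx0","qom-type":"tdx-guest"}`, the second adds the socket with cid "2" and port "4050", and the third carries the admin's own values; in all three the `confidential-guest-support` flag reuses the id given to the object, which is the coupling the hunk above leaves implicit.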