[pve-devel] [PATCH edk2-firmware/manager/qemu-server v3 0/9] Add support for Intel TDX
Anton Iacobaeus
anton.iacobaeus at canarybit.eu
Tue Oct 28 13:54:22 CET 2025
This patches series adds support for launching Intel TDX confidential
VMs via QEMU. Basic attestation support is also added.
Intel TDX requires QEMU >= v10.1 and kernel >= 6.16. A TDX compatible
CPU is also required, with TDX enabled in the BIOS. Attestation also
requires a running Quote Generation Service (QGS) on the host (or
dedicated VM) connected to a Provisioning Certificate Caching Service
(PCCS), more information can be found at:
https://cc-enabling.trustedservices.intel.com/intel-tdx-enabling-guide/02/infrastructure_setup/
Only a subset of the possible socket types are implemented with this
patch. Ideally the SocketAddress object as defined in QEMU would be
fully implemented, but for the sake of TDX this is not neccessary. More
information at:
https://www.qemu.org/docs/master/interop/qemu-storage-daemon-qmp-ref.html#object-QSD-sockets.SocketAddress
The TDX object can also be extended with additional configuration
options, but these are not neccessary for regular usage of TDX. More
information available at:
https://www.qemu.org/docs/master/interop/qemu-storage-daemon-qmp-ref.html#object-QSD-qom.TdxGuestProperties
Future work can build upon this patch to improve these shortcomings.
Thanks to Fiona for the review.
Changes since v2: https://lists.proxmox.com/pipermail/pve-devel/2025-October/075766.html
* Fixed nits and formatting
* Added reasoning for firmware Config-B
* Added reasoning for kernel_irqchip=split
* Added support for configuration of the quote-generation-socket for attestation.
pve-edk2-firmware:
Philipp Giersfeld (3):
Change name of SEV-related OVMF files
Add firmware target for TDFV
Add SCSI in NCCFV for TD guest
.../patches/Enable_SCSI_IntelTdx_DXEFV.patch | 52 ++++++++++++++++
debian/patches/series | 1 +
debian/pve-edk2-firmware-ovmf.install | 7 ++-
debian/pve-edk2-firmware-ovmf.links | 3 +
debian/rules | 59 +++++++++++++------
5 files changed, 100 insertions(+), 22 deletions(-)
create mode 100644 debian/patches/Enable_SCSI_IntelTdx_DXEFV.patch
create mode 100644 debian/pve-edk2-firmware-ovmf.links
pve-manager:
Anton Iacobaeus (1):
Add support for TDX attestation
Philipp Giersfeld (1):
Add support for Intel TDX
www/manager6/Makefile | 1 +
www/manager6/qemu/Options.js | 12 +++
www/manager6/qemu/TdxEdit.js | 194 +++++++++++++++++++++++++++++++++++
3 files changed, 207 insertions(+)
create mode 100644 www/manager6/qemu/TdxEdit.js
qemu-server:
Anton Iacobaeus (1):
Add support for TDX quote-generation-socket object
Philipp Giersfeld (3):
Adapt AMD SEV code for compatibility with other platforms
Add check for TDX support
Add support for Intel TDX
src/PVE/API2/Qemu.pm | 6 +-
src/PVE/QemuMigrate/Helpers.pm | 1 +
src/PVE/QemuServer.pm | 28 +++-
src/PVE/QemuServer/CPUConfig.pm | 129 ++++++++++++++++--
src/PVE/QemuServer/OVMF.pm | 53 ++++---
.../query-machine-capabilities.c | 98 +++++++++++--
src/test/cfg2cmd/sev-es.conf.cmd | 2 +-
src/test/cfg2cmd/sev-snp.conf.cmd | 2 +-
src/test/cfg2cmd/sev-std.conf.cmd | 2 +-
src/usr/modules-load.conf | 1 +
10 files changed, 270 insertions(+), 52 deletions(-)
--
2.43.0
More information about the pve-devel
mailing list