[pve-devel] [PATCH qemu-server 3/3] Add support for Intel TDX

Tue Sep 16 09:52:53 CEST 2025

From: Philipp Giersfeld <philipp.giersfeld at canarybit.eu>

This commit adds support for setting up an Intel TDX VM. A Intel TDX VM
can be setup similar to AMD SEV but uses a different firmware image.

Signed-off-by: Philipp Giersfeld <philipp.giersfeld at canarybit.eu>
Signed-off-by: Anton Iacobaeus <anton.iacobaeus at canarybit.eu>
---
 src/PVE/QemuMigrate/Helpers.pm  |  1 +
 src/PVE/QemuServer.pm           | 21 +++++++++++++++++++--
 src/PVE/QemuServer/CPUConfig.pm | 31 +++++++++++++++++++++++++++++++
 src/PVE/QemuServer/OVMF.pm      | 13 ++++++++++++-
 4 files changed, 63 insertions(+), 3 deletions(-)

diff --git a/src/PVE/QemuMigrate/Helpers.pm b/src/PVE/QemuMigrate/Helpers.pm
index f191565a..466517da 100644
--- a/src/PVE/QemuMigrate/Helpers.pm
+++ b/src/PVE/QemuMigrate/Helpers.pm
@@ -20,6 +20,7 @@ sub check_non_migratable_resources {
     my @blockers = ();
     if ($state) {
         push @blockers, "amd-sev" if $conf->{"amd-sev"};
+        push @blockers, "intel-tdx" if $conf->{"intel-tdx"};
         push @blockers, "virtiofs" if PVE::QemuServer::Virtiofs::virtiofs_enabled($conf);
     }
 
diff --git a/src/PVE/QemuServer.pm b/src/PVE/QemuServer.pm
index eb2a8c7e..bb5a0a8e 100644
--- a/src/PVE/QemuServer.pm
+++ b/src/PVE/QemuServer.pm
@@ -60,8 +60,15 @@ use PVE::QemuServer::Helpers
     qw(config_aware_timeout get_iscsi_initiator_name min_version kvm_user_version windows_version);
 use PVE::QemuServer::Cloudinit;
 use PVE::QemuServer::CGroup;
-use PVE::QemuServer::CPUConfig
-    qw(print_cpu_device get_cpu_options get_cpu_bitness is_native_arch get_amd_sev_object get_cvm_type);
+use PVE::QemuServer::CPUConfig qw(
+    print_cpu_device
+    get_cpu_options
+    get_cpu_bitness
+    is_native_arch
+    get_amd_sev_object
+    get_intel_tdx_object
+    get_cvm_type
+  );
 use PVE::QemuServer::Drive qw(
     is_valid_drivename
     checked_volume_format
@@ -323,6 +330,12 @@ my $confdesc = {
         format => 'pve-qemu-sev-fmt',
         type => 'string',
     },
+    'intel-tdx' => {
+        description => "Trusted Domain Extension (TDX) features by Intel CPUs",
+        optional => 1,
+        format => 'pve-qemu-tdx-fmt',
+        type => 'string',
+    },
     balloon => {
         optional => 1,
         type => 'integer',
@@ -3965,6 +3978,10 @@ sub config_to_command {
     if ($conf->{'amd-sev'}) {
         push @$devices, '-object', get_amd_sev_object($conf->{'amd-sev'}, $conf->{bios});
         push @$machineFlags, 'confidential-guest-support=sev0';
+    } elsif ($conf->{'intel-tdx'}) {
+        push @$devices, '-object', get_intel_tdx_object($conf->{'intel-tdx'}, $conf->{bios});
+        push @$machineFlags, 'confidential-guest-support=tdx0';
+        push @$machineFlags, 'kernel_irqchip=split';
     }
 
     PVE::QemuServer::Virtiofs::config($conf, $vmid, $devices);
diff --git a/src/PVE/QemuServer/CPUConfig.pm b/src/PVE/QemuServer/CPUConfig.pm
index 65a7b565..bd5540e6 100644
--- a/src/PVE/QemuServer/CPUConfig.pm
+++ b/src/PVE/QemuServer/CPUConfig.pm
@@ -18,6 +18,7 @@ our @EXPORT_OK = qw(
     get_cpu_bitness
     is_native_arch
     get_amd_sev_object
+    get_intel_tdx_object
     get_cvm_type
 );
 
@@ -282,6 +283,18 @@ my $sev_fmt = {
 };
 PVE::JSONSchema::register_format('pve-qemu-sev-fmt', $sev_fmt);
 
+my $tdx_fmt = {
+    type => {
+        description => "Enable TDX",
+        type => 'string',
+        default_key => 1,
+        format_description => "tdx-type",
+        enum => ['tdx'],
+        maxLength => 3,
+    },
+};
+PVE::JSONSchema::register_format('pve-qemu-tdx-fmt', $tdx_fmt);
+
 PVE::JSONSchema::register_format('pve-phys-bits', \&parse_phys_bits);
 
 sub parse_phys_bits {
@@ -887,6 +900,9 @@ sub get_cvm_type {
     if ($conf->{'amd-sev'}) {
         my $sev = PVE::JSONSchema::parse_property_string($sev_fmt, $conf->{'amd-sev'});
         return $sev->{type};
+    } elsif ($conf->{'intel-tdx'}) {
+        my $tdx = PVE::JSONSchema::parse_property_string($tdx_fmt, $conf->{'intel-tdx'});
+        return $tdx->{type};
     } else {
         return undef;
     }
@@ -945,6 +961,21 @@ sub get_amd_sev_object {
     return $sev_mem_object;
 }
 
+sub get_intel_tdx_object {
+    my ($intel_tdx, $bios) = @_;
+    my $intel_tdx_conf = PVE::JSONSchema::parse_property_string($tdx_fmt, $intel_tdx);
+    my $tdx_hw_caps = get_hw_capabilities()->{'intel-tdx'};
+    
+    if (!$tdx_hw_caps->{'tdx-support'}) {
+	    die "Your CPU does not support Intel TDX.\n";
+    }
+    if (!$bios || $bios ne 'ovmf') {
+	    die "To use Intel TDX, you need to change the BIOS to OVMF.\n";
+    }
+    my $tdx_mem_object = 'tdx-guest,id=tdx0';
+    return $tdx_mem_object;
+}
+
 __PACKAGE__->register();
 __PACKAGE__->init();
 
diff --git a/src/PVE/QemuServer/OVMF.pm b/src/PVE/QemuServer/OVMF.pm
index df44d3f1..4253914c 100644
--- a/src/PVE/QemuServer/OVMF.pm
+++ b/src/PVE/QemuServer/OVMF.pm
@@ -34,6 +34,9 @@ my $OVMF = {
         '4m-snp' => [
             "$EDK2_FW_BASE/OVMF_SEV_4M.fd",
         ],
+        '4m-tdx' => [
+          "$EDK2_FW_BASE/OVMF_TDX_4M.fd",
+        ],
         # FIXME: These are legacy 2MB-sized images that modern OVMF doesn't supports to build
         # anymore. how can we deperacate this sanely without breaking existing instances, or using
         # older backups and snapshot?
@@ -63,6 +66,11 @@ my sub get_ovmf_files($$$$) {
             return ($ovmf);
         } elsif ($cvm_type && ($cvm_type eq 'std' || $cvm_type eq 'es')) {
             $type = "4m-sev";
+        } elsif ($cvm_type && $cvm_type eq 'tdx') {
+            $type = "4m-tdx";
+            my ($ovmf) = $types->{$type}->@*;
+            die "EFI base image '$ovmf' not found\n" if ! -f $ovmf;
+            return ($ovmf);
         } elsif (defined($efidisk->{efitype}) && $efidisk->{efitype} eq '4m') {
             $type = $smm ? "4m" : "4m-no-smm";
             $type .= '-ms' if $efidisk->{'pre-enrolled-keys'};
@@ -88,6 +96,9 @@ my sub print_ovmf_drive_commandlines {
     die "Attempting to configure SEV-SNP with pflash devices instead of using `-bios`\n"
         if $cvm_type && $cvm_type eq 'snp';
 
+    die "Attempting to configure TDX with pflash devices instead of using `-bios`\n"
+        if $cvm_type && $cvm_type eq 'tdx';
+
     my ($ovmf_code, $ovmf_vars) = get_ovmf_files($arch, $d, $q35, $cvm_type);
 
     my $var_drive_str = "if=pflash,unit=1,id=drive-efidisk0";
@@ -208,7 +219,7 @@ sub print_ovmf_commandline {
     my $cmd = [];
     my $machine_flags = [];
 
-    if ($cvm_type && $cvm_type eq 'snp') {
+    if ($cvm_type && ($cvm_type eq 'snp' || $cvm_type eq 'tdx')) {
         if (defined($conf->{efidisk0})) {
             log_warn("EFI disks are not supported with Confidential Virtual Machines and will be ignored");
         }
-- 
2.43.0


