On 11/13/25 12:35, Fiona Ebner wrote:
Am 28.10.25 um 1:56 PM schrieb Anton Iacobaeus:
@@ -291,6 +291,50 @@ my $tdx_fmt = {
format_description => "tdx-type",
enum => ['tdx'],
},
+ 'attestation' => {
+ description => "Enable TDX attestation by including
quote-generation-socket",
+ type => 'boolean',
+ default => 1,
+ },
+ 'socket-type' => {
+ type => 'string',
+ optional => 1,
+ enum => ['unix', 'vsock'],
+ default => 'vsock',
+ description => "Socket type to communicate with the Quote Generation
Service",
+ },
+ 'vsock-cid' => {
+ type => 'integer',
+ minimum => 2,
+ default => 2,
+ optional => 1,
+ description => "CID for vsock of Quote Generation Service",
+ },
+ 'vsock-port' => {
+ type => 'integer',
+ minimum => 0,
+ default => 4050,
+ optional => 1,
+ description => "Port for vsock of Quote Generation Service",
+ },
+ 'unix-path' => {
+ type => 'string',
+ optional => 1,
+ description => "Path to Unix socket",
+ format_description => "unix-path",
+ },
+ 'unix-abstract' => {
+ description => "Use Linux abstract socket address",
+ type => 'boolean',
+ default => 0,
+ optional => 1,
+ },
+ 'unix-tight' => {
+ description => "Pads the abstract socket address.",
+ type => 'boolean',
+ default => 1,
+ optional => 1,
+ },
Do we really want/need to support all these possible configuration
options to start out? In particular, 'unix-tight' and 'unix-abstract'
seem like we could rather just require users to set it up a certain way.
Maybe vsock+cid+port is enough to begin with and we can add more when
users actually request it? Or are there situations where a vsock cannot
easily be set up?
Yes I agree, vsock+cid+port will be enough for most users and we can add
more if requested. I added Unix sockets since it is the default in
libvirt, but vsock should always be easy to setup. 'unix-tight' and
'unix-abstract' was added to match the QEMU schema, doubt that they are
needed in many cases.
Do you want a v4 with only vsock and the below style nits addressed?
};
PVE::JSONSchema::register_format('pve-qemu-tdx-fmt', $tdx_fmt);
@@ -960,6 +1004,36 @@ sub get_amd_sev_object {
return $sev_mem_object;
}
+sub get_quote_generation_socket {
+ my ($conf) = @_;
+ my $type = $conf->{'socket-type'}
+ or die "A socket type is required for Quote Generation Socket.\n";
+
+ my $socket = {
+ type => $type,
+ };
+
+ if ($type eq 'unix') {
+ my $path = $conf->{'unix-path'}
+ or die "Missing path for unix socket.\n";
+
+ $socket->{'path'} = $path;
+ $socket->{'abstract'} = json_bool($conf->{'unix-abstract'})
+ if defined $conf->{'unix-abstract'};
+ $socket->{'tight'} = json_bool($conf->{'unix-tight'})
+ if defined $conf->{'unix-tight'};
+ } elsif ($type eq 'vsock') {
+ my ($cid, $port) = @{$conf}{ 'vsock-cid', 'vsock-port' };
Style nit: our code base uses the following style:
$conf->@{qw(vsock-cid vsock-port)};
+ die "Missing cid/port for vsock.\n" unless defined $cid && defined
$port;
Style nit: we don't usually use unless [0] and please use parentheses
with defined()
+
+ @$socket{ 'cid', 'port' } = ($cid, $port);
Style nit: again, not really a style seen in our code base, I'd prefer
to just have two assignments
+ } else {
+ die "Unsupported socket type for TDX Quote Generation Socket.\n";
+ }
+
+ return $socket;
+}
+
sub get_intel_tdx_object {
my ($intel_tdx, $bios) = @_;
my $intel_tdx_conf = PVE::JSONSchema::parse_property_string($tdx_fmt,
$intel_tdx);
@@ -971,7 +1045,16 @@ sub get_intel_tdx_object {
if (!$bios || $bios ne 'ovmf') {
die "To use Intel TDX, you need to change the BIOS to OVMF.\n";
}
- return 'tdx-guest,id=tdx0';
+
+ my $tdx_object = {
+ 'qom-type' => 'tdx-guest',
+ id => 'tdx0',
+ };
+
+ $tdx_object->{'quote-generation-socket'} =
get_quote_generation_socket($intel_tdx_conf)
+ unless !$intel_tdx_conf->{'attestation'};
Style nit regarding unless
[0]: https://pve.proxmox.com/wiki/Perl_Style_Guide#Perl_syntax_choices
_______________________________________________
pve-devel mailing list
[email protected]
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
