Extend the tdx object with the quote-generation-socket as defined in: https://www.qemu.org/docs/master/interop/qemu-storage-daemon-qmp-ref.html#object-QSD-qom.TdxGuestProperties
Only vsock is included here since it is the most commonly used with TDX attestation. Signed-off-by: Anton Iacobaeus <[email protected]> --- src/PVE/QemuServer.pm | 3 +- src/PVE/QemuServer/CPUConfig.pm | 60 +++++++++++++++++++++++++++++++-- 2 files changed, 60 insertions(+), 3 deletions(-) diff --git a/src/PVE/QemuServer.pm b/src/PVE/QemuServer.pm index ddd30abb..11c7543f 100644 --- a/src/PVE/QemuServer.pm +++ b/src/PVE/QemuServer.pm @@ -3794,7 +3794,8 @@ sub config_to_command { push @$devices, '-object', get_amd_sev_object($conf->{'amd-sev'}, $conf->{bios}); push @$machineFlags, 'confidential-guest-support=sev0'; } elsif ($conf->{'intel-tdx'}) { - push @$devices, '-object', get_intel_tdx_object($conf->{'intel-tdx'}, $conf->{bios}); + my $tdx_object = get_intel_tdx_object($conf->{'intel-tdx'}, $conf->{bios}); + push @$devices, '-object', to_json($tdx_object, { canonical => 1 }); push @$machineFlags, 'confidential-guest-support=tdx0'; push @$machineFlags, 'kernel_irqchip=split'; } diff --git a/src/PVE/QemuServer/CPUConfig.pm b/src/PVE/QemuServer/CPUConfig.pm index 67b05925..dae6f379 100644 --- a/src/PVE/QemuServer/CPUConfig.pm +++ b/src/PVE/QemuServer/CPUConfig.pm @@ -5,7 +5,7 @@ use warnings; use JSON; -use PVE::JSONSchema; +use PVE::JSONSchema qw(json_bool); use PVE::Cluster qw(cfs_register_file cfs_read_file); use PVE::ProcFSTools; use PVE::RESTEnvironment qw(log_warn); @@ -348,6 +348,32 @@ my $tdx_fmt = { format_description => "tdx-type", enum => ['tdx'], }, + 'attestation' => { + description => "Enable TDX attestation by including quote-generation-socket", + type => 'boolean', + default => 1, + }, + 'socket-type' => { + type => 'string', + optional => 1, + enum => ['vsock'], + default => 'vsock', + description => "Socket type to communicate with the Quote Generation Service", + }, + 'vsock-cid' => { + type => 'integer', + minimum => 2, + default => 2, + optional => 1, + description => "CID for vsock of Quote Generation Service", + }, + 'vsock-port' => { + type => 'integer', + minimum => 0, + default => 4050, + optional => 1, + description => "Port for vsock of Quote Generation Service", + }, }; PVE::JSONSchema::register_format('pve-qemu-tdx-fmt', $tdx_fmt); @@ -1088,6 +1114,27 @@ sub get_amd_sev_object { return $sev_mem_object; } +sub get_quote_generation_socket { + my ($conf) = @_; + my $type = $conf->{'socket-type'} + or die "A socket type is required for Quote Generation Socket.\n"; + + my $socket = { + type => $type, + }; + + if ($type eq 'vsock') { + $socket->{'cid'} = $conf->{'vsock-cid'} + or die "Missing cid for vsock.\n"; + $socket->{'port'} = $conf->{'vsock-port'} + or die "Missing port for vsock.\n"; + } else { + die "Unsupported socket type for TDX Quote Generation Socket.\n"; + } + + return $socket; +} + sub get_intel_tdx_object { my ($intel_tdx, $bios) = @_; my $intel_tdx_conf = PVE::JSONSchema::parse_property_string($tdx_fmt, $intel_tdx); @@ -1099,7 +1146,16 @@ sub get_intel_tdx_object { if (!$bios || $bios ne 'ovmf') { die "To use Intel TDX, you need to change the BIOS to OVMF.\n"; } - return 'tdx-guest,id=tdx0'; + + my $tdx_object = { + 'qom-type' => 'tdx-guest', + id => 'tdx0', + }; + + $tdx_object->{'quote-generation-socket'} = get_quote_generation_socket($intel_tdx_conf) + if $intel_tdx_conf->{'attestation'}; + + return $tdx_object; } __PACKAGE__->register(); -- 2.43.0 _______________________________________________ pve-devel mailing list [email protected] https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
