Re: [PATCH v1 00/40] TDX QEMU support
From: Daniel P. Berrangé
Subject: Re: [PATCH v1 00/40] TDX QEMU support
Date: Wed, 3 Aug 2022 18:44:10 +0100
User-agent: Mutt/2.2.6 (2022-06-05)
On Tue, Aug 02, 2022 at 06:55:48PM +0800, Xiaoyao Li wrote:
> On 8/2/2022 5:49 PM, Daniel P. Berrangé wrote:
> > On Tue, Aug 02, 2022 at 03:47:10PM +0800, Xiaoyao Li wrote:
>
> > > - CPU model
> > >
> > > We cannot create a TD with arbitrary CPU model like what for non-TDX
> > > VMs,
> > > because only a subset of features can be configured for TD.
> > > - It's recommended to use '-cpu host' to create TD;
> > > - '+feature/-feature' might not work as expected;
> > >
> > > future work: To introduce specific CPU model for TDs and enhance
> > > +/-features
> > > for TDs.
> >
> > Which features are incompatible with TDX ?
>
> TDX enforces some features fixed to 1 (e.g., CPUID_EXT_X2APIC,
> CPUID_EXT_HYPERVISOR) and some fixed to 0 (e.g., CPUID_EXT_VMX).
>
> Details can be found in patch 8 and TDX spec chapter "CPUID virtualization"
>
> > Presumably you have such a list, so that KVM can block them when
> > using '-cpu host' ?
>
> No, KVM doesn't do this. The result is that no error is reported from KVM, but
> what the TD OS sees from CPUID might be different from what the user specifies in QEMU.
>
> > If so, we should be able to sanity check the
> > use of these features in QEMU for the named CPU models / feature
> > selection too.
>
> This series enhances get_supported_cpuid() for TDX. If named CPU models are
> used to boot a TDX guest, it likely gets a warning of "xxx feature is not
> available".
If the ',check=on' arg is given to -cpu, does it ensure that the
guest fails to start up with an incompatible feature set ? That's
really the key thing to protect the user from mistakes.
> We have another series to enhance the "-feature" for TDX, to warn if
> some fixed1 is specified to be removed. Besides, we will introduce a specific
> named CPU model for TDX, e.g., TDX-SapphireRapids, which contains the maximum
> feature set a TDX guest can have on an SPR host.
I don't know if this is the right approach or not, but we should at least
consider making use of CPU versioning here, i.e., have a single "SapphireRapids"
alias which resolves to a suitable specific CPU version depending on whether
TDX is used or not.
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
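The thread's concern is that a TD silently sees CPUID bits the user never asked for (fixed-1) or loses bits the user requested (fixed-0), with no error from KVM. The following is an added illustrative model of such a sanity check, written for this page and not QEMU's or KVM's code: the bit positions are the real CPUID.1:ECX positions behind QEMU's CPUID_EXT_* names, but the fixed-1/fixed-0 sets are assumed and limited to the three bits named in the thread, and the `enforce` flag stands in for the `check=on` behaviour being asked about.

```c
/* Illustrative model of TDX fixed-1 / fixed-0 CPUID enforcement (not QEMU or KVM code). */
#include <stdint.h>
#include <stdio.h>

/* Real CPUID.1:ECX bit positions, named as QEMU names them. */
#define CPUID_EXT_VMX        (1U << 5)   /* fixed to 0 for a TD */
#define CPUID_EXT_X2APIC     (1U << 21)  /* fixed to 1 for a TD */
#define CPUID_EXT_HYPERVISOR (1U << 31)  /* fixed to 1 for a TD */

/* Assumed subsets of the spec's fixed sets, limited to the bits named in the thread. */
#define TDX_FIXED1 (CPUID_EXT_X2APIC | CPUID_EXT_HYPERVISOR)
#define TDX_FIXED0 (CPUID_EXT_VMX)

/* What the TD guest will actually observe: fixed-1 forced on, fixed-0 forced off. */
uint32_t tdx_effective_features(uint32_t requested)
{
    return (requested | TDX_FIXED1) & ~TDX_FIXED0;
}

/* Bits where the user's request differs from what the TD will observe. */
uint32_t tdx_mismatched_features(uint32_t requested)
{
    return requested ^ tdx_effective_features(requested);
}

/* enforce == 0 models check=off: warn and return 0 so the guest still starts.
 * enforce != 0 models check=on: report an error and return -1 to refuse startup. */
int tdx_validate_features(uint32_t requested, int enforce)
{
    uint32_t diff = tdx_mismatched_features(requested);
    const char *level = enforce ? "error" : "warning";
    if (diff == 0)
        return 0;
    if (diff & CPUID_EXT_VMX)
        fprintf(stderr, "%s: vmx is fixed to 0 by TDX and will not be available\n", level);
    if (diff & CPUID_EXT_X2APIC)
        fprintf(stderr, "%s: x2apic is fixed to 1 by TDX and cannot be removed\n", level);
    if (diff & CPUID_EXT_HYPERVISOR)
        fprintf(stderr, "%s: hypervisor is fixed to 1 by TDX and cannot be removed\n", level);
    return enforce ? -1 : 0;
}

int main(void)
{
    /* Constructed request: user asked for +vmx and dropped x2apic/hypervisor. */
    uint32_t requested = CPUID_EXT_VMX;
    printf("effective=0x%08x rc(check=on)=%d\n",
           tdx_effective_features(requested), tdx_validate_features(requested, 1));
    return 0;
}
```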