Skip to content

TDX KVM

Xiaoyao Li edited this page Dec 12, 2023 · 26 revisions

TDX KVM

documentation on TDX KVM

How to test TDX KVM

You need the four following component, TDX KVM, TDX qemu, TDX guest, TDVF(guest OS) and kvm-unit-tests.

Repository combinations

minimal patches for upstreaming

Feature branches

note: tdx grub is needed if you would like to boot with grub. If qemu direct boot(-kernel -append, -initrd options) is used, tdx grub isn't needed.

Repositories, Branches and Tags

TDX KVM:

configurations

enable following configs

  • CONFIG_INTEL_TDX_HOST=y
  • CONFIG_KVM=y
  • CONFIG_KVM_INTEL=y
  • CONFIG_KVM_MMU_PRIVATE=y When loading kvm_intel, use module parameter "kvm_intel.tdx=on". By default TDX support is disabled. For automation, add it to kernel command line, or edit modules.conf.

TDX qemu

QEMU -upstream-* tags KVM tags
tdx-qemu-upstream-2023.12.08-v8.2.0 kvm-upstream-2023.11.15.v6.7-rc1
tdx-qemu-upstream-2023.12.06-v8.2.0 kvm-upstream-2023.11.15.v6.7-rc1
tdx-qemu-upstream-2023.10.20-v8.1.0 no matched kvm, please use tdx-qemu-next-* variant because even corresponding kvm-upstream-2023.10.16-v6.6-rc2 dumps the IOCTLs numbers
tdx-qemu-upstream-2023.9.21-v8.1.0 kvm-upstream-2023.09.18-v6.6-rc1
QEMU -next-* tags KVM tags
tdx-qemu-next-2023.12.08-v8.2.0 kvm-upstream-next-2023.11.15.v6.7-rc1
tdx-qemu-next-2023.12.06-v8.2.0 kvm-upstream-next-2023.11.15.v6.7-rc1
tdx-qemu-next-2023.10.20-v8.1.0 kvm-upstream-2023.10.16-v6.6-rc2 / kvm-upstream-next-2023.10.16-v6.6-rc2
tdx-qemu-next-2023.9.21-v8.1.0 kvm-upstream-next-2023.09.18-v6.6-rc1

configurations

  • configure --enable-kvm --target-list=x86_64-softmmu

command line

  • create TDX confidential computing object
  • specify KVM
  • specify q35 chipset (At this point only q35 is supported. piix4 and microvm aren't supported.)
  • specify TDVF as guest BIOS
  • specify split ircqhip
  • disable PIC and PIT
  • for tdx-upstream qemu-system-x86_64
    -object tdx-guest,id=tdx0
    -machine q35,accel=kvm,confidential-guest-support=tdx0,kernel-irqchip=split,pic=off,pit=off
    -bios ${PATH_TO_TDVF} \

    (add more qemu command line you want)

guest TD

configurations

  • CONFIG_INTEL_TDX_GUEST=y
  • CONFIG_INTEL_TDX_ATTESTATION=y

TDVF

TDX grub

kvm-unit-tests

how to run TDX related tests

Please refer to https://github.com/intel/kvm-unit-tests-tdx#unit-test-in-tdx-environment

libvirt

tdx-tools

TDX shims

SEAMLDR (NP-SEAMLDR, P-SEAMLDR)

TDX module

Clone this wiki locally