
TDX KVM

yamahata edited this page Aug 23, 2023 · 26 revisions


documentation on TDX KVM

How to test TDX KVM

You need the following components: TDX KVM, TDX qemu, TDX guest, TDVF (guest OS) and kvm-unit-tests.

Repository combinations

minimal patches for upstreaming

Feature branches

note: tdx grub is needed if you would like to boot with grub. If qemu direct boot (the -kernel, -append and -initrd options) is used, tdx grub isn't needed.

Repositories, Branches and Tags

TDX KVM:

configurations

enable the following configs

  • CONFIG_INTEL_TDX_HOST=y
  • CONFIG_KVM=y
  • CONFIG_KVM_INTEL=y
  • CONFIG_KVM_MMU_PRIVATE=y

When loading kvm_intel, use the module parameter "kvm_intel.tdx=on". By default TDX support is disabled. For automation, add it to the kernel command line, or edit modules.conf.
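A small host-side check for the two settings above (the four kernel config options and the kvm_intel.tdx=on parameter), as an added example that is not part of this wiki or the TDX KVM tree. It reads a kernel .config file and a kernel command line string given as arguments, so it can be run against any file; the function names and the modprobe.d matching are this script's own assumptions.

```shell
#!/bin/sh
# Added example (not from the TDX KVM wiki): verify a host kernel .config
# has the TDX KVM options enabled and whether kvm_intel.tdx=on is set.

# The options the wiki lists as required on the host
REQUIRED_HOST_CONFIGS="CONFIG_INTEL_TDX_HOST CONFIG_KVM CONFIG_KVM_INTEL CONFIG_KVM_MMU_PRIVATE"

# check_host_kconfig <path-to-.config>
# Prints each option that is missing or not "=y"; returns 0 only if all are set.
check_host_kconfig() {
    cfg="$1"
    missing=0
    for opt in $REQUIRED_HOST_CONFIGS; do
        if ! grep -q "^${opt}=y$" "$cfg"; then
            echo "missing or not =y: $opt"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# tdx_param_enabled <kernel-cmdline-string> [modprobe.d-file ...]
# Returns 0 if kvm_intel.tdx=on is on the kernel command line, or if one of
# the given modprobe.d files carries an "options kvm_intel ... tdx=on" line.
tdx_param_enabled() {
    cmdline="$1"
    shift
    case " $cmdline " in
        *" kvm_intel.tdx=on "*) return 0 ;;
    esac
    for f in "$@"; do
        [ -r "$f" ] || continue
        if grep -Eq '^[[:space:]]*options[[:space:]]+kvm_intel[[:space:]]+(.*[[:space:]])?tdx=on([[:space:]]|$)' "$f"; then
            return 0
        fi
    done
    return 1
}

# Stand-alone use (only when arguments are given):
#   sh tdx-host-check.sh /boot/config-$(uname -r)
if [ "$#" -gt 0 ]; then
    check_host_kconfig "$1" && echo "kernel config: ok"
    if tdx_param_enabled "$(cat /proc/cmdline 2>/dev/null)" /etc/modprobe.d/*.conf; then
        echo "kvm_intel.tdx=on: set"
    else
        echo "kvm_intel.tdx=on: NOT set (TDX stays disabled by default)"
    fi
fi
```

The modprobe.d check only looks for an explicit "options kvm_intel" line; if the parameter is set some other way (an initramfs hook, for example), confirm it by reading /sys/module/kvm_intel/parameters/tdx after the module is loaded.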

TDX qemu

configurations

  • configure --enable-kvm --target-list=x86_64-softmmu

command line

  • create TDX confidential computing object
  • specify KVM (and KVM vm_type)
  • specify q35 chipset (at this point only q35 is supported; piix4 and microvm aren't supported)
  • specify TDVF as guest BIOS
  • specify split irqchip
  • disable PIC and PIT
  • for tdx-upstream:
    qemu-system-x86_64 \
      -object tdx-guest,id=tdx0,debug=off,sept-ve-disable=on \
      -machine confidential-guest-support=tdx0 \
      -machine q35,accel=kvm \
      -bios ${PATH_TO_TDVF} \
      -machine kernel-irqchip=split,pic=off,pit=off \
      (add more qemu command line options you want)

  • for tdx:
    qemu-system-x86_64 \
      -object tdx-guest,id=tdx0,debug=off,sept-ve-disable=on \
      -machine confidential-guest-support=tdx0 \
      -machine q35,accel=kvm,kvm-type=tdx \
      -device loader,file=${OVMF} \
      -machine kernel-irqchip=split,pic=off,pit=off

If UPM is wanted

  • UPM (Unmapping Process Memory): create a memfd-private backend and use it as the machine memory backend
      -object memory-backend-memfd-private,id=ram1,size=${MEM} \
      -machine memory-backend=ram1

If KVM gmem is wanted: any memory backend is usable; add the "private=on" property

  • kvm gmem: create a gmem fd for the backend
      -object memory-backend-xxx,id=ram1,size=${MEM},private=on \
      -machine memory-backend=ram1
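The command line above is easy to get subtly wrong by hand (a missing -machine line, or a memory backend whose size does not match -m). The following helper, an added example that is not part of this wiki or of the tdx-upstream qemu project, assembles the tdx-upstream argument list from a TDVF path, a memory size and a mode; the mode names plain/upm/gmem, the backend id ram1 and the default memfd backend for gmem are this script's own assumptions.

```shell
#!/bin/sh
# Added example (not from the wiki or qemu): build the tdx-upstream
# qemu-system-x86_64 argument list so the required pieces are never omitted.

# tdx_qemu_args <tdvf-path> <mem-size> [mode] [gmem-backend]
#   mode: plain (default) | upm | gmem
#   gmem-backend: memory backend type used with private=on (default memory-backend-memfd)
# Prints one argument group per line; returns 1 on bad input.
tdx_qemu_args() {
    tdvf="$1"
    mem="$2"
    mode="${3:-plain}"
    backend="${4:-memory-backend-memfd}"
    [ -n "$tdvf" ] || { echo "error: TDVF path is required" >&2; return 1; }
    [ -n "$mem" ] || { echo "error: memory size is required" >&2; return 1; }

    # TDX confidential computing object, attached to the machine
    echo "-object tdx-guest,id=tdx0,debug=off,sept-ve-disable=on"
    echo "-machine confidential-guest-support=tdx0"
    # KVM accelerator with the q35 chipset (only q35 is supported)
    echo "-machine q35,accel=kvm"
    # TDVF is the guest BIOS
    echo "-bios $tdvf"
    # split irqchip with PIC and PIT disabled
    echo "-machine kernel-irqchip=split,pic=off,pit=off"

    case "$mode" in
        plain) ;;
        upm)
            # UPM: memfd-private backend as the machine memory
            echo "-object memory-backend-memfd-private,id=ram1,size=$mem"
            echo "-machine memory-backend=ram1" ;;
        gmem)
            # KVM gmem: any backend with private=on
            echo "-object $backend,id=ram1,size=$mem,private=on"
            echo "-machine memory-backend=ram1" ;;
        *)
            echo "error: unknown mode '$mode' (use plain, upm or gmem)" >&2
            return 1 ;;
    esac
    # qemu requires -m to match the size of an explicit memory backend
    echo "-m $mem"
}

# Stand-alone use (only when arguments are given), e.g.:
#   sh tdx-qemu-args.sh /path/to/OVMF.fd 2G gmem
# Prints the argument list; pipe it into xargs or paste it after
# "qemu-system-x86_64" together with the options you want to add.
if [ "$#" -gt 0 ]; then
    tdx_qemu_args "$@"
fi
```

The function prints rather than launches so the result can be reviewed or appended to (kernel, initrd, disks, network) before qemu is started.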

guest TD

configurations

  • CONFIG_INTEL_TDX_GUEST=y
  • CONFIG_INTEL_TDX_ATTESTATION=y

TDVF

TDX grub

kvm-unit-tests

how to run TDX related tests

Please refer to https://github.com/intel/kvm-unit-tests-tdx#unit-test-in-tdx-environment

libvirt

tdx-tools

TDX shims

SEAMLDR (NP-SEAMLDR, P-SEAMLDR)

TDX module
