Lines Matching +full:- +full:- +full:disable +full:- +full:kvm
5 Virtual Machine Extensions (VMX) and Multi-Key Total Memory Encryption (MKTME)
12 -------------
15 while KVM hypervisor has TDX support and has TDX enabled. If those requirements
25 KVM vcpu ioctl ``KVM_TDX_INIT_MEM_REGION`` can be used to populate the TDVF
29 device and it actually works as RAM. "-bios" option is chosen to load TDVF.
32 command line to specify and load TDVF is ``-bios OVMF.fd``
35 ---------------------
37 Unlike non-TDX VM, the CPU features (enumerated by CPU or MSR) of a TD are not
43 - Attributes:
44 - PKS (bit 30) controls whether Supervisor Protection Keys is exposed to TD,
46 - PERFMON (bit 63) controls whether PMU is exposed to TD.
48 - XSAVE related features (XFAM):
52 - CPUID features:
61 to get the TDX capabilities from KVM. It returns a data structure of
68 QEMU supports configuring raw 64-bit TD attributes directly via "attributes"
69 property of "tdx-guest" object. Note, it's users' responsibility to provide a
70 valid value because some bits may not supported by current QEMU or KVM yet.
73 supported by it, via properties of "tdx-guest" object.
74 E.g., "sept-ve-disable" (bit 28).
79 Current KVM doesn't support MSR based feature (e.g., MSR_IA32_ARCH_CAPABILITIES)
80 configuration for TDX, and it's a future work to enable it in QEMU when KVM adds
87 explicit feature adjustment of "+featureA/-featureB", can be supported or not.
90 "warning: host doesn't support requested feature: CPUID.07H:EBX.intel-pt [bit 25]"
96 if the fixed-1 feature is requested to be disabled explicitly. This is newly
97 added to QEMU for TDX because TDX has fixed-1 features that are forcibly enabled
98 by TDX module and VMM cannot disable them.
101 -----------------------
103 To launch a TD, the necessary command line options are tdx-guest object and
104 split kernel-irqchip, as below:
106 .. parsed-literal::
109 -accel kvm \\
110 -cpu host \\
111 -object tdx-guest,id=tdx0 \\
112 -machine ...,confidential-guest-support=tdx0 \\
113 -bios OVMF.fd \\
116 ------------
118 - kernel-irqchip must be split;
120 This is set by default for TDX guest if kernel-irqchip is left on its default
123 - No readonly support for private memory;
125 - No SMM support: SMM support requires manipulating the guest register states
129 ---------
131 Bit 0 of TD attributes, is DEBUG bit, which decides if the TD runs in off-TD
132 debug mode. When in off-TD debug mode, TD's VCPU state and private memory are
133 accessible via given SEAMCALLs. This requires KVM to expose APIs to invoke those
139 --------------
149 support in current KVM.
152 --------------
157 ----------
159 - `TDX Homepage <https://www.intel.com/content/www/us/en/developer/articles/technical/intel-trust-d…
161 - `SGX QE <https://github.com/intel/SGXDataCenterAttestationPrimitives/tree/master/QuoteGeneration>…