Lines Matching +full:qemu +full:- +full:kvm

5 Virtual Machine Extensions (VMX) and Multi-Key Total Memory Encryption (MKTME)
12 -------------
15 while KVM hypervisor has TDX support and has TDX enabled. If those requirements
25 KVM vcpu ioctl ``KVM_TDX_INIT_MEM_REGION`` can be used to populate the TDVF
29 device and it actually works as RAM. "-bios" option is chosen to load TDVF.
32 command line to specify and load TDVF is ``-bios OVMF.fd``
35 ---------------------
37 Unlike non-TDX VM, the CPU features (enumerated by CPU or MSR) of a TD are not
43 - Attributes:
44 - PKS (bit 30) controls whether Supervisor Protection Keys is exposed to TD,
46 - PERFMON (bit 63) controls whether PMU is exposed to TD.
48 - XSAVE related features (XFAM):
52 - CPUID features:
61 to get the TDX capabilities from KVM. It returns a data structure of
68 QEMU supports configuring raw 64-bit TD attributes directly via "attributes"
69 property of "tdx-guest" object. Note, it's the user's responsibility to provide a
70 valid value because some bits may not be supported by current QEMU or KVM yet.
72 QEMU also supports the configuration of individual attribute bits that are
73 supported by it, via properties of "tdx-guest" object.
74 E.g., "sept-ve-disable" (bit 28).
79 Current KVM doesn't support MSR-based feature (e.g., MSR_IA32_ARCH_CAPABILITIES)
80 configuration for TDX, and it's future work to enable it in QEMU when KVM adds
86 QEMU checks if the final (CPU) features, determined by given cpu model and
87 explicit feature adjustment of "+featureA/-featureB", can be supported or not.
90 "warning: host doesn't support requested feature: CPUID.07H:EBX.intel-pt [bit 25]"
96 if the fixed-1 feature is requested to be disabled explicitly. This is newly
97 added to QEMU for TDX because TDX has fixed-1 features that are forcibly enabled
101 -----------------------
103 To launch a TD, the necessary command line options are tdx-guest object and
104 split kernel-irqchip, as below:
106 .. parsed-literal::
109 -accel kvm \\
110 -cpu host \\
111 -object tdx-guest,id=tdx0 \\
112 -machine ...,confidential-guest-support=tdx0 \\
113 -bios OVMF.fd \\
116 ------------
118 - kernel-irqchip must be split;
120 This is set by default for TDX guest if kernel-irqchip is left on its default
123 - No readonly support for private memory;
125 - No SMM support: SMM support requires manipulating the guest register states
129 ---------
131 Bit 0 of TD attributes is the DEBUG bit, which decides if the TD runs in off-TD
132 debug mode. When in off-TD debug mode, TD's VCPU state and private memory are
133 accessible via given SEAMCALLs. This requires KVM to expose APIs to invoke those
134 SEAMCALLs and the corresponding QEMU change.
139 --------------
148 It's future work in QEMU to add support for TD attestation since it lacks
149 support in current KVM.
152 --------------
157 ----------
159 - `TDX Homepage <https://www.intel.com/content/www/us/en/developer/articles/technical/intel-trust-d…
161 - `SGX QE <https://github.com/intel/SGXDataCenterAttestationPrimitives/tree/master/QuoteGeneration>…