qemu_firmware: Pick the right firmware for TDX guests

The firmware descriptors have 'intel-tdx' feature which
describes whether firmware is suitable for TDX guests.
Provide necessary implementation to detect the feature and pick
the right firmware if guest is TDX enabled.

Suggested-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>

diff --git a/src/qemu/qemu_firmware.c b/src/qemu/qemu_firmware.c
index 6c65a2751b763a437c82578a64b21b6b52b3a020..f10137144e85fc582b41f45609548681297aadf7 100644 (file)
--- a/src/qemu/qemu_firmware.c
+++ b/src/qemu/qemu_firmware.c
@@ -149,6 +149,7 @@ typedef enum {
     QEMU_FIRMWARE_FEATURE_AMD_SEV,
     QEMU_FIRMWARE_FEATURE_AMD_SEV_ES,
     QEMU_FIRMWARE_FEATURE_AMD_SEV_SNP,
+    QEMU_FIRMWARE_FEATURE_INTEL_TDX,
     QEMU_FIRMWARE_FEATURE_ENROLLED_KEYS,
     QEMU_FIRMWARE_FEATURE_REQUIRES_SMM,
     QEMU_FIRMWARE_FEATURE_SECURE_BOOT,
@@ -167,6 +168,7 @@ VIR_ENUM_IMPL(qemuFirmwareFeature,
               "amd-sev",
               "amd-sev-es",
               "amd-sev-snp",
+              "intel-tdx",
               "enrolled-keys",
               "requires-smm",
               "secure-boot",
@@ -1158,6 +1160,7 @@ qemuFirmwareMatchDomain(const virDomainDef *def,
     bool supportsSEV = false;
     bool supportsSEVES = false;
     bool supportsSEVSNP = false;
+    bool supportsTDX = false;
     bool supportsSecureBoot = false;
     bool hasEnrolledKeys = false;
     int reqSecureBoot;
@@ -1209,6 +1212,10 @@ qemuFirmwareMatchDomain(const virDomainDef *def,
             supportsSEVSNP = true;
             break;
 
+        case QEMU_FIRMWARE_FEATURE_INTEL_TDX:
+            supportsTDX = true;
+            break;
+
         case QEMU_FIRMWARE_FEATURE_REQUIRES_SMM:
             requiresSMM = true;
             break;
@@ -1370,9 +1377,18 @@ qemuFirmwareMatchDomain(const virDomainDef *def,
                 return false;
             }
             break;
-        case VIR_DOMAIN_LAUNCH_SECURITY_PV:
+
         case VIR_DOMAIN_LAUNCH_SECURITY_TDX:
+            if (!supportsTDX) {
+                VIR_DEBUG("Domain requires TDX, firmware '%s' doesn't support it",
+                          path);
+                return false;
+            }
             break;
+
+        case VIR_DOMAIN_LAUNCH_SECURITY_PV:
+            break;
+
         case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
         case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
             virReportEnumRangeError(virDomainLaunchSecurity, def->sec->sectype);
@@ -1490,6 +1506,7 @@ qemuFirmwareEnableFeaturesModern(virDomainDef *def,
         case QEMU_FIRMWARE_FEATURE_AMD_SEV:
         case QEMU_FIRMWARE_FEATURE_AMD_SEV_ES:
         case QEMU_FIRMWARE_FEATURE_AMD_SEV_SNP:
+        case QEMU_FIRMWARE_FEATURE_INTEL_TDX:
         case QEMU_FIRMWARE_FEATURE_VERBOSE_DYNAMIC:
         case QEMU_FIRMWARE_FEATURE_VERBOSE_STATIC:
         case QEMU_FIRMWARE_FEATURE_NONE:
@@ -1541,6 +1558,7 @@ qemuFirmwareSanityCheck(const qemuFirmware *fw,
         case QEMU_FIRMWARE_FEATURE_AMD_SEV:
         case QEMU_FIRMWARE_FEATURE_AMD_SEV_ES:
         case QEMU_FIRMWARE_FEATURE_AMD_SEV_SNP:
+        case QEMU_FIRMWARE_FEATURE_INTEL_TDX:
         case QEMU_FIRMWARE_FEATURE_VERBOSE_DYNAMIC:
         case QEMU_FIRMWARE_FEATURE_VERBOSE_STATIC:
         case QEMU_FIRMWARE_FEATURE_LAST:
@@ -1981,6 +1999,7 @@ qemuFirmwareGetSupported(const char *machine,
             case QEMU_FIRMWARE_FEATURE_AMD_SEV:
             case QEMU_FIRMWARE_FEATURE_AMD_SEV_ES:
             case QEMU_FIRMWARE_FEATURE_AMD_SEV_SNP:
+            case QEMU_FIRMWARE_FEATURE_INTEL_TDX:
             case QEMU_FIRMWARE_FEATURE_ENROLLED_KEYS:
             case QEMU_FIRMWARE_FEATURE_SECURE_BOOT:
             case QEMU_FIRMWARE_FEATURE_VERBOSE_DYNAMIC:

diff --git a/tests/qemufirmwaredata/out/usr/share/qemu/firmware/60-edk2-ovmf-x64-inteltdx.json b/tests/qemufirmwaredata/out/usr/share/qemu/firmware/60-edk2-ovmf-x64-inteltdx.json
index d002ec7386ba98e05fcaf3cb3064a9cb628ca629..2630b57b05cbe9e7bad45ec294457b3480c9da21 100644 (file)
--- a/tests/qemufirmwaredata/out/usr/share/qemu/firmware/60-edk2-ovmf-x64-inteltdx.json
+++ b/tests/qemufirmwaredata/out/usr/share/qemu/firmware/60-edk2-ovmf-x64-inteltdx.json
@@ -16,6 +16,7 @@
     ],
     "features": [
         "enrolled-keys",
+        "intel-tdx",
         "secure-boot",
         "verbose-dynamic"
     ]