From: Zhenzhong Duan <zhenzhong.duan@intel.com>
Date: Thu, 10 Jul 2025 07:21:04 +0000 (-0400)
Subject: qemu: Check if INTEL Trust Domain Extention support is enabled
X-Git-Tag: v11.6.0-rc1~33
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d7c96e809d2c446830930790db5206168aedef81;p=thirdparty%2Flibvirt.git

qemu: Check if INTEL Trust Domain Extention support is enabled

Implement TDX check in order to generate domain feature capability
correctly in case the availability of the feature changed.

For INTEL TDX the verification is:
 - checking if "/sys/module/kvm_intel/parameters/tdx" contains the
   value 'Y': meaning TDX is enabled in the host kernel.

Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Xiaoyao Li <xiaoyao.li@intel.com>
---

diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
index b02f8e7a01..732c89fe29 100644
--- a/src/qemu/qemu_capabilities.c
+++ b/src/qemu/qemu_capabilities.c
@@ -5322,6 +5322,24 @@ virQEMUCapsKVMSupportsSecureGuestAMD(void)
 }
 
 
+/*
+ * Check whether INTEL Trust Domain Extention (x86) is enabled
+ */
+static bool
+virQEMUCapsKVMSupportsSecureGuestTDX(void)
+{
+    g_autofree char *modValue = NULL;
+
+    if (virFileReadValueString(&modValue, "/sys/module/kvm_intel/parameters/tdx") < 0)
+        return false;
+
+    if (modValue[0] != 'Y')
+        return false;
+
+    return true;
+}
+
+
 /*
  * Check whether the secure guest functionality is enabled.
  * See the specific architecture function for details on the verifications made.
@@ -5335,7 +5353,8 @@ virQEMUCapsKVMSupportsSecureGuest(void)
         return virQEMUCapsKVMSupportsSecureGuestS390();
 
     if (ARCH_IS_X86(arch))
-        return virQEMUCapsKVMSupportsSecureGuestAMD();
+        return virQEMUCapsKVMSupportsSecureGuestAMD() ||
+               virQEMUCapsKVMSupportsSecureGuestTDX();
 
     return false;
 }