git.ipfire.org Git - thirdparty/systemd.git/commit
vmspawn: add Intel TDX confidential VM support
author Paul Meyer <katexochen0@gmail.com>
Fri, 26 Jun 2026 09:57:29 +0000 (11:57 +0200)
committer Paul Meyer <katexochen0@gmail.com>
Wed, 1 Jul 2026 12:35:25 +0000 (14:35 +0200)
commit a78afc16168bdded6c8376d6bde9121719b24537
tree 8beab13a6b67256bc45432dd2d10a54fb1f26699
parent 14d0b772872ca276897b29d7c95f9521c51df036
vmspawn: add Intel TDX confidential VM support

Wire up --coco=tdx alongside the existing SEV-SNP path. TDX requires KVM
on x86_64, a raw TDVF firmware loaded via -bios (no pflash/NVRAM split),
kernel-irqchip=split, and the "host" CPU model since QEMU rejects named
models. Sets up the tdx-guest object and confidential-guest-support=tdx0.

TDX measurement is different from QEMU's kernel-hashes injection: TDX
provides runtime measurements via RTMRs, so the initial measurement only
covers the firmware, which then measures the rest of the boot chain into
those RTMRs (done by OVMF today). Therefore a restriction to direct
kernel boot isn't required either.

Signed-off-by: Paul Meyer <katexochen0@gmail.com>
man/systemd-vmspawn.xml
src/vmspawn/vmspawn-settings.c
src/vmspawn/vmspawn-settings.h
src/vmspawn/vmspawn.c
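
The QEMU-side requirements named in the commit message can be audited on a finished command line. The checker below is an added example, not code from this commit or from systemd; the function and constant names are hypothetical, the sample command line is constructed, and it checks only the `-drive if=pflash` form of pflash and not the x86_64 requirement.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Problem bits; hypothetical names for this example. */
enum { TDX_NO_KVM = 1, TDX_NO_BIOS = 2, TDX_PFLASH = 4, TDX_NO_SPLIT_IRQCHIP = 8,
       TDX_CPU_NOT_HOST = 16, TDX_NO_GUEST_OBJECT = 32 };

/* True if the comma-separated option string s contains exactly the token tok. */
static bool has_token(const char *s, const char *tok) {
        size_t n = strlen(tok);
        while (*s) {
                size_t l = strcspn(s, ",");
                if (l == n && strncmp(s, tok, n) == 0) return true;
                s += l + (s[l] == ',');
        }
        return false;
}

/* Check a QEMU argv against the TDX requirements listed in the commit message. */
int tdx_argv_problems(int argc, const char *const argv[]) {
        bool kvm = false, bios = false, pflash = false, irq = false, cpu = false, obj = false, cgs = false;
        for (int i = 0; i + 1 < argc; i++) {
                const char *o = argv[i], *v = argv[i + 1];
                if (!strcmp(o, "-accel"))
                        kvm = kvm || has_token(v, "kvm");
                else if (!strcmp(o, "-machine")) {
                        kvm = kvm || has_token(v, "accel=kvm");
                        irq = irq || has_token(v, "kernel-irqchip=split");
                        cgs = cgs || has_token(v, "confidential-guest-support=tdx0");
                } else if (!strcmp(o, "-bios"))
                        bios = true;
                else if (!strcmp(o, "-drive"))   /* only the -drive form of pflash is checked */
                        pflash = pflash || has_token(v, "if=pflash");
                else if (!strcmp(o, "-cpu"))     /* model is the first token; the last -cpu wins */
                        cpu = strcspn(v, ",") == 4 && !strncmp(v, "host", 4);
                else if (!strcmp(o, "-object"))  /* object id must match the machine property */
                        obj = obj || (has_token(v, "tdx-guest") && has_token(v, "id=tdx0"));
        }
        return (kvm ? 0 : TDX_NO_KVM) | (bios ? 0 : TDX_NO_BIOS) | (pflash ? TDX_PFLASH : 0) |
               (irq ? 0 : TDX_NO_SPLIT_IRQCHIP) | (cpu ? 0 : TDX_CPU_NOT_HOST) |
               (obj && cgs ? 0 : TDX_NO_GUEST_OBJECT);
}

int main(void) { /* constructed command line: pflash firmware and a named CPU model */
        const char *const bad[] = { "qemu-system-x86_64", "-machine", "q35,accel=kvm", "-cpu", "EPYC-v4",
                                    "-drive", "if=pflash,format=raw,file=/constructed/OVMF_CODE.fd" };
        printf("problems=0x%x\n", tdx_argv_problems(7, bad));
        return 0;
}
```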