| Message ID | 20241105062408.3533704-61-xiaoyao.li@intel.com (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | QEMU TDX support | expand |
On Tue, Nov 05, 2024 at 01:24:08AM -0500, Xiaoyao Li wrote: > Add docs/system/i386/tdx.rst for TDX support, and add tdx in > confidential-guest-support.rst > > Signed-off-by: Xiaoyao Li <xiaoyao.li@intel.com> > --- > Changes in v6: > - Add more information of "Feature configuration" > - Mark TD Attestation as future work because KVM now drops the support > of it. > > Changes in v5: > - Add TD attestation section and update the QEMU parameter; > > Changes since v1: > - Add prerequisite of private gmem; > - update example command to launch TD; > > Changes since RFC v4: > - add the restriction that kernel-irqchip must be split > --- > docs/system/confidential-guest-support.rst | 1 + > docs/system/i386/tdx.rst | 155 +++++++++++++++++++++ > docs/system/target-i386.rst | 1 + > 3 files changed, 157 insertions(+) > create mode 100644 docs/system/i386/tdx.rst > > diff --git a/docs/system/confidential-guest-support.rst b/docs/system/confidential-guest-support.rst > index 0c490dbda2b7..66129fbab64c 100644 > --- a/docs/system/confidential-guest-support.rst > +++ b/docs/system/confidential-guest-support.rst > @@ -38,6 +38,7 @@ Supported mechanisms > Currently supported confidential guest mechanisms are: > > * AMD Secure Encrypted Virtualization (SEV) (see :doc:`i386/amd-memory-encryption`) > +* Intel Trust Domain Extension (TDX) (see :doc:`i386/tdx`) > * POWER Protected Execution Facility (PEF) (see :ref:`power-papr-protected-execution-facility-pef`) > * s390x Protected Virtualization (PV) (see :doc:`s390x/protvirt`) > > diff --git a/docs/system/i386/tdx.rst b/docs/system/i386/tdx.rst > new file mode 100644 > index 000000000000..60106b29bf72 > --- /dev/null > +++ b/docs/system/i386/tdx.rst > +Feature check > +~~~~~~~~~~~~~ > + > +QEMU checks if the final (CPU) features, determined by given cpu model and > +explicit feature adjustment of "+featureA/-featureB", can be supported or not. > +It can produce feature not supported warnning like Typo in 'warnning' - repeated 'n' > + > + "warning: host doesn't support requested feature: CPUID.07H:EBX.intel-pt [bit 25]" > + > +It will also procude warning like > + > + "warning: TDX forcibly sets the feature: CPUID.80000007H:EDX.invtsc [bit 8]" > + > +if the fixed-1 feature is requested to be disabled explicitly. This is newly > +added to QEMU for TDX because TDX has fixed-1 features that are enfored enabled > +by TDX module and VMM cannot disable them. > + > +Launching a TD (TDX VM) > +----------------------- > + > +To launch a TDX guest, below are new added and required: > + > +.. parsed-literal:: > + > + |qemu_system_x86| \\ > + -object tdx-guest,id=tdx0 \\ > + -machine ...,kernel-irqchip=split,confidential-guest-support=tdx0 \\ > + -bios OVMF.fd \\ > + > +restrictions Capitalize initial "R" > +------------ With regards, Daniel
On Tue, 2024-11-05 at 01:24 -0500, Xiaoyao Li wrote: > diff --git a/docs/system/confidential-guest-support.rst > b/docs/system/confidential-guest-support.rst > index 0c490dbda2b7..66129fbab64c 100644 > --- a/docs/system/confidential-guest-support.rst > +++ b/docs/system/confidential-guest-support.rst > @@ -38,6 +38,7 @@ Supported mechanisms > Currently supported confidential guest mechanisms are: > > * AMD Secure Encrypted Virtualization (SEV) (see :doc:`i386/amd- > memory-encryption`) > +* Intel Trust Domain Extension (TDX) (see :doc:`i386/tdx`) > * POWER Protected Execution Facility (PEF) (see :ref:`power-papr- > protected-execution-facility-pef`) > * s390x Protected Virtualization (PV) (see :doc:`s390x/protvirt`) > > diff --git a/docs/system/i386/tdx.rst b/docs/system/i386/tdx.rst > new file mode 100644 > index 000000000000..60106b29bf72 > --- /dev/null > +++ b/docs/system/i386/tdx.rst > @@ -0,0 +1,155 @@ > +Intel Trusted Domain eXtension (TDX) > +==================================== > + > +Intel Trusted Domain eXtensions (TDX) refers to an Intel technology > that extends > +Virtual Machine Extensions (VMX) and Multi-Key Total Memory > Encryption (MKTME) > +with a new kind of virtual machine guest called a Trust Domain (TD). > A TD runs > +in a CPU mode that is designed to protect the confidentiality of its > memory > +contents and its CPU state from any other software, including the > hosting > +Virtual Machine Monitor (VMM), unless explicitly shared by the TD > itself. > + > +Prerequisites > +------------- > + > +To run TD, the physical machine needs to have TDX module loaded and > initialized > +while KVM hypervisor has TDX support and has TDX enabled. If those > requirements > +are met, the ``KVM_CAP_VM_TYPES`` will report the support of > ``KVM_X86_TDX_VM``. > + > +Trust Domain Virtual Firmware (TDVF) > +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > + > +Trust Domain Virtual Firmware (TDVF) is required to provide TD > services to boot > +TD Guest OS. TDVF needs to be copied to guest private memory and > measured before > +the TD boots. > + > +KVM vcpu ioctl ``KVM_TDX_INIT_MEM_REGION`` can be used to populates s/populates/populate > the TDVF > +content into its private memory. > + > +Since TDX doesn't support readonly memslot, TDVF cannot be mapped as > pflash > +device and it actually works as RAM. "-bios" option is chosen to > load TDVF. > + > +OVMF is the opensource firmware that implements the TDVF support. > Thus the > +command line to specify and load TDVF is ``-bios OVMF.fd`` > + > +Feature Configuration > +--------------------- > + > +Unlike non-TDX VM, the CPU features (enumerated by CPU or MSR) of a > TD is not s/is/are > +under full control of VMM. VMM can only configure part of features > of a TD on > +``KVM_TDX_INIT_VM`` command of VM scope ``MEMORY_ENCRYPT_OP`` ioctl. > + > +The configurable features have three types: > + > +- Attributes: > + - PKS (bit 30) controls whether Supervisor Protection Keys is > exposed to TD, > + which determines related CPUID bit and CR4 bit; > + - PERFMON (bit 63) controls whether PMU is exposed to TD. > + > +- XSAVE related features (XFAM): > + XFAM is a 64b mask, which has the same format as XCR0 or IA32_XSS > MSR. It > + determines the set of extended features available for use by the > guest TD. > + > +- CPUID features: > + Only some bits of some CPUID leaves are directly configurable by > VMM. > + > +What features can be configured is reported via TDX capabilities. > + > +TDX capabilities > +~~~~~~~~~~~~~~~~ > + > +The VM scope ``MEMORY_ENCRYPT_OP`` ioctl provides command > ``KVM_TDX_CAPABILITIES`` > +to get the TDX capabilities from KVM. It returns a data structure of > +``struct kvm_tdx_capabilities``, which tells the supported > configuration of > +attributes, XFAM and CPUIDs. > + > +TD attributes > +~~~~~~~~~~~~~ > + > +QEMU supports configuring raw 64-bit TD attributes directly via > "attributes" > +property of "tdx-guest" object. Note, it's users' responsibility to > provide a > +valid value because some bits may not supported by current QEMU or > KVM yet. > + > +QEMU also supports the configuration of individual attribute bits > that are > +supported by it, via propertyies of "tdx-guest" object. s/propertyies/properties > +E.g., "sept-ve-disable" (bit 63). > + > +MSR based features > +~~~~~~~~~~~~~~~~ > + > +Current KVM doesn't support MSR based feature (e.g., > MSR_IA32_ARCH_CAPABILITIES) > +configuration for TDX, and it's a future work to enable it in QEMU > when KVM adds > +support of it. > + > +Feature check > +~~~~~~~~~~~~~ > + > +QEMU checks if the final (CPU) features, determined by given cpu > model and > +explicit feature adjustment of "+featureA/-featureB", can be > supported or not. > +It can produce feature not supported warnning like > + > + "warning: host doesn't support requested feature: > CPUID.07H:EBX.intel-pt [bit 25]" > + > +It will also procude warning like s/procude/produce > + > + "warning: TDX forcibly sets the feature: > CPUID.80000007H:EDX.invtsc [bit 8]" > + > +if the fixed-1 feature is requested to be disabled explicitly. This > is newly > +added to QEMU for TDX because TDX has fixed-1 features that are > enfored enabled s/enfored/enforced > +by TDX module and VMM cannot disable them. > + > +Launching a TD (TDX VM) > +----------------------- > + > +To launch a TDX guest, below are new added and required: This sentence is missing a subject (such as "command line options"). > + > +.. parsed-literal:: > + > + |qemu_system_x86| \\ > + -object tdx-guest,id=tdx0 \\ > + -machine ...,kernel-irqchip=split,confidential-guest- > support=tdx0 \\ > + -bios OVMF.fd \\ > + > +restrictions > +------------ > + > + - kernel-irqchip must be split; > + > + - No readonly support for private memory; > + > + - No SMM support: SMM support requires manipulating the guset s/guset/guest > register states > + which is not allowed; > + > +Debugging > +--------- > + > +Bit 0 of TD attributes, is DEBUG bit, which decides if the TD runs > in off-TD > +debug mode. When in off-TD debug mode, TD's VCPU state and private > memory are > +accessible via given SEAMCALLs. This requires KVM to expose APIs to > invoke those > +SEAMCALLs and resonponding QEMU change. s/resonponding/corresponding
diff --git a/docs/system/confidential-guest-support.rst b/docs/system/confidential-guest-support.rst index 0c490dbda2b7..66129fbab64c 100644 --- a/docs/system/confidential-guest-support.rst +++ b/docs/system/confidential-guest-support.rst @@ -38,6 +38,7 @@ Supported mechanisms Currently supported confidential guest mechanisms are: * AMD Secure Encrypted Virtualization (SEV) (see :doc:`i386/amd-memory-encryption`) +* Intel Trust Domain Extension (TDX) (see :doc:`i386/tdx`) * POWER Protected Execution Facility (PEF) (see :ref:`power-papr-protected-execution-facility-pef`) * s390x Protected Virtualization (PV) (see :doc:`s390x/protvirt`) diff --git a/docs/system/i386/tdx.rst b/docs/system/i386/tdx.rst new file mode 100644 index 000000000000..60106b29bf72 --- /dev/null +++ b/docs/system/i386/tdx.rst @@ -0,0 +1,155 @@ +Intel Trusted Domain eXtension (TDX) +==================================== + +Intel Trusted Domain eXtensions (TDX) refers to an Intel technology that extends +Virtual Machine Extensions (VMX) and Multi-Key Total Memory Encryption (MKTME) +with a new kind of virtual machine guest called a Trust Domain (TD). A TD runs +in a CPU mode that is designed to protect the confidentiality of its memory +contents and its CPU state from any other software, including the hosting +Virtual Machine Monitor (VMM), unless explicitly shared by the TD itself. + +Prerequisites +------------- + +To run TD, the physical machine needs to have TDX module loaded and initialized +while KVM hypervisor has TDX support and has TDX enabled. If those requirements +are met, the ``KVM_CAP_VM_TYPES`` will report the support of ``KVM_X86_TDX_VM``. + +Trust Domain Virtual Firmware (TDVF) +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Trust Domain Virtual Firmware (TDVF) is required to provide TD services to boot +TD Guest OS. TDVF needs to be copied to guest private memory and measured before +the TD boots. + +KVM vcpu ioctl ``KVM_TDX_INIT_MEM_REGION`` can be used to populates the TDVF +content into its private memory. + +Since TDX doesn't support readonly memslot, TDVF cannot be mapped as pflash +device and it actually works as RAM. "-bios" option is chosen to load TDVF. + +OVMF is the opensource firmware that implements the TDVF support. Thus the +command line to specify and load TDVF is ``-bios OVMF.fd`` + +Feature Configuration +--------------------- + +Unlike non-TDX VM, the CPU features (enumerated by CPU or MSR) of a TD is not +under full control of VMM. VMM can only configure part of features of a TD on +``KVM_TDX_INIT_VM`` command of VM scope ``MEMORY_ENCRYPT_OP`` ioctl. + +The configurable features have three types: + +- Attributes: + - PKS (bit 30) controls whether Supervisor Protection Keys is exposed to TD, + which determines related CPUID bit and CR4 bit; + - PERFMON (bit 63) controls whether PMU is exposed to TD. + +- XSAVE related features (XFAM): + XFAM is a 64b mask, which has the same format as XCR0 or IA32_XSS MSR. It + determines the set of extended features available for use by the guest TD. + +- CPUID features: + Only some bits of some CPUID leaves are directly configurable by VMM. + +What features can be configured is reported via TDX capabilities. + +TDX capabilities +~~~~~~~~~~~~~~~~ + +The VM scope ``MEMORY_ENCRYPT_OP`` ioctl provides command ``KVM_TDX_CAPABILITIES`` +to get the TDX capabilities from KVM. It returns a data structure of +``struct kvm_tdx_capabilities``, which tells the supported configuration of +attributes, XFAM and CPUIDs. + +TD attributes +~~~~~~~~~~~~~ + +QEMU supports configuring raw 64-bit TD attributes directly via "attributes" +property of "tdx-guest" object. Note, it's users' responsibility to provide a +valid value because some bits may not supported by current QEMU or KVM yet. + +QEMU also supports the configuration of individual attribute bits that are +supported by it, via propertyies of "tdx-guest" object. +E.g., "sept-ve-disable" (bit 63). + +MSR based features +~~~~~~~~~~~~~~~~ + +Current KVM doesn't support MSR based feature (e.g., MSR_IA32_ARCH_CAPABILITIES) +configuration for TDX, and it's a future work to enable it in QEMU when KVM adds +support of it. + +Feature check +~~~~~~~~~~~~~ + +QEMU checks if the final (CPU) features, determined by given cpu model and +explicit feature adjustment of "+featureA/-featureB", can be supported or not. +It can produce feature not supported warnning like + + "warning: host doesn't support requested feature: CPUID.07H:EBX.intel-pt [bit 25]" + +It will also procude warning like + + "warning: TDX forcibly sets the feature: CPUID.80000007H:EDX.invtsc [bit 8]" + +if the fixed-1 feature is requested to be disabled explicitly. This is newly +added to QEMU for TDX because TDX has fixed-1 features that are enfored enabled +by TDX module and VMM cannot disable them. + +Launching a TD (TDX VM) +----------------------- + +To launch a TDX guest, below are new added and required: + +.. parsed-literal:: + + |qemu_system_x86| \\ + -object tdx-guest,id=tdx0 \\ + -machine ...,kernel-irqchip=split,confidential-guest-support=tdx0 \\ + -bios OVMF.fd \\ + +restrictions +------------ + + - kernel-irqchip must be split; + + - No readonly support for private memory; + + - No SMM support: SMM support requires manipulating the guset register states + which is not allowed; + +Debugging +--------- + +Bit 0 of TD attributes, is DEBUG bit, which decides if the TD runs in off-TD +debug mode. When in off-TD debug mode, TD's VCPU state and private memory are +accessible via given SEAMCALLs. This requires KVM to expose APIs to invoke those +SEAMCALLs and resonponding QEMU change. + +It's targeted as future work. + +TD attestation +-------------- + +In TD guest, the attestation process is used to verify the TDX guest +trustworthiness to other entities before provisioning secrets to the guest. + +TD attestation is initiated first by calling TDG.MR.REPORT inside TD to get the +REPORT. Then the REPORT data needs to be converted into a remotely verifiable +Quote by SGX Quoting Enclave (QE). + +It's a future work in QEMU to add support of TD attestation since it lacks +support in current KVM. + +Live Migration +-------------- + +Future work. + +References +---------- + +- `TDX Homepage <https://www.intel.com/content/www/us/en/developer/articles/technical/intel-trust-domain-extensions.html>`__ + +- `SGX QE <https://github.com/intel/SGXDataCenterAttestationPrimitives/tree/master/QuoteGeneration>`__ diff --git a/docs/system/target-i386.rst b/docs/system/target-i386.rst index ab7af1a75d6e..43b09c79d6be 100644 --- a/docs/system/target-i386.rst +++ b/docs/system/target-i386.rst @@ -31,6 +31,7 @@ Architectural features i386/kvm-pv i386/sgx i386/amd-memory-encryption + i386/tdx OS requirements ~~~~~~~~~~~~~~~
Add docs/system/i386/tdx.rst for TDX support, and add tdx in confidential-guest-support.rst Signed-off-by: Xiaoyao Li <xiaoyao.li@intel.com> --- Changes in v6: - Add more information of "Feature configuration" - Mark TD Attestation as future work because KVM now drops the support of it. Changes in v5: - Add TD attestation section and update the QEMU parameter; Changes since v1: - Add prerequisite of private gmem; - update example command to launch TD; Changes since RFC v4: - add the restriction that kernel-irqchip must be split --- docs/system/confidential-guest-support.rst | 1 + docs/system/i386/tdx.rst | 155 +++++++++++++++++++++ docs/system/target-i386.rst | 1 + 3 files changed, 157 insertions(+) create mode 100644 docs/system/i386/tdx.rst