[v6,60/60] docs: Add TDX documentation

Message ID	20241105062408.3533704-61-xiaoyao.li@intel.com
State	New
Headers	show Return-Path: <qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org> From: Xiaoyao Li <xiaoyao.li@intel.com> To: Paolo Bonzini <pbonzini@redhat.com>, Riku Voipio <riku.voipio@iki.fi>, Richard Henderson <richard.henderson@linaro.org>, Zhao Liu <zhao1.liu@intel.com>, "Michael S. Tsirkin" <mst@redhat.com>, Marcel Apfelbaum <marcel.apfelbaum@gmail.com>, Igor Mammedov <imammedo@redhat.com>, Ani Sinha <anisinha@redhat.com> Cc: =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= <philmd@linaro.org>, Yanan Wang <wangyanan55@huawei.com>, Cornelia Huck <cohuck@redhat.com>, =?utf-8?q?Daniel_P=2E_Berrang=C3=A9?= <berrange@redhat.com>, Eric Blake <eblake@redhat.com>, Markus Armbruster <armbru@redhat.com>, Marcelo Tosatti <mtosatti@redhat.com>, rick.p.edgecombe@intel.com, kvm@vger.kernel.org, qemu-devel@nongnu.org, xiaoyao.li@intel.com Subject: [PATCH v6 60/60] docs: Add TDX documentation Date: Tue, 5 Nov 2024 01:24:08 -0500 Message-Id: <20241105062408.3533704-61-xiaoyao.li@intel.com> In-Reply-To: <20241105062408.3533704-1-xiaoyao.li@intel.com> References: <20241105062408.3533704-1-xiaoyao.li@intel.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Received-SPF: pass client-ip=198.175.65.18; envelope-from=xiaoyao.li@intel.com; helo=mgamail.intel.com X-Spam_score_int: -39 X-Spam_score: -4.0 X-Spam_bar: ---- X-Spam_report: (-4.0 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.34, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=0.781, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action Precedence: list Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org Sender: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org
Series	QEMU TDX support \| expand [v6,00/60] QEMU TDX support [v6,01/60] * HACK * linux-headers: Update headers to pull in TDX API changes [v6,02/60] i386: Introduce tdx-guest object [v6,03/60] i386/tdx: Implement tdx_kvm_type() for TDX [v6,04/60] i386/tdx: Implement tdx_kvm_init() to initialize TDX VM context [v6,05/60] i386/tdx: Get tdx_capabilities via KVM_TDX_CAPABILITIES [v6,06/60] i386/tdx: Introduce is_tdx_vm() helper and cache tdx_guest object [v6,07/60] kvm: Introduce kvm_arch_pre_create_vcpu() [v6,08/60] i386/kvm: Export cpuid_entry_get_reg() and cpuid_find_entry() [v6,09/60] i386/tdx: Initialize TDX before creating TD vcpus [v6,10/60] i386/tdx: Add property sept-ve-disable for tdx-guest object [v6,11/60] i386/tdx: Make sept_ve_disable set by default [v6,12/60] i386/tdx: Wire CPU features up with attributes of TD guest [v6,13/60] i386/tdx: Validate TD attributes [v6,14/60] i386/tdx: Support user configurable mrconfigid/mrowner/mrownerconfig [v6,15/60] i386/tdx: Set APIC bus rate to match with what TDX module enforces [v6,16/60] i386/tdx: Implement user specified tsc frequency [v6,17/60] i386/tdx: load TDVF for TD guest [v6,18/60] i386/tdvf: Introduce function to parse TDVF metadata [v6,19/60] i386/tdx: Parse TDVF metadata for TDX VM [v6,20/60] i386/tdx: Don't initialize pc.rom for TDX VMs [v6,21/60] i386/tdx: Track mem_ptr for each firmware entry of TDVF [v6,22/60] i386/tdx: Track RAM entries for TDX VM [v6,23/60] headers: Add definitions from UEFI spec for volumes, resources, etc... [v6,24/60] i386/tdx: Setup the TD HOB list [v6,25/60] i386/tdx: Add TDVF memory via KVM_TDX_INIT_MEM_REGION [v6,26/60] i386/tdx: Call KVM_TDX_INIT_VCPU to initialize TDX vcpu [v6,27/60] i386/tdx: Finalize TDX VM [v6,28/60] i386/tdx: Enable user exit on KVM_HC_MAP_GPA_RANGE [v6,29/60] i386/tdx: Handle KVM_SYSTEM_EVENT_TDX_FATAL [v6,30/60] i386/tdx: Wire TDX_REPORT_FATAL_ERROR with GuestPanic facility [v6,31/60] i386/cpu: introduce x86_confidential_guest_cpu_instance_init() [v6,32/60] i386/tdx: implement tdx_cpu_instance_init() [v6,33/60] i386/cpu: introduce x86_confidenetial_guest_cpu_realizefn() [v6,34/60] i386/tdx: implement tdx_cpu_realizefn() [v6,35/60] i386/cpu: Introduce enable_cpuid_0x1f to force exposing CPUID 0x1f [v6,36/60] i386/tdx: Force exposing CPUID 0x1f [v6,37/60] i386/tdx: Set kvm_readonly_mem_enabled to false for TDX VM [v6,38/60] i386/tdx: Disable SMM for TDX VMs [v6,39/60] i386/tdx: Disable PIC for TDX VMs [v6,40/60] hw/i386: add eoi_intercept_unsupported member to X86MachineState [v6,41/60] hw/i386: add option to forcibly report edge trigger in acpi tables [v6,42/60] i386/tdx: Don't synchronize guest tsc for TDs [v6,43/60] i386/tdx: Only configure MSR_IA32_UCODE_REV in kvm_init_msrs() for TDs [v6,44/60] i386/tdx: Skip kvm_put_apicbase() for TDs [v6,45/60] i386/tdx: Don't get/put guest state for TDX VMs [v6,46/60] i386/cgs: Rename mask_cpuid_features() to adjust_cpuid_features() [v6,47/60] i386/tdx: Implement adjust_cpuid_features() for TDX [v6,48/60] i386/tdx: Apply TDX fixed0 and fixed1 information to supported CPUIDs [v6,49/60] i386/tdx: Mask off CPUID bits by unsupported TD Attributes [v6,50/60] i386/cpu: Move CPUID_XSTATE_XSS_MASK to header file and introduce CPUID_XSTATE_MASK [v6,51/60] i386/tdx: Mask off CPUID bits by unsupported XFAM [v6,52/60] i386/cpu: Expose mark_unavailable_features() for TDX [v6,53/60] i386/cpu: introduce mark_forced_on_features() [v6,54/60] i386/cgs: Introduce x86_confidential_guest_check_features() [v6,55/60] i386/tdx: Fetch and validate CPUID of TD guest [v6,56/60] i386/tdx: Don't treat SYSCALL as unavailable [v6,57/60] i386/tdx: Make invtsc default on [v6,58/60] cpu: Introduce qemu_early_init_vcpu() [v6,59/60] i386/cpu: Set up CPUID_HT in x86_cpu_realizefn() instead of cpu_x86_cpuid() [v6,60/60] docs: Add TDX documentation

Message ID

20241105062408.3533704-61-xiaoyao.li@intel.com

State

New

Headers

From: Xiaoyao Li <xiaoyao.li@intel.com>
To: Paolo Bonzini <pbonzini@redhat.com>, Riku Voipio <riku.voipio@iki.fi>,
 Richard Henderson <richard.henderson@linaro.org>,
 Zhao Liu <zhao1.liu@intel.com>, "Michael S. Tsirkin" <mst@redhat.com>,
 Marcel Apfelbaum <marcel.apfelbaum@gmail.com>,
 Igor Mammedov <imammedo@redhat.com>, Ani Sinha <anisinha@redhat.com>
Cc: =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= <philmd@linaro.org>,
 Yanan Wang <wangyanan55@huawei.com>, Cornelia Huck <cohuck@redhat.com>,
	=?utf-8?q?Daniel_P=2E_Berrang=C3=A9?= <berrange@redhat.com>,
 Eric Blake <eblake@redhat.com>, Markus Armbruster <armbru@redhat.com>,
 Marcelo Tosatti <mtosatti@redhat.com>, rick.p.edgecombe@intel.com,
 kvm@vger.kernel.org, qemu-devel@nongnu.org, xiaoyao.li@intel.com
Subject: [PATCH v6 60/60] docs: Add TDX documentation
Date: Tue,  5 Nov 2024 01:24:08 -0500
Message-Id: <20241105062408.3533704-61-xiaoyao.li@intel.com>
In-Reply-To: <20241105062408.3533704-1-xiaoyao.li@intel.com>
References: <20241105062408.3533704-1-xiaoyao.li@intel.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Received-SPF: pass client-ip=198.175.65.18;
 envelope-from=xiaoyao.li@intel.com;
 helo=mgamail.intel.com
X-Spam_score_int: -39
X-Spam_score: -4.0
X-Spam_bar: ----
X-Spam_report: (-4.0 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.34,
 DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
 HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=0.781, RCVD_IN_DNSWL_MED=-2.3,
 RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001,
 RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001,
 SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <https://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org
Sender: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org

Series

QEMU TDX support | expand

Commit Message

Xiaoyao Li Nov. 5, 2024, 6:24 a.m. UTC

Add docs/system/i386/tdx.rst for TDX support, and add tdx in
confidential-guest-support.rst

Signed-off-by: Xiaoyao Li <xiaoyao.li@intel.com>
---
Changes in v6:
 - Add more information of "Feature configuration"
 - Mark TD Attestation as future work because KVM now drops the support
   of it.

Changes in v5:
 - Add TD attestation section and update the QEMU parameter;

Changes since v1:
 - Add prerequisite of private gmem;
 - update example command to launch TD;

Changes since RFC v4:
 - add the restriction that kernel-irqchip must be split
---
 docs/system/confidential-guest-support.rst |   1 +
 docs/system/i386/tdx.rst                   | 155 +++++++++++++++++++++
 docs/system/target-i386.rst                |   1 +
 3 files changed, 157 insertions(+)
 create mode 100644 docs/system/i386/tdx.rst

diff --git a/docs/system/confidential-guest-support.rst b/docs/system/confidential-guest-support.rst
index 0c490dbda2b7..66129fbab64c 100644
--- a/docs/system/confidential-guest-support.rst
+++ b/docs/system/confidential-guest-support.rst
@@ -38,6 +38,7 @@  Supported mechanisms
 Currently supported confidential guest mechanisms are:
 
 * AMD Secure Encrypted Virtualization (SEV) (see :doc:`i386/amd-memory-encryption`)
+* Intel Trust Domain Extension (TDX) (see :doc:`i386/tdx`)
 * POWER Protected Execution Facility (PEF) (see :ref:`power-papr-protected-execution-facility-pef`)
 * s390x Protected Virtualization (PV) (see :doc:`s390x/protvirt`)
 
diff --git a/docs/system/i386/tdx.rst b/docs/system/i386/tdx.rst
new file mode 100644
index 000000000000..60106b29bf72
--- /dev/null
+++ b/docs/system/i386/tdx.rst
@@ -0,0 +1,155 @@ 
+Intel Trusted Domain eXtension (TDX)
+====================================
+
+Intel Trusted Domain eXtensions (TDX) refers to an Intel technology that extends
+Virtual Machine Extensions (VMX) and Multi-Key Total Memory Encryption (MKTME)
+with a new kind of virtual machine guest called a Trust Domain (TD). A TD runs
+in a CPU mode that is designed to protect the confidentiality of its memory
+contents and its CPU state from any other software, including the hosting
+Virtual Machine Monitor (VMM), unless explicitly shared by the TD itself.
+
+Prerequisites
+-------------
+
+To run TD, the physical machine needs to have TDX module loaded and initialized
+while KVM hypervisor has TDX support and has TDX enabled. If those requirements
+are met, the ``KVM_CAP_VM_TYPES`` will report the support of ``KVM_X86_TDX_VM``.
+
+Trust Domain Virtual Firmware (TDVF)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Trust Domain Virtual Firmware (TDVF) is required to provide TD services to boot
+TD Guest OS. TDVF needs to be copied to guest private memory and measured before
+the TD boots.
+
+KVM vcpu ioctl ``KVM_TDX_INIT_MEM_REGION`` can be used to populates the TDVF
+content into its private memory.
+
+Since TDX doesn't support readonly memslot, TDVF cannot be mapped as pflash
+device and it actually works as RAM. "-bios" option is chosen to load TDVF.
+
+OVMF is the opensource firmware that implements the TDVF support. Thus the
+command line to specify and load TDVF is ``-bios OVMF.fd``
+
+Feature Configuration
+---------------------
+
+Unlike non-TDX VM, the CPU features (enumerated by CPU or MSR) of a TD is not
+under full control of VMM. VMM can only configure part of features of a TD on
+``KVM_TDX_INIT_VM`` command of VM scope ``MEMORY_ENCRYPT_OP`` ioctl.
+
+The configurable features have three types:
+
+- Attributes:
+  - PKS (bit 30) controls whether Supervisor Protection Keys is exposed to TD,
+  which determines related CPUID bit and CR4 bit;
+  - PERFMON (bit 63) controls whether PMU is exposed to TD.
+
+- XSAVE related features (XFAM):
+  XFAM is a 64b mask, which has the same format as XCR0 or IA32_XSS MSR. It
+  determines the set of extended features available for use by the guest TD.
+
+- CPUID features:
+  Only some bits of some CPUID leaves are directly configurable by VMM.
+
+What features can be configured is reported via TDX capabilities.
+
+TDX capabilities
+~~~~~~~~~~~~~~~~
+
+The VM scope ``MEMORY_ENCRYPT_OP`` ioctl provides command ``KVM_TDX_CAPABILITIES``
+to get the TDX capabilities from KVM. It returns a data structure of
+``struct kvm_tdx_capabilities``, which tells the supported configuration of
+attributes, XFAM and CPUIDs.
+
+TD attributes
+~~~~~~~~~~~~~
+
+QEMU supports configuring raw 64-bit TD attributes directly via "attributes"
+property of "tdx-guest" object. Note, it's users' responsibility to provide a
+valid value because some bits may not supported by current QEMU or KVM yet.
+
+QEMU also supports the configuration of individual attribute bits that are
+supported by it, via propertyies of "tdx-guest" object.
+E.g., "sept-ve-disable" (bit 63).
+
+MSR based features
+~~~~~~~~~~~~~~~~
+
+Current KVM doesn't support MSR based feature (e.g., MSR_IA32_ARCH_CAPABILITIES)
+configuration for TDX, and it's a future work to enable it in QEMU when KVM adds
+support of it.
+
+Feature check
+~~~~~~~~~~~~~
+
+QEMU checks if the final (CPU) features, determined by given cpu model and
+explicit feature adjustment of "+featureA/-featureB", can be supported or not.
+It can produce feature not supported warnning like
+
+  "warning: host doesn't support requested feature: CPUID.07H:EBX.intel-pt [bit 25]"
+
+It will also procude warning like
+
+  "warning: TDX forcibly sets the feature: CPUID.80000007H:EDX.invtsc [bit 8]"
+
+if the fixed-1 feature is requested to be disabled explicitly. This is newly
+added to QEMU for TDX because TDX has fixed-1 features that are enfored enabled
+by TDX module and VMM cannot disable them.
+
+Launching a TD (TDX VM)
+-----------------------
+
+To launch a TDX guest, below are new added and required:
+
+.. parsed-literal::
+
+    |qemu_system_x86| \\
+        -object tdx-guest,id=tdx0 \\
+        -machine ...,kernel-irqchip=split,confidential-guest-support=tdx0 \\
+        -bios OVMF.fd \\
+
+restrictions
+------------
+
+ - kernel-irqchip must be split;
+
+ - No readonly support for private memory;
+
+ - No SMM support: SMM support requires manipulating the guset register states
+   which is not allowed;
+
+Debugging
+---------
+
+Bit 0 of TD attributes, is DEBUG bit, which decides if the TD runs in off-TD
+debug mode. When in off-TD debug mode, TD's VCPU state and private memory are
+accessible via given SEAMCALLs. This requires KVM to expose APIs to invoke those
+SEAMCALLs and resonponding QEMU change.
+
+It's targeted as future work.
+
+TD attestation
+--------------
+
+In TD guest, the attestation process is used to verify the TDX guest
+trustworthiness to other entities before provisioning secrets to the guest.
+
+TD attestation is initiated first by calling TDG.MR.REPORT inside TD to get the
+REPORT. Then the REPORT data needs to be converted into a remotely verifiable
+Quote by SGX Quoting Enclave (QE).
+
+It's a future work in QEMU to add support of TD attestation since it lacks
+support in current KVM.
+
+Live Migration
+--------------
+
+Future work.
+
+References
+----------
+
+- `TDX Homepage <https://www.intel.com/content/www/us/en/developer/articles/technical/intel-trust-domain-extensions.html>`__
+
+- `SGX QE <https://github.com/intel/SGXDataCenterAttestationPrimitives/tree/master/QuoteGeneration>`__
diff --git a/docs/system/target-i386.rst b/docs/system/target-i386.rst
index ab7af1a75d6e..43b09c79d6be 100644
--- a/docs/system/target-i386.rst
+++ b/docs/system/target-i386.rst
@@ -31,6 +31,7 @@  Architectural features
    i386/kvm-pv
    i386/sgx
    i386/amd-memory-encryption
+   i386/tdx
 
 OS requirements
 ~~~~~~~~~~~~~~~

[v6,60/60] docs: Add TDX documentation

Commit Message

Patch