qemu: tdx: Adapt to the TDX 1.5 stack

QEMU for TDX 1.5 makes use of private memory map/unmap. Make changes to govmm to support this. Support for private backing fd for memory is added as knob to the qemu config. Userspace's map/unmap operations are done by fallocate() ioctl on the backing store fd. Reference: https://lore.kernel.org/linux-mm/20220519153713.819591-1-chao.p.peng@linux.intel.com/ Fixes: #7770 Signed-off-by: Archana Shinde <archana.m.shinde@intel.com> Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2025-09-19 15:58:25 +00:00 · 2023-08-24 01:41:47 -07:00
parent 8115a0522d
commit 1e34220c41
4 changed files with 63 additions and 3 deletions
--- a/src/runtime/virtcontainers/qemu.go
+++ b/src/runtime/virtcontainers/qemu.go
@@ -604,6 +604,23 @@ func (q *qemu) CreateVM(ctx context.Context, id string, network Network, hypervi
 		return err
 	}

+	if q.config.ConfidentialGuest {
+		// At this point we're safe to just check for the protection field
+		// on the hypervisor specific code, as availableGuestProtection()
+		// has been called earlier and we know we have the value stored.
+		if q.arch.getProtection() == tdxProtection {
+			knobs.MemFDPrivate = true
+
+			// In case Nydus or VirtioFS is used, which may become a reality
+			// in the future, whenever we get those hardened for TDX, those
+			// knobs below would be automatically set.  Let's make sure we
+			// pre-emptively disable them, and with that we can avoid some
+			// headaches in the future.
+			knobs.FileBackedMem = false
+			knobs.MemShared = false
+		}
+	}
+
 	kernelPath, err := q.config.KernelAssetPath()
 	if err != nil {
 		return err
--- a/src/runtime/virtcontainers/qemu_arch_base.go
+++ b/src/runtime/virtcontainers/qemu_arch_base.go
@@ -71,6 +71,9 @@ type qemuArch interface {
 	// memoryTopology returns the memory topology using the given amount of memoryMb and hostMemoryMb
 	memoryTopology(memoryMb, hostMemoryMb uint64, slots uint8) govmmQemu.Memory

+	// protection returns platform protection
+	getProtection() guestProtection
+
 	// appendConsole appends a console to devices
 	appendConsole(ctx context.Context, devices []govmmQemu.Device, path string) ([]govmmQemu.Device, error)

@@ -280,6 +283,10 @@ func (q *qemuArchBase) machine() govmmQemu.Machine {
 	return q.qemuMachine
 }

+func (q *qemuArchBase) getProtection() guestProtection {
+	return q.protection
+}
+
 func (q *qemuArchBase) qemuPath() string {
 	return q.qemuExePath
 }