Merge pull request #12390 from mythi/tdx-updates-2026-2

runtime: tdx QEMU configuration changes

src/runtime/Makefile

@@ -174,10 +174,6 @@ HYPERVISORS := $(HYPERVISOR_FC) $(HYPERVISOR_QEMU) $(HYPERVISOR_CLH) $(HYPERVISO
 QEMUPATH := $(QEMUBINDIR)/$(QEMUCMD)
 QEMUVALIDHYPERVISORPATHS := [\"$(QEMUPATH)\"]
 
-#QEMUTDXPATH := $(QEMUBINDIR)/$(QEMUTDXCMD)
-QEMUTDXPATH := PLACEHOLDER_FOR_DISTRO_QEMU_WITH_TDX_SUPPORT
-QEMUTDXVALIDHYPERVISORPATHS := [\"$(QEMUTDXPATH)\"]
-
 QEMUTDXEXPERIMENTALPATH := $(QEMUBINDIR)/$(QEMUTDXEXPERIMENTALCMD)
 QEMUTDXEXPERIMENTALVALIDHYPERVISORPATHS := [\"$(QEMUTDXEXPERIMENTALPATH)\"]
 
@@ -702,18 +698,15 @@ USER_VARS += PROJECT_TYPE
 USER_VARS += PROJECT_URL
 USER_VARS += QEMUBINDIR
 USER_VARS += QEMUCMD
-USER_VARS += QEMUTDXCMD
 USER_VARS += QEMUTDXEXPERIMENTALCMD
 USER_VARS += QEMUCCAEXPERIMENTALCMD
 USER_VARS += QEMUSNPCMD
 USER_VARS += QEMUPATH
-USER_VARS += QEMUTDXPATH
 USER_VARS += QEMUTDXEXPERIMENTALPATH
 USER_VARS += QEMUTDXQUOTEGENERATIONSERVICESOCKETPORT
 USER_VARS += QEMUSNPPATH
 USER_VARS += QEMUCCAEXPERIMENTALPATH
 USER_VARS += QEMUVALIDHYPERVISORPATHS
-USER_VARS += QEMUTDXVALIDHYPERVISORPATHS
 USER_VARS += QEMUTDXEXPERIMENTALVALIDHYPERVISORPATHS
 USER_VARS += QEMUCCAVALIDHYPERVISORPATHS
 USER_VARS += QEMUCCAEXPERIMENTALVALIDHYPERVISORPATHS

src/runtime/config/configuration-qemu-tdx.toml.in

@@ -12,7 +12,7 @@
 # XXX:   Type: @PROJECT_TYPE@
 
 [hypervisor.qemu]
-path = "@QEMUTDXPATH@"
+path = "@QEMUPATH@"
 kernel = "@KERNELCONFIDENTIALPATH@"
 image = "@IMAGECONFIDENTIALPATH@"
 machine_type = "@MACHINETYPE@"
@@ -54,7 +54,7 @@ enable_annotations = @DEFENABLEANNOTATIONS_COCO@
 # Each member of the list is a path pattern as described by glob(3).
 # The default if not set is empty (all annotations rejected.)
 # Your distribution recommends: @QEMUVALIDHYPERVISORPATHS@
-valid_hypervisor_paths = @QEMUTDXVALIDHYPERVISORPATHS@
+valid_hypervisor_paths = @QEMUVALIDHYPERVISORPATHS@
 
 # Optional space-separated list of options to pass to the guest kernel.
 # For example, use `kernel_params = "vsyscall=emulate"` if you are having

tools/packaging/kata-deploy/binary/src/artifacts/install.rs

@@ -325,10 +325,6 @@ async fn configure_shim_config(config: &Config, shim: &str) -> Result<()> {
         configure_experimental_force_guest_pull(&kata_config_file).await?;
     }
 
-    if shim.contains("tdx") {
-        configure_tdx(config, shim, &kata_config_file).await?;
-    }
-
     if config.dest_dir != "/opt/kata" {
         adjust_installation_prefix(config, shim, &kata_config_file).await?;
     }
@@ -593,138 +589,6 @@ async fn configure_experimental_force_guest_pull(config_file: &Path) -> Result<(
     set_toml_bool_to_true(config_file, "runtime.experimental_force_guest_pull")
 }
 
-async fn configure_tdx(config: &Config, _shim: &str, config_file: &Path) -> Result<()> {
-    let os_release_paths = ["/host/etc/os-release", "/host/usr/lib/os-release"];
-    let mut os_release_content = String::new();
-    for path in &os_release_paths {
-        if Path::new(path).exists() {
-            os_release_content = fs::read_to_string(path)?;
-            break;
-        }
-    }
-
-    let id = extract_os_release_field(&os_release_content, "ID");
-    let version_id = extract_os_release_field(&os_release_content, "VERSION_ID");
-
-    match (id.as_deref(), version_id.as_deref()) {
-        (Some("ubuntu"), Some(v @ ("24.04" | "25.04" | "25.10"))) => {
-            tdx_supported(config, "ubuntu", v, config_file).await?;
-        }
-        (Some("ubuntu"), Some(v)) => {
-            log::warn!(
-                "Distro ubuntu {} does not support TDX and the TDX related runtime classes will not work in your cluster!",
-                v
-            );
-        }
-        (Some("ubuntu"), None) => {
-            log::warn!(
-                "Distro ubuntu does not have VERSION_ID and the TDX related runtime classes will not work in your cluster!"
-            );
-        }
-        (Some("centos"), Some("9")) => {
-            tdx_supported(config, "centos", "9", config_file).await?;
-        }
-        (Some("centos"), Some(v)) => {
-            log::warn!(
-                "Distro centos {} does not support TDX and the TDX related runtime classes will not work in your cluster!",
-                v
-            );
-        }
-        (Some("centos"), None) => {
-            log::warn!(
-                "Distro centos does not have VERSION_ID and the TDX related runtime classes will not work in your cluster!"
-            );
-        }
-        (Some(distro), _) => {
-            log::warn!(
-                "Distro {} does not support TDX and the TDX related runtime classes will not work in your cluster!",
-                distro
-            );
-        }
-        (None, _) => {
-            log::warn!(
-                "Could not determine OS distro and the TDX related runtime classes will not work in your cluster!"
-            );
-        }
-    }
-
-    Ok(())
-}
-
-fn extract_os_release_field(content: &str, field: &str) -> Option<String> {
-    for line in content.lines() {
-        if let Some((key, value)) = line.split_once('=') {
-            if key == field {
-                return Some(value.trim_matches('"').to_string());
-            }
-        }
-    }
-    None
-}
-
-async fn tdx_supported(
-    _config: &Config,
-    distro: &str,
-    version: &str,
-    config_file: &Path,
-) -> Result<()> {
-    let qemu_path = match distro {
-        "ubuntu" => "/usr/bin/qemu-system-x86_64",
-        "centos" => "/usr/libexec/qemu-kvm",
-        _ => return Ok(()),
-    };
-
-    let ovmf_path = match distro {
-        "ubuntu" => "/usr/share/ovmf/OVMF.fd",
-        "centos" => "/usr/share/edk2/ovmf/OVMF.inteltdx.fd",
-        _ => return Ok(()),
-    };
-
-    let current_qemu =
-        toml_utils::get_toml_value(config_file, "hypervisor.qemu.path").unwrap_or_default();
-    if current_qemu.contains("PLACEHOLDER_FOR_DISTRO_QEMU_WITH_TDX_SUPPORT") {
-        log::debug!(
-            "Updating hypervisor.qemu.path in {}: old=\"{}\" new=\"{}\"",
-            config_file.display(),
-            current_qemu,
-            qemu_path
-        );
-        toml_utils::set_toml_value(
-            config_file,
-            "hypervisor.qemu.path",
-            &format!("\"{qemu_path}\""),
-        )?;
-    }
-
-    let current_ovmf =
-        toml_utils::get_toml_value(config_file, "hypervisor.qemu.firmware").unwrap_or_default();
-    if current_ovmf.contains("PLACEHOLDER_FOR_DISTRO_OVMF_WITH_TDX_SUPPORT") {
-        log::debug!(
-            "Updating hypervisor.qemu.firmware in {}: old=\"{}\" new=\"{}\"",
-            config_file.display(),
-            current_ovmf,
-            ovmf_path
-        );
-        toml_utils::set_toml_value(
-            config_file,
-            "hypervisor.qemu.firmware",
-            &format!("\"{ovmf_path}\""),
-        )?;
-    }
-
-    let instructions = match distro {
-        "ubuntu" => "https://github.com/canonical/tdx/tree/3.3",
-        "centos" => "https://sigs.centos.org/virt/tdx",
-        _ => "",
-    };
-
-    info!(
-        "In order to use the tdx related runtime classes, ensure TDX is properly configured for {distro} {version} by following the instructions provided at: {instructions}"
-    );
-
-    Ok(())
-}
-
 async fn adjust_installation_prefix(config: &Config, shim: &str, config_file: &Path) -> Result<()> {
     let content = fs::read_to_string(config_file)?;
 
@@ -895,27 +759,6 @@ mod tests {
         }
     }
 
-    #[test]
-    fn test_extract_os_release_field() {
-        let content = r#"ID=ubuntu
-VERSION_ID="24.04"
-"#;
-        assert_eq!(extract_os_release_field(content, "ID"), Some("ubuntu".to_string()));
-        assert_eq!(extract_os_release_field(content, "VERSION_ID"), Some("24.04".to_string()));
-    }
-
-    #[test]
-    fn test_extract_os_release_field_empty() {
-        let content = "";
-        assert_eq!(extract_os_release_field(content, "ID"), None);
-    }
-
-    #[test]
-    fn test_extract_os_release_field_missing() {
-        let content = "ID=ubuntu\n";
-        assert_eq!(extract_os_release_field(content, "VERSION_ID"), None);
-    }
-
     #[test]
     fn test_get_hypervisor_name_qemu_variants() {
         // Test all QEMU variants
@@ -976,50 +819,6 @@ VERSION_ID="24.04"
         );
     }
 
-    #[test]
-    fn test_tdx_qemu_path_ubuntu() {
-        // Test TDX QEMU path resolution for Ubuntu
-        let qemu_path = match "ubuntu" {
-            "ubuntu" => "/usr/bin/qemu-system-x86_64",
-            "centos" => "/usr/libexec/qemu-kvm",
-            _ => "",
-        };
-        assert_eq!(qemu_path, "/usr/bin/qemu-system-x86_64");
-    }
-
-    #[test]
-    fn test_tdx_qemu_path_centos() {
-        // Test TDX QEMU path resolution for CentOS
-        let qemu_path = match "centos" {
-            "ubuntu" => "/usr/bin/qemu-system-x86_64",
-            "centos" => "/usr/libexec/qemu-kvm",
-            _ => "",
-        };
-        assert_eq!(qemu_path, "/usr/libexec/qemu-kvm");
-    }
-
-    #[test]
-    fn test_tdx_ovmf_path_ubuntu() {
-        // Test TDX OVMF path resolution for Ubuntu
-        let ovmf_path = match "ubuntu" {
-            "ubuntu" => "/usr/share/ovmf/OVMF.fd",
-            "centos" => "/usr/share/edk2/ovmf/OVMF.inteltdx.fd",
-            _ => "",
-        };
-        assert_eq!(ovmf_path, "/usr/share/ovmf/OVMF.fd");
-    }
-
-    #[test]
-    fn test_tdx_ovmf_path_centos() {
-        // Test TDX OVMF path resolution for CentOS
-        let ovmf_path = match "centos" {
-            "ubuntu" => "/usr/share/ovmf/OVMF.fd",
-            "centos" => "/usr/share/edk2/ovmf/OVMF.inteltdx.fd",
-            _ => "",
-        };
-        assert_eq!(ovmf_path, "/usr/share/edk2/ovmf/OVMF.inteltdx.fd");
-    }
-
     #[test]
     fn test_copy_artifacts_overwrites_existing_files() {
         use std::fs;