canonical / tdx

Intel confidential computing - TDX
GNU General Public License v3.0

Missing AVX flags #162

Closed marchrap closed 2 months ago

marchrap commented 2 months ago

Hello! I have successfully enabled TDX by following the README on my Granite Rapids, Ubuntu 24.04 machine with sudo dmesg | grep -i tdx returning:

[    1.936253] virt/tdx: BIOS enabled: private KeyID range [32, 64)
[    1.936257] virt/tdx: Disable ACPI S3. Turn off TDX in the BIOS to use ACPI S3.
[   10.410892] virt/tdx: TDX module: attributes 0x0, vendor_id 0x8086, major_version 1, minor_version 5, build_date 20231008, build_num 595
[   10.410903] virt/tdx: CMR: [0x100000, 0x6f800000)
[   10.410908] virt/tdx: CMR: [0x100000000, 0x205e000000)
[   10.410911] virt/tdx: CMR: [0x2080000000, 0x4060000000)
[   10.410913] virt/tdx: CMR: [0x4080000000, 0x6060000000)
[   10.410915] virt/tdx: CMR: [0x6080000000, 0x8060000000)
[   12.504801] virt/tdx: 2101268 KB allocated for PAMT
[   12.504813] virt/tdx: module initialized

When booting the TD using the default virsh .xml definition, I also see that the TD is working with sudo dmesg | grep -i tdx returning:

[    0.000000] tdx: Guest detected
[    0.000000] DMI: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 2024.02-3+tdx1.0 07/03/2024
[    0.506246] process: using TDX aware idle routine
[    0.598454] Memory Encryption Features active: Intel TDX

However, I end up with a system with only partial AVX flags:

Flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat clflush 
dts mmx fxsr sse sse2 syscall nx pdpe1gb rdtscp lm constant_tsc bts rep_good nopl tsc_reliable 
nonstop_tsc cpuid tsc_known_freq pni pclmulqdq dtes64 ds_cpl ssse3 fma cx16 pdcm pcid sse4_1 
sse4_2 x2apic movbe popcnt aes xsave rdrand hypervisor lahf_lm abm 3dnowprefetch cpuid_fault 
ssbd ibrs ibpb stibp ibrs_enhanced tdx_guest fsgsbase **avx2** smep invpcid rdseed smap clflushopt 
clwb sha_ni xsaveopt xsavec xgetbv1 xsaves **avx512vbmi** pku ospke bus_lock_detect movdiri 
movdir64b md_clear amx_bf16 **avx512_fp16** amx_tile amx_int8 flush_l1d arch_capabilities

It is surprising that some AVX flags are enabled, but some are not. If I spawn a normal VM using the same image but without:

<launchSecurity type='tdx'>
    <policy>0x10000000</policy>
</launchSecurity>

I get the expected flags:

Flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush
 dts mmx fxsr sse sse2 ss ht syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs
 bts rep_good nopl xtopology cpuid tsc_known_freq pni pclmulqdq dtes64 vmx ssse3 fma
 cx16 pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave **avx**
 f16c rdrand hypervisor lahf_lm abm 3dnowprefetch cpuid_fault ssbd ibrs ibpb stibp
 ibrs_enhanced tpr_shadow flexpriority ept vpid ept_ad fsgsbase tsc_adjust sgx
 bmi1 **avx2** smep bmi2 erms invpcid **avx512f** **avx512dq** rdseed adx smap **avx512ifma**
 clflushopt clwb **avx512cd** sha_ni **avx512bw** **avx512vl** xsaveopt xsavec xgetbv1 xsaves **avx_vnni**
 **avx512_bf16** wbnoinvd arat vnmi **avx512vbmi** umip pku ospke waitpkg **avx512_vbmi2**
 gfni vaes vpclmulqdq **avx512_vnni** **avx512_bitalg** **avx512_vpopcntdq** la57 rdpid bus_lock_detect
 cldemote movdiri movdir64b sgx_lc fsrm md_clear serialize tsxldtrk amx_bf16 **avx512_fp16**
 amx_tile amx_int8 flush_l1d arch_capabilities

Adding statements in the .xml definition, such as <feature name='avx' policy='force'/>, does not help. I also do not see any related errors in debug logs (/var/log/libvirt/qemu). The AVX flags are also not visible if I boot the TD using pure QEMU without libvirt (run_td.sh).

Thanks for any recommendations/help on how to debug this further or reasons why I might be seeing such behavior.

syncronize-issues-to-jira[bot] commented 2 months ago

Thank you for reporting your feedback to us!

The internal ticket has been created: https://warthogs.atlassian.net/browse/PEK-849.

This message was autogenerated

fanchen2 commented 2 months ago

It should be caused by the old TDX module (you are using the old version built in 2023), which doesn't match the new KVM code here. Could you update your TDX module to the latest version?

marchrap commented 2 months ago

@fanchen2, thanks, the update of the TDX module solved the issue.
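The two checks this thread relied on (reading the TDX module version and build date from the host's dmesg line, and diffing the TD's CPU flags against a normal VM's) can be scripted. The following is an added example, not code from the thread or from the canonical/tdx project; the function names are hypothetical, the flag lists are abridged from the report above, and the "sub-feature without its base flag" heuristic is an assumption of this example.

```python
import re

# Host dmesg line as posted in the report above.
HOST_DMESG = (
    "[   10.410892] virt/tdx: TDX module: attributes 0x0, vendor_id 0x8086, "
    "major_version 1, minor_version 5, build_date 20231008, build_num 595"
)
# Flag lists abridged from the report (TD guest vs. normal VM on the same host).
TD_FLAGS = "fpu sse sse2 fma xsave avx2 avx512vbmi avx512_fp16 amx_tile tdx_guest"
VM_FLAGS = ("fpu sse sse2 fma xsave avx f16c avx2 avx512f avx512dq avx512bw "
            "avx512vl avx_vnni avx512vbmi avx512_fp16 amx_tile")

MODULE_RE = re.compile(
    r"virt/tdx: TDX module:.*?major_version (\d+), minor_version (\d+), "
    r"build_date (\d{8}), build_num (\d+)"
)

def tdx_module_info(dmesg_text):
    """Return the TDX module fields logged by the host kernel, or None."""
    m = MODULE_RE.search(dmesg_text)
    if not m:
        return None
    major, minor, build_date, build_num = m.groups()
    return {"version": f"{major}.{minor}", "build_date": build_date,
            "build_num": int(build_num)}

def missing_flags(reference, observed, prefix="avx"):
    """Flags starting with `prefix` that are in `reference` but not in `observed`."""
    ref, obs = set(reference.split()), set(observed.split())
    return sorted(f for f in ref - obs if f.startswith(prefix))

def inconsistent_avx(flags):
    """Heuristic (assumption): AVX2/AVX-512 sub-features without their base flag."""
    s = set(flags.split())
    has_512_sub = any(f.startswith("avx512") and f != "avx512f" for f in s)
    return ("avx2" in s and "avx" not in s) or (has_512_sub and "avx512f" not in s)

if __name__ == "__main__":
    print(tdx_module_info(HOST_DMESG))
    print(missing_flags(VM_FLAGS, TD_FLAGS))
    print(inconsistent_avx(TD_FLAGS), inconsistent_avx(VM_FLAGS))
```

On a live system, pass the output of sudo dmesg from the host and the contents of the flags line from /proc/cpuinfo in each guest instead of the embedded samples.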

nanometerzhu commented 1 month ago

@fanchen2 I have a similar issue. Could you provide info about how to update the TDX module?

fanchen2 commented 1 month ago

> @fanchen2 I have a similar issue. Could you provide info about how to update the TDX module?

Generally, you can ask your vendor for a newer IFWI (BIOS). @hector-cao Any other ideas?