canonical / tdx

Intel confidential computing - TDX
GNU General Public License v3.0

TDX guest undetected when booting with virsh #172

Open BastienFaivre opened 1 month ago

BastienFaivre commented 1 month ago

Hi,

After setting up the environment, I tried to boot the TD image with QEMU, which worked perfectly. Indeed, in the TD image, I get the following:

root@tdx-guest:~# dmesg | grep -i tdx
[    0.000000] tdx: Guest detected
[    1.776700] Memory Encryption Features active: Intel TDX
[   13.166341] systemd[1]: Detected confidential virtualization tdx.
[   13.168137] systemd[1]: Hostname set to <tdx-guest>.
root@tdx-guest:~#

However, when I try to boot the TD image with virsh using the given tdvirsh script, the TDX guest is undetected. Here is what I got:

$ ./tdvirsh new
Create and run new TD ...
---
Id:             1
Name:           td_guest-0fabd9d1-0e72-478d-aeb4-30ef6769c111
UUID:           0fabd9d1-0e72-478d-aeb4-30ef6769c111
OS Type:        hvm
State:          running
CPU(s):         16
CPU time:       0.2s
Max memory:     2097152 KiB
Used memory:    2097152 KiB
Persistent:     yes
Autostart:      disable
Managed save:   no
Security model: none
Security DOI:   0
Messages:       tainted: custom configuration parameters specified

$ ./tdvirsh list --all
Id   Name                                            State
---------------------------------------------------------------
1    td_guest-0fabd9d1-0e72-478d-aeb4-30ef6769c111   running (ssh:43479, cid:3)

$ ssh -p 43479 root@localhost

...

root@tdx-guest:~# dmesg | grep -i tdx
[    0.000000] DMI: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 2023.05-2+tdx1.0 11/05/2023
[    3.646648] systemd[1]: Hostname set to <tdx-guest>.
root@tdx-guest:~#

Am I missing something in the configuration or execution with virsh?

Furthermore, with the version of virsh I am using,

$ virsh version
Compiled against library: libvirt 10.4.0
Using library: libvirt 10.4.0
Using API: QEMU 10.4.0
Running hypervisor: QEMU 8.2.50
$

I had to modify the provided td_guest.xml.template file because the tag launchSecurity does not recognize the type value tdx. After some research, I tried to rename the tag to launchSecurityTDX as mentioned here, and it works. I am a bit surprised since this documentation is from 3 years ago, and the most updated one does not mention this tag at all...

What version of virsh are you using to have the template from the repository working?

Thank you in advance for your support!
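The two dmesg excerpts quoted above differ in exactly one respect that matters for confidentiality: the QEMU boot prints `tdx: Guest detected` and `Memory Encryption Features active: Intel TDX`, while the virsh boot only shows a firmware build string containing "tdx", which is not evidence that the guest is actually running as a TD. The following shell script is an added example, not part of the issue or the canonical/tdx repository; it encodes that distinction as a check that can be run inside a guest after boot. The two sample logs are constructed from the output quoted in the issue, and the `tdx_guest` CPU flag used by `tdx_status` is the Linux kernel's /proc/cpuinfo name for the TDX guest feature.

```sh
#!/bin/sh
# Added example (not from the issue): decide whether the guest kernel
# actually detected TDX, rather than merely booting TDX-capable firmware.

# Constructed from the issue's QEMU boot: TDX was detected.
DMESG_QEMU='[    0.000000] tdx: Guest detected
[    1.776700] Memory Encryption Features active: Intel TDX
[   13.166341] systemd[1]: Detected confidential virtualization tdx.'

# Constructed from the issue's virsh boot: only the BIOS string mentions tdx.
DMESG_VIRSH='[    0.000000] DMI: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 2023.05-2+tdx1.0 11/05/2023
[    3.646648] systemd[1]: Hostname set to <tdx-guest>.'

# tdx_detected_in LOGTEXT
# Exit 0 if the kernel log says the guest runs under TDX, 1 otherwise.
# Deliberately does not match on the BIOS version string: a TDX-enabled
# firmware build can be used for a plain VM, as the virsh log shows.
tdx_detected_in() {
    printf '%s\n' "$1" | grep -q \
        -e 'tdx: Guest detected' \
        -e 'Memory Encryption Features active: Intel TDX'
}

# tdx_status
# Check the running system: the kernel log plus the tdx_guest CPU flag.
# Prints "TDX guest" or "not a TDX guest" and exits accordingly.
tdx_status() {
    if tdx_detected_in "$(dmesg 2>/dev/null)" \
       && grep -q -w 'tdx_guest' /proc/cpuinfo 2>/dev/null; then
        echo "TDX guest"
        return 0
    fi
    echo "not a TDX guest"
    return 1
}
```

Run `tdx_status` inside the guest; for the virsh-booted VM from the issue it reports "not a TDX guest", which is the condition that should block any workload relying on the TD's memory protection until the libvirt configuration is fixed.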

syncronize-issues-to-jira[bot] commented 1 month ago

Thank you for reporting your feedback to us!

The internal ticket has been created: https://warthogs.atlassian.net/browse/PEK-898.

This message was autogenerated

hector-cao commented 1 month ago

@BastienFaivre Hello, could you provide the package version of libvirt (dpkg -l | grep libvirt) and the kernel version of the 2 guests (uname -a)?

BastienFaivre commented 1 month ago

Hi @hector-cao, I have installed libvirt from source, here is what I've done:

$ git clone https://github.com/intel/libvirt-tdx.git
$ cd libvirt-tdx
$ git checkout tdx_for_upstream_v1
$ meson setup build -Dsystem=true -Ddriver_qemu=enabled -Ddriver_libvirtd=enabled -Ddriver_remote=enabled
$ ninja -C build
$ sudo ninja -C build install

But here is still the command output:

$ sudo dpkg -l | grep libvirt
ii  libsys-virt-perl                         10.0.0-1build2                             amd64        Perl module providing an extension for the libvirt library
rc  libvirt-daemon-config-network            10.0.0-2ubuntu8.3                          all          Libvirt daemon configuration files (default network)
rc  libvirt-daemon-config-nwfilter           10.0.0-2ubuntu8.3                          all          Libvirt daemon configuration files (default network filters)
rc  libvirt-daemon-driver-qemu               10.0.0-2ubuntu8.3                          amd64        Virtualization daemon QEMU connection driver
rc  libvirt-daemon-system-systemd            10.0.0-2ubuntu8.3                          all          Libvirt daemon configuration files (systemd)
ii  libvirt-dev:amd64                        10.0.0-2ubuntu8.3                          amd64        development files for the libvirt library
ii  libvirt-glib-1.0-0:amd64                 5.0.0-2build3                              amd64        libvirt GLib and GObject mapping library
ii  libvirt-glib-1.0-data                    5.0.0-2build3                              all          Common files for libvirt GLib library
ii  libvirt-l10n                             10.0.0-2ubuntu8.3                          all          localization for the libvirt library
ii  libvirt0:amd64                           10.0.0-2ubuntu8.3                          amd64        library for interfacing with different virtualization systems
ii  python3-libvirt                          10.0.0-1build1                             amd64        libvirt Python 3 bindings

Furthermore, here is the kernel version of the host and guest (I use the same guest for both QEMU and virsh):

# host
Linux <host name> 6.8.1-rt8+ #1 SMP PREEMPT_RT Wed May 29 16:23:24 CEST 2024 x86_64 x86_64 x86_64 GNU/Linux
# guest
Linux tdx-guest 6.8.1-rt8 #3 SMP PREEMPT_RT Thu Jul  4 14:46:19 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

hector-cao commented 1 month ago

@BastienFaivre None of these components seem to come from our release. Did you follow the setup process?

BastienFaivre commented 1 week ago

Hi @hector-cao, sorry for the delay, I was on vacation. We are currently looking into the origin of the components we use. We will get back to you as soon as we have an update to share.