On 6/30/2025 2:17 PM, Zhenzhong Duan wrote:
Signed-off-by: Zhenzhong Duan <zhenzhong.d...@intel.com>
---
docs/formatdomain.rst | 63 +++++++++++++++++++++++++++++++++++++++++++
1 file changed, 63 insertions(+)
diff --git a/docs/formatdomain.rst b/docs/formatdomain.rst
index 9a2f065590..5acebefec0 100644
--- a/docs/formatdomain.rst
+++ b/docs/formatdomain.rst
@@ -9528,6 +9528,69 @@ The ``<launchSecurity/>`` element then accepts the
following child elements:
the SNP_LAUNCH_FINISH command in the SEV-SNP firmware ABI.
+The contents of the ``<launchSecurity type='tdx'>`` element is used to provide
+the guest owners input used for creating an encrypted VM using the Intel TDX
+(Trusted Domain eXtensions). Intel TDX refers to an Intel technology that
+extends Virtual Machine Extensions (VMX) and Multi-Key Total Memory Encryption
+(MKTME) with a new kind of virtual machine guest called a Trust Domain (TD).
+A TD runs in a CPU mode that is designed to protect the confidentiality of its
+memory contents and its CPU state from any other software, including the
hosting
+Virtual Machine Monitor (VMM), unless explicitly shared by the TD itself.
+Example configuration:
+
+::
+
+ <domain>
+ ...
+ <launchSecurity type='tdx'>
+ <policy>0x10000001</policy>
+ <mrConfigId>xxx</mrConfigId>
+ <mrOwner>xxx</mrOwner>
+ <mrOwnerConfig>xxx</mrOwnerConfig>
+ <quoteGenerationSocket path="/var/run/tdx-qgs/qgs.socket"/>
+ </launchSecurity>
+ ...
+ </domain>
+
+``policy``
+ The optional ``policy`` element provides the guest TD attributes which is
+ passed by the host VMM as a guest TD initialization parameter as part of
+ TD_PARAMS, it exactly matches the definition of TD_PARAMS.ATTRIBUTES in
+ (Intel TDX Module Spec Table 22.2: ATTRIBUTES Definition). It is reported
+ to the guest TD by TDG.VP.INFO and as part of TDREPORT_STRUCT returned by
+ TDG.MR.REPORT. The guest policy is 64bit unsigned with the fields shown
+ in Table:
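Review bot: The example `<policy>0x10000001</policy>` has bit 0 set, and in the TD_PARAMS.ATTRIBUTES layout this text cites (TDX Module spec Table 22.2) bit 0 is the DEBUG attribute, so a reader who copies the example gets a TD in debug mode whose memory and CPU state the host can inspect, which contradicts the confidentiality claim made a few lines above; either change the example to `0x10000000` (bit 28, SEPT_VE_DISABLE, alone) or state beside the example that bit 0 enables debug and must be clear for a production guest. Smaller points in the same hunk: "Trusted Domain eXtensions" should be "Trust Domain Extensions", matching the "Trust Domain (TD)" expansion two lines later; "The contents of ... is used to provide the guest owners input" should read "The contents of ... are used to provide the guest owner's input"; the `policy` description is one run-on sentence, so split it at "as part of TD_PARAMS." and write "a 64-bit unsigned integer"; and the `xxx` placeholders for `mrConfigId`, `mrOwner` and `mrOwnerConfig` give the user no idea of the expected encoding or length, so the example should show a value of the right form or the element descriptions should state it.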
(This should be a comment on the patch that enables the policy; I'm just
too lazy to find that patch.)
Could we rename "policy" to "attributes", or more precisely
"tdAttributes"? It's not intuitive for users to connect "policy" with
"TD attributes".