Add TDX support

Makefile

@@ -14,6 +14,8 @@ SNP_INIT_SRC =	init/tee/snp_attest.c		\
 		init/tee/snp_attest.h		\
 		$(KBS_INIT_SRC)			\
 
+TDX_INIT_SRC = $(KBS_INIT_SRC)
+
 KBS_LD_FLAGS =	-lcurl -lidn2 -lssl -lcrypto -lzstd -lz -lbrotlidec-static \
 		-lbrotlicommon-static
 
@@ -27,6 +29,14 @@ ifeq ($(SEV),1)
     INIT_SRC += $(SNP_INIT_SRC)
 	BUILD_INIT = 0
 endif
+ifeq ($(TDX),1)
+    VARIANT = -tdx
+    FEATURE_FLAGS := --features intel-tdx,tee,blk,kbs-types,serde,serde_json,curl
+    INIT_DEFS += -DTDX=1
+    INIT_DEFS += $(KBS_LD_FLAGS)
+    INIT_SRC += $(KBS_INIT_SRC)
+    BUILD_INIT = 0
+endif
 ifeq ($(GPU),1)
     FEATURE_FLAGS += --features gpu
 endif
@@ -91,6 +101,9 @@ $(LIBRARY_RELEASE_$(OS)): $(INIT_BINARY)
 ifeq ($(SEV),1)
 	mv target/release/libkrun.so target/release/$(KRUN_BASE_$(OS))
 endif
+ifeq ($(TDX),1)
+	mv target/release/libkrun.so target/release/$(KRUN_BASE_$(OS))
+endif
 ifeq ($(OS),Darwin)
 ifeq ($(EFI),1)
 	install_name_tool -id libkrun-efi.dylib target/release/libkrun.dylib
@@ -103,6 +116,9 @@ $(LIBRARY_DEBUG_$(OS)): $(INIT_BINARY)
 	cargo build $(FEATURE_FLAGS)
 ifeq ($(SEV),1)
 	mv target/debug/libkrun.so target/debug/$(KRUN_BASE_$(OS))
+endif
+ifeq ($(TDX),1)
+	mv target/debug/libkrun.so target/debug/$(KRUN_BASE_$(OS))
 endif
 	cp target/debug/$(KRUN_BASE_$(OS)) $(LIBRARY_DEBUG_$(OS))
 

examples/Makefile

@@ -4,6 +4,7 @@ LDFLAGS_x86_64_Linux = -lkrun
 LDFLAGS_aarch64_Linux = -lkrun
 LDFLAGS_arm64_Darwin = -L/opt/homebrew/lib -lkrun
 LDFLAGS_sev = -lkrun-sev
+LDFLAGS_tdx = -lkrun-tdx
 LDFLAGS_efi = -L/opt/homebrew/lib -lkrun-efi
 CFLAGS = -O2 -g -I../include
 ROOTFS_DISTRO := fedora
@@ -15,6 +16,9 @@ EXAMPLES := chroot_vm external_kernel
 ifeq ($(SEV),1)
     EXAMPLES := launch-tee
 endif
+ifeq ($(TDX),1)
+    EXAMPLES := launch-tee
+endif
 ifeq ($(EFI),1)
     EXAMPLES := boot_efi
 endif
@@ -28,7 +32,12 @@ ifeq ($(OS),Darwin)
 endif
 
 launch-tee: launch-tee.c
+ifeq ($(SEV),1)
 	gcc -o $@ $< $(CFLAGS) $(LDFLAGS_sev)
+endif
+ifeq ($(TDX),1)
+	gcc -o $@ $< $(CFLAGS) $(LDFLAGS_tdx)
+endif
 
 boot_efi: boot_efi.c
 	gcc -o $@ $< $(CFLAGS) $(LDFLAGS_efi)

examples/launch-tee.c

@@ -120,6 +120,12 @@ int main(int argc, char *const argv[])
         return -1;
     }
 
+    if (err = krun_split_irqchip(ctx_id, true)) {
+        errno = -err;
+        perror("Error setting split IRQCHIP property");
+        return -1;
+    }
+
     // Start and enter the microVM. Unless there is some error while creating the microVM
     // this function never returns.
     if (err = krun_start_enter(ctx_id)) {

examples/tdx-config-noattest.json

@@ -0,0 +1,8 @@
+{
+    "workload_id": "tdxtest",
+    "cpus": 1,
+    "ram_mib": 2048,
+    "tee": "tdx",
+    "tee_data": "{\"vendor_chain\": \"\", \"attestation_server_pubkey\": \"\"}",    
+    "attestation_url": ""
+}

src/arch/Cargo.toml

@@ -7,6 +7,7 @@ edition = "2021"
 [features]
 tee = []
 amd-sev = [ "tee" ]
+intel-tdx = [ "tee", "tdx" ]
 efi = []
 
 [dependencies]
@@ -18,8 +19,9 @@ smbios = { path = "../smbios" }
 utils = { path = "../utils" }
 
 [target.'cfg(target_os = "linux")'.dependencies]
-kvm-bindings = { version = ">=0.8", features = ["fam-wrappers"] }
-kvm-ioctls = ">=0.17"
+kvm-bindings = { git = "https://github.com/jakecorrenti/kvm-bindings.git", branch = "tdx", features = ["fam-wrappers"]}
+kvm-ioctls = { git = "https://github.com/jakecorrenti/kvm-ioctls.git", branch = "tdx"}
+tdx = { git = "https://github.com/jakecorrenti/tdx.git", branch = "libkrun-modifications", optional = true }
 
 [dev-dependencies]
 utils = { path = "../utils" }

src/arch/src/x86_64/mod.rs

@@ -51,7 +51,10 @@ pub enum Error {
 
 // Where BIOS/VGA magic would live on a real PC.
 const EBDA_START: u64 = 0x9fc00;
+#[cfg(not(feature = "intel-tdx"))]
 pub const RESET_VECTOR: u64 = 0xfff0;
+#[cfg(feature = "intel-tdx")]
+pub const RESET_VECTOR: u64 = 0xffff_fff0;
 pub const RESET_VECTOR_SEV_AP: u64 = 0xfff3;
 pub const BIOS_START: u64 = 0xffff_0000;
 pub const BIOS_SIZE: usize = 65536;
@@ -268,12 +271,20 @@ pub fn configure_system(
         params.0.hdr.ramdisk_size = initrd_config.size as u32;
     }
 
-    #[cfg(feature = "tee")]
+    #[cfg(all(feature = "tee", not(feature = "intel-tdx")))]
     {
         params.0.hdr.syssize = num_cpus as u32;
     }
 
-    add_e820_entry(&mut params.0, 0, EBDA_START, E820_RAM)?;
+    #[cfg(feature = "intel-tdx")]
+    {
+        // number of 4k pages
+        params.0.hdr.syssize = (arch_memory_info.ram_last_addr / 4096) as u32;
+        // nuymber of vCPUs
+        params.0.hdr.root_flags = num_cpus as u16;
+    }
+
+    add_e820_entry(&mut params.0, 0, EBDA_START - 0x10000, E820_RAM)?;
 
     let last_addr = GuestAddress(arch_memory_info.ram_last_addr);
     if last_addr < end_32bit_gap_start {

src/cpuid/Cargo.toml

@@ -8,5 +8,5 @@ edition = "2021"
 vmm-sys-util = ">=0.11"
 
 [target.'cfg(target_os = "linux")'.dependencies]
-kvm-bindings = { version = ">=0.8", features = ["fam-wrappers"] }
-kvm-ioctls = ">=0.17"
+kvm-bindings = { git = "https://github.com/jakecorrenti/kvm-bindings.git", branch = "tdx", features = ["fam-wrappers"]}
+kvm-ioctls = { git = "https://github.com/jakecorrenti/kvm-ioctls.git", branch = "tdx"}

src/cpuid/src/transformer/intel.rs

@@ -17,11 +17,56 @@ pub fn update_feature_info_entry(
 
     common::update_feature_info_entry(entry, vm_spec)?;
 
+    if entry.index == 0x1 {
+        println!("adjusting 0x1 index feature");
+        entry.ecx &= (1 << 21);
+    }
+
     entry.ecx.write_bit(ecx::TSC_DEADLINE_TIMER_BITINDEX, true);
 
     Ok(())
 }
 
+pub fn update_kvm_features(entry: &mut kvm_cpuid_entry2, vm_spec: &VmSpec) -> Result<(), Error> {
+    // KVM feature bits
+    const NOP_IO_RELAY: u32 = 1;
+    const PV_UNHALT: u32 = 1;
+    const PV_TLB_FLUSH: u32 = 9;
+    const PV_SEND_IPI: u32 = 11;
+    const POLL_CONTROL: u32 = 12;
+    const PV_SCHED_YIELD: u32 = 13;
+    const MSI_EXT_DEST_ID: u32 = 15;
+
+    // These features are not supported by TDX
+    entry.eax &= (1 << NOP_IO_RELAY)
+        | (1 << PV_UNHALT)
+        | (1 << PV_TLB_FLUSH)
+        | (1 << PV_SEND_IPI)
+        | (1 << POLL_CONTROL)
+        | (1 << PV_SCHED_YIELD)
+        | (1 << MSI_EXT_DEST_ID);
+    Ok(())
+}
+
+pub fn update_0xd_for_tdx(entry: &mut kvm_cpuid_entry2, vm_spec: &VmSpec) -> Result<(), Error> {
+    if entry.function == 0xD && entry.index == 0 {
+        const XFEATURE_MASK_XTILE: u32 = (1 << 17) | (1 << 18);
+        if (entry.eax & XFEATURE_MASK_XTILE) != XFEATURE_MASK_XTILE {
+            entry.eax &= !XFEATURE_MASK_XTILE;
+        }
+    }
+
+    if entry.function == 0xD && entry.index == 1 {
+        entry.ecx &= !(1 << 15);
+        const XFEATURE_MASK_CET: u32 = (1 << 11) | (1 << 12);
+        if entry.ecx & XFEATURE_MASK_CET > 0 {
+            entry.ecx |= XFEATURE_MASK_CET;
+        }
+    }
+
+    Ok(())
+}
+
 fn update_deterministic_cache_entry(
     entry: &mut kvm_cpuid_entry2,
     vm_spec: &VmSpec,
@@ -146,6 +191,8 @@ impl CpuidTransformer for IntelCpuidTransformer {
             leaf_0x6::LEAF_NUM => Some(intel::update_power_management_entry),
             leaf_0xa::LEAF_NUM => Some(intel::update_perf_mon_entry),
             leaf_0xb::LEAF_NUM => Some(intel::update_extended_cache_topology_entry),
+            leaf_0xd::LEAF_NUM => Some(intel::update_0xd_for_tdx),
+            0x4000_0001 => Some(intel::update_kvm_features),
             0x8000_0002..=0x8000_0004 => Some(common::update_brand_string_entry),
             _ => None,
         }

src/devices/Cargo.toml

@@ -43,8 +43,8 @@ lru = ">=0.9"
 [target.'cfg(target_os = "linux")'.dependencies]
 rutabaga_gfx = { path = "../rutabaga_gfx", features = ["x"], optional = true }
 caps = "0.5.5"
-kvm-bindings = { version = ">=0.8", features = ["fam-wrappers"] }
-kvm-ioctls = ">=0.17"
+kvm-bindings = { git = "https://github.com/jakecorrenti/kvm-bindings.git", branch = "tdx", features = ["fam-wrappers"]}
+kvm-ioctls = { git = "https://github.com/jakecorrenti/kvm-ioctls.git", branch = "tdx"}
 
 [target.'cfg(target_arch = "aarch64")'.dependencies]
-vm-fdt = ">= 0.2.0"
+vm-fdt = ">= 0.2.0"

src/libkrun/Cargo.toml

@@ -8,6 +8,7 @@ build = "build.rs"
 [features]
 tee = []
 amd-sev = [ "blk", "tee" ]
+intel-tdx = [ "blk", "tee" ]
 net = []
 blk = []
 efi = [ "blk", "net" ]
@@ -22,6 +23,7 @@ libc = ">=0.2.39"
 libloading = "0.8"
 log = "0.4.0"
 once_cell = "1.4.1"
+vm-memory = { version = ">=0.13", features = ["backend-mmap"] }
 
 devices = { path = "../devices" }
 polly = { path = "../polly" }
@@ -32,8 +34,8 @@ vmm = { path = "../vmm" }
 hvf = { path = "../hvf" }
 
 [target.'cfg(target_os = "linux")'.dependencies]
-kvm-bindings = { version = ">=0.10", features = ["fam-wrappers"] }
-kvm-ioctls = ">=0.17"
+kvm-bindings = { git = "https://github.com/jakecorrenti/kvm-bindings.git", branch = "tdx", features = ["fam-wrappers"]}
+kvm-ioctls = { git = "https://github.com/jakecorrenti/kvm-ioctls.git", branch = "tdx"}
 
 [lib]
 name = "krun"