)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":35307,"name":"Taketani Ryo","email":"taketani.ryo@fujitsu.com","username":"r-taketn0517"},"change_message_id":"3379926285c5c6de446feec3c106dcdbb9ed06ef","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"a7a2c534_c55f25e4","updated":"2026-04-03 09:40:42.000000000","message":"Thank you for your interesting suggestion. I gave some comments and questions.","commit_id":"32a6cde45bb96313f6cd8779c5cb9f8ba495daf8"},{"author":{"_account_id":38744,"name":"Anton Iacobaeus","display_name":"antia","email":"anton.iacobaeus@canarybit.eu","username":"antia","status":"Canary Bit"},"change_message_id":"a9d4005a6f101d7bee651e91b297b4c9d42ada87","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"35092502_4c5e7d13","in_reply_to":"a7a2c534_c55f25e4","updated":"2026-04-10 15:31:26.000000000","message":"Thank you for the review!","commit_id":"32a6cde45bb96313f6cd8779c5cb9f8ba495daf8"},{"author":{"_account_id":16207,"name":"ribaudr","display_name":"uggla","email":"rene.ribaud@gmail.com","username":"uggla","status":"Red Hat"},"change_message_id":"7c9b48a0a4b075faba48bf18c48c73eaed657ecc","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"6849a4ac_00ecbfd8","updated":"2026-05-05 14:21:47.000000000","message":"Great spec Anton, very well written and thorough. I\u0027ve left a few comments\nmostly for clarification. Putting a -1 just to flag them, but overall this\nlooks very good to me.","commit_id":"bb9f74c3714610482accdf599f5000a3cb69ed01"},{"author":{"_account_id":16207,"name":"ribaudr","display_name":"uggla","email":"rene.ribaud@gmail.com","username":"uggla","status":"Red Hat"},"change_message_id":"e2507a9990cea75dcd9e0097e9964ab85fe1442a","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"303afc2a_e5d24187","updated":"2026-05-12 15:42:09.000000000","message":"Still minor things to amend. But the specs looks good to me.","commit_id":"bb9f74c3714610482accdf599f5000a3cb69ed01"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"692e18cce7c49146a859e944b26bdede4f80dd24","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"bfa14976_d76ec276","updated":"2026-05-27 14:47:02.000000000","message":"I have couple of questions","commit_id":"78929519c10b5ac2230237fa2f932459dac87ca7"},{"author":{"_account_id":16207,"name":"ribaudr","display_name":"uggla","email":"rene.ribaud@gmail.com","username":"uggla","status":"Red Hat"},"change_message_id":"d7672b3d2c2382091be5bd7ae38a590b677dfc6c","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"b71bb0d0_0a023fef","updated":"2026-05-13 13:51:51.000000000","message":"Thanks Anton for the latest updates.\nBig +1 from my side.","commit_id":"78929519c10b5ac2230237fa2f932459dac87ca7"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"d67474d728b9a190e87c697b97d2953eebdee4d2","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":6,"id":"1b6983d6_f1ab6856","updated":"2026-06-02 10:58:58.000000000","message":"This looks pretty good now. If we can clear up the cold-migraton / live-migration confusion and get a statement about whitebox testing (even  negative one) then I\u0027m OK to +2 this.","commit_id":"3792f5a89ce189698ead591921f28d2e58474357"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"765736e3e548a101dd08f1cf54fac7a223ec83f8","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":7,"id":"f6d0f577_04498e7e","updated":"2026-06-02 15:45:48.000000000","message":"+2 with comments, please reply on those (at least about the qemu/libvirt versions checks)","commit_id":"cd6e8f8a9b1c62fa622ce3bd0e5661d91c9d7904"},{"author":{"_account_id":9816,"name":"Takashi Kajinami","email":"kajinamit@oss.nttdata.com","username":"kajinamit"},"change_message_id":"b19020a1349f2a997a41f16aee26409bf0fe5018","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":7,"id":"6020e032_1eece94f","updated":"2026-06-03 11:58:20.000000000","message":"The comments by Sylvain needs to be answered, but the other part looks quite good to me.","commit_id":"cd6e8f8a9b1c62fa622ce3bd0e5661d91c9d7904"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"12d0861c92600e142071a5dc54bb5383f80b76bc","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":7,"id":"7c856ac0_6cd82952","updated":"2026-06-04 10:00:09.000000000","message":"thanks for the replies, let\u0027s see on the implementation whether we need new version checks for TDX.\nThanks for this effort !","commit_id":"cd6e8f8a9b1c62fa622ce3bd0e5661d91c9d7904"}],"specs/2026.2/approved/intel-tdx-libvirt-support.rst":[{"author":{"_account_id":9816,"name":"Takashi Kajinami","email":"kajinamit@oss.nttdata.com","username":"kajinamit"},"change_message_id":"0ed5e51ee328bb8c61d00ec9fc0dc0671c2d446e","unresolved":true,"context_lines":[{"line_number":68,"context_line":""},{"line_number":69,"context_line":"Extend the libvirt driver to detect support for Intel TDX on the host through"},{"line_number":70,"context_line":"libvirt host and dom capabilities, as well as kernel kvm parameters. This is"},{"line_number":71,"context_line":"very similar to current capabilities checks for AMD SEV/SEV-ES."},{"line_number":72,"context_line":""},{"line_number":73,"context_line":"2. **Resource tracking**:"},{"line_number":74,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"609a8a5e_c9619d1b","line":71,"range":{"start_line":71,"start_character":16,"end_line":71,"end_character":63},"updated":"2026-04-05 14:30:40.000000000","message":"So do we have to check any kvm_intel module parameter in addition to domain capabilities ? I found the tdx element in https://libvirt.org/formatdomaincaps.html#features but am not too sure about the module parameter.","commit_id":"32a6cde45bb96313f6cd8779c5cb9f8ba495daf8"},{"author":{"_account_id":38744,"name":"Anton Iacobaeus","display_name":"antia","email":"anton.iacobaeus@canarybit.eu","username":"antia","status":"Canary Bit"},"change_message_id":"a9d4005a6f101d7bee651e91b297b4c9d42ada87","unresolved":false,"context_lines":[{"line_number":68,"context_line":""},{"line_number":69,"context_line":"Extend the libvirt driver to detect support for Intel TDX on the host through"},{"line_number":70,"context_line":"libvirt host and dom capabilities, as well as kernel kvm parameters. This is"},{"line_number":71,"context_line":"very similar to current capabilities checks for AMD SEV/SEV-ES."},{"line_number":72,"context_line":""},{"line_number":73,"context_line":"2. **Resource tracking**:"},{"line_number":74,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"802ff540_a90e0de3","line":71,"range":{"start_line":71,"start_character":16,"end_line":71,"end_character":63},"in_reply_to":"609a8a5e_c9619d1b","updated":"2026-04-10 15:31:26.000000000","message":"Yes the kvm_intel module parameter is also needed. It is ``/sys/module/kvm_intel/parameters/tdx`` and should be ``Y`` for when TDX is enabled. There are also some MSR fields that can be checked, but they only show if it is configured in BIOS.\n\nThe domain capabilities, as far as I know, only indicates whether Libvirt/QEMU supports TDX.\n\nWill clarify in the spec.","commit_id":"32a6cde45bb96313f6cd8779c5cb9f8ba495daf8"},{"author":{"_account_id":9816,"name":"Takashi Kajinami","email":"kajinamit@oss.nttdata.com","username":"kajinamit"},"change_message_id":"0ed5e51ee328bb8c61d00ec9fc0dc0671c2d446e","unresolved":true,"context_lines":[{"line_number":76,"context_line":"key slot tracking using resource provider inventory. The maximum number of"},{"line_number":77,"context_line":"TDX key slots is also needed for this, which depends on hardware and BIOS"},{"line_number":78,"context_line":"settings. For SEV maximum key slots are reported as a part of libvirt dom"},{"line_number":79,"context_line":"capabilities, this is not yet implemented for TDX, and thus a host"},{"line_number":80,"context_line":"configuration option is instead proposed. ``num_memory_encrypted_guests``"},{"line_number":81,"context_line":"already exists but has been deprecated since SEV implementation instead uses"},{"line_number":82,"context_line":"dom capabilities."}],"source_content_type":"text/x-rst","patch_set":2,"id":"8d973a27_5b4d4454","line":79,"range":{"start_line":79,"start_character":14,"end_line":79,"end_character":49},"updated":"2026-04-05 14:30:40.000000000","message":"Do you know if there is any on-going work to implement it ? I\u0027m asking these to understand if we eventually have to use that deprecated option for long term.","commit_id":"32a6cde45bb96313f6cd8779c5cb9f8ba495daf8"},{"author":{"_account_id":38744,"name":"Anton Iacobaeus","display_name":"antia","email":"anton.iacobaeus@canarybit.eu","username":"antia","status":"Canary Bit"},"change_message_id":"bd88fae950bfae9bccce61558883dffb8f778214","unresolved":true,"context_lines":[{"line_number":76,"context_line":"key slot tracking using resource provider inventory. The maximum number of"},{"line_number":77,"context_line":"TDX key slots is also needed for this, which depends on hardware and BIOS"},{"line_number":78,"context_line":"settings. For SEV maximum key slots are reported as a part of libvirt dom"},{"line_number":79,"context_line":"capabilities, this is not yet implemented for TDX, and thus a host"},{"line_number":80,"context_line":"configuration option is instead proposed. ``num_memory_encrypted_guests``"},{"line_number":81,"context_line":"already exists but has been deprecated since SEV implementation instead uses"},{"line_number":82,"context_line":"dom capabilities."}],"source_content_type":"text/x-rst","patch_set":2,"id":"1c859874_fa27ec4d","line":79,"range":{"start_line":79,"start_character":14,"end_line":79,"end_character":49},"in_reply_to":"0d451816_6a194ec1","updated":"2026-04-23 14:38:24.000000000","message":"Can confirm this is in 6.16, which is when TDX was introduced.\n\nSee:\nhttps://elixir.bootlin.com/linux/v6.16/source/arch/x86/kvm/vmx/tdx.c#L3514","commit_id":"32a6cde45bb96313f6cd8779c5cb9f8ba495daf8"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"d67474d728b9a190e87c697b97d2953eebdee4d2","unresolved":false,"context_lines":[{"line_number":76,"context_line":"key slot tracking using resource provider inventory. The maximum number of"},{"line_number":77,"context_line":"TDX key slots is also needed for this, which depends on hardware and BIOS"},{"line_number":78,"context_line":"settings. For SEV maximum key slots are reported as a part of libvirt dom"},{"line_number":79,"context_line":"capabilities, this is not yet implemented for TDX, and thus a host"},{"line_number":80,"context_line":"configuration option is instead proposed. ``num_memory_encrypted_guests``"},{"line_number":81,"context_line":"already exists but has been deprecated since SEV implementation instead uses"},{"line_number":82,"context_line":"dom capabilities."}],"source_content_type":"text/x-rst","patch_set":2,"id":"f72a720a_2f3db882","line":79,"range":{"start_line":79,"start_character":14,"end_line":79,"end_character":49},"in_reply_to":"1c859874_fa27ec4d","updated":"2026-06-02 10:58:58.000000000","message":"Acknowledged","commit_id":"32a6cde45bb96313f6cd8779c5cb9f8ba495daf8"},{"author":{"_account_id":9816,"name":"Takashi Kajinami","email":"kajinamit@oss.nttdata.com","username":"kajinamit"},"change_message_id":"d9ee4e71aea4d42c012ee86d34c873ec680ee1cc","unresolved":true,"context_lines":[{"line_number":76,"context_line":"key slot tracking using resource provider inventory. The maximum number of"},{"line_number":77,"context_line":"TDX key slots is also needed for this, which depends on hardware and BIOS"},{"line_number":78,"context_line":"settings. For SEV maximum key slots are reported as a part of libvirt dom"},{"line_number":79,"context_line":"capabilities, this is not yet implemented for TDX, and thus a host"},{"line_number":80,"context_line":"configuration option is instead proposed. ``num_memory_encrypted_guests``"},{"line_number":81,"context_line":"already exists but has been deprecated since SEV implementation instead uses"},{"line_number":82,"context_line":"dom capabilities."}],"source_content_type":"text/x-rst","patch_set":2,"id":"bf980303_ba43fa03","line":79,"range":{"start_line":79,"start_character":14,"end_line":79,"end_character":49},"in_reply_to":"77601b87_07c48af8","updated":"2026-04-22 12:46:39.000000000","message":"That\u0027s a good news ! However if we solely rely on this interface we should bump the min kernel version.\n\nAs far as I read the web articles Ubuntu 26.04 is supposed to include kernel 7.0 so this requirement may be acceptable, or in case anyone wants this with lower version of kernel then we can use the option for transition period.","commit_id":"32a6cde45bb96313f6cd8779c5cb9f8ba495daf8"},{"author":{"_account_id":38744,"name":"Anton Iacobaeus","display_name":"antia","email":"anton.iacobaeus@canarybit.eu","username":"antia","status":"Canary Bit"},"change_message_id":"a9d4005a6f101d7bee651e91b297b4c9d42ada87","unresolved":true,"context_lines":[{"line_number":76,"context_line":"key slot tracking using resource provider inventory. The maximum number of"},{"line_number":77,"context_line":"TDX key slots is also needed for this, which depends on hardware and BIOS"},{"line_number":78,"context_line":"settings. For SEV maximum key slots are reported as a part of libvirt dom"},{"line_number":79,"context_line":"capabilities, this is not yet implemented for TDX, and thus a host"},{"line_number":80,"context_line":"configuration option is instead proposed. ``num_memory_encrypted_guests``"},{"line_number":81,"context_line":"already exists but has been deprecated since SEV implementation instead uses"},{"line_number":82,"context_line":"dom capabilities."}],"source_content_type":"text/x-rst","patch_set":2,"id":"bcb567b0_6d0f34ff","line":79,"range":{"start_line":79,"start_character":14,"end_line":79,"end_character":49},"in_reply_to":"8d973a27_5b4d4454","updated":"2026-04-10 15:31:26.000000000","message":"No on-going work as of now. Will bring it up with maintainers and see if there are some alternative solutions or paths forward.\n\nThe current alternatives are: \n- parse dmesg \n- read MSR\n- host config option","commit_id":"32a6cde45bb96313f6cd8779c5cb9f8ba495daf8"},{"author":{"_account_id":38744,"name":"Anton Iacobaeus","display_name":"antia","email":"anton.iacobaeus@canarybit.eu","username":"antia","status":"Canary Bit"},"change_message_id":"111068522e218bc59b3c09ea2b635e3cc761067f","unresolved":true,"context_lines":[{"line_number":76,"context_line":"key slot tracking using resource provider inventory. The maximum number of"},{"line_number":77,"context_line":"TDX key slots is also needed for this, which depends on hardware and BIOS"},{"line_number":78,"context_line":"settings. For SEV maximum key slots are reported as a part of libvirt dom"},{"line_number":79,"context_line":"capabilities, this is not yet implemented for TDX, and thus a host"},{"line_number":80,"context_line":"configuration option is instead proposed. ``num_memory_encrypted_guests``"},{"line_number":81,"context_line":"already exists but has been deprecated since SEV implementation instead uses"},{"line_number":82,"context_line":"dom capabilities."}],"source_content_type":"text/x-rst","patch_set":2,"id":"77601b87_07c48af8","line":79,"range":{"start_line":79,"start_character":14,"end_line":79,"end_character":49},"in_reply_to":"bcb567b0_6d0f34ff","updated":"2026-04-17 09:06:30.000000000","message":"Some good news on this! Turns out the kernel is already exposing these values via a simple interface:\n\ncat /sys/fs/cgroup/misc.capacity \u003c-- Total TD capacity\n\nIt also tracks the number of currently used keys\ncat /sys/fs/cgroup/misc.current  \u003c-- Used TD capacity\n\nThis does all the hard work for us and can be read without elevated privileges\n\nRelated position in the kernel: https://elixir.bootlin.com/linux/v7.0-rc7/source/arch/x86/kvm/vmx/tdx.c#L3473","commit_id":"32a6cde45bb96313f6cd8779c5cb9f8ba495daf8"},{"author":{"_account_id":38744,"name":"Anton Iacobaeus","display_name":"antia","email":"anton.iacobaeus@canarybit.eu","username":"antia","status":"Canary Bit"},"change_message_id":"54369fab5409a7de7f60158718d7b833134249ab","unresolved":true,"context_lines":[{"line_number":76,"context_line":"key slot tracking using resource provider inventory. The maximum number of"},{"line_number":77,"context_line":"TDX key slots is also needed for this, which depends on hardware and BIOS"},{"line_number":78,"context_line":"settings. For SEV maximum key slots are reported as a part of libvirt dom"},{"line_number":79,"context_line":"capabilities, this is not yet implemented for TDX, and thus a host"},{"line_number":80,"context_line":"configuration option is instead proposed. ``num_memory_encrypted_guests``"},{"line_number":81,"context_line":"already exists but has been deprecated since SEV implementation instead uses"},{"line_number":82,"context_line":"dom capabilities."}],"source_content_type":"text/x-rst","patch_set":2,"id":"0d451816_6a194ec1","line":79,"range":{"start_line":79,"start_character":14,"end_line":79,"end_character":49},"in_reply_to":"bf980303_ba43fa03","updated":"2026-04-22 12:54:06.000000000","message":"Apologies, that link was just a reference to the latest kernel code. It was introduced in an older version. Will take some digging to identify exactly when it was introduced, but for instance using canonical/tdx patches on ubuntu 24.04 also works.\n\nWill do some digging to make sure it is included with the suggested kernel version.","commit_id":"32a6cde45bb96313f6cd8779c5cb9f8ba495daf8"},{"author":{"_account_id":35307,"name":"Taketani Ryo","email":"taketani.ryo@fujitsu.com","username":"r-taketn0517"},"change_message_id":"3379926285c5c6de446feec3c106dcdbb9ed06ef","unresolved":true,"context_lines":[{"line_number":83,"context_line":""},{"line_number":84,"context_line":"3. **Image and flavor**:"},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"Use the existing ``hw:mem_encryption\u003dTrue`` flavor extra spec and"},{"line_number":87,"context_line":"``hw_mem_encryption\u003dtrue`` image property, and introduce"},{"line_number":88,"context_line":"``hw:mem_encryption_model\u003dintel-tdx`` to specify TDX encryption, following the"},{"line_number":89,"context_line":"pattern used for SEV (``amd-sev``, ``amd-sev-es``)."},{"line_number":90,"context_line":""},{"line_number":91,"context_line":"4. **XML generation**:"},{"line_number":92,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"288b1ad0_5d8dbee0","line":89,"range":{"start_line":86,"start_character":0,"end_line":89,"end_character":51},"updated":"2026-04-03 09:40:42.000000000","message":"In the current Nova implementation, if a user specifies only hw:mem_encryption\u003dTrue without hw:mem_encryption_model, Nova defaults to AMD SEV ([scheduler.utils._translate_mem_encryption_request()](https://github.com/openstack/nova/blob/327c790ec87e95e81900118537b68ed94e8e4475/nova/scheduler/utils.py#L319) and [hardware.get_mem_encryption_constraint()](https://github.com/openstack/nova/blob/327c790ec87e95e81900118537b68ed94e8e4475/nova/virt/hardware.py#L1252). The [generalize-sev-code patches](https://review.opendev.org/q/topic:%22bp/generalize-sev-code%22) do not change this behavior. \n\nThis creates an issue in an environment where the compute nodes are composed only of Intel TDX-capable nodes and there are no nodes supporting AMD SEV. In such a case, users may expect that hw:mem_encryption\u003dTrue without mem_encryption_model is sufficient for TDX-based VMs but Nova would still attempt to boot an SEV-based VM and fail, even though the infrastructure is fully capable of providing memory encryption via TDX.\n\nIdeally, hw:mem_encryption\u003dTrue without hw:mem_encryption_model should be a generic trigger that allows Nova to automatically select the appropriate encryption model based on the resource providers for MEM_ENCRYPTION_CONTEXT.\n\nIt would be great if we solve this issue when TDX support is implemented in Nova, but adding a note that hw:mem_encryption_model\u003dintel-tdx is required for booting a TDX VM might be sufficient so far.  I think this point requires discussion including other reviewers.","commit_id":"32a6cde45bb96313f6cd8779c5cb9f8ba495daf8"},{"author":{"_account_id":9816,"name":"Takashi Kajinami","email":"kajinamit@oss.nttdata.com","username":"kajinamit"},"change_message_id":"0ed5e51ee328bb8c61d00ec9fc0dc0671c2d446e","unresolved":true,"context_lines":[{"line_number":83,"context_line":""},{"line_number":84,"context_line":"3. **Image and flavor**:"},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"Use the existing ``hw:mem_encryption\u003dTrue`` flavor extra spec and"},{"line_number":87,"context_line":"``hw_mem_encryption\u003dtrue`` image property, and introduce"},{"line_number":88,"context_line":"``hw:mem_encryption_model\u003dintel-tdx`` to specify TDX encryption, following the"},{"line_number":89,"context_line":"pattern used for SEV (``amd-sev``, ``amd-sev-es``)."},{"line_number":90,"context_line":""},{"line_number":91,"context_line":"4. **XML generation**:"},{"line_number":92,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"99ba4ab1_f6ed1fd5","line":89,"range":{"start_line":86,"start_character":0,"end_line":89,"end_character":51},"in_reply_to":"288b1ad0_5d8dbee0","updated":"2026-04-05 14:30:40.000000000","message":"We discussed this when we introduced SEV-ES support but we decided to use SEV as \"the default\" model to avoid breaking existing usage of AMD SEV, without explicit memory-model. It\u0027s highly possible that an old image with only SEV capability doesn\u0027t work with TDX.\n\nA possible option is to make the default model configurable, but AFAIK we generally avoid changing behavior of the API according to a config option for cross-cloud operability.","commit_id":"32a6cde45bb96313f6cd8779c5cb9f8ba495daf8"},{"author":{"_account_id":38744,"name":"Anton Iacobaeus","display_name":"antia","email":"anton.iacobaeus@canarybit.eu","username":"antia","status":"Canary Bit"},"change_message_id":"a9d4005a6f101d7bee651e91b297b4c9d42ada87","unresolved":true,"context_lines":[{"line_number":83,"context_line":""},{"line_number":84,"context_line":"3. **Image and flavor**:"},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"Use the existing ``hw:mem_encryption\u003dTrue`` flavor extra spec and"},{"line_number":87,"context_line":"``hw_mem_encryption\u003dtrue`` image property, and introduce"},{"line_number":88,"context_line":"``hw:mem_encryption_model\u003dintel-tdx`` to specify TDX encryption, following the"},{"line_number":89,"context_line":"pattern used for SEV (``amd-sev``, ``amd-sev-es``)."},{"line_number":90,"context_line":""},{"line_number":91,"context_line":"4. **XML generation**:"},{"line_number":92,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"a09b8055_beef55fc","line":89,"range":{"start_line":86,"start_character":0,"end_line":89,"end_character":51},"in_reply_to":"99ba4ab1_f6ed1fd5","updated":"2026-04-10 15:31:26.000000000","message":"I noticed this was not addressed when going over the generalize-sev-code, although I didn\u0027t entirely capture the implications for TDX yet. Great to get some context. I was more or less assuming that when TDX is requested, ``hw:mem_encryption_model\u003dintel-tdx`` should be used and I think a note about it is a reasonable solution. This limitation can also be addressed in this spec if it is considered in scope.","commit_id":"32a6cde45bb96313f6cd8779c5cb9f8ba495daf8"},{"author":{"_account_id":35307,"name":"Taketani Ryo","email":"taketani.ryo@fujitsu.com","username":"r-taketn0517"},"change_message_id":"d097f35366855b3a4f0c27dfa106b51af8352288","unresolved":false,"context_lines":[{"line_number":83,"context_line":""},{"line_number":84,"context_line":"3. **Image and flavor**:"},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"Use the existing ``hw:mem_encryption\u003dTrue`` flavor extra spec and"},{"line_number":87,"context_line":"``hw_mem_encryption\u003dtrue`` image property, and introduce"},{"line_number":88,"context_line":"``hw:mem_encryption_model\u003dintel-tdx`` to specify TDX encryption, following the"},{"line_number":89,"context_line":"pattern used for SEV (``amd-sev``, ``amd-sev-es``)."},{"line_number":90,"context_line":""},{"line_number":91,"context_line":"4. **XML generation**:"},{"line_number":92,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"b032f5d2_a8dca309","line":89,"range":{"start_line":86,"start_character":0,"end_line":89,"end_character":51},"in_reply_to":"a09b8055_beef55fc","updated":"2026-04-23 01:05:28.000000000","message":"We agreed in the PTG that do not address the default logic, and force hw:mem_encryption_model to be set.","commit_id":"32a6cde45bb96313f6cd8779c5cb9f8ba495daf8"},{"author":{"_account_id":35307,"name":"Taketani Ryo","email":"taketani.ryo@fujitsu.com","username":"r-taketn0517"},"change_message_id":"3379926285c5c6de446feec3c106dcdbb9ed06ef","unresolved":true,"context_lines":[{"line_number":108,"context_line":"the options. Therefore, for an initial implementation of TDX the following is"},{"line_number":109,"context_line":"proposed:"},{"line_number":110,"context_line":""},{"line_number":111,"context_line":"- Hardcode policy to ``0x00000001``, which disables debugging."},{"line_number":112,"context_line":"- Expose quoteGenerationSocket path as a host config (nova.conf)."},{"line_number":113,"context_line":"- Remaining fields are meant for user configuration and will be left as"},{"line_number":114,"context_line":"  default (empty)."}],"source_content_type":"text/x-rst","patch_set":2,"id":"084e705b_df44cb50","line":111,"updated":"2026-04-03 09:40:42.000000000","message":"I agree that bit 0 could be fixed for now, since debug mode is still considered future work according to [the QEMU documentation](https://www.qemu.org/docs/master/system/i386/tdx.html#debugging). However, it appears that `0x00000001` enables debug mode (off-TD debug) rather than disable it([other reference](https://github.com/canonical/tdx/issues/384)). If the intention is to disable debugging, would `0x00000000` be a appropriate instead?","commit_id":"32a6cde45bb96313f6cd8779c5cb9f8ba495daf8"},{"author":{"_account_id":35307,"name":"Taketani Ryo","email":"taketani.ryo@fujitsu.com","username":"r-taketn0517"},"change_message_id":"3379926285c5c6de446feec3c106dcdbb9ed06ef","unresolved":true,"context_lines":[{"line_number":108,"context_line":"the options. Therefore, for an initial implementation of TDX the following is"},{"line_number":109,"context_line":"proposed:"},{"line_number":110,"context_line":""},{"line_number":111,"context_line":"- Hardcode policy to ``0x00000001``, which disables debugging."},{"line_number":112,"context_line":"- Expose quoteGenerationSocket path as a host config (nova.conf)."},{"line_number":113,"context_line":"- Remaining fields are meant for user configuration and will be left as"},{"line_number":114,"context_line":"  default (empty)."}],"source_content_type":"text/x-rst","patch_set":2,"id":"8bbf3355_329d0c14","line":111,"range":{"start_line":111,"start_character":25,"end_line":111,"end_character":26},"updated":"2026-04-03 09:40:42.000000000","message":"My understanding is that the current libvirt implementations allows configurating bit 28(`SEPT_VE_DISABLE`) via `\u003cpolicy\u003e`, in addition to bit 0.\n\n[This QEMU patch](https://patchew.org/QEMU/20240229063726.610065-1-xiaoyao.li@intel.com/20240229063726.610065-26-xiaoyao.li@intel.com/) mentions that some guest OSes (e.g., Linux TD guest) may require bit28(sept-ve-disable) as 1, otherwise refuse to boot. Given this, I\u0027m wondering whether it is appropriate to always unset bit 28 ([Other reference](https://github.com/asterinas/asterinas/issues/2902)).","commit_id":"32a6cde45bb96313f6cd8779c5cb9f8ba495daf8"},{"author":{"_account_id":38744,"name":"Anton Iacobaeus","display_name":"antia","email":"anton.iacobaeus@canarybit.eu","username":"antia","status":"Canary Bit"},"change_message_id":"a9d4005a6f101d7bee651e91b297b4c9d42ada87","unresolved":false,"context_lines":[{"line_number":108,"context_line":"the options. Therefore, for an initial implementation of TDX the following is"},{"line_number":109,"context_line":"proposed:"},{"line_number":110,"context_line":""},{"line_number":111,"context_line":"- Hardcode policy to ``0x00000001``, which disables debugging."},{"line_number":112,"context_line":"- Expose quoteGenerationSocket path as a host config (nova.conf)."},{"line_number":113,"context_line":"- Remaining fields are meant for user configuration and will be left as"},{"line_number":114,"context_line":"  default (empty)."}],"source_content_type":"text/x-rst","patch_set":2,"id":"72933043_b0f72a39","line":111,"in_reply_to":"084e705b_df44cb50","updated":"2026-04-10 15:31:26.000000000","message":"Yes indeed, I had this all flipped. My intention was for bit 0 to be 0 to\ndisable debug and bit 28 to be 1 for SEPT_VE_DISABLE, so ``0x10000000``.","commit_id":"32a6cde45bb96313f6cd8779c5cb9f8ba495daf8"},{"author":{"_account_id":38744,"name":"Anton Iacobaeus","display_name":"antia","email":"anton.iacobaeus@canarybit.eu","username":"antia","status":"Canary Bit"},"change_message_id":"a9d4005a6f101d7bee651e91b297b4c9d42ada87","unresolved":false,"context_lines":[{"line_number":108,"context_line":"the options. Therefore, for an initial implementation of TDX the following is"},{"line_number":109,"context_line":"proposed:"},{"line_number":110,"context_line":""},{"line_number":111,"context_line":"- Hardcode policy to ``0x00000001``, which disables debugging."},{"line_number":112,"context_line":"- Expose quoteGenerationSocket path as a host config (nova.conf)."},{"line_number":113,"context_line":"- Remaining fields are meant for user configuration and will be left as"},{"line_number":114,"context_line":"  default (empty)."}],"source_content_type":"text/x-rst","patch_set":2,"id":"8bdfea4e_3731bbd5","line":111,"range":{"start_line":111,"start_character":25,"end_line":111,"end_character":26},"in_reply_to":"8bbf3355_329d0c14","updated":"2026-04-10 15:31:26.000000000","message":"Same as above. Will update policy to `0x10000000` which sets bit 28.","commit_id":"32a6cde45bb96313f6cd8779c5cb9f8ba495daf8"},{"author":{"_account_id":35307,"name":"Taketani Ryo","email":"taketani.ryo@fujitsu.com","username":"r-taketn0517"},"change_message_id":"3379926285c5c6de446feec3c106dcdbb9ed06ef","unresolved":true,"context_lines":[{"line_number":109,"context_line":"proposed:"},{"line_number":110,"context_line":""},{"line_number":111,"context_line":"- Hardcode policy to ``0x00000001``, which disables debugging."},{"line_number":112,"context_line":"- Expose quoteGenerationSocket path as a host config (nova.conf)."},{"line_number":113,"context_line":"- Remaining fields are meant for user configuration and will be left as"},{"line_number":114,"context_line":"  default (empty)."},{"line_number":115,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"fef21377_b2d2dbd8","line":112,"range":{"start_line":112,"start_character":0,"end_line":112,"end_character":65},"updated":"2026-04-03 09:40:42.000000000","message":"According to [this libvirt patch](https://www.mail-archive.com/devel%40lists.libvirt.org/msg11392.html), If this option is not specified, `/var/run/tdx-qgs/qgs.socket` is used.\nIs it necessary to expose this as a configurable option within nova.conf because the socket path differs across host environments and there\u0027s no way to detect this path automatically?","commit_id":"32a6cde45bb96313f6cd8779c5cb9f8ba495daf8"},{"author":{"_account_id":38744,"name":"Anton Iacobaeus","display_name":"antia","email":"anton.iacobaeus@canarybit.eu","username":"antia","status":"Canary Bit"},"change_message_id":"a9d4005a6f101d7bee651e91b297b4c9d42ada87","unresolved":true,"context_lines":[{"line_number":109,"context_line":"proposed:"},{"line_number":110,"context_line":""},{"line_number":111,"context_line":"- Hardcode policy to ``0x00000001``, which disables debugging."},{"line_number":112,"context_line":"- Expose quoteGenerationSocket path as a host config (nova.conf)."},{"line_number":113,"context_line":"- Remaining fields are meant for user configuration and will be left as"},{"line_number":114,"context_line":"  default (empty)."},{"line_number":115,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"400debd1_625d2189","line":112,"range":{"start_line":112,"start_character":0,"end_line":112,"end_character":65},"in_reply_to":"fef21377_b2d2dbd8","updated":"2026-04-10 15:31:26.000000000","message":"The quoteGenerationSocket object is optional, but has to be declared in order to use attestation. The path field of the quoteGenerationSocket object is also optional and will indeed default to ``/var/run/tdx-qgs/qgs.socket``. I agree that this default is probably enough in most cases.\n\nThere are some cases where it could be useful to have it configurable, but not really from the host perspective but rather the user. There could for example be multiple Quote Generation Services running on the same node and a user could want to choose which one to use for that particular VM. If we manage to create a good interface for user supplied options the path should be included there.\n\nWill update the spec accordingly.","commit_id":"32a6cde45bb96313f6cd8779c5cb9f8ba495daf8"},{"author":{"_account_id":35307,"name":"Taketani Ryo","email":"taketani.ryo@fujitsu.com","username":"r-taketn0517"},"change_message_id":"3379926285c5c6de446feec3c106dcdbb9ed06ef","unresolved":true,"context_lines":[{"line_number":175,"context_line":"  interface for user provided options for confidential computing is implemented"},{"line_number":176,"context_line":"  in Nova. TDX will function without the user provided data and getting partial"},{"line_number":177,"context_line":"  TDX support is considered better than none."},{"line_number":178,"context_line":""},{"line_number":179,"context_line":"Data model impact"},{"line_number":180,"context_line":"-----------------"},{"line_number":181,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"34b0c420_d4e5e5ff","line":178,"updated":"2026-04-03 09:40:42.000000000","message":"Are there additional limitations or specification differences compared to [SEV](https://docs.openstack.org/nova/latest/admin/sev.html#limitations)? \n\nsuch as:\n\n* Are there restrictions on `hw_disk_bus`?\n* Is `memlocked` required to specify in the domain XML?\n* Can `hw_page_size` option be used together with TDX?","commit_id":"32a6cde45bb96313f6cd8779c5cb9f8ba495daf8"},{"author":{"_account_id":38744,"name":"Anton Iacobaeus","display_name":"antia","email":"anton.iacobaeus@canarybit.eu","username":"antia","status":"Canary Bit"},"change_message_id":"a9d4005a6f101d7bee651e91b297b4c9d42ada87","unresolved":true,"context_lines":[{"line_number":175,"context_line":"  interface for user provided options for confidential computing is implemented"},{"line_number":176,"context_line":"  in Nova. TDX will function without the user provided data and getting partial"},{"line_number":177,"context_line":"  TDX support is considered better than none."},{"line_number":178,"context_line":""},{"line_number":179,"context_line":"Data model impact"},{"line_number":180,"context_line":"-----------------"},{"line_number":181,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"74e11e7a_02211704","line":178,"in_reply_to":"34b0c420_d4e5e5ff","updated":"2026-04-10 15:31:26.000000000","message":"Good question! I will update the spec with some clarifications here. In general TDX inherits many of the limitations from SEV, but mainly has similar limitations as SEV-SNP.\n\nRight now I can confirm:\n- memlocked is not required for Intel TDX\n- Hugepages (hw:mem_page_size) support is ongoing, but not merged, and can be tracked here:\nhttps://lore.kernel.org/kvm/20260106101646.24809-1-yan.y.zhao@intel.com/","commit_id":"32a6cde45bb96313f6cd8779c5cb9f8ba495daf8"},{"author":{"_account_id":38744,"name":"Anton Iacobaeus","display_name":"antia","email":"anton.iacobaeus@canarybit.eu","username":"antia","status":"Canary Bit"},"change_message_id":"aa20b1882ea4a9901155b01d48cb6afd8fe230be","unresolved":true,"context_lines":[{"line_number":175,"context_line":"  interface for user provided options for confidential computing is implemented"},{"line_number":176,"context_line":"  in Nova. TDX will function without the user provided data and getting partial"},{"line_number":177,"context_line":"  TDX support is considered better than none."},{"line_number":178,"context_line":""},{"line_number":179,"context_line":"Data model impact"},{"line_number":180,"context_line":"-----------------"},{"line_number":181,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"7c16a773_8ce7e216","line":178,"in_reply_to":"390577dd_6c2e78b9","updated":"2026-05-07 14:55:11.000000000","message":"Briefly mentioned under \"Other end user impact\". The limitations there will also be documented, can clarify in the spec.","commit_id":"32a6cde45bb96313f6cd8779c5cb9f8ba495daf8"},{"author":{"_account_id":16207,"name":"ribaudr","display_name":"uggla","email":"rene.ribaud@gmail.com","username":"uggla","status":"Red Hat"},"change_message_id":"7c9b48a0a4b075faba48bf18c48c73eaed657ecc","unresolved":true,"context_lines":[{"line_number":175,"context_line":"  interface for user provided options for confidential computing is implemented"},{"line_number":176,"context_line":"  in Nova. TDX will function without the user provided data and getting partial"},{"line_number":177,"context_line":"  TDX support is considered better than none."},{"line_number":178,"context_line":""},{"line_number":179,"context_line":"Data model impact"},{"line_number":180,"context_line":"-----------------"},{"line_number":181,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"390577dd_6c2e78b9","line":178,"in_reply_to":"74e11e7a_02211704","updated":"2026-05-05 14:21:47.000000000","message":"Hugepages, it could be good to document that later in the doc patch.","commit_id":"32a6cde45bb96313f6cd8779c5cb9f8ba495daf8"},{"author":{"_account_id":16207,"name":"ribaudr","display_name":"uggla","email":"rene.ribaud@gmail.com","username":"uggla","status":"Red Hat"},"change_message_id":"e2507a9990cea75dcd9e0097e9964ab85fe1442a","unresolved":false,"context_lines":[{"line_number":175,"context_line":"  interface for user provided options for confidential computing is implemented"},{"line_number":176,"context_line":"  in Nova. TDX will function without the user provided data and getting partial"},{"line_number":177,"context_line":"  TDX support is considered better than none."},{"line_number":178,"context_line":""},{"line_number":179,"context_line":"Data model impact"},{"line_number":180,"context_line":"-----------------"},{"line_number":181,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"d0578159_82e39be3","line":178,"in_reply_to":"7c16a773_8ce7e216","updated":"2026-05-12 15:42:09.000000000","message":"Acknowledged","commit_id":"32a6cde45bb96313f6cd8779c5cb9f8ba495daf8"},{"author":{"_account_id":9816,"name":"Takashi Kajinami","email":"kajinamit@oss.nttdata.com","username":"kajinamit"},"change_message_id":"234b770c9406837118cd202c43fe8843bf162a3e","unresolved":true,"context_lines":[{"line_number":141,"context_line":""},{"line_number":142,"context_line":"Internally these properties will be translated into"},{"line_number":143,"context_line":"``resources:MEM_ENCRYPTION_CONTEXT\u003d1`` and"},{"line_number":144,"context_line":"``trait:HW_CPU_X86_INTEL_TDX\u003drequired``. Conflicting requests between flavor"},{"line_number":145,"context_line":"and image will be rejected."},{"line_number":146,"context_line":""},{"line_number":147,"context_line":"The current implementation defaults to ``trait:HW_CPU_X86_AMD_SEV\u003drequired`` if"},{"line_number":148,"context_line":"no ``hw:mem_encryption_model`` is configured but ``hw:mem_encryption\u003dTrue`` is."}],"source_content_type":"text/x-rst","patch_set":3,"id":"f533ccef_188a2396","line":145,"range":{"start_line":144,"start_character":41,"end_line":145,"end_character":27},"updated":"2026-04-22 15:51:21.000000000","message":"Can we also require hw_firmware_stateless\u003dTrue in image, based on the discussion we had for SEV-SNP ? (assuming firmware for tdx should be also stateless always)","commit_id":"70031334b0cd2938caa8a49b7822c6b9d7d2948b"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"692e18cce7c49146a859e944b26bdede4f80dd24","unresolved":false,"context_lines":[{"line_number":141,"context_line":""},{"line_number":142,"context_line":"Internally these properties will be translated into"},{"line_number":143,"context_line":"``resources:MEM_ENCRYPTION_CONTEXT\u003d1`` and"},{"line_number":144,"context_line":"``trait:HW_CPU_X86_INTEL_TDX\u003drequired``. Conflicting requests between flavor"},{"line_number":145,"context_line":"and image will be rejected."},{"line_number":146,"context_line":""},{"line_number":147,"context_line":"The current implementation defaults to ``trait:HW_CPU_X86_AMD_SEV\u003drequired`` if"},{"line_number":148,"context_line":"no ``hw:mem_encryption_model`` is configured but ``hw:mem_encryption\u003dTrue`` is."}],"source_content_type":"text/x-rst","patch_set":3,"id":"48e9b0ea_f4ec47b5","line":145,"range":{"start_line":144,"start_character":41,"end_line":145,"end_character":27},"in_reply_to":"93eaf8c1_6dc067a7","updated":"2026-05-27 14:47:02.000000000","message":"Done","commit_id":"70031334b0cd2938caa8a49b7822c6b9d7d2948b"},{"author":{"_account_id":38744,"name":"Anton Iacobaeus","display_name":"antia","email":"anton.iacobaeus@canarybit.eu","username":"antia","status":"Canary Bit"},"change_message_id":"bd88fae950bfae9bccce61558883dffb8f778214","unresolved":true,"context_lines":[{"line_number":141,"context_line":""},{"line_number":142,"context_line":"Internally these properties will be translated into"},{"line_number":143,"context_line":"``resources:MEM_ENCRYPTION_CONTEXT\u003d1`` and"},{"line_number":144,"context_line":"``trait:HW_CPU_X86_INTEL_TDX\u003drequired``. Conflicting requests between flavor"},{"line_number":145,"context_line":"and image will be rejected."},{"line_number":146,"context_line":""},{"line_number":147,"context_line":"The current implementation defaults to ``trait:HW_CPU_X86_AMD_SEV\u003drequired`` if"},{"line_number":148,"context_line":"no ``hw:mem_encryption_model`` is configured but ``hw:mem_encryption\u003dTrue`` is."}],"source_content_type":"text/x-rst","patch_set":3,"id":"93eaf8c1_6dc067a7","line":145,"range":{"start_line":144,"start_character":41,"end_line":145,"end_character":27},"in_reply_to":"f533ccef_188a2396","updated":"2026-04-23 14:38:24.000000000","message":"Updated the spec to include it","commit_id":"70031334b0cd2938caa8a49b7822c6b9d7d2948b"},{"author":{"_account_id":35307,"name":"Taketani Ryo","email":"taketani.ryo@fujitsu.com","username":"r-taketn0517"},"change_message_id":"4d0b676ff5f7c065a45a44212895f37f3797f224","unresolved":true,"context_lines":[{"line_number":199,"context_line":""},{"line_number":200,"context_line":"Introduce MemEncryptionConfigTdx (based on MemEncryptionConfig) to verify"},{"line_number":201,"context_line":"instance flavor and image configuration. Intel TDX requires machine_type q35"},{"line_number":202,"context_line":"and UEFI firmware. CPU type of host-passthrough is also required, there is no"},{"line_number":203,"context_line":"model in Libvirt which is compatible with TDX."},{"line_number":204,"context_line":""},{"line_number":205,"context_line":"TDX also does not currently support features like migration, and will thus need"}],"source_content_type":"text/x-rst","patch_set":3,"id":"9d6c00a9_b1272bed","line":202,"range":{"start_line":202,"start_character":19,"end_line":202,"end_character":65},"updated":"2026-04-22 12:00:31.000000000","message":"My understanding is that we should specify this in nova.conf and there is no option in flavor and image, right?\nhttps://docs.openstack.org/nova/latest/configuration/extra-specs.html#hw","commit_id":"70031334b0cd2938caa8a49b7822c6b9d7d2948b"},{"author":{"_account_id":38744,"name":"Anton Iacobaeus","display_name":"antia","email":"anton.iacobaeus@canarybit.eu","username":"antia","status":"Canary Bit"},"change_message_id":"f6eb297ef95836d7a3cbfbc44eea83040ca672d6","unresolved":true,"context_lines":[{"line_number":199,"context_line":""},{"line_number":200,"context_line":"Introduce MemEncryptionConfigTdx (based on MemEncryptionConfig) to verify"},{"line_number":201,"context_line":"instance flavor and image configuration. Intel TDX requires machine_type q35"},{"line_number":202,"context_line":"and UEFI firmware. CPU type of host-passthrough is also required, there is no"},{"line_number":203,"context_line":"model in Libvirt which is compatible with TDX."},{"line_number":204,"context_line":""},{"line_number":205,"context_line":"TDX also does not currently support features like migration, and will thus need"}],"source_content_type":"text/x-rst","patch_set":3,"id":"cc8f5f2c_53bc0fda","line":202,"range":{"start_line":202,"start_character":19,"end_line":202,"end_character":65},"in_reply_to":"9d6c00a9_b1272bed","updated":"2026-04-22 12:38:58.000000000","message":"Yes that seems to be the case, good catch!\n\nnova.conf option for reference:\nhttps://docs.openstack.org/nova/latest/configuration/config.html#libvirt.cpu_mode","commit_id":"70031334b0cd2938caa8a49b7822c6b9d7d2948b"},{"author":{"_account_id":16207,"name":"ribaudr","display_name":"uggla","email":"rene.ribaud@gmail.com","username":"uggla","status":"Red Hat"},"change_message_id":"7c9b48a0a4b075faba48bf18c48c73eaed657ecc","unresolved":false,"context_lines":[{"line_number":166,"context_line":"  ``/var/run/tdx-qgs/qgs.socket``. This default should not conflict with other"},{"line_number":167,"context_line":"  sockets and will integrate directly with the Quote Generation Service (QGS)"},{"line_number":168,"context_line":"  for attestation."},{"line_number":169,"context_line":"- Remaining fields are meant for user configuration and will be left as"},{"line_number":170,"context_line":"  default (empty)."},{"line_number":171,"context_line":""},{"line_number":172,"context_line":"The resulting launchSecurity:"},{"line_number":173,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"17c227a4_3c5f56ad","line":170,"range":{"start_line":169,"start_character":2,"end_line":170,"end_character":18},"updated":"2026-05-05 14:21:47.000000000","message":"The approach of leaving these fields empty for now and deferring user-facing configuration to a future generic API (covering TDX, SEV-SNP, ARM CCA) sounds like the right call to me.","commit_id":"bb9f74c3714610482accdf599f5000a3cb69ed01"},{"author":{"_account_id":16207,"name":"ribaudr","display_name":"uggla","email":"rene.ribaud@gmail.com","username":"uggla","status":"Red Hat"},"change_message_id":"7c9b48a0a4b075faba48bf18c48c73eaed657ecc","unresolved":true,"context_lines":[{"line_number":202,"context_line":"Block device mappings configuration with ``hw_disk_bus\u003dscsi`` also needs to be"},{"line_number":203,"context_line":"rejected. Only needed if the block device is intended to be booted from."},{"line_number":204,"context_line":""},{"line_number":205,"context_line":"TDX also does not currently support features like migration, and will thus need"},{"line_number":206,"context_line":"a reject function like ``reject_sev_instances``."},{"line_number":207,"context_line":""},{"line_number":208,"context_line":"Alternatives"}],"source_content_type":"text/x-rst","patch_set":4,"id":"d0e71732_d9dbe09a","line":205,"range":{"start_line":205,"start_character":50,"end_line":205,"end_character":59},"updated":"2026-05-05 14:21:47.000000000","message":"It would be helpful to have an explicit list of the operations that will be\nblocked for TDX instances. For example: live migration, cold migration, resize,\nshelve, etc. Just saying \"migration\" is a bit vague, knowing exactly which\nactions are rejected makes it easier to review the implementation later.","commit_id":"bb9f74c3714610482accdf599f5000a3cb69ed01"},{"author":{"_account_id":38744,"name":"Anton Iacobaeus","display_name":"antia","email":"anton.iacobaeus@canarybit.eu","username":"antia","status":"Canary Bit"},"change_message_id":"aa20b1882ea4a9901155b01d48cb6afd8fe230be","unresolved":true,"context_lines":[{"line_number":202,"context_line":"Block device mappings configuration with ``hw_disk_bus\u003dscsi`` also needs to be"},{"line_number":203,"context_line":"rejected. Only needed if the block device is intended to be booted from."},{"line_number":204,"context_line":""},{"line_number":205,"context_line":"TDX also does not currently support features like migration, and will thus need"},{"line_number":206,"context_line":"a reject function like ``reject_sev_instances``."},{"line_number":207,"context_line":""},{"line_number":208,"context_line":"Alternatives"}],"source_content_type":"text/x-rst","patch_set":4,"id":"f602620b_06ad5c0e","line":205,"range":{"start_line":205,"start_character":50,"end_line":205,"end_character":59},"in_reply_to":"d0e71732_d9dbe09a","updated":"2026-05-07 14:55:11.000000000","message":"Live migration is the main blocked operation. In general it matches what ``reject_sev_instances`` already targets (live-migration and suspend). Will clarify in the spec.\n\nReboot also isn\u0027t supported, but Libvirt adds ``\u003con_reboot\u003erestart\u003c/on_reboot\u003e`` to handle this.","commit_id":"bb9f74c3714610482accdf599f5000a3cb69ed01"},{"author":{"_account_id":16207,"name":"ribaudr","display_name":"uggla","email":"rene.ribaud@gmail.com","username":"uggla","status":"Red Hat"},"change_message_id":"e2507a9990cea75dcd9e0097e9964ab85fe1442a","unresolved":false,"context_lines":[{"line_number":202,"context_line":"Block device mappings configuration with ``hw_disk_bus\u003dscsi`` also needs to be"},{"line_number":203,"context_line":"rejected. Only needed if the block device is intended to be booted from."},{"line_number":204,"context_line":""},{"line_number":205,"context_line":"TDX also does not currently support features like migration, and will thus need"},{"line_number":206,"context_line":"a reject function like ``reject_sev_instances``."},{"line_number":207,"context_line":""},{"line_number":208,"context_line":"Alternatives"}],"source_content_type":"text/x-rst","patch_set":4,"id":"074daa13_a0d6c682","line":205,"range":{"start_line":205,"start_character":50,"end_line":205,"end_character":59},"in_reply_to":"f602620b_06ad5c0e","updated":"2026-05-12 15:42:09.000000000","message":"Acknowledged","commit_id":"bb9f74c3714610482accdf599f5000a3cb69ed01"},{"author":{"_account_id":16207,"name":"ribaudr","display_name":"uggla","email":"rene.ribaud@gmail.com","username":"uggla","status":"Red Hat"},"change_message_id":"7c9b48a0a4b075faba48bf18c48c73eaed657ecc","unresolved":true,"context_lines":[{"line_number":236,"context_line":""},{"line_number":237,"context_line":"      tdx 3"},{"line_number":238,"context_line":""},{"line_number":239,"context_line":"This could be used to account for TDX guests started outside of Nova\u0027s control."},{"line_number":240,"context_line":"This is, however, not necessary and the pattern of letting the operator"},{"line_number":241,"context_line":"configure the ``reserved`` field manually is preferred."},{"line_number":242,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"ed968fa4_29197bb4","line":239,"range":{"start_line":239,"start_character":37,"end_line":239,"end_character":78},"updated":"2026-05-05 14:21:47.000000000","message":"Minor note: running guests outside of Nova\u0027s control is not a supported scenario — Nova expects to be the sole manager of compute resources on the host.","commit_id":"bb9f74c3714610482accdf599f5000a3cb69ed01"},{"author":{"_account_id":38744,"name":"Anton Iacobaeus","display_name":"antia","email":"anton.iacobaeus@canarybit.eu","username":"antia","status":"Canary Bit"},"change_message_id":"aa20b1882ea4a9901155b01d48cb6afd8fe230be","unresolved":false,"context_lines":[{"line_number":236,"context_line":""},{"line_number":237,"context_line":"      tdx 3"},{"line_number":238,"context_line":""},{"line_number":239,"context_line":"This could be used to account for TDX guests started outside of Nova\u0027s control."},{"line_number":240,"context_line":"This is, however, not necessary and the pattern of letting the operator"},{"line_number":241,"context_line":"configure the ``reserved`` field manually is preferred."},{"line_number":242,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"ef7df6fe_78f9de8b","line":239,"range":{"start_line":239,"start_character":37,"end_line":239,"end_character":78},"in_reply_to":"ed968fa4_29197bb4","updated":"2026-05-07 14:55:11.000000000","message":"Acknowledged","commit_id":"bb9f74c3714610482accdf599f5000a3cb69ed01"},{"author":{"_account_id":16207,"name":"ribaudr","display_name":"uggla","email":"rene.ribaud@gmail.com","username":"uggla","status":"Red Hat"},"change_message_id":"7c9b48a0a4b075faba48bf18c48c73eaed657ecc","unresolved":true,"context_lines":[{"line_number":342,"context_line":""},{"line_number":343,"context_line":"https://github.com/tianocore/edk2/commit/c3f4f5a949a9e94bafe081c24dbd4110834b11ea"},{"line_number":344,"context_line":""},{"line_number":345,"context_line":"* VNC is not supported, but configuring VNC will not prevent the VM from"},{"line_number":346,"context_line":"  starting."},{"line_number":347,"context_line":""},{"line_number":348,"context_line":"Performance Impact"},{"line_number":349,"context_line":"------------------"}],"source_content_type":"text/x-rst","patch_set":4,"id":"04cb2c28_284d770e","line":346,"range":{"start_line":345,"start_character":2,"end_line":346,"end_character":11},"updated":"2026-05-05 14:21:47.000000000","message":"I\u0027m not sure I understand the VNC limitation. QEMU provides the VNC server\nand handles the rendering through the emulated graphics device, so I\u0027m\nunclear why VNC wouldn\u0027t work with TDX. Could you clarify what this means\nin practice for end users? Does that mean the console will not work at all?","commit_id":"bb9f74c3714610482accdf599f5000a3cb69ed01"},{"author":{"_account_id":38744,"name":"Anton Iacobaeus","display_name":"antia","email":"anton.iacobaeus@canarybit.eu","username":"antia","status":"Canary Bit"},"change_message_id":"aa20b1882ea4a9901155b01d48cb6afd8fe230be","unresolved":true,"context_lines":[{"line_number":342,"context_line":""},{"line_number":343,"context_line":"https://github.com/tianocore/edk2/commit/c3f4f5a949a9e94bafe081c24dbd4110834b11ea"},{"line_number":344,"context_line":""},{"line_number":345,"context_line":"* VNC is not supported, but configuring VNC will not prevent the VM from"},{"line_number":346,"context_line":"  starting."},{"line_number":347,"context_line":""},{"line_number":348,"context_line":"Performance Impact"},{"line_number":349,"context_line":"------------------"}],"source_content_type":"text/x-rst","patch_set":4,"id":"336246ce_0dea95ed","line":346,"range":{"start_line":345,"start_character":2,"end_line":346,"end_character":11},"in_reply_to":"04cb2c28_284d770e","updated":"2026-05-07 14:55:11.000000000","message":"I am not completely versed in the details of this limitation, but I suspect it has to do with that TDX encrypts, or otherwise prevents access to, memory regions that the graphics device exposes to the VNC server. \n\nPreviously a TDX VM would crash if VNC was added by QEMU/Libvirt. This was then fixed but VNC is still not supported [1][2].\n\nCanonical lists this as a limitation [3], also other cloud implementations [4][5]. In practice it means that VNC will not work at all but the VM still operates as expected. From my experience when trying to use a VNC viewer it gets stuck in \"Guest has not initialized display (yet).\" and it is unable to show anything.\n\n[1] https://github.com/canonical/tdx/issues/202#issuecomment-2783650038\n[2] https://lore.kernel.org/all/20250226195529.2314580-28-pbonzini@redhat.com/\n[3] https://github.com/canonical/tdx/releases/tag/3.3\n[4] https://cloud.ibm.com/docs/vpc?topic\u003dvpc-about-confidential-computing-vpc\n[5] https://www.alibabacloud.com/help/en/ecs/user-guide/build-a-tdx-confidential-computing-environment?spm\u003da2c63.p38356.help-menu-25365.d_0_8_7_2_1.312822dedpKuEf","commit_id":"bb9f74c3714610482accdf599f5000a3cb69ed01"},{"author":{"_account_id":16207,"name":"ribaudr","display_name":"uggla","email":"rene.ribaud@gmail.com","username":"uggla","status":"Red Hat"},"change_message_id":"e2507a9990cea75dcd9e0097e9964ab85fe1442a","unresolved":true,"context_lines":[{"line_number":342,"context_line":""},{"line_number":343,"context_line":"https://github.com/tianocore/edk2/commit/c3f4f5a949a9e94bafe081c24dbd4110834b11ea"},{"line_number":344,"context_line":""},{"line_number":345,"context_line":"* VNC is not supported, but configuring VNC will not prevent the VM from"},{"line_number":346,"context_line":"  starting."},{"line_number":347,"context_line":""},{"line_number":348,"context_line":"Performance Impact"},{"line_number":349,"context_line":"------------------"}],"source_content_type":"text/x-rst","patch_set":4,"id":"a13069c5_a4aef3c2","line":346,"range":{"start_line":345,"start_character":2,"end_line":346,"end_character":11},"in_reply_to":"336246ce_0dea95ed","updated":"2026-05-12 15:42:09.000000000","message":"From my understanding with the link provided, I would say `VNC console is not supported`....","commit_id":"bb9f74c3714610482accdf599f5000a3cb69ed01"},{"author":{"_account_id":38744,"name":"Anton Iacobaeus","display_name":"antia","email":"anton.iacobaeus@canarybit.eu","username":"antia","status":"Canary Bit"},"change_message_id":"2959850a14d8c4ffb8002940dca7df7a72bab340","unresolved":false,"context_lines":[{"line_number":342,"context_line":""},{"line_number":343,"context_line":"https://github.com/tianocore/edk2/commit/c3f4f5a949a9e94bafe081c24dbd4110834b11ea"},{"line_number":344,"context_line":""},{"line_number":345,"context_line":"* VNC is not supported, but configuring VNC will not prevent the VM from"},{"line_number":346,"context_line":"  starting."},{"line_number":347,"context_line":""},{"line_number":348,"context_line":"Performance Impact"},{"line_number":349,"context_line":"------------------"}],"source_content_type":"text/x-rst","patch_set":4,"id":"434484d9_78242fbb","line":346,"range":{"start_line":345,"start_character":2,"end_line":346,"end_character":11},"in_reply_to":"a13069c5_a4aef3c2","updated":"2026-05-13 13:47:08.000000000","message":"Yes meant the VNC console, clarified in the spec","commit_id":"bb9f74c3714610482accdf599f5000a3cb69ed01"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"692e18cce7c49146a859e944b26bdede4f80dd24","unresolved":true,"context_lines":[{"line_number":208,"context_line":""},{"line_number":209,"context_line":"Other operations, like cold migration, can also be impacted since"},{"line_number":210,"context_line":"host-passthrough is a prerequisite for TDX. This will not be explicitly checked"},{"line_number":211,"context_line":"for TDX."},{"line_number":212,"context_line":""},{"line_number":213,"context_line":"Alternatives"},{"line_number":214,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":5,"id":"916a921a_3026e40b","line":211,"updated":"2026-05-27 14:47:02.000000000","message":"* I don\u0027t see how host-passthrough affects cold migration. Could you elaborate?\n \n* If host-passthrough is mandatory for TDX then nova-compute can check its config an only expose the MEM_CONTEXT inventory if for TDX if host-passthrough is configured.","commit_id":"78929519c10b5ac2230237fa2f932459dac87ca7"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"8595ce88a0c96783ee51f5eb474d784e60d684c6","unresolved":false,"context_lines":[{"line_number":208,"context_line":""},{"line_number":209,"context_line":"Other operations, like cold migration, can also be impacted since"},{"line_number":210,"context_line":"host-passthrough is a prerequisite for TDX. This will not be explicitly checked"},{"line_number":211,"context_line":"for TDX."},{"line_number":212,"context_line":""},{"line_number":213,"context_line":"Alternatives"},{"line_number":214,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":5,"id":"83d96c70_63ae3c38","line":211,"in_reply_to":"09e51ad7_a54fe45e","updated":"2026-06-02 14:17:16.000000000","message":"Acknowledged","commit_id":"78929519c10b5ac2230237fa2f932459dac87ca7"},{"author":{"_account_id":38744,"name":"Anton Iacobaeus","display_name":"antia","email":"anton.iacobaeus@canarybit.eu","username":"antia","status":"Canary Bit"},"change_message_id":"3f71431fe1da52c4874f12ae06736a2bee7272f6","unresolved":true,"context_lines":[{"line_number":208,"context_line":""},{"line_number":209,"context_line":"Other operations, like cold migration, can also be impacted since"},{"line_number":210,"context_line":"host-passthrough is a prerequisite for TDX. This will not be explicitly checked"},{"line_number":211,"context_line":"for TDX."},{"line_number":212,"context_line":""},{"line_number":213,"context_line":"Alternatives"},{"line_number":214,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":5,"id":"09e51ad7_a54fe45e","line":211,"in_reply_to":"4ff42331_f331c2b6","updated":"2026-06-02 14:02:51.000000000","message":"Yes apologies, you are completely right. I was under the impression that cold-migration would be impacted in the same way.\n\nSpec has been updated accordingly.","commit_id":"78929519c10b5ac2230237fa2f932459dac87ca7"},{"author":{"_account_id":38744,"name":"Anton Iacobaeus","display_name":"antia","email":"anton.iacobaeus@canarybit.eu","username":"antia","status":"Canary Bit"},"change_message_id":"b8f7699cc12b72d2d6097593943688e79d472a4e","unresolved":true,"context_lines":[{"line_number":208,"context_line":""},{"line_number":209,"context_line":"Other operations, like cold migration, can also be impacted since"},{"line_number":210,"context_line":"host-passthrough is a prerequisite for TDX. This will not be explicitly checked"},{"line_number":211,"context_line":"for TDX."},{"line_number":212,"context_line":""},{"line_number":213,"context_line":"Alternatives"},{"line_number":214,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":5,"id":"e14c7828_a54fa6f9","line":211,"in_reply_to":"916a921a_3026e40b","updated":"2026-06-01 17:10:21.000000000","message":"Yes this was quite vague. host-passthrough exposes the exact host CPU which is more limiting in terms of cold-migration than the default host-model or a specific model. This then applies to instances without TDX on a TDX enabled node since host-passthrough is a host wide configuration in Nova. Rephrased this paragraph to clarify the impact.\n\n\u003e If host-passthrough is mandatory for TDX then nova-compute can check its config an only expose the MEM_CONTEXT inventory if for TDX if host-passthrough is configured.\n\nThat would be ideal! Added to the spec.","commit_id":"78929519c10b5ac2230237fa2f932459dac87ca7"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"d67474d728b9a190e87c697b97d2953eebdee4d2","unresolved":true,"context_lines":[{"line_number":208,"context_line":""},{"line_number":209,"context_line":"Other operations, like cold migration, can also be impacted since"},{"line_number":210,"context_line":"host-passthrough is a prerequisite for TDX. This will not be explicitly checked"},{"line_number":211,"context_line":"for TDX."},{"line_number":212,"context_line":""},{"line_number":213,"context_line":"Alternatives"},{"line_number":214,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":5,"id":"4ff42331_f331c2b6","line":211,"in_reply_to":"e14c7828_a54fa6f9","updated":"2026-06-02 10:58:58.000000000","message":"I think you are mixing cold and live migration regarding host-passthrough. https://docs.openstack.org/nova/latest/admin/cpu-models.html#host-passthrough In case of live migration it is indeed very limiting to have host-passthrough configured.\n\nHowever intel TDX does not actually support live migration so host-passthrough will only be a limitation once live-migration is added.","commit_id":"78929519c10b5ac2230237fa2f932459dac87ca7"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"692e18cce7c49146a859e944b26bdede4f80dd24","unresolved":true,"context_lines":[{"line_number":209,"context_line":"Other operations, like cold migration, can also be impacted since"},{"line_number":210,"context_line":"host-passthrough is a prerequisite for TDX. This will not be explicitly checked"},{"line_number":211,"context_line":"for TDX."},{"line_number":212,"context_line":""},{"line_number":213,"context_line":"Alternatives"},{"line_number":214,"context_line":"------------"},{"line_number":215,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"af045496_9993fefd","line":212,"updated":"2026-05-27 14:47:02.000000000","message":"Could you state in the spec if a new child resouce provider will be created for TDX like for SEV and SEV-ES?","commit_id":"78929519c10b5ac2230237fa2f932459dac87ca7"},{"author":{"_account_id":38744,"name":"Anton Iacobaeus","display_name":"antia","email":"anton.iacobaeus@canarybit.eu","username":"antia","status":"Canary Bit"},"change_message_id":"b8f7699cc12b72d2d6097593943688e79d472a4e","unresolved":true,"context_lines":[{"line_number":209,"context_line":"Other operations, like cold migration, can also be impacted since"},{"line_number":210,"context_line":"host-passthrough is a prerequisite for TDX. This will not be explicitly checked"},{"line_number":211,"context_line":"for TDX."},{"line_number":212,"context_line":""},{"line_number":213,"context_line":"Alternatives"},{"line_number":214,"context_line":"------------"},{"line_number":215,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"d82f84c9_fb6f3418","line":212,"in_reply_to":"af045496_9993fefd","updated":"2026-06-01 17:10:21.000000000","message":"Yes a new child resource provider will be created for TDX. Clarified with a diagram in the spec.","commit_id":"78929519c10b5ac2230237fa2f932459dac87ca7"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"d67474d728b9a190e87c697b97d2953eebdee4d2","unresolved":false,"context_lines":[{"line_number":209,"context_line":"Other operations, like cold migration, can also be impacted since"},{"line_number":210,"context_line":"host-passthrough is a prerequisite for TDX. This will not be explicitly checked"},{"line_number":211,"context_line":"for TDX."},{"line_number":212,"context_line":""},{"line_number":213,"context_line":"Alternatives"},{"line_number":214,"context_line":"------------"},{"line_number":215,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"ff2de3f8_578e0ab5","line":212,"in_reply_to":"d82f84c9_fb6f3418","updated":"2026-06-02 10:58:58.000000000","message":"Done","commit_id":"78929519c10b5ac2230237fa2f932459dac87ca7"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"692e18cce7c49146a859e944b26bdede4f80dd24","unresolved":true,"context_lines":[{"line_number":335,"context_line":""},{"line_number":336,"context_line":"Other limitations:"},{"line_number":337,"context_line":""},{"line_number":338,"context_line":"* Hugepages (hw:mem_page_size) support is ongoing but not merged, see patches:"},{"line_number":339,"context_line":""},{"line_number":340,"context_line":"https://lore.kernel.org/kvm/20260106101646.24809-1-yan.y.zhao@intel.com/"},{"line_number":341,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"6fac963e_96e88e59","line":338,"updated":"2026-05-27 14:47:02.000000000","message":"So we somehow need to prevent exposing TDX MEM_ENCRYPTION_CONTEXT resources if the host if configured with huge pages?","commit_id":"78929519c10b5ac2230237fa2f932459dac87ca7"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"d67474d728b9a190e87c697b97d2953eebdee4d2","unresolved":false,"context_lines":[{"line_number":335,"context_line":""},{"line_number":336,"context_line":"Other limitations:"},{"line_number":337,"context_line":""},{"line_number":338,"context_line":"* Hugepages (hw:mem_page_size) support is ongoing but not merged, see patches:"},{"line_number":339,"context_line":""},{"line_number":340,"context_line":"https://lore.kernel.org/kvm/20260106101646.24809-1-yan.y.zhao@intel.com/"},{"line_number":341,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"ac183e84_93a99983","line":338,"in_reply_to":"47750390_cd8d0201","updated":"2026-06-02 10:58:58.000000000","message":"Acknowledged","commit_id":"78929519c10b5ac2230237fa2f932459dac87ca7"},{"author":{"_account_id":38744,"name":"Anton Iacobaeus","display_name":"antia","email":"anton.iacobaeus@canarybit.eu","username":"antia","status":"Canary Bit"},"change_message_id":"b8f7699cc12b72d2d6097593943688e79d472a4e","unresolved":true,"context_lines":[{"line_number":335,"context_line":""},{"line_number":336,"context_line":"Other limitations:"},{"line_number":337,"context_line":""},{"line_number":338,"context_line":"* Hugepages (hw:mem_page_size) support is ongoing but not merged, see patches:"},{"line_number":339,"context_line":""},{"line_number":340,"context_line":"https://lore.kernel.org/kvm/20260106101646.24809-1-yan.y.zhao@intel.com/"},{"line_number":341,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"47750390_cd8d0201","line":338,"in_reply_to":"6fac963e_96e88e59","updated":"2026-06-01 17:10:21.000000000","message":"I believe that shouldn\u0027t be necessary. Using huge pages on the host, transparent or not, will not affect Intel TDX instances. Current implementation of Intel TDX downgrades huge pages to standard size (4kB) silently and still boots as normal. The patch mentioned enables larger sizes in the mapping. Expanded the spec to include this.","commit_id":"78929519c10b5ac2230237fa2f932459dac87ca7"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"692e18cce7c49146a859e944b26bdede4f80dd24","unresolved":true,"context_lines":[{"line_number":382,"context_line":"More info at:"},{"line_number":383,"context_line":"https://github.com/canonical/tdx"},{"line_number":384,"context_line":""},{"line_number":385,"context_line":"- **Quote Generation Service (QGS)**"},{"line_number":386,"context_line":""},{"line_number":387,"context_line":"For attestation the Quote Generation Service needs to run on the host. This is"},{"line_number":388,"context_line":"distributed by Intel, but has to be setup by the operator."},{"line_number":389,"context_line":""},{"line_number":390,"context_line":"The platform also needs to be registered with Intel."},{"line_number":391,"context_line":""},{"line_number":392,"context_line":"- **Configure Nova**:"},{"line_number":393,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"673f2c2d_c8c7594a","line":390,"range":{"start_line":385,"start_character":0,"end_line":390,"end_character":52},"updated":"2026-05-27 14:47:02.000000000","message":"What happens if this is not done? will VM fail to boot? If so then can nova-compute check if the host is properly configured before exposing the TDX resource to placement?","commit_id":"78929519c10b5ac2230237fa2f932459dac87ca7"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"d67474d728b9a190e87c697b97d2953eebdee4d2","unresolved":false,"context_lines":[{"line_number":382,"context_line":"More info at:"},{"line_number":383,"context_line":"https://github.com/canonical/tdx"},{"line_number":384,"context_line":""},{"line_number":385,"context_line":"- **Quote Generation Service (QGS)**"},{"line_number":386,"context_line":""},{"line_number":387,"context_line":"For attestation the Quote Generation Service needs to run on the host. This is"},{"line_number":388,"context_line":"distributed by Intel, but has to be setup by the operator."},{"line_number":389,"context_line":""},{"line_number":390,"context_line":"The platform also needs to be registered with Intel."},{"line_number":391,"context_line":""},{"line_number":392,"context_line":"- **Configure Nova**:"},{"line_number":393,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"4380c138_ba1b0872","line":390,"range":{"start_line":385,"start_character":0,"end_line":390,"end_character":52},"in_reply_to":"54b7ea73_dacb6225","updated":"2026-06-02 10:58:58.000000000","message":"Acknowledged","commit_id":"78929519c10b5ac2230237fa2f932459dac87ca7"},{"author":{"_account_id":38744,"name":"Anton Iacobaeus","display_name":"antia","email":"anton.iacobaeus@canarybit.eu","username":"antia","status":"Canary Bit"},"change_message_id":"b8f7699cc12b72d2d6097593943688e79d472a4e","unresolved":true,"context_lines":[{"line_number":382,"context_line":"More info at:"},{"line_number":383,"context_line":"https://github.com/canonical/tdx"},{"line_number":384,"context_line":""},{"line_number":385,"context_line":"- **Quote Generation Service (QGS)**"},{"line_number":386,"context_line":""},{"line_number":387,"context_line":"For attestation the Quote Generation Service needs to run on the host. This is"},{"line_number":388,"context_line":"distributed by Intel, but has to be setup by the operator."},{"line_number":389,"context_line":""},{"line_number":390,"context_line":"The platform also needs to be registered with Intel."},{"line_number":391,"context_line":""},{"line_number":392,"context_line":"- **Configure Nova**:"},{"line_number":393,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"54b7ea73_dacb6225","line":390,"range":{"start_line":385,"start_character":0,"end_line":390,"end_character":52},"in_reply_to":"673f2c2d_c8c7594a","updated":"2026-06-01 17:10:21.000000000","message":"This only affects attestation. The VM will boot with memory encryption but remote attestation (verification) of the VM will fail when attempted. Attestation is not necessarily needed to launch a confidential VM, but it is arguably what makes it useful.\n\nFor this initial support I would say that checking this is out of scope. End users that require attestation will have it fail unless configured correctly and will require the operator to amend it.\n\nSpec now includes more context.","commit_id":"78929519c10b5ac2230237fa2f932459dac87ca7"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"47cd6bf9a0992a93b9bb381888be1a7babd856b3","unresolved":true,"context_lines":[{"line_number":483,"context_line":"- Resource tracking for TDX key slots"},{"line_number":484,"context_line":""},{"line_number":485,"context_line":"Tempest and integration tests will require Intel TDX hardware, if made"},{"line_number":486,"context_line":"available through third-party CI."},{"line_number":487,"context_line":""},{"line_number":488,"context_line":"Documentation Impact"},{"line_number":489,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":5,"id":"ec1700ed_6651b613","line":486,"updated":"2026-06-01 14:33:08.000000000","message":"I assume you are testing the feature locally with real HW maybe with devstack. I\u0027m wondering if such testing can be automated via https://github.com/openstack/whitebox-tempest-plugin and therefore shared, so that others can run the same test locally with capable hardware too.\n\nObviously these test will not run in our first party CI due to HW limitations. But would help our local verification effort.\n\nHow do you feel about this? (Feel free to say no, I won\u0027t block on this)","commit_id":"78929519c10b5ac2230237fa2f932459dac87ca7"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"765736e3e548a101dd08f1cf54fac7a223ec83f8","unresolved":true,"context_lines":[{"line_number":483,"context_line":"- Resource tracking for TDX key slots"},{"line_number":484,"context_line":""},{"line_number":485,"context_line":"Tempest and integration tests will require Intel TDX hardware, if made"},{"line_number":486,"context_line":"available through third-party CI."},{"line_number":487,"context_line":""},{"line_number":488,"context_line":"Documentation Impact"},{"line_number":489,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":5,"id":"4f7393d6_a1610b21","line":486,"in_reply_to":"1c295563_f3cbddb9","updated":"2026-06-02 15:45:48.000000000","message":"all good indeed, you can provide a follow-up patch for modifying the spec if you want.","commit_id":"78929519c10b5ac2230237fa2f932459dac87ca7"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"8595ce88a0c96783ee51f5eb474d784e60d684c6","unresolved":true,"context_lines":[{"line_number":483,"context_line":"- Resource tracking for TDX key slots"},{"line_number":484,"context_line":""},{"line_number":485,"context_line":"Tempest and integration tests will require Intel TDX hardware, if made"},{"line_number":486,"context_line":"available through third-party CI."},{"line_number":487,"context_line":""},{"line_number":488,"context_line":"Documentation Impact"},{"line_number":489,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":5,"id":"1c295563_f3cbddb9","line":486,"in_reply_to":"37f7b12a_e7b97576","updated":"2026-06-02 14:17:16.000000000","message":"Sounds good. Thanks. If you need to respin the spec for any other reason then please mention this in the spec.","commit_id":"78929519c10b5ac2230237fa2f932459dac87ca7"},{"author":{"_account_id":38744,"name":"Anton Iacobaeus","display_name":"antia","email":"anton.iacobaeus@canarybit.eu","username":"antia","status":"Canary Bit"},"change_message_id":"5849e6d1da173a1d01a3760022a8d5cb94ec1317","unresolved":false,"context_lines":[{"line_number":483,"context_line":"- Resource tracking for TDX key slots"},{"line_number":484,"context_line":""},{"line_number":485,"context_line":"Tempest and integration tests will require Intel TDX hardware, if made"},{"line_number":486,"context_line":"available through third-party CI."},{"line_number":487,"context_line":""},{"line_number":488,"context_line":"Documentation Impact"},{"line_number":489,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":5,"id":"59d34b12_458affd1","line":486,"in_reply_to":"4f7393d6_a1610b21","updated":"2026-06-04 09:44:06.000000000","message":"Acknowledged","commit_id":"78929519c10b5ac2230237fa2f932459dac87ca7"},{"author":{"_account_id":38744,"name":"Anton Iacobaeus","display_name":"antia","email":"anton.iacobaeus@canarybit.eu","username":"antia","status":"Canary Bit"},"change_message_id":"3f71431fe1da52c4874f12ae06736a2bee7272f6","unresolved":true,"context_lines":[{"line_number":483,"context_line":"- Resource tracking for TDX key slots"},{"line_number":484,"context_line":""},{"line_number":485,"context_line":"Tempest and integration tests will require Intel TDX hardware, if made"},{"line_number":486,"context_line":"available through third-party CI."},{"line_number":487,"context_line":""},{"line_number":488,"context_line":"Documentation Impact"},{"line_number":489,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":5,"id":"37f7b12a_e7b97576","line":486,"in_reply_to":"ec1700ed_6651b613","updated":"2026-06-02 14:02:51.000000000","message":"This seems like a good fit. From what I can tell, it looks technically feasible and reasonably straightforward, although it will likely involve some additional work.\n\nI believe I should have the capacity for this. In the worst case, I can initially limit the scope to a smaller subset of the most relevant TDX tests if that is sufficient to start with.\n\nThat said, this would probably be treated as a secondary priority at first.","commit_id":"78929519c10b5ac2230237fa2f932459dac87ca7"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"765736e3e548a101dd08f1cf54fac7a223ec83f8","unresolved":true,"context_lines":[{"line_number":84,"context_line":""},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"- kvm_intel parameter (should be set to Y):"},{"line_number":87,"context_line":"  ``/sys/module/kvm_intel/parameters/tdx``"},{"line_number":88,"context_line":""},{"line_number":89,"context_line":"TDX requires ``libvirt.cpu_mode`` to be host-passthrough. This will be checked"},{"line_number":90,"context_line":"along with the above and disable TDX if it is not configured, logged"}],"source_content_type":"text/x-rst","patch_set":7,"id":"dfb7867a_4748dd3a","line":87,"updated":"2026-06-02 15:45:48.000000000","message":"to be clear, this parameter only is set to yes once the TDX BIOS option is enabled, right?","commit_id":"cd6e8f8a9b1c62fa622ce3bd0e5661d91c9d7904"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"12d0861c92600e142071a5dc54bb5383f80b76bc","unresolved":false,"context_lines":[{"line_number":84,"context_line":""},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"- kvm_intel parameter (should be set to Y):"},{"line_number":87,"context_line":"  ``/sys/module/kvm_intel/parameters/tdx``"},{"line_number":88,"context_line":""},{"line_number":89,"context_line":"TDX requires ``libvirt.cpu_mode`` to be host-passthrough. This will be checked"},{"line_number":90,"context_line":"along with the above and disable TDX if it is not configured, logged"}],"source_content_type":"text/x-rst","patch_set":7,"id":"6d2f74a6_fd327e20","line":87,"in_reply_to":"a626e86f_313c5027","updated":"2026-06-04 10:00:09.000000000","message":"Acknowledged","commit_id":"cd6e8f8a9b1c62fa622ce3bd0e5661d91c9d7904"},{"author":{"_account_id":38744,"name":"Anton Iacobaeus","display_name":"antia","email":"anton.iacobaeus@canarybit.eu","username":"antia","status":"Canary Bit"},"change_message_id":"5849e6d1da173a1d01a3760022a8d5cb94ec1317","unresolved":true,"context_lines":[{"line_number":84,"context_line":""},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"- kvm_intel parameter (should be set to Y):"},{"line_number":87,"context_line":"  ``/sys/module/kvm_intel/parameters/tdx``"},{"line_number":88,"context_line":""},{"line_number":89,"context_line":"TDX requires ``libvirt.cpu_mode`` to be host-passthrough. This will be checked"},{"line_number":90,"context_line":"along with the above and disable TDX if it is not configured, logged"}],"source_content_type":"text/x-rst","patch_set":7,"id":"a626e86f_313c5027","line":87,"in_reply_to":"dfb7867a_4748dd3a","updated":"2026-06-04 09:44:06.000000000","message":"Yes correct. In conjunction with the Libvirt domcapabilities check you get the complete chain:\n- libvirt: Successfully probed QEMU and confirmed Intel TDX support\n- QEMU: Confirmed Intel TDX support in KVM\n- KVM: Confirmed Intel TDX support in the host kernel and hardware\n- Firmware/BIOS: Intel TDX is enabled and properly configured in the system firmware\n- CPU hardware: The processor supports Intel TDX\n\nLibvirt domcapabilties actually covers all of this and the kernel parameter check is somewhat redundant.","commit_id":"cd6e8f8a9b1c62fa622ce3bd0e5661d91c9d7904"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"765736e3e548a101dd08f1cf54fac7a223ec83f8","unresolved":false,"context_lines":[{"line_number":138,"context_line":"Use the existing ``hw:mem_encryption\u003dTrue`` flavor extra spec and"},{"line_number":139,"context_line":"``hw_mem_encryption\u003dtrue`` image property, and introduce"},{"line_number":140,"context_line":"``hw:mem_encryption_model\u003dintel-tdx`` to specify TDX encryption, following the"},{"line_number":141,"context_line":"pattern used for SEV (``amd-sev``, ``amd-sev-es``)."},{"line_number":142,"context_line":""},{"line_number":143,"context_line":"Internally these properties will be translated into"},{"line_number":144,"context_line":"``resources:MEM_ENCRYPTION_CONTEXT\u003d1`` and"}],"source_content_type":"text/x-rst","patch_set":7,"id":"ad0ad841_767f7118","line":141,"updated":"2026-06-02 15:45:48.000000000","message":"++","commit_id":"cd6e8f8a9b1c62fa622ce3bd0e5661d91c9d7904"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"765736e3e548a101dd08f1cf54fac7a223ec83f8","unresolved":false,"context_lines":[{"line_number":181,"context_line":"  sockets and will integrate directly with the Quote Generation Service (QGS)"},{"line_number":182,"context_line":"  for attestation."},{"line_number":183,"context_line":"- Remaining fields are meant for user configuration and will be left as"},{"line_number":184,"context_line":"  default (empty)."},{"line_number":185,"context_line":""},{"line_number":186,"context_line":"The resulting launchSecurity:"},{"line_number":187,"context_line":""}],"source_content_type":"text/x-rst","patch_set":7,"id":"2ab179e7_44aaae6c","line":184,"updated":"2026-06-02 15:45:48.000000000","message":"all good with the proposal, let\u0027s keep it simple until other people want new features.","commit_id":"cd6e8f8a9b1c62fa622ce3bd0e5661d91c9d7904"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"765736e3e548a101dd08f1cf54fac7a223ec83f8","unresolved":false,"context_lines":[{"line_number":232,"context_line":"TDX also exposes values in MSR that indicates if it is enabled on the host, it"},{"line_number":233,"context_line":"essentially just reports what is configured in BIOS. Using MSR requires"},{"line_number":234,"context_line":"elevated privileges and is thus not preferred. Kernel logs also contains some"},{"line_number":235,"context_line":"information."},{"line_number":236,"context_line":""},{"line_number":237,"context_line":"The minimum required Libvirt, QEMU and kernel versions could also be included"},{"line_number":238,"context_line":"in these capabilities checks. However, these are implicitly checked already"}],"source_content_type":"text/x-rst","patch_set":7,"id":"40c173c7_9fd80711","line":235,"updated":"2026-06-02 15:45:48.000000000","message":"yup, let no go into that route.","commit_id":"cd6e8f8a9b1c62fa622ce3bd0e5661d91c9d7904"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"765736e3e548a101dd08f1cf54fac7a223ec83f8","unresolved":true,"context_lines":[{"line_number":337,"context_line":"sequence for Intel TDX. Many of the limitations with AMD SEV are also present"},{"line_number":338,"context_line":"in Intel TDX:"},{"line_number":339,"context_line":""},{"line_number":340,"context_line":"https://docs.openstack.org/nova/latest/admin/sev.html#limitations"},{"line_number":341,"context_line":""},{"line_number":342,"context_line":"Notable differences:"},{"line_number":343,"context_line":""}],"source_content_type":"text/x-rst","patch_set":7,"id":"d3f206e8_61c7279b","line":340,"updated":"2026-06-02 15:45:48.000000000","message":"implementation nit : the API decorator is named @reject_sev_instances(), we should rename it if it goes checking for TDX instances as well.","commit_id":"cd6e8f8a9b1c62fa622ce3bd0e5661d91c9d7904"},{"author":{"_account_id":38744,"name":"Anton Iacobaeus","display_name":"antia","email":"anton.iacobaeus@canarybit.eu","username":"antia","status":"Canary Bit"},"change_message_id":"5849e6d1da173a1d01a3760022a8d5cb94ec1317","unresolved":false,"context_lines":[{"line_number":337,"context_line":"sequence for Intel TDX. Many of the limitations with AMD SEV are also present"},{"line_number":338,"context_line":"in Intel TDX:"},{"line_number":339,"context_line":""},{"line_number":340,"context_line":"https://docs.openstack.org/nova/latest/admin/sev.html#limitations"},{"line_number":341,"context_line":""},{"line_number":342,"context_line":"Notable differences:"},{"line_number":343,"context_line":""}],"source_content_type":"text/x-rst","patch_set":7,"id":"34e224ed_4a568c51","line":340,"in_reply_to":"d3f206e8_61c7279b","updated":"2026-06-04 09:44:06.000000000","message":"Acknowledged","commit_id":"cd6e8f8a9b1c62fa622ce3bd0e5661d91c9d7904"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"765736e3e548a101dd08f1cf54fac7a223ec83f8","unresolved":true,"context_lines":[{"line_number":394,"context_line":""},{"line_number":395,"context_line":"   - Linux kernel \u003e\u003d 6.16 with TDX host support"},{"line_number":396,"context_line":"   - QEMU \u003e\u003d 10.1"},{"line_number":397,"context_line":"   - libvirt \u003e\u003d 11.6.0"},{"line_number":398,"context_line":"   - TDX module firmware"},{"line_number":399,"context_line":""},{"line_number":400,"context_line":"These requirements can be fulfilled with Ubuntu 25.10 and later"}],"source_content_type":"text/x-rst","patch_set":7,"id":"57c3e95d_d971f2c6","line":397,"updated":"2026-06-02 15:45:48.000000000","message":"do those requirements match with the other AMD SEV supports ? I saw your point in the alternatives section, you probably don\u0027t want to doublecheck the same requirements (which is fine by me) but I want to make we correctly cover that (and in case AMD SEV SNP requires newer versions, we could still potentially a separate list of variables for TDX).\nCan you please clarify that ?","commit_id":"cd6e8f8a9b1c62fa622ce3bd0e5661d91c9d7904"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"12d0861c92600e142071a5dc54bb5383f80b76bc","unresolved":true,"context_lines":[{"line_number":394,"context_line":""},{"line_number":395,"context_line":"   - Linux kernel \u003e\u003d 6.16 with TDX host support"},{"line_number":396,"context_line":"   - QEMU \u003e\u003d 10.1"},{"line_number":397,"context_line":"   - libvirt \u003e\u003d 11.6.0"},{"line_number":398,"context_line":"   - TDX module firmware"},{"line_number":399,"context_line":""},{"line_number":400,"context_line":"These requirements can be fulfilled with Ubuntu 25.10 and later"}],"source_content_type":"text/x-rst","patch_set":7,"id":"11fc47f3_5726a58b","line":397,"in_reply_to":"2117d4a6_7d6415c3","updated":"2026-06-04 10:00:09.000000000","message":"let\u0027s keep this comment open and discuss about this on the implementation series.","commit_id":"cd6e8f8a9b1c62fa622ce3bd0e5661d91c9d7904"},{"author":{"_account_id":38744,"name":"Anton Iacobaeus","display_name":"antia","email":"anton.iacobaeus@canarybit.eu","username":"antia","status":"Canary Bit"},"change_message_id":"5849e6d1da173a1d01a3760022a8d5cb94ec1317","unresolved":true,"context_lines":[{"line_number":394,"context_line":""},{"line_number":395,"context_line":"   - Linux kernel \u003e\u003d 6.16 with TDX host support"},{"line_number":396,"context_line":"   - QEMU \u003e\u003d 10.1"},{"line_number":397,"context_line":"   - libvirt \u003e\u003d 11.6.0"},{"line_number":398,"context_line":"   - TDX module firmware"},{"line_number":399,"context_line":""},{"line_number":400,"context_line":"These requirements can be fulfilled with Ubuntu 25.10 and later"}],"source_content_type":"text/x-rst","patch_set":7,"id":"2117d4a6_7d6415c3","line":397,"in_reply_to":"57c3e95d_d971f2c6","updated":"2026-06-04 09:44:06.000000000","message":"AMD SEV-SNP also requires similar upstream support, but it was introduced earlier than TDX. For SNP it was already in kernel 6.12 and QEMU 9.1 for instance. ARM CCA will have similar requirements but will require newer versions.\n\nSomewhat unique to TDX is that Canonical had a preview for Ubuntu 24.04 which means that there are some backported versions of the kernel, qemu and libvirt which support it. Having versions as hard requirements would therefore exclude them. Libvirt domcapabilities and the kernel parameter checks do a better job of checking the support anyway. The TDX kernel module also has to be loaded explicitly, so even if the support is there in the version we still have to check if it is enabled properly. \n\nI think a separate list for Intel TDX is good to have, but as documentation and not hard requirements.","commit_id":"cd6e8f8a9b1c62fa622ce3bd0e5661d91c9d7904"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"765736e3e548a101dd08f1cf54fac7a223ec83f8","unresolved":true,"context_lines":[{"line_number":462,"context_line":"- Add TDX key slot resource tracking"},{"line_number":463,"context_line":"- Add constraint checks for TDX flavors/images"},{"line_number":464,"context_line":""},{"line_number":465,"context_line":"All work items will also include unit testing."},{"line_number":466,"context_line":""},{"line_number":467,"context_line":"Dependencies"},{"line_number":468,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":7,"id":"14d129ea_acd502ec","line":465,"updated":"2026-06-02 15:45:48.000000000","message":"functional tests are also worth to be written.","commit_id":"cd6e8f8a9b1c62fa622ce3bd0e5661d91c9d7904"},{"author":{"_account_id":38744,"name":"Anton Iacobaeus","display_name":"antia","email":"anton.iacobaeus@canarybit.eu","username":"antia","status":"Canary Bit"},"change_message_id":"5849e6d1da173a1d01a3760022a8d5cb94ec1317","unresolved":true,"context_lines":[{"line_number":462,"context_line":"- Add TDX key slot resource tracking"},{"line_number":463,"context_line":"- Add constraint checks for TDX flavors/images"},{"line_number":464,"context_line":""},{"line_number":465,"context_line":"All work items will also include unit testing."},{"line_number":466,"context_line":""},{"line_number":467,"context_line":"Dependencies"},{"line_number":468,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":7,"id":"2e60748a_8d881d11","line":465,"in_reply_to":"14d129ea_acd502ec","updated":"2026-06-04 09:44:06.000000000","message":"Yes agreed! If another version is needed I can outline some of the functional tests.","commit_id":"cd6e8f8a9b1c62fa622ce3bd0e5661d91c9d7904"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"12d0861c92600e142071a5dc54bb5383f80b76bc","unresolved":false,"context_lines":[{"line_number":462,"context_line":"- Add TDX key slot resource tracking"},{"line_number":463,"context_line":"- Add constraint checks for TDX flavors/images"},{"line_number":464,"context_line":""},{"line_number":465,"context_line":"All work items will also include unit testing."},{"line_number":466,"context_line":""},{"line_number":467,"context_line":"Dependencies"},{"line_number":468,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3bdad0c8_dbedc4e9","line":465,"in_reply_to":"2e60748a_8d881d11","updated":"2026-06-04 10:00:09.000000000","message":"Acknowledged","commit_id":"cd6e8f8a9b1c62fa622ce3bd0e5661d91c9d7904"}]}
