feat(hv): add tdx_init_mem_region for KvmVcpu

Lencerf · Lencerf · commit 19ea0392a50b · 2026-02-13T13:47:41.000-08:00
Signed-off-by: Changyuan Lyu &lt;changyuanl@google.com&gt;
diff --git a/alioth/src/hv/hv.rs b/alioth/src/hv/hv.rs
@@ -111,6 +111,9 @@ pub enum Error {
     #[cfg(target_arch = "x86_64")]
     #[snafu(display("SEV command error code {code:#x?}"))]
     SevErr { code: SevStatus },
+    #[cfg(target_arch = "x86_64")]
+    #[snafu(display("TDX command error code {code:#x?}"))]
+    TdxErr { code: u64 },
 }
 
 impl From<std::sync::mpsc::RecvError> for Error {
@@ -214,6 +217,9 @@ pub trait Vcpu {
         let pc = self.get_reg(Reg::Pc)?;
         self.set_regs(&[(Reg::Pc, pc + 4)])
     }
+
+    #[cfg(target_arch = "x86_64")]
+    fn tdx_init_mem_region(&self, data: &[u8], gpa: u64, measure: bool) -> Result<()>;
 }
 
 #[cfg(not(target_arch = "x86_64"))]
diff --git a/alioth/src/hv/kvm/kvm.rs b/alioth/src/hv/kvm/kvm.rs
@@ -20,6 +20,8 @@ mod x86_64;
 mod device;
 #[cfg(target_arch = "x86_64")]
 mod sev;
+#[cfg(target_arch = "x86_64")]
+mod tdx;
 #[path = "vcpu/vcpu.rs"]
 mod vcpu;
 #[path = "vm/vm.rs"]
diff --git a/alioth/src/hv/kvm/tdx.rs b/alioth/src/hv/kvm/tdx.rs
@@ -0,0 +1,35 @@
+// Copyright 2026 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+use std::os::fd::OwnedFd;
+
+use snafu::ResultExt;
+
+use crate::hv::{Result, error};
+use crate::sys::kvm::kvm_memory_encrypt_op;
+use crate::sys::tdx::{KvmTdxCmd, KvmTdxCmdId};
+
+pub fn tdx_op<T>(fd: &OwnedFd, cmd: KvmTdxCmdId, flags: u32, data: Option<&mut T>) -> Result<()> {
+    let mut req = KvmTdxCmd {
+        id: cmd,
+        flags,
+        data: data.map(|d| d as *mut _ as _).unwrap_or(0),
+        hw_error: 0,
+    };
+    unsafe { kvm_memory_encrypt_op(fd, &mut req) }.context(error::MemEncrypt)?;
+    if req.hw_error != 0 {
+        return error::TdxErr { code: req.hw_error }.fail();
+    }
+    Ok(())
+}
diff --git a/alioth/src/hv/kvm/vcpu/vcpu.rs b/alioth/src/hv/kvm/vcpu/vcpu.rs
@@ -16,7 +16,7 @@
 #[path = "vcpu_aarch64.rs"]
 mod aarch64;
 #[cfg(target_arch = "x86_64")]
-#[path = "vcpu_x86_64.rs"]
+#[path = "vcpu_x86_64/vcpu_x86_64.rs"]
 mod x86_64;
 
 mod vmentry;
@@ -232,4 +232,9 @@ impl Vcpu for KvmVcpu {
     fn dump(&self) -> Result<(), Error> {
         Ok(())
     }
+
+    #[cfg(target_arch = "x86_64")]
+    fn tdx_init_mem_region(&self, data: &[u8], gpa: u64, measure: bool) -> Result<()> {
+        KvmVcpu::tdx_init_mem_region(self, data, gpa, measure)
+    }
 }
diff --git a/alioth/src/hv/kvm/vcpu/vcpu_x86_64/tdx.rs b/alioth/src/hv/kvm/vcpu/vcpu_x86_64/tdx.rs
@@ -0,0 +1,39 @@
+// Copyright 2026 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+use crate::hv::Result;
+use crate::hv::kvm::tdx::tdx_op;
+use crate::hv::kvm::vcpu::KvmVcpu;
+use crate::sys::tdx::{KvmTdxCmdId, KvmTdxInitMemRegion, KvmTdxInitMemRegionFlag};
+
+impl KvmVcpu {
+    pub fn tdx_init_mem_region(&self, data: &[u8], gpa: u64, measure: bool) -> Result<()> {
+        let mut region = KvmTdxInitMemRegion {
+            source_addr: data.as_ptr() as u64,
+            nr_pages: data.len() as u64 >> 12,
+            gpa,
+        };
+        let flag = if measure {
+            KvmTdxInitMemRegionFlag::MEASURE_MEMORY_REGION
+        } else {
+            KvmTdxInitMemRegionFlag::empty()
+        };
+        tdx_op(
+            &self.fd,
+            KvmTdxCmdId::INIT_MEM_REGION,
+            flag.bits(),
+            Some(&mut region),
+        )
+    }
+}
diff --git a/alioth/src/hv/kvm/vcpu/vcpu_x86_64/vcpu_x86_64.rs b/alioth/src/hv/kvm/vcpu/vcpu_x86_64/vcpu_x86_64.rs
@@ -12,6 +12,8 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
+mod tdx;
+
 use std::arch::x86_64::CpuidResult;
 use std::collections::HashMap;
 use std::iter::zip;
diff --git a/alioth/src/hv/kvm/vcpu/vcpu_x86_64/vcpu_x86_64_test.rs b/alioth/src/hv/kvm/vcpu/vcpu_x86_64/vcpu_x86_64_test.rs

Original file line number	Diff line number	Diff line change
`@@ -111,6 +111,9 @@ pub enum Error {`
`111`	`111`	`#[cfg(target_arch = "x86_64")]`
`112`	`112`	`#[snafu(display("SEV command error code {code:#x?}"))]`
`113`	`113`	`SevErr { code: SevStatus },`
	`114`	`+ #[cfg(target_arch = "x86_64")]`
	`115`	`+ #[snafu(display("TDX command error code {code:#x?}"))]`
	`116`	`+ TdxErr { code: u64 },`
`114`	`117`	`}`
`115`	`118`
`116`	`119`	`impl From<std::sync::mpsc::RecvError> for Error {`
`@@ -214,6 +217,9 @@ pub trait Vcpu {`
`214`	`217`	`let pc = self.get_reg(Reg::Pc)?;`
`215`	`218`	`self.set_regs(&[(Reg::Pc, pc + 4)])`
`216`	`219`	`}`
	`220`	`+`
	`221`	`+ #[cfg(target_arch = "x86_64")]`
	`222`	`+ fn tdx_init_mem_region(&self, data: &[u8], gpa: u64, measure: bool) -> Result<()>;`
`217`	`223`	`}`
`218`	`224`
`219`	`225`	`#[cfg(not(target_arch = "x86_64"))]`