feat(tdx): configure required KVM capabilities for TDX VMs

Lencerf · Lencerf · commit c523bca32de8 · 2026-02-22T21:11:07.000-08:00
Signed-off-by: Changyuan Lyu &lt;changyuanl@google.com&gt;
diff --git a/alioth/src/hv/kvm/vm/vm_x86_64/tdx.rs b/alioth/src/hv/kvm/vm/vm_x86_64/tdx.rs
@@ -0,0 +1,26 @@
+// Copyright 2026 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+use crate::hv::Result;
+use crate::hv::kvm::vm::KvmVm;
+use crate::sys::kvm::{KvmCap, KvmHypercall};
+
+impl KvmVm {
+    pub fn tdx_init(&self) -> Result<()> {
+        let map_gpa_range = 1 << KvmHypercall::MAP_GPA_RANGE.raw();
+        self.vm.enable_cap(KvmCap::EXIT_HYPERCALL, map_gpa_range)?;
+        self.vm.enable_cap(KvmCap::X86_APIC_BUS_CYCLES_NS, 40)?;
+        Ok(())
+    }
+}
diff --git a/alioth/src/hv/kvm/vm/vm_x86_64/vm_x86_64.rs b/alioth/src/hv/kvm/vm/vm_x86_64/vm_x86_64.rs
@@ -12,7 +12,8 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-pub mod sev;
+mod sev;
+mod tdx;
 
 use std::os::fd::{FromRawFd, OwnedFd};
 use std::path::Path;
@@ -58,7 +59,7 @@ impl VmArch {
                 let fd = SevFd::new(dev_sev)?;
                 Ok(VmArch { sev_fd: Some(fd) })
             }
-            Coco::IntelTdx { attr } => todo!("Intel TDX {attr:?}"),
+            Coco::IntelTdx { .. } => Ok(VmArch::default()),
         }
     }
 }
@@ -91,14 +92,6 @@ impl KvmVm {
     }
 
     pub fn init(&self, config: &VmConfig) -> Result<()> {
-        if let Some(coco) = &config.coco {
-            match coco {
-                Coco::AmdSev { policy } => self.sev_init(*policy),
-                Coco::AmdSnp { .. } => self.snp_init(),
-                Coco::IntelTdx { attr } => todo!("Intel TDX {attr:?}"),
-            }?;
-        }
-
         let x2apic_caps =
             KvmX2apicApiFlag::USE_32BIT_IDS | KvmX2apicApiFlag::DISABLE_BROADCAST_QUIRK;
         if let Err(e) = self.vm.enable_cap(KvmCap::X2APIC_API, x2apic_caps.bits()) {
@@ -109,6 +102,15 @@ impl KvmVm {
         unsafe { kvm_set_tss_addr(&self.vm.fd, 0xf000_0000) }.context(error::SetVmParam)?;
         unsafe { kvm_set_identity_map_addr(&self.vm.fd, &0xf000_3000) }
             .context(error::SetVmParam)?;
+
+        if let Some(coco) = &config.coco {
+            match coco {
+                Coco::AmdSev { policy } => self.sev_init(*policy),
+                Coco::AmdSnp { .. } => self.snp_init(),
+                Coco::IntelTdx { .. } => self.tdx_init(),
+            }?;
+        }
+
         Ok(())
     }
 }
diff --git a/alioth/src/sys/linux/kvm.rs b/alioth/src/sys/linux/kvm.rs
@@ -530,6 +530,7 @@ consts! {
         EXIT_HYPERCALL = 201;
         // GUEST_MEMFD = 234;
         // VM_TYPES = 235;
+        X86_APIC_BUS_CYCLES_NS = 237;
     }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -530,6 +530,7 @@ consts! {`
`530`	`530`	`EXIT_HYPERCALL = 201;`
`531`	`531`	`// GUEST_MEMFD = 234;`
`532`	`532`	`// VM_TYPES = 235;`
	`533`	`+ X86_APIC_BUS_CYCLES_NS = 237;`
`533`	`534`	`}`
`534`	`535`	`}`
`535`	`536`