* [PATCH v2 0/5] qemu-options cleanup and deprecate memory-encryption
From: Xiaoyao Li @ 2026-05-12 8:44 UTC (permalink / raw)
To: Paolo Bonzini, Pierrick Bouvier
Cc: Philippe Mathieu-Daudé, qemu-devel, Daniel P . Berrangé,
xiaoyao.li
This is v2 of the previous "[PATCH 0/5] qemu-options: Fix, cleanup and
add description of tdx-guest" [1]. (Sorry that such a long time has passed.)
Patch 1 of the previous v1 is dropped because a similar patch has already
been merged.
Patch 5 to deprecate memory-encryption is added in this v2, following
Daniel's suggestion.
- v1 [1]
https://lore.kernel.org/qemu-devel/20250714091953.448226-1-xiaoyao.li@intel.com/
Xiaoyao Li (5):
i386/sev: Remove the example that references memory-encryption
qemu-options: Change memory-encryption to confidential-guest-support
in the example
qemu-options: Add confidential-guest-support to machine options
qemu-options: Add description of tdx-guest object
machine: Deprecate memory-encryption
docs/about/deprecated.rst | 7 ++++++
hw/core/machine.c | 2 ++
qemu-options.hx | 52 ++++++++++++++++++++++++++++++++++++---
target/i386/sev.c | 4 ---
4 files changed, 58 insertions(+), 7 deletions(-)
--
2.43.0
* [PATCH v2 1/5] i386/sev: Remove the example that references memory-encryption
From: Xiaoyao Li @ 2026-05-12 8:44 UTC (permalink / raw)
To: Paolo Bonzini, Pierrick Bouvier
Cc: Philippe Mathieu-Daudé, qemu-devel, Daniel P . Berrangé,
xiaoyao.li
"confidential-guest-support" is the recommended property to configure
sev for the machine, and amd-memory-encryption.rst has already switched
to use "confidential-guest-support" in the example.
Instead of changing "memory-encryption" to "confidential-guest-support"
in the comment of struct SevGuestState, just drop the example for
simplicity.
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Xiaoyao Li <xiaoyao.li@intel.com>
---
target/i386/sev.c | 4 ----
1 file changed, 4 deletions(-)
diff --git a/target/i386/sev.c b/target/i386/sev.c
index b44b5a1c2b94..f70f2ab4497f 100644
--- a/target/i386/sev.c
+++ b/target/i386/sev.c
@@ -160,10 +160,6 @@ struct SevCommonStateClass {
*
* The SevGuestState object is used for creating and managing a SEV
* guest.
- *
- * # $QEMU \
- * -object sev-guest,id=sev0 \
- * -machine ...,memory-encryption=sev0
*/
struct SevGuestState {
SevCommonState parent_obj;
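Review bot: with the four example lines gone, the comment above struct SevGuestState no longer says how the object is attached to a machine. Rather than dropping the usage hint entirely, consider a one-line pointer to amd-memory-encryption.rst, which the commit message says already shows the confidential-guest-support form, so the comment cannot drift from the documented command line again.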
--
2.43.0
* [PATCH v2 2/5] qemu-options: Change memory-encryption to confidential-guest-support in the example
From: Xiaoyao Li @ 2026-05-12 8:44 UTC (permalink / raw)
To: Paolo Bonzini, Pierrick Bouvier
Cc: Philippe Mathieu-Daudé, qemu-devel, Daniel P . Berrangé,
xiaoyao.li
"confidential-guest-support" is the recommended property instead of
"memory-encryption". Switch to "confidential-guest-support" in the
example of sev-guest.
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Xiaoyao Li <xiaoyao.li@intel.com>
---
qemu-options.hx | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/qemu-options.hx b/qemu-options.hx
index 96ae41f787ba..25ed486ff5d2 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -6343,7 +6343,7 @@ SRST
# |qemu_system_x86| \\
...... \\
-object sev-guest,id=sev0,cbitpos=47,reduced-phys-bits=1 \\
- -machine ...,memory-encryption=sev0 \\
+ -machine ...,confidential-guest-support=sev0 \\
.....
``-object igvm-cfg,file=file``
--
2.43.0
* [PATCH v2 3/5] qemu-options: Add confidential-guest-support to machine options
From: Xiaoyao Li @ 2026-05-12 8:44 UTC (permalink / raw)
To: Paolo Bonzini, Pierrick Bouvier
Cc: Philippe Mathieu-Daudé, qemu-devel, Daniel P . Berrangé,
xiaoyao.li
"confidential-guest-support" is the recommended property to configure
a machine with confidential computing technology instead of
"memory-encryption".
Add "confidential-guest-support" to machine options and explicitly call
out that "memory-encryption" is an alias of it and is not recommended.
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Xiaoyao Li <xiaoyao.li@intel.com>
---
qemu-options.hx | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/qemu-options.hx b/qemu-options.hx
index 25ed486ff5d2..ea4ae26b8d72 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -36,7 +36,8 @@ DEF("machine", HAS_ARG, QEMU_OPTION_machine, \
" dea-key-wrap=on|off controls support for DEA key wrapping (default=on)\n"
" suppress-vmdesc=on|off disables self-describing migration (default=off)\n"
" nvdimm=on|off controls NVDIMM support (default=off)\n"
- " memory-encryption=<id> memory encryption object to use (default=none)\n"
+ " confidential-guest-support=<id> specifies confidential guest support object (default=none)\n"
+ " memory-encryption=<id> (memory-encryption is the alias of confidential-guest-support, recommend to use confidential-guest-support)\n"
" hmat=on|off controls ACPI HMAT support (default=off)\n"
" spcr=on|off controls ACPI SPCR support (default=on)\n"
#ifdef CONFIG_POSIX
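Review bot: the new memory-encryption=<id> help line is a full parenthetical sentence, much longer than the one-phrase descriptions on the neighbouring lines, and "recommend to use" is ungrammatical. Something like "memory-encryption=<id> alias of confidential-guest-support (deprecated)" would match the style of the list and agree with the deprecation in patch 5/5.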
@@ -100,8 +101,12 @@ SRST
``nvdimm=on|off``
Enables or disables NVDIMM support. The default is off.
+ ``confidential-guest-support=<id>``
+ confidential guest support object to use. The default is none.
+
``memory-encryption=<id>``
- Memory encryption object to use. The default is none.
+ The alias of ``confidential-guest-support``. Recommend to use
+ confidential-guest-support.
``hmat=on|off``
Enables or disables ACPI Heterogeneous Memory Attribute Table
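Review bot: in the added SRST text, "confidential guest support object to use." starts in lower case while the neighbouring entries start with a capital ("Enables or disables NVDIMM support."), and "Recommend to use confidential-guest-support." has no subject and leaves the second mention of the property without the double-backtick markup used on the first. Suggested wording: "Confidential guest support object to use. The default is none." and "Alias of ``confidential-guest-support``, which should be used instead."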
--
2.43.0
* [PATCH v2 4/5] qemu-options: Add description of tdx-guest object
From: Xiaoyao Li @ 2026-05-12 8:44 UTC (permalink / raw)
To: Paolo Bonzini, Pierrick Bouvier
Cc: Philippe Mathieu-Daudé, qemu-devel, Daniel P . Berrangé,
xiaoyao.li
Add a description of the tdx-guest object so that the QEMU doc page can
have the description.
Signed-off-by: Xiaoyao Li <xiaoyao.li@intel.com>
---
Changes in v2:
- fix typo and add property after each property name; (Daniel)
- include how 'quote-generation-socket' is configured in the example; (Daniel)
---
qemu-options.hx | 41 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 41 insertions(+)
diff --git a/qemu-options.hx b/qemu-options.hx
index ea4ae26b8d72..f13ce0a3aa22 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -6351,6 +6351,47 @@ SRST
-machine ...,confidential-guest-support=sev0 \\
.....
+ ``-object tdx-guest,id=id,[attributes=attrs,sept-ve-disable=on|off,mrconfigid=sha384_digest,mrowner=sha384_digest,mrownerconfig=sha384_digest,quote-generation-socket=socketaddr]``
+ Create an Intel Trusted Domain eXtensions (TDX) guest object, which is
+ the type of ``confidential-guest-support`` object. When pass the object
+ ID to machine's ``confidential-guest-support`` property, it can create
+ a TDX guest.
+
+ The ``attributes`` property is a 64-bit integer, which specifies the
+ TD attributes of the TD.
+
+ The ``sept-ve-disable`` property controls the bit 28 of TD attributes
+ specifically. When it's on, the EPT violation conversion to #VE on
+ guest access of PENDING pages is disabled. Some guest OS (e.g., Linux
+ TD guest) may require this to be set, otherwise they refuse to boot.
+ The default value is on.
+
+ The ``mrconfigid`` property is base64 encoded SHA384 digest, which
+ provides the ID for non-owner-defined configuration of the guest TD,
+ e.g., run-time or OS configuration. The default value is all zeros.
+
+ The ``mrowner`` property is base64 encoded SHA384 digest, which
+ provides the ID for guest TD's owner. The default value is all zeros.
+
+ The ``mrownerconfig`` property is base64 encoded SHA384 digest, which
+ provides the ID for owner-defined configuration of the guest TD, e.g.,
+ the configuration specific to the workload rather than the run-time of
+ OS. The default value is all zeros.
+
+ The ``quote-generation-socket`` property specifies the socket address
+ of the Quote Generation Service (QGS). QGS is a daemon running on the
+ host. QEMU forwards the <GetQuote> request from TD guest to QGS and
+ sents the reply (which contains generated QUOTE on success) from QGS
+ to guest TD.
+
+ .. parsed-literal::
+
+ # |qemu_system_x86| \\
+ ...... \\
+ -object '{"qom-type":"tdx-guest","id":"tdx","quote-generation-socket":{"type":"unix","path":"/var/run/qgs.socket"}}' \\
+ -machine ...,confidential-guest-support=tdx \\
+ ......
+
``-object igvm-cfg,file=file``
Create an IGVM configuration object that defines the initial state
of the guest using a file in that conforms to the Independent Guest
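Review bot: the added text documents attributes as the full 64-bit TD attributes value and sept-ve-disable as bit 28 of that same value with a default of on, but does not say which one takes effect when both are given and disagree; a sentence stating the precedence would help anyone who pins TD attributes for attestation. Smaller points in the same hunk: "sents the reply" should be "sends the reply", "When pass the object ID" should be "When the object ID is passed", and the synopsis puts the comma before the bracket ("id=id,[attributes=...") where "id=id[,attributes=..." is meant. For the three mr* properties it would also help to state that the base64 string encodes the raw 48-byte SHA384 digest, since the synopsis placeholder "sha384_digest" alone could be read as a hex string.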
--
2.43.0
* [PATCH v2 5/5] machine: Deprecate memory-encryption
From: Xiaoyao Li @ 2026-05-12 8:44 UTC (permalink / raw)
To: Paolo Bonzini, Pierrick Bouvier
Cc: Philippe Mathieu-Daudé, qemu-devel, Daniel P . Berrangé,
xiaoyao.li
We've had 'confidential-guest-support' for long enough that no one should
be using 'memory-encryption' anymore.
Deprecate 'memory-encryption' by adding notes in docs/about/deprecated.rst
and print a warning when 'memory-encryption' is used.
Suggested-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Xiaoyao Li <xiaoyao.li@intel.com>
Link: https://lore.kernel.org/qemu-devel/aMPYkUsytGxLPIM7@redhat.com/
---
docs/about/deprecated.rst | 7 +++++++
hw/core/machine.c | 2 ++
2 files changed, 9 insertions(+)
diff --git a/docs/about/deprecated.rst b/docs/about/deprecated.rst
index 5551bd12ad83..d60c7206ec4d 100644
--- a/docs/about/deprecated.rst
+++ b/docs/about/deprecated.rst
@@ -305,6 +305,13 @@ they want to use and avoids confusion. Existing users of the ``spike``
machine must ensure that they're setting the ``spike`` machine in the
command line (``-M spike``).
+``memory-encryption`` machine property (since 11.1)
+'''''''''''''''''''''''''''''''''''''''''''''''''''
+
+Use ``confidential-guest-support`` instead. The ``memory-encryption`` object
+was an early implementation of memory encryption support in QEMU, but it has
+been superseded by the more comprehensive ``confidential-guest-support``
+object.
Backend options
---------------
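Review bot: the new deprecated.rst entry is headed "machine property" but its body calls both memory-encryption and confidential-guest-support an "object" and describes memory-encryption as "an early implementation of memory encryption support", whereas patch 3/5 in this series documents it as an alias of confidential-guest-support. Suggest describing it as a property alias, e.g. "The ``memory-encryption`` machine property is an alias of ``confidential-guest-support``; use ``confidential-guest-support`` instead."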
diff --git a/hw/core/machine.c b/hw/core/machine.c
index 63baff859f3d..baa275b87dcc 100644
--- a/hw/core/machine.c
+++ b/hw/core/machine.c
@@ -490,6 +490,8 @@ static void machine_set_memory_encryption(Object *obj, const char *value,
Object *cgs =
object_resolve_path_component(object_get_objects_root(), value);
+ warn_report("memory-encryption is deprecated, use confidential-guest-support instead");
+
if (!cgs) {
error_setg(errp, "No such memory encryption object '%s'", value);
return;
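Review bot: the added warn_report() call is a single line of 87 characters before indentation, which is over the 80-column limit in QEMU's coding style; break the call so the string literal sits on its own line or is split in two. The call also sits ahead of the "!cgs" check, so a mistyped object id produces the deprecation warning followed by the "No such memory encryption object" error; moving the warning after the check would keep the failure path to a single message, if that is preferred.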
--
2.43.0
* Re: [PATCH v2 5/5] machine: Deprecate memory-encryption
From: Daniel P. Berrangé @ 2026-05-12 9:04 UTC (permalink / raw)
To: Xiaoyao Li
Cc: Paolo Bonzini, Pierrick Bouvier, Philippe Mathieu-Daudé,
qemu-devel
On Tue, May 12, 2026 at 04:44:58PM +0800, Xiaoyao Li wrote:
> We've had 'confidential-guest-support' for long enough that no one should
> be using 'memory-encryption' anymore.
>
> Deprecate 'memory-encryption' by adding notes in docs/about/deprecated.rst
> and print a warning when 'memory-encryption' is used.
>
> Suggested-by: Daniel P. Berrangé <berrange@redhat.com>
> Signed-off-by: Xiaoyao Li <xiaoyao.li@intel.com>
> Link: https://lore.kernel.org/qemu-devel/aMPYkUsytGxLPIM7@redhat.com/
> ---
> docs/about/deprecated.rst | 7 +++++++
> hw/core/machine.c | 2 ++
> 2 files changed, 9 insertions(+)
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
With regards,
Daniel
--
|: https://berrange.com ~~ https://hachyderm.io/@berrange :|
|: https://libvirt.org ~~ https://entangle-photo.org :|
|: https://pixelfed.art/berrange ~~ https://fstop138.berrange.com :|