This is a tracking bug for Change: Confidential Virtualization Host for Intel TDX
For more details, see: https://fedoraproject.org/wiki/Changes/ConfidentialVirtHostIntelTDX
This change will introduce support for Fedora virtualization hosts to run confidential guests on suitable Intel TDX hardware.
If you encounter a bug related to this Change, please do not comment here. Instead, create a new bug and set it to block this bug.
Current status:
- TDX host support merged in upstream kernel. Fedora already rebased to latest kernel, however....... TDX config is mutually exclusive with KEXEC config, so it can't be turned on in Fedora kernel builds yet. This is pending a patch from Intel to make it compatible with kexec
- QEMU support is merged in upstream QEMU. Fedora intends to rebase to the rc release in late July
- Libvirt support is under review upstream
- virt-install support is pending submission
Dear change owner, this is a reminder that your change is required to be 100% code complete by August 26, which is the start of beta freeze. Please provide a status update on your change in the Incomplete Changes Report if you are not able to move your change to 'ON_QA' before this date. If you need to defer your change to the next Fedora release, please let me know and I will reassign this bug and the change page. Thank you kindly.
Latest status:
- kernel: TDX included in 6.16 kernel currently in Fedora, however, CONFIG_KVM_INTEL_TDX=y cannot be enabled due to incompatibility with KEXEC. Upstream works to fix the KEXEC compat issue with latest posting https://lkml.org/lkml/2025/8/14/76
- qemu: 10.1.0 rc3 release is built in Fedora with TDX support
- libvirt: 11.6.0 release is built in Fedora with TDX support
- virt-install: TDX merged upstream. New upstream release & rebase in Fedora expected before Aug 26th
IOW, the key gap is the kernel support for KEXEC+TDX compat.
It is hoped that this will be merged in time for 6.17, which while missing feature freeze date, would still be prior to F43 GA, or very soon thereafter.
It should be viable to backport the changes to 6.16 in Fedora 43 as a short-term solution, to make this feature complete.
> - virt-install: TDX merged upstream. New upstream release & rebase in Fedora expected before Aug 26th
virt-manager 5.1.0 is now in rawhide / f43, giving TDX support in virt-install
(In reply to Daniel Berrangé from comment #3)
> Latest status:
>
> - kernel: TDX included in 6.16 kernel currently in Fedora, however, CONFIG_KVM_INTEL_TDX=y cannot be enabled due to incompatibility with KEXEC. Upstream works to fix the KEXEC compat issue with latest posting https://lkml.org/lkml/2025/8/14/76
snip
> IOW, the key gap is the kernel support for KEXEC+TDX compat.
>
> It is hoped that this will be merged in time for 6.17, which while missing feature freeze date, would still be prior to F43 GA, or very soon thereafter.
>
> It should be viable to backport the changes to 6.16 in Fedora 43 as a short-term solution, to make this feature complete.
The required KEXEC fixes are now merged into tip.git, which should make it viable to backport them to Fedora in time for 43, unless they merge into 6.17 unexpectedly quickly
https://lore.kernel.org/all/20250901160930.1785244-1-pbonzini@redhat.com/
https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?id=fc1ded58808520a1ced0c4e2e5fb0dbd33b33612
Working to make a MR proposal to kernel ARK.
(In reply to Daniel Berrangé from comment #5)
> The required KEXEC fixes are now merged into tip.git, which should make it viable to backport them to Fedora in time for 43, unless they merge into 6.17 unexpectedly quickly
>
> https://lore.kernel.org/all/20250901160930.1785244-1-pbonzini@redhat.com/
>
> https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?id=fc1ded58808520a1ced0c4e2e5fb0dbd33b33612
>
> Working to make a MR proposal to kernel ARK.
MR proposed for backport at https://gitlab.com/cki-project/kernel-ark/-/merge_requests/4101
Kernel support built into kernel-6.17.0-63.fc43.x86_64.rpm