From ece52ee480fb40930cf5002eccf22d790f860590 Mon Sep 17 00:00:00 2001
From: Hsy-Intel
Date: Sun, 8 Feb 2026 14:27:52 +0000
Subject: [PATCH] Add TDX support for NixOS QEMU runs and document AsterNixOS usage
---
 book/src/osdk/guide/intel-tdx.md | 12 +++++++++++
 tools/nixos/run.sh | 36 +++++++++++++++-----------------
 tools/qemu_args.sh | 4 ++++
 3 files changed, 33 insertions(+), 19 deletions(-)
diff --git a/book/src/osdk/guide/intel-tdx.md b/book/src/osdk/guide/intel-tdx.md
index d7109952d..b2c67f552 100644
--- a/book/src/osdk/guide/intel-tdx.md
+++ b/book/src/osdk/guide/intel-tdx.md
@@ -76,3 +76,15 @@ cargo osdk build --scheme tdx
 cargo osdk run --scheme tdx
 cargo osdk test --scheme tdx
 ```
+
+## Run AsterNixOS in Intel TDX
+
+You can also run AsterNixOS with TDX by setting `INTEL_TDX=1`, which switches
+the QEMU scheme in the NixOS run script to TDX.
+
+Build the AsterNixOS image and run the OS:
+
+```bash
+make nixos
+INTEL_TDX=1 make run_nixos
+```
diff --git a/tools/nixos/run.sh b/tools/nixos/run.sh
index 0d8c72659..751f34c76 100755
--- a/tools/nixos/run.sh
+++ b/tools/nixos/run.sh
@@ -24,19 +24,20 @@ ASTERINAS_DIR=$(realpath "${SCRIPT_DIR}/../..") # Change to Asterinas root directory to ensure all scripts run from the correct location. cd "${ASTERINAS_DIR}" -# Base QEMU arguments -BASE_QEMU_ARGS="qemu-system-x86_64 \ - -bios /root/ovmf/release/OVMF.fd \ -" +if [ "${INTEL_TDX}" = "1" ]; then + SCHEME="tdx" + BASE_QEMU_ARGS="qemu-system-x86_64" +else + SCHEME="common" + BASE_QEMU_ARGS="qemu-system-x86_64 -bios /root/ovmf/release/OVMF.fd" +fi # Mode-specific QEMU arguments case "$MODE" in nixos) NIXOS_DIR="${ASTERINAS_DIR}/target/nixos" - QEMU_ARGS="${BASE_QEMU_ARGS} \ - -drive if=none,format=raw,id=u0,file=${NIXOS_DIR}/asterinas.img \ - -device virtio-blk-pci,drive=u0,disable-legacy=on,disable-modern=off \ - " + DISK_ARGS="-drive if=none,format=raw,id=u0,file=${NIXOS_DIR}/asterinas.img \ + -device virtio-blk-pci,drive=u0,disable-legacy=on,disable-modern=off" ;; iso) ASTER_IMAGE_PATH=${ASTERINAS_DIR}/target/nixos/asterinas.img 
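Review bot: The new `if [ "${INTEL_TDX}" = "1" ]` test reads INTEL_TDX without a default, so if the script runs under `set -u` (not visible in this hunk) an unset variable aborts it before the else branch is reached; `if [ "${INTEL_TDX:-0}" = "1" ]; then` keeps the same behaviour for callers that set it and makes the opt-in explicit. The removed `# Base QEMU arguments` comment has no replacement, and the TDX branch silently drops `-bios /root/ovmf/release/OVMF.fd`; a one-line comment such as `# TDX: firmware comes from the tdx scheme in qemu_args.sh, so no -bios here` (confirm against qemu_args.sh) would stop the next reader from assuming the firmware was lost. The same no-default `${VAR}` pattern is already used for ENABLE_KVM further down, so this is consistent with the existing code rather than a regression.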
@@ -53,27 +54,24 @@ case "$MODE" in dd if=/dev/zero of="${ASTER_IMAGE_PATH}" bs=1M count=${NIXOS_DISK_SIZE_IN_MB} status=none echo "Image created successfully!" - QEMU_ARGS="${BASE_QEMU_ARGS} \ - -cdrom ${ISO_IMAGE_PATH} -boot d \ + DISK_ARGS="-cdrom ${ISO_IMAGE_PATH} -boot d \ -drive if=none,format=raw,id=u0,file=${ASTER_IMAGE_PATH} \ - -device virtio-blk-pci,drive=u0,disable-legacy=on,disable-modern=off \ - " + -device virtio-blk-pci,drive=u0,disable-legacy=on,disable-modern=off" ;; *) usage ;; esac +# Fetch architecture specific arguments from qemu_args.sh +EXTRA_ARGS=$(${ASTERINAS_DIR}/tools/qemu_args.sh ${SCHEME} 2>/dev/null) + +QEMU_ARGS="${BASE_QEMU_ARGS} ${DISK_ARGS} ${EXTRA_ARGS}" + if [ "${ENABLE_KVM}" = "1" ]; then QEMU_ARGS="${QEMU_ARGS} -accel kvm" fi -COMMON_QEMU_ARGS=$(${ASTERINAS_DIR}/tools/qemu_args.sh common 2>/dev/null) -QEMU_ARGS=" - ${QEMU_ARGS} \ - ${COMMON_QEMU_ARGS} \ -" - # The kernel uses a specific value to signal a successful shutdown via the # isa-debug-exit device. KERNEL_SUCCESS_EXIT_CODE=16 # 0x10 in hexadecimal @@ -83,7 +81,7 @@ QEMU_SUCCESS_EXIT_CODE=$(((KERNEL_SUCCESS_EXIT_CODE << 1) | 1)) # Execute QEMU # shellcheck disable=SC2086 -${QEMU_ARGS} || exit_code=$? +eval "${QEMU_ARGS}" || exit_code=$? exit_code=${exit_code:-0} # Check if the execution was successful: diff --git a/tools/qemu_args.sh b/tools/qemu_args.sh index 1be720403..d33079f9f 100755 --- a/tools/qemu_args.sh +++ b/tools/qemu_args.sh 
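Review bot: The new `EXTRA_ARGS=$(${ASTERINAS_DIR}/tools/qemu_args.sh ${SCHEME} 2>/dev/null)` discards stderr and never checks the exit status, so if the helper fails (for example when the TDX object cannot be set up) EXTRA_ARGS is empty and QEMU is still launched, in the TDX case as an ordinary non-confidential guest with no error at all. The previous `COMMON_QEMU_ARGS` line had the same shape, but the commit now routes the scheme selection through it, which makes a silent fallback to a plain VM a much worse failure mode; `EXTRA_ARGS=$("${ASTERINAS_DIR}/tools/qemu_args.sh" "${SCHEME}") || { echo "qemu_args.sh failed for scheme ${SCHEME}" >&2; exit 1; }` surfaces it. Quoting the two expansions also guards against a checkout path containing spaces.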
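Review bot: Switching from `${QEMU_ARGS}` to `eval "${QEMU_ARGS}"` means the whole assembled string is re-parsed as shell code, so `${NIXOS_DIR}`/`${ASTER_IMAGE_PATH}` (derived from the checkout location) and the entire stdout of qemu_args.sh are now interpreted rather than merely word-split; a path or helper output containing spaces, `$`, or `;` changes the command instead of just failing. Presumably eval is required because the tdx scheme emits `-object '$TDX_OBJECT'` with embedded quotes that plain word-splitting cannot honour, but that reason is not recorded. The `# shellcheck disable=SC2086` directive on the line above is now stale since the eval argument is quoted; replacing it with `# eval: qemu_args.sh output contains quoted arguments (e.g. -object '...') that word-splitting would break` documents the actual constraint.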
@@ -69,6 +69,10 @@ if [ "$1" = "tdx" ]; then
 -cpu host,-kvm-steal-time,pmu=off \
 -machine q35,kernel-irqchip=split,confidential-guest-support=tdx0 \
 -object '$TDX_OBJECT' \
+ -drive if=none,format=raw,id=x0,file=./test/initramfs/build/ext2.img \
+ -drive if=none,format=raw,id=x1,file=./test/initramfs/build/exfat.img \
+ -device virtio-blk-pci,drive=x0,serial=vext2,disable-legacy=on,disable-modern=off,queue-size=64,num-queues=1,request-merging=off,backend_defaults=off,discard=off,write-zeroes=off,event_idx=off,indirect_desc=off,queue_reset=off \
+ -device virtio-blk-pci,drive=x1,serial=vexfat,disable-legacy=on,disable-modern=off,queue-size=64,num-queues=1,request-merging=off,backend_defaults=off,discard=off,write-zeroes=off,event_idx=off,indirect_desc=off,queue_reset=off \
 -device virtio-net-pci,netdev=net01,disable-legacy=on,disable-modern=off$VIRTIO_NET_FEATURES \
 -device virtio-keyboard-pci,disable-legacy=on,disable-modern=off \
 $NETDEV_ARGS \
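Review bot: The two added `-drive` lines hard-code `./test/initramfs/build/ext2.img` and `./test/initramfs/build/exfat.img` relative to the current directory, so the tdx scheme now only works when invoked from the repository root (run.sh happens to cd there, but the dependency is implicit) and QEMU refuses to start if those test images have not been built. Resolving the path from the script's own location or checking `[ -f ./test/initramfs/build/ext2.img ] || { echo "initramfs test images not built" >&2; exit 1; }` before emitting the arguments would make that failure explicit. The option list from `disable-legacy=on` through `queue_reset=off` is repeated verbatim on both `-device virtio-blk-pci` lines; a single variable (e.g. `VIRTIO_BLK_OPTS`, constructed name) expanded in both would keep them from drifting. The enclosing `if [ "$1" = "tdx" ]` block starts and ends outside this hunk.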