On Tue, Mar 17, 2026 at 05:11:26PM +0100, Hector Cao via Devel wrote:
For quote generation and remote attestation, an Intel TDX VM communicates with the QGSD (Quote Generation Service) on the host via a unix socket.
The unix socket can be specified via:
<launchSecurity type='tdx'>
  ...
  <quoteGenerationService path='/var/run/tdx-qgs/qgs.socket'/>
</launchSecurity>
In case the path field is omitted, a default path is used.
This commit generates the needed rule in the dynamic AA profile for the VM.
Signed-off-by: Hector Cao <hector.cao@canonical.com>
---
 src/security/virt-aa-helper.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index e932e79dab..53059ad5fa 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -1397,6 +1397,19 @@ get_files(vahControl * ctl) break; case VIR_DOMAIN_LAUNCH_SECURITY_PV: case VIR_DOMAIN_LAUNCH_SECURITY_TDX: + /* To communicate with the QGSD daemon running on the host, if we use the unix socket, + * allow the VM to access to the unix socket. + */ + if (ctl->def->sec->data.tdx.haveQGS) { + const char *qgsd_sock_file = QGS_UNIX_SOCKET_FILE; + if (ctl->def->sec->data.tdx.qgs_unix_path) { + qgsd_sock_file = ctl->def->sec->data.tdx.qgs_unix_path; + } + if (vah_add_file(&buf, qgsd_sock_file, "rw") != 0) { + return -1; + } + } + break;
Code change looks fine, but the indentation has got mixed up.
case VIR_DOMAIN_LAUNCH_SECURITY_NONE: case VIR_DOMAIN_LAUNCH_SECURITY_LAST: break; -- 2.43.0
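Review bot: the new block lives in a body shared by `case VIR_DOMAIN_LAUNCH_SECURITY_PV:` and `case VIR_DOMAIN_LAUNCH_SECURITY_TDX:`, so for a PV guest it reads ctl->def->sec->data.tdx.haveQGS from the tdx member even though the domain is not TDX; give VIR_DOMAIN_LAUNCH_SECURITY_TDX its own case body (or guard the block on the TDX sectype) so a PV guest can never pick up a QGS socket rule. Two smaller points: QGS_UNIX_SOCKET_FILE is referenced but the hunk adds no include, so confirm the header that defines it is already included by virt-aa-helper.c; and the comment reads better as "allow the VM to access the unix socket".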
With regards,
Daniel
--
|: https://berrange.com ~~ https://hachyderm.io/@berrange :|
|: https://libvirt.org ~~ https://entangle-photo.org :|
|: https://pixelfed.art/berrange ~~ https://fstop138.berrange.com :|