Add element "quoteGenerationSocket" to tdx launch security type.
It contains only an optional unix socket address attribute; when that
attribute is omitted, libvirt will use the default QGS server address
"/var/run/tdx-qgs/qgs.socket".
UNIX sockets offer the required functionality with greater
security than vsock, so libvirt only provides support for unix
socket.
XML example:
<launchSecurity type='tdx'>
<policy>0x0</policy>
<mrConfigId>xxx</mrConfigId>
<mrOwner>xxx</mrOwner>
<mrOwnerConfig>xxx</mrOwnerConfig>
<quoteGenerationSocket path="/var/run/tdx-qgs/qgs.socket"/>
</launchSecurity>
Signed-off-by: Zhenzhong Duan <zhenzhong.duan(a)intel.com>
---
src/conf/domain_conf.c | 35 ++++++++++++++++++++++++++++++-
src/conf/domain_conf.h | 2 ++
src/conf/schemas/domaincommon.rng | 9 ++++++++
3 files changed, 45 insertions(+), 1 deletion(-)
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index 458852854b..f2bf980e5f 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -3954,6 +3954,7 @@ virDomainSecDefFree(virDomainSecDef *def)
g_free(def->data.tdx.mrconfigid);
g_free(def->data.tdx.mrowner);
g_free(def->data.tdx.mrownerconfig);
+ g_free(def->data.tdx.qgs_unix_path);
break;
case VIR_DOMAIN_LAUNCH_SECURITY_PV:
case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
@@ -14180,6 +14181,33 @@ virDomainSEVSNPDefParseXML(virDomainSEVSNPDef *def,
}
+static int
+virDomainTDXQGSDefParseXML(virDomainTDXDef *def, xmlXPathContextPtr ctxt)
+{
+ g_autofree xmlNodePtr *nodes = NULL;
+ xmlNodePtr node;
+ int n;
+
+ if ((n = virXPathNodeSet("./quoteGenerationSocket", ctxt, &nodes)) <
0)
+ return -1;
+
+ if (!n)
+ return 0;
+
+ if (n > 1) {
+ virReportError(VIR_ERR_XML_ERROR, "%s",
+ _("only a single QGS element is supported"));
+ return -1;
+ }
+ node = nodes[0];
+
+ def->haveQGS = true;
+ def->qgs_unix_path = virXMLPropString(node, "path");
+
+ return 0;
+}
+
+
static int
virDomainTDXDefParseXML(virDomainTDXDef *def,
xmlXPathContextPtr ctxt)
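Review bot: The new virDomainTDXQGSDefParseXML stores whatever string the `path` attribute carries without checking it, so the absolute-path restriction exists only in the domaincommon.rng hunk below, and schema validation is not applied unless a caller explicitly asks for it; a relative or empty path would be accepted here and only fail (or resolve somewhere unexpected) when the socket is later used. A parser-side guard after the virXMLPropString call keeps the constraint independent of schema validation. The error text on the `n > 1` branch says "QGS element" while the XML element is `quoteGenerationSocket`; naming the element in the message makes the error easier to map back to the XML. Note also that the `virXPathNodeSet(...) < 0` condition is shown wrapped onto two lines in this listing; presumably it is a single line in the actual patch.
```c
    def->haveQGS = true;
    def->qgs_unix_path = virXMLPropString(node, "path");

    /* the schema restricts 'path' to absFilePath, but schema
     * validation is optional, so enforce it here as well */
    if (def->qgs_unix_path && !g_path_is_absolute(def->qgs_unix_path)) {
        virReportError(VIR_ERR_XML_ERROR, "%s",
                       _("quoteGenerationSocket path must be an absolute path"));
        return -1;
    }

    return 0;
```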
@@ -14199,7 +14227,7 @@ virDomainTDXDefParseXML(virDomainTDXDef *def,
def->mrowner = virXPathString("string(./mrOwner)", ctxt);
def->mrownerconfig = virXPathString("string(./mrOwnerConfig)", ctxt);
- return 0;
+ return virDomainTDXQGSDefParseXML(def, ctxt);
}
@@ -27639,6 +27667,11 @@ virDomainTDXDefFormat(virBuffer *childBuf, virDomainTDXDef *def)
virBufferEscapeString(childBuf,
"<mrConfigId>%s</mrConfigId>\n", def->mrconfigid);
virBufferEscapeString(childBuf, "<mrOwner>%s</mrOwner>\n",
def->mrowner);
virBufferEscapeString(childBuf,
"<mrOwnerConfig>%s</mrOwnerConfig>\n", def->mrownerconfig);
+ if (def->haveQGS) {
+ virBufferAddLit(childBuf, "<quoteGenerationSocket");
+ virBufferEscapeString(childBuf, " path='%s'",
def->qgs_unix_path);
+ virBufferAddLit(childBuf, "/>\n");
+ }
}
diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
index 030e6baab8..93f8d0f960 100644
--- a/src/conf/domain_conf.h
+++ b/src/conf/domain_conf.h
@@ -2997,6 +2997,8 @@ struct _virDomainTDXDef {
char *mrconfigid;
char *mrowner;
char *mrownerconfig;
+ bool haveQGS;
+ char *qgs_unix_path;
};
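Review bot: The two new members of struct _virDomainTDXDef are undocumented, and their relationship (haveQGS set while qgs_unix_path stays NULL when the attribute is omitted) is only visible by reading the parser and formatter hunks. Short comments would make the contract explicit, e.g. `bool haveQGS;          /* <quoteGenerationSocket/> element present */` and `char *qgs_unix_path;   /* its 'path' attribute; NULL when omitted (default socket used) */`. The snake_case name qgs_unix_path also sits beside the camelCase haveQGS and the existing lowercase members; whichever style the file prefers, the pair should agree.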
diff --git a/src/conf/schemas/domaincommon.rng b/src/conf/schemas/domaincommon.rng
index 4581a7288d..00ae1deae0 100644
--- a/src/conf/schemas/domaincommon.rng
+++ b/src/conf/schemas/domaincommon.rng
@@ -673,6 +673,15 @@
<data type="string"/>
</element>
</optional>
+ <optional>
+ <element name="quoteGenerationSocket">
+ <optional>
+ <attribute name="path">
+ <ref name="absFilePath"/>
+ </attribute>
+ </optional>
+ </element>
+ </optional>
</interleave>
</define>
--
2.34.1