[PATCH] virt-aa-helper : grant access to unix socket for qgsd
For quote generation and remote attestation, Intel TDX VM communicates with the QGSD (Quote Generation Service) on the host via unix socket. The unix socket can be specified via: <launchSecurity type='tdx'> ... <quoteGenerationService path='/var/run/tdx-qgs/qgs.socket'/> </launchSecurity> in case the path field is omitted, a default path is used. This commit generates the needed rule in the dynamic AA profile for the VM. Signed-off-by: Hector Cao <hector.cao@canonical.com> --- src/security/virt-aa-helper.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index e932e79dab..53059ad5fa 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -1397,6 +1397,19 @@ get_files(vahControl * ctl) break; case VIR_DOMAIN_LAUNCH_SECURITY_PV: case VIR_DOMAIN_LAUNCH_SECURITY_TDX: + /* To communicate with the QGSD daemon running on the host, if we use the unix socket, + * allow the VM to access to the unix socket. + */ + if (ctl->def->sec->data.tdx.haveQGS) { + const char *qgsd_sock_file = QGS_UNIX_SOCKET_FILE; + if (ctl->def->sec->data.tdx.qgs_unix_path) { + qgsd_sock_file = ctl->def->sec->data.tdx.qgs_unix_path; + } + if (vah_add_file(&buf, qgsd_sock_file, "rw") != 0) { + return -1; + } + } + break; case VIR_DOMAIN_LAUNCH_SECURITY_NONE: case VIR_DOMAIN_LAUNCH_SECURITY_LAST: break; -- 2.43.0
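Review bot: the fallback `const char *qgsd_sock_file = QGS_UNIX_SOCKET_FILE;` relies on a macro this patch neither defines nor includes, so the hunk only builds if virt-aa-helper.c already sees the same definition the QEMU driver uses when it launches the guest; it is worth stating in the commit message where that constant comes from, because if the two defaults ever diverge the profile would allow a socket path QEMU never opens while the path it does open stays denied. The block comment should also be tightened: "if we use the unix socket, allow the VM to access to the unix socket" is ungrammatical and does not mention the fallback the commit message describes, so something like "If a QGS socket is configured, grant rw access to it (the configured path, or the default when none was given)" would document the actual logic.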
On Tue, Mar 17, 2026 at 05:11:26PM +0100, Hector Cao via Devel wrote:
For quote generation and remote attestation, Intel TDX VM communicates with the QGSD (Quote Generation Service) on the host via unix socket.
The unix socket can be specified via:
<launchSecurity type='tdx'> ... <quoteGenerationService path='/var/run/tdx-qgs/qgs.socket'/> </launchSecurity> in case the path field is omitted, a default path is used.
This commit generates the needed rule in the dynamic AA profile for the VM.
Signed-off-by: Hector Cao <hector.cao@canonical.com> --- src/security/virt-aa-helper.c | 13 +++++++++++++ 1 file changed, 13 insertions(+)
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index e932e79dab..53059ad5fa 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -1397,6 +1397,19 @@ get_files(vahControl * ctl) break; case VIR_DOMAIN_LAUNCH_SECURITY_PV: case VIR_DOMAIN_LAUNCH_SECURITY_TDX: + /* To communicate with the QGSD daemon running on the host, if we use the unix socket, + * allow the VM to access to the unix socket. + */ + if (ctl->def->sec->data.tdx.haveQGS) { + const char *qgsd_sock_file = QGS_UNIX_SOCKET_FILE; + if (ctl->def->sec->data.tdx.qgs_unix_path) { + qgsd_sock_file = ctl->def->sec->data.tdx.qgs_unix_path; + } + if (vah_add_file(&buf, qgsd_sock_file, "rw") != 0) { + return -1; + } + } + break;
Code change looks fine, but the indentation has got mixed up.
case VIR_DOMAIN_LAUNCH_SECURITY_NONE: case VIR_DOMAIN_LAUNCH_SECURITY_LAST: break; -- 2.43.0
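Review bot: the check `if (ctl->def->sec->data.tdx.qgs_unix_path)` only tests for NULL, so an empty string would be passed to `vah_add_file(&buf, qgsd_sock_file, "rw")` instead of falling back to the default; if the XML parser can produce `path=''` (or this is rejected earlier at parse time), say so in a comment, otherwise test for a non-empty string before overriding the default.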
With regards, Daniel -- |: https://berrange.com ~~ https://hachyderm.io/@berrange :| |: https://libvirt.org ~~ https://entangle-photo.org :| |: https://pixelfed.art/berrange ~~ https://fstop138.berrange.com :|
For quote generation and remote attestation, Intel TDX VM communicates with the QGSD (Quote Generation Service) on the host via unix socket. The unix socket can be specified via: <launchSecurity type='tdx'> ... <quoteGenerationService path='/var/run/tdx-qgs/qgs.socket'/> </launchSecurity> in case the path field is omitted, a default path is used. This commit generates the needed rule in the dynamic AA profile for the VM. Signed-off-by: Hector Cao <hector.cao@canonical.com> --- src/security/virt-aa-helper.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index e932e79dab..32f369db11 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -1397,6 +1397,19 @@ get_files(vahControl * ctl) break; case VIR_DOMAIN_LAUNCH_SECURITY_PV: case VIR_DOMAIN_LAUNCH_SECURITY_TDX: + /* To communicate with the QGSD daemon running on the host, if we use the unix socket, + * allow the VM to access to the unix socket. + */ + if (ctl->def->sec->data.tdx.haveQGS) { + const char *qgsd_sock_file = QGS_UNIX_SOCKET_FILE; + if (ctl->def->sec->data.tdx.qgs_unix_path) { + qgsd_sock_file = ctl->def->sec->data.tdx.qgs_unix_path; + } + if (vah_add_file(&buf, qgsd_sock_file, "rw") != 0) { + return -1; + } + } + break; case VIR_DOMAIN_LAUNCH_SECURITY_NONE: case VIR_DOMAIN_LAUNCH_SECURITY_LAST: break; -- 2.43.0
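Review bot: this resend carries a new blob index (`53059ad5fa` became `32f369db11`) but keeps the same subject and commit message, so there is no indication of what changed since the first posting; mark the subject as a v2 and add a short changelog below the `---` line (for example, "v2: fix indentation in the TDX case") so reviewers can tell the indentation fix requested earlier in the thread is the only difference.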
participants (3): Daniel P. Berrangé, Hector CAO, Hector Cao