On Mon, Feb 19, 2024 at 01:50:12PM +0100, Markus Armbruster wrote:
> Xiaoyao Li <xiaoyao.li@xxxxxxxxx> writes:
>
> > From: Isaku Yamahata <isaku.yamahata@xxxxxxxxx>
> >
> > Add property "quote-generation-socket" to tdx-guest, which is a property
> > of type SocketAddress to specify Quote Generation Service(QGS).
> >
> > On request of GetQuote, it connects to the QGS socket, read request
> > data from shared guest memory, send the request data to the QGS,
> > and store the response into shared guest memory, at last notify
> > TD guest by interrupt.
> >
> > command line example:
> > qemu-system-x86_64 \
> > -object '{"qom-type":"tdx-guest","id":"tdx0","quote-generation-socket":{"type": "vsock", "cid":"1","port":"1234"}}' \
> > -machine confidential-guest-support=tdx0
> >
> > Note, above example uses vsock type socket because the QGS we used
> > implements the vsock socket. It can be other types, like UNIX socket,
> > which depends on the implementation of QGS.
> >
> > To avoid no response from QGS server, setup a timer for the transaction.
> > If timeout, make it an error and interrupt guest. Define the threshold of
> > time to 30s at present, maybe change to other value if not appropriate.
> >
> > Signed-off-by: Isaku Yamahata <isaku.yamahata@xxxxxxxxx>
> > Codeveloped-by: Chenyi Qiang <chenyi.qiang@xxxxxxxxx>
> > Signed-off-by: Chenyi Qiang <chenyi.qiang@xxxxxxxxx>
> > Codeveloped-by: Xiaoyao Li <xiaoyao.li@xxxxxxxxx>
> > Signed-off-by: Xiaoyao Li <xiaoyao.li@xxxxxxxxx>
> > ---
> > Changes in v4:
> > - merge next patch "i386/tdx: setup a timer for the qio channel";
> >
> > Changes in v3:
> > - rename property "quote-generation-service" to "quote-generation-socket";
> > - change the type of "quote-generation-socket" from str to
> > SocketAddress;
> > - squash next patch into this one;
> > ---
> > qapi/qom.json | 6 +-
> > target/i386/kvm/meson.build | 2 +-
> > target/i386/kvm/tdx-quote-generator.c | 170 ++++++++++++++++++++
> > target/i386/kvm/tdx-quote-generator.h | 95 +++++++++++
> > target/i386/kvm/tdx.c | 216 ++++++++++++++++++++++++++
> > target/i386/kvm/tdx.h | 6 +
> > 6 files changed, 493 insertions(+), 2 deletions(-)
> > create mode 100644 target/i386/kvm/tdx-quote-generator.c
> > create mode 100644 target/i386/kvm/tdx-quote-generator.h
> >
> > diff --git a/qapi/qom.json b/qapi/qom.json
> > index 15445f9e41fc..c60fb5710961 100644
> > --- a/qapi/qom.json
> > +++ b/qapi/qom.json
> > @@ -914,13 +914,17 @@
> > # e.g., specific to the workload rather than the run-time or OS.
> > # base64 encoded SHA384 digest.
> > #
> > +# @quote-generation-socket: socket address for Quote Generation
> > +# Service(QGS)
>
> Space between "Service" and "(QGS)", please.
>
> The description feels too terse. What is the "Quote Generation
> Service", and why should I care?
The "Quote Generation Service" is a daemon running on the host.
The reference implementation is at
https://github.com/intel/SGXDataCenterAttestationPrimitives/tree/master/QuoteGeneration/quote_wrapper/qgs
If you don't provide this, then quests won't bet able to generate
quotes needed for attestation. So although this is technically
optional, in practice for a sane deployment, an admin should always
provide this
>
> > +#
> > # Since: 9.0
> > ##
> > { 'struct': 'TdxGuestProperties',
> > 'data': { '*sept-ve-disable': 'bool',
> > '*mrconfigid': 'str',
> > '*mrowner': 'str',
> > - '*mrownerconfig': 'str' } }
> > + '*mrownerconfig': 'str',
> > + '*quote-generation-socket': 'SocketAddress' } }
> >
> > ##
> > # @ThreadContextProperties:
>
> [...]
>
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
