On 3/13/2024 11:31 PM, Daniel P. Berrangé wrote:
> On Tue, Mar 12, 2024 at 03:44:32PM +0800, Xiaoyao Li wrote:
>> On 3/11/2024 5:27 PM, Daniel P. Berrangé wrote:
>>> On Thu, Feb 29, 2024 at 01:37:10AM -0500, Xiaoyao Li wrote:
>>>> From: Isaku Yamahata <isaku.yamahata@xxxxxxxxx>
>>>>
>>>> Add property "quote-generation-socket" to tdx-guest, which is a property
>>>> of type SocketAddress to specify the Quote Generation Service (QGS).
>>>>
>>>> On a GetQuote request, it connects to the QGS socket, reads the request
>>>> data from shared guest memory, sends the request data to the QGS,
>>>> stores the response into shared guest memory, and finally notifies the
>>>> TD guest by interrupt.
>>>>
>>>> Command line example:
>>>>
>>>> qemu-system-x86_64 \
>>>> -object '{"qom-type":"tdx-guest","id":"tdx0","quote-generation-socket":{"type": "vsock", "cid":"1","port":"1234"}}' \
>>>
>>> Can you illustrate this with 'unix' sockets, not 'vsock'?
>>
>> Are you suggesting only updating the commit message to an example with a unix
>> socket? Or do you want the code tested with some unix socket QGS?
>>
>> (It seems the QGS I got for testing only supports vsock sockets, because at
>> the time it was developed, it was supposed to communicate with drivers
>> inside the TD guest directly, not via the VMM (KVM+QEMU). Anyway, I will talk to
>> internal folks to see if there is any plan to support unix sockets.)
>
> The QGS provided as part of DCAP supports running with both
> UNIX sockets and VSOCK, and I would expect QEMU to be made
> to work with this, since it is Intel's OSS reference impl.
After syncing with internal folks, yes, the QGS I used does support unix
sockets. I tested it and it worked.

-object '{"qom-type":"tdx-guest","id":"tdx","quote-generation-socket":{"type":"unix","path":"/var/run/tdx-qgs/qgs.socket"}}'
> Exposing QGS to the guest when we only intend for it to be
> used by the host QEMU is needlessly expanding the attack
> surface.
>
> With regards,
> Daniel
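As an added illustration (not code from this patch series, QEMU or Intel's QGS), a Python mock of the host-side GetQuote flow the commit message describes, driven by the unix-socket form of the quote-generation-socket JSON quoted above: QEMU connects to the QGS socket, sends the request data and returns the response to be stored back for the TD. The QGS wire format and the shared-memory/interrupt steps are out of scope; the mock QGS, its reply and the "report" request are constructed, and a temporary path stands in for /var/run/tdx-qgs/qgs.socket.

```python
import json, os, socket, tempfile, threading

# Constructed sample mirroring the unix-socket -object JSON quoted in the thread;
# PLACEHOLDER is swapped for a temporary path at run time.
OBJECT_JSON = ('{"qom-type":"tdx-guest","id":"tdx","quote-generation-socket":'
               '{"type":"unix","path":"PLACEHOLDER"}}')

def connect_qgs(addr: dict) -> socket.socket:
    """Open a client socket to the QGS named by a QEMU SocketAddress dict."""
    if addr["type"] == "unix":
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        s.connect(addr["path"])
    elif addr["type"] == "vsock":
        # QEMU's vsock SocketAddress carries cid/port as strings; AF_VSOCK wants ints
        s = socket.socket(socket.AF_VSOCK, socket.SOCK_STREAM)
        s.connect((int(addr["cid"]), int(addr["port"])))
    else:
        raise ValueError(f"unsupported QGS socket type {addr['type']!r}")
    return s

def forward_quote_request(addr: dict, request: bytes) -> bytes:
    """Host-side GetQuote step: send the request data read from shared guest
    memory to QGS and return the response to be stored back for the TD."""
    with connect_qgs(addr) as s:
        s.sendall(request)
        s.shutdown(socket.SHUT_WR)  # end of request; now wait for the reply
        return b"".join(iter(lambda: s.recv(4096), b""))

def mock_qgs(path: str, ready: threading.Event) -> None:
    """Constructed stand-in for QGS on a unix socket; answers one request."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        srv.bind(path)
        srv.listen(1)
        ready.set()
        conn, _ = srv.accept()
        with conn:
            req = b"".join(iter(lambda: conn.recv(4096), b""))
            conn.sendall(b"QUOTE:" + req)

def demo() -> bytes:
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "qgs.socket")
        cfg = json.loads(OBJECT_JSON.replace("PLACEHOLDER", path))
        ready = threading.Event()
        t = threading.Thread(target=mock_qgs, args=(path, ready), daemon=True)
        t.start()
        ready.wait(5)
        resp = forward_quote_request(cfg["quote-generation-socket"], b"report")
        t.join(5)
        return resp
```

Because the unix socket lives in the host filesystem, only processes that can open that path (the host QEMU) reach the QGS, which is the point Daniel makes about not exposing it to the guest.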