[PATCH v3 08/21] conf: Validate TDX launchSecurity element mrConfigId/mrOwner/mrOwnerConfig

Zhenzhong Duan posted 21 patches 5 months, 2 weeks ago
There is a newer version of this series
[PATCH v3 08/21] conf: Validate TDX launchSecurity element mrConfigId/mrOwner/mrOwnerConfig
Posted by Zhenzhong Duan 5 months, 2 weeks ago
mrConfigId/mrOwner/mrOwnerConfig are base64-encoded SHA384 digests
that can be provided for TDX attestation.

Check their decoded lengths to ensure they are 48 bytes.

Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
---
 src/conf/domain_validate.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/conf/domain_validate.c b/src/conf/domain_validate.c
index 7d68ea2478..14c00f3d1b 100644
--- a/src/conf/domain_validate.c
+++ b/src/conf/domain_validate.c
@@ -1915,10 +1915,13 @@ virDomainDefValidateIOThreads(const virDomainDef *def)
     } \
 }
 
+#define SHA384_DIGEST_SIZE  48
+
 static int
 virDomainDefLaunchSecurityValidate(const virDomainDef *def)
 {
     virDomainSEVSNPDef *sev_snp;
+    virDomainTDXDef *tdx;
 
     if (!def->sec)
         return 0;
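Review bot: The new SHA384_DIGEST_SIZE define, added between the end of the preceding macro and virDomainDefLaunchSecurityValidate(), has a generic, unprefixed name that could collide with a definition from any crypto header this file includes later. Consider a VIR_-prefixed name, in line with the VIR_DOMAIN_LAUNCH_SECURITY_* identifiers used in this function, and a one-line comment saying it is the decoded length expected for the TDX mrConfigId/mrOwner/mrOwnerConfig values.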
@@ -1933,10 +1936,17 @@ virDomainDefLaunchSecurityValidate(const virDomainDef *def)
         CHECK_BASE64_LEN(sev_snp->host_data, "hostData", 32);
         break;
 
+    case VIR_DOMAIN_LAUNCH_SECURITY_TDX:
+        tdx = &def->sec->data.tdx;
+
+        CHECK_BASE64_LEN(tdx->mrconfigid, "mrConfigId", SHA384_DIGEST_SIZE);
+        CHECK_BASE64_LEN(tdx->mrowner, "mrOwner", SHA384_DIGEST_SIZE);
+        CHECK_BASE64_LEN(tdx->mrownerconfig, "mrOwnerConfig", SHA384_DIGEST_SIZE);
+        break;
+
     case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
     case VIR_DOMAIN_LAUNCH_SECURITY_SEV:
     case VIR_DOMAIN_LAUNCH_SECURITY_PV:
-    case VIR_DOMAIN_LAUNCH_SECURITY_TDX:
     case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
         break;
     }
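Review bot: In the new VIR_DOMAIN_LAUNCH_SECURITY_TDX case, the three CHECK_BASE64_LEN calls run unconditionally, while the commit message says these values "can be provided", which reads as optional. The macro body is outside the visible context, so please confirm it skips a field that is unset rather than rejecting or dereferencing it. Separately, the hostData check just above still passes a literal 32 while the TDX checks use a named constant; naming that length as well would keep the two cases consistent.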
-- 
2.34.1
Re: [PATCH v3 08/21] conf: Validate TDX launchSecurity element mrConfigId/mrOwner/mrOwnerConfig
Posted by Daniel P. Berrangé via Devel 5 months, 1 week ago
On Mon, Jun 30, 2025 at 02:17:19PM +0800, Zhenzhong Duan wrote:
> mrConfigId/mrOwner/mrOwnerConfig are base64-encoded SHA384 digests
> that can be provided for TDX attestation.
> 
> Check their decoded lengths to ensure they are 48 bytes.
> 
> Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
> ---
>  src/conf/domain_validate.c | 12 +++++++++++-
>  1 file changed, 11 insertions(+), 1 deletion(-)

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>


With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|