src/security/virt-aa-helper.c | 13 +++++++++++++ 1 file changed, 13 insertions(+)
For quote generation and remote attestation, Intel TDX VM
communicates with the QGSD (Quote Generation Service)
on the host via unix socket.
The unix socket can be specified via:
<launchSecurity type='tdx'>
...
<quoteGenerationService path='/var/run/tdx-qgs/qgs.socket'/>
</launchSecurity>
If the path field is omitted, a default path is used.
This commit generates the needed rule in the dynamic AA profile
for the VM.
Signed-off-by: Hector Cao <hector.cao@canonical.com>
---
src/security/virt-aa-helper.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index e932e79dab..53059ad5fa 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -1397,6 +1397,19 @@ get_files(vahControl * ctl)
break;
case VIR_DOMAIN_LAUNCH_SECURITY_PV:
case VIR_DOMAIN_LAUNCH_SECURITY_TDX:
+ /* To communicate with the QGSD daemon running on the host, if we use the unix socket,
+ * allow the VM to access to the unix socket.
+ */
+ if (ctl->def->sec->data.tdx.haveQGS) {
+ const char *qgsd_sock_file = QGS_UNIX_SOCKET_FILE;
+ if (ctl->def->sec->data.tdx.qgs_unix_path) {
+ qgsd_sock_file = ctl->def->sec->data.tdx.qgs_unix_path;
+ }
+ if (vah_add_file(&buf, qgsd_sock_file, "rw") != 0) {
+ return -1;
+ }
+ }
+ break;
case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
break;
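Review bot: The new block sits under both the `VIR_DOMAIN_LAUNCH_SECURITY_PV` and `VIR_DOMAIN_LAUNCH_SECURITY_TDX` labels, so for a PV domain the condition `if (ctl->def->sec->data.tdx.haveQGS)` reads TDX fields of a domain that is not TDX; if `data` is a union of per-type members, as it appears to be for the other launch-security types, that is a read of an inactive member, and a PV domain could in principle be granted a socket rule it never needs. Keep PV on its own path, for example by moving `case VIR_DOMAIN_LAUNCH_SECURITY_PV:` down beside `case VIR_DOMAIN_LAUNCH_SECURITY_NONE:`, or by giving it its own `break;` before the TDX label. Since `qgs_unix_path` comes from the domain XML, the `"rw"` rule emitted by `vah_add_file(&buf, qgsd_sock_file, "rw")` is only as tight as that helper's path validation, which is not visible in the hunk, so it is worth confirming it rejects paths outside the expected socket location before this is merged. The same applies to the identical hunk in the resent patch at the end of the thread. `get_files()` begins and ends outside this hunk.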
--
2.43.0
On Tue, Mar 17, 2026 at 05:11:26PM +0100, Hector Cao via Devel wrote:
> For quote generation and remote attestation, Intel TDX VM
> communicates with the QGSD (Quote Generation Service)
> on the host via unix socket.
>
> The unix socket can be specified via:
>
> <launchSecurity type='tdx'>
> ...
> <quoteGenerationService path='/var/run/tdx-qgs/qgs.socket'/>
> </launchSecurity>
> in case the path field is omitted, a default path is used.
>
> This commit generates the needed rule in the dynamic AA profile
> for the VM.
>
> Signed-off-by: Hector Cao <hector.cao@canonical.com>
> ---
> src/security/virt-aa-helper.c | 13 +++++++++++++
> 1 file changed, 13 insertions(+)
>
> diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
> index e932e79dab..53059ad5fa 100644
> --- a/src/security/virt-aa-helper.c
> +++ b/src/security/virt-aa-helper.c
> @@ -1397,6 +1397,19 @@ get_files(vahControl * ctl)
> break;
> case VIR_DOMAIN_LAUNCH_SECURITY_PV:
> case VIR_DOMAIN_LAUNCH_SECURITY_TDX:
> + /* To communicate with the QGSD daemon running on the host, if we use the unix socket,
> + * allow the VM to access to the unix socket.
> + */
> + if (ctl->def->sec->data.tdx.haveQGS) {
> + const char *qgsd_sock_file = QGS_UNIX_SOCKET_FILE;
> + if (ctl->def->sec->data.tdx.qgs_unix_path) {
> + qgsd_sock_file = ctl->def->sec->data.tdx.qgs_unix_path;
> + }
> + if (vah_add_file(&buf, qgsd_sock_file, "rw") != 0) {
> + return -1;
> + }
> + }
> + break;
Code change looks fine, but the indentation has got mixed
up.
> case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
> case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
> break;
> --
> 2.43.0
>
With regards,
Daniel
--
|: https://berrange.com ~~ https://hachyderm.io/@berrange :|
|: https://libvirt.org ~~ https://entangle-photo.org :|
|: https://pixelfed.art/berrange ~~ https://fstop138.berrange.com :|
For quote generation and remote attestation, Intel TDX VM
communicates with the QGSD (Quote Generation Service)
on the host via unix socket.
The unix socket can be specified via:
<launchSecurity type='tdx'>
...
<quoteGenerationService path='/var/run/tdx-qgs/qgs.socket'/>
</launchSecurity>
If the path field is omitted, a default path is used.
This commit generates the needed rule in the dynamic AA profile
for the VM.
Signed-off-by: Hector Cao <hector.cao@canonical.com>
---
src/security/virt-aa-helper.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index e932e79dab..32f369db11 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -1397,6 +1397,19 @@ get_files(vahControl * ctl)
break;
case VIR_DOMAIN_LAUNCH_SECURITY_PV:
case VIR_DOMAIN_LAUNCH_SECURITY_TDX:
+ /* To communicate with the QGSD daemon running on the host, if we use the unix socket,
+ * allow the VM to access to the unix socket.
+ */
+ if (ctl->def->sec->data.tdx.haveQGS) {
+ const char *qgsd_sock_file = QGS_UNIX_SOCKET_FILE;
+ if (ctl->def->sec->data.tdx.qgs_unix_path) {
+ qgsd_sock_file = ctl->def->sec->data.tdx.qgs_unix_path;
+ }
+ if (vah_add_file(&buf, qgsd_sock_file, "rw") != 0) {
+ return -1;
+ }
+ }
+ break;
case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
break;
--
2.43.0