Re: [PATCH v5 49/65] i386/tdx: handle TDG.VP.VMCALL<GetQuote>
From: Daniel P. Berrangé
Subject: Re: [PATCH v5 49/65] i386/tdx: handle TDG.VP.VMCALL<GetQuote>
Date: Wed, 13 Mar 2024 15:31:36 +0000
User-agent: Mutt/2.2.12 (2023-09-09)
On Tue, Mar 12, 2024 at 03:44:32PM +0800, Xiaoyao Li wrote:
> On 3/11/2024 5:27 PM, Daniel P. Berrangé wrote:
> > On Thu, Feb 29, 2024 at 01:37:10AM -0500, Xiaoyao Li wrote:
> > > From: Isaku Yamahata <isaku.yamahata@intel.com>
> > >
> > > Add property "quote-generation-socket" to tdx-guest, which is a property
> > > of type SocketAddress to specify the Quote Generation Service (QGS).
> > >
> > > On a GetQuote request, it connects to the QGS socket, reads the request
> > > data from shared guest memory, sends the request data to the QGS,
> > > stores the response into shared guest memory, and finally notifies the
> > > TD guest by interrupt.
> > >
> > > command line example:
> > > qemu-system-x86_64 \
> > > -object
> > > '{"qom-type":"tdx-guest","id":"tdx0","quote-generation-socket":{"type":
> > > "vsock", "cid":"1","port":"1234"}}' \
> >
> > Can you illustrate this with 'unix' sockets, not 'vsock'.
>
> Are you suggesting only updating the commit message to an example of unix
> socket? Or you want the code to test with some unix socket QGS?
>
> (It seems the QGS I got for testing only supports vsock sockets, because at
> the time it was developed, it was supposed to communicate with drivers
> inside the TD guest directly, not via the VMM (KVM+QEMU). Anyway, I will talk to
> internal folks to see if there is any plan to support unix sockets.)
The QGS provided as part of DCAP supports running with both
UNIX sockets and VSOCK, and I would expect QEMU to be made
to work with this, since it is Intel's OSS reference impl.
Exposing QGS to the guest when we only intend for it to be
used by the host QEMU is needlessly expanding the attack
surface.
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
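An added example, not code from the QEMU patch or from Intel's QGS, of the host-side relay the quoted commit message describes, using the 'unix' SocketAddress type Daniel asks for: a mock QGS listening on a permission-restricted AF_UNIX socket, and the relay step that connects, sends the guest's request and returns the response to be copied back into shared memory. The request/response bytes and the end-of-request signalling via shutdown are assumptions, since the page does not describe the QGS wire format.

```python
import os
import socket
import tempfile
import threading

# Constructed placeholders for the guest's GetQuote request and the QGS answer; not real TDX data.
SAMPLE_REQUEST = b"GETQUOTE:report-data-placeholder"
SAMPLE_RESPONSE = b"QUOTE:quote-bytes-placeholder"


def mock_qgs(sock_path: str, ready: threading.Event) -> None:
    """Stand-in for a QGS listening on a host-only AF_UNIX socket (assumed protocol)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        srv.bind(sock_path)
        os.chmod(sock_path, 0o600)  # only the socket owner (the QEMU user) may connect
        srv.listen(1)
        ready.set()
        conn, _ = srv.accept()
        with conn:
            request = b""
            while chunk := conn.recv(4096):  # the relay shuts its write side when done
                request += chunk
            conn.sendall(SAMPLE_RESPONSE if request == SAMPLE_REQUEST else b"")
    os.unlink(sock_path)


def relay_get_quote(socket_address: dict, request: bytes) -> bytes:
    """Host-side step from the commit message: connect to the QGS, send the
    guest's request, return the response to be copied into shared memory."""
    if socket_address.get("type") != "unix":  # vsock deliberately not handled here
        raise ValueError("this example only relays over a 'unix' SocketAddress")
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(socket_address["path"])
        s.sendall(request)
        s.shutdown(socket.SHUT_WR)  # end of request without inventing a framing header
        response = b""
        while chunk := s.recv(4096):
            response += chunk
    return response


def demo() -> bytes:
    """Start the mock QGS and relay one GetQuote request through it."""
    sock_path = os.path.join(tempfile.mkdtemp(), "qgs.sock")
    ready = threading.Event()
    worker = threading.Thread(target=mock_qgs, args=(sock_path, ready), daemon=True)
    worker.start()
    ready.wait(5)
    addr = {"type": "unix", "path": sock_path}  # the SocketAddress shape Daniel asks for
    response = relay_get_quote(addr, SAMPLE_REQUEST)
    worker.join(5)
    return response
```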