runtime-rs: Prepare Tdx protection device in start sandbox

During the prepare for `start sandbox` phase, this commit ensures the correct `ProtectionDeviceConfig` is prepared based on the `GuestProtection` type in a TEE platform. Specifically, for the TDX platform, this commit sets the essential parameters within the ProtectionDeviceConfig, including the TDX ID, firmware path, and the default QGS port (4050). This information is then passed to the underlying VMM for further processing using the existing ResourceManager and DeviceManager infrastructure. Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
2025-09-17 14:58:16 +00:00 · 2025-04-23 17:09:45 +08:00
parent bab77e2d65
commit 49ced4d43c
2 changed files with 11 additions and 2 deletions
--- a/src/runtime-rs/crates/hypervisor/src/device/driver/mod.rs
+++ b/src/runtime-rs/crates/hypervisor/src/device/driver/mod.rs
@@ -16,7 +16,7 @@ mod virtio_net;
 mod virtio_vsock;

 pub use port_device::{PCIePortDevice, PortDeviceConfig};
-pub use protection_device::{ProtectionDevice, ProtectionDeviceConfig, SevSnpConfig};
+pub use protection_device::{ProtectionDevice, ProtectionDeviceConfig, SevSnpConfig, TdxConfig};
 pub use vfio::{
    bind_device_to_host, bind_device_to_vfio, get_vfio_device, HostDevice, VfioBusMode, VfioConfig,
    VfioDevice,
--- a/src/runtime-rs/crates/runtimes/virt_container/src/sandbox.rs
+++ b/src/runtime-rs/crates/runtimes/virt_container/src/sandbox.rs
@@ -30,7 +30,7 @@ use hypervisor::{dragonball::Dragonball, HYPERVISOR_DRAGONBALL};
 use hypervisor::{qemu::Qemu, HYPERVISOR_QEMU};
 use hypervisor::{utils::get_hvsock_path, HybridVsockConfig, DEFAULT_GUEST_VSOCK_CID};
 use hypervisor::{BlockConfig, Hypervisor};
-use hypervisor::{ProtectionDeviceConfig, SevSnpConfig};
+use hypervisor::{ProtectionDeviceConfig, SevSnpConfig, TdxConfig};
 use kata_sys_util::hooks::HookStates;
 use kata_sys_util::protection::{available_guest_protection, GuestProtection};
 use kata_types::capabilities::CapabilityBits;
@@ -398,6 +398,15 @@ impl VirtSandbox {
            GuestProtection::Se => {
                Ok(Some(ProtectionDeviceConfig::Se))
            }
+            GuestProtection::Tdx(_details) => {
+                Ok(Some(ProtectionDeviceConfig::Tdx(TdxConfig {
+                    id: "tdx".to_owned(),
+                    firmware: hypervisor_config.boot_info.firmware.clone(),
+                    qgs_port: 4050,
+                    mrconfigid: None,
+                    debug: false,
+                })))
+            },
            _ => Err(anyhow!("confidential_guest requested by configuration but no supported protection available"))
        }
    }