From f8d1ee8b1c9c575765f9c7bb12ad3c0b07f3104b Mon Sep 17 00:00:00 2001
From: "alex.lyn"
Date: Tue, 27 May 2025 13:56:08 +0800
Subject: [PATCH] kata-types: Introduce QGS port for TD attestation in Hypervisor config

Currently, the TDX Quote Generation Service (QGS) connection in QEMU is hardcoded to vsock port 4050, which limits flexibility for TD attestation. While the users will be able to modify the QGS port. To address this inflexibility, this commit introduces a new qgs_port field within security info and make it default with 4050.

Signed-off-by: alex.lyn
---
 src/libs/kata-types/src/config/hypervisor/mod.rs | 11 +++++++++++
 .../crates/runtimes/virt_container/src/sandbox.rs | 2 +-
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/src/libs/kata-types/src/config/hypervisor/mod.rs b/src/libs/kata-types/src/config/hypervisor/mod.rs
index b5b0a26251..7c18d69143 100644
--- a/src/libs/kata-types/src/config/hypervisor/mod.rs
+++ b/src/libs/kata-types/src/config/hypervisor/mod.rs
@@ -890,6 +890,17 @@ pub struct SecurityInfo {
 /// e.g. "path" for io.katacontainers.config.hypervisor.path"
 #[serde(default)]
 pub enable_annotations: Vec,
+
+ /// qgs_port defines Intel Quote Generation Service port exposed from the host
+ #[serde(
+ default = "default_qgs_port",
+ rename = "tdx_quote_generation_service_socket_port"
+ )]
+ pub qgs_port: u32,
+}
+
+fn default_qgs_port() -> u32 {
+ 4050
 }

 impl SecurityInfo {
diff --git a/src/runtime-rs/crates/runtimes/virt_container/src/sandbox.rs b/src/runtime-rs/crates/runtimes/virt_container/src/sandbox.rs
index 09a6766aee..2e5936d850 100644
--- a/src/runtime-rs/crates/runtimes/virt_container/src/sandbox.rs
+++ b/src/runtime-rs/crates/runtimes/virt_container/src/sandbox.rs
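Review bot: The new `qgs_port` field is deserialized with no range check, so a `tdx_quote_generation_service_socket_port` value that presumably cannot name a real QGS listener (0, for instance) is accepted here and only surfaces later as a failed quote request inside the TD; sandbox.rs hands the value straight to `TdxConfig` without looking at it either. If the `impl SecurityInfo` block that starts at the end of this hunk (its body is outside the hunk) carries a `validate` method like the other hypervisor sections, that is the place for `if self.qgs_port == 0 { return Err(/* same error construction as the neighbouring checks */); }`. Because the serde rename makes the TOML key differ from the field name, the doc comment should state both the key and the default, e.g. `/// qgs_port is the host vsock port of the Intel TDX Quote Generation Service (QGS); TOML key tdx_quote_generation_service_socket_port, default 4050.`. Hoisting the literal into `const DEFAULT_QGS_PORT: u32 = 4050;` returned by `default_qgs_port` would give the sandbox code and the documentation one value to reference instead of a repeated magic number.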
@@ -402,7 +402,7 @@ impl VirtSandbox {
 Ok(Some(ProtectionDeviceConfig::Tdx(TdxConfig {
 id: "tdx".to_owned(),
 firmware: hypervisor_config.boot_info.firmware.clone(),
- qgs_port: 4050,
+ qgs_port: hypervisor_config.security_info.qgs_port,
 mrconfigid: None,
 debug: false,
 })))