kata-types: Introduce QGS port for TD attestation in Hypervisor config

Currently, the TDX Quote Generation Service (QGS) connection in QEMU is hardcoded to vsock port 4050, which limits flexibility for TD attestation. While the users will be able to modify the QGS port. To address this inflexibility, this commit introduces a new qgs_port field within security info and make it default with 4050. Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
2025-09-16 06:18:58 +00:00 · 2025-05-27 13:56:08 +08:00
parent 49ced4d43c
commit f8d1ee8b1c
2 changed files with 12 additions and 1 deletions
--- a/src/libs/kata-types/src/config/hypervisor/mod.rs
+++ b/src/libs/kata-types/src/config/hypervisor/mod.rs
@@ -890,6 +890,17 @@ pub struct SecurityInfo {
    /// e.g. "path" for io.katacontainers.config.hypervisor.path"
    #[serde(default)]
    pub enable_annotations: Vec<String>,
+
+    /// qgs_port defines Intel Quote Generation Service port exposed from the host
+    #[serde(
+        default = "default_qgs_port",
+        rename = "tdx_quote_generation_service_socket_port"
+    )]
+    pub qgs_port: u32,
+}
+
+fn default_qgs_port() -> u32 {
+    4050
 }

 impl SecurityInfo {
--- a/src/runtime-rs/crates/runtimes/virt_container/src/sandbox.rs
+++ b/src/runtime-rs/crates/runtimes/virt_container/src/sandbox.rs
@@ -402,7 +402,7 @@ impl VirtSandbox {
                Ok(Some(ProtectionDeviceConfig::Tdx(TdxConfig {
                    id: "tdx".to_owned(),
                    firmware: hypervisor_config.boot_info.firmware.clone(),
-                    qgs_port: 4050,
+                    qgs_port: hypervisor_config.security_info.qgs_port,
                    mrconfigid: None,
                    debug: false,
                })))