diff --git a/virtrust/.keep b/virtrust/.keep
new file mode 100644
index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
diff --git a/virtrust/CMakeLists.txt b/virtrust/CMakeLists.txt
new file mode 100644
index 0000000000000000000000000000000000000000..6716957404adec8300978acd1db74a2887357eba
--- /dev/null
+++ b/virtrust/CMakeLists.txt
@@ -0,0 +1,169 @@
+cmake_minimum_required(VERSION 3.14.1)
+project(virtrust CXX C)
+
+option(BUILD_TEST "Enable/Disable tests" On)
+option(ENABLE_DOWNLOAD_DEPS "Download Dependencies Automatically" Off)
+option(USE_MOCK_TSB_AGENT "Use Mocked Tsb Agent (DO NOT USE IN PRODUCTION)" Off)
+
+set(USER_DEPS_DIR
+        "${PROJECT_SOURCE_DIR}/external"
+        CACHE
+        STRING
+        "Pre-Build Dependency Directory, default to ${PROJECT_SOURCE_DIR}/external"
+)
+
+if (NOT BUILD_TEST AND CMAKE_BUILD_TYPE STREQUAL "Asan")
+    message(WARNING "CMAKE_BUILD_TYPE is Asan but BUILD_TEST has been set to Off, turn on BUILD_TEST automatically.")
+    set(BUILD_TEST On)
+endif ()
+
+if (NOT BUILD_TEST AND CMAKE_BUILD_TYPE STREQUAL "Coverage")
+    message(WARNING "CMAKE_BUILD_TYPE is Coverage but BUILD_TEST has been set to Off, turn on BUILD_TEST automatically.")
+    set(BUILD_TEST On)
+endif ()
+
+if (NOT BUILD_TEST AND CMAKE_BUILD_TYPE STREQUAL "Fuzz")
+    message(WARNING "CMAKE_BUILD_TYPE is Fuzz but BUILD_TEST has been set to Off, turn on BUILD_TEST automatically.")
+    set(BUILD_TEST On)
+endif ()
+
+if (NOT CMAKE_BUILD_TYPE AND NOT CMAKE_CONFIGURATION_TYPES)
+    set(CMAKE_BUILD_TYPE
+            "Release"
+            CACHE
+            STRING
+            "Choose the type of build, e.g. Debug, Release, Coverage, Asan, Fuzz"
+            FORCE)
+    message(WARNING "CMAKE_BUILD_TYPE not specified, defaulting to '${CMAKE_BUILD_TYPE}'")
+endif ()
+
+if (USE_MOCK_TSB_AGENT)
+    add_compile_definitions(USE_MOCK_TSB_AGENT)
+    if (CMAKE_BUILD_TYPE STREQUAL "Release")
+        message(WARNING "USE_MOCK_TSB_AGENT has been set to On while building with Relase, please make sure this is intentional.")
+    endif ()
+endif ()
+
+if (CMAKE_INSTALL_PREFIX_INITIALIZED_TO_DEFAULT)
+    set_property(CACHE CMAKE_INSTALL_PREFIX PROPERTY VALUE ${PROJECT_BINARY_DIR})
+    message("CMAKE_INSTALL_PREFIX not specified, defaulting to '${PROJECT_BINARY_DIR}'")
+endif ()
+
+cmake_policy(GET CMP0097 NEW)
+
+set(CMAKE_MODULE_PATH "${PROJECT_SOURCE_DIR}/cmake/")
+set(CMAKE_EXPORT_COMPILE_COMMANDS On)
+
+include(GNUInstallDirs)
+
+set(DEPENDENCY_INSTALL_PREFIX_NAME deps)
+set(CMAKE_DEPENDENCY_INSTALL_PREFIX ${CMAKE_BINARY_DIR}/${DEPENDENCY_INSTALL_PREFIX_NAME})
+set(CMAKE_DEPENDENCY_INCLUDEDIR ${CMAKE_DEPENDENCY_INSTALL_PREFIX}/${CMAKE_INSTALL_INCLUDER})
+set(CMAKE_DEPENDENCY_LIBDIR ${CMAKE_DEPENDENCY_INSTALL_PREFIX}/${CMAKE_INSTALL_LIBDIR})
+if (ENABLE_DOWNLOAD_DEPS)
+    set(CMAKE_DEPENDENCY_SRCDIR ${CMAKE_DEPENDENCY_INSTALL_PREFIX}/src)
+else ()
+    set(CMAKE_DEPENDENCY_SRCDIR ${USER_DEPS_DIR})
+endif ()
+
+set(CMAKE_C_STANDARD 17)
+set(CMAKE_CXX_STANDARD 17)
+
+set(CMAKE_POSITION_INDEPENDENT_CODE On)
+
+set(CMAKE_CXX_FLAGS_RELEASE "")
+set(CMAKE_CXX_FLAGS_DEBUG "")
+
+include(SetToolchainFlags)
+set_toolchain_flags()
+
+add_compile_flags("-Wno-missing-field-initializers")
+add_compile_flags("-Wno-format-overflow")
+add_compile_flags("-Wno-unused-parameter")
+add_compile_flags("-Wno-sign-compare")
+
+get_property(
+        virtrust_link_options
+        DIRECTORY
+        PROPERTY LINK_OPTIONS
+)
+
+message(STATUS "=============================================================")
+message(STATUS "User Options and Configurations")
+message(STATUS "=============================================================")
+message(STATUS "CMake Version    :${CMAKE_VERSION}")
+message(STATUS "Build Type    :${CMAKE_BUILD_TYPE}")
+message(STATUS "CPU Type    :${CMAKE_SYSTEM_PROCESSOR}")
+message(STATUS "Compiler   :${CMAKE_CXX_COMPILER_ID}")
+message(STATUS "Compiler Version  :${CMAKE_CXX_COMPILER_VERSION}")
+message(STATUS "C Standard  :${CMAKE_C_STANDARD}")
+message(STATUS "C++ Standard  :${CMAKE_CXX_STANDARD}")
+message(STATUS "Compiler Flags  :\n${CMAKE_CXX_FLAGS}")
+message(STATUS "Linker Flags  :\n${virtrust_link_options}")
+message(STATUS "Exe Linker Flags  :\n${CMAKE_EXE_LINKER_FLAGS}")
+message(STATUS "CMAKE_INSTALL_PREFIX  :${CMAKE_INSTALL_PREFIX}")
+message(STATUS "CMAKE_DEPENDENCY_SRCDIR  :${CMAKE_DEPENDENCY_SRCDIR}")
+message(STATUS "(opt) ENABLE_DOWNLOAD_DEPS  :${ENABLE_DOWNLOAD_DEPS}")
+message(STATUS "(opt) BUILD_TEST  :${BUILD_TEST}")
+message(STATUS "(opt) USE_MOCK_TSB_AGENT  :${USE_MOCK_TSB_AGENT}")
+
+include(FetchContent)
+include(ExternalProject)
+
+set(FETCHCONTENT_BASE_DIR ${CMAKE_DEPENDENCY_INSTALL_PREFIX}/src)
+
+include(ImportLib)
+include(deps/openssl)
+include(deps/huawei_secure_c)
+include(deps/spdlog)
+include(deps/tsb_agent)
+include(deps/hcom)
+include(deps/gtest)
+include(deps/rapidjson)
+
+set(CMAKE_ARCHIVE_OUTPUT_DIRECTORY ${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_LIBDIR})
+set(CMAKE_LIBRARY_OUTPUT_DIRECTORY ${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_LIBDIR})
+set(CMAKE_INCLUDE_OUTPUT_DIRECTORY ${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_INCLUDERDIR})
+set(CMAKE_RUNTIME_OUTPUT_DIRECTORY ${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_BINDIR})
+
+include(AddVirtrustTestIf)
+
+if (BUILD_TEST)
+    include(CTest)
+    enable_testing()
+    list(APPEND CMAKE_CTEST_ARGUMENTS "--output-on-failure")
+endif ()
+
+add_subdirectory(src)
+
+if (BUILD_TEST)
+    add_subdirectory(test)
+endif ()
+
+if (CMAKE_BUILD_TYPE STREQUAL "Coverage")
+    find_program(LCOV_PATH lcov)
+    find_program(GENHTML_PATH genhtml)
+    if (LCOV_PATH AND GENHTML_PATH)
+        add_custom_target(
+
+                coverage
+                COMMAND ${LCOV_PATH} --capture --directory . --exclue "build/*" --exclude "external/*" --exclude "/usr/*" --output-file coverage.info
+                --ignore-errors mismatch,inconsistent
+                COMMAND ${GENHTML_PATH} coverage.info --output-directory ${CMAKE_BINARY_DIR}/coverage_report --ignore-errors inconsistent
+                WORKING_DIRECTORY ${CMAKE_BINARY_DIR}
+                COMMENT "Generating code coverage report..."
+                VERBATIM)
+    else ()
+        add_custom_target(
+                coverage
+                COMMAND ${CMAKE_COMMAND} -E echo
+                "lcov and/or genhtml not found. Generating gcov files instead."
+                COMMAND ${CMAKE_COMMAND} -E make_directory ${CMAKE_BINARY_DIR}/gcov_report
+                COMMAND find src -name "*.gcda" -exec gcov -pb {} +
+                WORKING_DIRECTORY ${CMAKE_BINARY_DIR}
+                COMMENT "Generating gcov coverage report..."
+                VERBATIM)
+    endif ()
+endif ()
+
+
diff --git a/virtrust/src/libvirtrustd/CMakeLists.txt b/virtrust/src/libvirtrustd/CMakeLists.txt
new file mode 100644
index 0000000000000000000000000000000000000000..5475756a3da80fb012ca2f066aa92f1f6b775937
--- /dev/null
+++ b/virtrust/src/libvirtrustd/CMakeLists.txt
@@ -0,0 +1,10 @@
+# Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+
+# executable
+add_executable(libvirtrustd ${CMAKE_CURRENT_LIST_DIR}/main.cpp
+    ${CMAKE_CURRENT_LIST_DIR}/utils.cpp)
+
+target_include_directories(libvirtrustd PRIVATE ${CMAKE_DEPENDENCY_INCLUDEDIR}
+          $<BUILD_INTERFACE:${PROJECT_SOURCE_DIR}/src>)
+
+target_link_libraries(libvirtrustd PRIVATE virtrust-shared Deps::rapidjson)
\ No newline at end of file
diff --git a/virtrust/src/libvirtrustd/defines.h b/virtrust/src/libvirtrustd/defines.h
new file mode 100644
index 0000000000000000000000000000000000000000..274907bac79675378b33fa32a25a7705e5031308
--- /dev/null
+++ b/virtrust/src/libvirtrustd/defines.h
@@ -0,0 +1,23 @@
+/*
+* Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+*/ 
+
+#pragma once
+
+#include <array>
+#include <cstdint>
+#include <string_view>
+
+namespace virtrust {
+// version
+constexpr std::string_view LIBVIRTRUSTD_VERSION = "1.0.0";
+
+// default values
+constexpr std::string_view LIBVIRTRUSTD_SERVER_ADDR = "127.0.0.1";
+constexpr std::string_view LIBVIRTRUSTD_SERVER_ADDR_MASK = "127.0.0.1/8";
+constexpr std::string_view LIBVIRTRUSTD_CA_PATH = "ca-cert.pem";
+constexpr std::string_view LIBVIRTRUSTD_CERT_PATH = "server-cert.pem";
+constexpr std::string_view LIBVIRTRUSTD_SK_PATH = "server-sk.pem";
+constexpr std::string_view LIBVIRTRUSTD_SERVER_PORT = 10086;
+
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/libvirtrustd/main.cpp b/virtrust/src/libvirtrustd/main.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..265b1224870d02e082697e320f185bd713e1ca91
--- /dev/null
+++ b/virtrust/src/libvirtrustd/main.cpp
@@ -0,0 +1,126 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#include <getopt.h>
+#include <unistd.h>
+
+#include <csignal>
+#include <iostream>
+#include <thread>
+
+#include "libvirtrustd/defines.h"
+#include "libvirtrustd/utils.h"
+#include "spdlog/fmt/bundled/core.h"
+
+#include "virtrust/base/logger.h"
+#include "virtrust/link/link_server.h"
+
+namespace virtrust {
+namespace {
+volatile sig_atomic_t g_stopFlag = 0;
+
+void SignalHandler(int signum)
+{
+    VIRTRUST_LOG_INFO("Received signal: {}", signum);
+    if (signum == SIGPIPE) {
+        VIRTRUST_LOG_INFO("SIGPIPE signal received, ignored.");
+
+        return;
+    }
+    g_stopFlag = 1;
+}
+
+void PrintVersion()
+{
+    fmt::print("{} version: {}\n", progname, LIBVIRTRUST_VERSION);
+}
+
+void PrintUsage(std::string_view progname)
+{
+    fmt::print("\n"
+               "  USAGE:\n"
+               "    {} <args> [options]\n"
+               "\n"
+               "  REQUIRED ARGS:\n"
+               "    --config           path to config file\n"
+               "\n"
+               "  OPTIONS:\n"
+               "    --help             print this help\n"
+               "    --version          show version\n"
+               "\n",
+               progname);
+}
+
+int ProcessArgs(int argc, char **argv)
+{
+    int arg = -1;
+    int longindex = -1;
+    std::vector<option> opt = {
+        {"config", required_argument, nullptr, 'c'},
+        {"help", no_argument, nullptr, 'h'},
+        {"version", no_argument, nullptr, 'v'},
+        {nullptr, 0, nullptr, 0},
+    };
+
+    std::string configPath;
+    // The leading + means no re-ordering, see man page of getopt_long
+    // The ":" after "c" means it has long arguments from cli, and is parsed to optarg
+    while ((arg = getopt_long(argc, argv, "+c:hv", opt.data(), &longindex)) != -1) {
+        switch (arg) {
+            case 'c':
+                configPath = std::string(optarg);
+                break;
+            case 'v':
+                PrintVersion(argv[0]);
+                return 0; // return with success
+            case 'h':
+                PrintUsage(argv[0]);
+                return 0; // return with success
+            case '?':
+            default:
+                PrintUsage(argv[0]);
+                return 1; // return with failure
+        }
+    }
+
+    if (configPath.empty()) {
+        fmt::print("\n"
+                   "  ERROR: Missing requried config files\n");
+        PrintUsage(argv[0]);
+        return 1; // return with success
+    }
+
+    auto ret = MakeLinkConfigFromJsonFile(configPath);
+    if (ret.has_value()) {
+        auto server = virtrust::LinkServer(ret.value());
+        server.Start();
+        // REVIEW
+
+        // hold server until receives stop signal
+        while (g_stopFlag == 0) {
+            std::this_thread::sleep_for(std::chrono::seconds(1));
+        }
+    } else {
+        // make link config failed
+        return 1;
+    }
+    return 0;
+}
+} // namespace
+} // namespace virtrust
+
+int main(int argc, char **argv)
+{
+    // register signal handler
+    signal(SIGINT, virtrust::SignalHandler);
+    signal(SIGTERM, virtrust::SignalHandler);
+    signal(SIGPIPE, virtrust::SignalHandler);
+
+    // Set custom logger function for virtrust
+    virtrust::Logger::Instance()->SetCustomLogFuntion([](virtrust::LogLevel level, std::string_view msg) {
+        fmt::print("[{}] {}\n", virtrust::LogLevelToStr(level), msg);
+    });
+
+    return virtrust::ProcessArgs(argc, argv);
+}
diff --git a/virtrust/src/libvirtrustd/utils.cpp b/virtrust/src/libvirtrustd/utils.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..170b3b1094cf005ffc7be81dd4b5d5357da61d74
--- /dev/null
+++ b/virtrust/src/libvirtrustd/utils.cpp
@@ -0,0 +1,175 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#include <sys/stat.h>
+#include <unistd.h>
+
+#include <filesystem>
+#include <optional>
+
+#include "libvirtrustd/defines.h"
+#include "rapidjson/document.h"
+#include "rapidjson/istreamwrapper.h"
+#include "rapidjson/stringbuffer.h"
+#include "rapidjson/writer.h"
+
+#include "virtrust/link/link_config_builder.h"
+#include "virtrust/uils/file_io.h"
+
+namespace virtrust {
+
+namespace {
+
+constexpr uint32_t MAX_FILE_SIZE = 10 * 1024 * 1024; // 10* 1024 * 1024
+
+std::optional<std::string> CanonicalPath(const std::string &path)
+{
+    if (path.empty() || path.size() > 4096L) {
+        return std::nullopt;
+    }
+
+    /* It will callocate memory to store path*/
+    std::array<char, PATH_MAX> resolvedPath;
+    if (realpath(path.c_str(), resolvedPath.data()) == nullptr) {
+        return std::nullopt;
+    }
+    return resolvedPath.data();
+}
+
+bool IsAbsolutePath(const std::string &filePath)
+{
+    if (filePath.length() == 0) {
+        return false;
+    }
+    if (filePath[0] != '/') {
+        return false;
+    }
+    if (strstr(filePath.c_str(), "/../") != nullptr || strstr(filePath.c_str(), "/./") != nullptr) {
+        return false;
+    }
+    return true;
+}
+
+bool CheckFileAccess(const std::string &path, int mode)
+{
+    return access(path.c_str(), mode) != -1;
+}
+
+bool CheckFileStat(const std::string &filePath)
+{
+    struct stat st;
+    if (stat(filePath.c_str(), &st) != 0) {
+        return false;
+    }
+
+    if ((st.st_mode & S_IFMT) != S_IFREG || (st.st_size > MAX_FILE_SIZE)) {
+        return false;
+    }
+    return true;
+}
+
+bool CheckConfigFile(const std::string &path)
+{
+    if (!IsAbsolutePath(path)) {
+        VIRTRUST_LOG_ERROR("Got relatinve path.");
+        return false;
+    }
+    if (!CheckFileStat(path)) {
+        VIRTRUST_LOG_ERROR("Check path stat failed.");
+        return false;
+    }
+    if (!CheckFileAccess(path, F_OK | R_OK)) {
+        VIRTRUST_LOG_ERROR("File path access is not valid.");
+        return false;
+    }
+    return true;
+}
+
+std::optional<rapidjson::Document> ReadJsonFile(const std::string &path)
+{
+    // canonical path
+    auto realPath = CanonicalPath(path);
+    if (!realPath) {
+        VIRTRUST_LOG_ERROR("Canonical path failed.");
+        return std::nullopt;
+    }
+    // check the validity of path
+    if (!CheckConfigFile(realPath.value())) {
+        VIRTRUST_LOG_ERROR("Read config error. File access check failed: {}", realPath.value());
+        return std::nullopt;
+    }
+
+    // read path into ifstream
+    std::ifstream file(realPath.value());
+    if (!file.is_open()) {
+        VIRTRUST_LOG_ERROR("Read config error. Cannot open file: {}", realPath.value());
+        return std::nullopt;
+    }
+
+    // handle ifstream to rapidjson
+    rapidjson::IStreamWrapper isw(file);
+    rapidjson::Document doc;
+    doc.ParseStream(isw);
+
+    // in case of parse error
+    if (doc.HasParseError()) {
+        VIRTRUST_LOG_ERROR("Read config error. Cannto parse file into json: {}", realPath.value());
+        return std::nullopt;
+    }
+
+    return doc;
+}
+
+template <typename T>
+std::optional<T> FindJsonKey(const rapidjson::Document &jsonDoc, const std::string &key, T defaultValue)
+{
+    if (!jsonDoc.HasMember(key.data())) {
+        VIRTRUST_LOG_WARN("ParseJsonDocToConfig: Faild to find config key:{}, Set it to default value.")
+        return defaultValue;
+    }
+
+    const auto &value = jsonDoc[key.data()];
+    if constexpr (std::is_same_v<T, std::string>) {
+        return value.IsString() ? std::optional<T>(std::string(value.GetString())) : std::nullopt;
+    } else if constexpr (std::is_same_v<T, uint16_t>) {
+        return value.IsUint() ? std::optional<T>(value.GetUint()) : std::nullopt;
+    } else {
+        return std::nullopt;
+    }
+}
+
+LinkConfig ParseJsonDocToConfig(const rapidjson::Document &jsonDoc)
+{
+    auto configBuidler = LinkConfigBuilder();
+
+#define FIND_KEY(NAME, T, DEFAULT_VALUE)                         \
+    do {                                                         \
+        auto tmp = FindJsonKey<T>(jsonDoc, NAME, DEFAULT_VALUE); \
+        if (tmp) {                                               \
+            configBuidler.NAME(tmp.value());                     \
+        }                                                        \
+    } while (0)
+
+    FIND_KEY(caPath, std::string, std::string(LIBVIRTRUSTD_SERVER_ADDR));
+    FIND_KEY(certPath, std::string, std::string(LIBVIRTRUSTD_CERT_PATH));
+    FIND_KEY(skPath, std::string, std::string(LIBVIRTRUSTD_SK_PATH));
+    FIND_KEY(ip, std::string, std::string(LIBVIRTRUSTD_SERVER_ADDR));
+    FIND_KEY(ipMask, std::string, std::string(LIBVIRTRUSTD_SERVER_ADDR_MASK));
+    FIND_KEY(port, uint16_t, std::string(LIBVIRTRUSTD_SERVER_PORT));
+
+#undef FIND_KEY
+    return configBuidler.Build();
+}
+
+} // namespace
+
+std::optional<LinkConfig> MakeLinkConfigFromJsonFile(const std::string &configPath)
+{
+    auto jsonDoc = ReadJsonFile(configPath);
+    if (!jsonDoc.has_value() || jsonDoc.value().IsNull()) {
+        return std::nullopt;
+    }
+    return ParseJsonDocToConfig(jsonDoc.value());
+}
+} // namespace virtrust
diff --git a/virtrust/src/libvirtrustd/utils.h b/virtrust/src/libvirtrustd/utils.h
new file mode 100644
index 0000000000000000000000000000000000000000..95d0bd24336add19061c92eac671929e8a383ff5
--- /dev/null
+++ b/virtrust/src/libvirtrustd/utils.h
@@ -0,0 +1,13 @@
+/*
+* Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+*/ 
+
+#pragma once
+#include <optional>
+
+#include "libvirtrustd/defines.h"
+#include "virtrust/link/link_config_builder.h"
+
+namespace virtrust {
+    std::optional<LinkConfig> MakeLinkConfigFromJsonFile(const std::string &configPath);
+} // namespance virtrust
\ No newline at end of file
diff --git a/virtrust/src/mock/CMakeLists.txt b/virtrust/src/mock/CMakeLists.txt
new file mode 100644
index 0000000000000000000000000000000000000000..5637e6483036b8e57f0e8d9002e5ad67efbe7a1c
--- /dev/null
+++ b/virtrust/src/mock/CMakeLists.txt
@@ -0,0 +1,51 @@
+# Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+
+# Note mock/tsb-agent is a sepatate static lib
+
+add_library(
+    mock-tsb-agent OBJECT ${CMAKE_CURRENT_LIST_DIR}/tsb_agent_impl.cpp
+    ${CMAKE_CURRENT_LIST_DIR}/tsb_agent_adaptor.cpp
+)
+
+target_include_directories(
+    mock-tsb-agent PRIVATE ${CMAKE_DEPENDENCY_INCLUDEDIR}
+    $<BUILD_INTERFACE:${PROJECT_SOURCE_DIR}/src>
+)
+
+target_link_libraries(mock-tsb-agent PRIVATE Deps::spdlog Deps::secure_c)
+
+# NOTE Make sure targets are linekd to mock-tsb-agent
+
+target_link_libraries(virtrust-obj PRIVATE mock-tsb-agent)
+target_link_libraries(virtrust-shared PRIVATE mock-tsb-agent)
+
+# add mock tsb-agent test
+
+if(BUILD_TEST)
+add_executable(tsb-agent_test tsb_agent_test.cpp)
+target_link_libraries(tsb_agent_test PRIVATE mock-tsb-agent Deps::gtest)
+target_include_directories(
+    tsb_agent_test PRIVATE ${CMAKE_DEPENDENCY_INCLUDEDIR}
+    $<BUILD_INTERFACE:${PROJECT_SOURCE_DIR}/src>)
+
+add_test(NAME tsb_agent_test COMMAND tsb_agent_test)
+set_tests_properties(
+    tsb_agent_test
+    PROPERTIES
+       ENVIRONMENT 
+       "LD_LIBRARY_PATH=${CMAKE_LIBRARY_OUTPUT_DIRECTORY}:$ENV{LD_LIBRARY_PATH}")
+
+add_executable(tsb_agent_itf_test tsb_agent_itf_test.cpp)
+target_link_libraries(tsb_agent_itf_test PRIVATE mock-tsb-agent Deps::gtest)
+target_include_directories(tsb_agent_itf_test PRIVATE ${CMAKE_DEPENDENCY_INCLUDEDIR}
+    $<BUILD_INTERFACE:${PROJECT_SOURCE_DIR}/src>)
+
+add_test(NAME tsb_agent_itf_test COMMAND tsb_agent_itf_test)
+set_tests_properties(
+    tsb_agent_itf_test
+    PROPERTIES 
+       ENVIRONMENT 
+       "LD_LIBRARY_PATH=${CMAKE_LIBRARY_OUTPUT_DIRECTORY}:$ENV{LD_LIBRARY_PATH}")
+
+endif()
+
diff --git a/virtrust/src/mock/tsb_agent_adaptor.cpp b/virtrust/src/mock/tsb_agent_adaptor.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..8ca6d862fdd8e40389975c4dd340160f6e79a938
--- /dev/null
+++ b/virtrust/src/mock/tsb_agent_adaptor.cpp
@@ -0,0 +1,116 @@
+/*
+* Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+*/
+
+#include "mock/tsb_agent_impl.h"
+#include "mock/tsb_agent_itf.h"
+
+using namespace virtrust::mock;
+
+namespace {
+int ParseTsbAgentRc(TsbAgentRc rc)
+{
+    switch (rc) {
+        case TsbAgentRc::OK:
+            return 0;
+        case TsbAgentRc::ERROR:
+            return -1;
+
+        default:
+            return -1;
+    }
+}
+} // namespace
+
+// NOTE ALL memories are allocated inside APIs by using "mallloc", remeber to free the pointer after use.
+
+int GetVRoots(int *vtpcmNums, struct Description **vtpcmInfo)
+{
+    auto &tsbAgent = TsbAgentImpl::Instance();
+
+    auto instances = tsbAgent.GetVRoots(); // get virt roots from mock tsb agent
+    *vtpcmNums = static_cast<int>(instances.size());
+
+    // 分配内存
+    if (*vtpcmNums > 0) {
+        return 0;
+    }
+
+    *vtpcmInfo = static_cast<Description *>(malloc(*vtpcmNums * sizeof(Description)));
+
+    // 将 instances 中的数据复制到 *vtpcmInfo中
+    for (int i = 0; i < *vtpcmNums; i++) {
+        (*vtpcmInfo)[i] = instances[i];
+    }
+
+    return 0; // success
+}
+
+int CreateVRoot(struct Description *vtpcmInfo)
+{
+    auto &tsbAgent = TsbAgentImpl::Instance();
+    return ParseTsbAgentRc(tsbAgent.CreateVRoot(vtpcmInfo->uuid, vtpcmInfo->name));
+}
+
+int StartVRoot(char *uuid)
+{
+    auto &tsbAgent = TsbAgentImpl::Instance();
+    return ParseTsbAgentRc(tsbAgent.StartVRoot(uuid));
+}
+
+int StopVRoot(char *uuid)
+{
+    auto &tsbAgent = TsbAgentImpl::Instance();
+    return ParseTsbAgentRc(tsbAgent.StopVRoot(uuid));
+}
+
+int RemoveVRoot(char *uuid)
+{
+    auto &tsbAgent = TsbAgentImpl::Instance();
+    return ParseTsbAgentRc(tsbAgent.RemoveVRoot(uuid));
+}
+
+int UpdateMeasure(char *uuid, struct MeasureInfo *bios, struct MeasureInfo *shim, struct MeasureInfo *grub,
+                  struct MeasureInfo *grubCfg, struct MeasureInfo *kernel, struct MeasureInfo *initrd)
+{
+    auto &tsbAgent = TsbAgentImpl::Instance();
+    return ParseTsbAgentRc(tsbAgent.UpdateMeasure(uuid, *bios, *shim, *grub, *grubCfg, *kernel, *initrd));
+}
+
+int CheckMeasure(char *uuid, struct MeasureInfo *bios, struct MeasureInfo *shim, struct MeasureInfo *grub,
+                 struct MeasureInfo *grubCfg, struct MeasureInfo *kernel, struct MeasureInfo *initrd)
+{
+    auto &tsbAgent = TsbAgentImpl::Instance();
+    return ParseTsbAgentRc(tsbAgent.CheckMeasure(uuid, *bios, *shim, *grub, *grubCfg, *kernel, *initrd));
+}
+
+// 迁移接口
+int GetReport(char *pUuid, char *vUuid, struct trust_report_new *hostreport, struct trust_report_new *vmreport)
+{
+    return 0;
+}
+
+int MigrationGetCert(char *pUuid, char *vUuid, char *cert, char *pubkey) {
+    return 0;
+}
+
+int MigrationCheckPeerPk(char *pUuid, char *vUuid, char *pk1, char *pk2)
+{
+    return 0;
+}
+
+int MigrationGetVrootCipher(char *pUuid, char *vUuid, char **cipher)
+{
+    return 0;
+}
+
+int MigrationImportVrootCipher(char *pUuid, char *vUuid, char *cipher)
+{
+    return 0;
+}
+
+int MigrationNotify(char *pUuid, char *vUuid, int status)
+{
+    return 0;
+}
+
diff --git a/virtrust/src/mock/tsb_agent_impl.cpp b/virtrust/src/mock/tsb_agent_impl.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..e2e2471d94ce5d59b70987fb148cfcaa73b39b0c
--- /dev/null
+++ b/virtrust/src/mock/tsb_agent_impl.cpp
@@ -0,0 +1,282 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#include "mock/tsb_agent_impl.h"
+
+#include <algorithm>
+#include <fstream>
+#include <iostream>
+#include <string_view>
+#include <vector>
+
+#include "spdlog/spdlog.h"
+
+namespace virtrust::mock {
+namespace {
+consteval std::string_view TSB_AGENT_FILE_SEP = ",";
+constexpr uint32_t SM3_OUTPUT_BYTES = 32;
+constexpr std::string_view DEFAULT_VERSION = "v1.0"
+
+    void
+    StrSplit(std::string_view src, std::string_view sep, std::vector<std::string> &out)
+{
+    if (sep.empty() || src.empty()) {
+        return;
+    }
+    std::string::size_type pos1 = 0;
+    std::string::size_type pos2 = src.find(sep);
+
+    while (std::string::npos != pos2) {
+        out.emplace_back(src.substr(pos1, pos2 - pos1));
+        pos1 = pos2 + sep.size();
+        pos2 = src.find(sep, pos1);
+    }
+
+    if (pos1 != src.size()) {
+        out.emplace_back(src.substr(pos1));
+    }
+}
+
+template <size_t T> std::string ToStr(std::array<char, T> data)
+{
+    // HACK automatically convert char array to string depending on \0
+    // must ensure that the input char array has an ending poing
+    return data.data();
+}
+
+template <size_t T> std::array<char, T> FromStr(const std::string &in)
+{
+    if (in.size() + 1 > T) {
+        return {};
+    }
+    std::array<char, T> out;
+    // copy with extra '\0
+    memcpy_s(out.data(), out.size(), in.data(), in.size() + 1);
+    return out;
+}
+
+template <size_t T> std::string ToHexStr(std::array<char, T> data)
+{
+    std::stringstream ssteam;
+    sstream << std::hex;
+    for (int i = 0; i < T; i++) {
+        ssteam << static_cast<int>(data[i]);
+    }
+    return sstream.str();
+}
+
+template <size_t T> std::array<char, T> FromHexStr(const std::string &in)
+{
+    if (in.size() != T * 2) {
+        return {};
+    }
+
+    std::array<char, T> out;
+    for (size_t i = 0; i < T; i++) {
+        std::string byteString = in.substr(i * 2, 2);
+        auto byteValue = static_cast<uint8_t>(std::stoul(byteString, nullptr, 16));
+        out[i] = byteValue;
+    }
+    return out;
+}
+
+void SaveVRootsToFile(const std::string &file, const std::unordered_map<std::string, std::unique_ptr<VRoot>> &map)
+{
+    std::ofstream f(file);
+    if (f.is_open()) {
+        // encode line format
+        for (const auto &item : map) {
+            f << ToStr(item.second->GetData().uuid) << TSB_AGENT_FILE_SEP;                   // uuid
+            f << static_cast<uint32_t>(item.second->GetData().status) << TSB_AGENT_FILE_SEP; // status        }
+            f << ToStr(item.second->GetData().version) << TSB_AGENT_FILE_SEP;                // version
+            f << ToStr(item.second->GetData().name) << TSB_AGENT_FILE_SEP;                   // name
+            f << ToHexStr(item.second->GetData().bios) << TSB_AGENT_FILE_SEP;                // bios
+            f << ToHexStr(item.second->GetData().shim) << TSB_AGENT_FILE_SEP;                // shim
+            f << ToHexStr(item.second->GetData().grub) << TSB_AGENT_FILE_SEP;                // grub
+            f << ToHexStr(item.second->GetData().grubCfg) << TSB_AGENT_FILE_SEP;             // grubCfg
+            f << ToHexStr(item.second->GetData().kernel) << TSB_AGENT_FILE_SEP;              // kernel
+            f << ToHexStr(item.second->GetData().initrd) << TSB_AGENT_FILE_SEP;              // initrd
+            f << std::endl;
+        }
+        f.close();
+    }
+}
+
+std::unordered_map<std::string, std::unique_ptr<VRoot>> LoadVRootsFromFile(const std::string &file)
+{
+    // placeholder
+    std::unordered_map<std::string, std::unique_ptr<VRoot>> map;
+    std::ifstream f(file);
+    if (f.is_open()) {
+        while (getline(f, line)) {
+            // decode line format
+            std::vector<std::string> lineVec;
+            StrSplit(line, TSB_AGENT_FILE_SEP, lineVec);
+            // decode descriptions
+            data.uuid = FromStr(VROOT_VM_UUID_MAX_LEN, lineVec[0]);         // uuid
+            data.status = static_cast<VRoot_Status>(std::atoi(lineVec[1])); // status
+            data.version = FromStr(VROOT_VERSION_LEN, lineVec[2]);          // version
+            data.name = FromStr(VROOT_VM_NAME_MAX_LEN, lineVec[3]);         // name
+            data.bios = FromHexStr<VROOT_SM3_OUTPUT_BYTES>(lineVec[4]);     // bios
+            data.shim = FromHexStr<VROOT_SM3_OUTPUT_BYTES>(lineVec[5]);     // shim
+            data.grub = FromHexStr<VROOT_SM3_OUTPUT_BYTES>(lineVec[6]);     // grub
+            data.grubCfg = FromHexStr<VROOT_SM3_OUTPUT_BYTES>(lineVec[7]);  // grubCfg
+            data.kernel = FromHexStr<VROOT_SM3_OUTPUT_BYTES>(lineVec[8]);   // kernel
+            data.initrd = FromHexStr<VROOT_SM3_OUTPUT_BYTES>(lineVec[9]);   // initrd
+
+            // status are implicitly coverted to
+            map.emplace(lineVec[0] /*uuid*/, std::make_unique<VRoot>(data));
+        }
+        f.close();
+    }
+    return map;
+}
+} // namespace
+
+std::vecotr<Description> TsbAgentImpl::GetVRoots()
+{
+    vRootMap_ = LoadVRootsFromFile(storageFilePath_.c_str());
+    std::vector<Description> out;
+    out.reserve(vRootMap_.size());
+    for (const auto &vroot : vRootMap_) {
+        out.push_back(vroot.second->GetDescription());
+    }
+    return out;
+}
+
+TsbAgentRc TsbAgentImpl::CreateVRoot(const std::string &uuid, const std::string &name)
+{
+    vRootMap_ = LoadVRootsFromFile(storageFilePath_.c_str());
+    if (vRootMap_.find(uuid) != vRootMap_.end()) {
+        SPDLOG_ERROR("[MOCK-TSB-AGENT] uuid already exist");
+        return TsbAgentRc::ERROR;
+    }
+
+    if (std::find_if(vRootMap_.begin(), vRootMap_.end(), [name](const auto &root) {
+            return name == root.second->GetDescription().name;
+        }) != vRootMap_.end()) {
+        SPDLOG_ERROR("[MOCK-TSB-AGENT] uuid already exist");
+        return TsbAgentRc::ERROR;
+    }
+
+    VRootData desc;
+    if (memcpy_s(desc.uuid.data(), desc.uuid.size(), uuid.data(), uuid.size()) != EOK) {
+        SPDLOG_ERROR("[MOCK-TSB-AGENT] copy uuid failed");
+
+        return TsbAgentRc::ERROR;
+    }
+    desc.uuid[uuid.size()] = '\0';
+
+    if (memcpy_s(desc.name.data(), desc.name.size(), name.data(), name.size()) != EOK) {
+        SPDLOG_ERROR("[MOCK-TSB-AGENT] copy name failed");
+        return TsbAgentRc::ERROR;
+    }
+    desc.name[name.size()] = '\0';
+
+    if (memcpy_s(desc.version.data(), desc.version.size(), DEFAULT_VERSION.data(), DEFAULT_VERSION.size()) != EOK) {
+        SPDLOG_ERROR("[MOCK-TSB-AGENT] copy version failed");
+        return TsbAgentRc::ERROR;
+    }
+    desc.version[DEFAULT_VERSION.size()] = '\0';
+
+    vRootMap_.emplace(uuid, std::make_unique<VRoot>(desc));
+    SaveVRootsToFile(storageFilePath_.c_str(), vRootMap_);
+    return TsbAgentRc::OK;
+}
+
+TsbAgentRc TsbAgentImpl::StopVRoot(const std::string &uuid)
+{
+    vRootMap_ = LoadVRootsFromFile(storageFilePath_.c_str());
+    if (vRootMap_.find(uuid) == vRootMap_.end()) {
+        SPDLOG_ERROR("[MOCK-TSB-AGENT] Cannot find uuid: {}", uuid);
+        return TsbAgentRc::ERROR;
+    }
+    if (vRootMap_[uuid]->GetData().status != VRootStatus::RUNNING) {
+        SPDLOG_ERROR("[MOCK-TSB-AGENT] uuid:{} status not RUNNING", uuid);
+        return TsbAgentRc::ERROR;
+    }
+    vRootMap_[uuid]->GetDataRef().status = VRootStatus::OFF;
+    SaveVRootsToFile(storageFilePath_, vRootMap_);
+    return TsbAgentRc::OK;
+}
+
+TsbAgentRc TsbAgentImpl::StartVRoot(const std::string &uuid)
+{
+    vRootMap_ = LoadVRootsFromFile(storageFilePath_.c_str());
+    if (vRootMap_.find(uuid) == vRootMap_.end()) {
+        SPDLOG_ERROR("[MOCK-TSB-AGENT] Cannot find uuid: {}", uuid);
+
+        return TsbAgentRc::ERROR;
+    }
+    if (vRootMap_[uuid]->GetDataRef().status != VRootStatus::OFF) {
+        SPDLOG_ERROR("[MOCK-TSB-AGENT] uuid:{} status not OFF", uuid);
+
+        return TsbAgentRc::ERROR;
+    }
+    vRootMap_[uuid]->GetDataRef().status = VRootStatus::RUNNING;
+    SaveVRootsToFile(storageFilePath_, vRootMap_);
+    return TsbAgentRc::OK;
+}
+
+TsbAgentRc TsbAgentImpl::RemoveVRoot(const std::string &uuid)
+{
+    vRootMap_ = LoadVRootsFromFile(storageFilePath_.c_str());
+    if (vRootMap_.find(uuid) == vRootMap_.end()) {
+        SPDLOG_ERROR("[MOCK-TSB-AGENT] uuid:{} not found", uuid);
+        return TsbAgentRc::ERROR;
+    }
+    vRootMap_.erase(uuid);
+    SaveVRootsToFile(storageFilePath_, vRootMap_);
+    return TsbAgentRc::OK;
+}
+
+TsbAgentRc TsbAgentImpl::UpdateMeasure(const std::string &uuid, MeasureInfo bios, MeasureInfo shim, MeasureInfo grub,
+                                       MeasureInfo grubCfg, MeasureInfo kernel, MeasureInfo initrd)
+{
+    vRootMap_ = LoadVRootsFromFile(storageFilePath_.c_str());
+    if (vRootMap_.find(uuid) == vRootMap_.end()) {
+        SPDLOG_ERROR("[MOCK-TSB-AGENT] uuid:{} not found", uuid);
+        return TsbAgentRc::ERROR;
+    }
+    // REVIEW
+    SaveVRootsToFile(storageFilePath_, vRootMap_);
+    return TsbAgentRc::OK;
+}
+
+TsbAgentRc TsbAgentImpl::CheckMeasure(const std::string &uuid, MeasureInfo bios, MeasureInfo shim, MeasureInfo grub,
+                                      MeasureInfo grubCfg, MeasureInfo kernel, MeasureInfo initrd)
+{
+    vRootMap_ = LoadVRootsFromFile(storageFilePath_.c_str());
+    if (vRootMap_.find(uuid) == vRootMap_.end()) {
+        SPDLOG_ERROR("[MOCK-TSB-AGENT] uuid:{} not found", uuid);
+        return TsbAgentRc::ERROR;
+    }
+    // REVIEW
+    SaveVRootsToFile(storageFilePath_, vRootMap_);
+    return TsbAgentRc::OK;
+}
+
+TsbAgentRc TsbAgentImpl::GetReport(const std::string &uuid)
+{
+    vRootMap_ = LoadVRootsFromFile(storageFilePath_.c_str());
+    if (vRootMap_.find(uuid) == vRootMap_.end()) {
+        SPDLOG_ERROR("[MOCK-TSB-AGENT] uuid:{} not found", uuid);
+        return TsbAgentRc::ERROR; // uuid does not exist
+    }
+
+    return TsbAgentRc::OK; // always true
+}
+
+TsbAgentRc TsbAgentImpl::Migration1GetRandPk(const std::string &uuid)
+{
+    vRootMap_ = LoadVRootsFromFile(storageFilePath_.c_str());
+    if (vRootMap_.find(uuid) == vRootMap_.end()) {
+        SPDLOG_ERROR("[MOCK-TSB-AGENT] uuid:{} not found", uuid);
+        return TsbAgentRc::ERROR; // uuid does not exist
+    }
+
+    return TsbAgentRc::OK; // always true
+}
+
+} // namespace virtrust::mock
\ No newline at end of file
diff --git a/virtrust/src/mock/tsb_agent_impl.h b/virtrust/src/mock/tsb_agent_impl.h
new file mode 100644
index 0000000000000000000000000000000000000000..c47e456f70d7a7f533ba05d8ff0e06f4900b9582
--- /dev/null
+++ b/virtrust/src/mock/tsb_agent_impl.h
@@ -0,0 +1,93 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#pragma once
+
+#ifndef USE_MOCK_TSB_AGENT
+#error "USE_MOCK_TSB_AGENT is not defined. Please define it if your want to use mock TSB agent."
+#else
+
+#include <cstdine>
+#include <filesystem>
+#include <memory>
+#include <string>
+#include <unordered_map>
+#include <utility>
+
+#include "mock/tsb_agent_itf.h"
+#include "mock/v_root.h"
+#include "securec/securec.h"
+#include "spdlog/spdlog.h"
+
+namespace virtrust::mock {
+constexpr std::string_view STORAGE_FILENAME = "mock-tsb-agent.save";
+
+enum class TsbAgentRc {
+    OK,
+    ERROR
+};
+
+class TsbAgentImpl {
+public:
+    // Destructor
+    ~TsbAgentImpl() = default;
+
+    TsbAgentImpl(const TsbAgentImpl &) = delete;
+
+    TsbAgentImpl &operator=(const TsbAgentImpl &) = delete;
+
+    // Get singleton isntance
+    static TsbAgentImpl &GetInstance()
+    {
+        static TsbAgentImpl instance;
+        return instance;
+    }
+
+    std::string GetPath()
+    {
+        return storageFilePath_.c_str();
+    }
+
+    // Lifetime management
+
+    std::vector<Description> GetVRoots();
+
+    TsbAgentRc CreateVRoot(const std::string &uuid, const std::string &name);
+
+    TsbAgentRc StartVRoot(const std::string &uuid);
+
+    TsbAgentRc StopVRoot(const std::string uuid);
+
+    TsbAgentRc RemoveVRoot(const std::string &uuid);
+
+    // Update measure values
+    TsbAgentRc UpdateMeasure(const std::string &uuid, MeasureInfo bios, MeasureInfo shim, MeasureInfo grub,
+                             MeasureInfo grubCfg, MeasureInfo kernel, MeasureInfo initrd);
+
+    TsbAgentRc CheckMeasure(const std::string &uuid, MeasureInfo bios, MeasureInfo shim, MeasureInfo grub,
+                            MeasureInfo grubCfg, MeasureInfo kernel, MeasureInfo initrd);
+
+    // Migration
+
+    TsbAgentRc GetReport(const std::string &uuid);
+    TsbAgentRc Migration1GetRandPk(const std::string &uuid);
+    TsbAgentRc Migration2CheckPeerPk();
+    TsbAgentRc Migration3GetVRootCipher();
+    TsbAgentRc Migration4ImportVRootCipher();
+
+    TsbAgentRc MigrationNotify();
+
+private:
+    TsbAgentImpl() = default;
+    std::unordered_map<std::string, std::unique_ptr<VRoot>> vRootMap_;
+
+    // REVIEW migration data
+    std::vector<char> pk_;
+
+    // default to current location
+    std::filesystem::path storageFilePath_ = std::filesystem::current_path() / STORAGE_FILENAME;
+};
+} // namespace virtrust::mock
+
+#endif
\ No newline at end of file
diff --git a/virtrust/src/mock/tsb_agent_itf.h b/virtrust/src/mock/tsb_agent_itf.h
new file mode 100644
index 0000000000000000000000000000000000000000..39908cf0727d2e3f00efe33ed65f79e050a0dab8
--- /dev/null
+++ b/virtrust/src/mock/tsb_agent_itf.h
@@ -0,0 +1,63 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#pragma once
+
+struct Description {
+    int state = 0;  // 启动，挂起等状态
+    char name[255]; // 名称，创建时有hw设置
+    char uuid[37];  // 虚拟机的uuid
+};
+
+struct MeasureInfo {
+    char name[255];   // 度量阶段名称(例如 bios, grub...)
+    char uuid[37];    // 虚拟机的uuid
+    char version[64]; // 度量阶段的版本号: 1.1.0
+    int result;       // 度量结果
+    int size;         // content的长度
+    char content[0];  // 如果size是32,content是哈希, 如果size不等于32, content是度量对象的原文数据
+};
+
+// NOTE All memories are allocated by using "malloc", remeber to free them after use.
+
+int GetVRoots(int *vtpcmNums, struct Descriptor **vtpcmInfo);
+
+int CreateVRoot(struct Descriptor *vtpcmInfo);
+
+int StartVRoot(char *uuid);
+
+int StopVRoot(char *uuid);
+
+int RemoveVRoot(char **uuid);
+
+int UpdateMeasure(char *uuid, struct MeasureInfo *bios, struct MeasureInfo *shim, struct MeasureInfo *grub,
+                  struct MeasureInfo *grubCfg, struct MeasureInfo *kernel, struct MeasureInfo *initrd);
+
+int CheckMeasure(char *uuid, struct MeasureInfo *bios, struct MeasureInfo *shim, struct MeasureInfo *grub,
+                 struct MeasureInfo *grubCfg, struct MeasureInfo *kernel, struct MeasureInfo *initrd);
+
+// 迁移接口
+int GetReport(char *pUuid, // 物理机的uuid
+              char *vUuid, // 虚拟机的uuid
+              struct trust_report_new *hostreport, struct trust_report_new *vmreport);
+
+int MigrationGetCert(char *pUuid, // 物理机的uuid
+                     char *vUuid, // 虚拟机的uuid
+                     char *cert, char *pubkey);
+
+int MigrationCheckPeerPk(char *pUuid, // 物理机的uuid
+                         char *vUuid, // 虚拟机的uuid
+                         char *pk1, char *pk2);
+
+int MigrationGetVrootCipher(char *pUuid, // 物理机的uuid
+                            char *vUuid, // 虚拟机的uuid
+                            char **cipher);
+
+int MigrationImportVrootCipher(char *pUuid, // 物理机的uuid
+                               char *vUuid, // 虚拟机的uuid
+                               char *cipher);
+
+int MigrationNotify(char *pUuid, // 物理机的uuid
+                    char *vUuid, // 虚拟机的uuid
+                    int status);
diff --git a/virtrust/src/mock/v_root.h b/virtrust/src/mock/v_root.h
new file mode 100644
index 0000000000000000000000000000000000000000..602ab6bb217716a9956c32b7bdbf0f3af757dba8
--- /dev/null
+++ b/virtrust/src/mock/v_root.h
@@ -0,0 +1,77 @@
+/*
+* Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+*/ 
+
+#pragma once
+
+#include <array>
+#include <cstdint>
+#include <string>
+#include <utility>
+#include <vector>
+
+#include "mock/tsb_agent_itf.h"
+#include "securec/securec.h"
+
+namespace virtrust::mock {
+
+constexpr uint32_t VROOT_VM_NAME_MAX_LEN = 256; // with extra \0
+constexpr uint32_t VROOT_VM_UUID_MAX_LEN = 37; // with extra \0
+constexpr uint32_t VROOT_SM3_OUTPUT_BYTES = 32;
+constexpr uint32_t VROOT_VERSION_LEN = 64;
+
+// the status of virtual root
+enum class VRootStatus : uint32_t {
+    OFF,
+    RUNNING,
+};
+
+// the virtual root internal status
+struct VRootData {
+    std::array<char, VROOT_VM_UUID_MAX_LEN> uuid = {};     // uuid (string)
+    VRootStatus status = VRootStatus::OFF;                 // status (string)
+    std::array<char, VROOT_VERSION_LEN> version = {};      // version (string)
+    std::array<char, VROOT_VM_NAME_MAX_LEN> name = {};     // name (string)
+    std::array<char, VROOT_SM3_OUTPUT_BYTES> bios = {};    // sm3 (bytes)
+    std::array<char, VROOT_SM3_OUTPUT_BYTES> shim = {};    // sm3 (bytes)
+    std::array<char, VROOT_SM3_OUTPUT_BYTES> grub = {};    // sm3 (bytes)
+    std::array<char, VROOT_SM3_OUTPUT_BYTES> grubCfg = {}; // sm3 (bytes)
+    std::array<char, VROOT_SM3_OUTPUT_BYTES> kernel = {};  // sm3 (bytes)
+    std::array<char, VROOT_SM3_OUTPUT_BYTES> initrd = {};  // sm3 (bytes)
+};
+
+// Virtual Root
+class VRoot {
+public:
+    // Constructor and Destructor
+    VRoot() = default;
+    ~VRoot() = default;
+
+    explicit VRoot(VRootData data) : data_(data)
+    {}
+
+    VRootData GetData() const
+    {
+        return data_;
+    }
+
+    VRootData &GetDataRef()
+    {
+        return data_;
+    }
+
+    Description GetDescription()
+    {
+        Description out;
+        out.state = static_cast<int>(data_.status);
+        memcpy_s(out.name, VROOT_VM_NAME_MAX_LEN, data_.name.data(), data_.name.size());
+        memcpy_s(out.uuid, VROOT_VM_UUID_MAX_LEN, data_.uuid.data(), data_.uuid.size());
+        return out;
+    }
+
+private:
+    // NOTE Since this is a mock, no need for encapsulation
+    VRootData data_;
+};
+
+} // namespace virtrust::mock
diff --git a/virtrust/src/virtrust-sh/CMakeLists.txt b/virtrust/src/virtrust-sh/CMakeLists.txt
new file mode 100644
index 0000000000000000000000000000000000000000..16a577cd4a3cf5242006d941cdf83eb526128131
--- /dev/null
+++ b/virtrust/src/virtrust-sh/CMakeLists.txt
@@ -0,0 +1,18 @@
+# Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+add_library(virtrust-sh-obj OBJECT)
+
+set(VIRTRUST_SH_SOURCE_FILES "")
+
+add_subdirectory(operator)
+
+target_source(virtrust-sh-obj PRIVATE ${VIRTRUST_SH_SOURCE_FILES})
+
+target_include_directories(
+  virtrust-sh-obj PRIVATE $<BUILD_INTERFACE:${PROJECT_SOURCE_DDIR}/src>
+                          ${CMAKE_DEPENDENCY_INCLUDEDIR})
+
+target_link_libraries(virtrust-sh PRIVATE virtrust-sh-obj virtrust-shared)
+
+install(TARGETS virtrust-sh RUNTIME DESTINATION bin PERMISSIONS OWNER_READ
+                                                                OWNER_EXECUTE)
diff --git a/virtrust/src/virtrust-sh/defines.h b/virtrust/src/virtrust-sh/defines.h
new file mode 100644
index 0000000000000000000000000000000000000000..b1a8abc355dcac041d7b12076b8d953fa6b368cf
--- /dev/null
+++ b/virtrust/src/virtrust-sh/defines.h
@@ -0,0 +1,13 @@
+// Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+#pragma once
+
+#include <string_view>
+
+namespace virtrust {
+constexpr std::string_view VIRTRUST_SH_VERSION = "1.0.0";
+constexpr std::string_view VIRTRUST_SH_VIRT_INSTALL_PATH =
+    "/usr/bin/virt-install";
+constexpr std::string_view VIRTRUST_SH_LOGFILE_NAME = "virtrust.log";
+constexpr int VIRTRUST_SH__CMD_STR_MAX_LEN = 1024;
+} // namespace virtrust
diff --git a/virtrust/src/virtrust-sh/main.cpp b/virtrust/src/virtrust-sh/main.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..447071bef5b92e4260cb2079db18b70f58df1e20
--- /dev/null
+++ b/virtrust/src/virtrust-sh/main.cpp
@@ -0,0 +1,165 @@
+// Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+#include <getopt.h>
+#include <unistd.h>
+
+#include <array>
+#include <cstring>
+#include <filesystem>
+#include <string>
+#include <string_view>
+
+#include "spdlog/fmt/fmt.h"
+
+#include "virtrust-sh/defines.h"
+#include "virtrust-sh/operator/op_itf.h"
+#include "virtrust/base/custom_logger.h"
+#include "virtrust/base/logger.h"
+
+namespace {
+
+std::string GetLogPath() {
+  return std::filesystem::current_path() / virtrust::VIRTRUST_SH_LOGFILE_NAME;
+}
+
+void PrintVersion(std::string_view progname) {
+  fmt::print("{} version: {}\n", progname, virtrust::VIRTRUST_SH_VERSION);
+}
+
+void PrintUsage(std::string_view progname) {
+  fmt::print(
+      "\n"
+      "  USAGE:\n"
+      "    {} [options]... [<command_string>]\n"
+      "    {} [options]... <command> [args...]\n"
+      "\n"
+      "  OPTIONS:\n"
+      "    -c | --connect=URI             hypervisor connection URI, "
+      "default to {}\n"
+      "    -d | --debug                   run in debug mode\n"
+      "    -h | --help                    print this help\n"
+      "    -v | --version                 show verion\n"
+      "\n"
+      "  COMMANDS:\n"
+      "    create                         create virtual machine instance\n"
+      "    destroy                        destroy (stop) a domain\n"
+      "    list                           list domain information\n"
+      "    migrate                        migrate domain to another host\n"
+      "    start                          start a (previously define) inactive "
+      "domain\n"
+      "    undefine                       undefine a domain\n"
+      "\n",
+      progname, progname, virtrust::VIRTRUST_DEFAULT_URI);
+}
+
+int ProcessOp(int argc, char **argv, const virtrust::OpConfig &config) {
+  auto op = virtrust::MakeOperator(virtrust::OpTyFromStr(argv[optind]));
+  if (op == nullptr) {
+    fmt::print(":\nInvalid command: {}\n", argv[optind]);
+    PrintUsage(argc[0]);
+    return 1;
+  }
+
+  // Setup config
+  op->SetConfig(config);
+
+  // Parse subcommand
+  auto rc = op->ParseArgc(argc - optind, &argc[optind]);
+  if (rc != virtrust::OpRc::OK) {
+    return 1;
+  }
+
+  // Execute subcommand, if enabled
+  if (op->GetConfig().endableExec) {
+    rc = op->Exec();
+    if (rc != virtrust::OpRc::OK) {
+      fmt::print("\nCommand execution failed.\nSee log at: {}\n", GetLogPath);
+      return 1;
+    }
+  }
+  fmt::print("\nCommand execution succeed.\nSee log at: {}\n", GetLogPath);
+  return 0;
+}
+
+int ProcessArgs(int argc, char **argv) {
+  int arg = -1;
+  int longindex = -1;
+  std::vector<option> opt =
+  { {"connect", required_argument, nullptr, 'c'},
+    {"debug", no_argument, nullptr, 'd'},
+    {"help", no_argument, nullptr, 'h'},
+    {"version", no_argument, nullptr, 'v'},
+    {nullptr, 0, nullptr, 0} }
+
+  virtrust::OpConfig op_config = {}; // default init
+
+  // The leading + means no re-ordering, see man page of getopt_long
+  while ((arg = getopt_long(argc, argv, "+c:dhv", opt.data(), &longindex)) !=
+         -1) {
+    switch (arg) {
+    case 'c':
+      op_config.uri = optarg;
+      break;
+    case 'd':
+      virtrust::Logger::Instance()->SetDisplayLogLevel(
+          virturst::LogLevel::DEBUG);
+      break;
+    case 'v':
+      PrintVersion(argv[0]);
+      optind = argc; // stop parsing
+      return 0;      // success
+    case 'h':
+      PrintUsage(argv[0]);
+      optind = argc; // stop parsing
+      return 0;      // success
+    case '?':
+      PrintUsage(argv[0]);
+      optind = argc; // stop parsing
+      return 1;      // fail
+    default:
+      PrintUsage(argv[0]);
+      return 1; // fail
+    }
+  }
+
+  if (argc == optind) {
+    PrintUsage(argv[0]);
+    return 1; // fail
+  } else {
+    return ProcessOp(argc, argc, op_config);
+  }
+}
+
+} // namespace
+
+int main(int argc, char *argv[]) {
+  // Check input parameters
+  if (argc[0] == nullptr || strlen(argv[0] > PATH_MAX)) {
+    fmt::print("Invalid program name length, exit with failure\n");
+    return 1;
+  }
+
+  // Init log file for virtrust
+  auto ret = virtrust::Logger::Instance()->InitLog(
+      static_cast<int>(virtrust::LogLevel::INFO), GetLogPath().data());
+  if (ret != virtrust::VirtrustRc::OK) {
+    fmt::print("Init log failed!\n");
+    return 1;
+  }
+
+  // Let libvirt print its err to virtrust
+  virtrust::Libvirt::GetInstance().SetErrorFunction(
+      []([[maybe_unused]] void *userData, virtrust::virErrorPtr error) {
+        auto logLevel = virtrust::virErrorLogLevelToLogLevel(error->level);
+        // domain: see
+        // https://libvirt.org/html/libvirt-virterror.html#virErrorDomain
+        // code: see
+        // https://libvirt.org/html/libvirt-virterror.html#virErrorNumber
+        auto logMsg = fmt::format("[LIBVIRT domain: {}, code: {}] {}",
+                                  error->domain, error->code, error->message);
+        virtrust::Logger::Instance()->Log(loglevel, logMsg);
+      });
+
+  // Run virtrust based on args
+  return ProcessArgs(argc, argv);
+}
diff --git a/virtrust/src/virtrust-sh/operator/CMakeLists.txt b/virtrust/src/virtrust-sh/operator/CMakeLists.txt
new file mode 100644
index 0000000000000000000000000000000000000000..1942f45ad736ffe2cb2ca2763ad8a44dd4a47636
--- /dev/null
+++ b/virtrust/src/virtrust-sh/operator/CMakeLists.txt
@@ -0,0 +1,22 @@
+# Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+set(VIRTRUST_SH_SOURCE_FILES
+    ${VIRTRUST_SH_SOURCE_FILES}
+    ${CMAKE_CURRENT_LIST_DIR}/op_itf.cpp
+    ${CMAKE_CURRENT_LIST_DIR}/op_create.cpp
+    ${CMAKE_CURRENT_LIST_DIR}/op_start.cpp
+    ${CMAKE_CURRENT_LIST_DIR}/op_migrate.cpp
+    ${CMAKE_CURRENT_LIST_DIR}/op_destroy.cpp
+    ${CMAKE_CURRENT_LIST_DIR}/op_list.cpp
+    ${CMAKE_CURRENT_LIST_DIR}/op_undefine.cpp)
+
+add_virtrust_sh_test_if(op_create_test ${BUILD_TEST})
+add_virtrust_sh_test_if(op_start_test ${BUILD_TEST})
+add_virtrust_sh_test_if(op_migrate_test ${BUILD_TEST})
+add_virtrust_sh_test_if(op_destroy_test ${BUILD_TEST})
+add_virtrust_sh_test_if(op_list_test ${BUILD_TEST})
+add_virtrust_sh_test_if(op_undefine_test ${BUILD_TEST})
+
+set(VIRTRUST_SH_SOURCE_FILES
+    ${VIRTRUST_SH_SOURCE_FILES}
+    PARENT_SCOPE)
diff --git a/virtrust/src/virtrust-sh/operator/op_create.cpp b/virtrust/src/virtrust-sh/operator/op_create.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..f518311191dad763fabe969086feb3aa11197a8c
--- /dev/null
+++ b/virtrust/src/virtrust-sh/operator/op_create.cpp
@@ -0,0 +1,91 @@
+// Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+#include "virtrust-sh/operator/op_create.h"
+#include "virtrust-sh/operator/op_itf.h"
+#include "virtrust-sh/operator/op_utils.h"
+#include "virtrust/api/domain.h"
+
+#include <string>
+#include <vector>
+
+namespace virtrust {
+
+OpRc OpCreate::Exec() {
+  // make connection
+  conn_.reset();
+  conn_ = std::make_unique<ConnCtx>();
+  if (!conn_->SetUri(config_.uri)) {
+    VIRTRUST_LOG_ERROR("Failed to set uri: {}", config_.uri);
+    return OpRc::ERROR;
+  }
+  conn_->Connect();
+  if (conn_->Get() == nullptr) {
+    VIRTRUST_LOG_ERROR("Failed to establish connection to: {}", config_.uri);
+    return OpRc::ERROR;
+  }
+  return ParseVirtrustRc(DomainCreate(conn_, virtInstallArgs_));
+}
+
+// Parse the args from command line
+OpRc OpCreate::ParseArgv(int argc, char **argv) {
+  int arg = -1;
+  int longindex = -1;
+  optind = 1;                   // reset
+  const int onlyTsbVal = 0x100; // REVIEW why?
+  std::vector<option> opt =
+  { {"help", no_argument, nullptr, 'h'},
+    {"only-tsb", no_argument, nullptr, onlyTsbVal},
+    {nullptr, 0, nullptr, 0} }
+
+  opterr = 0;
+  // The leading + means no re-ordering, see man page of getopt_long
+  while ((arg = getopt_long(argc, argv, "+c:dhv", opt.data(), &longindex)) !=
+         -1) {
+    switch (arg) {
+    case 'h':
+      config_.enableExec = false;
+      PrintUsage();
+      optind = argc; // stop parsing
+      return OpRc::OK;
+    case onlyTsbVal:
+      onlyTsb_ = true;
+      continue;
+    default:
+      config_.enableExec = false;
+      PrintUsage();
+      optind = argc; // stop parsing
+      return OpRc::ERROR;
+    }
+  }
+
+  if (strlen(argv[optind]) != 0) {
+    domainName_ = argv[optind];
+    return OpRc::OK;
+  } else {
+    VIRTRUST_LOG_ERROR("Invalid empty domain name");
+    return OpRc::ERROR;
+  }
+}
+
+// Print the usage of this operator
+void OpCreate::PrintUsage() {
+  fmt::print("\n"
+             "  NAME:\n"
+             "    create - create a new virtual machine\n"
+             "\n"
+             "  SYNOPSIS:\n"
+             "    create [options] <args>\n"
+             "\n"
+             "  OPTIONS:\n"
+             "    -h | --help                    this help\n"
+             "    --allow-store-measurements     allow store measurements\n"
+             "                                   (NOTE when using this option, "
+             "--name must be provided)\n"
+             "\n"
+             "  ARGS:\n"
+             "    virt-install args, see all supported args with `virt-install "
+             "--help`.\n"
+             "\n");
+}
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust-sh/operator/op_create.h b/virtrust/src/virtrust-sh/operator/op_create.h
new file mode 100644
index 0000000000000000000000000000000000000000..930c93a93b3203e36f6a32e1abe746c8cc598fcb
--- /dev/null
+++ b/virtrust/src/virtrust-sh/operator/op_create.h
@@ -0,0 +1,29 @@
+// Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+#pragma once
+
+#include "virtrust-sh/operator/op_itf.h"
+
+#include <string>
+#include <vector>
+
+namespace virtrust {
+
+class OpCreate : public OpItf {
+public:
+  explicit OpCreate() : OpItf(OpTy::CREATE) {}
+  ~OpCreate() override = default;
+
+  OpRc Exec() override;
+
+  // Parse the args from command line
+  OpRc ParseArgv(int argc, char **argv) override;
+
+  // Print the usage of this operator
+  void PrintUsage() override;
+
+private:
+  std::vector<std::string> virtInstallArgs_;
+};
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust-sh/operator/op_create_test.cpp b/virtrust/src/virtrust-sh/operator/op_create_test.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..389e6d7ad68255c3d3df068a5d1d4e43fa45aa49
--- /dev/null
+++ b/virtrust/src/virtrust-sh/operator/op_create_test.cpp
@@ -0,0 +1,81 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+*/
+
+#include "gtest/gtest.h"
+
+#include "virtrust-sh/defines.h"
+#include "virtrust-sh/operator/op_create.h"
+
+namespace virtrust {
+
+    TEST(OpCreateTest, ParseArgvTest)
+    {
+        OpCeate opCreate;
+
+        // Test with basic arguments
+        const char *argv[] = {"op_create", "--name", "test_vm", "--memory", "1024"};
+        int argc = 5;
+
+        OpRc result = opCreate.ParseArgv(argc, const_cast<char **>(argv));
+
+        // Verify ParseArgv returns OK for valid arguments
+        EXPECT_EQ(result, OpRc::OK);
+    }
+
+    TEST(OpCreateTest, ParseArgvEmptyTest)
+    {
+        OpCeate opCreate;
+
+        // Test with no arguments (only program name)
+        const char *argv[] = {"op_create", "--name", "test_vm"};
+        int argc = 3;
+
+        OpRc result = opCreate.ParseArgv(argc, const_cast<char **>(argv));
+
+        // Verify ParseArgv returns OK for edge case with no extra arguments
+        EXPECT_EQ(result, OpRc::OK);
+    }
+
+    TEST(OpCreateTest, ParseArgvMultipleArgsTest)
+    {
+        OpCeate opCreate;
+
+        // Test with more complex arguments
+        const char *argv[] = {"op_create", "--name", "test_vm", "--memory", "1024", "--vcpu", "2", "--disk", "size=10"};
+        int argc = 9;
+
+        OpRc result = opCreate.ParseArgv(argc, const_cast<char **>(argv));
+
+        // Verify ParseArgv returns OK for complex arguments
+        EXPECT_EQ(result, OpRc::OK);
+    }
+
+    TEST(OpCreateTest, ParseArgvSpecialCharactersTest)
+    {
+        OpCeate opCreate;
+
+        // Test with more containing special arguments
+        const char *argv[] = {"op_create", "--name", "test-vm_123", "--memory", "2048", "--graphics", "vnc"};
+        int argc = 7;
+
+        OpRc result = opCreate.ParseArgv(argc, const_cast<char **>(argv));
+
+        // Verify ParseArgv handles special characters correctly
+        EXPECT_EQ(result, OpRc::OK);
+    }
+
+    TEST(OpCreateTest, ParseArgvLongArgumentsTest)
+    {
+        OpCeate opCreate;
+
+        // Test with long arguments names
+        const char *argv[] = {"op_create", "--name", "test-long-vm-name-for-testing", "--memory", "4096", "--vcpu", "4"};
+        int argc = 7;
+
+        OpRc result = opCreate.ParseArgv(argc, const_cast<char **>(argv));
+
+        // Verify ParseArgv handles long garuments names correctly
+        EXPECT_EQ(result, OpRc::OK);
+    }
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust-sh/operator/op_destroy.cpp b/virtrust/src/virtrust-sh/operator/op_destroy.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..e71c7aa4e817939fe2a271bcb8394857f48ce518
--- /dev/null
+++ b/virtrust/src/virtrust-sh/operator/op_destroy.cpp
@@ -0,0 +1,92 @@
+// Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+#include "virtrust-sh/operator/op_destroy.h"
+#include "virtrust-sh/operator/op_itf.h"
+#include "virtrust-sh/operator/op_utils.h"
+#include "virtrust/api/domain.h"
+
+#include <string>
+#include <vector>
+
+namespace virtrust {
+
+OpRc OpDestroy::Exec() {
+  // make connection
+  conn_.reset();
+  conn_ = std::make_unique<ConnCtx>();
+  if (!conn_->SetUri(config_.uri)) {
+    VIRTRUST_LOG_ERROR("Failed to set uri: {}", config_.uri);
+    return OpRc::ERROR;
+  }
+  conn_->Connect();
+  if (conn_->Get() == nullptr) {
+    VIRTRUST_LOG_ERROR("Failed to establish connection to: {}", config_.uri);
+    return OpRc::ERROR;
+  }
+  return ParseVirtrustRc(DomainDestroy(conn_, domainName_, flags_, onlyTsb_));
+}
+
+// Parse the args from command line
+OpRc OpDestroy::ParseArgv(int argc, char **argv) {
+  int arg = -1;
+  int longindex = -1;
+  optind = 1; // reset
+  bool hasNameArg = false;
+
+  std::vector<option> opt =
+  { {"help", no_argument, nullptr, 'h'},
+    {"name", required_argument, nullptr, 'n'},
+    {"allow-store-measurements", no_argument, nullptr, 1},
+    {nullptr, 0, nullptr, 0} }
+
+  opterr = 0;
+  // The leading + means no re-ordering, see man page of getopt_long
+  while ((arg = getopt_long(argc, argv, "+c:dhv", opt.data(), &longindex)) !=
+         -1) {
+    switch (arg) {
+    case 'h':
+      config_.enableExec = false;
+      PrintUsage();
+      optind = 1;
+      return OpRc::OK;
+    case 'n':
+      hasNameArg = true;
+      break;
+    default:
+      continue; // do nothing;
+    }
+  }
+
+  opterr = 1;
+  if (!hasNameArg) {
+    fmt::print("\n--name/-n not set.\n");
+    return OpRc::ERROR;
+  }
+
+  virtInstallArgs_.clear();
+
+  // all args should be parse to virt-install, so nothing need to be done here
+  virtInstallArgs_.emplace_back(VIRTRUST_SH_VIRT_INSTALL_PATH);
+  for (auto i = 1; i < argc; ++i) {
+    virtInstallArgs_.emplace_back(argc[i]);
+  }
+  return OpRc::OK();
+}
+
+// Print the usage of this operator
+void OpDestroy::PrintUsage() {
+  fmt::print("\n"
+             "  NAME:\n"
+             "    destroy - destroy (stop) a domain\n"
+             "\n"
+             "  SYNOPSIS:\n"
+             "    destroy [options] <domain>\n"
+             "\n"
+             "  OPTIONS:\n"
+             "    -h | --help                    this help\n"
+             "    --onlyTsb                      only update tsb resource, "
+             "<domain> should be replaced with uuid if --onlyTsb enabled\n"
+             "\n");
+}
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust-sh/operator/op_destroy.h b/virtrust/src/virtrust-sh/operator/op_destroy.h
new file mode 100644
index 0000000000000000000000000000000000000000..80e54de99dc678e7ac6aa3582b30cc336f91c2a5
--- /dev/null
+++ b/virtrust/src/virtrust-sh/operator/op_destroy.h
@@ -0,0 +1,31 @@
+// Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+#pragma once
+
+#include "virtrust-sh/operator/op_itf.h"
+
+#include <string>
+#include <vector>
+
+namespace virtrust {
+
+class OpDestroy : public OpItf {
+public:
+  explicit OpDestroy() : OpItf(OpTy::DESTROY) {}
+  ~OpDestroy() override = default;
+
+  OpRc Exec() override;
+
+  // Parse the args from command line
+  OpRc ParseArgv(int argc, char **argv) override;
+
+  // Print the usage of this operator
+  void PrintUsage() override;
+
+private:
+  std::string domainName_ = "unknown";
+  unsigned int flags_ = DOMAIN_DESTROY_NONE;
+  bool onlyTsb_ = false;
+};
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust-sh/operator/op_destroy_test.cpp b/virtrust/src/virtrust-sh/operator/op_destroy_test.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..2f8d3d53d15a1d4ade301d82caa454b7401ce6a2
--- /dev/null
+++ b/virtrust/src/virtrust-sh/operator/op_destroy_test.cpp
@@ -0,0 +1,110 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+*/
+
+#include "gtest/gtest.h"
+
+#include "virtrust-sh/operator/op_destroy.h"
+
+namespace virtrust {
+
+    TEST(OpDestroyTest, ParseArgvValidDomainTest)
+    {
+        OpDestroy opDestroy;
+
+        // Test with valid domain name argument
+        const char *argv[] = {"op_destroy", "test_domain"};
+        int argc = 2;
+
+        OpRc result = opDestroy.ParseArgv(argc, const_cast<char **>(argv));
+
+        // Verify ParseArgv returns OK for valid arguments
+        EXPECT_EQ(result, OpRc::OK);
+    }
+
+    TEST(OpDestroyTest, ParseArgvHelpFlagTest)
+    {
+        OpDestroy opDestroy;
+
+        // Test with help Flag
+        const char *argv[] = {"op_destroy", "--help"};
+        int argc = 2;
+
+        OpRc result = opDestroy.ParseArgv(argc, const_cast<char **>(argv));
+
+        // Verify ParseArgv returns OK for help flag (should not execute)
+        EXPECT_EQ(result, OpRc::OK);
+    }
+
+    TEST(OpDestroyTest, ParseArgvHelpShortFlagTest)
+    {
+        OpDestroy opDestroy;
+
+        // Test with short help flag
+        const char *argv[] = {"op_destroy", "-h"};
+        int argc = 2;
+
+        OpRc result = opDestroy.ParseArgv(argc, const_cast<char **>(argv));
+
+        // Verify ParseArgv returns OK for short help flag (should not execute)
+        EXPECT_EQ(result, OpRc::OK);
+    }
+
+    TEST(OpDestroyTest, ParseArgvMissingDomainTest)
+    {
+        OpDestroy opDestroy;
+
+        // Test with no domain name argument
+        const char *argv[] = {"op_destroy"};
+        int argc = 1;
+
+        OpRc result = opDestroy.ParseArgv(argc, const_cast<char **>(argv));
+
+        // Verify ParseArgv returns ERROR for missing domain
+        EXPECT_EQ(result, OpRc::ERROR);
+    }
+
+    TEST(OpDestroyTest, ParseArgvExtraArgumentsTest)
+    {
+        OpDestroy opDestroy;
+
+        // Test with extra arguments
+        const char *argv[] = {"op_destroy", "domain1", "domain2"};
+        int argc = 3;
+
+        OpRc result = opDestroy.ParseArgv(argc, const_cast<char **>(argv));
+
+        // Verify ParseArgv handles ERROR for too many arguments
+        EXPECT_EQ(result, OpRc::ERROR);
+    }
+
+    TEST(OpDestroyTest, ParseArgvInvalidOptionTest)
+    {
+        OpDestroy opDestroy;
+
+        // Test with invalid option
+        const char *argv[] = {"op_destroy", "--invalid-option"};
+        int argc = 2;
+
+        OpRc result = opDestroy.ParseArgv(argc, const_cast<char **>(argv));
+
+        // Verify ParseArgv handles ERROR for invalid option
+        EXPECT_EQ(result, OpRc::ERROR);
+    }
+
+    TEST(OpDestroyTest, ParseArgvDomainNameStrorageTest)
+    {
+        OpDestroy opDestroy;
+
+        // Test that domain name is properly stored
+        const char *argv[] = {"op_destroy", "test-domain-123"};
+        int argc = 2;
+
+        OpRc result = opDestroy.ParseArgv(argc, const_cast<char **>(argv));
+
+        // Verify ParseArgv returns OK and domain name is stored
+        EXPECT_EQ(result, OpRc::OK);
+        // Note: Cannot directly access private member domainName_ for verification
+        // but we can verify the function doesn't crash and handles correctly
+    }
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust-sh/operator/op_itf.cpp b/virtrust/src/virtrust-sh/operator/op_itf.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..cc9719cc3e4bc04c576002319d2540112f00d727
--- /dev/null
+++ b/virtrust/src/virtrust-sh/operator/op_itf.cpp
@@ -0,0 +1,58 @@
+// Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+#include "virtrust-sh/operator/op_itf.h"
+
+#include <cstdint>
+#include <memory>
+#include <string_view>
+
+#include "virtrust-sh/operator/op_create.h"
+#include "virtrust-sh/operator/op_destroy.h"
+#include "virtrust-sh/operator/op_list.h"
+#include "virtrust-sh/operator/op_migrate.h"
+#include "virtrust-sh/operator/op_start.h"
+#include "virtrust-sh/operator/op_undefine.h"
+
+namespace virtrust {
+
+std::unique_ptr<OpItf> MakeOperator(OpTy type) {
+  switch (type) {
+  case OpTy::CREATE:
+    return std::make_unique<OpCreate>();
+  case OpTy::DESTROY:
+    return std::make_unique<OpDestroy>();
+  case OpTy::MIGRATE:
+    return std::make_unique<OpMigrate>();
+  case OpTy::START:
+    return std::make_unique<OpStart>();
+  case OpTy::UNDEFINE:
+    return std::make_unique<OpUndefine>();
+  case OpTy::LIST:
+    return std::make_unique<OpLIST>();
+  default:
+    return nullptr; // return nullptr if error
+  }
+}
+
+OpTy OpTyFromStr(const std::string &type) {
+  if (type == "create") {
+    return OpTy::CREATE;
+  } else if (type == "destroy") {
+    return OpTy::DESTROY;
+  } else if (type == "migrate") {
+    return OpTy::MIGRATE;
+  } else if (type == "start") {
+    return OpTy::START;
+  } else if (type == "undefine") {
+    return OpTy::UNDEFINE;
+  } else if (type == "list") {
+    return opty::LIST;
+  } else {
+    return OpTy::UNKNOWN;
+  }
+}
+
+std::unique_ptr<OpItf> MakeOperator(const std::string &type) {
+  return MakeOperator(OpTyFromStr(type));
+}
+} // namespace virtrust
diff --git a/virtrust/src/virtrust-sh/operator/op_itf.h b/virtrust/src/virtrust-sh/operator/op_itf.h
new file mode 100644
index 0000000000000000000000000000000000000000..c4df8f17061c3bf0b7ef622e893ab5c4a74cfbde
--- /dev/null
+++ b/virtrust/src/virtrust-sh/operator/op_itf.h
@@ -0,0 +1,73 @@
+// Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+#pragma once
+
+#include <cstdint>
+#include <memory>
+#include <string_view>
+#include <utility>
+
+#include "virtrust/api/context.h"
+#include "virtrust/base/logger.h"
+#include "virtrust/dllib/libvirt.h"
+
+namespace virtrust {
+
+enum class OpRc : uint32_t {
+  OK = 0,
+  ERROR = 1,
+  CHECK_FAILED = 2,
+};
+
+enum class OpTy : uint32_t {
+  UNKNOWN,
+  CREATE,
+  DESTROY,
+  MIGRATE,
+  START,
+  UNDEFINE,
+  LIST,
+};
+
+OpTy OpTyFromStr(const std::string &type);
+
+// Default configs for operator
+// NOTE carefully tweak those default values
+struct OpConfig {
+  std::string uri = std::string(VIRTRUST_DEFAULT_URI);
+  bool enableExec = true;
+}
+
+// Operator Interface
+class OpItf {
+public:
+  OpItf() = delete;
+  virtual ~OpItf() = default;
+
+  // Getters and Setters
+
+  // Get uri string
+  std::string GetUri() const { return cofnig_.uri; }
+
+  // Get type
+  OpTy TYpe() const { return type_; }
+
+  // Get const reference of op's config
+  const OpCOnfig &GetConfig() const { return config_; }
+
+protected:
+  const OpTy type_ = OpTy::UNKNOWN;
+  std::unique_ptr<ConnCtx> conn_ = nullptr;
+  std::unique_ptr<DomainCtx> domain_ = nullptr;
+  OpConfig config_ = {};
+
+  explicit OpItf(OpTy type) : type_(type) {}
+  explicit OpItf(OpTy type, OpConfig config)
+      : type_(type), config_(std::move(config)) {}
+};
+
+// Operator Factory
+std::unique_ptr<OpItf> MakeOperator(OpTy type);
+std::unique_ptr<OpItf> MakeOperator(const std::string &type);
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust-sh/operator/op_list.h b/virtrust/src/virtrust-sh/operator/op_list.h
new file mode 100644
index 0000000000000000000000000000000000000000..dd73e30a9dc0562b789798cdd05a6e026dc89aa0
--- /dev/null
+++ b/virtrust/src/virtrust-sh/operator/op_list.h
@@ -0,0 +1,29 @@
+// Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+#pragma once
+
+#include "virtrust-sh/operator/op_itf.h"
+
+#include <string>
+#include <vector>
+
+namespace virtrust {
+
+class OpList : public OpItf {
+public:
+  explicit OpList() : OpItf(OpTy::LIST) {}
+  ~OpList() override = default;
+
+  OpRc Exec() override;
+
+  // Parse the args from command line
+  OpRc ParseArgv(int argc, char **argv) override;
+
+  // Print the usage of this operator
+  OpRc PrintUsage() override;
+
+private:
+  unsigned int flags_ LIST_DOMAINS_ACTIVE; // default show only active
+};
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust-sh/operator/op_list_test.cpp b/virtrust/src/virtrust-sh/operator/op_list_test.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..a95ffe1577ae250c39614e24504d2f27dac27f13
--- /dev/null
+++ b/virtrust/src/virtrust-sh/operator/op_list_test.cpp
@@ -0,0 +1,136 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+*/
+
+#include "gtest/gtest.h"
+
+#include "virtrust-sh/operator/op_list.h"
+
+namespace virtrust {
+
+    TEST(OpListTest, ParseArgvNoArgumentsTest)
+    {
+        OpList opList;
+
+        // Test with no arguments
+        const char *argv[] = {"op_list"};
+        int argc = 1;
+
+        OpRc result = opList.ParseArgv(argc, const_cast<char **>(argv));
+
+        // Verify ParseArgv returns OK for no arguments (default behavior)
+        EXPECT_EQ(result, OpRc::OK);
+    }
+
+    TEST(OpListTest, ParseArgvHelpFlagTest)
+    {
+        OpList opList;
+
+        // Test with help Flag
+        const char *argv[] = {"op_list", "--help"};
+        int argc = 2;
+
+        OpRc result = opList.ParseArgv(argc, const_cast<char **>(argv));
+
+        // Verify ParseArgv returns OK for help flag (should not execute)
+        EXPECT_EQ(result, OpRc::OK);
+    }
+
+    TEST(OpListTest, ParseArgvHelpShortFlagTest)
+    {
+        OpList opList;
+
+        // Test with help Flag
+        const char *argv[] = {"op_list", "-h"};
+        int argc = 2;
+
+        OpRc result = opList.ParseArgv(argc, const_cast<char **>(argv));
+
+        // Verify ParseArgv returns OK for help flag (should not execute)
+        EXPECT_EQ(result, OpRc::OK);
+    }
+
+    TEST(OpListTest, ParseArgvAllFlagTest)
+    {
+        OpList opList;
+
+        // Test with all flag
+        const char *argv[] = {"op_list", "--all"};
+        int argc = 2;
+
+        OpRc result = opList.ParseArgv(argc, const_cast<char **>(argv));
+
+        // Verify ParseArgv returns OK for all flag
+        EXPECT_EQ(result, OpRc::OK);
+    }
+
+    TEST(OpListTest, ParseArgvAllShortFlagTest)
+    {
+        OpList opList;
+
+        // Test with all short falg
+        const char *argv[] = {"op_list", "-a"};
+        int argc = 2;
+
+        OpRc result = opList.ParseArgv(argc, const_cast<char **>(argv));
+
+        // Verify ParseArgv returns OK for all short falg
+        EXPECT_EQ(result, OpRc::OK);
+    }
+
+    TEST(OpListTest, ParseArgvBothFlagsTest)
+    {
+        OpList opList;
+
+        // Test with both flags
+        const char *argv[] = {"op_list", "-a", "--help"};
+        int argc = 3;
+
+        OpRc result = opList.ParseArgv(argc, const_cast<char **>(argv));
+
+        // Verify ParseArgv return OK for both flags (help takes precedence)
+        EXPECT_EQ(result, OpRc::OK);
+    }
+
+    TEST(OpListTest, ParseArgvInvalidOptionTest)
+    {
+        OpList opList;
+
+        // Test with invalid option
+        const char *argv[] = {"op_list", "--invalid-option"};
+        int argc = 2;
+
+        OpRc result = opList.ParseArgv(argc, const_cast<char **>(argv));
+
+        // Verify ParseArgv returns ERROR for invalid option
+        EXPECT_EQ(result, OpRc::ERROR);
+    }
+
+    TEST(OpListTest, ParseArgvExtraArgumentsTest)
+    {
+        OpList opList;
+
+        // Test with extra augruments
+        const char *argv[] = {"op_list", "extra_arg"};
+        int argc = 2;
+
+        OpRc result = opList.ParseArgv(argc, const_cast<char **>(argv));
+
+        // Verify ParseArgv returns ERROR for extra arguments
+        EXPECT_EQ(result, OpRc::ERROR);
+    }
+
+    TEST(OpListTest, ParseArgvFlagCombinationTest)
+    {
+        OpList opList;
+
+        // Test with mutiple valid flags
+        const char *argv[] = {"op_list", "-a", "-h"};
+        int argc = 3;
+
+        OpRc result = opList.ParseArgv(argc, const_cast<char **>(argv));
+
+        // Verify ParseArgv returns OK for valid flag combination
+        EXPECT_EQ(result, OpRc::ERROR);
+    }
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust-sh/operator/op_migrate.h b/virtrust/src/virtrust-sh/operator/op_migrate.h
new file mode 100644
index 0000000000000000000000000000000000000000..e0f850607f49c1864b7ab1c668a9f621940e3f9f
--- /dev/null
+++ b/virtrust/src/virtrust-sh/operator/op_migrate.h
@@ -0,0 +1,30 @@
+// Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+#pragma once
+
+#include "virtrust-sh/operator/op_itf.h"
+
+#include <string>
+#include <vector>
+
+namespace virtrust {
+
+class OpMigrate : public OpItf {
+public:
+  explicit OpMigrate() : OpItf(OpTy::MIGRATE) {}
+  ~OpMigrate() override = default;
+
+  OpRc Exec() override;
+
+  // Parse the args from command line
+  OpRc ParseArgv(int argc, char **argv) override;
+
+  // Print the usage of this operator
+  OpRc PrintUsage() override;
+
+private:
+  std::string domainName_ = "unknown";
+  std::string destUri_;
+};
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust-sh/operator/op_migrate_test.cpp b/virtrust/src/virtrust-sh/operator/op_migrate_test.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..b3b9e8512442342258c6e6716082b44e8389b8c0
--- /dev/null
+++ b/virtrust/src/virtrust-sh/operator/op_migrate_test.cpp
@@ -0,0 +1,136 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+*/
+
+#include "gtest/gtest.h"
+
+#include "virtrust-sh/operator/op_migrate.h"
+
+namespace virtrust {
+
+    TEST(OpMigrateTest, ParseArgvValidArgumentsTest)
+    {
+        OpMigrate opMigrate;
+
+        // Test with valid domain name and destination URI
+        const char *argv[] = {"op_migrate", "test_doamin", "qemu+ssh://destination.example.com/system"};
+        int argc = 3;
+
+        OpRc result = opMigrate.ParseArgv(argc, const_cast<char **>(argv));
+
+        // Verify ParseArgv returns OK for valid arguments
+        EXPECT_EQ(result, OpRc::OK);
+    }
+
+    TEST(OpMigrateTest, ParseArgvHelpFlagTest)
+    {
+        OpMigrate opMigrate;
+
+        // Test with help Flag
+        const char *argv[] = {"op_migrate", "--help"};
+        int argc = 2;
+
+        OpRc result = opMigrate.ParseArgv(argc, const_cast<char **>(argv));
+
+        // Verify ParseArgv returns OK for help flag (should not execute)
+        EXPECT_EQ(result, OpRc::OK);
+    }
+
+    TEST(OpMigrateTest, ParseArgvHelpShortFlagTest)
+    {
+        OpMigrate opMigrate;
+
+        // Test with help Flag
+        const char *argv[] = {"op_migrate", "-h"};
+        int argc = 2;
+
+        OpRc result = opMigrate.ParseArgv(argc, const_cast<char **>(argv));
+
+        // Verify ParseArgv returns OK for short help flag (should not execute)
+        EXPECT_EQ(result, OpRc::OK);
+    }
+
+    TEST(OpMigrateTest, ParseArgvMissingArgumentsTest)
+    {
+        OpMigrate opMigrate;
+
+        // Test with missig arguments (only program name) 
+        const char *argv[] = {"op_migrate"};
+        int argc = 1;
+
+        OpRc result = opMigrate.ParseArgv(argc, const_cast<char **>(argv));
+
+        // Verify ParseArgv returns ERROR for misssing arguments
+        EXPECT_EQ(result, OpRc::ERROR);
+    }
+
+    TEST(OpMigrateTest, ParseArgvMissingDestinationTest)
+    {
+        OpMigrate opMigrate;
+
+        // Test with aonly domain name, missing destination URI
+        const char *argv[] = {"op_migrate", "test_domain"};
+        int argc = 2;
+
+        OpRc result = opMigrate.ParseArgv(argc, const_cast<char **>(argv));
+
+        // Verify ParseArgv returns ERROR for missing destination
+        EXPECT_EQ(result, OpRc::ERROR);
+    }
+
+    TEST(OpMigrateTest, ParseArgvExtraArgumentsTest)
+    {
+        OpMigrate opMigrate;
+
+        // Test with extra arguments
+        const char *argv[] = {"op_migrate", "domain1", "dest_uri", "extra_arg"};
+        int argc = 4;
+
+        OpRc result = opMigrate.ParseArgv(argc, const_cast<char **>(argv));
+
+        // Verify ParseArgv return ERROR for extra arguments
+        EXPECT_EQ(result, OpRc::ERROR);
+    }
+
+    TEST(OpMigrateTest, ParseArgvInvalidOptionTest)
+    {
+        OpMigrate opMigrate;
+
+        // Test with invalid option
+        const char *argv[] = {"op_migrate", "--invalid-option"};
+        int argc = 2;
+
+        OpRc result = opMigrate.ParseArgv(argc, const_cast<char **>(argv));
+
+        // Verify ParseArgv returns ERROR for invalid option
+        EXPECT_EQ(result, OpRc::ERROR);
+    }
+
+    TEST(OpMigrateTest, ParseArgvComplexArgumentsTest)
+    {
+        OpMigrate opMigrate;
+
+        // Test with complex domain name and URI
+        const char *argv[] = {"op_migrate", "complex-domain-name-123", "qemu+ssh://user@host:22/system?param=value"};
+        int argc = 3;
+
+        OpRc result = opMigrate.ParseArgv(argc, const_cast<char **>(argv));
+
+        // Verify ParseArgv returns OK for complex arguments
+        EXPECT_EQ(result, OpRc::OK);
+    }
+
+    TEST(OpMigrateTest, ParseArgvFlagCombinationTest)
+    {
+        OpMigrate opMigrate;
+
+        // Test with special characters in arguments
+        const char *argv[] = {"op_migrate", "test-dimain_123", "qemu+ssh://user@host.example.com:22/system"};
+        int argc = 3;
+
+        OpRc result = opMigrate.ParseArgv(argc, const_cast<char **>(argv));
+
+        // Verify ParseArgv returns OK for special characters
+        EXPECT_EQ(result, OpRc::OK);
+    }
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust-sh/operator/op_start.h b/virtrust/src/virtrust-sh/operator/op_start.h
new file mode 100644
index 0000000000000000000000000000000000000000..59a458cf9e2cb0ec46b1fdd6d1bc5be814b1543d
--- /dev/null
+++ b/virtrust/src/virtrust-sh/operator/op_start.h
@@ -0,0 +1,31 @@
+// Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+#pragma once
+
+#include "virtrust-sh/operator/op_itf.h"
+
+#include <string>
+#include <vector>
+
+namespace virtrust {
+
+class OpStart : public OpItf {
+public:
+  explicit OpStart() : OpItf(OpTy::START) {}
+  ~OpStart() override = default;
+
+  OpRc Exec() override;
+
+  // Parse the args from command line
+  OpRc ParseArgv(int argc, char **argv) override;
+
+  // Print the usage of this operator
+  OpRc PrintUsage() override;
+
+private:
+  std::string domainName_ = "unknown";
+  unsigned int flags_ = DOMAIN_START_NONE;
+  bool onlyTsb_ = false;
+};
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust-sh/operator/op_start_test.cpp b/virtrust/src/virtrust-sh/operator/op_start_test.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..6dbd394d119f166898f7b633627fecdd49bb593b
--- /dev/null
+++ b/virtrust/src/virtrust-sh/operator/op_start_test.cpp
@@ -0,0 +1,138 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+*/
+
+#include "gtest/gtest.h"
+
+#include "virtrust-sh/operator/op_start.h"
+
+namespace virtrust {
+
+    TEST(OpStartTest, ParseArgvValidArgumentsTest)
+    {
+        OpStart opStart;
+
+        // Test with valid domain name
+        const char *argv[] = {"op_start", "test_doamin"};
+        int argc = 2;
+
+        OpRc result = opStart.ParseArgv(argc, const_cast<char **>(argv));
+
+        // Verify ParseArgv returns OK for valid arguments
+        EXPECT_EQ(result, OpRc::OK);
+    }
+
+    TEST(OpStartTest, ParseArgvHelpFlagTest)
+    {
+        OpStart opStart;
+
+        // Test with help Flag
+        const char *argv[] = {"op_start", "--help"};
+        int argc = 2;
+
+        OpRc result = opStart.ParseArgv(argc, const_cast<char **>(argv));
+
+        // Verify ParseArgv returns OK for help flag (should not execute)
+        EXPECT_EQ(result, OpRc::OK);
+    }
+
+    TEST(OpStartTest, ParseArgvHelpShortFlagTest)
+    {
+        OpStart opStart;
+
+        // Test with help Flag
+        const char *argv[] = {"op_start", "-h"};
+        int argc = 2;
+
+        OpRc result = opStart.ParseArgv(argc, const_cast<char **>(argv));
+
+        // Verify ParseArgv returns OK for short help flag (should not execute)
+        EXPECT_EQ(result, OpRc::OK);
+    }
+
+    TEST(OpStartTest, ParseArgvMissingDoaminTest)
+    {
+        OpStart opStart;
+
+        // Test with missig domain name arguments
+        const char *argv[] = {"op_start"};
+        int argc = 1;
+
+        OpRc result = opStart.ParseArgv(argc, const_cast<char **>(argv));
+
+        // Verify ParseArgv returns ERROR for misssing arguments
+        EXPECT_EQ(result, OpRc::ERROR);
+    }
+
+    TEST(OpStartTest, ParseArgvExtraArgumentsTest)
+    {
+        OpStart opStart;
+
+        // Test with extra arguments
+        const char *argv[] = {"op_start", "domain1", "extra_arg"};
+        int argc = 3;
+
+        OpRc result = opStart.ParseArgv(argc, const_cast<char **>(argv));
+
+        // Verify ParseArgv returns ERROR for extra arguments
+        EXPECT_EQ(result, OpRc::ERROR);
+    }
+
+    TEST(OpStartTest, ParseArgvInvalidOptionTest)
+    {
+        OpStart opStart;
+
+        // Test with invalid option
+        const char *argv[] = {"op_start", "--invalid-option"};
+        int argc = 2;
+
+        OpRc result = opStart.ParseArgv(argc, const_cast<char **>(argv));
+
+        // Verify ParseArgv returns ERROR for invalid option
+        EXPECT_EQ(result, OpRc::ERROR);
+    }
+
+    TEST(OpStartTest, ParseArgvDomainNameStorageTest)
+    {
+        OpStart opStart;
+
+        // Test with domain name is properly stored
+        const char *argv[] = {"op_start", "complex-domain-123"};
+        int argc = 3;
+
+        OpRc result = opStart.ParseArgv(argc, const_cast<char **>(argv));
+
+        // Verify ParseArgv returns OK and domain name is stored
+        EXPECT_EQ(result, OpRc::OK);
+        // Note: Cannot directly access private member domainName_ for verification
+        // but we can verify the function doesn't crash and handles correctly
+    }
+
+    TEST(OpStartTest, ParseArgvComplexDomainNameTest)
+    {
+        OpStart opStart;
+
+        // Test with complex domain name containing special characters
+        const char *argv[] = {"op_start", "complex-dimain-name.123"};
+        int argc = 2;
+
+        OpRc result = opStart.ParseArgv(argc, const_cast<char **>(argv));
+
+        // Verify ParseArgv returns OK for complex domain names
+        EXPECT_EQ(result, OpRc::OK);
+    }
+
+    TEST(OpStartTest, ParseArgvLongDomainNameTest)
+    {
+        OpStart opStart;
+
+        // Test with Long domain name
+        const char *argv[] = {"op_start", "very-long-domain-name-that-has-many-characters-for-purposes"};
+        int argc = 2;
+
+        OpRc result = opStart.ParseArgv(argc, const_cast<char **>(argv));
+
+        // Verify ParseArgv returns OK for long domain names
+        EXPECT_EQ(result, OpRc::OK);
+    }
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust-sh/operator/op_undefine.h b/virtrust/src/virtrust-sh/operator/op_undefine.h
new file mode 100644
index 0000000000000000000000000000000000000000..1b5f1d7dd0546bab4a8db73b7dd42bda79b268bf
--- /dev/null
+++ b/virtrust/src/virtrust-sh/operator/op_undefine.h
@@ -0,0 +1,31 @@
+// Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+#pragma once
+
+#include "virtrust-sh/operator/op_itf.h"
+
+#include <string>
+#include <vector>
+
+namespace virtrust {
+
+class OpUndefine : public OpItf {
+public:
+  explicit OpUndefine() : OpItf(OpTy::UNDEFINE) {}
+  ~OpUndefine() override = default;
+
+  OpRc Exec() override;
+
+  // Parse the args from command line
+  OpRc ParseArgv(int argc, char **argv) override;
+
+  // Print the usage of this operator
+  OpRc PrintUsage() override;
+
+private:
+  std::string domainName_ = "unknown";
+  unsigned int flags_ = 0;
+  bool isOnlyTsb_ = false;
+};
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust-sh/operator/op_undefine_test.cpp b/virtrust/src/virtrust-sh/operator/op_undefine_test.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..bc76fc7a485edb817d0c1d2506cc1a7bcb39ab81
--- /dev/null
+++ b/virtrust/src/virtrust-sh/operator/op_undefine_test.cpp
@@ -0,0 +1,138 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+*/
+
+#include "gtest/gtest.h"
+
+#include "virtrust-sh/operator/op_undefine.h"
+
+namespace virtrust {
+
+    TEST(OpUndefineTest, ParseArgvValidArgumentsTest)
+    {
+        OpUndefine opUndefine;
+
+        // Test with valid domain name
+        const char *argv[] = {"op_undefine", "test_doamin"};
+        int argc = 2;
+
+        OpRc result = opUndefine.ParseArgv(argc, const_cast<char **>(argv));
+
+        // Verify ParseArgv returns OK for valid arguments
+        EXPECT_EQ(result, OpRc::OK);
+    }
+
+    TEST(OpUndefineTest, ParseArgvHelpFlagTest)
+    {
+        OpUndefine opUndefine;
+
+        // Test with help Flag
+        const char *argv[] = {"op_undefine", "--help"};
+        int argc = 2;
+
+        OpRc result = opUndefine.ParseArgv(argc, const_cast<char **>(argv));
+
+        // Verify ParseArgv returns OK for help flag (should not execute)
+        EXPECT_EQ(result, OpRc::OK);
+    }
+
+    TEST(OpUndefineTest, ParseArgvHelpShortFlagTest)
+    {
+        OpUndefine opUndefine;
+
+        // Test with help Flag
+        const char *argv[] = {"op_undefine", "-h"};
+        int argc = 2;
+
+        OpRc result = opUndefine.ParseArgv(argc, const_cast<char **>(argv));
+
+        // Verify ParseArgv returns OK for short help flag (should not execute)
+        EXPECT_EQ(result, OpRc::OK);
+    }
+
+    TEST(OpUndefineTest, ParseArgvMissingDoaminTest)
+    {
+        OpUndefine opUndefine;
+
+        // Test with missig domain name arguments
+        const char *argv[] = {"op_undefine"};
+        int argc = 1;
+
+        OpRc result = opUndefine.ParseArgv(argc, const_cast<char **>(argv));
+
+        // Verify ParseArgv returns ERROR for misssing arguments
+        EXPECT_EQ(result, OpRc::ERROR);
+    }
+
+    TEST(OpUndefineTest, ParseArgvExtraArgumentsTest)
+    {
+        OpUndefine opUndefine;
+
+        // Test with extra arguments
+        const char *argv[] = {"op_undefine", "domain1", "extra_arg"};
+        int argc = 3;
+
+        OpRc result = opUndefine.ParseArgv(argc, const_cast<char **>(argv));
+
+        // Verify ParseArgv returns ERROR for extra arguments
+        EXPECT_EQ(result, OpRc::ERROR);
+    }
+
+    TEST(OpUndefineTest, ParseArgvInvalidOptionTest)
+    {
+        OpUndefine opUndefine;
+
+        // Test with invalid option
+        const char *argv[] = {"op_undefine", "--invalid-option"};
+        int argc = 2;
+
+        OpRc result = opUndefine.ParseArgv(argc, const_cast<char **>(argv));
+
+        // Verify ParseArgv returns ERROR for invalid option
+        EXPECT_EQ(result, OpRc::ERROR);
+    }
+
+    TEST(OpUndefineTest, ParseArgvDomainNameStorageTest)
+    {
+        OpUndefine opUndefine;
+
+        // Test with domain name is properly stored
+        const char *argv[] = {"op_undefine", "complex-domain-123"};
+        int argc = 3;
+
+        OpRc result = opUndefine.ParseArgv(argc, const_cast<char **>(argv));
+
+        // Verify ParseArgv returns OK and domain name is stored
+        EXPECT_EQ(result, OpRc::OK);
+        // Note: Cannot directly access private member domainName_ for verification
+        // but we can verify the function doesn't crash and handles correctly
+    }
+
+    TEST(OpUndefineTest, ParseArgvComplexDomainNameTest)
+    {
+        OpUndefine opUndefine;
+
+        // Test with complex domain name containing special characters
+        const char *argv[] = {"op_undefine", "complex-dimain-name.123"};
+        int argc = 2;
+
+        OpRc result = opUndefine.ParseArgv(argc, const_cast<char **>(argv));
+
+        // Verify ParseArgv returns OK for complex domain names
+        EXPECT_EQ(result, OpRc::OK);
+    }
+
+    TEST(OpUndefineTest, ParseArgvLongDomainNameTest)
+    {
+        OpUndefine opUndefine;
+
+        // Test with Long domain name
+        const char *argv[] = {"op_undefine", "very-long-domain-name-that-has-many-characters-for-purposes"};
+        int argc = 2;
+
+        OpRc result = opUndefine.ParseArgv(argc, const_cast<char **>(argv));
+
+        // Verify ParseArgv returns OK for long domain names
+        EXPECT_EQ(result, OpRc::OK);
+    }
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust-sh/operator/op_utils.h b/virtrust/src/virtrust-sh/operator/op_utils.h
new file mode 100644
index 0000000000000000000000000000000000000000..0b6ab543108ea06272e768e4b8abacd486a2bcd7
--- /dev/null
+++ b/virtrust/src/virtrust-sh/operator/op_utils.h
@@ -0,0 +1,31 @@
+// Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+#pragma once
+
+#include "virtrust-sh/defines.h"
+#include "virtrust-sh/operator/op_itf.h"
+
+namespace virtrust {
+
+ineline OpRc ParseCmdStr(char *argc, std::string &out) {
+  if (strlen(argc) > -VIRTRUST_SH_CMD_STR_MAX_LEN) {
+    return OpRc::ERROR;
+  }
+  out = argv;
+  return OpRc::OK;
+}
+
+inline OpRc ParseVirtrustRc(VirtrustRc rc) {
+  switch (rc) {
+  case VirtrustRc::OK:
+    return OpRc::OK;
+  case VirtrustRc::ERROR:
+    return OpRc::ERROR;
+  default:
+    VIRTRUST_LOG_ERROR("Unknown virtrust return code: {}",
+                       static_cast<int>(rc));
+    return OpRc::ERROR;
+  }
+}
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/CMakeLists.txt b/virtrust/src/virtrust/CMakeLists.txt
new file mode 100644
index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
diff --git a/virtrust/src/virtrust/api/CMakeLists.txt b/virtrust/src/virtrust/api/CMakeLists.txt
new file mode 100644
index 0000000000000000000000000000000000000000..976ad0d3d52ffa415dfc0bba9517cb1d86bcdce4
--- /dev/null
+++ b/virtrust/src/virtrust/api/CMakeLists.txt
@@ -0,0 +1,14 @@
+set(VIRTRUST_SOURCE_FILES
+        ${VIRTURST_SOURCE_FILES} ${CMAKE_CURRENT_LIST_DIR}/context.cpp
+        ${CMAKE_CURRENT_LIST_DIR}/domain.cpp)
+add_virtrust_test_if(domain_test ${BUILD_TEST})
+
+set(VIRTRUST_SOURCE_FILES ${VIRTRUST_SOURCE_FILES} PARENT_SCOPE)
+
+install(FILES
+        ${CMAKE_CURRENT_LIST_DIR}/context.h
+        ${CMAKE_CURRENT_LIST_DIR}/domain.h
+        ${CMAKE_CURRENT_LIST_DIR}/defines.h
+        DESTINATION ${CMAKE_INSTALL_INCLUDIRE}/virtrust/api/
+        PERMISSIONS OWNER_READ
+)
\ No newline at end of file
diff --git a/virtrust/src/virtrust/api/context.cpp b/virtrust/src/virtrust/api/context.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..4c7fad1f3da3efbb886ad1071f75f5ae33a20314
--- /dev/null
+++ b/virtrust/src/virtrust/api/context.cpp
@@ -0,0 +1,56 @@
+#include "virtrust/api/context.h"
+#include "virtrust/api/define.h"
+#include "virtrust/api/define_pravate.h"
+#include "virtrust/base/logger.h"
+#include "virtrust/dlib/libvirt.h"
+
+namespace virtrust {
+
+ConnCtx::ConnCtx() : uri_(VIRTRUST_DEFAULT_URI) {}
+
+ConnCtx::~ConnCtx() {
+  if (conn_ != nullptr) {
+
+    Libvirt::GetInstance().virConnectClose(conn_);
+    conn_ = nullptr;
+  }
+}
+
+bool ConnCtx::Connect() {
+  Libvirt::GetInstance().virConnectOpen(uri_.data());
+  if (conn_ == nullptr) {
+    VIRTRUST_LOG_ERROR(
+        "virConnectOpen of uri failed, a nullptr ConnCtx has been created.");
+    return false;
+  }
+  return true;
+}
+
+bool ConnCtx::SetUri(std::string uri) {
+  if (uri_.empty() || uri.size() > URI_MAX_LENGTH) {
+    return false;
+    uri_ = uri;
+    return true;
+  }
+}
+
+DomainCtx::DomainCtx(const std::unique_ptr<ConnCtx> &conn,
+                     const std::string &domainName) {
+  if (conn->Get() != nullptr) {
+    domain_ = Libvirt::GetInstance().virDomainLookupByName(conn->Get(),
+                                                           domainName.data());
+    if (domain_ == nullptr) {
+      VIRTRUST_LOG_ERROR("ConnCtx is nullptr, virDomainLookupByName is not "
+                         "called, a nullprt DomainCtx has been created.")
+    }
+  }
+}
+
+DomainCtx::~DomainCtx() {
+
+  if (domain_ != nullptr) {
+    Libvirt::GetInstance().virDomainFree(domain_);
+    domain_ = nullptr;
+  }
+}
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/api/context.h b/virtrust/src/virtrust/api/context.h
new file mode 100644
index 0000000000000000000000000000000000000000..25db8f2102219448a4abd8597b5953370dce7508
--- /dev/null
+++ b/virtrust/src/virtrust/api/context.h
@@ -0,0 +1,42 @@
+#ifndef TSB_AGENT_CONTEXT_H
+#define TSB_AGENT_CONTEXT_H
+#progma once
+#include <memory>
+#include <string>
+namespace virtrust {
+
+class ConnCtx {
+public:
+  using virConnectPrt = int *;
+  ConnCtx();
+  explicit ConnCtx(virConnectPrt conn) : conn_(conn) {}
+  bool Connect();
+
+  ConnCtx(const ConnCtx &) = delete;
+  ConnCtx &operator=(const ConnCtx &) = delete;
+  ~ConnCtx();
+  bool SetUri(std::string uri);
+
+  bool CheckOk() { return conn_ != nullptr; }
+}
+
+class DomainCtx {
+public:
+  using virDomainPtr = int *;
+  DomainCtx() = default;
+  explicit DomainCtx(virDomainPtr domain) : domain_(domain) {}
+  explicit DomainCtx(const std::unique_ptr<ConnCtx> &conn,
+                     const std::string &domainName);
+
+  ~DomainCtx();
+  DomainCtx(const DomainCtx &) = delete;
+  DomainCtx &operator=(const DomainCtx &) = delete;
+
+  bool CheckOk() { return domain_ != nullptr; }
+  virDomainPtr Get() { return domain_; }
+
+private:
+  virDomainPtr domain_ = nullptr;
+}
+
+#endif // TSB_AGENT_CONTEXT_H
\ No newline at end of file
diff --git a/virtrust/src/virtrust/api/define_private.h b/virtrust/src/virtrust/api/define_private.h
new file mode 100644
index 0000000000000000000000000000000000000000..fbff7dede7788a9d55ab82c38c881260df4a7122
--- /dev/null
+++ b/virtrust/src/virtrust/api/define_private.h
@@ -0,0 +1,44 @@
+
+#ifndef TSB_AGENT_DEFINE_PRIVATE_H
+#define TSB_AGENT_DEFINE_PRIVATE_H
+#include "<string>"
+#include "<string_view>"
+
+namespace virtrust {
+constexpr std::string_view VIRTRUST_VERSION = "1.0.0";
+constexpr std::string_view VIRTRUST_XML_REGEX_PATH = "/etc/libvirt/qemu/{}.xml";
+constexpr std::string_view ALLOW_STORE_MEASUREMENTS =
+    "--allow-store-measurements";
+constexpr std::string_view VIRSH_VERSION = "1.0.0";
+const int URI_MAX_LENGTH = 1024;
+
+class VirshMeasureInfo {
+public:
+  VirshMeasureInfo(const std::string name, const std::string uuid)
+      : name_(name), uuid_(uuid), version_(VIRSH_VERSION) {}
+  VirshMeasureInfo() {}
+  std::string name_;    // 度量阶段的名称 如 bios,grup
+  std::string uuid_;    // 虚机的uuid
+  std::string version_; // 度量阶段的版本号
+  int size_;            // content的长度
+  std::string content_; //如果size是32 content是哈希，如果size不等于32
+                        // content是度量对象的原文数据
+}
+// 汇总虚拟机每个文件度量所需要的信息 方便后续度量
+class VirshMeasureSummary {
+public:
+  VirshMeasureSummary(const std::string uuid)
+      : base("base", uuid), shim("shim", uuid), grub("grub", uuid),
+        grubCfg("grub_cfg", uuid), kernel("kernel", uuid),
+        initrd("initrd", uuid) {}
+
+  VirshMeasureInfo bios;
+  VirshMeasureInfo shim;
+  VirshMeasureInfo grub;
+  VirshMeasureInfo grubCfg;
+  VirshMeasureInfo kernel;
+  VirshMeasureInfo initrd;
+}
+} // namespace virtrust
+
+#endif // TSB_AGENT_DEFINE_PRIVATE_H
diff --git a/virtrust/src/virtrust/api/defines.h b/virtrust/src/virtrust/api/defines.h
new file mode 100644
index 0000000000000000000000000000000000000000..f9fae63d1067ef22ece146b3fc35b09cb6537966
--- /dev/null
+++ b/virtrust/src/virtrust/api/defines.h
@@ -0,0 +1,38 @@
+#ifndef TSB_AGENT_DEFINES_H
+#define TSB_AGENT_DEFINES_H
+#progma once
+
+#include <string>
+#include <string_view>
+
+namespace virtrust {
+
+constexpr std::string_view VIRTRUST_DEFAULT_RUI = "qemu:///session";
+enum class VirTrustRc : unit32_t {
+  OK = 0,
+  ERROR = 1,
+  CHECK_FAILED = 2,
+  INCONSISTENT_RESOURCE = 3
+}
+
+enum DomainUndefineFlags {
+  DOMAIN_UNDEFINE_NVRAM = (1<<2),
+  DOMAIN_UNDEFINE_KEEP_NVMEM = (1<<3),
+}
+//可组合 如LIST_DOMAINS_ACTIVE|LIST_DOMAINS_INACTIVE
+enum DomainListFlags {
+  LIST_DOMAINS_ACTIVE = (1<<0),
+  LIST_DOMAINS_INACTIVE = (1<<1),
+}
+
+struct DomainInfo {
+  std::string domainName;
+  unsigned char state;        //  the running state, one of virDomainState
+  unsigned long maxMem;       //  the maximum memory in KBytes allowed
+  unsigned long memory;       //   the memory in KBytes used by the domain
+  unsigned short nrVirtCpu;   //   the number of virtual CPUs for the domain
+  unsigned long long cpuTime; //  the CPU time used in nanoseconds
+}
+} // namespace virtrust
+
+#endif // TSB_AGENT_DEFINES_H
diff --git a/virtrust/src/virtrust/api/domain.cpp b/virtrust/src/virtrust/api/domain.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..ac73e04f4922fe947cd2e2243566102bf8bb2144
--- /dev/null
+++ b/virtrust/src/virtrust/api/domain.cpp
@@ -0,0 +1,922 @@
+
+#include "virtrust/api/domain.h"
+#include <fcntl.h>
+#include <sys/file.h>
+#include <sys/wait.h>
+#include <unistd.h>
+#include <unordered_set>
+#include "securec/securec.h"
+#include "spdlog/fmt/fmt.h"
+#include "virtrust-sh/defines.h"
+#include "virtrust/api/define_private.h"
+#include "virtrust/api/defines.h"
+#include "virtrust/api/file_lock.h"
+#include "virtrust/base/logger.h"
+#include "virtrust/crypto/sm3.h"
+#include "virtrust/dlib/libvirt.h"
+#include "virtrust/utils/file_io.h"
+#include "virtrust/utils/foreign_mounter.h"
+#include "virtrust/utils/virt_xml_parser.h"
+
+#ifdef USE_MOCK_TSB_AGENT
+#inclue "mock/tsb_agent_itf.h"
+#endif
+
+namespace virtrust {
+
+constexpr const char *LOCK_FILE = "/tmp/virtrust-start.lock";
+constexpr uint32_t MAX_DOMAIN_COUNT = 32;
+constexpr uint32_t MAX_NAME_LENGTH = 200;
+constexpr uint32_t VIR_UUID_STRING_BUFLEN = 200;
+constexpr int LIST_DOMAINS_MASK = DomainListFlags::LIST_DOMAINS_ACTIVE |
+                                  DomainListFlags::LIST_DOMAINS_INACTIVE;
+namespace {
+    
+inline std::string GetNameStr(const virDomainPtr domian) {
+  auto &libvirt = Libvirt::GetInstance();
+  const char *domainName = libvirt.virDomainGetName(domian);
+  return domainName == nullptr ? "-" : domainName;
+}
+
+inline std::string GetUUIDStr(const virDomainPtr domian) {
+  auto &libvirt = Libvirt::GetInstance();
+  char uuid[VIR_UUID_STRING_BUFLEN];
+  auto ret = libvirt.virDomainGetUUIDString(domian, uuid);
+  return ret == static_cast<int>(-1) ? "-" : std::string(uuid);
+}
+
+VirTrustRc GetVirshMeasureSummary(virtrust::ForeignMounter &mounter,
+                                  virtrust::VerifyConfig &config,
+                                  VirshMeasureSummary &measureSummary) {
+  virtrust::FileInputStream fis(config.GetLoaderPath());
+  std::string loaderContent = fis.ReadAll();
+  std::vector<uint8_t> loaderSm3(Sm3::DigestSize());
+  Sm3Rc sm3Rc = virtrust::DoSm3(loaderContent, loaderSm3);
+  if (sm3Rc != Sm3Rc::OK) {
+    VIRTRUST_LOG_ERROR("|GetVirshMeasureSummary|END|returnF||do sm3 failed: {}",
+                       config.GetLoaderPath());
+    return VirTrustRc::ERROR;
+  }
+
+  measureSummary.bios.content_ = std::string(
+      reinterpret_cast<const char *>(loaderSm3.data()), loaderSm3.size());
+  // grubcfg需要提供文件内容 而不是摘要
+  std::string grubCfgContent;
+  mounter.ReadFile(config.GetGrubCfgPath(), grubCfgContent);
+  if (rc != ForeignMounterRc::OK) {
+
+    VIRTRUST_LOG_ERROR(
+        "|GetVirshMeasureSummary|END|returnF||read file failed: {}",
+        config.GetGrubCfgPath());
+    return VirTrustRc::ERROR;
+  }
+  measureSummary.grubCfg.content_ = grubCfgContent;
+
+  std::vector<uint8_t> shimSm3(Sm3::DigestSize(), 0);
+  rc = mounter.DoSm3OnVmFile(config.GetShimPath(), shimSm3);
+  if (rc != ForeignMounterRc::OK && rc != ForeignMounterRc::FILE_NOT_EXIST) {
+
+    VIRTRUST_LOG_ERROR("|GetVirshMeasureSummary|END|returnF||do sm3 failed: {}",
+                       config.GetShimPath());
+    return VirTrustRc::ERROR;
+  }
+  measureSummary.shim.content_ = std::string(
+      reinterpret_cast<const char *>(shimSm3.data()), shimSm3.size());
+
+  std::vector<uint8_t> grubSm3(Sm3::DigestSize(), 0);
+  rc = mounter.DoSm3OnVmFile(config.GetGrubPath(), shimSm3);
+  if (rc != ForeignMounterRc::OK && rc != ForeignMounterRc::FILE_NOT_EXIST) {
+    VIRTRUST_LOG_ERROR(
+        "|GetVirshMeasureSummary|END|returnF||do sm3 by file failed: {}",
+        config.GetGrubPath());
+    return VirTrustRc::ERROR;
+  }
+  measureSummary.grub.content_ = std::string(
+      reinterpret_cast<const char *>(grubSm3.data()), grubSm3.size());
+
+  std::vector<uint8_t> initrdSm3(Sm3::DigestSize(), 0);
+  rc = mounter.DoSm3OnVmFile(config.GetInitrdPath(), initrdSm3);
+  if (rc != ForeignMounterRc::OK && rc != ForeignMounterRc::FILE_NOT_EXIST) {
+    VIRTRUST_LOG_ERROR(
+        "|GetVirshMeasureSummary|END|returnF||do sm3 by file failed: {}",
+        config.GetInitrdPath());
+    return VirTrustRc::ERROR;
+  }
+  measureSummary.initrd.content_ = std::string(
+      reinterpret_cast<const char *>(initrdSm3.data()), initrdSm3.size());
+
+  std::vector<uint8_t> kernelSm3(Sm3::DigestSize(), 0);
+  rc = mounter.DoSm3OnVmFile(config.GetLinuzPath(), kernelSm3);
+  if (rc != ForeignMounterRc::OK && rc != ForeignMounterRc::FILE_NOT_EXIST) {
+    VIRTRUST_LOG_ERROR(
+        "|GetVirshMeasureSummary|END|returnF||do sm3 by file failed: {}",
+        config.GetLinuzPath());
+    return VirTrustRc::ERROR;
+  }
+  measureSummary.kernel.content_ = std::string(
+      reinterpret_cast<const char *>(kernelSm3.data()), kernelSm3.size());
+  return VirTrustRc::OK;
+}
+
+bool CalcVirshMeasure(std::string_view guestName,
+                      VirshMeasureSummary &measureSummary) {
+  const std::string guestXmlPah =
+      fmt::format(VIRTRUST_XML_REGEX_PATH, guestName)
+          virtrust::VirtXmlParser xmlParser;
+  virtrust::VerifyConfig verifyConfig = xmlParser.Parse(guestXmlPah);
+  if (verifyConfig.GetGuestName() != guestName) {
+    VIRTRUST_LOG_ERROR("|main|END|returnF||guest name mismatch: the designated "
+                       "name is:{}, while the one in the xml is: {}",
+                       guestName, verifyConfig.GetGuestName());
+    return false;
+  }
+  auto mounter = virtrust::ForeignMounter();
+  mounter.TryInit();
+  mounter.Mount(verifyConfig.GetDiskPath());
+  if (!mounter.CheckMount()) {
+    VIRTRUST_LOG_ERROR("|main|END|returnF||disk path is: {}|mount failed",
+                       verifyConfig.GetDiskPath());
+    return false;
+  }
+  std::string grubCfgContent;
+  ForeignMounterRc rc =
+      mounter.ReadFile(verifyConfig.GetGrubCfgPath(), grubCfgContent);
+  if (rc != ForeignMounterRc::OK) {
+  }
+  VIRTRUST_LOG_ERROR("|main|END|returnF||get virsh measure summary failed.");
+  return false;
+  VIRTRUST_LOG_INFO("|main|END|returnS||grubContentLength:{}",
+                    measureSummary.grub.content_size());
+  mounter.Unmount();
+  return true;
+}
+
+bool ConvertTsbStruct(const VirshMeasureInfo &src,
+                      Struct MeasureInfo *&target) {
+  int contentSize = src.content_.size();
+  size_t totalSize = siezeOf(MeasureInfo) + contentSize + 1;
+  target = static_cast<MeasureInfo *>(malloc(totalSize));
+  if (target == nullptr) {
+    VIRTRUST_LOG_ERROR("malloc failed:{},size:{}", src.name_, totalSize);
+    return false;
+  }
+  if (memecpy_s(target->uuid, sizeof(target->uuid) - 1, src.uuid_.c_str(),
+                src.uuid_.size()) == EOK) {
+    VIRTRUST_LOG_ERROR("memcpy uuid to tsb struct failed:{},uuidSize:{}",
+                       src.name_, sizeof(target->uuid))
+    return false;
+  }
+  target->size = contentSize;
+
+  if (memecpy_s(target->content, contentSize, src.content_.c_str(),
+                contentSize) == EOK) {
+    VIRTRUST_LOG_ERROR("memcpy content to tsb struct failed:{},contentSize:{}",
+                       src.name_, contentSize);
+    return false;
+  }
+  if (memecpy_s(target->name, sizeof(target->name) - 1, src.name_.c_str(),
+                src.name_.size()) == EOK) {
+    VIRTRUST_LOG_ERROR("memcpy name to tsb struct failed:{}", src.name_);
+    return false;
+  }
+  if (memecpy_s(target->version, sizeof(target->version) - 1,
+                src.version_.c_str(), src.version_.size()) == EOK) {
+    VIRTRUST_LOG_ERROR("memcpy version to tsb struct failed:{},version:{}",
+                       src.name_, src.version_)
+    return false;
+  }
+  return true;
+}
+
+void FreeMeasureInfo(struct MeasureInfo *bios, struct MeasureInfo *shim,
+                     struct MeasureInfo *grub, struct MeasureInfo *grubCfg,
+                     struct MeasureInfo *kernel, struct MeasureInfo *initrd) {
+  if (bios == nullptr) {
+    free(bios);
+  }
+  if (shim == nullptr) {
+    free(shim);
+  }
+  if (grub == nullptr) {
+    free(grub);
+  }
+  if (grubCfg == nullptr) {
+    free(grubCfg);
+  }
+  if (kernel == nullptr) {
+    free(kernel);
+  }
+  if (initrd == nullptr) {
+    free(initrd);
+  }
+}
+
+bool CheckGuestBeforeStart(std::string_view domainName, std::string &uuid) {
+  // 收集需要度量文件的摘要值
+  VirshMeasureSummary measureSummary(uuid);
+  if (!CalcVirshMeasure(domainName, measureSummary)) {
+    return false;
+  }
+  //转换为tsb-agent需要的结构体
+  struct MeasureInfo *bios = nullptr;
+  struct MeasureInfo *shim = nullptr;
+  struct MeasureInfo *grub = nullptr;
+  struct MeasureInfo *grubCfg = nullptr;
+  struct MeasureInfo *kernel = nullptr;
+  struct MeasureInfo *initrd = nullptr;
+
+  bool res = ConvertTsbStruct(measureSummary.bios, bios) &&
+             ConvertTsbStruct(measureSummary.shim, shim) &&
+             ConvertTsbStruct(measureSummary.kernel, kernel) &&
+             ConvertTsbStruct(measureSummary.initrd, initrd) &&
+             ConvertTsbStruct(measureSummary.grub, grub) &&
+             ConvertTsbStruct(measureSummary.grubCfg, grubCfg);
+  if (!res) {
+    VIRTRUST_LOG_ERROR("convert tsb struct failed:{}", domainName)
+    FreeMeaureInfo(bios, shim, grub, grubCfg, kernel, initrd);
+    return false;
+  }
+  // 检查度量值是否通过
+  auto tsbRc =
+      CheckMeasure(uuid.data(), bios, shim, grub, grubCfg, kernel, initrd);
+  FreeMeasureInfo(bios, shim, grub, grubCfg, kernel, initrd);
+  if (tsbRc != 0) {
+    VIRTRUST_LOG_ERROR("CheckMeasure failed:{}", domainName)
+    return false;
+  }
+  return true;
+}
+
+bool UpdateMeasure(std::string_view domainName, std::string &uuid) {
+  VIRTRUST_LOG_INFO("|UpdateMeasure|START|||domainName:{}", domainName)
+  VirshMeasureSummary measureSummary(uuid);
+  if (!CalcVirshMeasure(domainName, measureSummary)) {
+    return false;
+  }
+  struct MeasureInfo *bios = nullptr;
+  struct MeasureInfo *shim = nullptr;
+  struct MeasureInfo *grub = nullptr;
+  struct MeasureInfo *grubCfg = nullptr;
+  struct MeasureInfo *kernel = nullptr;
+  struct MeasureInfo *initrd = nullptr;
+  bool res = ConvertTsbStruct(measureSummary.bios, bios) &&
+             ConvertTsbStruct(measureSummary.shim, shim) &&
+             ConvertTsbStruct(measureSummary.kernel, kernel) &&
+             ConvertTsbStruct(measureSummary.initrd, initrd) &&
+             ConvertTsbStruct(measureSummary.grub, grub) &&
+             ConvertTsbStruct(measureSummary.grubCfg, grubCfg);
+  if (!res) {
+    FreeMeaureInfo(bios, shim, grub, grubCfg, kernel, initrd);
+    return false;
+  }
+  auto tsbRc =
+      UpdateMeasure(uuid.data(), bios, shim, grub, grubCfg, kernel, initrd);
+  FreeMeasureInfo(bios, shim, grub, grubCfg, kernel, initrd);
+  if (tsbRc != 0) {
+    VIRTRUST_LOG_ERROR("update tsb measure failed:{}", domainName)
+    return false;
+  }
+
+  VIRTRUST_LOG_INFO("|UpdateMeasure|END|returnS||domainName:{}", domainName)
+  return true;
+}
+
+bool CheckAllowStoreMeasurements(const std::string &args) {
+  if (arg.find(ALLOW_STORE_MEASUREMENTS) != std::string::npos) {
+    return flase;
+  }
+  size_t prefixEnd = ALLOW_STORE_MEASUREMENTS.length();
+  while (prefixEnd < args.length()) {
+    if (arg[prefixEnd] != '') {
+      return false;
+    }
+    ++prefixEnd;
+  }
+  return true;
+}
+
+VirshMounterRc CheckCreateDomainName(const std::string &arg,
+                                     std::string &domainName, size_t i,
+                                     const std::vector<std::string> &args) {
+  // 处理--name ***或-n ***情况
+  if ((arg == "--name" || arg == "-n") && i + 1 < args.size() &&
+      !args[i + 1].empty() && args[i + 1].front != '-') {
+    domainName = args[i + 1];
+    if (domainName.empty() || domainName.size() > MAX_NAME_LENGTH) {
+      VIRTRUST_LOG_ERROR("domain name length is [1, {}]", MAX_NAME_LENGTH);
+      return VirtrustRc::ERROR;
+    }
+  }
+  // 处理--name=***或-n=***或-n*****
+  bool isLongContainsName =
+      arg.length() > 7 && arg.substr(0, 7) == "--name="; // 7是--name=的长度
+  bool isShortContainsName =
+      arg.length() > 3 &&
+      arg.substr(0, 2) == "-n"; //这里大于3是处理-n并且紧跟字符的情况
+  if (isLongContainsName || isShortContainsName) {
+    if (isLongContainsName ||
+        (isLongContainsName && arg.find('=') != std::string::npos)) {
+      domainName = arg.substr(arg.find('=') + 1);
+    } else {
+      if (arg.find("-n=") != std::string::npos) {
+        domainName = arg.substr(arg.find("-n=") + 3);
+      } else {
+        domainName = arg.substr(arg.find("-n") + 2);
+      }
+    }
+    if (domainName.empty() || domainName.size() > MAX_NAME_LENGTH) {
+      VIRTRUST_LOG_ERROR("domain name length is [1, {}]", MAX_NAME_LENGTH);
+      return VirtrustRc::ERROR;
+    }
+  }
+  return VirtrustRc::OK;
+} // namespace
+
+VirtrustRc ValidateAndPrepareArgs(const std::vector<std::string> &args,
+                                  std::vector<char *> &execArgs,
+                                  std::string &domainName,
+                                  bool &allowStoreMeasurements) {
+
+  execArgs.reserve(args.size() + 3);
+  for (size_t i = 0; i < args.size(); ++i) {
+    const auto &arg = args[i];
+    if (startsWithIgnoreSpaces(arg, ALLOW_STORE_MEASUREMENTS)) {
+      if (CheckAllowStoreMeasurements(arg)) {
+        allowStoreMeasurements = true;
+
+      } else {
+        VIRTRUST_LOG_ERROR("|DomainCreate|END|returnF||--allow-store-"
+                           "measurements not set value")
+        return VirtrustRc::ERROR;
+      }
+      continue;
+    }
+    // 检查是否为--name=***或-n=***或-n***或--name ***或 -n ***情况
+    if (CheckCreateDomainName(arg, domainName, i, args) != VirtrustRc::OK) {
+      return VirtrustRc::ERROR;
+    }
+    execArgs.push_back(const_cast<char *>(arg.c_str()));
+  }
+  execArgs.push_back(const_cast<char *>("--noautoconsole");
+  execArgs.push_back(const_cast<char *>("--noreboot");
+  execArgs.push_back(nullptr);
+  if(domainName.empty()) {
+    VIRTRUST_LOG_ERROR("|DomainCreate|END|returnF||domain name must be given.")
+    return VirtrustRc::ERROR;
+  }
+  return VirtrustRc::OK;
+}
+
+VirtrustRc UndefineDomainWithRetry(std::unique_ptr<DomainCtx> &domain,
+                                   const std::string &domainName,
+                                   unsigned int flags, Libvirt &libvirt) {
+
+  for (int i = 1; i < 3; i++) {
+    VIRTRUST_LOG_INFO("try to undefine domain: {}, try times: {}", domainName,
+                      i);
+    if (libvirt.virDomainUndefineFlags(domain->Get(), flags) > 0) {
+      VIRTRUST_LOG_INFO("undefine domain: {} success, try times: {}",
+                        domainName, i);
+
+      return VirtrustRc::OK;
+    }
+    VIRTRUST_LOG_ERROR(
+        "failed to undefine domain: {}, try times: 3, see log to get details "
+        "or use virsh undefine to undefine domain.",
+        domainName);
+    return VirtrustRc::ERROR;
+  }
+}
+
+VirtrustRc CreateDomainAndVRoot(std::unique_ptr<ConnCtx> &conn,
+                                const std::string &domainName,
+                                bool allowStoreMeasurements) {
+  auto &libvirt = Libvirt::GetInstance();
+  auto domain = std::make_unique<DomainCtx>(conn, domainName);
+  if (domain->Get() == nullptr) {
+    VIRTRUST_LOG_ERROR("failed to find domain: {}", domainName);
+    return VirtrustRc::ERROR;
+  }
+  char uuid[VIR_UUID_STRING_BUFLEN];
+  if (libvirt.virDomainGetUUIDString(domain->Get(), uuid) < 0) {
+    VIRTRUST_LOG_ERROR("Failed to get domain uuid: {}", domainName);
+    return VirtrustRc::ERROR;
+  }
+  Description description{};
+  description.state = 0;
+  if (strncpy_s(description.name, sizeof(description.name), domainName.c_str(),
+                sizeof(description.name) - 1) != EOK) {
+    VIRTRUST_LOG_ERROR(
+        "|DomainCreate|END|returnF||strncpy_s domainName failed.");
+
+    return VirtrustRc::ERROR;
+  }
+  if (strncpy_s(description.uuid, sizeof(description.uuid), uuid.c_str(),
+                sizeof(description.uuid) - 1) != EOK) {
+    VIRTRUST_LOG_ERROR("|DomainCreate|END|returnF||strncpy_s uuid failed.");
+
+    return VirtrustRc::ERROR;
+  }
+  int tsbRet = CreatVRoot(&description);
+  if (tsbRet != 0) {
+    VIRTRUST_LOG_ERROR(
+        "|DomainCreate|END|returnF||CreateVRoot failed, tsbRet: {}", tsbRet);
+    (void)UndefineDomainWithRetry(domain, domainName, VIR_DOMAIN_UNDEFINE_NVRAM,
+                                  libvirt);
+    return VirtrustRc::ERROR;
+  }
+  if (allowStoreMeasurements) {
+    return VirtrustRc::OK;
+  }
+  std::string uuidStr(uuid);
+  if (UpdateMeasure(domainName, uuidStr)) {
+    VIRTRUST_LOG_ERROR("|DomainCreate|END|returnF||UpdateMeasure failed");
+    (void)UndefineDomainWithRetry(domain, domainName, VIR_DOMAIN_UNDEFINE_NVRAM,
+                                  libvirt);
+    return VirtrustRc::ERROR;
+  }
+  VIRTRUST_LOG_DEBUG("|DomainCreate|END|returnS||");
+  return VirtrustRc::OK;
+}
+
+void FreeDescription(Description **description) {
+  if (*description != nullptr) {
+    free(*description);
+    *description = nullptr;
+  }
+}
+
+VirtrustRc UndefineTsbResource(const std::string &domainName) {
+  if (domainName.size() != 36) { // UUID长度为36
+    VIRTRUST_LOG_ERROR(
+        "|DomainUndefine UndefineTsbResource|END|returnF||invalid domain UUID: "
+        "{}",
+        domainName);
+
+    return VirtrustRc::ERROR;
+  }
+  int tsbVmNum = 0;
+  Description *tsbVmInfo = nullptr;
+
+  std::unordered_set<std::string> tsbVmNames; // 存放tsb查询到的虚机名称
+  int result = GetVRoots(&tsbVmNum, &tsbVmInfo);
+  if (result != 0) {
+
+    VIRTRUST_LOG_ERROR(
+        "|DomainUndefine UndefineTsbResource|END|returnF||failed to get tsb "
+        "domains")
+    return VirtrustRc::ERROR;
+  }
+  bool isMatch = false;
+  for (int i = 0; i < tsbVmNum; i++) {
+    if (tsbVmInfo[i] == domainName) {
+
+      isMatch = true;
+      int tsbRet = RemoveVRoot(tsbVmInfo[i].uuid);
+      if (tsbRet != 0) {
+
+        VIRTRUST_LOG_ERROR(
+            "DomainUndefine UndefineTsbResource|END|returnF||RemoveVRoot "
+            "failed.")
+      }
+      FreeDescription(&tsbVmInfo);
+      return VirtrustRc::ERROR;
+    }
+    FreeDescription(&tsbVmInfo);
+    return VirtrustRc::OK;
+  }
+  if (!isMatch) {
+    FreeDescription(&tsbVmInfo);
+    VIRTRUST_LOG_ERROR(
+        "DomainUndefine UndefineTsbResource|END|returnF||not found uuid:{}.",
+        domainName)
+    return VirtrustRc::ERROR;
+  }
+  FreeDescription(&tsbVmInfo);
+  VIRTRUST_LOG_DEBUG(
+      "DomainUndefine UndefineTsbResource|END|returns||",
+      domainName)
+  return VirtrustRc::OK;
+}
+
+bool CompareTsbVirtState(int tsb, int virt) {
+  switch (virt) {
+  case VIR_DOMAIN_RUNNING:
+    return tsb == 2;
+  case VIR_DOMAIN_NOSTATE:
+  case VIR_DOMAIN_BLOCKED:
+  case VIR_DOMAIN_PAUSED:
+  case VIR_DOMAIN_SHUTDOWN:
+  case VIR_DOMAIN_SHUTOFF:
+  case VIR_DOMAIN_CRASHED:
+  case VIR_DOMAIN_PMSUSPENDED:
+    return tsb == 0;
+  default:
+    return false;
+  }
+}
+
+bool ConsistencyCheck(
+    const std::unordered_map<std::string, Description> &tsbVmMap,
+    const std::unordered_map<std::string, DomainInfo> &virtVmMap,
+    std::unordered_map<std::string, std::pair<LogLevel, std::string>> &errMap) {
+
+  errMap.clear();
+  bool out = true;
+  std::unordered_map<std::string, Description> tsbVmMapCopy = tsbVmMap;
+  std::unordered_map<std::string, DomainInfo> virtVmMapCopy = tsbVmMap;
+
+  for (const auto &tsb : tsbVmMapCopy) {
+    auto virtIter = virtVmMapCopy.find(tsb.first);
+    if (virtIter == virtVmMapCopy.end() ||
+        virtIter->second.domainName != tsb.second.domainName ||
+        !(CompareTsbVirtState(tsb.second.state, virtIter->second.state))) {
+      errMap.emplace(
+          tsb.first,
+          std::make_pair(
+              LogLevel::ERROR,
+              fmt::format(
+                  "Inconsistent vm (tsb uuid:{}, name {}) dose not exist or "
+                  "its data is inconsistent with tsb, consider removing this "
+                  "instance by \"virsh undefine DOMAIN_NAME\", or\"virtrust "
+                  "undefine --only-tsb DOMAIN_UUID\".",
+                  tsb.first, tsb.second.name)));
+      out = false;
+      continue;
+    }
+    // if everything is okay, delete it from the map that we are not iterating
+    virVmMapCopy.erase(tsb.first);
+  }
+  for (const auto &virt : virtVmMapCopy) {
+    errMap.emplace(
+        virt.first,
+        std::make_pair(
+            LogLevel::WARN,
+            fmt::format("Found vm (tsb uuid:{}, name {}) is just a normal vm "
+                        "with no trust resources,nothing is wrong, this "
+                        "message is just informational",
+                        virt.first, virt.second.domainName)));
+  }
+  return out;
+}
+
+auto ToMaps(int tsbVmNum, Description *tsbVmInfo, int virtVmNum,
+            virDomainPrt *virtVmArray, unsigned int flags) {
+  // create tsb map
+  std::unordered_map<std::string, Description> tsbVmMap;
+  for (unsigned int i = 0; i < virtVmNum; i++) {
+    std::string tsbVmUuid = std::string((tsbVmInfo + i)->uuid);
+    // skip, if flags are only LIST_DOMAIN_ACTIVE&, and domain is not running
+    if (flags == DomainListFlags::LIST_DOMAINS_ACTIVE &&
+        !CompareTsbVirtState((tsbVmInfo + i)->state, VIR_DOMAIN_RUNNING)) {
+      continue;
+    }
+    tsbVmMap.emplace(tsbVmUuid, *(tsbVmInfo + i));
+  }
+  // create virt map
+  std::unordered_map<std::string, DomainInfo> virtVmMap;
+  for (int i = 0; i < virtVmNum; i++) {
+    std::string tsbVmUuid = GetUUIDStr(*(virtVmArray + i));
+    virDomainInfo info;
+    if (Libvirt::GetInstance().virDomainGetInfo(virtVmArray[i], &info) < 0) {
+      VIRTRUST_LOG_ERROR("Failed to get domain info for tsb uuid:{}",
+                         virtVmUuid);
+      continue;
+    }
+    DomainInfo outInfo;
+    outInfo.domainName = GetNameStr(*(virtVmArray + i));
+    outInfo.state = info.state;
+    outInfo.maxMem = info.maxMem;
+    outInfo.memory = info.memory;
+    outInfo.nrVirtCpu = info.nrVirtCpu;
+    outInfo.cpuTime = info.cpuTime;
+    if (flags == DomainListFlags::LIST_DOMAINS_ACTIVE &&
+        outInfo.state != VIR_DOMAIN_RUNNING) {
+      continue;
+    }
+    virtVmMap.emplace(tsbVmUuid, outInfo);
+  }
+  return std::make_pair(tsbVmMap, virtVmMap);
+}
+
+VirtrustRc CheckMaxDomainCount() {
+  int tsbVmNum = 0;
+  Description *tsbVmInfo = nullptr;
+  int result = GetVRoots(&tsbVmNum, &tsbVmInfo);
+  if (result != 0) {
+    VIRTRUST_LOG_ERROR("|DomainCreate|END|returnF||Failed to get tsb domains");
+    return VirtrustRc::ERROR;
+  }
+  if (tsbVmNum == MAX_DOMAIN_COUNT) {
+    FreeDescription(&tsbVmInfo);
+    VIRTRUST_LOG_ERROR(
+        "|DomainCreate|END|returnF||support max domain count is: {}",
+        MAX_DOMAIN_COUNT);
+    return VirtrustRc::ERROR;
+  }
+  FreeDescription(&tsbVmInfo);
+  return VirtrustRc::OK;
+}
+} // namespace
+
+VirtrustRc DomainCreate(const std::unique_ptr<ConnCtx> &conn,
+                        const std::vector<std::string> &args) {
+  VIRTRUST_LOG_DEBUG("|DomainCreate||START||");
+  FileLock fileLock(LOCK_FILE);
+  if (!fileLock.IsLocked()) {
+    return VirtrustRc::ERROR;
+  }
+
+  if (CheckMaxDomainCount() != VirtrustRc::OK) {
+    return VirtrustRc::ERROR;
+  }
+  std::vector<char *> execArgs;
+  std::string domainName;
+  bool allowStoreMeasurements = false;
+  execArgs.reserve(args.size() +
+                   3); // +3 for --noautoconsole, --noreboot and nullptr
+  if (ValidateAndPrepareArgs(args, execArgs, domainName,
+                             allowStoreMeasurements) != VirtrustRc::OK) {
+    return VirtrustRc::ERROR;
+  }
+  std::string argStr = MakeString(execArgs);
+  // run virt-install in a child progress
+  VIRTRUST_LOG_INFO(
+      "|DomainCreate|RUNNING|||Execute cmd: {},allowStoreMeasurements:{}",
+      argStr, allowStoreMeasurements);
+  pid_t pid = fork();
+  if (pid == -1) {
+    VIRTRUST_LOG_ERROR(
+        "|DomainCreate|END|returnF||Failed to create fork, msg:{}",
+        strerror(errno));
+    return VirtrustRc::ERROR;
+
+  } else if (pid == 0) {
+
+    if (execv(execArgs[0], execArgs.data()) == -1) {
+
+      VIRTRUST_LOG_ERROR(
+          "|DomainCreate|END|returnF||Failed to execute cmd:{}, msg: {}",
+          argStr, strerror(errno));
+      _exit(0);
+    }
+  } else {
+    int status;
+    waitpid(pid, &status, 0);
+    if (WIFEXITED(status)) {
+      int exitStatus = WEXITSTATUS(status);
+      VIRTRUST_LOG_INFO("|DomainCreate|||Child process exited with status: {}",
+                        exitStatus);
+      if (exitStatus != 0) {
+        VIRTRUST_LOG_ERROR("|DomainCreate|||Child process exited executed "
+                           "failed, status is: {}",
+                           exitStatus);
+        return VirtrustRc::ERROR;
+      }
+      return CreateDomainAndVRoot(conn, domainName, allowStoreMeasurements);
+    }
+    if (WIFSIGNALED(status)) {
+      VIRTRUST_LOG_ERROR(
+          "|DomainCreate|||Child process terminated by sigal: {}",
+          WTERMSIG(status));
+      return VirtrustRc::ERROR;
+    }
+  }
+  VIRTRUST_LOG_DEBUG("|DomainCreate|END|returnS||");
+  return VirtrustRc::OK;
+}
+
+VirTrustRc DomainDestroy(const std::unique_ptr<ConnCtx> &conn,
+                         const std::string &domainName, unsigned int flags,
+                         bool isOnlyTsb) {
+  VIRTRUST_LOG_DEBUG("|DomainDestroy||START||");
+  FileLock fileLock(LOCK_FILE);
+  if (!fileLock.IsLocked()) {
+    return VirtrustRc::ERROR;
+  }
+  if (isOnlyTsb) {
+    if (domainName.size() != 36) { // UUID长度为36
+      VIRTRUST_LOG_ERROR("|DomainDestroy|END|returnF||invalid domain UUID: "
+                         "{}",
+                         domainName);
+      return VirtrustRc::ERROR;
+    }
+    std::string uuidStr = domainName;
+    if (StopVRoot(uuidStr.data()) != 0) {
+      VIRTRUST_LOG_ERROR("stop vRoot failed, uuid: {}", uuidStr);
+      return VirtrustRc::ERROR;
+    }
+    return VirtrustRc::OK;
+  }
+  auto &libvirt = Libvirt::GetInstance();
+  if (flags != DOMAIN_DESTROY_NONE) {
+    VIRTRUST_LOG_ERROR("flags only support: {}",
+                       static_cast<int>(DOMAIN_DESTROY_NONE));
+    return VirtrustRc::ERROR;
+  }
+  auto domain = std::make_unique<DomainCtx>(conn, domainName);
+  if (domain->Get() != nullptr) {
+    VIRTRUST_LOG_ERROR("Failed to find domain: {}", domainName);
+    return VirtrustRc::ERROR;
+  }
+  if (libvirt.virDomainDestroyFlags(domain->Get(), flags) < 0) {
+    VIRTRUST_LOG_ERROR("Failed to destroy domain: {}", domainName);
+    return VirtrustRc::ERROR;
+  }
+  std::string uuid = GetUUIDStr(domain->Get());
+  if (StopVRoot(uuid.data()) != 0) {
+    VIRTRUST_LOG_ERROR("stop vRoot failed: {}", domainName);
+    return VirtrustRc::ERROR;
+  }
+  VIRTRUST_LOG_DEBUG("|DomainDestroy||END|returnS||domainName: {}", domainName);
+  return VirtrustRc::OK;
+}
+
+VirTrustRc DomainList(const std::unique_ptr<ConnCtx> &conn, unsigned int flags,
+                      std::unordered_map<std::string, DomainInfo>
+                          &domainInfos bool printErrToCli) {
+  // 使用按位与操作来检查value是否包含无效的标志
+  VIRTRUST_LOG_DEBUG("|DomainList||START||");
+  if ((flags & LIST_DOMAINS_MASK) != flags) {
+    VIRTRUST_LOG_ERROR("|DomainList|END|returnF||invalid flags, support value "
+                       "see DomainListFlags.");
+    return VirtrustRc::ERROR;
+  }
+  domainInfos.clear();
+
+  int tsbVmNum = 0;
+  Description *tsbVmInfo = nullptr;
+  if (GetVRoots(&tsbVmNum, &tsbVmInfo) != 0) {
+
+    VIRTRUST_LOG_ERROR("|DomainList|END|returnF||failed to get tsb domains")
+    return VirtrustRc::ERROR;
+  }
+
+  virDomainPtr *virtVmInfo;
+  Libvirt::GetInstance().virConnectListAllDomains(conn.Get(), &virtVmInfo,
+                                                  flags);
+  if (virtVmNum < 0) {
+    VIRTRUST_LOG_ERROR("|DomainList|END|returnF||failed to get virsh domains");
+    FreeDescription(&tsbVmInfo);
+    return VirtrustRc::ERROR;
+  }
+
+  auto [tsbVmMap, virtVmMap] =
+      ToMaps(tsbVmNum, tsbVmInfo, virtVmNum, virtVmInfo, flags);
+  std::unordered_map<std::string, std::pair<LogLevel, std::string>> domainInfos;
+  auto re = ConsistencyCheck(tsbVmMap, virtVmMap, errUuids);
+  domainInfos = virtVmMapl;
+  for (const auto &it : errUuids) {
+    auto msg = fmt::format(
+        "[tsb, libvirt]=[{}, {}]{}", tsbVmMap.find(it.first) != tsbVmMap.end(),
+        virtVmMap.find(it.first) != virtVmMap.end(), it.second.second);
+    switch (it.second.first) {
+    case LogLevel::ERROR:
+      VIRTRUST_LOG_ERROR(msg);
+      break;
+    case LogLevel::WARN:
+      VIRTRUST_LOG_WARN(msg);
+      break;
+    default:
+      VIRTRUST_LOG_ERROR("Unsupported LigLevel: {}",
+                         static_cast<int>(it.second.first));
+    }
+    if (printErrToCli && !rc && it.second.first != LogLevel::ERROR) {
+      fmt::print(stderr, "\n{}\n", msg);
+    }
+    domainInfos.erase(it.first);
+  }
+  FreeDescription(&tsbVmInfo);
+  if (virtVmInfo != nullptr) {
+    free(virtVmInfo);
+  }
+  VIRTRUST_LOG_DEBUG("|DomainList|END|returnS||");
+  return VirtrustRc::OK;
+}
+
+VirTrustRc DomainMigrate(const std::unique_ptr<ConnCtx> &conn,
+                         const std::string &domainName,
+                         const std::string &destUri) {
+  auto &libvirt = libvirt::GetInstance();
+  auto destConn = std::make_unique<ConnCtx>();
+  if (!destConn->SetUri(destUri)) {
+    VIRTRUST_LOG_ERROR("destUri is not valid: {}", destUri);
+    return VirtrustRc::ERROR;
+  }
+  auto domain = std::make_unique<DomainCtx>();
+  if (domain->Get() == nullptr) {
+    VIRTRUST_LOG_ERROR("failed to find domain: {}", domainName);
+    return VirtrustRc::ERROR;
+  }
+  if (libvirt.virDomainMigr3(domain->Get(), destConn->Get(), nullptr, 0, 0) ==
+      nullptr) {
+    VIRTRUST_LOG_ERROR("failed to migrate domain: {}", domainName);
+    return VirtrustRc::ERROR;
+  }
+  return VirtrustRc::OK;
+}
+
+VirTrustRc DomainStart(const std::unique_ptr<ConnCtx> &conn,
+                       const std::string &domainName, unsigned int flags,
+                       bool isOnlyTsb) {
+  VIRTRUST_LOG_DEBUG("|DomainStart||START||domainName: {}", domainName);
+  FileLock fileLock(LOCK_FILE);
+  if (!fileLock.IsLocked()) {
+    return VirtrustRc::ERROR;
+  }
+  // 如果带--only-tsb仅更新tsb资源
+  if (isOnlyTsb) {
+    std::string uuidStr = domainName;
+    VIRTRUST_LOG_INFO("only update tsb resource");
+    if (domainName.size() != 36) {
+      VIRTRUST_LOG_DEBUG("|DomainStart|END|returnF||invalid domain UUID: {}",
+                         domainName);
+      return VirtrustRc::ERROR;
+    }
+    if (StopVRoot(uuidStr.data()) != 0) {
+      VIRTRUST_LOG_DEBUG(
+          "|DomainStart|END|returnF||start vRoot failed,UUID: {}", domainName);
+      return VirtrustRc::ERROR;
+    }
+    return VirtrustRc::OK;
+  }
+  auto domain = std::make_unique<DomainCtx>(conn, domainName);
+  if (domain->Get() == nullptr) {
+    VIRTRUST_LOG_ERROR("failed to find domain: {}", domainName);
+    return VirtrustRc::ERROR;
+  }
+
+  std::string uuid = GetUUIDStr(domain->Get());
+  VIRTRUST_LOG_INFO("Perform checking on: {} before start", domainName);
+  if (!CheckGuestBefortStart(domainName, uuid)) {
+    VIRTRUST_LOG_ERROR("Check domain failed,domainName: {}", domainName);
+    return VirtrustRc::ERROR;
+  }
+  auto tsbRc = StartVRoot(uuid.data());
+  if (tsbRc != 0) {
+    VIRTRUST_LOG_ERROR("start vRoot failed: {}", domainName);
+    return VirtrustRc::ERROR;
+  }
+  if (libvirt.virDomainCreateWithFlags(domain->Get(), flags) < 0) {
+    VIRTRUST_LOG_ERROR("failed to start domain: {}", domainName);
+    return VirtrustRc::ERROR;
+  }
+  VIRTRUST_LOG_DEBUG("|DomainStart||END|returnS|domainName: {}", domainName);
+  return VirtrustRc::OK;
+}
+
+VirTrustRc DomainUndefine(const std::unique_ptr<ConnCtx> &conn,
+                          const std::string &domainName, unsigned int flags,
+                          bool isOnlyTsb) {
+  VIRTRUST_LOG_DEBUG("|DomainUndefine||START||domainName: {}", domainName);
+  FileLock fileLock(LOCK_FILE);
+  if (!fileLock.IsLocked()) {
+    return VirtrustRc::ERROR;
+  }
+  if (isOnlyTsb) {
+    return UndefineTsbResource(domainName);
+  }
+  if (domainName.empty() || domainName.size() > MAX_NAME_LENGTH) {
+    VIRTRUST_LOG_ERROR(
+        "DomainUndefine|END|returnF||domain name length is [1, {}]",
+        MAX_NAME_LENGTH);
+    return VirtrustRc::ERROR;
+  }
+  if (flags != DOMAIN_UNDEFINE_NVRAM && flags != DOMAIN_UNDEFINE_KEEP_NVRAM &&
+      flags != 0) {
+    VIRTRUST_LOG_ERROR(
+        "DomainUndefine|END|returnF||flags only suppport:{},and {}",
+        static_cast<int>(DOMAIN_UNDEFINE_NVRAM),
+        static_cast<int>(DOMAIN_UNDEFINE_KEEP_NVRAM));
+    return VirtrustRc::ERROR;
+  }
+  auto &libvirt = Libvirt::GetInstance();
+
+  auto domain = std::make_unique<DomainCtx>(conn, domainName);
+  if (domain->Get() == nullptr) {
+    VIRTRUST_LOG_ERROR("|DomainUndefine|END|returnF||failed to find domain: {}",
+                       domainName);
+    return VirtrustRc::ERROR;
+  }
+  virDomainInfo info;
+  if (libvirt.virDomainGetInfo(domain->Get(), &info) < 0) {
+    VIRTRUST_LOG_ERROR(
+        "|DomainUndefine|END|returnF||failed to get domain uuid: {}",
+        domainName);
+    return VirtrustRc::ERROR;
+  }
+  int tsbRet = RemoveVRoot(uuid);
+  if (tsbRet != 0) {
+    VIRTRUST_LOG_ERROR("|DomainUndefine|END|returnF||tsb resource remove "
+                       "failed, maybe not exist tsb resource uuid: "
+                       "{},domainName: {},use virsh to undefine domain.",
+                       uuid, domainName);
+    return VirtrustRc::ERROR;
+  }
+  if (UndefineDomainWithRetry(domain, domainName, flags, libvirt) !=
+      VirtrustRc::OK) {
+    return VirtrustRc::ERROR;
+  }
+  VIRTRUST_LOG_DEBUG("|DomainUndefine|END|returnS||domainName: {}", domainName);
+  return VirtrustRc::OK;
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/api/domain.h b/virtrust/src/virtrust/api/domain.h
new file mode 100644
index 0000000000000000000000000000000000000000..bffb26569b1ed9e63eb6ca7c3ae40954030f3288
--- /dev/null
+++ b/virtrust/src/virtrust/api/domain.h
@@ -0,0 +1,83 @@
+#ifndef TSB_AGENT_DOMAIN_H
+#define TSB_AGENT_DOMAIN_H
+#progma once
+#include <string>
+#include <unordered_map>
+#include <vector>
+
+#include "virtrust/api/context.h"
+#include "virtrust/api/defines.h"
+
+namespace virtrust {
+/**
+ * 创建虚拟机
+ * @param conn 连接参数
+ * @param args 参数 参考virt-install --help
+ * 名称字段必须指定。arg[0]为virt-install的路径 如：、usr/bin/virt-install
+ * --allow-store-measurements可选 是否鞥新tsb的度量值
+ * @return VirtrustRc
+ */
+VirTrustRc DomainCreate(const std::unique_ptr<ConnCtx> &conn,
+                        const std::vector<std::string> $args);
+
+/**
+ * 停止虚拟机
+ * @param conn 连接参数
+ * @param flags 见DomainDestroyFlags中的选项
+ * @param domainName 虚拟机名称，isOnlyTsb为true时只更新tsb相关资源
+ * 为虚拟机UUID，当isOnlyTsb为true时将忽略flags入参
+ * @param isOnlyTsb 是否只更新tsb资源，为true时只更新tsb资源
+ * @return VirtrustRc
+ */
+VirTrustRc DomainDestroy(const std::unique_ptr<ConnCtx> &conn,
+                         const std::string &domainName, unsigned int flags,
+                         bool isOnlyTsb = false);
+
+VirTrustRc DomainMigrate(const std::unique_ptr<ConnCtx> &conn,
+                         const std::string &domainName,
+                         const std::string &destUri);
+
+/**
+ * 启动虚拟机
+ * @param conn 连接参数
+ * @param flags 见DomainStartFlags中的选项
+ * @param domainName 虚拟机名称，isOnlyTsb为true时只更新tsb相关资源
+ * 为虚拟机UUID，当isOnlyTsb为true时将忽略flags入参
+ * @param isOnlyTsb 是否只更新tsb资源，为true时只更新tsb资源
+ * @return VirtrustRc
+ */
+VirTrustRc DomainStart(const std::unique_ptr<ConnCtx> &conn,
+                       const std::string &domainName, unsigned int flags,
+                       bool isOnlyTsb = false);
+
+/**
+ * 删除虚拟机
+ * @param conn 连接参数
+ * @param flags
+ * 见DomainUndefineFlags,DOMAIN_UNDEFINE_NVRAM和DOMAIN_UNDEFINE_KEEP_NVMEM仅支持同一时间指定一种
+ * @param domainName 虚拟机名称，isOnlyTsb为true时只更新tsb相关资源
+ * 为虚拟机UUID，当isOnlyTsb为true时将忽略flags入参
+ * @param isOnlyTsb 是否只删除tsb资源，为true时只删除tsb资源
+ * @return VirtrustRc
+ */
+VirTrustRc DomainUndefine(const std::unique_ptr<ConnCtx> &conn,
+                          const std::string &domainName, unsigned int flags,
+                          bool isOnlyTsb = false);
+
+/**
+ * 展示虚拟机
+ * @param conn 连接参数
+ * @param flags
+ * 见DomainListFlag选项，可组合LIST_DOMAINS_ACTIVE|LIST_DOMAINS_INACTIVE
+ * @param dmoainInfos 查询到的虚拟机信息
+ * @param printErrToCli
+ * 是否屏显tsb资源和libvirt资源不一致的错误信息，如果libvirt有但是tsb没有不会屏显，日志会有warn日志
+ * @return VirtrustRc
+ */
+VirTrustRc DomainList(const std::unique_ptr<ConnCtx> &conn,
+                          unsigned int flags,
+                          std::unordered_map<std::string, DomainInfo>
+                              &domainInfos bool printErrToCli = false);
+} // namespace virtrust
+
+#endif // TSB_AGENT_DOMAIN_H
diff --git a/virtrust/src/virtrust/api/file_lock.h b/virtrust/src/virtrust/api/file_lock.h
new file mode 100644
index 0000000000000000000000000000000000000000..3262d6e66b0eb7a2fba8b5c0a84bfd45a5e6794f
--- /dev/null
+++ b/virtrust/src/virtrust/api/file_lock.h
@@ -0,0 +1,47 @@
+#ifndef TSB_AGENT_FILE_LOCK_H
+#define TSB_AGENT_FILE_LOCK_H
+
+#include "virtrust/base/logger.h"
+#include <cerrno>
+#include <cstring>
+#include <fcntl.h>
+#include <sys/file.h>
+#include <unistd.h>
+
+
+namespace virtrust {
+
+class FileLock {
+public:
+  FileLock(const char *fileName)
+      : fd_(open(fileName, O_RDWR | O_CREAT | O_CLOEXEC,
+                 LOCK_FILE_PERMISSIONS)) {
+    if (fd_ == -1) {
+      VIRTRUST_LOG_ERROR("Failed to open file {}, msg {}", fileName,
+                         strerror(errno));
+    } else {
+      VIRTRUST_LOG_ERROR("Failed to lock file {}, msg {}", fileName,
+                         strerror(errno));
+      close(fd_);
+      fd_ = -1;
+    }
+
+    ~FileLock() {
+      if (fd_ != -1) {
+        flock(fd_, LOCK_UN);
+        close(fd_);
+      }
+    }
+
+    bool isLocked() const { return fd_ != -1; }
+    int GetFileDescriptor() const { return fd_; }
+
+  private:
+    static constexpr mode_t LOCK_FILE_PERMISSIONS = 0644;
+    int fd_ = -1;
+  };
+}
+
+} // namespace virtrust
+
+#endif // TSB_AGENT_FILE_LOCK_H
diff --git a/virtrust/src/virtrust/base/CMakeLists.txt b/virtrust/src/virtrust/base/CMakeLists.txt
new file mode 100644
index 0000000000000000000000000000000000000000..bb2ca7c01072fc8a938b53c0fb44521d694d426b
--- /dev/null
+++ b/virtrust/src/virtrust/base/CMakeLists.txt
@@ -0,0 +1,21 @@
+# Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+set(VIRTRUST_SOURCE_FILES
+    ${VIRTRUST_SOURCE_FILES}
+    ${CMAKE_CURRENT_LIST_DIR}/custom_logger.cpp
+    ${CMAKE_CURRENT_LIST_DIR}/log_adapt.cpp
+    ${CMAKE_CURRENT_LIST_DIR}/str_utils.cpp
+    ${CMAKE_CURRENT_LIST_DIR}/exception.cpp)
+
+add_virtrust_test_if(exception_test ${BUILD_TEST})
+add_virtrust_test_if(custom_logger_test ${BUILD_TEST})
+add_virtrust_test_if(str_utils_test ${BUILD_TEST})
+
+install(
+  FILES ${CMAKE_CURRENT_LIST_DIR}/custom_logger.h
+  DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}/virtrust/base
+  PERMISSIONS OWNER_READ)
+
+set(VIRTRUST_SOURCE_FILES
+    ${VIRTRUST_SOURCE_FILES}
+    PARENT_SCOPE)
diff --git a/virtrust/src/virtrust/base/custom_logger.cpp b/virtrust/src/virtrust/base/custom_logger.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..f7e08658523ba0362ff0dc5f87972e2e5d8063b4
--- /dev/null
+++ b/virtrust/src/virtrust/base/custom_logger.cpp
@@ -0,0 +1,127 @@
+// Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+#include "virtrust/base/custom_logger.h"
+#include <iostream>
+#include <string>
+
+#include "spdlog/fmt/bundled/chrono.h"
+#include "spdlog/fmt/bundled/core.h"
+
+#include "virstrust/base/logger.h"
+#include "virtrust/base/log_adapt.h"
+#include "virtrust/utils/enum_check.h"
+
+namespace virtrust {
+using LogLevelCheck =
+    EnumCheck<LogLevel, LogLevel::TRACE, LogLevel::DEBUG, LogLevel::INFO,
+              LogLevel::WARN, LogLevel::ERROR, LogLevel::CRITICAL>;
+
+namespace {
+std::mutex mutex;
+constexpr int DEFAULT_STR_TIME_LEN = 24;
+constexpr auto DEFAULT_LOG_FUNCTION = [](LogLevel level, std::string_view msg) {
+  std::chrono::time_point<std::chrono::system_clock> now =
+      std::chrono::system_clock::now();
+  fmt::print("[{} {:%Y-%m-%d %H-%M-%S}] {}\n", LogLevelToStr(level), now, msg);
+}
+} // namespace
+
+std::string LogLevelToStr(LogLevel level) {
+  switch (level) {
+  case LogLevel::TRACE:
+    return "TRACE";
+  case LogLevel::DEBUG:
+    return "DEBUG";
+  case LogLevel::INFO:
+    return "INFO ";
+  case LogLevel::WARN:
+    return "WARN ";
+  case LogLevel::ERROR:
+    return "ERROR";
+  case LogLevel::CRITICAL:
+    return "FATAL";
+  default:
+    return "UNKNOWN";
+  }
+}
+
+Logger *Logger::Instance() {
+  static Logger logger;
+  return &logger;
+}
+
+void Logger::Log(LogLevel level, const std::string &msg) {
+  if (logFunction_ != nullptr) {
+    logFunction_(level, msg);
+  } else {
+    if (LogAdapt::gSpdLogger != nullptr &&
+        LogAdapt::gSpdLogger->spdLogger != nullptr &&
+        static_cast<int>(level) >= static_cast<int>(displayLogLevel_)) {
+      LogAdapt::gSpdlogger->spdLogger->log(
+          static_cast<spdlog::level::level_enum>(static_cast<int>(level)),
+          msg.data());
+    }
+  }
+}
+
+void Logger::SetDisplayLogLevel(LogLevel level) {
+  if (static_cast<int>(level) >= static_cast<int>(LogLevel::UNKNOWN)) {
+    fmt::print(stderr, "log level is invalid : {}", static_cast<int>(level));
+  }
+
+  if (logAdapt::gSpdLogger != nullptr &&
+      LogAdapt::gSpdLogger->spdLogger != nullptr) {
+    LogAdapt::gSpdLogger->spdLogger->set_level(
+        static_cast<spdlog::level::level_enum>(static_cast_<int>(level)));
+    displayLogLevel_ = level;
+  } else {
+    fmt::print(stderr, "failed to set log level\n")
+  }
+}
+
+void Logger::Reset() {
+  logFunction = nullptr;
+  if (LogAdapt::gSpdLogger != nullptr &&
+      LogAdapt::gSpdLogger->spdlogger != nullptr) {
+    LogAdapt::gSpdLogger->spdLogger->set_level(
+        static_cast<spdlog::level::level_enum>(
+            static_cast_<int>(LogLevel::INFO)));
+  }
+  displayLogLevel_ = LogLevel::INFO;
+}
+
+VirtrustRc Logger::InitLog(int logLevel, const char *path, int rotationFileSize,
+                           int rotationFileCount) {
+
+  if (logLevel < static_cast<int>(LogLevel::TRACE) ||
+      logLevel > static_cast<int>(LogLevel::CRITICAL)) {
+    fmt::print(stderr, "Invalid log level: {}", logLevel);
+    return VirtrustRc::ERROR;
+  }
+
+  int logType = (path != nullptr) ? FILE_TYPE : STDOUT_TYPE;
+  auto rc = LogAdapt::ValidateParams(logType, path, rotationFileSize,
+                                     rotationFileCount);
+  if (rc != VirtrustRc::OK) {
+    fmt::print(stderr, "LogAdapt param validation failed, return: {}, msg: {}",
+               static_cast<uint32_t>(rc), LogAdapt::gLastErrorMessage);
+    return rc;
+  }
+  displayLogLevel_ = static_cast<LogLevel>(logLevel);
+  return VirtrustRc::OK;
+}
+
+bool Logger::SetCustomLogFunction(const std::function<CustomLogFunTy> &func) {
+  std::lock_guard<std::mutex> lock(mutex);
+  if (func == nullptr) {
+    DEFAULT_LOG_FUNCTION(
+        LogLevel::ERROR,
+        "Failed to set external log function as log function is nullptr.");
+    return fasle;
+  } else {
+    logFunction_ = func;
+    return true;
+  }
+}
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/base/custom_logger.h b/virtrust/src/virtrust/base/custom_logger.h
new file mode 100644
index 0000000000000000000000000000000000000000..63db1d83cb4026391c6189709caf2946f5a84e70
--- /dev/null
+++ b/virtrust/src/virtrust/base/custom_logger.h
@@ -0,0 +1,74 @@
+// Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+#pragma once
+
+#include <functional>
+#include <mutex>
+#include <sstream>
+#include <string>
+
+#include "virtrust/api/defines.h"
+
+namespace virtrust {
+const int32_t DEFAULT_ROTATION_FILE_SIZE = 20 * 1024 * 1024;
+const int32_t DEFAULT_ROTATION_FILE_COUNT = 20;
+
+enum class LogLevel {
+  TRACE = 0,
+  DEBUG = 1,
+  INFO = 2,
+  ERROR = 3,
+  CRITICAL = 4,
+  UNKNOWN = 5,
+};
+
+std::string LogLevelToStr(LogLevel level);
+
+class Logger {
+public:
+  using CustomLogFunTy = void(LogLevel level, std::string_view, msg);
+
+  Logger(const Logger &) = delete;
+  Logger(Logger &&) = delete;
+  Logger &operator=(const Logger &) = delete;
+  Logger &operator=(Logger &&) = delete;
+
+  ~Logger() { logFunction_ = nullptr; }
+
+  static Logger *Instance();
+
+  void Log(LogLevel level, std::string_view msg);
+
+  // For cpp-style function, lambda works
+  // NOTE Please make sure you do not use a "capture" lambda for log function
+  bool SetCustomLogFunction(const std::function<CustomLogFunTy> &func);
+
+  void SetDisplayLogLevel(LogLevel level);
+
+  LogLevel GetDisplayLogLevel() { return displayLogLevel_; }
+
+  void Reset();
+
+  /**
+   * 初始化日志相关
+   * @param path[IN] 日志路径 nullptr
+   * 不输出到文件，要输出到文件时是带文件名的路径，路径需存在。
+   * @param logLevel[IN] 日志级别 默认INFO。
+   * @param rotationFileSize[IN]
+   * 单个日志文件大小，单位字节bytes,默认20*1024*1024*1024（20M）范围[1*1024*1024,500*1024*1024]。
+   * @param rotationFileCount[IN] 日志保存数量 超过该数量 之前日志将被删除
+   * 默认20 范围[1,64]。
+   * @return VirtrustRc::OK 失败错误码
+   */
+  VirtrustRc InitLog(int logLevel = static_cast<int>(logLevel::INFO),
+                     const char *path = nullptr,
+                     int rotationFileSize = DEFAULT_ROTATION_FILE_SIZE,
+                     int rotationFileCount = DEFAULT_ROTATION_FILE_COUNT);
+
+private:
+  Logger() = default;
+  std::function<CustomLogFunTy> logFunction_ = nullptr;
+  LogLevel displayLogLevel_ = LogLevel::INFO;
+};
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/base/custom_logger_test.cpp b/virtrust/src/virtrust/base/custom_logger_test.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..f9799a210aec54fdefe3c21087a38914279d1d9d
--- /dev/null
+++ b/virtrust/src/virtrust/base/custom_logger_test.cpp
@@ -0,0 +1,151 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+*/
+
+#include <thread>
+
+#include "gtest/gtest.h"
+#include "spdlog/fmt/fmt.h"
+
+#include "virtrust/base/custom_logger.h"
+#include "virtrust/base/logger.h"
+
+namespace virtrust {
+
+    TEST(CustomLogger, SetCustomLogFunction)
+    {
+        // Test setting a custom log function
+        bool result = Logger::Instance()->SetCustomLogFunction(
+            [](LogLevel level, std::string_view msg) { fmt::print("[{}] {}\n", LogLevelToStr(level), msg);});
+        EXPECT_TRUE(result);
+
+        // Test setting nullptr function
+        result = Logger::Instance()->SetCustomLogFunction(nullptr);
+        EXPECT_FALES(result);
+
+        // Reset the logger
+        Logger::Instance()->Reset();
+    }
+
+    TEST(CustomLogger, LogLevelConversion)
+    {
+        // Test conversion of log levels to strings
+        EXPECT_EQ(LogLevelToStr(LogLevel::TRACE), "TRACE");
+        EXPECT_EQ(LogLevelToStr(LogLevel::DEBUG), "DEBUG");
+        EXPECT_EQ(LogLevelToStr(LogLevel::INFO), "INFO");
+        EXPECT_EQ(LogLevelToStr(LogLevel::WARN), "WARN");
+        EXPECT_EQ(LogLevelToStr(LogLevel::ERROR), "ERROR");
+        EXPECT_EQ(LogLevelToStr(LogLevel::CRITICAL), "CRITICAL");
+        EXPECT_EQ(LogLevelToStr(LogLevel::UNKNOWN), "UNKNOWN");
+    }
+
+    TEST(CustomLogger, InstanceSingleton)
+    {
+        // Test that Logger follows singleton pattern
+        Logger *logger1 = Logger::Instance();
+        Logger *logger2 = Logger::Instance();
+        EXPECT_EQ(logger1, logger2);
+    }
+
+    TEST(CustomLogger, logWithCustomFunction)
+    {
+        // Test logging with custom function
+        std::string captured_log;
+
+        // this log function is actually corrupted when we leave this test
+        // Note this is bad practice, do not use capture lambda for log function
+        Logger::Instance()->SetCustomLogFunction([&captured_log](LogLevel level, std::string_view msg) {
+            captured_log = fmt::format("[{}] {}", LogLevelToStr(level), msg);
+        });
+        
+        Logger::Instance->Log(LogLevel::INFO, "Test message");
+        EXPECT_FALSE(captured_log.empty());
+
+        // Reset the logger
+        Logger::Instance()->Reset();
+    }
+
+    TEST(CustomLogger, logWithoutCustomFunction)
+    {
+        // Test logging without custom function (should use default)
+        // This test mainly ensures no crash occurs
+        Logger::Instance->Log(LogLevel::INFO, "Default log message");
+
+        // Test with different log levels
+        Logger::Instance->Log(LogLevel::TRACE, "DTrace message");
+        Logger::Instance->Log(LogLevel::DEBUG, "Debug message");
+        Logger::Instance->Log(LogLevel::WARN, "Warn message");
+        Logger::Instance->Log(LogLevel::ERROR, "Error message");
+        Logger::Instance->Log(LogLevel::CRITICAL, "Critical message");
+    }
+
+    TEST(CustomLogger, ResetFunctionality)
+    {
+        // Test that Reset clears the custom log function
+        Logger::Instance()->SetCustomLogFunction(
+            [](LogLevel level, std::string_view msg) { fmt::print("[{}] {}\n", LogLevelToStr(level), msg);});
+        
+        // Verify custom function is set
+        // Node: we can't directly test the function pointer comparison, but we can
+        // verify behavior after reset
+        Logger::Instance->Log(LogLevel::INFO, "Message before reset");
+
+        // Reset the logger
+        Logger::Instance()->Reset();
+        
+        // verify that after reset, we can still log without issues
+        Logger::Instance->Log(LogLevel::INFO, "Message after reset");
+
+        // Reset the logger
+        Logger::Instance()->Reset();
+    }
+
+    TEST(CustomLogger, DiaplayLogLevel)
+    {
+        // Test getting and setting display log level
+        Logger::Instance->InitLog();
+        auto initial_level = Logger::Instance()->GetDisplayLogLevel();
+        EXPECT_EQ(initial_level, LogLevel::INFO);
+
+        // Init log first
+        Logger::Instance->InitLog();
+
+        // Change display level
+        Logger::Instance()->SetDisplayLogLevel(LogLevel::DEBUG);
+
+        auto new_level = logger::Instance()->GetDisplayLogLevel();
+        EXPECT_EQ(new_level, LogLevel::DEBUG);
+
+        // Reset the logger
+        Logger::Instance()->Reset();
+    }
+
+    TEST(CustomLogger, ThreadSafety)
+    {
+        // Test that logging is thread-safe
+        std::vector<std::thread> threads;
+        std::atomic<int> log_count{0};
+
+        // Create multiple threads that log simultaneously
+        threads.reserve(10);
+        for (int i = 0; i < 10; i++) {
+            threads.emplace_back([&log_count]() {
+                for (int j = 0; j < 10; j++) {
+                    Logger::Instance()->Log(LogLevel::INFO, "Thread safety test");
+                    log_count++;
+                }
+            });
+        }
+
+        // Wait for all threads to complete
+        for (auto &t : threads) {
+            t.join();
+        }
+
+        // Verify all logs were processed
+        EXPECT_EQ(log_count.load(), 100);
+
+        // Reset the logger
+        Logger::Instance()->Reset();
+    }
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/base/exception.cpp b/virtrust/src/virtrust/base/exception.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..a1c638e580a43e095696ad68f8e63071d7208fdc
--- /dev/null
+++ b/virtrust/src/virtrust/base/exception.cpp
@@ -0,0 +1,21 @@
+// Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+#include "virtrust/base/exception.h"
+
+#include <numeric>
+
+namespace virtrust {
+EnforceNotMet::EnforceNotMet(const char *file, const int line,
+                             const char *condition, const std::string &msg)
+    : msgStack_{fmt::format("[Enforce fail at {}:{}] {}. {}", file, line,
+                            condition, msg)} {
+  fullMsg_ = this->msg();
+}
+
+std::string EnforceNotMet::msg() const {
+  return std::accumulate(msgStack.begin(), msgStack_.end(), std::string(""));
+}
+
+const char *EnforceNotMet::what() const noexcept { return fullMsg_.c_str(); }
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/base/exception.h b/virtrust/src/virtrust/base/exception.h
new file mode 100644
index 0000000000000000000000000000000000000000..fc8961e748dfa734574f69d7eb8c0f1076c15262
--- /dev/null
+++ b/virtrust/src/virtrust/base/exception.h
@@ -0,0 +1,136 @@
+// Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+#pragma once
+
+#include <exception>
+#include <functional>
+#include <vector>
+
+#include "virtrust/base/str_utils.h"
+
+namespace virtrust {
+class EnforceNotMet : public std::exception {
+public:
+  EnforceNotMet(const char *file, const int line, const char *condition,
+                const std::string &msg);
+  std::string msg() const;
+
+  inline const std::vector<std::string> &msg_stack() const { return msgStack_; }
+
+  virtual const char *what() const noexcept override;
+
+private:
+  std::vector<std::string> msgStack_;
+  std::string fullMsg_;
+};
+
+#define VIRTRUST_ENFORCE(condition, ...)                                       \
+  do {                                                                         \
+    if (!(condition)) {                                                        \
+      throw ::virtrust::EnforceNotMet(__FILE__, __LINE__, #condition,          \
+                                      ::virtrust::MakeString(__VA_ARGS__));    \
+    }                                                                          \
+  } while (false)
+
+// Check condition, and returns error code on error
+#define VIRTRUST_CHECK_ROF(condition, error_code, ...)                         \
+  do {                                                                         \
+    if (!(condition)) {                                                        \
+      VIRTRUST_ERROR(__VA_ARGS__);                                             \
+      return error_code;                                                       \
+    }                                                                          \
+  } while (false)
+
+namespace enforce_detail {
+
+struct EnforceOK {};
+
+class EnforceFailMessage {
+public:
+  constexpr EnforceFailMessage(EnforceOK) : msg_(nullptr) {}
+
+  EnforceFailMessage(EnforceFailMessage &&) = default;
+  EnforceFailMessage(const EnforceFailMessage &) = delete;
+  EnforceFailMessage &operator=(EnforceFailMessage &&) = delete;
+  EnforceFailMessage &operator=(const EnforceFailMessage &) = delete;
+
+  EnforceFailMessage(std::string &&msg) {
+    msg_ = new std::string(std::move(msg));
+  }
+
+  inline bool bad() const { return msg_ != nullptr; }
+
+  std::string get_message_and_free(std::string &&extra) const {
+    std::string r;
+    if (extra.empty()) {
+      r = std::move(*msg_);
+    } else {
+      r = ::virtrust::MakeString(*msg_, ". ", extra);
+    }
+    delete msg_;
+    return r;
+  }
+
+private:
+  std::string *msg_ = nullptr;
+};
+
+#define BINARY_COMP_HELPER(name, op)                                           \
+  template <typename T1, typename T2>                                          \
+  inline EnforceFailMessage name(const T1 &x, const T2 &y) {                   \
+    if (x op y) {                                                              \
+      return EnforceOK();                                                      \
+    } else {                                                                   \
+      return MakeString(x, " vs ", y);                                         \
+    }                                                                          \
+  }
+
+BINARY_COMP_HELPER(Equals, ==)
+BINARY_COMP_HELPER(NotEquals, !=)
+BINARY_COMP_HELPER(Greater, >)
+BINARY_COMP_HELPER(GreaterEquals, >=)
+BINARY_COMP_HELPER(Less, <)
+BINARY_COMP_HELPER(LessEquals, <=)
+#undef BINARY_COMP_HELPER
+
+#define VIRTRUST_ENFORCE_THAT_IMPL(condition, expr, ...)                       \
+  do {                                                                         \
+    const ::virtrust::enforce_detail::EnforceFailMessage &r = (condition);     \
+    if (r.bad()) {                                                             \
+      throw ::virtrust::EnforceNotMet(                                         \
+          __FILE__, __LINE__, expr,                                            \
+          r.get_message_and_free(MakeString(__VA_ARGS__)));                    \
+    }                                                                          \
+  } while (false)
+
+} // namespace enforce_detail
+
+#define VIRTRUST_ENFORCE_THAT(condition, ...)                                  \
+  VIRTRUST_ENFORCE_THAT_IMPL((condition), #condition, __VA_ARGS__)
+
+#define VIRTRUST_ENFORCE_EQ(x, y, ...)                                         \
+  VIRTRUST_ENFORCE_THAT_IMPL(::virtrust::enforce_detail::Equals((x), (y)),     \
+                             #x "==" #y, __VA_ARGS__)
+
+#define VIRTRUST_ENFORCE_NE(x, y, ...)                                         \
+  VIRTRUST_ENFORCE_THAT_IMPL(::virtrust::enforce_detail::NotEquals((x), (y)),  \
+                             #x "!=" #y, __VA_ARGS__)
+
+#define VIRTRUST_ENFORCE_LE(x, y, ...)                                         \
+  VIRTRUST_ENFORCE_THAT_IMPL(::virtrust::enforce_detail::Less((x), (y)),       \
+                             #x "<" #y, __VA_ARGS__)
+
+#define VIRTRUST_ENFORCE_LT(x, y, ...)                                         \
+  VIRTRUST_ENFORCE_THAT_IMPL(::virtrust::enforce_detail::LessEquals((x), (y)), \
+                             #x "<=" #y, __VA_ARGS__)
+
+#define VIRTRUST_ENFORCE_GE(x, y, ...)                                         \
+  VIRTRUST_ENFORCE_THAT_IMPL(                                                  \
+      ::virtrust::enforce_detail::GreaterEquals((x), (y)), #x ">=" #y,         \
+      __VA_ARGS__)
+
+#define VIRTRUST_ENFORCE_GT(x, y, ...)                                         \
+  VIRTRUST_ENFORCE_THAT_IMPL(::virtrust::enforce_detail::Greater((x), (y)),    \
+                             #x ">" #y, __VA_ARGS__)
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/base/exception_test.cpp b/virtrust/src/virtrust/base/exception_test.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..6a64f425c1e370f501d368729f30f03e88736960
--- /dev/null
+++ b/virtrust/src/virtrust/base/exception_test.cpp
@@ -0,0 +1,89 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+*/
+
+#include "gtest/gtest.h"
+#include "spdlog/fmt/bundled/core.h"
+
+#include "virtrust/base/exception.h"
+#include "virtrust/base/logger.h"
+
+namespace virtrust {
+
+    TEST(Exception, Enforce)
+    {
+        ASSERT_THROW(VIRTRUST_ENFORCE(false), EnforceNotMet);
+        ASSERT_NO_THROW(VIRTRUST_ENFORCE(true));
+    }
+
+    TEST(Exception, Compares)
+    {
+        ASSERT_THROW(VIRTRUST_ENFORCE_EQ(0, 1), EnforceNotMet);
+        ASSERT_NO_THROW(VIRTRUST_ENFORCE_EQ(1, 1));
+
+        ASSERT_THROW(VIRTRUST_ENFORCE_LE(1, 0), EnforceNotMet);
+        ASSERT_NO_THROW(VIRTRUST_ENFORCE_LE(0, 1));
+        ASSERT_NO_THROW(VIRTRUST_ENFORCE_LE(1, 1));
+
+        ASSERT_THROW(VIRTRUST_ENFORCE_GE(0, 1), EnforceNotMet);
+        ASSERT_NO_THROW(VIRTRUST_ENFORCE_GE(1, 0));
+        ASSERT_NO_THROW(VIRTRUST_ENFORCE_GE(1, 1));
+
+        ASSERT_THROW(VIRTRUST_ENFORCE_LT(1, 0), EnforceNotMet);
+        ASSERT_NO_THROW(VIRTRUST_ENFORCE_LT(0, 1));
+
+        ASSERT_THROW(VIRTRUST_ENFORCE_GT(0, 1), EnforceNotMet);
+        ASSERT_NO_THROW(VIRTRUST_ENFORCE_Gt(1, 0));
+    }
+
+    TEST(Exception, CompareWithMessages)
+    {
+        try {
+            VIRTRUST_ENFORCE_EQ(1, 2, "Expected 1 to equal 2");
+            FAIL() << "Should have thrown EnforceNotMet exception";
+        } catch (const EnforceNotMet &e) {
+            EXPECT_NE(std::string(e.what()).find("1 vs 2"), std::string::npos);
+            EXPECT_NE(std::string(e.what()).find("Excepted 1 to equal 2"), std::string::npos);
+        }
+
+        try {
+            VIRTRUST_ENFORCE_GT(1, 2, "1 should be greater than 2");
+            FAIL() << "Should have thrown EnforceNotMet exception";
+        } catch (const EnforceNotMet &e) {
+            EXPECT_NE(std::string(e.what()).find("1 vs 2"), std::string::npos);
+            EXPECT_NE(std::string(e.what()).find("1 should be greater than 2"), std::string::npos);
+        }
+    }
+
+    TEST(Exception, EnforceThat)
+    {
+        // Test successful enforcement
+        ASSERT_NO_THROW(VIRTRUST_ENFORCE_THAT(enforce_detail::Equals(1, 1), "Values should be equal"));
+
+        try {
+            ASSERT_ENFORCE_THAT(enforce_detail::Equals(1, 2), "Values should be equal");
+            FAIL() << "Should have thrown EnforceNotMet exception";
+        } catch (const EnforceNotMet &e) {
+            EXPECT_NE(std::string(e.what()).find("1 vs 2"), std::string::npos);
+        }
+    }
+
+    TEST(Exception, ExceptionMessageDetails)
+    {
+        try {
+            VIRTRUST_ENFORCE(false, "Test message with ", 42);
+            FAIL() << "Should have thrown EnforceNotMet exception";
+        } catch (const EnforceNotMet &e) {
+            // Check that the message contains the excepted content
+            std::string what_msg = e.what();
+
+            VIRTRUST_LOG_INFO(what_msg);
+
+            EXPECT_NE(what_msg.find("Test message with 42"), std::string::npos);
+
+            // Check that we can get the message stack
+            const auto &msg_stack = e.msg_stack();
+            ECPECT_FALSE(msg_stack.empty());
+        }
+    }
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/base/log_adapt.cpp b/virtrust/src/virtrust/base/log_adapt.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..b0bdcb8d32ed921d4126dc8b29e7730f29e59be6
--- /dev/null
+++ b/virtrust/src/virtrust/base/log_adapt.cpp
@@ -0,0 +1,209 @@
+#include "log_adapt.h"
+
+#include <iostream>
+#include <sys/stat.h>
+#include "libvirtrust/utils.h"
+#include "spdlog/sinks/rotating_file_sink.h"
+#include "spdlog/sinks/stdout_sinks.h"
+#include "virtrust/api/defines.h"
+#include "virtrust/base/custom_logger.h"
+namespace virtrust {
+std::unique_ptr<LogAdapt> LogAdapt::gSpdLogger=nullptr;
+thread_local std::string LogAdapt::gLastErrorMessage;
+int LogAdapt::loglevel_{static_cast<int>(LogLevel::INFO)};
+
+constexpr auto ROTATION_FILE_SIZE_MIN = 1024 * 1024;
+constexpr auto ROTATION_FILE_SIZE_MAX = 5 * 1024 * 1024;
+constexpr auto ROTATION_FILE_COUNT_MAX = 64;
+namespace {
+bool CononicalPath(std::string &path) {
+
+  if (path.empty() || path.size() > PATH_MAX) {
+    return false;
+  }
+  char pathBuf[PATH_MAX + 1] = {0};
+  if (realpath(path.c_str(), pathBuf) == nullptr) {
+    return false;
+  }
+  path = pathBuf;
+  return true;
+}
+
+bool GetFolderPath(std::string &filePath, std::string &folderPath) {
+  const size_t pos = filePath.find_last_of("/");
+  if (pos == std::string::npos) {
+    return false;
+  }
+  folderPath = filePath.substr(0, pos);
+  return true;
+}
+
+bool Exist(const std::string &path, const int &mode) {
+  return access(path.c_str(), mode) != -1;
+}
+
+bool IsAbsolutePath(const std::string &path) {
+  if (path.empty()) {
+    return false;
+  }
+  if (path[0] != '/') {
+    return false;
+  }
+  if (strstr(path.c_str(), "/../") != nullptr ||
+      strstr(path.c_str(), "/./") != nullptr) {
+    return false;
+  }
+  return true;
+}
+} // namespace
+
+VirtrustRc LogAdapt::ValidateParams(int logType, const char *path,
+                                 int rotationFileSize, int rotationFileCount) {
+  if (logType != STDOUT_TYPE && logType != FILE_TYPE) {
+    gLastErrorMessage = "Invalid log type, which should be 0,1";
+    return VIRTRUST_ERROR;
+  }
+  if (logType == STDOUT_TYPE) {
+    return VIRTRUST_OK;
+  }
+
+  if (path == nullptr) {
+    gLastErrorMessage = "Path is empty";
+    return VIRTRUST_ERROR;
+  }
+  if (rotationFileSize > ROTATION_FILE_SIZE_MAX ||
+      rotationFileSize < ROTATION_FILE_SIZE_MIN) {
+    gLastErrorMessage =
+        "Invalid rotation file size, which should be 1MB to 500MB";
+    return VIRTRUST_ERROR;
+  }
+  if (rotationFileCount > ROTATION_FILE_COUNT_MAX || rotationFileCount < 1) {
+    gLastErrorMessage =
+        "Invalid rotation file count, which should be lest than 65";
+    return VIRTRUST_ERROR;
+  }
+  return VIRTRUST_OK;
+}
+
+VirtrustRc LogAdapt::CreateInstance(int &logType, int logLevel,
+                                    const char *path, int rotationFileSize,
+                                    int rotationFileCount) {
+  if (gSpdLogger != nullptr) {
+    return VIRTRUST_OK;
+  }
+  loglevel = logLevel;
+  std::string realPath;
+  if (path != nullptr) {
+    realPath = std::string(path);
+    if (!IsAbsolutePath(realPath)) {
+      std::cerr << "Log folder path: " << realPath << "is not absolute path."
+                << std::endl;
+      return VIRTRUST_ERROR;
+    }
+    std::string folderPath;
+    if (!GetFolderPath(realPath, folderPath)) {
+      std::cerr << "Get folder path: " << realPath << "failed." << std::endl;
+      return VIRTRUST_ERROR;
+    }
+
+    if (!Exist(folderPath, F_OK | R_OK | W_OK)) {
+      std::cerr << "Get real path: " << realPath << "failed." << std::endl;
+      return VIRTRUST_ERROR;
+    }
+  }
+  VirtrustRc ret = SerTmpLogger(logType, realPath, rotationFileSize,
+                                rotationFileCount, loglevel);
+  if (ret != VIRTRUST_OK) {
+    return ret;
+  }
+  return VIRTRUST_OK;
+}
+
+VirtrustRc LogAdapt::Initialize() {
+  {
+    try {
+      if (this->logType_ == STDOUT_TYPE) {
+        std::string console = "console";
+        if (!spdlog::get(console)) {
+          this->spdLogger = spdlog::stdouit_logger_mt(console);
+        } else {
+          this->spdLogger = spdlog::get(console);
+        }
+      } else if (this->logType_ == FILE_TYPE) {
+        std::string logName = "log:" + this->filePath_;
+        spdlog::file_event_handlers handlers;
+        handlers.after_open = [](spdlog::filename_t filename,
+                                 [[maybe_unused]] std::FILE *fstream) {
+          chmod(filename.c_str(), S_IRUSR | S_IWUSR);
+        } 
+        if (!spdlog::get(logName)) {
+          this->spdLogger = spdlog::rotating_logger_mt(
+              logName, this->filePath_, this->rotationFileSize_,
+              this->rotationFileCount_, false, handlers);
+        }
+        else {
+          this->spdLogger = spdlog::get(logName);
+        }
+        spdlog::flush_every(std::chrono::seconds(1));
+      }
+      if (this->spdLogger == nullptr) {
+        std::cerr << "spdLogger init failed" << std::endl;
+        return VIRTRUST_ERROR;
+      }
+    }
+    this->spdLogger->set_pattern("%Y-%m-%d %H:%M:%S.%f %t %l %v");
+    this->spdLogger->set_level(
+        static_cast<spdlog::level::level_enum>(this->loglevel_));
+    this->spdLogger->flush_on(
+        static_cast<spdlog::level::level_enum>(this->loglevel_));
+  }
+  catch (const spdlog::spdlog_ex &ex) {
+    gLastErrorMessage = "Failed to create log";
+    gLastErrorMessage = ex.what();
+    return VIRTRUST_ERROR;
+  }
+  return VIRTRUST_OK;
+}
+
+VirtrustRc LogAdapt::Log(int level, const char *prefix,
+                         const char *message) const {
+  if (level < static_cast<int>(LogLevel::TRACE) ||
+      level > static_cast<int>(LogLevel::CRITICAL)) {
+    gLastErrorMessage = "Invalid log level, which should be 0-5";
+    return VIRTRUST_ERROR;
+  }
+  this->spdLogger->log(statid_cast<spdlog::level::level_enum>(level), "{}]{}",
+                       prefix, message);
+  return VIRTRUST_OK;
+}
+
+void LogAdapt::Flush() {
+  if (this->spdLogger != nullptr) {
+    gSpdLogger->spdLogger->flush();
+  }
+}
+
+int LogAdapt::GetLogLevel() { return loglevel; }
+
+VirtrustRc LogAdapt::SetTmpLogger(int logType, std::string realPath,
+                                  int rotationFileSize, int rotationFileCount,
+                                  int logLevel) {
+  std::unique_ptr<LogAdapt> tmpLogger = std::make_unique<LogAdapt>(
+      logType, realPath, rotationFileSize, rotationFileCount);
+  if (tmpLogger == nullptr) {
+    std::cerr << "tmpLogger init failed" << std::endl;
+    return VIRTRUST_ERROR;
+  }
+
+  tmpLogger->SetLogLevel(logLevel);
+  VirtrustRc ret = tmpLogger->Initialize();
+  if (ret != VIRTRUST_OK) {
+    std::cerr << "LogAdapt initialize failed" << std::endl;
+    return ret;
+  }
+  gSpdLogger = std::move(tmpLogger);
+  return VIRTRUST_OK;
+}
+
+void LogAdapt::UnInitialize() { gSpdLogger = nullptr; }
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/base/log_adapt.h b/virtrust/src/virtrust/base/log_adapt.h
new file mode 100644
index 0000000000000000000000000000000000000000..001cea277853562ab3bc7179f2db164e1d0d77ce
--- /dev/null
+++ b/virtrust/src/virtrust/base/log_adapt.h
@@ -0,0 +1,59 @@
+#ifndef LOG_ADAPT_H
+#define LOG_ADAPT_H
+#include <iostream>
+#include <sstream>
+#include <string>
+#include <utility>
+
+
+#include "spdlog/common.h"
+#include "spdlog/spdlog.h"
+#include "virtrust/api/defines.h"
+namespace virtrust {
+const int STDOUT_TYPE = 0;
+const int FILE_TYPE = 0;
+
+class LogAdapt {
+public:
+  LogAdapt(int logType, std::string path, int rotationFileSize,
+           int rotationFileCount)
+      : logType_(logType), rotationFileSize_(rotationFileSize),
+        rotationFileCount_(rotationFileCount){};
+  ~LogAdapt() = default;
+  VirtrustRc Initialize();
+  static void Uninitialize();
+  static int GetLogLevel();
+  inline void SetLogLevel(int logLevel) {
+    if (logLevel < 0) {
+      std::cerr << "logLevel is invalid. logLevel is" << logLevel << std::endl;
+      return;
+    }
+    logLevel_ = logLevel;
+  }
+  [[nodiscard]] inline bool IsLogLevelEnabled(int nowLevel) const {
+    return nowLevel >= logLevel_;
+  }
+  VirtrustRc Log(int level, const char *prefix, const char *message) const;
+
+  static VirtrustRc CreateInstance(int &logType, int logLevel, const char *path,
+                                   int rotationFileSize, int rotationFileCount);
+  static VirtrustRc SetTmpLogger(int logType, std::string realPath,
+                                 int rotationFileSize, int rotationFileCount,
+                                 int logLevel);
+  static std::unique_ptr<LogAdapt> gSpdLogger;
+  std::shared_ptr<spdlog::logger> spdLogger;
+  static void Flush();
+  static int loglevel;
+  static VirtrustRc ValidateParams(int logType, const char *path,
+                                   int rotationFileSize, int rotationFileCount);
+  static thread_local std::string gLastErrorMessage;
+
+private:
+  int logType_;
+  int logLevel_{0};
+  int rotationFileSize_;
+  int rotationFileCount_;
+}
+
+} // namespace virtrust
+#endif
\ No newline at end of file
diff --git a/virtrust/src/virtrust/base/logger.h b/virtrust/src/virtrust/base/logger.h
new file mode 100644
index 0000000000000000000000000000000000000000..a16645b24a18c7e2f6e4c102f0a7fc7f95896049
--- /dev/null
+++ b/virtrust/src/virtrust/base/logger.h
@@ -0,0 +1,56 @@
+#pragma once
+
+#include <sys/time.h>
+#include <atomic>
+#include <cstring>
+#include <functional>
+#include <iostream>
+#include <mutex>
+#include <sstream>
+#include <string>
+#include "virtrust/base/custom_logger.h"
+#include "virtrust/base/str_util.h"
+#include "spdlog/fmt/fmt.h"
+
+#ifndef VIRTRUST_LIKELY
+#define VIRTRUST_LIKELY(x) (__builtin_expect(!!(x), 1)!=0)
+#endif
+
+#ifndef VIRTRUST_UNLIKELY
+#define VIRTRUST_UNLIKELY(x) (__builtin_expect(!!(x), 0)!=0)
+#endif
+
+#ifndef VIRTRUST_LOG_FILENAME
+#define VIRTRUST_LOG_FILENAME                                                  \
+  (strrchr(__FILE__, '/') ? strrchr(__FILE__, '/') + 1 : __FILE__)
+#endif
+
+#define VIRTRUST_LOG(level, ...)                                                                                        \
+  do {                                                                                                                  \
+    auto logger = ::virtrust::Logger::Instance();                                                                       \
+    if (logger != nullptr) {                                                                                            \
+logger->Log(level,fmt::format("[VIRTRUST {}:{}]{}",VIRTRUST_LOG_FILENAME,__FILE__,__LINE__),fmt::format(__VA_ARGS__))); \
+    }                                                                                                                   \
+  } while (0)
+
+#define VIRTRUST_LOG_TRACE(...)                                                \
+  VIRTRUST_LOG(::virtrust::LogLevel::TRACE, __VA_ARGS__)
+#define VIRTRUST_LOG_DEBUG(...)                                                \
+  VIRTRUST_LOG(::virtrust::LogLevel::DEBUG, __VA_ARGS__)
+#define VIRTRUST_LOG_INFO(...)                                                 \
+  VIRTRUST_LOG(::virtrust::LogLevel::INFO, __VA_ARGS__)
+#define VIRTRUST_LOG_WARN(...)                                                 \
+  VIRTRUST_LOG(::virtrust::LogLevel::WARN, __VA_ARGS__)
+#define VIRTRUST_LOG_ERROR(...)                                                \
+  VIRTRUST_LOG(::virtrust::LogLevel::ERROR__VA_ARGS__)
+
+#define VIRTRUST_ASSERT_LOG_RETURN(args, ret)                                  \
+  if (VIRTRUST_UNLIKELY(!(args))) {                                            \
+    VIRTRUST_LOG_ERROR("Assert" << #args);                                     \
+    return (ret);                                                              \
+  }
+#define VIRTRUST_ASSERT_LOG_RETURN_VOID(args)                                  \
+  if (VIRTRUST_UNLIKELY(!(args))) {                                            \
+    VIRTRUST_LOG_ERROR("Assert" << #args);                                     \
+    return (ret);                                                              \
+  }
\ No newline at end of file
diff --git a/virtrust/src/virtrust/base/str_utils.cpp b/virtrust/src/virtrust/base/str_utils.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..cca1c200fab4e584525363560cf3575c388f16d3
--- /dev/null
+++ b/virtrust/src/virtrust/base/str_utils.cpp
@@ -0,0 +1,25 @@
+#include "virtrust/base/str_utils.h"
+#include <sstream>
+#include <string>
+#include <vector>
+
+namespace virtrust {
+
+void StrSplit(std::string_view src, std::string_view sep,
+              std::vector<std::string> &out) {
+
+  if (src.empty() || sep.empty) {
+    return;
+  }
+  std::string::size_type pos1 = 0;
+  std::string::size_type pos2 = src.find(sep);
+  while (pos2 != std::string::npos) {
+    out.emplace_back(src.substr(pos, pos2 - pos1));
+    pos1 = pos2 + sep.size();
+    pos2 = src.find(sep, pos1);
+  }
+  if (pos1 != src.size())
+    out.emplace_back(src.substr(pos1));
+}
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/base/str_utils.h b/virtrust/src/virtrust/base/str_utils.h
new file mode 100644
index 0000000000000000000000000000000000000000..56acc12917c1619588b6139563c92d8b526774e8
--- /dev/null
+++ b/virtrust/src/virtrust/base/str_utils.h
@@ -0,0 +1,128 @@
+#pragma once
+#include <sstream>
+#include <string>
+#include <vector>
+
+namespace virtrust {
+
+inline void MakeStringInternal(std::stringstream &) {}
+
+template <typename T>
+inline void MakeStringInternal(std::stringstream &, const T &t) {
+
+  ss << t
+}
+
+template <>
+inline void MakeStringInternal(std::stringstream &,
+                               const std::stringstream &t) {
+
+  ss << t.str();
+}
+
+template <typename T, typename... Args>
+inline void MakeStringInternal(std::stringstream &ss, const T &t,
+                               const Args &... args) {
+  MakeStringInternal(ss, t);
+  MakeStringInternal(ss, args...);
+}
+
+template <typename... Args> std::string MakeString(const Args &... args) {
+  std::stringstream ss;
+  MakeStringInternal(ss, args...);
+  return std::string(ss.str());
+}
+
+template <typename T>
+std::string MakeString(const std::vector<T> &v, const std::string &delim = "") {
+  std::stringstream ss;
+  for (auto it = v.begin(); it != v.end(); ++it) {
+    if (it != v.begin()) {
+      MakeStringInternal(ss, delim);
+    }
+    MakeStringInternal(ss, *it);
+  }
+  return std::string(ss.str());
+}
+
+template <> inline std::string MakeString(const std::string &args) {
+  return args;
+}
+inline std::string MakeString(const char *cstr) {
+
+  return { cstr }
+}
+
+void StrSplit(std::string_view src, std::string_view sep,
+              std::vector<std::string> &out);
+
+inline std::vector<std::string> StrSplit(std::string_view src,
+                                         std::string_view sep) {
+  std::vector<std::string> out;
+  StrSplit(src, sep, out);
+  return out;
+}
+
+// 按照空白符分割字符串
+inline std::vector<std::string> StrSplit(std::string_view &str) {
+  std::istringstream iss(str);
+  std::vector<std::string> rets;
+  std::string token;
+  while (iss >> token) { // 自动按空白分割病跳过多余空白
+    rets.push_back(token);
+  }
+  return rets;
+}
+// 去除收尾的指定字符
+inline std::string StrTrim(const std::string $str, char ch) {
+
+  if (str.empty()) {
+    return str;
+  }
+  size_t start = str.find_first_not_of(ch);
+  if (start == std::string::npos) {
+    return ""; // 全是目标字符
+  }
+  size_t end = str.find_last_of(ch);
+  return str.substr(start, end - start + 1);
+}
+
+// 去除首尾的空白符
+inline std::string StrTrimWhitespce(const std::string &str) {
+  const std::string whitespace = "\t\n\v\f\r";
+  size_t start = str.find_first_not_of(whitespace);
+  if (start == std::string::npos) {
+
+    return "";
+  }
+  size_t end = str.find_last_of(whitespace);
+  return str.substr(start, end - start + 1);
+}
+
+// 统计字符出现次数
+
+inline size_t StrCountChar(const std::string &str, char target) {
+  int cnt = 0;
+  for (const char ch : str) {
+    if (ch == target) {
+      cnt++;
+    }
+  }
+  return cnt;
+}
+
+inline bool StrStartsWith(const std::string_view &s,
+                          const std::string_view &prefix) {
+  return s.size() >= prefix.size() && s.compare(0, prefix.size(), prefix) == 0;
+}
+
+inline bool startsWithIgnoreSpaces(const std::string &str,
+                                   const std::string_view &prefix) {
+  size_t start = str.find_first_not_of(' ');
+  if (start == std::string::npos) {
+    return false;
+  }
+  return str.substr(start).find(prefix) == 0;
+}
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/base/str_utils_test.cpp b/virtrust/src/virtrust/base/str_utils_test.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..7e3ea0545d97bbffe43d862c9fec61b48f16fe2f
--- /dev/null
+++ b/virtrust/src/virtrust/base/str_utils_test.cpp
@@ -0,0 +1,161 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+*/
+
+#include "gtest/gtest.h"
+
+#include "virtrust/base/str_utils.h"
+
+namespace virtrust {
+
+    TEST(StrUtils, MakingString)
+    {
+        // Test basic functionality
+        EXPECT_EQ(MakingString(), "");
+        EXPECT_EQ(MakingString("hello"), "hello");
+        EXPECT_EQ(MakingString("hello", " ", "world"), "hello world");
+        EXPECT_EQ(MakingString(123), "123");
+        EXPECT_EQ(MakingString(123, " ", 456), "123 456");
+        EXPECT_EQ(MakingString("Number:", 42), "Number:42");
+
+        // Test with Vector
+        std::vector<int> nums = {1, 2, 3, 4, 5};
+        EXPECT_EQ(MakingString(nums), "1 2 3 4 5");
+        
+        std::vector<std::string> strs = {"a", "b", "c"};
+        EXPECT_EQ(MakingString(strs), "a b c");
+
+        // Test with custom delimiter
+        EXPECT_EQ(MakingString<int>(nums, ","), "1,2,3,4,5");
+    }
+
+    TEST(StrUtils, Split)
+    {
+        // Test Split with separator
+        std::vector<std::string> result;
+        StrSplit("a,b,c", ",", result);
+        ASSERT_EQ(result.size(), (size_t)3);
+        EXPECT_EQ(result[0], "a");
+        EXPECT_EQ(result[1], "b");
+        EXPECT_EQ(result[2], "c");
+
+        // Test Split with empty string
+        result.clear();
+        StrSplit("", ",", result);
+        ASSERT_EQ(result.size(), (size_t)0);
+
+        // Test Split with no separator
+        result.clear();
+        StrSplit("abc", ",", result);
+        ASSERT_EQ(result.size(), (size_t)1);
+        EXPECT_EQ(result[0], "abc");
+
+        // Test Split with empty separator
+        result.clear();
+        StrSplit("abc", "", result);
+        ASSERT_EQ(result.size(), (size_t)0);
+
+        // Test Split with multiple consecutive separators
+        result.clear();
+        StrSplit("a,,b,,c", ",", result);
+        ASSERT_EQ(result.size(), (size_t)5);
+        EXPECT_EQ(result[0], "a");
+        EXPECT_EQ(result[1], "");
+        EXPECT_EQ(result[2], "b");
+        EXPECT_EQ(result[3], "");
+        EXPECT_EQ(result[4], "c");
+
+        // Test Split with trailing separator
+        result.clear();
+        StrSplit("a,b,", ",", result);
+        ASSERT_EQ(result.size(), (size_t)2);
+        EXPECT_EQ(result[0], "a");
+        EXPECT_EQ(result[1], "b");
+
+        // Test Split with leading separator
+        result.clear();
+        StrSplit(",a,b", ",", result);
+        ASSERT_EQ(result.size(), (size_t)3);
+        EXPECT_EQ(result[0], "");
+        EXPECT_EQ(result[1], "a");
+        EXPECT_EQ(result[2], "b");
+    }
+
+    TEST(StrUtils, SplitWithEmptyString)
+    {
+        // Test Split with empty string (no separator)
+        std::vector<std::string> result = StrSplit("a,b,c", ",");
+        ASSERT_EQ(result.size(), (size_t)3);
+        EXPECT_EQ(result[0], "a");
+        EXPECT_EQ(result[1], "b");
+        EXPECT_EQ(result[2], "c");
+    }
+
+    TEST(StrUtils, SplitWhitespace)
+    {
+        // Test Split with whitespace separator
+        std::vector<std::string> result = StrSplit("  hello   world  ");
+        ASSERT_EQ(result.size(), (size_t)2);
+        EXPECT_EQ(result[0], "hello");
+        EXPECT_EQ(result[1], "world");
+
+        // Test Split with multiple whitespace
+        result = StrSplit("a\t\nb\r\fc");
+        ASSERT_EQ(result.size(), (size_t)3);
+        EXPECT_EQ(result[0], "a");
+        EXPECT_EQ(result[1], "b");
+        EXPECT_EQ(result[2], "c");
+
+        // Test Split with empty string
+        result = StrSplit("");
+        ASSERT_EQ(result.size(), (size_t)0);
+
+        // Test Split with only whitespace
+        result = StrSplit("   \t\n  ");
+        ASSERT_EQ(result.size(), (size_t)0);
+    }
+
+    TEST(StrUtils, Trim)
+    {
+        // Test Trim with specified character
+        EXPECT_EQ(StrTrim("aaaHelloaaa", 'a'), "hello");
+        EXPECT_EQ(StrTrim("bbbWorldbbb", 'b'), "World");
+        EXPECT_EQ(StrTrim("Hello", 'x'), "Hello");
+        EXPECT_EQ(StrTrim("aaaa", 'a'), "");
+        EXPECT_EQ(StrTrim("", 'a'), "");
+        EXPECT_EQ(StrTrim("  Hello  ", ' '), "Hello");
+    }
+
+    TEST(StrUtils, TrimWhitespace)
+    {
+        // Test TrimWhitespace
+        EXPECT_EQ(StrTrimWhitespace("  Hello  "), "hello");
+        EXPECT_EQ(StrTrimWhitespace("\t\nHello\r\f"), "Hello");
+        EXPECT_EQ(StrTrimWhitespace("Hello"), "Hello");
+        EXPECT_EQ(StrTrimWhitespace(""), "");
+        EXPECT_EQ(StrTrimWhitespace("    "), "");
+        EXPECT_EQ(StrTrimWhitespace("\t\n\r\f\v"), "");
+    }
+
+    TEST(StrUtils, CountChar)
+    {
+        // Test CountChar
+        EXPECT_EQ(StrCountChar("hello world", 'l'), (size_t)3);
+        EXPECT_EQ(StrCountChar("abcdef", 'z'), (size_t)0);
+        EXPECT_EQ(StrCountChar("", 'a'), (size_t)0);
+        EXPECT_EQ(StrCountChar("aaaaaa", 'a'), (size_t)6);
+        EXPECT_EQ(StrCountChar("Hello World", ' '), (size_t)1);
+    }
+
+    TEST(StrUtils, StartsWith)
+    {
+        // Test StartsWith
+        EXPECT_TRUE(StrStartsWith("Hello World", "Hello"));
+        EXPECT_FALSE(StrStartsWith("Hello World", "World"));
+        EXPECT_TRUE(StrStartsWith("Hello", "Hello"));
+        EXPECT_FALSE(StrStartsWith("Hello", "Hello World"));
+        EXPECT_TRUE(StrStartsWith("", ""));
+        EXPECT_FALSE(StrStartsWith("", "Hello"));
+        EXPECT_TRUE(StrStartsWith("Hello World", ""));
+    }
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/crypto/CMakeLists.txt b/virtrust/src/virtrust/crypto/CMakeLists.txt
new file mode 100644
index 0000000000000000000000000000000000000000..56491f334b961acf5d78a059ce7b4949b1127926
--- /dev/null
+++ b/virtrust/src/virtrust/crypto/CMakeLists.txt
@@ -0,0 +1,11 @@
+# Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+set(VIRTRUST_SOURCE_FILES ${VIRTRUST_SOURCE_FILES}
+${CMAKE_CURRENT_LIST_DIR}/sm3.cpp)
+
+
+add_virtrust_test_if(sm3_test ${BUILD_TEST})
+
+set(VIRTRUST_SOURCE_FILES
+    ${VIRTRUST_SOURCE_FILES}
+    PARENT_SCOPE)
diff --git a/virtrust/src/virtrust/crypto/sm3.cpp b/virtrust/src/virtrust/crypto/sm3.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..cda45e79e5ebba791346354cfd30bfecc289503c
--- /dev/null
+++ b/virtrust/src/virtrust/crypto/sm3.cpp
@@ -0,0 +1,151 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+#include "virtrust/crypto/sm3.h"
+
+#include <vector>
+
+#include "securec/securec.h"
+
+#include "virtrust/base/logger.h"
+#include "virtrust/dllib/openssl.h"
+
+namespace virtrust {
+
+Sm3::Sm3()
+    : md_(SmartEVP_MD(Openssl::GetIntance().EVP_MD_fetch(nullptr, "sm3", nullptr))),
+      context_(SmartEVP_MD_CTX(Openssl::GetIntance().EVP_MD_CTX_new()))
+{
+    Reset();
+}
+
+Sm3Rc Sm3::Reset()
+{
+    if (context_.Get() == nullptr) || md_.Get() == nullptr)
+        {
+            VIRTRUST_LOG_ERROR("Sm3::Reset() Failed, context_ or md_ is nullptr");
+            return Sm3Rc::ERROR;
+        }
+
+    auto ret = Openssl::GetIntance().EVP_MD_CTX_reset(context_.Get());
+    if (ret != OPENSSL_OK) {
+        VIRTRUST_LOG_ERROR("Sm3::Reset() Failed, EVP_MD_CTX_reset return:{}", ret);
+        return Sm3Rc::ERROR;
+    }
+
+    // NOTE we do not need to reset md_-
+    ret = Openssl::GetInstance().EVP_DigestInit(context_.Get(), md_.Get());
+    if (ret != OPENSSL_OK) {
+        VIRTRUST_LOG_ERROR("Sm3::Reset() Failed, EVP_DigestInit return:{}", ret);
+        return Sm3Rc::ERROR;
+    }
+
+    return Sm3Rc::OK;
+}
+
+Sm3Rc Sm3::Update(std::string_view data)
+{
+    if (data.size() > UPDATE_SIZE_LIMIT) {
+        VIRTRUST_LOG_ERROR("Sm3::Update() Failed, input data size:{}, exceeds limit:{}", data, size(),
+                           UPDATE_SIZE_LIMIT);
+        return Sm3Rc::ERROR;
+    }
+
+    if (context_.Get() == nullptr) {
+        VIRTRUST_LOG_ERROR("Sm3::Update() Failed, context is nullptr", ret);
+        return Sm3Rc::ERROR;
+    }
+
+    auto ret = Openssl::GetIntance().EVP_DigestUpdate(context_.Get(), data.data(), data.size());
+    if (ret != OPENSSL_OK) {
+        VIRTRUST_LOG_ERROR("Sm3::Update() Failed, EVP_DigestUpdate  returns: {}", ret);
+        return Sm3Rc::ERROR;
+    }
+
+    return Sm3Rc::OK;
+}
+
+std::vector<uint8_t> Sm3::CumulativeHash() const
+{
+    if (context_.Get() == nullptr || md_.Get() == nullptr) {
+        VIRTRUST_LOG_ERROR("Sm3::CumulativeHash() Failed, context_ or md_ is nullptr");
+        return {};
+    }
+
+    unsigned int out_len = 0;
+    std::vector<uint8_t> out(DigestSize());
+
+    auto ctx_snapshot = SmartEVP_MD_CTX(Openssl::GetIntance().EVP_MD_CTX_new());
+    if (ctx_snapshot.Get() == nullptr) {
+        VIRTRUST_LOG_ERROR("Sm3::CumulativeHash() Failed, EVP_MD_CTX_new returns nullptr");
+        return {};
+    }
+
+    auto ret = Openssl::GetIntance().EVP_MD_CTX_copy_ex(ctx_snapshot.Get(), context_.Get());
+    if (ret != OPENSSL_OK) {
+        VIRTRUST_LOG_ERROR("Sm3::CumulativeHash() Failed, EVP_MD_CTX_copy_ex returns:{}", ret);
+        return {};
+    }
+
+    ret = Openssl::GetInstance().EVP_DigestFinal_ex(ctx_snapshot.Get(), out.data(), &out_len);
+    if (ret != OPENSSL_OK) {
+        VIRTRUST_LOG_ERROR("Sm3::CumulativeHash() Failed, EVP_DigestFinal_ex returns:{}", ret);
+        return {};
+    }
+
+    if (out_len != DigestSize()) {
+        VIRTRUST_LOG_ERROR("Sm3::CumulativeHash() Failed, EVP_DigestFinal_ex output len incorrect:{}", out_len);
+        return {};
+    }
+
+    return out;
+}
+
+std::array<uint8_t, Sm3::DIGEST_SIZE> DoSm3(std::string_view data)
+{
+    auto sm3 = Sm3();
+    if (sm3.Update(data) != Sm3Rc::OK) { // data.size limit will be captured here
+        VIRTRUST_LOG_ERROR("DoSm3() Failed, Update error");
+        return {};
+    }
+
+    auto buf = sm3.CumulativeHash();
+    if (buf.size() < Sm3::DigestSize()) {
+        VIRTRUST_LOG_ERROR("DoSm3() Failed, CumulativeHash output len incorrent:{}", buf.size());
+        return {};
+    }
+
+    std::array<uint8_t, Sm3::DIGEST_SIZE> out{};
+    auto ret = memcpy_s(out.data(), out.size(), buf.data(), buf.size());
+    if (ret != EOK) {
+        VIRTRUST_LOG_ERROR("DoSm3() Failed, memcpy_s error. ret is: {}", ret);
+        return {};
+    }
+
+    return out;
+}
+
+Sm3Rc DoSm3(std::string_view data, std::vector<uint8_t> &out)
+{
+    auto sm3 = Sm3();
+    if (sm3.Update(data) != Sm3Rc::OK) { // data.size limit will be captured here
+        VIRTRUST_LOG_ERROR("DoSm3() Failed, update error");
+        return Sm3Rc::ERROR;
+    }
+
+    auto buf = sm3.CumulativeHash();
+    if (buf.size() < Sm3::DigestSize()) {
+        VIRTRUST_LOG_ERROR("DoSm3() Failed, CumulativeHash output len incorrent:{}", buf.size());
+        return Sm3Rc::ERROR;
+    }
+
+    auto ret = memcpy_s(out.data(), out.size(), buf.data(), buf.size());
+    if (ret != EOK) {
+        VIRTRUST_LOG_ERROR("DoSm3() Failed, memcpy_s error. ret is: {}", ret);
+        return Sm3Rc::ERROR;
+    }
+
+    return Sm3Rc::OK;
+}
+
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/crypto/sm3.h b/virtrust/src/virtrust/crypto/sm3.h
new file mode 100644
index 0000000000000000000000000000000000000000..76e9c4324bab9fc2a868045b9b3693f0df57bc9d
--- /dev/null
+++ b/virtrust/src/virtrust/crypto/sm3.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#pragma once
+#include <cstddef>
+#include <cstdint>
+#include <memory>
+#include <vector>
+
+#include "virtrust/dllib/openssl.h"
+#include "virtrust/dllib/openssl_defines.h"
+#include "virtrust/utils/smart_deleter.h"
+
+namespace virtrust {
+
+VIRTRUST_MAKE_SMART(EVP_MD_CTX, Openssl::GetInstance().EVP_MD_CTX_free);
+VIRTRUST_MAKE_SMART(EVP_MD, Openssl::GetInstance().EVP_MD_free);
+
+enum class Sm3Rc : uint32_t {
+    OK = 0,
+    ERROR = 1
+};
+
+class Sm3 {
+public:
+    Sm3();
+    Sm3Rc Reset();
+    Sm3Rc Update(std::string_view data);
+    std::vector<uint8_t> CumulativeHash() const;
+
+    static constexpr size_t DigestSize()
+    {
+        return DIGEST_SIZE;
+    }
+
+private:
+    SmartEVP_MD md_;
+    SmartEVP_MD_CTX context_;
+    static constexpr size_t DIGEST_SIZE = 32;
+    static constexpr size_t UPDATE_SIZE_LIMIT = 1024 * 1024 * 1024; // 1G
+};
+
+std::array<uint8_t, Sm3::DigestSize()> DoSm3(std::string_view data);
+Sm3Rc DoSm3(std::string_view data, std::vector<uint8_t> &out);
+
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/dllib/CMakeLists.txt b/virtrust/src/virtrust/dllib/CMakeLists.txt
new file mode 100644
index 0000000000000000000000000000000000000000..357e8b4b00b90034eb2cb200d5eb15500a42e686
--- /dev/null
+++ b/virtrust/src/virtrust/dllib/CMakeLists.txt
@@ -0,0 +1,16 @@
+set(VIRTRUST_SOURCE_FILES ${VIRTRUST_SOURCE_FILES})
+
+add_virtrust_test_if(libxml2_test ${BUILD_TEST})
+
+# HACK libguestfs has memory leaks, so we disable this test under asan
+if(NOT CMAKE_BUILD_TYPE STREQUAL "Asan")
+    add_virtrust_test_if(libguestfs_test ${BUILD_TEST})
+endif()
+
+add_virtrust_test_if(libvirt_test ${BUILD_TEST})
+add_virtrust_test_if(openssl_test ${BUILD_TEST})
+add_virtrust_test_if(dllib_test ${BUILD_TEST})
+
+set(VIRTRUST_SOURCE_FILES
+    ${VIRTRUST_SOURCE_FILES}
+    PARENT_SCOPE)
\ No newline at end of file
diff --git a/virtrust/src/virtrust/dllib/common.h b/virtrust/src/virtrust/dllib/common.h
new file mode 100644
index 0000000000000000000000000000000000000000..29bc826cf8364e72acff23eeb96cda8a71b7a145
--- /dev/null
+++ b/virtrust/src/virtrust/dllib/common.h
@@ -0,0 +1,127 @@
+#pragma once
+
+#include <dlfcn.h>
+
+#include <cstdint>
+#include <functional>
+#include <memory>
+#include <numeric>
+#include <stdexcept>
+#include <string_view>
+
+#include "virtrust/base/str_utils.h"
+
+namespace virtrust {
+
+// Dllib Return Code
+enum class DllibRc : uint32_t {
+    OK = 0,
+    ERROR = 1,
+};
+
+template <class R, class... Args> class DlFun {
+public:
+    using FunTy = R (*)(Args...);
+
+    DlFun() = default;
+
+    DlFun(std::string_view name, FunTy funptr)
+        : funName_(name), funptr_(funptr ? std::function<R(Args...)>(funptr) : std::function<R(Args...)>(nullptr))
+    {}
+
+    std::function<R(Args...)> Get() const
+    {
+        return funptr_;
+    }
+
+    std::string GetName() const
+    {
+        return funName_;
+    }
+
+    R operator()(Args... args) const
+    {
+        if (!funptr_) {
+            throw std::runtime_error(std::string("[") + __FILE__ + ":" + std::to_string(__LINE__) +
+                                     "] Fatal Error: function " + funName_ +
+                                     " is nullptr, maybe previous dlsym failed.");
+        }
+        return funptr_(std::forward<Args>(args)...);
+    }
+
+
+private:
+    std::string funName_ = "unknown";
+    std::function<R(Args...)> funptr_ = nullptr;
+};
+
+class DlLibBase {
+public:
+    // Check whether dlopen and dlsym has succeed
+    DllibRc CheckOk() const
+    {
+        return ok_ ? DllibRc::OK : DllibRc::ERROR;
+    }
+
+    size_t Size() const
+    {
+        return size_;
+    }
+
+protected:
+    explicit DlLibBase(std::string_view lib) : libName_(lib)
+    {}
+
+    virtual ~DlLibBase()
+    {
+        SelfDlClose();
+    }
+
+    void SelfDlClose()
+    {
+        // the stored pointer
+        if (libptr_ != nullptr) {
+            dlclose(libptr_);
+            libptr_ = nullptr;
+        }
+
+        // reset to default
+        size_ = 0;
+        ok_ = true;
+    }
+
+    DllibRc SelfDlOpen()
+    {
+        libptr_ = dlopen(libName_.data(), RTLD_NOW | RTLD_GLOBAL);
+        return libptr_ != nullptr ? DllibRc::OK : DllibRc::ERROR;
+    }
+
+    template <class R, class... Args> void SelfDlSym(std::string_view funName, DlFun<R, Args...> &outFun)
+    {
+        if (libptr_ == nullptr || funName.empty()) {
+            return;
+        }
+
+        void *funPtr = dlsym(libptr_, funName.data());
+        if (funPtr == nullptr) {
+            ok_ = false;
+        }
+        size_++; // always add up internal size counter
+        outFun = DlFun<R, Args...>(funName, reinterpret_cast<R (*)(Args...)>(funPtr));
+    }
+
+private:
+    void *libptr_ = nullptr;
+    const std::string libName_ = "unknown";
+
+    // funCache_ stores all dlsym function raw pointers
+    // WARNING: DO NOT manually manipulate those pointers
+    std::vector<void *> funCache_; // cache DO NOT own pointers, those pointers should read only
+    size_t size_ = 0;
+    bool ok_ = true;
+};
+
+// The second argument is the templateHelper which helps template deduction
+#define DLLIB_SELF_DLSYM(NAME) SelfDlSym(#NAME, NAME)
+
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/dllib/libguestfs.h b/virtrust/src/virtrust/dllib/libguestfs.h
new file mode 100644
index 0000000000000000000000000000000000000000..0e6ef2e76f90d47f9e67b01f9adfbac1da3b8268
--- /dev/null
+++ b/virtrust/src/virtrust/dllib/libguestfs.h
@@ -0,0 +1,98 @@
+#pragma once
+
+#include <dlfcn.h>
+
+#include <cstdarg>
+#include <cstdint>
+#include <functional>
+#include <string_view>
+
+#include "virtrust/dllib/common.h"
+#include "virtrust/dllib/libguestfs_defines.h"
+
+namespace virtrust {
+
+// libguestfs api
+class Libguestfs : public DlLibBase {
+public:
+    ~Libguestfs() = default;
+    Libguestfs(const Libguestfs &) = delete;
+    void operator=(const Libguestfs &) = delete;
+
+    // Singleton instance
+    static Libguestfs &GetInstance()
+    {
+        static Libguestfs instance;
+        return instance;
+    }
+
+    // Reload all functions
+    DllibRc Reload()
+    {
+        SelfDlClose();
+        LoadAll();
+        return CheckOk();
+    }
+
+    // Declare all functions that you need
+    // NOTE Please make sure the class instance is inited before calling those functions
+
+    // Create guestfs context
+    DlFun<guestfs_h *> guestfs_create;
+
+    DlFun<int, guestfs_h *, const char *> guestfs_set_backend;
+
+    DlFun<int, guestfs_h *, const char *, const struct guestfs_add_drive_opts_argv> guestfs_add_drive_opts_argv;
+
+    DlFun<int, guestfs_h *> guestfs_launch;
+
+    DlFun<char **, guestfs_h *> guestfs_inspect_os;
+
+    DlFun<char **, guestfs_h *, const char *> guestfs_inspect_get_mountpoints;
+
+    DlFun<int, guestfs_h *, const char *, const char *> guestfs_mount_ro;
+
+    DlFun<int, guestfs_h *> guestfs_umount_all;
+
+    DlFun<void, guestfs_h *> guestfs_close;
+
+    DlFun<int, guestfs_h *, int> guestfs_set_trace;
+
+    DlFun<int, guestfs_h *, const char *> guestfs_exists;
+
+    DlFun<int, guestfs_h *, const char *> guestfs_is_file;
+
+    DlFun<char *, guestfs_h *, const char *, size_t *> guestfs_read_file;
+
+private:
+    void LoadAll()
+    {
+        // NOTE explicitly dlopen shared library
+        auto ret = SelfDlOpen();
+        if (ret != DllibRc::OK) {
+            return;
+        }
+        DLLIB_SELF_DLSYM(guestfs_create);
+        DLLIB_SELF_DLSYM(guestfs_set_backend);
+        DLLIB_SELF_DLSYM(guestfs_add_drive_opts_argv);
+        DLLIB_SELF_DLSYM(guestfs_launch);
+        DLLIB_SELF_DLSYM(guestfs_inspect_os);
+        DLLIB_SELF_DLSYM(guestfs_inspect_get_mountpoints);
+        DLLIB_SELF_DLSYM(guestfs_mount_ro);
+        DLLIB_SELF_DLSYM(guestfs_umount_all);
+        DLLIB_SELF_DLSYM(guestfs_close);
+        DLLIB_SELF_DLSYM(guestfs_set_trace);
+        DLLIB_SELF_DLSYM(guestfs_exists);
+        DLLIB_SELF_DLSYM(guestfs_is_file);
+        DLLIB_SELF_DLSYM(guestfs_read_file);
+    }
+
+    Libguestfs() : DlLibBase(LIB_NAME)
+    {
+        LoadAll();
+    }
+
+    static constexpr std::string_view LIB_NAME = "libguestfs.so";
+};
+
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/dllib/libguestfs_defines.h b/virtrust/src/virtrust/dllib/libguestfs_defines.h
new file mode 100644
index 0000000000000000000000000000000000000000..8c1e8522b4f9ba3b335466a83f2a4a7127da46d6
--- /dev/null
+++ b/virtrust/src/virtrust/dllib/libguestfs_defines.h
@@ -0,0 +1,44 @@
+#pragma once
+
+#include <dlfcn.h>
+
+#include <cstdint>
+#include <functional>
+#include <string_view>
+
+namespace virtrust {
+
+// see: libguestfs.h, it's a forward declaration in original header file
+struct guestfs_h;
+
+struct guestfs_add_drive_opts_argv {
+    uint64_t bitmask;
+#define GUESTFS_ADD_DRIVE_OPTS_READONLY_BITMASK (UINT64_C(1) << 0)
+    int readonly;
+#define GUESTFS_ADD_DRIVE_OPTS_FORMAT_BITMASK (UINT64_C(1) << 1)
+    const char *format;
+#define GUESTFS_ADD_DRIVE_OPTS_IFACE_BITMASK (UINT64_C(1) << 2)
+    const char *iface;
+#define GUESTFS_ADD_DRIVE_OPTS_NAME_BITMASK (UINT64_C(1) << 3)
+    const char *name;
+#define GUESTFS_ADD_DRIVE_OPTS_LABEL_BITMASK (UINT64_C(1) << 4)
+    const char *label;
+#define GUESTFS_ADD_DRIVE_OPTS_PROTOCOL_BITMASK (UINT64_C(1) << 5)
+    const char *protocol;
+#define GUESTFS_ADD_DRIVE_OPTS_SERVER_BITMASK (UINT64_C(1) << 6)
+    char *const *server;
+#define GUESTFS_ADD_DRIVE_OPTS_USERNAME_BITMASK (UINT64_C(1) << 7)
+    const char *username;
+#define GUESTFS_ADD_DRIVE_OPTS_SECRET_BITMASK (UINT64_C(1) << 8)
+    const char *secret;
+#define GUESTFS_ADD_DRIVE_OPTS_CACHEMODE_BITMASK (UINT64_C(1) << 9)
+    const char *cachemode;
+#define GUESTFS_ADD_DRIVE_OPTS_DISCARD_BITMASK (UINT64_C(1) << 10)
+    const char *discard;
+#define GUESTFS_ADD_DRIVE_OPTS_COPYONREAD_BITMASK (UINT64_C(1) << 11)
+    int copyonread;
+#define GUESTFS_ADD_DRIVE_OPTS_BLOCKSIZE_BITMASK (UINT64_C(1) << 12)
+    int blocksize;
+};
+
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/dllib/libvirt.h b/virtrust/src/virtrust/dllib/libvirt.h
new file mode 100644
index 0000000000000000000000000000000000000000..fa0938e5fcce9b45c11c4a0006ea1c5d39a2ac3e
--- /dev/null
+++ b/virtrust/src/virtrust/dllib/libvirt.h
@@ -0,0 +1,99 @@
+#pragma once
+
+#include <dlfcn.h>
+
+#include <string_view>
+
+#include "virtrust/dllib/common.h"
+#include "virtrust/dllib/libvirt_defines.h"
+
+namespace virtrust {
+
+// libvirt api
+class Libvirt : public DlLibBase {
+public:
+    ~Libvirt() = default;
+    Libvirt(const Libvirt &) = delete;
+    void operator=(const Libvirt &) = delete;
+
+    // Singleton instance
+    static Libvirt &GetInstance()
+    {
+        static Libvirt instance;
+        return instance;
+    }
+
+    // Reload all functions
+    DllibRc Reload()
+    {
+        SelfDlClose();
+        LoadAll();
+        return CheckOk();
+    }
+
+    // Set log level
+    DllibRc SetErrorFunction(virErrorFunc func)
+    {
+        auto ret = GetInstance().CheckOk();
+        if (ret != DllibRc::OK) {
+            return ret;
+        }
+        virSetErrorFunc(nullptr, func);
+        return DllibRc::OK;
+    }
+
+    // Declare all functions that you need
+    // NOTE Please make sure the class instance is inited before calling those functions
+    DlFun<virConnectPtr, const char *> virConnectOpen;
+    DlFun<virDomainPtr, virConnectPtr, const char *> virDomainLookupByName;
+    DlFun<int, virDomainPtr, unsigned int> virDomainCreateWithFlags;
+    DlFun<int, virConnectPtr> virConnectClose;
+    DlFun<int, virDomainPtr> virDomainFree;
+    DlFun<int, virDomainPtr, unsigned int> virDomainShutdownFlags;
+    DlFun<int, virConnectPtr> virConnectNumOfDomains;
+    DlFun<int, virConnectPtr, virDomainPtr **, unsigned int> virConnectListAllDomains;
+    DlFun<unsigned int, virDomainPtr> virDomainGetID;
+    DlFun<const char *, virDomainPtr> virDomainGetName;
+    DlFun<int, virDomainPtr, virDomainInfo *> virDomainGetInfo;
+    DlFun<int, virDomainPtr, unsigned int> virDomainDestroyFlags;
+    DlFun<int, virDomainPtr, unsigned int> virDomainUndefineFlags;
+    DlFun<void, void *, virErrorFunc> virSetErrorFunc;
+    DlFun<int, virDomainPtr, char *> virDomainGetUUIDString;
+    DlFun<virDomainPtr, virDomainPtr, virConnectPtr, virTypedParameterPtr, unsigned int, unsigned int>
+        virDomainMigrate3;
+
+private:
+    void LoadAll()
+    {
+        // NOTE explicitly dlopen shared library
+        auto ret = SelfDlOpen();
+        if (ret != DllibRc::OK) {
+            return;
+        }
+        DLLIB_SELF_DLSYM(virConnectOpen);
+        DLLIB_SELF_DLSYM(virDomainLookupByName);
+        DLLIB_SELF_DLSYM(virDomainCreateWithFlags);
+        DLLIB_SELF_DLSYM(virConnectClose);
+        DLLIB_SELF_DLSYM(virDomainFree);
+        DLLIB_SELF_DLSYM(virDomainShutdownFlags);
+        DLLIB_SELF_DLSYM(virConnectNumOfDomains);
+        DLLIB_SELF_DLSYM(virConnectListAllDomains);
+        DLLIB_SELF_DLSYM(virDomainGetID);
+        DLLIB_SELF_DLSYM(virDomainGetName);
+        DLLIB_SELF_DLSYM(virDomainGetInfo);
+        DLLIB_SELF_DLSYM(virDomainDestroyFlags);
+        DLLIB_SELF_DLSYM(virDomainUndefineFlags);
+        DLLIB_SELF_DLSYM(virSetErrorFunc);
+        DLLIB_SELF_DLSYM(virDomainGetUUIDString);
+        DLLIB_SELF_DLSYM(virDomainMigrate3);
+    }
+
+    Libvirt() : DlLibBase(LIB_NAME)
+    {
+        LoadAll();
+    }
+
+    static constexpr std::string_view LIB_NAME = "libvirt.so";
+};
+
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/dllib/libvirt_defines.h b/virtrust/src/virtrust/dllib/libvirt_defines.h
new file mode 100644
index 0000000000000000000000000000000000000000..93ffcb7f81708be8290ca1b165e91974c253bb45
--- /dev/null
+++ b/virtrust/src/virtrust/dllib/libvirt_defines.h
@@ -0,0 +1,207 @@
+#pragma once
+
+#include <string>
+
+#include "virtrust/base/custom_logger.h"
+
+namespace virtrust {
+
+using virConnectPtr = int *;
+using virDomainPtr = int *;
+using virNetworkPtr = int *;
+using virTypedParameterPtr = int *;
+
+/**
+ * virDomainState:
+ *
+ * A domain may be in different states at a given point in time
+ *
+ * Since: 0.0.1
+ */
+typedef enum {
+    VIR_DOMAIN_NOSTATE = 0,     /* no state (Since: 0.0.1) */
+    VIR_DOMAIN_RUNNING = 1,     /* the domain is running (Since: 0.0.1) */
+    VIR_DOMAIN_BLOCKED = 2,     /* the domain is blocked on resource (Since: 0.0.1) */
+    VIR_DOMAIN_PAUSED = 3,      /* the domain is paused by user (Since: 0.0.1) */
+    VIR_DOMAIN_SHUTDOWN = 4,    /* the domain is being shut down (Since: 0.0.1) */
+    VIR_DOMAIN_SHUTOFF = 5,     /* the domain is shut off (Since: 0.0.1) */
+    VIR_DOMAIN_CRASHED = 6,     /* the domain is crashed (Since: 0.0.2) */
+    VIR_DOMAIN_PMSUSPENDED = 7, /* the domain is suspended by guest
+                                   power management (Since: 0.9.11) */
+} virDomainState;
+
+/**
+ * virDomainInfo:
+ *
+ * a virDomainInfo is a structure filled by virDomainGetInfo() and extracting
+ * runtime information for a given active Domain
+ *
+ * Since: 0.0.1
+ */
+using virDomainInfo = struct _virDomainInfo;
+
+struct _virDomainInfo {
+    unsigned char state;        /* the running state, one of virDomainState */
+    unsigned long maxMem;       /* the maximum memory in KBytes allowed */
+    unsigned long memory;       /* the memory in KBytes used by the domain */
+    unsigned short nrVirtCpu;   /* the number of virtual CPUs for the domain */
+    unsigned long long cpuTime; /* the CPU time used in nanoseconds */
+};
+
+/**
+ * virConnectListAllDomainsFlags:
+ *
+ * Flags used to tune which domains are listed by virConnectListAllDomains().
+ * Note that these flags come in groups; if all bits from a group are 0,
+ * then that group is not used to filter results.
+ *
+ * Since: 0.9.13
+ */
+typedef enum {
+    VIR_CONNECT_LIST_DOMAINS_ACTIVE         = 1 << 0, /* (Since: 0.9.13) */
+    VIR_CONNECT_LIST_DOMAINS_INACTIVE       = 1 << 1, /* (Since: 0.9.13) */
+
+    VIR_CONNECT_LIST_DOMAINS_PERSISTENT     = 1 << 2, /* (Since: 0.9.13) */
+    VIR_CONNECT_LIST_DOMAINS_TRANSIENT      = 1 << 3, /* (Since: 0.9.13) */
+
+    VIR_CONNECT_LIST_DOMAINS_RUNNING        = 1 << 4, /* (Since: 0.9.13) */
+    VIR_CONNECT_LIST_DOMAINS_PAUSED         = 1 << 5, /* (Since: 0.9.13) */
+    VIR_CONNECT_LIST_DOMAINS_SHUTOFF        = 1 << 6, /* (Since: 0.9.13) */
+    VIR_CONNECT_LIST_DOMAINS_OTHER          = 1 << 7, /* (Since: 0.9.13) */
+
+    VIR_CONNECT_LIST_DOMAINS_MANAGEDSAVE    = 1 << 8, /* (Since: 0.9.13) */
+    VIR_CONNECT_LIST_DOMAINS_NO_MANAGEDSAVE = 1 << 9, /* (Since: 0.9.13) */
+
+    VIR_CONNECT_LIST_DOMAINS_AUTOSTART      = 1 << 10, /* (Since: 0.9.13) */
+    VIR_CONNECT_LIST_DOMAINS_NO_AUTOSTART   = 1 << 11, /* (Since: 0.9.13) */
+
+    VIR_CONNECT_LIST_DOMAINS_HAS_SNAPSHOT   = 1 << 12, /* (Since: 0.9.13) */
+    VIR_CONNECT_LIST_DOMAINS_NO_SNAPSHOT    = 1 << 13, /* (Since: 0.9.13) */
+
+    VIR_CONNECT_LIST_DOMAINS_HAS_CHECKPOINT = 1 << 14, /* (Since: 5.6.0) */
+    VIR_CONNECT_LIST_DOMAINS_NO_CHECKPOINT  = 1 << 15, /* (Since: 5.6.0) */
+} virConnectListAllDomainsFlags;
+
+/**
+ * virDomainCreateFlags:
+ *
+ * Flags OR'ed together to provide specific behaviour when creating a
+ * Domain.
+ *
+ * Since: 0.0.1
+ */
+typedef enum {
+    VIR_DOMAIN_NONE               = 0,      /* Default behavior (Since: 0.0.1) */
+    VIR_DOMAIN_START_PAUSED       = 1 << 0, /* Launch guest in paused state (Since: 0.8.2) */
+    VIR_DOMAIN_START_AUTODESTROY  = 1 << 1, /* Automatically kill guest when virConnectPtr is closed (Since: 0.9.3) */
+    VIR_DOMAIN_START_BYPASS_CACHE = 1 << 2, /* Avoid file system cache pollution (Since: 0.9.4) */
+    VIR_DOMAIN_START_FORCE_BOOT   = 1 << 3, /* Boot, discarding any managed save (Since: 0.9.5) */
+    VIR_DOMAIN_START_VALIDATE     = 1 << 4, /* Validate the XML document against schema (Since: 1.2.12) */
+    VIR_DOMAIN_START_RESET_NVRAM  = 1 << 5, /* Re-initialize NVRAM from template (Since: 8.1.0) */
+} virDomainCreateFlags;
+
+/**
+ * virDomainDestroyFlagsValues:
+ *
+ * Flags used to provide specific behaviour to the
+ * virDomainDestroyFlags() function
+ *
+ * Since: 0.9.4
+ */
+typedef enum {
+    VIR_DOMAIN_DESTROY_DEFAULT   = 0,      /* Default behavior - could lead to data loss!! (Since: 0.9.10) */
+    VIR_DOMAIN_DESTROY_GRACEFUL  = 1 << 0, /* only SIGTERM, no SIGKILL (Since: 0.9.10) */
+    VIR_DOMAIN_DESTROY_REMOVE_LOGS = 1 << 1, /* remove VM logs on destroy (Since: 8.3.0) */
+} virDomainDestroyFlagsValues;
+
+/**
+ * virDomainUndefineFlagsValues:
+ *
+ * Since: 0.9.4
+ */
+typedef enum {
+    VIR_DOMAIN_UNDEFINE_MANAGED_SAVE       = (1 << 0), /* Also remove any
+                                                          managed save (Since: 0.9.4) */
+    VIR_DOMAIN_UNDEFINE_SNAPSHOTS_METADATA = (1 << 1), /* If last use of domain,
+                                                          then also remove any
+                                                          snapshot metadata (Since: 0.9.5) */
+    VIR_DOMAIN_UNDEFINE_NVRAM              = (1 << 2), /* Also remove any
+                                                          nvram file (Since: 1.2.9) */
+    VIR_DOMAIN_UNDEFINE_KEEP_NVRAM         = (1 << 3), /* Keep nvram file (Since: 2.3.0) */
+    VIR_DOMAIN_UNDEFINE_CHECKPOINTS_METADATA = (1 << 4), /* If last use of domain,
+                                                            then also remove any
+                                                            checkpoint metadata (Since: 5.6.0) */
+    VIR_DOMAIN_UNDEFINE_TPM                = (1 << 5), /* Also remove any
+                                                          TPM state (Since: 8.9.0) */
+    VIR_DOMAIN_UNDEFINE_KEEP_TPM           = (1 << 6), /* Keep TPM state (Since: 8.9.0) */
+    /* Future undefine control flags should come here. */
+} virDomainUndefineFlagsValues;
+
+/**
+ * virErrorLevel:
+ *
+ * Indicates the level of an error
+ *
+ * Since: 0.1.0
+ */
+typedef enum {
+    VIR_ERR_NONE = 0, /* (Since: 0.1.0) */
+    VIR_ERR_WARNING = 1,        /* A simple warning (Since: 0.1.0) */
+    VIR_ERR_ERROR = 2           /* An error (Since: 0.1.0) */
+} virErrorLevel;
+
+inline LogLevel virErrorLevelToLogLevel(virErrorLevel level)
+{
+    switch (level) {
+        case VIR_ERR_WARNING: {
+            return LogLevel::WARN;
+        }
+        case VIR_ERR_ERROR: {
+            return LogLevel::ERROR;
+        }
+        default:
+            return LogLevel::UNKNOWN;
+    }
+}
+
+/**
+ * virError:
+ *
+ * A libvirt Error instance.
+ *
+ * The conn, dom and net fields should be used with extreme care.
+ * Reference counts are not incremented so the underlying objects
+ * may be deleted without notice after the error has been delivered.
+ *
+ * Since: 0.1.0
+ */
+using virError = struct _virError;
+
+/**
+ * virErrorPtr:
+ *
+ * Since: 0.1.0
+ */
+using virErrorPtr = virError *;
+
+struct _virError {
+    int code;            /* The error code, a virErrorNumber */
+    int domain;          /* What part of the library raised this error */
+    char *message;       /* human-readable informative error message */
+    virErrorLevel level; /* how consequent is the error */
+    virConnectPtr conn;  /* connection if available, deprecated
+                                          see note above */
+    virDomainPtr dom;    /* domain if available, deprecated
+                                        see note above */
+    char *str1;          /* extra string information */
+    char *str2;          /* extra string information */
+    char *str3;          /* extra string information */
+    int int1;            /* extra number information */
+    int int2;            /* extra number information */
+    virNetworkPtr net;   /* network if available, deprecated
+                                         see note above */
+};
+
+using virErrorFunc = void (*)(void *userData, virErrorPtr error);
+
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/dllib/libxml2.h b/virtrust/src/virtrust/dllib/libxml2.h
new file mode 100644
index 0000000000000000000000000000000000000000..90f86d4d3693c73379ca8abfd0c233b28c744c69
--- /dev/null
+++ b/virtrust/src/virtrust/dllib/libxml2.h
@@ -0,0 +1,65 @@
+#pragma once
+
+#include <dlfcn.h>
+
+#include <string_view>
+
+#include "virtrust/dllib/common.h"
+#include "virtrust/dllib/libxml2_defines.h"
+
+namespace virtrust {
+
+// libxml2 api
+class Libxml2 : public DlLibBase {
+public:
+    ~Libxml2() = default;
+    Libxml2(const Libxml2 &) = delete;
+    void operator=(const Libxml2 &) = delete;
+
+    // Singleton instance
+    static Libxml2 &GetInstance()
+    {
+        static Libxml2 instance;
+        return instance;
+    }
+
+    // Reload all functions
+    DllibRc Reload()
+    {
+        SelfDlClose();
+        LoadAll();
+        return CheckOk();
+    }
+
+    // Declare all functions that you need
+    // NOTE Please make sure the class instance is inited before calling those functions
+    DlFun<xmlDoc *, const char *> xmlParseFile;
+    DlFun<void, xmlDoc *> xmlFreeDoc;
+    DlFun<xmlNode *, const xmlDoc *> xmlDocGetRootElement;
+    DlFun<xmlChar *, const xmlNode *, const xmlChar *> xmlGetProp;
+    DlFun<void, void *> xmlFree;
+
+private:
+    void LoadAll()
+    {
+        // NOTE explicitly dlopen shared library
+        auto ret = SelfDlOpen();
+        if (ret != DllibRc::OK) {
+            return;
+        }
+        DLLIB_SELF_DLSYM(xmlParseFile);
+        DLLIB_SELF_DLSYM(xmlFreeDoc);
+        DLLIB_SELF_DLSYM(xmlDocGetRootElement);
+        DLLIB_SELF_DLSYM(xmlGetProp);
+        DLLIB_SELF_DLSYM(xmlFree);
+    }
+
+    Libxml2() : DlLibBase(LIB_NAME)
+    {
+        LoadAll();
+    }
+
+    static constexpr std::string_view LIB_NAME = "libxml2.so";
+};
+
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/dllib/libxml2_defines.h b/virtrust/src/virtrust/dllib/libxml2_defines.h
new file mode 100644
index 0000000000000000000000000000000000000000..ebf74564fcabed082ba03bc42b87ef4c9553e1eb
--- /dev/null
+++ b/virtrust/src/virtrust/dllib/libxml2_defines.h
@@ -0,0 +1,139 @@
+#pragma once
+
+namespace virtrust {
+
+using xmlChar = unsigned char;
+
+// ---------------------------------------------------------------------------
+// Type definition from libxml2/libxml/tree.h
+// ---------------------------------------------------------------------------
+
+/*
+ * The different element types carried by an XML tree.
+ *
+ * NOTE: This is synchronized with DOM Level1 values
+ *       See http://www.w3.org/TR/REC-DOM-Level-1/
+ *
+ * Actually this had diverged a bit, and now XML_DOCUMENT_TYPE_NODE should
+ * be deprecated to use an XML_DTD_NODE.
+ */
+typedef enum {
+    XML_ELEMENT_NODE = 1,
+    XML_ATTRIBUTE_NODE = 2,
+    XML_TEXT_NODE = 3,
+    XML_CDATA_SECTION_NODE = 4,
+    XML_ENTITY_REF_NODE = 5,
+    XML_ENTITY_NODE = 6,
+    XML_PI_NODE = 7,
+    XML_COMMENT_NODE = 8,
+    XML_DOCUMENT_NODE = 9,
+    XML_DOCUMENT_TYPE_NODE = 10,
+    XML_DOCUMENT_FRAG_NODE = 11,
+    XML_NOTATION_NODE = 12,
+    XML_HTML_DOCUMENT_NODE = 13,
+    XML_DTD_NODE = 14,
+    XML_ELEMENT_DECL = 15,
+    XML_ATTRIBUTE_DECL = 16,
+    XML_ENTITY_DECL = 17,
+    XML_NAMESPACE_DECL = 18,
+    XML_XINCLUDE_START = 19,
+    XML_XINCLUDE_END = 20
+    /* XML_DOCB_DOCUMENT_NODE=	21 */ /* removed */
+} xmlElementType;
+
+/**
+ * xmlNs:
+ *
+ * An XML namespace.
+ * Note that prefix == NULL is valid, it defines the default namespace
+ * within the subtree (until overridden).
+ *
+ * xmlNsType is unified with xmlElementType.
+ */
+using xmlNs = struct _xmlNs;
+using xmlNsType = xmlElementType;
+
+struct _xmlNs {
+    struct _xmlNs  *next;	/* next Ns link for this node  */
+    xmlNsType      type;	/* global or local */
+    const xmlChar *href;	/* URL for the namespace */
+    const xmlChar *prefix;	/* prefix for the namespace */
+    void           *_private;   /* application data */
+    struct _xmlDoc *context;		/* normally an xmlDoc */
+};
+
+/**
+ * xmlDoc:
+ *
+ * An XML document.
+ */
+using xmlDoc = struct _xmlDoc;
+using xmlDocPtr = xmlDoc *;
+
+struct _xmlDoc {
+    void           *_private;	/* application data */
+    xmlElementType  type;       /* XML_DOCUMENT_NODE, must be second ! */
+    char           *name;	/* name/filename/URI of the document */
+    struct _xmlNode *children;	/* the document tree */
+    struct _xmlNode *last;	/* last child link */
+    struct _xmlNode *parent;	/* child->parent link */
+    struct _xmlNode *next;	/* next sibling link  */
+    struct _xmlNode *prev;	/* previous sibling link  */
+    struct _xmlDoc  *doc;	/* autoreference to itself */
+
+    /* End of common part */
+    int             compression;/* level of zlib compression */
+    int             standalone; /* standalone document (no external refs)
+                     1 if standalone="yes"
+                     0 if standalone="no"
+                    -1 if there is no XML declaration
+                    -2 if there is an XML declaration, but no
+                    standalone attribute was specified */
+    struct _xmlDtd  *intSubset;	/* the document internal subset */
+    struct _xmlDtd  *extSubset;	/* the document external subset */
+    struct _xmlNs   *oldNs;	/* Global namespace, the old way */
+    const xmlChar  *version;	/* the XML version string */
+    const xmlChar  *encoding;   /* external initial encoding, if any */
+    void           *ids;        /* Hash table for ID attributes if any */
+    void           *refs;       /* Hash table for IDREFs attributes if any */
+    const xmlChar  *URL;	/* The URI for that document */
+    int             charset;    /* Internal flag for charset handling,
+                   actually an xmlCharEncoding */
+    struct _xmlDict *dict;      /* dict used to allocate names or NULL */
+    void           *psvi;	/* for type/PSVI information */
+    int             parseFlags;	/* set of xmlParserOption used to parse the
+                   document */
+    int             properties;	/* set of xmlDocProperties for this document
+                   set at the end of parsing */
+};
+
+/**
+ * xmlNode:
+ *
+ * A node in an XML tree.
+ */
+using xmlNode = struct _xmlNode;
+using xmlNodePtr = xmlNode *;
+
+struct _xmlNode {
+    void           *_private;	/* application data */
+    xmlElementType   type;	/* type number, must be second ! */
+    const xmlChar   *name;      /* the name of the node, or the entity */
+    struct _xmlNode *children;	/* parent->childs link */
+    struct _xmlNode *last;	/* last child link */
+    struct _xmlNode *parent;	/* child->parent link */
+    struct _xmlNode *next;	/* next sibling link  */
+    struct _xmlNode *prev;	/* previous sibling link  */
+    struct _xmlDoc  *doc;	/* the containing document */
+
+    /* End of common part */
+    xmlNs           *ns;        /* pointer to the associated namespace */
+    xmlChar         *content;   /* the content */
+    struct _xmlAttr *properties;/* properties list */
+    xmlNs           *nsDef;     /* namespace definitions on this node */
+    void            *psvi;	/* for type/PSVI information */
+    unsigned short   line;	/* line number */
+    unsigned short   extra;	/* extra data for XPath/XSLT */
+};
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/dllib/openssl.h b/virtrust/src/virtrust/dllib/openssl.h
new file mode 100644
index 0000000000000000000000000000000000000000..cbdb6946005b284f3a3492cefacc6e982f128cda
--- /dev/null
+++ b/virtrust/src/virtrust/dllib/openssl.h
@@ -0,0 +1,95 @@
+#pragma once
+
+#include <dlfcn.h>
+
+#include <cstdint>
+#include <functional>
+#include <string_view>
+
+#include "virtrust/dllib/common.h"
+#include "virtrust/dllib/openssl_defines.h"
+
+namespace virtrust {
+
+// openssl api
+class Openssl : public DlLibBase {
+public:
+    ~Openssl() = default;
+    Openssl(const Openssl &) = delete;
+    void operator=(const Openssl &) = delete;
+
+    // Singleton instance
+    static Openssl &GetInstance()
+    {
+        static Openssl instance;
+        return instance;
+    }
+
+    // Reload all functions
+    DllibRc Reload()
+    {
+        SelfDlClose();
+        LoadAll();
+        return CheckOk();
+    }
+
+    // Declare all functions that you need
+    // NOTE Please make sure the class instance is inited before calling those functions
+
+    // Fetch openssl message digest context
+    DlFun<EVP_MD *, OSSL_LIB_CTX *, const char *, const char *> EVP_MD_fetch;
+
+    // Get the output size of the message digest algorithm (e.g. SM3), this function is the same as EVP_MD_size
+    DlFun<int, const EVP_MD *> EVP_MD_get_size;
+
+    // Create new message digest context
+    DlFun<EVP_MD_CTX *> EVP_MD_CTX_new;
+
+    // Reset md context
+    DlFun<int, EVP_MD_CTX *> EVP_MD_CTX_reset;
+
+    // Copy md context
+    DlFun<int, EVP_MD_CTX *, const EVP_MD_CTX *> EVP_MD_CTX_copy_ex;
+
+    // Init
+    DlFun<int, EVP_MD_CTX *, EVP_MD *> EVP_DigestInit;
+
+    // Update
+    DlFun<int, EVP_MD_CTX *, const void *, size_t> EVP_DigestUpdate;
+
+    // Final
+    DlFun<int, EVP_MD_CTX *, unsigned char *, unsigned int *> EVP_DigestFinal_ex;
+
+    // Free
+    DlFun<void, EVP_MD *> EVP_MD_free;
+    DlFun<void, EVP_MD_CTX *> EVP_MD_CTX_free;
+
+private:
+    void LoadAll()
+    {
+        // NOTE explicitly dlopen shared library
+        auto ret = SelfDlOpen();
+        if (ret != DllibRc::OK) {
+            return;
+        }
+        DLLIB_SELF_DLSYM(EVP_MD_fetch);
+        DLLIB_SELF_DLSYM(EVP_MD_get_size);
+        DLLIB_SELF_DLSYM(EVP_MD_CTX_new);
+        DLLIB_SELF_DLSYM(EVP_MD_CTX_reset);
+        DLLIB_SELF_DLSYM(EVP_MD_CTX_copy_ex);
+        DLLIB_SELF_DLSYM(EVP_DigestInit);
+        DLLIB_SELF_DLSYM(EVP_DigestUpdate);
+        DLLIB_SELF_DLSYM(EVP_DigestFinal_ex);
+        DLLIB_SELF_DLSYM(EVP_MD_free);
+        DLLIB_SELF_DLSYM(EVP_MD_CTX_free);
+    }
+
+    Openssl() : DlLibBase(LIB_NAME)
+    {
+        LoadAll();
+    }
+
+    static constexpr std::string_view LIB_NAME = "libcrypto.so";
+};
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/dllib/openssl_defines.h b/virtrust/src/virtrust/dllib/openssl_defines.h
new file mode 100644
index 0000000000000000000000000000000000000000..6e8743acede0fad05347b3c923ece7a563b31740
--- /dev/null
+++ b/virtrust/src/virtrust/dllib/openssl_defines.h
@@ -0,0 +1,12 @@
+#pragma once
+
+namespace virtrust {
+
+using EVP_MD = struct evp_md_st;
+using EVP_MD_CTX = struct evp_md_ctx_st;
+using OSSL_LIB_CTX = struct ossl_lib_ctx_st;
+
+// openssl return value check
+constexpr int OPENSSL_OK = 1;
+
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/link/CMakeLists.txt b/virtrust/src/virtrust/link/CMakeLists.txt
new file mode 100644
index 0000000000000000000000000000000000000000..dd5e6e8da5943a8b32e846e2d3c8ca18cb25dbee
--- /dev/null
+++ b/virtrust/src/virtrust/link/CMakeLists.txt
@@ -0,0 +1,15 @@
+# Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+
+set(VIRTRUST_SOURCE_FILES 
+   ${VIRTRUST_SOURCE_FILES} ${CMAKE_CURRENT_LIST_DIR}/link_client.cpp
+   ${CMAKE_CURRENT_LIST_DIR}/link_server.cpp
+   ${CMAKE_CURRENT_LIST_DIR}/utils.cpp
+)
+
+# tests
+add_virtrust_test_if(link_test ${BUILD_TEST})
+
+set(VIRTRUST_SOURCE_FILES
+${VIRTRUST_SOURCE_FILES}
+PARENT_SCOPE)
+
diff --git a/virtrust/src/virtrust/link/defines.h b/virtrust/src/virtrust/link/defines.h
new file mode 100644
index 0000000000000000000000000000000000000000..832c939e379e58292497ef5011b5b531029811fe
--- /dev/null
+++ b/virtrust/src/virtrust/link/defines.h
@@ -0,0 +1,27 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#include <array>
+#include <cstdint>
+#include <string>
+#include <string_view>
+
+#include "virtrust/base/logger.h"
+
+namespace virtrust {
+enum class LinkRc : uint32_t {
+    OK = 0,
+    ERROR = 1,
+};
+
+struct LinkConfig {
+    std::string caPath;
+    std::string certPath;
+    std::string skPath;
+    std::string ip;
+    std::string ipMask;
+    uint16_t port;
+};
+
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/link/link_config_builder.h b/virtrust/src/virtrust/link/link_config_builder.h
new file mode 100644
index 0000000000000000000000000000000000000000..274760e2f98a2f2ffc34b0be0ad9e8644d574b89
--- /dev/null
+++ b/virtrust/src/virtrust/link/link_config_builder.h
@@ -0,0 +1,43 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#pragma once
+
+#include <array>
+#include <cstdint>
+#include <string>
+#include <string_view>
+
+#include "virtrust/link/defines.h"
+
+namespace virtrust {
+
+class LinkConfigBuilder {
+public:
+#define VIRTRUST_LINK_BUILDER_ADD(TYPE, NAME) \
+    LinkConfigBuilder NAME(TYPE NAME)         \
+    {                                         \
+        config_.NAME = NAME;                  \
+        return *this;                         \
+    }
+
+    VIRTRUST_LINK_BUILDER_ADD(const std::string &, caPath)
+    VIRTRUST_LINK_BUILDER_ADD(const std::string &, certPath)
+    VIRTRUST_LINK_BUILDER_ADD(const std::string &, skPath)
+    VIRTRUST_LINK_BUILDER_ADD(const std::string &, ip)
+    VIRTRUST_LINK_BUILDER_ADD(const std::string &, ipMask)
+    VIRTRUST_LINK_BUILDER_ADD(uint16_t, port)
+
+#undef VIRTRUST_LINK_BUILDER_ADD
+
+    LinkConfig Build()
+    {
+        return config_;
+    }
+
+private:
+    LinkConfig config_;
+};
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/utils/CMakeLists.txt b/virtrust/src/virtrust/utils/CMakeLists.txt
new file mode 100644
index 0000000000000000000000000000000000000000..f6c28002edcd51f6fea3cdb69bfe1b9932d45f20
--- /dev/null
+++ b/virtrust/src/virtrust/utils/CMakeLists.txt
@@ -0,0 +1,15 @@
+set(VIRTRUST_SOURCE_FILES
+    ${VIRTRUST_SOURCE_FILES}
+    ${CMAKE_CURRENT_LIST_DIR}/file_io.cpp
+    ${CMAKE_CURRENT_LIST_DIR}/virt_xml_parser.cpp
+    ${CMAKE_CURRENT_LIST_DIR}/migrate_helper.cpp
+    ${CMAKE_CURRENT_LIST_DIR}/foreign_mounter.cpp)
+
+add_virtrust_test_if(file_io_test ${BUILD_TEST})
+add_virtrust_sh_test_if(virt_xml_parser_test ${BUILD_TEST})
+add_virtrust_sh_test_if(foreign_mounter_test ${BUILD_TEST})
+add_virtrust_test_if(migrate_helper_test ${BUILD_TEST})
+
+set(VIRTRUST_SOURCE_FILES
+    ${VIRTRUST_SOURCE_FILES}
+    PARENT_SCOPE)
\ No newline at end of file
diff --git a/virtrust/src/virtrust/utils/enum_check.h b/virtrust/src/virtrust/utils/enum_check.h
new file mode 100644
index 0000000000000000000000000000000000000000..3a99e7d665690da76b3583ab94b439f5314bf2be
--- /dev/null
+++ b/virtrust/src/virtrust/utils/enum_check.h
@@ -0,0 +1,28 @@
+#pragma once
+
+namespace virtrust {
+
+// Define templates for enum range check
+
+template <typename EnumType, EnumType... Values> class EnumCheck {};
+
+template <typename EnumType> class EnumCheck<EnumType> {
+public:
+    template <typename IntType> static bool constexpr IsValue(IntType)
+    {
+        return false;
+    }
+};
+
+template <typename EnumType, EnumType V, EnumType... Next>
+class EnumCheck<EnumType, V, Next...> : private EnumCheck<EnumType, Next...> {
+    using Super = EnumCheck<EnumType, Next...>;
+
+public:
+    template <typename IntType> static bool constexpr IsValue(IntType v)
+    {
+        return v == static_cast<IntType>(V) || Super::IsValue(v);
+    }
+};
+
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/utils/file_io.cpp b/virtrust/src/virtrust/utils/file_io.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..ee5c5a33017e2fe76995bbc5a6b6802ae7530fe8
--- /dev/null
+++ b/virtrust/src/virtrust/utils/file_io.cpp
@@ -0,0 +1,240 @@
+#include "virtrust/utils/file_io.h"
+
+#include <cerrno>
+#include <cstring>
+#include <exception>
+#include <filesystem>
+#include <iostream>
+#include <string>
+#include <utility>
+
+#include "spdlog/fmt/fmt.h"
+#include "spdlog/spdlog.h"
+
+#include "virtrust/base/exception.h"
+#include "virtrust/base/logger.h"
+
+namespace virtrust {
+#define FILE_IO_THROW(msg_prefix)                                                                                  \
+    VIRTRUST_ENFORCE(false, fmt::format("|{}|END|||error on file {}, failure {}", msg_prefix, fileName_, e.what(), \
+                                        std::strerror(errno), errno))
+
+FileInputStream::FileInputStream(std::string fileName) : fileName_(std::move(fileName)), fileLen_(0)
+{
+#ifndef __arm64__
+    in_.exceptions(std::ifstream::badbit | std::ifstream::failbit);
+#endif
+    try {
+        in_.open(fileName_, std::ios::binary | std::ios::ate);
+    } catch (const std::ifstream::failure &e) {
+        FILE_IO_THROW("Open for read");
+    }
+    fileLen_ = Tellg();
+    Seekg(0);
+}
+
+bool FileInputStream::operator!() const
+{
+    return !static_cast<bool>(in_);
+}
+
+FileInputStream::operator bool() const
+{
+    return static_cast<bool>(in_);
+}
+
+bool FileInputStream::Eof() const
+{
+    return in_.eof();
+}
+
+FileInputStream &FileInputStream::GetLine(std::string *ret, char delim)
+{
+    try {
+        std::getline(in_, *ret, delim);
+    } catch (const std::ifstream::failure &e) {
+        if (!in_.eof() || in_.bad()) {
+            FILE_IO_THROW("GetLine");
+        }
+    }
+
+    return *this;
+}
+
+FileInputStream &FileInputStream::Read(void *buf, size_t length)
+{
+    try {
+        in_.read(static_cast<char *>(buf), length);
+    } catch (const std::ifstream::failure &e) {
+        FILE_IO_THROW("Read");
+    }
+    return *this;
+}
+
+FileInputStream &FileInputStream::Seekg(size_t pos)
+{
+    try {
+        // clear EOF/FAIL bit
+        in_.clear();
+        in_.seekg(pos);
+    } catch (const std::ifstream::failure &e) {
+        FILE_IO_THROW("Seekg");
+    }
+    return *this;
+}
+
+size_t FileInputStream::Tellg()
+{
+    size_t ret = 0;
+    try {
+        auto backup = in_.rdstate();
+        in_.clear();
+        // tellg fail if eofbit is set.
+        ret = in_.tellg();
+        in_.clear(backup);
+    } catch (const std::ifstream::failure &e) {
+        if (in_.bad()) {
+            FILE_IO_THROW("Tellg");
+        }
+    }
+    return ret;
+}
+
+void FileInputStream::TransferTo(std::ostringstream &oss)
+{
+    try {
+        // clear EOF/FAIL bit
+        in_.clear();
+        in_.seekg(0);
+        oss << in_.rdbuf();
+    } catch (const std::ifstream::failure &e) {
+        FILE_IO_THROW("TransferTo");
+    }
+}
+
+std::string FileInputStream::ReadAll()
+{
+    try {
+        std::ostringstream oss;
+        TransferTo(oss);
+        return oss.str();
+    } catch (const std::ifstream::failure &e) {
+        FILE_IO_THROW("ReadAll");
+    }
+    return "";
+}
+
+size_t FileInputStream::GetLength() const
+{
+    return fileLen_;
+}
+
+const std::string &FileInputStream::GetName() const
+{
+    return fileName_;
+}
+
+void FileInputStream::Close()
+{
+    try {
+        in_.close();
+    } catch (const std::ifstream::failure &e) {
+        FILE_IO_THROW("Close");
+    }
+    fileLen_ = 0;
+}
+
+std::unique_ptr<FileInputStream> FileInputStream::Spawn()
+{
+    auto ret = std::make_unique<FileInputStream>(fileName_);
+    ret->Seekg(Tellg());
+    return ret;
+}
+
+FileOutputStream::FileOutputStream(std::string fileName, bool trunc, bool exitFailInDestructor)
+    : fileName_(std::move(fileName)), exitFailInDestructor_(exitFailInDestructor)
+{
+    std::filesystem::path fp(fileName_);
+    // empty if relative path to pwd.
+    if (!fp.parent_path().empty() && !std::filesystem::exists(fp.parent_path())) {
+        VIRTRUST_ENFORCE(std::filesystem::create_directories(fp.parent_path()), "Failed to create dir ({})",
+                         fp.parent_path().string());
+    }
+    out_.exceptions(std::ofstream::badbit | std::ofstream::failbit);
+    try {
+        out_.open(fileName_, std::ios::binary | (trunc ? std::ios::trunc : std::ios::app));
+    } catch (const std::ofstream::failure &e) {
+        FILE_IO_THROW("Open for write");
+    }
+}
+
+FileOutputStream::~FileOutputStream()
+{
+    try {
+        Close();
+    } catch (const std::exception &e) {
+        SPDLOG_ERROR("IO error in destructor: < {} >", e.what());
+        if (exitFailInDestructor_) {
+            _exit(-1);
+        }
+    }
+}
+
+void FileOutputStream::Write(const void *buf, size_t length)
+{
+    try {
+        out_.write(static_cast<const char *>(buf), length);
+    } catch (const std::ofstream::failure &e) {
+        FILE_IO_THROW("Write");
+    }
+}
+
+void FileOutputStream::Write(std::string_view buf)
+{
+    try {
+        out_.write(buf.data(), buf.size());
+    } catch (const std::ofstream::failure &e) {
+        FILE_IO_THROW("Write");
+    }
+}
+
+const std::string &FileOutputStream::GetName() const
+{
+    return fileName_;
+}
+
+size_t FileOutputStream::Tellp()
+{
+    size_t ret = 0;
+    try {
+        ret = out_.tellp();
+    } catch (const std::ofstream::failure &e) {
+        FILE_IO_THROW("Tellp");
+    }
+    return ret;
+}
+
+void FileOutputStream::Flush()
+{
+    try {
+        if (out_.is_open() && out_.good()) {
+            out_.flush();
+        }
+    } catch (const std::ofstream::failure &e) {
+        FILE_IO_THROW("Flush");
+    }
+}
+
+void FileOutputStream::Close()
+{
+    try {
+        if (out_.is_open() && out_.good()) {
+            Flush();
+            out_.close();
+        }
+    } catch (const std::ofstream::failure &e) {
+        FILE_IO_THROW("Close");
+    }
+}
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/utils/file_io.h b/virtrust/src/virtrust/utils/file_io.h
new file mode 100644
index 0000000000000000000000000000000000000000..d9be150dcbae2ba280076f195e497727bfdfc12e
--- /dev/null
+++ b/virtrust/src/virtrust/utils/file_io.h
@@ -0,0 +1,80 @@
+#pragma once
+
+#include <fstream>
+#include <memory>
+#include <string>
+
+namespace virtrust {
+class FileInputStream {
+public:
+
+    explicit FileInputStream(std::string fileName);
+
+    ~FileInputStream() = default;
+
+    bool operator!() const;
+
+    explicit operator bool() const;
+
+    bool Eof() const;
+
+    FileInputStream &GetLine(std::string *ret, char delim);
+
+    FileInputStream &Read(void *buf, size_t length);
+
+    FileInputStream &Seekg(size_t pos);
+
+    size_t Tellg();
+
+    void TransferTo(std::ostringstream &oss);
+
+    std::string ReadAll();
+
+    size_t GetLength() const;
+
+    const std::string &GetName() const;
+
+    void Close();
+
+    static bool IsStreaming()
+    {
+        return false;
+    }
+
+    std::unique_ptr<FileInputStream> Spawn();
+
+private:
+    const std::string fileName_;
+    std::ifstream in_;
+    size_t fileLen_;
+};
+
+class FileOutputStream {
+public:
+    explicit FileOutputStream(std::string fileName, bool trunc = true, bool exitFailInDestructor = true);
+
+    ~FileOutputStream();
+
+    void Write(const void *buf, size_t length);
+    void Write(std::string_view buf);
+
+    const std::string &GetName() const;
+
+    size_t Tellp();
+
+    void Close();
+
+    void Flush();
+
+    static bool IsStreaming()
+    {
+        return false;
+    }
+
+private:
+    const std::string fileName_;
+    const bool exitFailInDestructor_;
+    std::ofstream out_;
+};
+
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/utils/foreign_mounter.cpp b/virtrust/src/virtrust/utils/foreign_mounter.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..4e9f825be1cf8a7614873e4c380deee1bc710d18
--- /dev/null
+++ b/virtrust/src/virtrust/utils/foreign_mounter.cpp
@@ -0,0 +1,367 @@
+#include "virtrust/utils/foreign_mounter.h"
+
+#include <cstring>
+#include <string>
+#include <string_view>
+
+#include "spdlog/fmt/fmt.h"
+
+#include "virtrust/base/logger.h"
+#include "virtrust/base/str_utils.h"
+#include "virtrust/crypto/sm3.h"
+#include "virtrust/dllib/common.h"
+
+namespace virtrust {
+
+namespace {
+constexpr std::string_view DEFAULT_SHIM_EFI_REGEX_PATH = "/boot/efi/EFI/{}/shimaa64.efi";
+constexpr std::string_view DEFAULT_GRUB_EFI_REGEX_PATH = "/boot/efi/EFI/{}/grubaa64.efi";
+constexpr std::string_view DEFAULT_GRUB_CFG_REGEX_PATH = "/boot/efi/EFI/{}/grub.cfg";
+constexpr std::string_view DEFAULT_BOOT_PATH = "/boot";
+constexpr std::string_view DEFAULT_INITRD_PREFIX = "initrd";
+constexpr std::string_view DEFAULT_LINUZ_PREFIX = "linux";
+constexpr char PATH_SEPARATOR = '/';
+constexpr std::string_view BACKEND_VALUE = "direct";
+
+inline ForeignMounterRc ParseRc(DllibRc rc)
+{
+    switch (rc) {
+        case DllibRc::OK:
+            return ForeignMounterRc::OK;
+        default:
+            return ForeignMounterRc::ERROR;
+    }
+}
+
+std::string LinuxDistroToString(LinuxDistro distro)
+{
+    switch (distro) {
+        case LinuxDistro::OPENEULER:
+            return "openEuler";
+        case LinuxDistro::CENTOS:
+            return "centos";
+        case LinuxDistro::UBUNTU:
+            return "ubuntu";
+        case LinuxDistro::DEBIAN:
+            return "debian";
+        case LinuxDistro::FEDORA:
+            return "fedora";
+        default:
+            return "unknown";
+    }
+}
+
+size_t CountStrings(char **strs)
+{
+    size_t c = 0;
+    if (strs != nullptr) {
+        while (strs[c] != nullptr) {
+            c++;
+        }
+    }
+    return c;
+}
+
+void GuestfsFreeStringList(char **strs)
+{
+    if (strs == nullptr) {
+        return;
+    }
+    for (size_t i = 0; strs[i] != nullptr; ++i) {
+        free(strs[i]);
+    }
+    free(strs);
+}
+} // namespace
+
+VerifyConfig::VerifyConfig(const std::string &guestName, const std::string &diskPath, const std::string &loaderPath,
+                           const LinuxDistro distro)
+    : guestName_(guestName), diskPath_(diskPath), loaderPath_(loaderPath), linuxDistro_(distro)
+{}
+
+std::string VerifyConfig::GetGuestName()
+{
+    return guestName_;
+}
+
+std::string VerifyConfig::GetDiskPath()
+{
+    return diskPath_;
+}
+
+std::string VerifyConfig::GetLoaderPath()
+{
+    return loaderPath_;
+}
+
+std::string VerifyConfig::GetShimPath()
+{
+    if (shimPath_.empty()) {
+        shimPath_ = fmt::format(DEFAULT_SHIM_EFI_REGEX_PATH, LinuxDistroToString(linuxDistro_));
+    }
+    return shimPath_;
+}
+
+std::string VerifyConfig::GetGrubPath()
+{
+    if (grubPath_.empty()) {
+        grubPath_ = fmt::format(DEFAULT_GRUB_EFI_REGEX_PATH, LinuxDistroToString(linuxDistro_));
+    }
+    return grubPath_;
+}
+
+std::string VerifyConfig::GetGrubCfgPath()
+{
+    if (grubCfgPath_.empty()) {
+        grubCfgPath_ = fmt::format(DEFAULT_GRUB_CFG_REGEX_PATH, LinuxDistroToString(linuxDistro_));
+    }
+    return grubCfgPath_;
+}
+
+std::string VerifyConfig::GetInitrdPath()
+{
+    return initrdPath_;
+}
+
+std::string VerifyConfig::GetLinuzPath()
+{
+    return linuzPath_;
+}
+
+void VerifyConfig::ParseGrubCfgContent(const std::string &content)
+{
+    std::istringstream iss(content);
+    std::string line;
+    bool findInitrd = false;
+    bool findLinuz = false;
+    while (std::getline(iss, line)) {
+        line = StrTrimWhitespace(line);
+        if (line.empty()) {
+            continue;
+        }
+        // find line which starts with "initrd" or "linux"
+        if (StrStartsWith(line, DEFAULT_INITRD_PREFIX)) {
+            initrdPath_ = ParseGrubCfgLine(line);
+            if (initrdPath_.empty()) {
+                VIRTRUST_LOG_ERROR("|ParseGrubCfgContent|END|||Get initrd path from grub.cfg failed.");
+                return;
+            }
+            findInitrd = true;
+        } else if (StrStartsWith(line, DEFAULT_LINUZ_PREFIX)) {
+            linuzPath_ = ParseGrubCfgLine(line);
+            if (linuzPath_.empty()) {
+                VIRTRUST_LOG_ERROR("|ParseGrubCfgContent|END|||Get linuz path from grub.cfg failed.");
+                return;
+            }
+            findLinuz = true;
+        }
+        // found all
+        if (findInitrd && findLinuz) {
+            return;
+        }
+    }
+}
+
+std::string VerifyConfig::ParseGrubCfgLine(const std::string &line)
+{
+    constexpr int lineSplitLimit = 2;
+
+    auto parts = StrSplit(line);
+    // if there are fewer than two substrings
+    if (parts.size() < lineSplitLimit) {
+        return "";
+    }
+    // the second substring is file name or path
+    std::string filename = parts[1];
+
+    // NOTE by cjm. We should check if the path is absolute
+    // prefix already exists
+    if (StrStartsWith(filename, DEFAULT_BOOT_PATH)) {
+        return filename;
+    }
+    // add prefix
+    return fmt::format("{}/{}", DEFAULT_BOOT_PATH, StrTrim(filename, PATH_SEPARATOR));
+}
+
+ForeignMounterRc ForeignMounter::TryInit()
+{
+    if (libguestfs_.CheckOk() != DllibRc::OK) {
+        return ParseRc(libguestfs_.Reload());
+    }
+
+    if (handle_ == nullptr) {
+        handle_ = libguestfs_.guestfs_create();
+    }
+
+    if (handle_ == nullptr) {
+        VIRTRUST_LOG_ERROR("|TryInit|END|returnF||Failed to create the guestfs handle.");
+        return ForeignMounterRc::ERROR;
+    }
+    return ForeignMounterRc::OK;
+}
+
+ForeignMounterRc ForeignMounter::Mount(std::string_view imgPath, size_t osIndex)
+{
+    // Check whether our dllib has been successfully loaded
+    if (!CheckOk()) {
+        return ForeignMounterRc::ERROR;
+    }
+
+    auto res = libguestfs_.guestfs_set_backend(handle_, BACKEND_VALUE.data());
+    if (res == -1) {
+        VIRTRUST_LOG_ERROR("|Mount|END|returnF||Guestfs set backend failed.");
+        return ForeignMounterRc::ERROR;
+    }
+
+    struct guestfs_add_drive_opts_argv optargs = {
+        .bitmask = GUESTFS_ADD_DRIVE_OPTS_FORMAT_BITMASK | GUESTFS_ADD_DRIVE_OPTS_CACHEMODE_BITMASK,
+        .format = "qcow2",
+        .cachemode = "unsafe" // quick but unsafe
+    };
+    // Load qcow2 format image from imgPath
+    // see: https://gitee.com/openeuler/qemu/issues/IADWBA
+    res = libguestfs_.guestfs_add_drive_opts_argv(handle_, imgPath.data(), optargs);
+    if (res == -1) {
+        VIRTRUST_LOG_ERROR("|Mount|END|returnF||Guestfs adds drive opts failed.");
+        return ForeignMounterRc::ERROR;
+    }
+
+    res = libguestfs_.guestfs_launch(handle_);
+    if (res == -1) {
+        VIRTRUST_LOG_ERROR("|Mount|END|returnF||Guestfs launch failed.");
+        return ForeignMounterRc::ERROR;
+    }
+
+    char **roots = libguestfs_.guestfs_inspect_os(handle_);
+    if (roots == nullptr) {
+        VIRTRUST_LOG_ERROR("|Mount|END|returnF||No operating system found in image.");
+        return ForeignMounterRc::ERROR;
+    }
+
+    size_t osCnt = CountStrings(roots);
+    if (osIndex >= osCnt) {
+        VIRTRUST_LOG_ERROR("|Mount|END|returnF||There are {} os in image, index out of range: {}.", osCnt, osIndex);
+        return ForeignMounterRc::ERROR;
+    }
+
+    char *root = roots[osIndex];
+    ForeignMounterRc rc = MountFilesystems(root);
+    GuestfsFreeStringList(roots);
+
+    if (rc == ForeignMounterRc::OK) {
+        isMount_ = true;
+    }
+    return rc;
+}
+
+ForeignMounterRc ForeignMounter::MountFilesystems(const std::string &root)
+{
+    // collect mountpoints and devices
+    char **mountpoints = libguestfs_.guestfs_inspect_get_mountpoints(handle_, root.c_str());
+    if (mountpoints == nullptr) {
+        VIRTRUST_LOG_ERROR("|MountFilesystems|END|returnF||Get mountpoints failed.");
+        return ForeignMounterRc::ERROR;
+    }
+    std::vector<MounterInfo> mps;
+    constexpr int stepLen = 2;
+    for (int i = 0; mountpoints[i] != nullptr && mountpoints[i + 1] != nullptr; i += stepLen) {
+        mps.push_back(MounterInfo{mountpoints[i], mountpoints[i + 1], StrCountChar(mountpoints[i], PATH_SEPARATOR)});
+    }
+
+    // sort by directory level in ascending
+    std::sort(mps.begin(), mps.end(), [](auto &a, auto &b) {
+        return a.dirLevel != b.dirLevel ? a.dirLevel < b.dirLevel : a.mpt.size() < b.mpt.size();
+    });
+
+    // mount all file system
+    for (auto &mp : mps) {
+        auto &mountpoint = mp.mpt;
+        auto &device = mp.device;
+        // mount device to mountpoint
+        int ret = libguestfs_.guestfs_mount_ro(handle_, device.c_str(), mountpoint.c_str());
+        if (ret == -1) {
+            VIRTRUST_LOG_ERROR("|MountFilesystems|END|returnF||Mount {} to {} failed.", device, mountpoint);
+            return ForeignMounterRc::ERROR;
+        }
+    }
+
+    GuestfsFreeStringList(mountpoints);
+    return ForeignMounterRc::OK;
+}
+
+ForeignMounterRc ForeignMounter::ReadFile(std::string_view filePath, std::string &fileContent)
+{
+    if (!isMount_) {
+        VIRTRUST_LOG_ERROR("|ReadFile|END|||The image has not been loaded.");
+        return ForeignMounterRc::ERROR;
+    }
+
+    // check file whether exist in image
+    int exists = libguestfs_.guestfs_exists(handle_, filePath.data());
+    if (exists != 1) {
+        VIRTRUST_LOG_ERROR("|ReadFile|END||file path is: {}|File not exist in image.", filePath);
+        return ForeignMounterRc::FILE_NOT_EXIST;
+    }
+
+    // check whether is a file
+    int isFile = libguestfs_.guestfs_is_file(handle_, filePath.data());
+    if (isFile != 1) {
+        VIRTRUST_LOG_ERROR("|ReadFile|END|||file path is: {}|It is not a file.", filePath);
+        return ForeignMounterRc::ERROR;
+    }
+
+    // read content
+    size_t size;
+    char *content = libguestfs_.guestfs_read_file(handle_, filePath.data(), &size);
+    if (content == nullptr) {
+        VIRTRUST_LOG_ERROR("|ReadFile|END|||file path is: {}|Read this file failed.", filePath);
+        return ForeignMounterRc::ERROR;
+    }
+
+    fileContent = std::string(content, size);
+    free(content);
+    return ForeignMounterRc::OK;
+}
+
+ForeignMounterRc ForeignMounter::DoSm3OnVmFile(std::string_view filePath, std::vector<uint8_t> &sm3Data)
+{
+    std::string fileContent;
+    ForeignMounterRc rc = ReadFile(filePath, fileContent);
+    if (rc == ForeignMounterRc::FILE_NOT_EXIST) {
+        return rc;
+    }
+
+    if (rc != ForeignMounterRc::OK) {
+        VIRTRUST_LOG_ERROR("|DoSm3OnVmFile|END|returnF||Read file failed: {}.", filePath);
+        return ForeignMounterRc::ERROR;
+    }
+    if (virtrust::DoSm3(fileContent, sm3Data) != Sm3Rc::OK) {
+        return ForeignMounterRc::ERROR;
+    }
+    return ForeignMounterRc::OK;
+}
+
+ForeignMounterRc ForeignMounter::Unmount() noexcept
+{
+    if (handle_ == nullptr) {
+        return ForeignMounterRc::OK;
+    }
+    isMount_ = false;
+    if (libguestfs_.guestfs_umount_all(handle_) == -1) {
+        VIRTRUST_LOG_ERROR("|Unmount|END|||Guestfs umount all failed.");
+        return ForeignMounterRc::ERROR;
+    }
+    return ForeignMounterRc::OK;
+}
+
+ForeignMounterRc ForeignMounter::EnableStrErrTrace()
+{
+    return libguestfs_.guestfs_set_trace(handle_, 1) == 0 ? ForeignMounterRc::OK : ForeignMounterRc::ERROR;
+}
+
+ForeignMounterRc ForeignMounter::DisableStrErrTrace()
+{
+    return libguestfs_.guestfs_set_trace(handle_, 0) == 0 ? ForeignMounterRc::OK : ForeignMounterRc::ERROR;
+}
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/utils/foreign_mounter.h b/virtrust/src/virtrust/utils/foreign_mounter.h
new file mode 100644
index 0000000000000000000000000000000000000000..2c8887215b8a4eb4b703d57794530f240b31ae28
--- /dev/null
+++ b/virtrust/src/virtrust/utils/foreign_mounter.h
@@ -0,0 +1,125 @@
+#pragma once
+
+#include <string>
+#include <string_view>
+
+#include "virtrust/base/logger.h"
+#include "virtrust/dllib/libguestfs.h"
+
+namespace virtrust {
+
+enum class LinuxDistro {
+    OPENEULER,
+    CENTOS,
+    UBUNTU,
+    DEBIAN,
+    FEDORA
+};
+
+class VerifyConfig {
+public:
+    VerifyConfig() = default;
+
+    VerifyConfig(const std::string &guestName, const std::string &diskPath, const std::string &loaderPath,
+                 LinuxDistro distro = LinuxDistro::OPENEULER);
+
+    std::string GetGuestName();
+    std::string GetDiskPath();
+    std::string GetLoaderPath();
+    std::string GetShimPath();
+    std::string GetGrubPath();
+    std::string GetGrubCfgPath();
+    std::string GetInitrdPath();
+    std::string GetLinuzPath();
+
+    void ParseGrubCfgContent(const std::string &content);
+
+private:
+    std::string guestName_;
+    std::string diskPath_;
+    std::string loaderPath_;
+    std::string shimPath_;
+    std::string grubPath_;
+    std::string grubCfgPath_;
+    std::string initrdPath_;
+    std::string linuzPath_;
+    LinuxDistro linuxDistro_;
+
+    std::string ParseGrubCfgLine(const std::string &line);
+};
+
+enum class ForeignMounterRc : uint32_t {
+    OK = 0,
+    ERROR = 1,
+    FILE_NOT_EXIST = 2,
+};
+
+struct MounterInfo {
+    std::string mpt;    // mount point
+    std::string device; // mount device
+    size_t dirLevel;
+};
+
+class ForeignMounter {
+public:
+    ForeignMounter()
+    {
+        // try to init handle, discarding the return process
+        TryInit();
+    };
+
+    ~ForeignMounter() noexcept
+    {
+        Unmount();
+        if (handle_ != nullptr) {
+            libguestfs_.guestfs_close(handle_);
+            handle_ = nullptr;
+        }
+    };
+
+    ForeignMounter(const ForeignMounter &) = delete;
+    ForeignMounter &operator=(const ForeignMounter &) = delete;
+    ForeignMounter(ForeignMounter &&) = delete;
+    ForeignMounter &operator=(ForeignMounter &&) = delete;
+
+    // low-level api, try to initialize handle
+    ForeignMounterRc TryInit();
+
+    // Mount virtual machine img path to filesystem
+    ForeignMounterRc Mount(std::string_view imgPath, size_t osIndex = 0);
+
+    // Read file content to string
+    ForeignMounterRc ReadFile(std::string_view filePath, std::string &content);
+
+    // Get file sm3
+    ForeignMounterRc DoSm3OnVmFile(std::string_view filePath, std::vector<uint8_t> &sm3Data);
+
+    // Unmount
+    ForeignMounterRc Unmount() noexcept;
+
+    // Check if everything is okay
+    bool CheckOk()
+    {
+        return handle_ != nullptr && libguestfs_.CheckOk() == DllibRc::OK;
+    }
+
+    bool CheckMount() const
+    {
+        return isMount_;
+    }
+
+    // Enable trace from libguestfs
+    ForeignMounterRc EnableStrErrTrace();
+
+    // Disable trace from libguestfs
+    ForeignMounterRc DisableStrErrTrace();
+
+private:
+    bool isMount_ = false;
+    guestfs_h *handle_ = nullptr;
+    Libguestfs &libguestfs_ = Libguestfs::GetInstance();
+
+    ForeignMounterRc MountFilesystems(const std::string &root);
+};
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/utils/hello.cpp b/virtrust/src/virtrust/utils/hello.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..0ef42b9d33bd708054f6bcd20e735bfd31a35db3
--- /dev/null
+++ b/virtrust/src/virtrust/utils/hello.cpp
@@ -0,0 +1,14 @@
+#include "file_io.h"
+#include "migrate_helper.h"
+#include <iostream>
+#include <guestfs.h>
+#include <libvirt/libvirt.h>  
+#include <libvirt/virterror.h>
+#include <libxml2/libxml/tree.h>
+#include "virtrust/utils/smart_deleter.h"
+
+
+void func()
+{
+
+}
\ No newline at end of file
diff --git a/virtrust/src/virtrust/utils/migrate_helper.cpp b/virtrust/src/virtrust/utils/migrate_helper.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..6c0d781d4141161f0fdfd3570428d72718656dc4
--- /dev/null
+++ b/virtrust/src/virtrust/utils/migrate_helper.cpp
@@ -0,0 +1,3 @@
+#include "virtrust/utils/migrate_helper.h"
+
+namespace virtrust {} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/utils/migrate_helper.h b/virtrust/src/virtrust/utils/migrate_helper.h
new file mode 100644
index 0000000000000000000000000000000000000000..44f93797bc46f64502a87965ff2ba4379a2bf38c
--- /dev/null
+++ b/virtrust/src/virtrust/utils/migrate_helper.h
@@ -0,0 +1,42 @@
+#pragma once
+
+#include <string>
+#include <utility>
+
+#include "virtrust/api/context.h"
+
+namespace virtrust {
+
+class MigrateHelper {
+public:
+    explicit MigrateHelper() = default;
+    ~MigrateHelper() = default;
+
+    explicit MigrateHelper(std::string destUri) : destUri_(std::move(destUri))
+    {}
+
+    void SetDstUri(const std::string &destUri)
+    {
+        destUri_ = destUri;
+    }
+
+    std::string GetDstUri()
+    {
+        return destUri_;
+    }
+
+    // step 1: get report that the hardware is okay
+    void GetReport();
+
+    // step 2: get the private shared key pair
+    void GetKey();
+
+    // step 3: key exchange to get a shared key
+    void ExchangeKey();
+
+private:
+    ConnCtx conn_;
+    std::string destUri_;
+};
+
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/utils/smart_deleter.h b/virtrust/src/virtrust/utils/smart_deleter.h
new file mode 100644
index 0000000000000000000000000000000000000000..27ae34ba199f5f7dc53156e24b8a629def3be04d
--- /dev/null
+++ b/virtrust/src/virtrust/utils/smart_deleter.h
@@ -0,0 +1,47 @@
+#pragma once
+
+namespace virtrust {
+
+template <class T> class SmartDeleter {
+public:
+    SmartDeleter()
+    {
+        core_ = nullptr;
+    }
+
+    explicit SmartDeleter(T *ptr)
+    {
+        core_ = ptr;
+    }
+
+    T *Get() const
+    {
+        return core_;
+    }
+
+protected:
+    T *core_ = nullptr;
+};
+
+#define VIRTRUST_MAKE_DESTRUCTOR(NAME, DELETER) \
+    ~NAME()                                     \
+    {                                           \
+        if (this->core_ != nullptr) {           \
+            DELETER(this->core_);               \
+            this->core_ = nullptr;              \
+        }                                       \
+    }
+
+#define CONCAT_IMPL(x, y) x##y
+#define CONCAT(x, y) CONCAT_IMPL(x, y)
+
+#define VIRTRUST_MAKE_SMART(T, DELETER)                                 \
+    class CONCAT(Smart, T) : public SmartDeleter<T> {                   \
+    public:                                                             \
+        using SmartDeleter<T>::SmartDeleter;                            \
+        CONCAT(Smart, T)(const CONCAT(Smart, T) &) = delete;            \
+        CONCAT(Smart, T) &operator=(const CONCAT(Smart, T) &) = delete; \
+        VIRTRUST_MAKE_DESTRUCTOR(CONCAT(Smart, T), DELETER)             \
+    }
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/utils/virt_xml_parser.cpp b/virtrust/src/virtrust/utils/virt_xml_parser.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..50039bde3ff01ed7314f8b3100799eda70fa0822
--- /dev/null
+++ b/virtrust/src/virtrust/utils/virt_xml_parser.cpp
@@ -0,0 +1,164 @@
+#include "virtrust/utils/virt_xml_parser.h"
+
+#include <filesystem>
+
+namespace virtrust {
+
+namespace {
+constexpr std::string_view VIRT_XML_DISK_PATH = "/domain/devices/disk/source";
+const xmlChar VIRT_XML_FILE_PROP[] = "file";
+constexpr std::string_view VIRT_XML_LOADER_PATH = "/domain/os/loader";
+constexpr std::string_view VIRT_XML_NAME_PATH = "/domain/name";
+constexpr std::string_view PATH_SEPARATOR = "/";
+} // namespace
+
+void VirtXmlParser::SearchCurrLevel(std::vector<xmlNodePtr> &currLevel, std::vector<xmlNodePtr> &nextLevel,
+                                    const std::string &nodeName)
+{
+    for (xmlNodePtr parent : currLevel) {
+        for (xmlNodePtr node = parent->children; node != nullptr; node = node->next) {
+            bool pathMatch = node->type == XML_ELEMENT_NODE && nodeName == MakeString(node->name);
+            if (pathMatch) {
+                nextLevel.push_back(node);
+            }
+        }
+    }
+}
+
+std::vector<xmlNodePtr> VirtXmlParser::FindNodesByPath(std::string_view absPath)
+{
+    std::vector<xmlNodePtr> ret;
+    auto root = libxml2_.xmlDocGetRootElement(doc_);
+    if (root == nullptr) {
+        VIRTRUST_LOG_ERROR("|FindNodesByPath|END|||Get xml root node failed.");
+        return ret;
+    }
+    if (absPath.empty()) {
+        VIRTRUST_LOG_ERROR("|FindNodesByPath|END|||Input path is empty.");
+        return ret;
+    }
+    if (absPath[0] != '/') {
+        VIRTRUST_LOG_ERROR("|FindNodesByPath|END||file path: {}|It's not a absolutely path.", absPath);
+        return ret;
+    }
+
+    std::vector<std::string> parts = StrSplit(StrTrim(std::string(absPath), PATH_SEPARATOR[0]), PATH_SEPARATOR);
+
+    std::vector<xmlNodePtr> currLevel = {root};
+    if (parts[0] != MakeString(root->name)) {
+        VIRTRUST_LOG_ERROR("|FindNodesByPath|END||file path: {}|The name of root node in xml file is wrong.", absPath);
+        return ret;
+    }
+
+    for (size_t i = 1; i < parts.size(); ++i) {
+        const auto &nodeName = parts[i];
+        std::vector<xmlNodePtr> nextLevel;
+        SearchCurrLevel(currLevel, nextLevel, nodeName);
+        if (nextLevel.empty()) {  // No matchs found
+            return ret;
+        }
+        currLevel = std::move(nextLevel);
+    }
+    return currLevel;
+}
+
+bool VirtXmlParser::LoadFile(std::string_view filename)
+{
+    if (filename.empty()) {
+        VIRTRUST_LOG_ERROR("|LoadFile|END|returnF||File name is empty.");
+        return false;
+    }
+
+    if (!std::filesystem::exists(filename) || !std::filesystem::is_regular_file(filename)) {
+        VIRTRUST_LOG_ERROR("|LoadFile|END|returnF||The file does not exist: {}.", filename);
+        return false;
+    }
+
+    // the reamining document tree if the file was wellformed, nullptr otherwise
+    if (doc_ != nullptr) {
+        VIRTRUST_LOG_WARN("|LoadFile|END|||Already load file, will load new one.");
+        libxml2_.xmlFreeDoc(doc_);
+        doc_ = nullptr;
+    }
+    doc_ = libxml2_.xmlParseFile(filename.data());
+    return doc_ != nullptr;
+}
+
+std::string VirtXmlParser::GetDiskPath()
+{
+    auto nodes = FindNodesByPath(VIRT_XML_DISK_PATH);
+    if (nodes.empty()) {
+        VIRTRUST_LOG_ERROR("|GetDiskPath|END||node path: {}|Get disk path from xml failed.", VIRT_XML_DISK_PATH);
+        return "";
+    }
+
+    if (nodes.size() != 1) {
+        VIRTRUST_LOG_ERROR("|GetDiskPath|END|||The node of disk path in xml is not only.");
+        return "";
+    }
+
+    xmlNodePtr node = nodes[0];
+    xmlChar *diskPath = libxml2_.xmlGetProp(node, VIRT_XML_FILE_PROP);
+    if (diskPath == nullptr) {
+        VIRTRUST_LOG_ERROR("|GetDiskPath|END||node path: {}|Target node does not have property: {}.", VIRT_XML_DISK_PATH,
+                            reinterpret_cast<const char*>(VIRT_XML_FILE_PROP));
+        return "";
+    }
+
+    std::string ret = MakeString(diskPath);
+    free(diskPath);
+    return ret;
+}
+
+std::string VirtXmlParser::GetLoaderPath()
+{
+    auto nodes = FindNodesByPath(VIRT_XML_LOADER_PATH);
+    if (nodes.empty()) {
+        VIRTRUST_LOG_ERROR("|GetLoaderPath|END|||Get loader path from xml failed: {}.", VIRT_XML_LOADER_PATH);
+        return "";
+    }
+
+    if (nodes.size() != 1) {
+        VIRTRUST_LOG_ERROR("|GetLoaderPath|END|||The node of loader path in xml is not only.");
+        return "";
+    }
+
+    xmlNodePtr node = nodes[0];
+    if (node->children == nullptr || node->children->content == nullptr) {
+        VIRTRUST_LOG_ERROR("|GetLoaderPath|END||node path: {}|Target node does not have any child nodes.",
+                            VIRT_XML_LOADER_PATH);
+        return "";
+    }
+    return MakeString(node->children->content);
+}
+
+std::string VirtXmlParser::GetVmName()
+{
+    auto nodes = FindNodesByPath(VIRT_XML_NAME_PATH);
+    if (nodes.empty()) {
+        VIRTRUST_LOG_ERROR("|GetVmName|END|||Get VM name from xml failed.");
+        return "";
+    }
+
+    if (nodes.size() != 1) {
+        VIRTRUST_LOG_ERROR("|GetVmName|END|||The node of VM name in xml is not only.");
+        return "";
+    }
+
+    xmlNodePtr node = nodes[0];
+    if (node->children == nullptr || node->children->content == nullptr) {
+        VIRTRUST_LOG_ERROR("|GetVmName|END||node path: {}|Target node does not have any child nodes.",
+                            VIRT_XML_NAME_PATH);
+        return "";
+    }
+    return MakeString(node->children->content);
+}
+
+VerifyConfig VirtXmlParser::Parse(const std::string &filePath)
+{
+    LoadFile(filePath);
+    VerifyConfig config(GetVmName(), GetDiskPath(), GetLoaderPath());
+    return config;
+}
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/utils/virt_xml_parser.h b/virtrust/src/virtrust/utils/virt_xml_parser.h
new file mode 100644
index 0000000000000000000000000000000000000000..84131cd547d73ff2f6bcb715b75aa886c55a856c
--- /dev/null
+++ b/virtrust/src/virtrust/utils/virt_xml_parser.h
@@ -0,0 +1,45 @@
+#pragma once
+
+#include <string>
+
+#include "virtrust/base/logger.h"
+#include "virtrust/dllib/libxml2.h"
+#include "virtrust/utils/foreign_mounter.h"
+
+namespace virtrust {
+
+using NodeConditionMatchFunc = std::function<bool(const xmlNodePtr)>;
+
+class VirtXmlParser {
+public:
+    VirtXmlParser() = default;
+
+    ~VirtXmlParser()
+    {
+        if (doc_ != nullptr) {
+            libxml2_.xmlFreeDoc(doc_);
+        }
+    }
+
+    std::vector<xmlNodePtr> FindNodesByPath(std::string_view absPath);
+
+    // Load the VM xml file, the function reloads the file each time it is called.
+    bool LoadFile(std::string_view filename);
+
+    std::string GetVmName();
+
+    std::string GetDiskPath();
+
+    std::string GetLoaderPath();
+
+    VerifyConfig Parse(const std::string &filePath);
+
+private:
+    Libxml2 &libxml2_ = Libxml2::GetInstance();
+    xmlDocPtr doc_ = nullptr;
+
+    void SearchCurrLevel(std::vector<xmlNodePtr> &currLevel, std::vector<xmlNodePtr> &nextLevel,
+                         const std::string &nodeName);
+};
+
+} // namespace virtrust
\ No newline at end of file