diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000000000000000000000000000000000000..cb976edb8c8a4e5da47bbb018333f3ca203ce3ad
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,10 @@
+# Test data
+*.pem
+*.srl
+*.csr
+*.cert
+
+# Build file
+virtrust/build/*
+
+.vscode
\ No newline at end of file
diff --git a/virtrust/.clang-format b/virtrust/.clang-format
new file mode 100644
index 0000000000000000000000000000000000000000..47d7cda977375e53968838ba1cbb49fae69884c7
--- /dev/null
+++ b/virtrust/.clang-format
@@ -0,0 +1,112 @@
+Language:        Cpp
+BasedOnStyle:  Google
+AccessModifierOffset: -4
+AlignAfterOpenBracket: Align
+AlignConsecutiveAssignments: false
+AlignConsecutiveDeclarations: false
+AlignOperands:   true
+AlignTrailingComments: true
+AllowAllParametersOfDeclarationOnNextLine: false
+AllowShortBlocksOnASingleLine: false
+AllowShortCaseLabelsOnASingleLine: false
+AllowShortFunctionsOnASingleLine: None
+AllowShortIfStatementsOnASingleLine: false
+AllowShortLoopsOnASingleLine: false
+AlwaysBreakAfterDefinitionReturnType: None
+AlwaysBreakAfterReturnType: None
+AlwaysBreakBeforeMultilineStrings: false
+AlwaysBreakTemplateDeclarations: false
+AllowShortEnumsOnASingleLine: false
+BinPackArguments: true
+BinPackParameters: true
+BraceWrapping:
+  AfterClass:      false
+  AfterControlStatement: false
+  AfterEnum:       false
+  AfterFunction:   true
+  AfterNamespace:  false
+  AfterObjCDeclaration: false
+  AfterStruct:     false
+  AfterUnion:      false
+  AfterExternBlock: false
+  BeforeCatch:     false
+  BeforeElse:      false
+  IndentBraces:    false
+  SplitEmptyFunction: false
+  SplitEmptyRecord: false
+  SplitEmptyNamespace: false
+BreakBeforeBinaryOperators: None
+BreakBeforeBraces: Custom
+BreakBeforeInheritanceComma: false
+BreakBeforeTernaryOperators: true
+BreakConstructorInitializersBeforeComma: false
+BreakConstructorInitializers: BeforeColon
+BreakAfterJavaFieldAnnotations: false
+BreakStringLiterals: true
+ColumnLimit:     120
+CommentPragmas:  '^ IWYU pragma:'
+CompactNamespaces: false
+ConstructorInitializerAllOnOneLineOrOnePerLine: true
+ConstructorInitializerIndentWidth: 4
+ContinuationIndentWidth: 4
+Cpp11BracedListStyle: true
+DerivePointerAlignment: false
+DisableFormat:   false
+ExperimentalAutoDetectBinPacking: false
+FixNamespaceComments: true
+ForEachMacros:
+  - foreach
+  - Q_FOREACH
+  - BOOST_FOREACH
+IncludeBlocks:   Regroup
+IncludeCategories:
+  - Regex:           '^<.*\.h>'
+    Priority:        1
+  - Regex:           '^<.*'
+    Priority:        2
+  - Regex:           '.*\.pb\.h"$'
+    Priority:        5
+  - Regex:           '^"virtrust.*'
+    Priority:        4
+  - Regex:           '^".*'
+    Priority:        3
+IncludeIsMainRegex: '(Test)?$'
+IndentCaseLabels: true
+IndentPPDirectives: None
+IndentWidth:     4
+IndentWrappedFunctionNames: false
+JavaScriptQuotes: Leave
+JavaScriptWrapImports: true
+KeepEmptyLinesAtTheStartOfBlocks: true
+MacroBlockBegin: ''
+MacroBlockEnd:   ''
+MaxEmptyLinesToKeep: 1
+NamespaceIndentation: None
+ObjCBlockIndentWidth: 4
+ObjCSpaceAfterProperty: false
+ObjCSpaceBeforeProtocolList: true
+PenaltyBreakAssignment: 2
+PenaltyBreakBeforeFirstCallParameter: 19
+PenaltyBreakComment: 300
+PenaltyBreakFirstLessLess: 80
+PenaltyBreakString: 1000
+PenaltyExcessCharacter: 1000000
+PenaltyReturnTypeOnItsOwnLine: 80
+PointerAlignment: Right
+ReflowComments:  true
+SortIncludes:    true
+SortUsingDeclarations: true
+SpaceAfterCStyleCast: false
+SpaceAfterTemplateKeyword: true
+SpaceBeforeAssignmentOperators: true
+SpaceBeforeParens: ControlStatements
+SpaceInEmptyParentheses: false
+SpacesBeforeTrailingComments: 1
+SpacesInAngles:  false
+SpacesInContainerLiterals: false
+SpacesInCStyleCastParentheses: false
+SpacesInParentheses: false
+SpacesInSquareBrackets: false
+Standard:        Cpp11
+TabWidth:        4
+UseTab:          Never
\ No newline at end of file
diff --git a/virtrust/CMakeLists.txt b/virtrust/CMakeLists.txt
new file mode 100644
index 0000000000000000000000000000000000000000..2369bff6a2575427a4097e087bf494f487c2dd37
--- /dev/null
+++ b/virtrust/CMakeLists.txt
@@ -0,0 +1,185 @@
+cmake_minimum_required(VERSION 3.14.1)
+project(virtrust CXX C)
+
+option(BUILD_TEST "Enable/Disable tests" On)
+option(USE_MOCK_TSB_AGENT "Use Mocked Tsb Agent (DO NOT USE IN PRODUCTION)" On)
+
+set(USER_DEPS_DIR
+    "${PROJECT_SOURCE_DIR}/external"
+    CACHE
+      STRING
+      "Pre-Build Dependency Directory, default to ${PROJECT_SOURCE_DIR}/external"
+)
+
+if(NOT BUILD_TEST AND CMAKE_BUILD_TYPE STREQUAL "Asan")
+  message(
+    WARNING
+      "CMAKE_BUILD_TYPE is Asan but BUILD_TEST has been set to Off, turn on BUILD_TEST automatically."
+  )
+  set(BUILD_TEST On)
+endif()
+
+if(NOT BUILD_TEST AND CMAKE_BUILD_TYPE STREQUAL "Coverage")
+  message(
+    WARNING
+      "CMAKE_BUILD_TYPE is Coverage but BUILD_TEST has been set to Off, turn on BUILD_TEST automatically."
+  )
+  set(BUILD_TEST On)
+endif()
+
+if(NOT BUILD_TEST AND CMAKE_BUILD_TYPE STREQUAL "Fuzz")
+  message(
+    WARNING
+      "CMAKE_BUILD_TYPE is Fuzz but BUILD_TEST has been set to Off, turn on BUILD_TEST automatically."
+  )
+  set(BUILD_TEST On)
+endif()
+
+if(NOT CMAKE_BUILD_TYPE AND NOT CMAKE_CONFIGURATION_TYPES)
+  set(CMAKE_BUILD_TYPE
+      "Release"
+      CACHE
+        STRING
+        "Choose the type of build, e.g. Debug, Release, Coverage, Asan, Fuzz"
+        FORCE)
+  message(
+    WARNING
+      "CMAKE_BUILD_TYPE not specified, defaulting to '${CMAKE_BUILD_TYPE}'")
+endif()
+
+if(USE_MOCK_TSB_AGENT)
+  add_compile_definitions(USE_MOCK_TSB_AGENT)
+  if(CMAKE_BUILD_TYPE STREQUAL "Release")
+    message(
+      WARNING
+        "USE_MOCK_TSB_AGENT has been set to On while building with Release, please make sure this is intentional."
+    )
+  endif()
+endif()
+
+if(CMAKE_INSTALL_PREFIX_INITIALIZED_TO_DEFAULT)
+  set_property(CACHE CMAKE_INSTALL_PREFIX PROPERTY VALUE ${PROJECT_BINARY_DIR})
+  message(
+    WARNING
+      "CMAKE_INSTALL_PREFIX not specified, defaulting to '${PROJECT_BINARY_DIR}'"
+  )
+endif()
+
+cmake_policy(GET CMP0097 NEW)
+
+set(CMAKE_MODULE_PATH "${PROJECT_SOURCE_DIR}/cmake/")
+set(CMAKE_EXPORT_COMPILE_COMMANDS On)
+
+include(GNUInstallDirs)
+
+set(DEPS_INSTALL_PREFIX_NAME deps)
+set(CMAKE_DEPS_INSTALL_PREFIX ${CMAKE_BINARY_DIR}/${DEPS_INSTALL_PREFIX_NAME})
+set(CMAKE_DEPS_INCLUDEDIR
+    ${CMAKE_DEPS_INSTALL_PREFIX}/${CMAKE_INSTALL_INCLUDEDIR})
+set(CMAKE_DEPS_LIBDIR ${CMAKE_DEPS_INSTALL_PREFIX}/${CMAKE_INSTALL_LIBDIR})
+
+set(CMAKE_C_STANDARD 17)
+set(CMAKE_CXX_STANDARD 17)
+
+set(CMAKE_POSITION_INDEPENDENT_CODE On)
+
+set(CMAKE_CXX_FLAGS_RELEASE "")
+set(CMAKE_CXX_FLAGS_DEBUG "")
+
+include(SetToolchainFlags)
+set_toolchain_flags()
+
+# HACK compiler flags, try remove this in the future
+add_compiler_flags(-Wno-missing-field-initializers) # for dllib guestfs
+add_compiler_flags(-Wno-unused-parameter) # for tsb interface
+add_compiler_flags(-Wno-deprecated-declarations) # rapidjson headers
+add_compiler_flags(-Wno-error=pragmas) # rapidjson headers
+add_compiler_flags(-Wno-class-memaccess) # rapidjson headers
+add_compiler_flags(-Wno-implicit-fallthrough) # rapidjson headers
+add_compiler_flags(-Wno-template-body) # rapidjson headers
+
+get_property(
+  virtrust_link_options
+  DIRECTORY
+  PROPERTY LINK_OPTIONS)
+
+message(STATUS "=============================================================")
+message(STATUS "User Options and Configurations")
+message(STATUS "=============================================================")
+message(STATUS "CMake Version    :${CMAKE_VERSION}")
+message(STATUS "Build Type    :${CMAKE_BUILD_TYPE}")
+message(STATUS "CPU Type    :${CMAKE_SYSTEM_PROCESSOR}")
+message(STATUS "Compiler   :${CMAKE_CXX_COMPILER_ID}")
+message(STATUS "Compiler Version  :${CMAKE_CXX_COMPILER_VERSION}")
+message(STATUS "C Standard  :${CMAKE_C_STANDARD}")
+message(STATUS "C++ Standard  :${CMAKE_CXX_STANDARD}")
+message(STATUS "Compiler Flags  :\n${CMAKE_CXX_FLAGS}")
+message(STATUS "Linker Flags  :\n${virtrust_link_options}")
+message(STATUS "Exe Linker Flags  :\n${CMAKE_EXE_LINKER_FLAGS}")
+message(STATUS "CMAKE_INSTALL_PREFIX  :${CMAKE_INSTALL_PREFIX}")
+message(STATUS "CMAKE_DEPS_SRCDIR  :${CMAKE_DEPS_SRCDIR}")
+message(STATUS "(opt) BUILD_TEST  :${BUILD_TEST}")
+message(STATUS "(opt) USE_MOCK_TSB_AGENT  :${USE_MOCK_TSB_AGENT}")
+
+include(FetchContent)
+include(ExternalProject)
+
+set(FETCHCONTENT_BASE_DIR ${CMAKE_DEPS_INSTALL_PREFIX}/src)
+
+include(ImportLibs)
+include(deps/openssl)
+#include(deps/libboundscheck)
+include(deps/spdlog)
+include(deps/gtest)
+include(deps/rapidjson)
+
+set(CMAKE_ARCHIVE_OUTPUT_DIRECTORY
+    ${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_LIBDIR})
+set(CMAKE_LIBRARY_OUTPUT_DIRECTORY
+    ${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_LIBDIR})
+set(CMAKE_INCLUDE_OUTPUT_DIRECTORY
+    ${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_INCLUDEDIRDIR})
+set(CMAKE_RUNTIME_OUTPUT_DIRECTORY
+    ${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_BINDIR})
+
+include(AddVirtrustTestIf)
+
+if(BUILD_TEST)
+  include(CTest)
+  enable_testing()
+  list(APPEND CMAKE_CTEST_ARGUMENTS "--output-on-failure")
+endif()
+
+add_subdirectory(src)
+
+if(BUILD_TEST)
+  add_subdirectory(test)
+endif()
+
+if(CMAKE_BUILD_TYPE STREQUAL "Coverage")
+  find_program(LCOV_PATH lcov)
+  find_program(GENHTML_PATH genhtml)
+  if(LCOV_PATH AND GENHTML_PATH)
+    add_custom_target(
+      coverage
+      COMMAND
+        ${LCOV_PATH} --capture --directory . --exclue "build/*" --exclude
+        "external/*" --exclude "/usr/*" --output-file coverage.info
+        --ignore-errors mismatch,inconsistent
+      COMMAND ${GENHTML_PATH} coverage.info --output-directory
+              ${CMAKE_BINARY_DIR}/coverage_report --ignore-errors inconsistent
+      WORKING_DIRECTORY ${CMAKE_BINARY_DIR}
+      COMMENT "Generating code coverage report..."
+      VERBATIM)
+  else()
+    add_custom_target(
+      coverage
+      COMMAND ${CMAKE_COMMAND} -E echo
+              "lcov and/or genhtml not found. Generating gcov files instead."
+      COMMAND ${CMAKE_COMMAND} -E make_directory ${CMAKE_BINARY_DIR}/gcov_report
+      COMMAND find src -name "*.gcda" -exec gcov -pb {} +
+      WORKING_DIRECTORY ${CMAKE_BINARY_DIR}
+      COMMENT "Generating gcov coverage report..."
+      VERBATIM)
+  endif()
+endif()
diff --git a/virtrust/build.sh b/virtrust/build.sh
new file mode 100755
index 0000000000000000000000000000000000000000..9c707e14ada85bc3a9077d0e9df0bd9eb622f56e
--- /dev/null
+++ b/virtrust/build.sh
@@ -0,0 +1,110 @@
+#!/bin/bash
+
+#
+# Copyright (c) Huawei Technologies Co., Ltd. 2021-2021. All rights reserved.
+#
+
+###
+### build.sh --- build project
+### Usage:
+###     build.sh <target> [-D] [-C] [-t <target>]
+### Options:
+###     <target>            Build target useby Make
+###     -h, --help          show this help message and exit
+###     -t || --target      Specifying build target, default is `all`
+###                         Support targets:
+###                             cicd_default: build default target
+
+
+# 函数内命令（后台命令） 失败时退出脚本
+#set -o errtrace
+# 脚本内命令(前台命令)失败时，立即退出脚本
+#set -o errexit
+
+build_target='cicd_default'
+build_type='Release'
+build_asan='Off'
+enable_test='On'
+
+# 获取项目根目录(目前为构建脚本所在目录)
+PROJECT_ROOT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+OUTPUT_DIR=${PROJECT_ROOT_DIR}/output
+
+echo "PROJECT_ROOT_DIR $PROJECT_ROOT_DIR"
+
+# 日志打印辅助函数
+function log_info() {
+    if [ $# -lt 1 ]; then
+        return
+    fi
+
+    echo "$(date +"%F %T") [INFO] $*"
+}
+
+function help() {
+    sed -rn 's/^### ?//;T;p;' "$0"
+}
+
+# 解析命令行参数
+function parse_args() {
+    while [[ $# -gt 0 ]]; do
+        case "$1" in
+        -h | --help)
+            help
+            exit
+            ;;
+        -t | --target)
+            if [[ $# -gt 1 && "$2" != "-"* ]]; then
+                build_target="$2"
+                shift 2
+            else 
+                log_info "Error: Argument required after -t||--target."
+                exit 1
+            fi
+            ;;
+        *)
+            [ "$1" != ""] && build_target="$1"
+            shift
+            ;;
+        esac
+    done
+}
+
+
+function build_output() {
+    log_info "***** start build cmake ${OUTPUT_DIR}*****"
+    mkdir -p build
+    pushd build
+    cmake .. -DCMAKE_BUILD_TYPE=${build_type} \
+        -DBUILD_TEST=${enable_test}\
+        -DUSE_MOCK_TSB_AGENT=On \
+        -DCMAKE_INSTALL_PREFIX=${OUTPUT_DIR}/virtrust \
+    make
+    make install
+    popd
+}
+
+function build_cmake() {
+    log_info "***** start build cmake *****"
+    log_info "building target ${build_target}"
+    if [[ "${build_target}" == "cicd_default" ]]; then
+        build_type='Release'
+        enable_test='Off'
+        build_output
+    fi
+
+    local ret=$?
+    if [[ $ret -ne 0 ]]; then
+        log_info "***** build cmake failed *****"
+        echo_failure
+        exit 1
+    fi
+}
+
+echo $(date +"%Y-%m-%d %H-%M"): "$0" "$@"
+START_TIME=$(date +%s.%N)
+
+cd ${PROJECT_ROOT_DIR}
+
+parse_args "$@"
+build_cmake
diff --git a/virtrust/cmake/AddVirtrustTestIf.cmake b/virtrust/cmake/AddVirtrustTestIf.cmake
new file mode 100644
index 0000000000000000000000000000000000000000..26a3a333e36fcea97546b01205f021de36f721cd
--- /dev/null
+++ b/virtrust/cmake/AddVirtrustTestIf.cmake
@@ -0,0 +1,54 @@
+# Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+
+macro(add_virtrust_test_if NAME)
+  if(BUILD_TEST)
+    add_executable(${NAME} ${NAME}.cpp)
+    target_link_libraries(${NAME} PRIVATE virtrust-shared Deps::gtest)
+    add_test(NAME ${NAME} COMMAND ${NAME})
+    target_include_directories(
+      ${NAME} PRIVATE $<BUILD_INTERFACE:${PROJECT_SOURCE_DIR}/src>
+                      ${CMAKE_DEPS_INCLUDEDIR})
+    set_tests_properties(
+      ${NAME}
+      PROPERTIES
+        ENVIRONMENT
+        "LD_LIBRARY_PATH:${CMAKE_LIBRARY_OUTPUT_DIRECTORY}:$ENV{LD_LIBRARY_PATH}"
+    )
+  endif()
+endmacro()
+
+macro(add_virtrust_sh_test_if NAME)
+  if(BUILD_TEST)
+    add_executable(${NAME} ${NAME}.cpp)
+    target_link_libraries(${NAME} PRIVATE virtrust-sh-obj virtrust-shared
+                                          Deps::gtest)
+    add_test(NAME ${NAME} COMMAND ${NAME})
+    target_include_directories(
+      ${NAME} PRIVATE $<BUILD_INTERFACE:${PROJECT_SOURCE_DIR}/src>
+                      ${CMAKE_DEPS_INCLUDEDIR})
+    set_tests_properties(
+      ${NAME}
+      PROPERTIES
+        ENVIRONMENT
+        "LD_LIBRARY_PATH:${CMAKE_LIBRARY_OUTPUT_DIRECTORY}:$ENV{LD_LIBRARY_PATH}"
+    )
+  endif()
+endmacro()
+
+macro(add_libvirtrustd_test_if NAME)
+  if(BUILD_TEST)
+    add_executable(${NAME} ${NAME}.cpp)
+    target_link_libraries(${NAME} PRIVATE libvirtrustd-obj virtrust-shared
+                                          Deps::gtest)
+    add_test(NAME ${NAME} COMMAND ${NAME})
+    target_include_directories(
+      ${NAME} PRIVATE $<BUILD_INTERFACE:${PROJECT_SOURCE_DIR}/src>
+                      ${CMAKE_DEPS_INCLUDEDIR})
+    set_tests_properties(
+      ${NAME}
+      PROPERTIES
+        ENVIRONMENT
+        "LD_LIBRARY_PATH:${CMAKE_LIBRARY_OUTPUT_DIRECTORY}:$ENV{LD_LIBRARY_PATH}"
+    )
+  endif()
+endmacro()
diff --git a/virtrust/cmake/ImportLibs.cmake b/virtrust/cmake/ImportLibs.cmake
new file mode 100644
index 0000000000000000000000000000000000000000..ffa6b695f6a7bf43104b5c46555f34804fde12fa
--- /dev/null
+++ b/virtrust/cmake/ImportLibs.cmake
@@ -0,0 +1,19 @@
+# Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+
+macro(import_static_lib_from LIBNAME LIB)
+  add_library(${LIBNAME} STATIC IMPORTED)
+  set_target_properties(
+    ${LIBNAME}
+    PROPERTIES IMPORTED_LOCATION
+               ${CMAKE_DEPS_LIBDIR}/${LIBNAME}${CMAKE_STATIC_LIBRARY_SUFFIX})
+  add_dependencies(${LIBNAME} ${LIB})
+endmacro()
+
+macro(import_shared_lib_from LIBNAME LIB)
+  add_library(${LIBNAME} SHARED IMPORTED)
+  set_target_properties(
+    ${LIBNAME}
+    PROPERTIES IMPORTED_LOCATION
+               ${CMAKE_DEPS_LIBDIR}/${LIBNAME}${CMAKE_SHARED_LIBRARY_SUFFIX})
+  add_dependencies(${LIBNAME} ${LIB})
+endmacro()
diff --git a/virtrust/cmake/SetToolchainFlags.cmake b/virtrust/cmake/SetToolchainFlags.cmake
new file mode 100644
index 0000000000000000000000000000000000000000..6e94258b2be82432d1e3ab275d32452959d650dd
--- /dev/null
+++ b/virtrust/cmake/SetToolchainFlags.cmake
@@ -0,0 +1,147 @@
+# Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+
+include(CheckCXXCompilerFlag)
+include(CheckCompilerFlag)
+include(CheckLinkerFlag)
+
+# CXX Compiler Flags
+function(add_compiler_flags flag)
+  string(FIND "${CMAKE_CXX_FLAGS}" "${flag}" flag_already_set)
+  if(flag_already_set EQUAL -1)
+    message(STATUS "Adding CXX compiler flag: ${flag} ...")
+    check_cxx_compiler_flag("${flag}" flag_supported)
+    if(flag_supported)
+      set(CMAKE_CXX_FLAGS
+          "${CMAKE_CXX_FLAGS} ${flag}"
+          PARENT_SCOPE)
+    endif()
+    unset(flag_supported CACHE)
+  endif()
+endfunction()
+
+# C Compiler Flags
+function(add_c_compiler_flags flag)
+  string(FIND "${CMAKE_CXX_FLAGS}" "${flag}" flag_already_set)
+  if(flag_already_set EQUAL -1)
+    message(STATUS "Adding C compiler flag: ${flag} ...")
+    check_compiler_flag(C "${flag}" flag_supported)
+    if(flag_supported)
+      set(CMAKE_CXX_FLAGS
+          "${CMAKE_CXX_FLAGS} ${flag}"
+          PARENT_SCOPE)
+    endif()
+    unset(flag_supported CACHE)
+  endif()
+endfunction()
+
+# Linker Flags
+function(add_linker_flags flag)
+  get_property(
+    virtrust_link_options
+    DIRECTORY
+    PROPERTY LINK_OPTIONS)
+  string(FIND "${virtrust_link_options}" "${flag}" flag_already_set)
+  if(flag_already_set EQUAL -1)
+    message(STATUS "Adding linker flag: ${flag} ...")
+    check_linker_flag(CXX "${flag}" flag_supported)
+    if(flag_supported)
+      add_link_options(${flag})
+    endif()
+    unset(flag_supported CACHE)
+  endif()
+endfunction()
+
+# Setup Toolchain
+
+macro(set_toolchain_flags)
+
+  # do no add runtime path information
+  set(CMAKE_SKIP_RPATH TRUE)
+
+  # all warnings are treated as errors
+  add_compiler_flags(-Wall)
+  add_compiler_flags(-Wextra)
+  add_compiler_flags(-Werror)
+
+  # compiler flags
+  add_compiler_flags(-pipe)
+  add_compiler_flags(-fno-common)
+  add_compiler_flags(-fstrong-eval-order)
+  add_compiler_flags(-fms-extensions)
+  add_compiler_flags(-fno-strict-aliasing)
+  add_compiler_flags(-freg-struct-return)
+
+  # REVIEW additional warnnings
+  add_compiler_flags(-Winvalid-pch)
+  add_compiler_flags(-Wunused)
+  add_compiler_flags(-Wunused-variable)
+  add_compiler_flags(-Wunused-value)
+  add_compiler_flags(-Wcast-align)
+  add_compiler_flags(-Wcast-equal)
+  add_compiler_flags(-Wwrite-strings)
+  add_compiler_flags(-Wdata-time)
+  add_compiler_flags(-Wstrict-prototypes)
+  add_compiler_flags(-Wdelete-non-virtual-dtor)
+  add_compiler_flags(-Wtrampolines)
+  add_compiler_flags(-Woverloaded-virtual)
+
+  # common linker flags (good-to-have)
+  add_linker_flags(-Wl, -Bsymbolic)
+  add_linker_flags(-rdynamic)
+  add_linker_flags(-Wl, --no-undefined)
+
+  #
+  if(CMAKE_BUILD_TYPE STREQUAL "Release")
+    add_compiler_flags(-fstrack-protector-strong)
+    add_compiler_flags(-fPIC)
+    add_compiler_flags(-fPIE)
+    add_compiler_flags(-D_FORTIRY_SOURCE=2)
+    add_compiler_flags(-O2)
+    add_compiler_flags(-ftrapv)
+
+    add_linker_flags(-pie)
+    add_linker_flags(-s)
+    add_linker_flags(-Wl,-z,relro,-z,now)
+    add_linker_flags(-Wl,-z,noexecstack)
+  elseif(CMAKE_BUILD_TYPE STREQUAL "Debug")
+    add_compiler_flags(-g)
+  elseif(CMAKE_BUILD_TYPE STREQUAL "Coverage")
+    add_compiler_flags(-g)
+
+    # HACK it's strange that check_cxx_compiler_flags() function fail to add
+    # --coverage flag, so we add this manually
+    set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} --coverage")
+    set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fprofile-arcs")
+    set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -ftest-coverage")
+
+    # NOTE the following liner flags only work on executables, which does not
+    # get included in general linker flags
+    set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} --coverage")
+    set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -lgcov")
+  elseif(CMAKE_BUILD_TYPE STREQUAL "Asan")
+    add_compiler_flags(-g)
+
+    # https://cmake.org/pipermail/cmake/2019-October/070180.html
+    set(_saved_CRT ${CMAKE_REQUIRED_LIBRARIES})
+    set(CMAKE_REQUIRED_LIBRARIES "-fsanitize=address;asan")
+
+    add_compiler_flags(-fsanitize=address)
+    add_compiler_flags(-fsanitize=leak)
+    add_compiler_flags(-fsanitize=undefined)
+    add_compiler_flags(-fsanitize=pointer-compare)
+    add_compiler_flags(-fsanitize=pointer-subtract)
+
+    add_linker_flags(-fno-pie)
+    add_linker_flags(-fsanitize=address)
+    add_linker_flags(-fsanitize=leak)
+    add_linker_flags(-fsanitize=undefined)
+    add_linker_flags(-fsanitize=pointer-compare)
+    add_linker_flags(-fsanitize=pointer-subtract)
+
+    set(CMAKE_REQUIRED_LIBRARIES ${_saved_CRT})
+  elseif(CMAKE_BUILD_TYPE STREQUAL "Fuzz")
+    # TODO
+    add_compiler_flags(-g)
+  endif()
+
+endmacro()
diff --git a/virtrust/cmake/deps/gtest.cmake b/virtrust/cmake/deps/gtest.cmake
new file mode 100644
index 0000000000000000000000000000000000000000..b498723d5dde5bfb4f68de8e54b6c073841cd83d
--- /dev/null
+++ b/virtrust/cmake/deps/gtest.cmake
@@ -0,0 +1,40 @@
+# Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+
+ExternalProject_Add(
+  googletest
+  URL https://github.com/google/googletest/archive/refs/tags/v1.15.2.tar.gz
+  URL_HASH
+    SHA256=7b42b4d6ed48810c5362c265a17faebe90dc2373c885e5216439d37927f02926
+  CMAKE_ARGS -DCMAKE_POSITION_INDEPENDENT_CODE=On #
+             -DCMAKE_CXX_STANDARD=17 #
+             -DCMAKE_C_STANDARD_REQUIRED=Yes #
+             -DCMAKE_INSTALL_PREFIX=${CMAKE_DEPS_INSTALL_PREFIX} #
+             -DBUILD_GMOCK=On #
+  PREFIX ${CMAKE_DEPS_INSTALL_PREFIX}
+  UPDATE_COMMAND ""
+  BUILD_BYPRODUCTS ${CMAKE_DEPS_LIBDIR}/libgtest${CMAKE_STATIC_LIBRARY_SUFFIX}
+  BUILD_BYPRODUCTS
+    ${CMAKE_DEPS_LIBDIR}/libgtest_main${CMAKE_STATIC_LIBRARY_SUFFIX}
+  BUILD_BYPRODUCTS ${CMAKE_DEPS_LIBDIR}/libgmock${CMAKE_STATIC_LIBRARY_SUFFIX}
+  BUILD_BYPRODUCTS
+    ${CMAKE_DEPS_LIBDIR}/libgmock_main${CMAKE_STATIC_LIBRARY_SUFFIX}
+  EXCLUDE_FROM_ALL true
+  DOWNLOAD_EXTRACT_TIMESTAMP On
+  LOG_DOWNLOAD On
+  LOG_CONFIGURE On
+  LOG_BUILD On
+  LOG_INSTALL On)
+
+import_static_lib_from(libgtest googletest)
+import_static_lib_from(libgtest_main googletest)
+import_static_lib_from(libgmock_main googletest)
+import_static_lib_from(libgmock googletest)
+
+target_link_libraries(libgtest_main INTERFACE libgtest)
+target_link_libraries(libgmock_main INTERFACE libgmock)
+
+# -----------------------------
+# Alias Target for External Use
+# -----------------------------
+add_library(Deps::gtest ALIAS libgtest_main)
+add_library(Deps::gmock ALIAS libgmock_main)
diff --git a/virtrust/cmake/deps/libboundscheck.cmake b/virtrust/cmake/deps/libboundscheck.cmake
new file mode 100644
index 0000000000000000000000000000000000000000..f9ef7dd71415072f89908e35427f5ba389863202
--- /dev/null
+++ b/virtrust/cmake/deps/libboundscheck.cmake
@@ -0,0 +1,28 @@
+# Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+
+ExternalProject_Add(
+  libboundscheck-src
+  GIT_REPOSITORY https://github.com/openeuler-mirror/libboundscheck
+  GIT_TAG master
+  PREFIX ${CMAKE_DEPS_INSTALL_PREFIX}
+  CONFIGURE_COMMAND ""
+  BUILD_COMMAND ${CMAKE_MAKE_PROGRAM}
+  UPDATE_COMMAND ""
+  INSTALL_COMMAND mkdir -p ${CMAKE_DEPS_INCLUDEDIR}/securec
+  COMMAND cp include/securec.h ${CMAKE_DEPS_INCLUDEDIR}/securec
+  COMMAND cp include/securectype.h ${CMAKE_DEPS_INCLUDEDIR}/securec
+  COMMAND cp lib/libboundscheck${CMAKE_SHARED_LIBRARY_SUFFIX}
+          ${CMAKE_DEPS_LIBDIR}
+  BUILD_IN_SOURCE On
+  EXCLUDE_FROM_ALL true
+  LOG_DOWNLOAD On
+  LOG_CONFIGURE On
+  LOG_BUILD On
+  LOG_INSTALL On)
+
+import_shared_lib_from(libboundscheck libboundscheck-src)
+
+# -----------------------------
+# Alias Target for External Use
+# -----------------------------
+add_library(Deps::secure_c ALIAS libboundscheck)
diff --git a/virtrust/cmake/deps/openssl.cmake b/virtrust/cmake/deps/openssl.cmake
new file mode 100644
index 0000000000000000000000000000000000000000..30624069b7eafce88bfeb2373204d7dbdedcd033
--- /dev/null
+++ b/virtrust/cmake/deps/openssl.cmake
@@ -0,0 +1,34 @@
+# Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+
+ExternalProject_Add(
+  openssl
+  PREFIX ${CMAKE_DEPS_INSTALL_PREFIX}
+  URL https://github.com/openssl/openssl/archive/refs/tags/openssl-3.3.2.tar.gz
+  URL_HASH
+    SHA256=bedbb16955555f99b1a7b1ba90fc97879eb41025081be359ecd6a9fcbdf1c8d2
+  CONFIGURE_COMMAND
+    ./Configure no-legacy no-weak-ssl-ciphers no-tests no-shared no-ui-console
+    no-docs no-apps --banner=Finished --release --libdir=${CMAKE_INSTALL_LIBDIR}
+    --prefix=${CMAKE_DEPS_INSTALL_PREFIX} -w
+  BUILD_COMMAND make build_sw
+  UPDATE_COMMAND ""
+  INSTALL_COMMAND make install_sw
+  BUILD_IN_SOURCE On
+  DOWNLOAD_EXTRACT_TIMESTAMP On
+  BUILD_BYPRODUCTS ${CMAKE_DEPS_LIBDIR}/libcrypto${CMAKE_STATIC_LIBRARY_SUFFIX}
+  BUILD_BYPRODUCTS ${CMAKE_DEPS_LIBDIR}/libssl${CMAKE_STATIC_LIBRARY_SUFFIX}
+  EXCLUDE_FROM_ALL true
+  LOG_DOWNLOAD On
+  LOG_CONFIGURE On
+  LOG_BUILD On
+  LOG_INSTALL On)
+
+import_static_lib_from(libcrypto openssl)
+import_static_lib_from(libssl openssl)
+
+target_link_libraries(libssl INTERFACE libcrypto)
+
+# -----------------------------
+# Alias Target for External Use
+# -----------------------------
+add_library(Deps::openssl ALIAS libssl)
diff --git a/virtrust/cmake/deps/rapidjson.cmake b/virtrust/cmake/deps/rapidjson.cmake
new file mode 100644
index 0000000000000000000000000000000000000000..edb2afee5e7809ae22688f652b43e59dda30a41d
--- /dev/null
+++ b/virtrust/cmake/deps/rapidjson.cmake
@@ -0,0 +1,33 @@
+# Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+
+# HACK compiler flags
+set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wno-error=pragmas")
+set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wno-class-memaccess")
+set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wno-implicit-fallthrough")
+set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wno-template-body")
+
+ExternalProject_Add(
+  rapidjson
+  URL https://github.com/Tencent/rapidjson/archive/refs/tags/v1.1.0.tar.gz
+  URL_HASH
+    SHA256=bf7ced29704a1e696fbccf2a2b4ea068e7774fa37f6d7dd4039d0787f8bed98e
+  CMAKE_ARGS -DCMAKE_INSTALL_PREFIX=${CMAKE_DEPS_INSTALL_PREFIX}
+             -DCMAKE_CXX_FLAGS=${CMAKE_CXX_FLAGS} -DCMAKE_SKIP_RPATH=TRUE
+  PREFIX ${CMAKE_DEPS_INSTALL_PREFIX}
+  UPDATE_COMMAND ""
+  EXCLUDE_FROM_ALL true
+  DOWNLOAD_EXTRACT_TIMESTAMP On
+  LOG_DOWNLOAD On
+  LOG_CONFIGURE On
+  LOG_BUILD On
+  LOG_INSTALL On)
+
+# NOTE rapidjson is a header-only lib
+add_library(librapidjson INTERFACE)
+target_include_directories(librapidjson INTERFACE ${CMAKE_DEPS_INCLUDEDIR})
+add_dependencies(librapidjson rapidjson)
+
+# -----------------------------
+# Alias Target for External Use
+# -----------------------------
+add_library(Deps::rapidjson ALIAS librapidjson)
diff --git a/virtrust/cmake/deps/spdlog.cmake b/virtrust/cmake/deps/spdlog.cmake
new file mode 100644
index 0000000000000000000000000000000000000000..183b87c90a1e06c6e33d0cc14a16a67447facb57
--- /dev/null
+++ b/virtrust/cmake/deps/spdlog.cmake
@@ -0,0 +1,31 @@
+# Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+
+# HACK spdlog installs in lib64
+file(MAKE_DIRECTORY ${CMAKE_DEPS_INSTALL_PREFIX}/lib64)
+
+ExternalProject_Add(
+  spdlog
+  URL https://github.com/gabime/spdlog/archive/refs/tags/v1.14.1.tar.gz
+  URL_HASH
+    SHA256=1586508029a7d0670dfcb2d97575dcdc242d3868a259742b69f100801ab4e16b
+  CMAKE_ARGS -DCMAKE_POSITION_INDEPENDENT_CODE=On
+             -DCMAKE_CXX_STANDARD=17
+             -DCMAKE_C_STANDARD_REQUIRED=Yes
+             -DCMAKE_INSTALL_PREFIX=${CMAKE_DEPS_INSTALL_PREFIX}
+             -DCMAKE_CPP_FLAGS=-isystem\ ${CMAKE_DEPS_INCLUDEDIR}
+  PREFIX ${CMAKE_DEPS_INSTALL_PREFIX}
+  UPDATE_COMMAND ""
+  EXCLUDE_FROM_ALL true
+  DOWNLOAD_EXTRACT_TIMESTAMP On
+  BUILD_BYPRODUCTS ${CMAKE_DEPS_LIBDIR}/libspdlog${CMAKE_STATIC_LIBRARY_SUFFIX}
+  LOG_DOWNLOAD On
+  LOG_CONFIGURE On
+  LOG_BUILD On
+  LOG_INSTALL On)
+
+import_static_lib_from(libspdlog spdlog)
+
+# -----------------------------
+# Alias Target for External Use
+# -----------------------------
+add_library(Deps::spdlog ALIAS libspdlog)
diff --git a/virtrust/format-all.sh b/virtrust/format-all.sh
new file mode 100755
index 0000000000000000000000000000000000000000..bfcbc17c1eddc58d26e1bb39f5185288bcba4524
--- /dev/null
+++ b/virtrust/format-all.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+# Check if clang-format exists
+if ! command -v clang-format &> /dev/null; then
+    echo "clang-format not found"
+    exit 1
+fi
+
+# Check if cmake-format exists
+if ! command -v cmake-format &> /dev/null; then
+    echo "cmake-format not found"
+    exit 1
+fi
+
+# format c/c++ code
+find . -name "*.cpp" -o -name "*.hpp" -o -name "*.h" | xargs clang-format -i
+
+# format cmake code
+find . -name "CMakeLists.txt" -exec cmake-format -i {} \;
diff --git a/virtrust/src/CMakeLists.txt b/virtrust/src/CMakeLists.txt
new file mode 100644
index 0000000000000000000000000000000000000000..85d0ce2afb4191381c37bcf8782c50a920eaa3e0
--- /dev/null
+++ b/virtrust/src/CMakeLists.txt
@@ -0,0 +1,13 @@
+# Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+# api
+add_subdirectory(virtrust)
+
+# cli
+add_subdirectory(virtrust-sh)
+
+# daemon
+add_subdirectory(libvirtrustd)
+
+# mock
+add_subdirectory(mock)
diff --git a/virtrust/src/libvirtrustd/CMakeLists.txt b/virtrust/src/libvirtrustd/CMakeLists.txt
new file mode 100644
index 0000000000000000000000000000000000000000..5d3c4f408bb770e2dd26bf420039844c85fa6336
--- /dev/null
+++ b/virtrust/src/libvirtrustd/CMakeLists.txt
@@ -0,0 +1,11 @@
+# Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+
+# executable
+add_executable(libvirtrustd ${CMAKE_CURRENT_LIST_DIR}/main.cpp
+                            ${CMAKE_CURRENT_LIST_DIR}/utils.cpp)
+
+target_include_directories(
+  libvirtrustd PRIVATE ${CMAKE_DEPS_INCLUDEDIR}
+                       $<BUILD_INTERFACE:${PROJECT_SOURCE_DIR}/src>)
+
+target_link_libraries(libvirtrustd PRIVATE virtrust-shared Deps::rapidjson)
diff --git a/virtrust/src/libvirtrustd/defines.h b/virtrust/src/libvirtrustd/defines.h
new file mode 100644
index 0000000000000000000000000000000000000000..e2ad8a8718fcf62636dfd1909da4271d9eb81abc
--- /dev/null
+++ b/virtrust/src/libvirtrustd/defines.h
@@ -0,0 +1,23 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#pragma once
+
+#include <array>
+#include <cstdint>
+#include <string_view>
+
+namespace virtrust {
+// version
+constexpr std::string_view LIBVIRTRUSTD_VERSION = "1.0.0";
+
+// default values
+constexpr std::string_view LIBVIRTRUSTD_SERVER_ADDR = "127.0.0.1";
+constexpr std::string_view LIBVIRTRUSTD_SERVER_ADDR_MASK = "127.0.0.1/8";
+constexpr std::string_view LIBVIRTRUSTD_CA_PATH = "ca-cert.pem";
+constexpr std::string_view LIBVIRTRUSTD_CERT_PATH = "server-cert.pem";
+constexpr std::string_view LIBVIRTRUSTD_SK_PATH = "server-sk.pem";
+constexpr uint16_t LIBVIRTRUSTD_SERVER_PORT = 10086;
+
+} // namespace virtrust
diff --git a/virtrust/src/libvirtrustd/main.cpp b/virtrust/src/libvirtrustd/main.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..17f70074f62f3280b28082b33296823d4f0d471b
--- /dev/null
+++ b/virtrust/src/libvirtrustd/main.cpp
@@ -0,0 +1,126 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#include <getopt.h>
+#include <unistd.h>
+
+#include <csignal>
+#include <iostream>
+#include <thread>
+
+#include "libvirtrustd/defines.h"
+#include "libvirtrustd/utils.h"
+#include "spdlog/fmt/bundled/core.h"
+
+#include "virtrust/base/logger.h"
+
+namespace virtrust {
+namespace {
+volatile sig_atomic_t g_stopFlag = 0;
+
+void SignalHandler(int signum)
+{
+    VIRTRUST_LOG_INFO("Received signal: {}", signum);
+    if (signum == SIGPIPE) {
+        VIRTRUST_LOG_INFO("SIGPIPE signal received, ignored.");
+
+        return;
+    }
+    g_stopFlag = 1;
+}
+
+void PrintVersion(std::string_view progname)
+{
+    fmt::print("{} version: {}\n", progname, LIBVIRTRUSTD_VERSION);
+}
+
+void PrintUsage(std::string_view progname)
+{
+    fmt::print("\n"
+               "  USAGE:\n"
+               "    {} <args> [options]\n"
+               "\n"
+               "  REQUIRED ARGS:\n"
+               "    --config           path to config file\n"
+               "\n"
+               "  OPTIONS:\n"
+               "    --help             print this help\n"
+               "    --version          show version\n"
+               "\n",
+               progname);
+}
+
+int ProcessArgs(int argc, char **argv)
+{
+    int arg = -1;
+    int longindex = -1;
+    std::vector<option> opt = {
+        {"config", required_argument, nullptr, 'c'},
+        {"help", no_argument, nullptr, 'h'},
+        {"version", no_argument, nullptr, 'v'},
+        {nullptr, 0, nullptr, 0},
+    };
+
+    std::string configPath;
+    // The leading + means no re-ordering, see man page of getopt_long
+    // The ":" after "c" means it has long arguments from cli, and is parsed to
+    // optarg
+    while ((arg = getopt_long(argc, argv, "+c:hv", opt.data(), &longindex)) != -1) {
+        switch (arg) {
+            case 'c':
+                configPath = std::string(optarg);
+                break;
+            case 'v':
+                PrintVersion(argv[0]);
+                return 0; // return with success
+            case 'h':
+                PrintUsage(argv[0]);
+                return 0; // return with success
+            case '?':
+            default:
+                PrintUsage(argv[0]);
+                return 1; // return with failure
+        }
+    }
+
+    if (configPath.empty()) {
+        fmt::print("\n"
+                   "  ERROR: Missing requried config files\n");
+        PrintUsage(argv[0]);
+        return 1; // return with success
+    }
+
+    auto ret = MakeLinkConfigFromJsonFile(configPath);
+    if (ret.has_value()) {
+        // auto server = virtrust::LinkServer(ret.value());
+        // server.Start();
+        // REVIEW
+
+        // hold server until receives stop signal
+        while (g_stopFlag == 0) {
+            std::this_thread::sleep_for(std::chrono::seconds(1));
+        }
+    } else {
+        // make link config failed
+        return 1;
+    }
+    return 0;
+}
+} // namespace
+} // namespace virtrust
+
+int main(int argc, char **argv)
+{
+    // register signal handler
+    signal(SIGINT, virtrust::SignalHandler);
+    signal(SIGTERM, virtrust::SignalHandler);
+    signal(SIGPIPE, virtrust::SignalHandler);
+
+    // Set custom logger function for virtrust
+    virtrust::Logger::Instance()->SetCustomLogFunction([](virtrust::LogLevel level, std::string_view msg) {
+        fmt::print("[{}] {}\n", virtrust::LogLevelToStr(level), msg);
+    });
+
+    return virtrust::ProcessArgs(argc, argv);
+}
diff --git a/virtrust/src/libvirtrustd/utils.cpp b/virtrust/src/libvirtrustd/utils.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..bbf153c13fd3141fa4f540e0ee7c124cd18e194c
--- /dev/null
+++ b/virtrust/src/libvirtrustd/utils.cpp
@@ -0,0 +1,175 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#include <sys/stat.h>
+#include <unistd.h>
+
+#include <filesystem>
+#include <optional>
+
+#include "libvirtrustd/defines.h"
+#include "rapidjson/document.h"
+#include "rapidjson/istreamwrapper.h"
+#include "rapidjson/stringbuffer.h"
+#include "rapidjson/writer.h"
+
+#include "virtrust/link/link_config_builder.h"
+#include "virtrust/utils/file_io.h"
+
+namespace virtrust {
+
+namespace {
+
+constexpr uint32_t MAX_FILE_SIZE = 10 * 1024 * 1024; // 10* 1024 * 1024
+
+std::optional<std::string> CanonicalPath(const std::string &path)
+{
+    if (path.empty() || path.size() > 4096L) {
+        return std::nullopt;
+    }
+
+    /* It will callocate memory to store path*/
+    std::array<char, PATH_MAX> resolvedPath;
+    if (realpath(path.c_str(), resolvedPath.data()) == nullptr) {
+        return std::nullopt;
+    }
+    return resolvedPath.data();
+}
+
+bool IsAbsolutePath(const std::string &filePath)
+{
+    if (filePath.length() == 0) {
+        return false;
+    }
+    if (filePath[0] != '/') {
+        return false;
+    }
+    if (strstr(filePath.c_str(), "/../") != nullptr || strstr(filePath.c_str(), "/./") != nullptr) {
+        return false;
+    }
+    return true;
+}
+
+bool CheckFileAccess(const std::string &path, int mode)
+{
+    return access(path.c_str(), mode) != -1;
+}
+
+bool CheckFileStat(const std::string &filePath)
+{
+    struct stat st;
+    if (stat(filePath.c_str(), &st) != 0) {
+        return false;
+    }
+
+    if ((st.st_mode & S_IFMT) != S_IFREG || (st.st_size > MAX_FILE_SIZE)) {
+        return false;
+    }
+    return true;
+}
+
+bool CheckConfigFile(const std::string &path)
+{
+    if (!IsAbsolutePath(path)) {
+        VIRTRUST_LOG_ERROR("Got relatinve path.");
+        return false;
+    }
+    if (!CheckFileStat(path)) {
+        VIRTRUST_LOG_ERROR("Check path stat failed.");
+        return false;
+    }
+    if (!CheckFileAccess(path, F_OK | R_OK)) {
+        VIRTRUST_LOG_ERROR("File path access is not valid.");
+        return false;
+    }
+    return true;
+}
+
+std::optional<rapidjson::Document> ReadJsonFile(const std::string &path)
+{
+    // canonical path
+    auto realPath = CanonicalPath(path);
+    if (!realPath) {
+        VIRTRUST_LOG_ERROR("Canonical path failed.");
+        return std::nullopt;
+    }
+    // check the validity of path
+    if (!CheckConfigFile(realPath.value())) {
+        VIRTRUST_LOG_ERROR("Read config error. File access check failed: {}", realPath.value());
+        return std::nullopt;
+    }
+
+    // read path into ifstream
+    std::ifstream file(realPath.value());
+    if (!file.is_open()) {
+        VIRTRUST_LOG_ERROR("Read config error. Cannot open file: {}", realPath.value());
+        return std::nullopt;
+    }
+
+    // handle ifstream to rapidjson
+    rapidjson::IStreamWrapper isw(file);
+    rapidjson::Document doc;
+    doc.ParseStream(isw);
+
+    // in case of parse error
+    if (doc.HasParseError()) {
+        VIRTRUST_LOG_ERROR("Read config error. Cannto parse file into json: {}", realPath.value());
+        return std::nullopt;
+    }
+
+    return doc;
+}
+
+template <typename T>
+std::optional<T> FindJsonKey(const rapidjson::Document &jsonDoc, const std::string &key, T defaultValue)
+{
+    if (!jsonDoc.HasMember(key.data())) {
+        VIRTRUST_LOG_WARN("ParseJsonDocToConfig: Failed to find config key:{}, Set it to default value.", key);
+        return std::optional<T>(defaultValue);
+    }
+
+    const auto &value = jsonDoc[key.data()];
+    if constexpr (std::is_same_v<T, std::string>) {
+        return value.IsString() ? std::optional<T>(std::string(value.GetString())) : std::nullopt;
+    } else if constexpr (std::is_same_v<T, uint16_t>) {
+        return value.IsUint() ? std::optional<T>(value.GetUint()) : std::nullopt;
+    } else {
+        return std::nullopt;
+    }
+}
+
+LinkConfig ParseJsonDocToConfig(const rapidjson::Document &jsonDoc)
+{
+    auto configBuidler = LinkConfigBuilder();
+
+#define FIND_KEY(NAME, T, DEFAULT_VALUE)                          \
+    do {                                                          \
+        auto tmp = FindJsonKey<T>(jsonDoc, #NAME, DEFAULT_VALUE); \
+        if (tmp) {                                                \
+            configBuidler.NAME(tmp.value());                      \
+        }                                                         \
+    } while (0)
+
+    FIND_KEY(caPath, std::string, std::string(LIBVIRTRUSTD_SERVER_ADDR));
+    FIND_KEY(certPath, std::string, std::string(LIBVIRTRUSTD_CERT_PATH));
+    FIND_KEY(skPath, std::string, std::string(LIBVIRTRUSTD_SK_PATH));
+    FIND_KEY(ip, std::string, std::string(LIBVIRTRUSTD_SERVER_ADDR));
+    FIND_KEY(ipMask, std::string, std::string(LIBVIRTRUSTD_SERVER_ADDR_MASK));
+    FIND_KEY(port, uint16_t, LIBVIRTRUSTD_SERVER_PORT);
+
+#undef FIND_KEY
+    return configBuidler.Build();
+}
+
+} // namespace
+
+std::optional<LinkConfig> MakeLinkConfigFromJsonFile(const std::string &configPath)
+{
+    auto jsonDoc = ReadJsonFile(configPath);
+    if (!jsonDoc.has_value() || jsonDoc.value().IsNull()) {
+        return std::nullopt;
+    }
+    return ParseJsonDocToConfig(jsonDoc.value());
+}
+} // namespace virtrust
diff --git a/virtrust/src/libvirtrustd/utils.h b/virtrust/src/libvirtrustd/utils.h
new file mode 100644
index 0000000000000000000000000000000000000000..d1c3ed4e3a3dcb2c8fd7a91fb4cc9c0563b84c24
--- /dev/null
+++ b/virtrust/src/libvirtrustd/utils.h
@@ -0,0 +1,14 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#pragma once
+#include <optional>
+
+#include "libvirtrustd/defines.h"
+
+#include "virtrust/link/link_config_builder.h"
+
+namespace virtrust {
+std::optional<LinkConfig> MakeLinkConfigFromJsonFile(const std::string &configPath);
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/mock/CMakeLists.txt b/virtrust/src/mock/CMakeLists.txt
new file mode 100644
index 0000000000000000000000000000000000000000..2ea5af032121819ff317282a6d18322d67b434e5
--- /dev/null
+++ b/virtrust/src/mock/CMakeLists.txt
@@ -0,0 +1,40 @@
+# Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+
+# Note mock/tsb-agent is a sepatate static lib
+
+add_library(
+  mock-tsb-agent OBJECT ${CMAKE_CURRENT_LIST_DIR}/tsb_agent_impl.cpp
+                        ${CMAKE_CURRENT_LIST_DIR}/tsb_agent_adaptor.cpp)
+
+target_include_directories(
+  mock-tsb-agent PRIVATE ${CMAKE_DEPS_INCLUDEDIR}
+                         $<BUILD_INTERFACE:${PROJECT_SOURCE_DIR}/src>)
+
+target_link_libraries(mock-tsb-agent PRIVATE Deps::spdlog boundscheck)
+
+# NOTE Make sure targets are linekd to mock-tsb-agent
+
+target_link_libraries(virtrust-obj PRIVATE mock-tsb-agent)
+target_link_libraries(virtrust-shared PRIVATE mock-tsb-agent)
+
+# add mock tsb-agent test
+
+# if(BUILD_TEST) add_executable(tsb_agent_test tsb_agent_test.cpp)
+# target_link_libraries(tsb_agent_test PRIVATE mock-tsb-agent Deps::gtest)
+# target_include_directories( tsb_agent_test PRIVATE ${CMAKE_DEPS_INCLUDEDIR}
+# $<BUILD_INTERFACE:${PROJECT_SOURCE_DIR}/src>)
+
+# add_test(NAME tsb_agent_test COMMAND tsb_agent_test) set_tests_properties(
+# tsb_agent_test PROPERTIES ENVIRONMENT
+# "LD_LIBRARY_PATH=${CMAKE_LIBRARY_OUTPUT_DIRECTORY}:$ENV{LD_LIBRARY_PATH}")
+
+# add_executable(tsb_agent_itf_test tsb_agent_itf_test.cpp)
+# target_link_libraries(tsb_agent_itf_test PRIVATE mock-tsb-agent Deps::gtest)
+# target_include_directories( tsb_agent_itf_test PRIVATE
+# ${CMAKE_DEPS_INCLUDEDIR} $<BUILD_INTERFACE:${PROJECT_SOURCE_DIR}/src>)
+
+# add_test(NAME tsb_agent_itf_test COMMAND tsb_agent_itf_test)
+# set_tests_properties( tsb_agent_itf_test PROPERTIES ENVIRONMENT
+# "LD_LIBRARY_PATH=${CMAKE_LIBRARY_OUTPUT_DIRECTORY}:$ENV{LD_LIBRARY_PATH}")
+
+# endif()
diff --git a/virtrust/src/mock/tsb_agent_adaptor.cpp b/virtrust/src/mock/tsb_agent_adaptor.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..dc76c9b6ebbcf7773532c89c9368511adcbd6ca9
--- /dev/null
+++ b/virtrust/src/mock/tsb_agent_adaptor.cpp
@@ -0,0 +1,117 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#include "mock/tsb_agent_impl.h"
+#include "mock/tsb_agent_itf.h"
+
+using namespace virtrust::mock;
+
+namespace {
+int ParseTsbAgentRc(TsbAgentRc rc)
+{
+    switch (rc) {
+        case TsbAgentRc::OK:
+            return 0;
+        case TsbAgentRc::ERROR:
+            return -1;
+
+        default:
+            return -1;
+    }
+}
+} // namespace
+
+// NOTE ALL memories are allocated inside APIs by using "mallloc", remeber to
+// free the pointer after use.
+
+int GetVRoots(int *vtpcmNums, struct Description **vtpcmInfo)
+{
+    auto &tsbAgent = TsbAgentImpl::GetInstance();
+
+    auto instances = tsbAgent.GetVRoots(); // get virt roots from mock tsb agent
+    *vtpcmNums = static_cast<int>(instances.size());
+
+    // 分配内存
+    if (*vtpcmNums > 0) {
+        return 0;
+    }
+
+    *vtpcmInfo = static_cast<Description *>(malloc(*vtpcmNums * sizeof(Description)));
+
+    // 将 instances 中的数据复制到 *vtpcmInfo中
+    for (int i = 0; i < *vtpcmNums; i++) {
+        (*vtpcmInfo)[i] = instances[i];
+    }
+
+    return 0; // success
+}
+
+int CreateVRoot(struct Description *vtpcmInfo)
+{
+    auto &tsbAgent = TsbAgentImpl::GetInstance();
+    return ParseTsbAgentRc(tsbAgent.CreateVRoot(vtpcmInfo->uuid, vtpcmInfo->name));
+}
+
+int StartVRoot(char *uuid)
+{
+    auto &tsbAgent = TsbAgentImpl::GetInstance();
+    return ParseTsbAgentRc(tsbAgent.StartVRoot(uuid));
+}
+
+int StopVRoot(char *uuid)
+{
+    auto &tsbAgent = TsbAgentImpl::GetInstance();
+    return ParseTsbAgentRc(tsbAgent.StopVRoot(uuid));
+}
+
+int RemoveVRoot(char *uuid)
+{
+    auto &tsbAgent = TsbAgentImpl::GetInstance();
+    return ParseTsbAgentRc(tsbAgent.RemoveVRoot(uuid));
+}
+
+int UpdateMeasure(char *uuid, struct MeasureInfo *bios, struct MeasureInfo *shim, struct MeasureInfo *grub,
+                  struct MeasureInfo *grubCfg, struct MeasureInfo *kernel, struct MeasureInfo *initrd)
+{
+    auto &tsbAgent = TsbAgentImpl::GetInstance();
+    return ParseTsbAgentRc(tsbAgent.UpdateMeasure(uuid, *bios, *shim, *grub, *grubCfg, *kernel, *initrd));
+}
+
+int CheckMeasure(char *uuid, struct MeasureInfo *bios, struct MeasureInfo *shim, struct MeasureInfo *grub,
+                 struct MeasureInfo *grubCfg, struct MeasureInfo *kernel, struct MeasureInfo *initrd)
+{
+    auto &tsbAgent = TsbAgentImpl::GetInstance();
+    return ParseTsbAgentRc(tsbAgent.CheckMeasure(uuid, *bios, *shim, *grub, *grubCfg, *kernel, *initrd));
+}
+
+// 迁移接口
+int GetReport(char *pUuid, char *vUuid, struct trust_report_new *hostreport, struct trust_report_new *vmreport)
+{
+    return 0;
+}
+
+int MigrationGetCert(char *pUuid, char *vUuid, char *cert, char *pubkey)
+{
+    return 0;
+}
+
+int MigrationCheckPeerPk(char *pUuid, char *vUuid, char *pk1, char *pk2)
+{
+    return 0;
+}
+
+int MigrationGetVrootCipher(char *pUuid, char *vUuid, char **cipher)
+{
+    return 0;
+}
+
+int MigrationImportVrootCipher(char *pUuid, char *vUuid, char *cipher)
+{
+    return 0;
+}
+
+int MigrationNotify(char *pUuid, char *vUuid, int status)
+{
+    return 0;
+}
diff --git a/virtrust/src/mock/tsb_agent_impl.cpp b/virtrust/src/mock/tsb_agent_impl.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..d73a616ad7166d70d6194dae9a32f96953661354
--- /dev/null
+++ b/virtrust/src/mock/tsb_agent_impl.cpp
@@ -0,0 +1,284 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#include "mock/tsb_agent_impl.h"
+
+#include <algorithm>
+#include <fstream>
+#include <iostream>
+#include <sstream>
+#include <string_view>
+#include <vector>
+
+#include "spdlog/spdlog.h"
+
+namespace virtrust::mock {
+namespace {
+constexpr std::string_view TSB_AGENT_FILE_SEP = ",";
+constexpr uint32_t SM3_OUTPUT_BYTES = 32;
+constexpr std::string_view DEFAULT_VERSION = "v1.0";
+
+void StrSplit(std::string_view src, std::string_view sep, std::vector<std::string> &out)
+{
+    if (sep.empty() || src.empty()) {
+        return;
+    }
+    std::string::size_type pos1 = 0;
+    std::string::size_type pos2 = src.find(sep);
+
+    while (std::string::npos != pos2) {
+        out.emplace_back(src.substr(pos1, pos2 - pos1));
+        pos1 = pos2 + sep.size();
+        pos2 = src.find(sep, pos1);
+    }
+
+    if (pos1 != src.size()) {
+        out.emplace_back(src.substr(pos1));
+    }
+}
+
+template <size_t T> std::string ToStr(std::array<char, T> data)
+{
+    // HACK automatically convert char array to string depending on \0
+    // must ensure that the input char array has an ending poing
+    return data.data();
+}
+
+template <size_t T> std::array<char, T> FromStr(const std::string &in)
+{
+    if (in.size() + 1 > T) {
+        return {};
+    }
+    std::array<char, T> out;
+    // copy with extra '\0
+    memcpy_s(out.data(), out.size(), in.data(), in.size() + 1);
+    return out;
+}
+
+template <size_t T> std::string ToHexStr(std::array<char, T> data)
+{
+    std::stringstream sstream;
+    sstream << std::hex;
+    for (size_t i = 0; i < T; i++) {
+        sstream << static_cast<int>(data[i]);
+    }
+    return sstream.str();
+}
+
+template <size_t T> std::array<char, T> FromHexStr(const std::string &in)
+{
+    if (in.size() != T * 2) {
+        return {};
+    }
+
+    std::array<char, T> out;
+    for (size_t i = 0; i < T; i++) {
+        std::string byteString = in.substr(i * 2, 2);
+        auto byteValue = static_cast<uint8_t>(std::stoul(byteString, nullptr, 16));
+        out[i] = byteValue;
+    }
+    return out;
+}
+
+void SaveVRootsToFile(const std::string &file, const std::unordered_map<std::string, std::unique_ptr<VRoot>> &map)
+{
+    std::ofstream f(file);
+    if (f.is_open()) {
+        // encode line format
+        for (const auto &item : map) {
+            f << ToStr(item.second->GetData().uuid) << TSB_AGENT_FILE_SEP;                   // uuid
+            f << static_cast<uint32_t>(item.second->GetData().status) << TSB_AGENT_FILE_SEP; // status        }
+            f << ToStr(item.second->GetData().version) << TSB_AGENT_FILE_SEP;                // version
+            f << ToStr(item.second->GetData().name) << TSB_AGENT_FILE_SEP;                   // name
+            f << ToHexStr(item.second->GetData().bios) << TSB_AGENT_FILE_SEP;                // bios
+            f << ToHexStr(item.second->GetData().shim) << TSB_AGENT_FILE_SEP;                // shim
+            f << ToHexStr(item.second->GetData().grub) << TSB_AGENT_FILE_SEP;                // grub
+            f << ToHexStr(item.second->GetData().grubCfg) << TSB_AGENT_FILE_SEP;             // grubCfg
+            f << ToHexStr(item.second->GetData().kernel) << TSB_AGENT_FILE_SEP;              // kernel
+            f << ToHexStr(item.second->GetData().initrd) << TSB_AGENT_FILE_SEP;              // initrd
+            f << std::endl;
+        }
+        f.close();
+    }
+}
+
+std::unordered_map<std::string, std::unique_ptr<VRoot>> LoadVRootsFromFile(const std::string &file)
+{
+    // placeholder
+    std::unordered_map<std::string, std::unique_ptr<VRoot>> map;
+    std::ifstream f(file);
+    std::string line;
+    if (f.is_open()) {
+        while (getline(f, line)) {
+            // decode line format
+            std::vector<std::string> lineVec;
+            StrSplit(line, TSB_AGENT_FILE_SEP, lineVec);
+            // decode descriptions
+            VRootData data;
+            data.uuid = FromStr<VROOT_VM_UUID_MAX_LEN>(lineVec[0]);                // uuid
+            data.status = static_cast<VRootStatus>(std::atoi(lineVec[1].c_str())); // status
+            data.version = FromStr<VROOT_VERSION_LEN>(lineVec[2]);                 // version
+            data.name = FromStr<VROOT_VM_NAME_MAX_LEN>(lineVec[3]);                // name
+            data.bios = FromHexStr<VROOT_SM3_OUTPUT_BYTES>(lineVec[4]);            // bios
+            data.shim = FromHexStr<VROOT_SM3_OUTPUT_BYTES>(lineVec[5]);            // shim
+            data.grub = FromHexStr<VROOT_SM3_OUTPUT_BYTES>(lineVec[6]);            // grub
+            data.grubCfg = FromHexStr<VROOT_SM3_OUTPUT_BYTES>(lineVec[7]);         // grubCfg
+            data.kernel = FromHexStr<VROOT_SM3_OUTPUT_BYTES>(lineVec[8]);          // kernel
+            data.initrd = FromHexStr<VROOT_SM3_OUTPUT_BYTES>(lineVec[9]);          // initrd
+
+            // status are implicitly coverted to
+            map.emplace(lineVec[0] /*uuid*/, std::make_unique<VRoot>(data));
+        }
+        f.close();
+    }
+    return map;
+}
+} // namespace
+
+std::vector<Description> TsbAgentImpl::GetVRoots()
+{
+    vRootMap_ = LoadVRootsFromFile(storageFilePath_.c_str());
+    std::vector<Description> out;
+    out.reserve(vRootMap_.size());
+    for (const auto &vroot : vRootMap_) {
+        out.push_back(vroot.second->GetDescription());
+    }
+    return out;
+}
+
+TsbAgentRc TsbAgentImpl::CreateVRoot(const std::string &uuid, const std::string &name)
+{
+    vRootMap_ = LoadVRootsFromFile(storageFilePath_.c_str());
+    if (vRootMap_.find(uuid) != vRootMap_.end()) {
+        SPDLOG_ERROR("[MOCK-TSB-AGENT] uuid already exist");
+        return TsbAgentRc::ERROR;
+    }
+
+    if (std::find_if(vRootMap_.begin(), vRootMap_.end(), [name](const auto &root) {
+            return name == root.second->GetDescription().name;
+        }) != vRootMap_.end()) {
+        SPDLOG_ERROR("[MOCK-TSB-AGENT] uuid already exist");
+        return TsbAgentRc::ERROR;
+    }
+
+    VRootData desc;
+    if (memcpy_s(desc.uuid.data(), desc.uuid.size(), uuid.data(), uuid.size()) != EOK) {
+        SPDLOG_ERROR("[MOCK-TSB-AGENT] copy uuid failed");
+
+        return TsbAgentRc::ERROR;
+    }
+    desc.uuid[uuid.size()] = '\0';
+
+    if (memcpy_s(desc.name.data(), desc.name.size(), name.data(), name.size()) != EOK) {
+        SPDLOG_ERROR("[MOCK-TSB-AGENT] copy name failed");
+        return TsbAgentRc::ERROR;
+    }
+    desc.name[name.size()] = '\0';
+
+    if (memcpy_s(desc.version.data(), desc.version.size(), DEFAULT_VERSION.data(), DEFAULT_VERSION.size()) != EOK) {
+        SPDLOG_ERROR("[MOCK-TSB-AGENT] copy version failed");
+        return TsbAgentRc::ERROR;
+    }
+    desc.version[DEFAULT_VERSION.size()] = '\0';
+
+    vRootMap_.emplace(uuid, std::make_unique<VRoot>(desc));
+    SaveVRootsToFile(storageFilePath_.c_str(), vRootMap_);
+    return TsbAgentRc::OK;
+}
+
+TsbAgentRc TsbAgentImpl::StopVRoot(const std::string &uuid)
+{
+    vRootMap_ = LoadVRootsFromFile(storageFilePath_.c_str());
+    if (vRootMap_.find(uuid) == vRootMap_.end()) {
+        SPDLOG_ERROR("[MOCK-TSB-AGENT] Cannot find uuid: {}", uuid);
+        return TsbAgentRc::ERROR;
+    }
+    if (vRootMap_[uuid]->GetData().status != VRootStatus::RUNNING) {
+        SPDLOG_ERROR("[MOCK-TSB-AGENT] uuid:{} status not RUNNING", uuid);
+        return TsbAgentRc::ERROR;
+    }
+    vRootMap_[uuid]->GetDataRef().status = VRootStatus::OFF;
+    SaveVRootsToFile(storageFilePath_, vRootMap_);
+    return TsbAgentRc::OK;
+}
+
+TsbAgentRc TsbAgentImpl::StartVRoot(const std::string &uuid)
+{
+    vRootMap_ = LoadVRootsFromFile(storageFilePath_.c_str());
+    if (vRootMap_.find(uuid) == vRootMap_.end()) {
+        SPDLOG_ERROR("[MOCK-TSB-AGENT] Cannot find uuid: {}", uuid);
+
+        return TsbAgentRc::ERROR;
+    }
+    if (vRootMap_[uuid]->GetDataRef().status != VRootStatus::OFF) {
+        SPDLOG_ERROR("[MOCK-TSB-AGENT] uuid:{} status not OFF", uuid);
+
+        return TsbAgentRc::ERROR;
+    }
+    vRootMap_[uuid]->GetDataRef().status = VRootStatus::RUNNING;
+    SaveVRootsToFile(storageFilePath_, vRootMap_);
+    return TsbAgentRc::OK;
+}
+
+TsbAgentRc TsbAgentImpl::RemoveVRoot(const std::string &uuid)
+{
+    vRootMap_ = LoadVRootsFromFile(storageFilePath_.c_str());
+    if (vRootMap_.find(uuid) == vRootMap_.end()) {
+        SPDLOG_ERROR("[MOCK-TSB-AGENT] uuid:{} not found", uuid);
+        return TsbAgentRc::ERROR;
+    }
+    vRootMap_.erase(uuid);
+    SaveVRootsToFile(storageFilePath_, vRootMap_);
+    return TsbAgentRc::OK;
+}
+
+TsbAgentRc TsbAgentImpl::UpdateMeasure(const std::string &uuid, MeasureInfo bios, MeasureInfo shim, MeasureInfo grub,
+                                       MeasureInfo grubCfg, MeasureInfo kernel, MeasureInfo initrd)
+{
+    vRootMap_ = LoadVRootsFromFile(storageFilePath_.c_str());
+    if (vRootMap_.find(uuid) == vRootMap_.end()) {
+        SPDLOG_ERROR("[MOCK-TSB-AGENT] uuid:{} not found", uuid);
+        return TsbAgentRc::ERROR;
+    }
+    // REVIEW
+    SaveVRootsToFile(storageFilePath_, vRootMap_);
+    return TsbAgentRc::OK;
+}
+
+TsbAgentRc TsbAgentImpl::CheckMeasure(const std::string &uuid, MeasureInfo bios, MeasureInfo shim, MeasureInfo grub,
+                                      MeasureInfo grubCfg, MeasureInfo kernel, MeasureInfo initrd)
+{
+    vRootMap_ = LoadVRootsFromFile(storageFilePath_.c_str());
+    if (vRootMap_.find(uuid) == vRootMap_.end()) {
+        SPDLOG_ERROR("[MOCK-TSB-AGENT] uuid:{} not found", uuid);
+        return TsbAgentRc::ERROR;
+    }
+    // REVIEW
+    SaveVRootsToFile(storageFilePath_, vRootMap_);
+    return TsbAgentRc::OK;
+}
+
+TsbAgentRc TsbAgentImpl::GetReport(const std::string &uuid)
+{
+    vRootMap_ = LoadVRootsFromFile(storageFilePath_.c_str());
+    if (vRootMap_.find(uuid) == vRootMap_.end()) {
+        SPDLOG_ERROR("[MOCK-TSB-AGENT] uuid:{} not found", uuid);
+        return TsbAgentRc::ERROR; // uuid does not exist
+    }
+
+    return TsbAgentRc::OK; // always true
+}
+
+TsbAgentRc TsbAgentImpl::Migration1GetRandPk(const std::string &uuid)
+{
+    vRootMap_ = LoadVRootsFromFile(storageFilePath_.c_str());
+    if (vRootMap_.find(uuid) == vRootMap_.end()) {
+        SPDLOG_ERROR("[MOCK-TSB-AGENT] uuid:{} not found", uuid);
+        return TsbAgentRc::ERROR; // uuid does not exist
+    }
+
+    return TsbAgentRc::OK; // always true
+}
+
+} // namespace virtrust::mock
diff --git a/virtrust/src/mock/tsb_agent_impl.h b/virtrust/src/mock/tsb_agent_impl.h
new file mode 100644
index 0000000000000000000000000000000000000000..9c1063bc3fa8d9581246605d82a1d45022e39b5b
--- /dev/null
+++ b/virtrust/src/mock/tsb_agent_impl.h
@@ -0,0 +1,93 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#pragma once
+
+#ifndef USE_MOCK_TSB_AGENT
+#error "USE_MOCK_TSB_AGENT is not defined. Please define it if your want to use mock TSB agent."
+#else
+
+#include <cstdint>
+#include <filesystem>
+#include <memory>
+#include <string>
+#include <unordered_map>
+#include <utility>
+
+#include "mock/tsb_agent_itf.h"
+#include "mock/v_root.h"
+#include <securec.h>
+#include "spdlog/spdlog.h"
+
+namespace virtrust::mock {
+constexpr std::string_view STORAGE_FILENAME = "mock-tsb-agent.save";
+
+enum class TsbAgentRc {
+    OK,
+    ERROR
+};
+
+class TsbAgentImpl {
+public:
+    // Destructor
+    ~TsbAgentImpl() = default;
+
+    TsbAgentImpl(const TsbAgentImpl &) = delete;
+
+    TsbAgentImpl &operator=(const TsbAgentImpl &) = delete;
+
+    // Get singleton isntance
+    static TsbAgentImpl &GetInstance()
+    {
+        static TsbAgentImpl instance;
+        return instance;
+    }
+
+    std::string GetPath()
+    {
+        return storageFilePath_.c_str();
+    }
+
+    // Lifetime management
+
+    std::vector<Description> GetVRoots();
+
+    TsbAgentRc CreateVRoot(const std::string &uuid, const std::string &name);
+
+    TsbAgentRc StartVRoot(const std::string &uuid);
+
+    TsbAgentRc StopVRoot(const std::string &uuid);
+
+    TsbAgentRc RemoveVRoot(const std::string &uuid);
+
+    // Update measure values
+    TsbAgentRc UpdateMeasure(const std::string &uuid, MeasureInfo bios, MeasureInfo shim, MeasureInfo grub,
+                             MeasureInfo grubCfg, MeasureInfo kernel, MeasureInfo initrd);
+
+    TsbAgentRc CheckMeasure(const std::string &uuid, MeasureInfo bios, MeasureInfo shim, MeasureInfo grub,
+                            MeasureInfo grubCfg, MeasureInfo kernel, MeasureInfo initrd);
+
+    // Migration
+
+    TsbAgentRc GetReport(const std::string &uuid);
+    TsbAgentRc Migration1GetRandPk(const std::string &uuid);
+    TsbAgentRc Migration2CheckPeerPk();
+    TsbAgentRc Migration3GetVRootCipher();
+    TsbAgentRc Migration4ImportVRootCipher();
+
+    TsbAgentRc MigrationNotify();
+
+private:
+    TsbAgentImpl() = default;
+    std::unordered_map<std::string, std::unique_ptr<VRoot>> vRootMap_;
+
+    // REVIEW migration data
+    std::vector<char> pk_;
+
+    // default to current location
+    std::filesystem::path storageFilePath_ = std::filesystem::current_path() / STORAGE_FILENAME;
+};
+} // namespace virtrust::mock
+
+#endif
diff --git a/virtrust/src/mock/tsb_agent_itf.h b/virtrust/src/mock/tsb_agent_itf.h
new file mode 100644
index 0000000000000000000000000000000000000000..1ef85b53e6ad90f54a320fa4bf864ec3cbf988b8
--- /dev/null
+++ b/virtrust/src/mock/tsb_agent_itf.h
@@ -0,0 +1,65 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#pragma once
+
+struct Description {
+    int state = 0;  // 启动，挂起等状态
+    char name[255]; // 名称，创建时有hw设置
+    char uuid[37];  // 虚拟机的uuid
+};
+
+struct MeasureInfo {
+    char name[255];   // 度量阶段名称(例如 bios, grub...)
+    char uuid[37];    // 虚拟机的uuid
+    char version[64]; // 度量阶段的版本号: 1.1.0
+    int result;       // 度量结果
+    int size;         // content的长度
+    char content[0];  // 如果size是32,content是哈希, 如果size不等于32,
+                      // content是度量对象的原文数据
+};
+
+// NOTE All memories are allocated by using "malloc", remeber to free them after
+// use.
+
+int GetVRoots(int *vtpcmNums, struct Description **vtpcmInfo);
+
+int CreateVRoot(struct Description *vtpcmInfo);
+
+int StartVRoot(char *uuid);
+
+int StopVRoot(char *uuid);
+
+int RemoveVRoot(char *uuid);
+
+int UpdateMeasure(char *uuid, struct MeasureInfo *bios, struct MeasureInfo *shim, struct MeasureInfo *grub,
+                  struct MeasureInfo *grubCfg, struct MeasureInfo *kernel, struct MeasureInfo *initrd);
+
+int CheckMeasure(char *uuid, struct MeasureInfo *bios, struct MeasureInfo *shim, struct MeasureInfo *grub,
+                 struct MeasureInfo *grubCfg, struct MeasureInfo *kernel, struct MeasureInfo *initrd);
+
+// 迁移接口
+int GetReport(char *pUuid, // 物理机的uuid
+              char *vUuid, // 虚拟机的uuid
+              struct trust_report_new *hostreport, struct trust_report_new *vmreport);
+
+int MigrationGetCert(char *pUuid, // 物理机的uuid
+                     char *vUuid, // 虚拟机的uuid
+                     char *cert, char *pubkey);
+
+int MigrationCheckPeerPk(char *pUuid, // 物理机的uuid
+                         char *vUuid, // 虚拟机的uuid
+                         char *pk1, char *pk2);
+
+int MigrationGetVrootCipher(char *pUuid, // 物理机的uuid
+                            char *vUuid, // 虚拟机的uuid
+                            char **cipher);
+
+int MigrationImportVrootCipher(char *pUuid, // 物理机的uuid
+                               char *vUuid, // 虚拟机的uuid
+                               char *cipher);
+
+int MigrationNotify(char *pUuid, // 物理机的uuid
+                    char *vUuid, // 虚拟机的uuid
+                    int status);
diff --git a/virtrust/src/mock/v_root.h b/virtrust/src/mock/v_root.h
new file mode 100644
index 0000000000000000000000000000000000000000..572480c8d397510316ad8ad7f8a1d5447582a2f2
--- /dev/null
+++ b/virtrust/src/mock/v_root.h
@@ -0,0 +1,77 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#pragma once
+
+#include <array>
+#include <cstdint>
+#include <string>
+#include <utility>
+#include <vector>
+
+#include "mock/tsb_agent_itf.h"
+#include <securec.h>
+
+namespace virtrust::mock {
+
+constexpr uint32_t VROOT_VM_NAME_MAX_LEN = 256; // with extra \0
+constexpr uint32_t VROOT_VM_UUID_MAX_LEN = 37;  // with extra \0
+constexpr uint32_t VROOT_SM3_OUTPUT_BYTES = 32;
+constexpr uint32_t VROOT_VERSION_LEN = 64;
+
+// the status of virtual root
+enum class VRootStatus : uint32_t {
+    OFF,
+    RUNNING,
+};
+
+// the virtual root internal status
+struct VRootData {
+    std::array<char, VROOT_VM_UUID_MAX_LEN> uuid = {};     // uuid (string)
+    VRootStatus status = VRootStatus::OFF;                 // status (string)
+    std::array<char, VROOT_VERSION_LEN> version = {};      // version (string)
+    std::array<char, VROOT_VM_NAME_MAX_LEN> name = {};     // name (string)
+    std::array<char, VROOT_SM3_OUTPUT_BYTES> bios = {};    // sm3 (bytes)
+    std::array<char, VROOT_SM3_OUTPUT_BYTES> shim = {};    // sm3 (bytes)
+    std::array<char, VROOT_SM3_OUTPUT_BYTES> grub = {};    // sm3 (bytes)
+    std::array<char, VROOT_SM3_OUTPUT_BYTES> grubCfg = {}; // sm3 (bytes)
+    std::array<char, VROOT_SM3_OUTPUT_BYTES> kernel = {};  // sm3 (bytes)
+    std::array<char, VROOT_SM3_OUTPUT_BYTES> initrd = {};  // sm3 (bytes)
+};
+
+// Virtual Root
+class VRoot {
+public:
+    // Constructor and Destructor
+    VRoot() = default;
+    ~VRoot() = default;
+
+    explicit VRoot(VRootData data) : data_(data)
+    {}
+
+    VRootData GetData() const
+    {
+        return data_;
+    }
+
+    VRootData &GetDataRef()
+    {
+        return data_;
+    }
+
+    Description GetDescription()
+    {
+        Description out;
+        out.state = static_cast<int>(data_.status);
+        memcpy_s(out.name, VROOT_VM_NAME_MAX_LEN, data_.name.data(), data_.name.size());
+        memcpy_s(out.uuid, VROOT_VM_UUID_MAX_LEN, data_.uuid.data(), data_.uuid.size());
+        return out;
+    }
+
+private:
+    // NOTE Since this is a mock, no need for encapsulation
+    VRootData data_;
+};
+
+} // namespace virtrust::mock
diff --git a/virtrust/src/virtrust-sh/CMakeLists.txt b/virtrust/src/virtrust-sh/CMakeLists.txt
new file mode 100644
index 0000000000000000000000000000000000000000..6e69396d2d7961b68385cc2d100f214717d7330b
--- /dev/null
+++ b/virtrust/src/virtrust-sh/CMakeLists.txt
@@ -0,0 +1,30 @@
+# Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+add_library(virtrust-sh-obj OBJECT)
+
+set(VIRTRUST_SH_SOURCE_FILES "")
+
+add_subdirectory(operator)
+
+target_sources(virtrust-sh-obj PRIVATE ${VIRTRUST_SH_SOURCE_FILES})
+
+target_include_directories(
+  virtrust-sh-obj PRIVATE $<BUILD_INTERFACE:${PROJECT_SOURCE_DIR}/src>
+                          ${CMAKE_DEPS_INCLUDEDIR})
+
+target_link_libraries(virtrust-sh-obj PRIVATE virtrust-shared)
+
+# ----------------
+# Final Executable
+# ----------------
+
+add_executable(virtrust-sh ${CMAKE_CURRENT_LIST_DIR}/main.cpp)
+
+target_include_directories(
+  virtrust-sh PRIVATE $<BUILD_INTERFACE:${PROJECT_SOURCE_DIR}/src>
+                      ${CMAKE_DEPS_INCLUDEDIR})
+
+target_link_libraries(virtrust-sh PRIVATE virtrust-sh-obj virtrust-shared)
+
+install(TARGETS virtrust-sh RUNTIME DESTINATION bin PERMISSIONS OWNER_READ
+                                                                OWNER_EXECUTE)
diff --git a/virtrust/src/virtrust-sh/defines.h b/virtrust/src/virtrust-sh/defines.h
new file mode 100644
index 0000000000000000000000000000000000000000..b2351e1fadd2796e89b4ed15f3688293238afdf6
--- /dev/null
+++ b/virtrust/src/virtrust-sh/defines.h
@@ -0,0 +1,12 @@
+// Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+#pragma once
+
+#include <string_view>
+
+namespace virtrust {
+constexpr std::string_view VIRTRUST_SH_VERSION = "1.0.0";
+constexpr std::string_view VIRTRUST_SH_VIRT_INSTALL_PATH = "/usr/bin/virt-install";
+constexpr std::string_view VIRTRUST_SH_LOGFILE_NAME = "virtrust.log";
+constexpr int VIRTRUST_SH_CMD_STR_MAX_LEN = 1024;
+} // namespace virtrust
diff --git a/virtrust/src/virtrust-sh/main.cpp b/virtrust/src/virtrust-sh/main.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..2170eed35b91bc333b0945cf2341d012b0f9f49b
--- /dev/null
+++ b/virtrust/src/virtrust-sh/main.cpp
@@ -0,0 +1,164 @@
+// Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+#include <getopt.h>
+#include <unistd.h>
+
+#include <array>
+#include <cstring>
+#include <filesystem>
+#include <string>
+#include <string_view>
+
+#include "spdlog/fmt/fmt.h"
+
+#include "virtrust-sh/defines.h"
+#include "virtrust-sh/operator/op_itf.h"
+#include "virtrust/base/custom_logger.h"
+#include "virtrust/base/logger.h"
+
+namespace {
+
+std::string GetLogPath()
+{
+    return std::filesystem::current_path() / virtrust::VIRTRUST_SH_LOGFILE_NAME;
+}
+
+void PrintVersion(std::string_view progname)
+{
+    fmt::print("{} version: {}\n", progname, virtrust::VIRTRUST_SH_VERSION);
+}
+
+void PrintUsage(std::string_view progname)
+{
+    fmt::print("\n"
+               "  USAGE:\n"
+               "    {} [options]... [<command_string>]\n"
+               "    {} [options]... <command> [args...]\n"
+               "\n"
+               "  OPTIONS:\n"
+               "    -c | --connect=URI             hypervisor connection URI, "
+               "default to {}\n"
+               "    -d | --debug                   run in debug mode\n"
+               "    -h | --help                    print this help\n"
+               "    -v | --version                 show verion\n"
+               "\n"
+               "  COMMANDS:\n"
+               "    create                         create virtual machine instance\n"
+               "    destroy                        destroy (stop) a domain\n"
+               "    list                           list domain information\n"
+               "    migrate                        migrate domain to another host\n"
+               "    start                          start a (previously define) inactive "
+               "domain\n"
+               "    undefine                       undefine a domain\n"
+               "\n",
+               progname, progname, virtrust::VIRTRUST_DEFAULT_URI);
+}
+
+int ProcessOp(int argc, char **argv, const virtrust::OpConfig &config)
+{
+    auto op = virtrust::MakeOperator(virtrust::OpTyFromStr(argv[optind]));
+    if (op == nullptr) {
+        fmt::print(":\nInvalid command: {}\n", argv[optind]);
+        PrintUsage(argv[0]);
+        return 1;
+    }
+
+    // Setup config
+    op->SetConfig(config);
+
+    // Parse subcommand
+    auto rc = op->ParseArgv(argc - optind, &argv[optind]);
+    if (rc != virtrust::OpRc::OK) {
+        return 1;
+    }
+
+    // Execute subcommand, if enabled
+    if (op->GetConfig().enableExec) {
+        rc = op->Exec();
+        if (rc != virtrust::OpRc::OK) {
+            fmt::print("\nCommand execution failed.\nSee log at: {}\n", GetLogPath());
+            return 1;
+        }
+    }
+    fmt::print("\nCommand execution succeed.\nSee log at: {}\n", GetLogPath());
+    return 0;
+}
+
+int ProcessArgs(int argc, char **argv)
+{
+    int arg = -1;
+    int longindex = -1;
+    std::vector<option> opt = {{"connect", required_argument, nullptr, 'c'},
+                               {"debug", no_argument, nullptr, 'd'},
+                               {"help", no_argument, nullptr, 'h'},
+                               {"version", no_argument, nullptr, 'v'},
+                               {nullptr, 0, nullptr, 0}};
+
+    virtrust::OpConfig op_config = {}; // default init
+
+    // The leading + means no re-ordering, see man page of getopt_long
+    while ((arg = getopt_long(argc, argv, "+c:dhv", opt.data(), &longindex)) != -1) {
+        switch (arg) {
+            case 'c':
+                op_config.uri = optarg;
+                break;
+            case 'd':
+                virtrust::Logger::Instance()->SetDisplayLogLevel(virtrust::LogLevel::DEBUG);
+                break;
+            case 'v':
+                PrintVersion(argv[0]);
+                optind = argc; // stop parsing
+                return 0;      // success
+            case 'h':
+                PrintUsage(argv[0]);
+                optind = argc; // stop parsing
+                return 0;      // success
+            case '?':
+                PrintUsage(argv[0]);
+                optind = argc; // stop parsing
+                return 1;      // fail
+            default:
+                PrintUsage(argv[0]);
+                return 1; // fail
+        }
+    }
+
+    if (argc == optind) {
+        PrintUsage(argv[0]);
+        return 1; // fail
+    } else {
+        return ProcessOp(argc, argv, op_config);
+    }
+}
+
+} // namespace
+
+int main(int argc, char *argv[])
+{
+    // Check input parameters
+    if (argv[0] == nullptr || strlen(argv[0]) > PATH_MAX) {
+        fmt::print("Invalid program name length, exit with failure\n");
+        return 1;
+    }
+
+    // Init log file for virtrust
+    auto ret = virtrust::Logger::Instance()->InitLog(static_cast<int>(virtrust::LogLevel::INFO), GetLogPath().data());
+    if (ret != virtrust::VirtrustRc::OK) {
+        fmt::print("Init log failed!\n");
+        return 1;
+    }
+
+    // Let libvirt print its err to virtrust
+    virtrust::Libvirt::GetInstance().SetErrorFunction([]([[maybe_unused]] void *userData, virtrust::virErrorPtr error) {
+        auto logLevel = virtrust::virErrorLevelToLogLevel(error->level);
+        // domain: see
+        // https://libvirt.org/html/libvirt-virterror.html#virErrorDomain
+        // code: see
+        // https://libvirt.org/html/libvirt-virterror.html#virErrorNumber
+        auto logMsg = fmt::format("[LIBVIRT domain: {}, code: {}] {}", error->domain, error->code, error->message);
+        virtrust::Logger::Instance()->Log(logLevel, logMsg);
+    });
+
+    // Run virtrust based on args
+    return ProcessArgs(argc, argv);
+}
diff --git a/virtrust/src/virtrust-sh/operator/CMakeLists.txt b/virtrust/src/virtrust-sh/operator/CMakeLists.txt
new file mode 100644
index 0000000000000000000000000000000000000000..1942f45ad736ffe2cb2ca2763ad8a44dd4a47636
--- /dev/null
+++ b/virtrust/src/virtrust-sh/operator/CMakeLists.txt
@@ -0,0 +1,22 @@
+# Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+set(VIRTRUST_SH_SOURCE_FILES
+    ${VIRTRUST_SH_SOURCE_FILES}
+    ${CMAKE_CURRENT_LIST_DIR}/op_itf.cpp
+    ${CMAKE_CURRENT_LIST_DIR}/op_create.cpp
+    ${CMAKE_CURRENT_LIST_DIR}/op_start.cpp
+    ${CMAKE_CURRENT_LIST_DIR}/op_migrate.cpp
+    ${CMAKE_CURRENT_LIST_DIR}/op_destroy.cpp
+    ${CMAKE_CURRENT_LIST_DIR}/op_list.cpp
+    ${CMAKE_CURRENT_LIST_DIR}/op_undefine.cpp)
+
+add_virtrust_sh_test_if(op_create_test ${BUILD_TEST})
+add_virtrust_sh_test_if(op_start_test ${BUILD_TEST})
+add_virtrust_sh_test_if(op_migrate_test ${BUILD_TEST})
+add_virtrust_sh_test_if(op_destroy_test ${BUILD_TEST})
+add_virtrust_sh_test_if(op_list_test ${BUILD_TEST})
+add_virtrust_sh_test_if(op_undefine_test ${BUILD_TEST})
+
+set(VIRTRUST_SH_SOURCE_FILES
+    ${VIRTRUST_SH_SOURCE_FILES}
+    PARENT_SCOPE)
diff --git a/virtrust/src/virtrust-sh/operator/op_create.cpp b/virtrust/src/virtrust-sh/operator/op_create.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..6c1e68764694c8bde1958c0df6e51b46db70a753
--- /dev/null
+++ b/virtrust/src/virtrust-sh/operator/op_create.cpp
@@ -0,0 +1,101 @@
+// Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+#include "virtrust-sh/operator/op_create.h"
+
+#include <getopt.h>
+
+#include <string>
+#include <vector>
+
+#include "virtrust-sh/operator/op_itf.h"
+#include "virtrust-sh/operator/op_utils.h"
+#include "virtrust/api/domain.h"
+
+namespace virtrust {
+
+OpRc OpCreate::Exec()
+{
+    // make connection
+    conn_.reset();
+    conn_ = std::make_unique<ConnCtx>();
+    if (!conn_->SetUri(config_.uri)) {
+        VIRTRUST_LOG_ERROR("Failed to set uri: {}", config_.uri);
+        return OpRc::ERROR;
+    }
+    conn_->Connect();
+    if (conn_->Get() == nullptr) {
+        VIRTRUST_LOG_ERROR("Failed to establish connection to: {}", config_.uri);
+        return OpRc::ERROR;
+    }
+    return ParseVirtrustRc(DomainCreate(conn_, virtInstallArgs_));
+}
+
+// Parse the args from command line
+OpRc OpCreate::ParseArgv(int argc, char **argv)
+{
+    int arg = -1;
+    int longindex = -1;
+    optind = 1; // reset
+    bool hasNameArg = false;
+
+    std::vector<option> opt = {{"help", no_argument, nullptr, 'h'},
+                               {"name", required_argument, nullptr, 'n'},
+                               {"allow-store-measurements", no_argument, nullptr, 1},
+                               {nullptr, 0, nullptr, 0}};
+
+    opterr = 0;
+    // The leading + means no re-ordering, see man page of getopt_long
+    while ((arg = getopt_long(argc, argv, "+c:dhv", opt.data(), &longindex)) != -1) {
+        switch (arg) {
+            case 'h':
+                config_.enableExec = false;
+                PrintUsage();
+                optind = 1;
+                return OpRc::OK;
+            case 'n':
+                hasNameArg = true;
+                break;
+            default:
+                continue; // do nothing;
+        }
+    }
+
+    opterr = 1;
+    if (!hasNameArg) {
+        fmt::print("\n--name/-n not set.\n");
+        return OpRc::ERROR;
+    }
+
+    virtInstallArgs_.clear();
+
+    // all args should be parse to virt-install, so nothing need to be done here
+    virtInstallArgs_.emplace_back(VIRTRUST_SH_VIRT_INSTALL_PATH);
+    for (auto i = 1; i < argc; ++i) {
+        virtInstallArgs_.emplace_back(argv[i]);
+    }
+    return OpRc::OK;
+}
+
+// Print the usage of this operator
+void OpCreate::PrintUsage()
+{
+    fmt::print("\n"
+               "  NAME:\n"
+               "    create - create a new virtual machine\n"
+               "\n"
+               "  SYNOPSIS:\n"
+               "    create [options] <args>\n"
+               "\n"
+               "  OPTIONS:\n"
+               "    -h | --help                    this help\n"
+               "    --allow-store-measurements     allow store measurements\n"
+               "                                   (NOTE when using this option, "
+               "--name must be provided)\n"
+               "\n"
+               "  ARGS:\n"
+               "    virt-install args, see all supported args with `virt-install "
+               "--help`.\n"
+               "\n");
+}
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust-sh/operator/op_create.h b/virtrust/src/virtrust-sh/operator/op_create.h
new file mode 100644
index 0000000000000000000000000000000000000000..31f730c8f6c34dbaff8bf03f1b08677d51618861
--- /dev/null
+++ b/virtrust/src/virtrust-sh/operator/op_create.h
@@ -0,0 +1,30 @@
+// Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+#pragma once
+
+#include <string>
+#include <vector>
+
+#include "virtrust-sh/operator/op_itf.h"
+
+namespace virtrust {
+
+class OpCreate : public OpItf {
+public:
+    explicit OpCreate() : OpItf(OpTy::CREATE)
+    {}
+    ~OpCreate() override = default;
+
+    OpRc Exec() override;
+
+    // Parse the args from command line
+    OpRc ParseArgv(int argc, char **argv) override;
+
+    // Print the usage of this operator
+    void PrintUsage() override;
+
+private:
+    std::vector<std::string> virtInstallArgs_;
+};
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust-sh/operator/op_create_test.cpp b/virtrust/src/virtrust-sh/operator/op_create_test.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..99e48f754a10f9c86db7731ca96e06175566ad1b
--- /dev/null
+++ b/virtrust/src/virtrust-sh/operator/op_create_test.cpp
@@ -0,0 +1,81 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+ */
+
+#include "gtest/gtest.h"
+
+#include "virtrust-sh/defines.h"
+#include "virtrust-sh/operator/op_create.h"
+
+namespace virtrust {
+
+TEST(OpCreateTest, ParseArgvTest)
+{
+    OpCreate opCreate;
+
+    // Test with basic arguments
+    const char *argv[] = {"op_create", "--name", "test_vm", "--memory", "1024"};
+    int argc = 5;
+
+    OpRc result = opCreate.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns OK for valid arguments
+    EXPECT_EQ(result, OpRc::OK);
+}
+
+TEST(OpCreateTest, ParseArgvEmptyTest)
+{
+    OpCreate opCreate;
+
+    // Test with no arguments (only program name)
+    const char *argv[] = {"op_create", "--name", "test_vm"};
+    int argc = 3;
+
+    OpRc result = opCreate.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns OK for edge case with no extra arguments
+    EXPECT_EQ(result, OpRc::OK);
+}
+
+TEST(OpCreateTest, ParseArgvMultipleArgsTest)
+{
+    OpCreate opCreate;
+
+    // Test with more complex arguments
+    const char *argv[] = {"op_create", "--name", "test_vm", "--memory", "1024", "--vcpu", "2", "--disk", "size=10"};
+    int argc = 9;
+
+    OpRc result = opCreate.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns OK for complex arguments
+    EXPECT_EQ(result, OpRc::OK);
+}
+
+TEST(OpCreateTest, ParseArgvSpecialCharactersTest)
+{
+    OpCreate opCreate;
+
+    // Test with more containing special arguments
+    const char *argv[] = {"op_create", "--name", "test-vm_123", "--memory", "2048", "--graphics", "vnc"};
+    int argc = 7;
+
+    OpRc result = opCreate.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv handles special characters correctly
+    EXPECT_EQ(result, OpRc::OK);
+}
+
+TEST(OpCreateTest, ParseArgvLongArgumentsTest)
+{
+    OpCreate opCreate;
+
+    // Test with long arguments names
+    const char *argv[] = {"op_create", "--name", "test-long-vm-name-for-testing", "--memory", "4096", "--vcpu", "4"};
+    int argc = 7;
+
+    OpRc result = opCreate.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv handles long garuments names correctly
+    EXPECT_EQ(result, OpRc::OK);
+}
+} // namespace virtrust
diff --git a/virtrust/src/virtrust-sh/operator/op_destroy.cpp b/virtrust/src/virtrust-sh/operator/op_destroy.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..7c1081577b34a18c55538f73fa3800863c12bd85
--- /dev/null
+++ b/virtrust/src/virtrust-sh/operator/op_destroy.cpp
@@ -0,0 +1,97 @@
+// Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+#include "virtrust-sh/operator/op_destroy.h"
+
+#include <getopt.h>
+
+#include <string>
+#include <vector>
+
+#include "virtrust-sh/operator/op_itf.h"
+#include "virtrust-sh/operator/op_utils.h"
+#include "virtrust/api/domain.h"
+
+namespace virtrust {
+namespace {
+constexpr int OP_DESTROY_EXTRA_CMD_NUM = 1;
+}
+
+OpRc OpDestroy::Exec()
+{
+    // make connection
+    conn_.reset();
+    conn_ = std::make_unique<ConnCtx>();
+    if (!conn_->SetUri(config_.uri)) {
+        VIRTRUST_LOG_ERROR("Failed to set uri: {}", config_.uri);
+        return OpRc::ERROR;
+    }
+    conn_->Connect();
+    if (conn_->Get() == nullptr) {
+        VIRTRUST_LOG_ERROR("Failed to establish connection to: {}", config_.uri);
+        return OpRc::ERROR;
+    }
+    return ParseVirtrustRc(DomainDestroy(conn_, domainName_, flags_, onlyTsb_));
+}
+
+// Parse the args from command line
+OpRc OpDestroy::ParseArgv(int argc, char **argv)
+{
+    int arg = -1;
+    int longindex = -1;
+    optind = 1;                   // reset
+    const int onlyTsbVal = 0x100; // REVIEW why?
+    std::vector<option> opt = {
+        {"help", no_argument, nullptr, 'h'}, {"only-tsb", no_argument, nullptr, onlyTsbVal}, {nullptr, 0, nullptr, 0}};
+
+    // The leading + means no re-ordering, see man page of getopt_long
+    while ((arg = getopt_long(argc, argv, "+c:dhv", opt.data(), &longindex)) != -1) {
+        switch (arg) {
+            case 'h':
+                config_.enableExec = false;
+                PrintUsage();
+                optind = argc; // stop parsing
+                return OpRc::OK;
+            case onlyTsbVal:
+                onlyTsb_ = true;
+                continue;
+            default:
+                config_.enableExec = false;
+                PrintUsage();
+                optind = argc; // stop parsing
+                return OpRc::ERROR;
+        }
+    }
+
+    if (argc - optind != OP_DESTROY_EXTRA_CMD_NUM) {
+        fmt::print("\nInvalid number of arguments, expect: {}, got: {}\n", OP_DESTROY_EXTRA_CMD_NUM, argc - optind);
+        PrintUsage();
+        return OpRc::ERROR;
+    }
+
+    if (strlen(argv[optind]) != 0) {
+        domainName_ = argv[optind];
+        return OpRc::OK;
+    } else {
+        VIRTRUST_LOG_ERROR("Invalid empty domain name");
+        return OpRc::ERROR;
+    }
+}
+
+// Print the usage of this operator
+void OpDestroy::PrintUsage()
+{
+    fmt::print("\n"
+               "  NAME:\n"
+               "    destroy - destroy (stop) a domain\n"
+               "\n"
+               "  SYNOPSIS:\n"
+               "    destroy [options] <domain>\n"
+               "\n"
+               "  OPTIONS:\n"
+               "    -h | --help                    this help\n"
+               "    --onlyTsb                      only update tsb resource, "
+               "<domain> should be replaced with uuid if --onlyTsb enabled\n"
+               "\n");
+}
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust-sh/operator/op_destroy.h b/virtrust/src/virtrust-sh/operator/op_destroy.h
new file mode 100644
index 0000000000000000000000000000000000000000..1c5feffbb5e74de5896b34e093eb8e63af6b6243
--- /dev/null
+++ b/virtrust/src/virtrust-sh/operator/op_destroy.h
@@ -0,0 +1,32 @@
+// Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+#pragma once
+
+#include <string>
+#include <vector>
+
+#include "virtrust-sh/operator/op_itf.h"
+
+namespace virtrust {
+
+class OpDestroy : public OpItf {
+public:
+    explicit OpDestroy() : OpItf(OpTy::DESTROY)
+    {}
+    ~OpDestroy() override = default;
+
+    OpRc Exec() override;
+
+    // Parse the args from command line
+    OpRc ParseArgv(int argc, char **argv) override;
+
+    // Print the usage of this operator
+    void PrintUsage() override;
+
+private:
+    std::string domainName_ = "unknown";
+    unsigned int flags_ = DOMAIN_DESTROY_NONE;
+    bool onlyTsb_ = false;
+};
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust-sh/operator/op_destroy_test.cpp b/virtrust/src/virtrust-sh/operator/op_destroy_test.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..0d0b0039d1a3739da4e577ad018586a1e039be53
--- /dev/null
+++ b/virtrust/src/virtrust-sh/operator/op_destroy_test.cpp
@@ -0,0 +1,110 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+ */
+
+#include "gtest/gtest.h"
+
+#include "virtrust-sh/operator/op_destroy.h"
+
+namespace virtrust {
+
+TEST(OpDestroyTest, ParseArgvValidDomainTest)
+{
+    OpDestroy opDestroy;
+
+    // Test with valid domain name argument
+    const char *argv[] = {"op_destroy", "test_domain"};
+    int argc = 2;
+
+    OpRc result = opDestroy.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns OK for valid arguments
+    EXPECT_EQ(result, OpRc::OK);
+}
+
+TEST(OpDestroyTest, ParseArgvHelpFlagTest)
+{
+    OpDestroy opDestroy;
+
+    // Test with help Flag
+    const char *argv[] = {"op_destroy", "--help"};
+    int argc = 2;
+
+    OpRc result = opDestroy.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns OK for help flag (should not execute)
+    EXPECT_EQ(result, OpRc::OK);
+}
+
+TEST(OpDestroyTest, ParseArgvHelpShortFlagTest)
+{
+    OpDestroy opDestroy;
+
+    // Test with short help flag
+    const char *argv[] = {"op_destroy", "-h"};
+    int argc = 2;
+
+    OpRc result = opDestroy.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns OK for short help flag (should not execute)
+    EXPECT_EQ(result, OpRc::OK);
+}
+
+TEST(OpDestroyTest, ParseArgvMissingDomainTest)
+{
+    OpDestroy opDestroy;
+
+    // Test with no domain name argument
+    const char *argv[] = {"op_destroy"};
+    int argc = 1;
+
+    OpRc result = opDestroy.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns ERROR for missing domain
+    EXPECT_EQ(result, OpRc::ERROR);
+}
+
+TEST(OpDestroyTest, ParseArgvExtraArgumentsTest)
+{
+    OpDestroy opDestroy;
+
+    // Test with extra arguments
+    const char *argv[] = {"op_destroy", "domain1", "domain2"};
+    int argc = 3;
+
+    OpRc result = opDestroy.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv handles ERROR for too many arguments
+    EXPECT_EQ(result, OpRc::ERROR);
+}
+
+TEST(OpDestroyTest, ParseArgvInvalidOptionTest)
+{
+    OpDestroy opDestroy;
+
+    // Test with invalid option
+    const char *argv[] = {"op_destroy", "--invalid-option"};
+    int argc = 2;
+
+    OpRc result = opDestroy.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv handles ERROR for invalid option
+    EXPECT_EQ(result, OpRc::ERROR);
+}
+
+TEST(OpDestroyTest, ParseArgvDomainNameStrorageTest)
+{
+    OpDestroy opDestroy;
+
+    // Test that domain name is properly stored
+    const char *argv[] = {"op_destroy", "test-domain-123"};
+    int argc = 2;
+
+    OpRc result = opDestroy.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns OK and domain name is stored
+    EXPECT_EQ(result, OpRc::OK);
+    // Note: Cannot directly access private member domainName_ for verification
+    // but we can verify the function doesn't crash and handles correctly
+}
+} // namespace virtrust
diff --git a/virtrust/src/virtrust-sh/operator/op_itf.cpp b/virtrust/src/virtrust-sh/operator/op_itf.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..503eb8de95e9fded18bbb5b9ce90d511dcf86322
--- /dev/null
+++ b/virtrust/src/virtrust-sh/operator/op_itf.cpp
@@ -0,0 +1,61 @@
+// Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+#include "virtrust-sh/operator/op_itf.h"
+
+#include <cstdint>
+#include <memory>
+#include <string_view>
+
+#include "virtrust-sh/operator/op_create.h"
+#include "virtrust-sh/operator/op_destroy.h"
+#include "virtrust-sh/operator/op_list.h"
+#include "virtrust-sh/operator/op_migrate.h"
+#include "virtrust-sh/operator/op_start.h"
+#include "virtrust-sh/operator/op_undefine.h"
+
+namespace virtrust {
+
+std::unique_ptr<OpItf> MakeOperator(OpTy type)
+{
+    switch (type) {
+        case OpTy::CREATE:
+            return std::make_unique<OpCreate>();
+        case OpTy::DESTROY:
+            return std::make_unique<OpDestroy>();
+        case OpTy::MIGRATE:
+            return std::make_unique<OpMigrate>();
+        case OpTy::START:
+            return std::make_unique<OpStart>();
+        case OpTy::UNDEFINE:
+            return std::make_unique<OpUndefine>();
+        case OpTy::LIST:
+            return std::make_unique<OpList>();
+        default:
+            return nullptr; // return nullptr if error
+    }
+}
+
+OpTy OpTyFromStr(const std::string &type)
+{
+    if (type == "create") {
+        return OpTy::CREATE;
+    } else if (type == "destroy") {
+        return OpTy::DESTROY;
+    } else if (type == "migrate") {
+        return OpTy::MIGRATE;
+    } else if (type == "start") {
+        return OpTy::START;
+    } else if (type == "undefine") {
+        return OpTy::UNDEFINE;
+    } else if (type == "list") {
+        return OpTy::LIST;
+    } else {
+        return OpTy::UNKNOWN;
+    }
+}
+
+std::unique_ptr<OpItf> MakeOperator(const std::string &type)
+{
+    return MakeOperator(OpTyFromStr(type));
+}
+} // namespace virtrust
diff --git a/virtrust/src/virtrust-sh/operator/op_itf.h b/virtrust/src/virtrust-sh/operator/op_itf.h
new file mode 100644
index 0000000000000000000000000000000000000000..b5608121615e535954ca1f79a08700f91c8a61d4
--- /dev/null
+++ b/virtrust/src/virtrust-sh/operator/op_itf.h
@@ -0,0 +1,92 @@
+// Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+#pragma once
+
+#include <cstdint>
+#include <memory>
+#include <string_view>
+#include <utility>
+
+#include "virtrust/api/context.h"
+#include "virtrust/base/logger.h"
+#include "virtrust/dllib/libvirt.h"
+
+namespace virtrust {
+
+enum class OpRc : uint32_t {
+    OK = 0,
+    ERROR = 1,
+    CHECK_FAILED = 2,
+};
+
+enum class OpTy : uint32_t {
+    UNKNOWN,
+    CREATE,
+    DESTROY,
+    MIGRATE,
+    START,
+    UNDEFINE,
+    LIST,
+};
+
+OpTy OpTyFromStr(const std::string &type);
+
+// Default configs for operator
+// NOTE carefully tweak those default values
+struct OpConfig {
+    std::string uri = std::string(VIRTRUST_DEFAULT_URI);
+    bool enableExec = true;
+};
+
+// Operator Interface
+class OpItf {
+public:
+    OpItf() = delete;
+    virtual ~OpItf() = default;
+
+    // Getters and Setters
+
+    // Get uri string
+    std::string GetUri() const
+    {
+        return config_.uri;
+    }
+
+    // Get type
+    OpTy Type() const
+    {
+        return type_;
+    }
+
+    // Get const reference of op's config
+    const OpConfig &GetConfig() const
+    {
+        return config_;
+    }
+
+    void SetConfig(const OpConfig &config)
+    {
+        config_ = config;
+    }
+
+    virtual OpRc Exec() = 0;
+    virtual OpRc ParseArgv(int argc, char **argv) = 0;
+    virtual void PrintUsage() = 0;
+
+protected:
+    const OpTy type_ = OpTy::UNKNOWN;
+    std::unique_ptr<ConnCtx> conn_ = nullptr;
+    std::unique_ptr<DomainCtx> domain_ = nullptr;
+    OpConfig config_ = {};
+
+    explicit OpItf(OpTy type) : type_(type)
+    {}
+    explicit OpItf(OpTy type, OpConfig config) : type_(type), config_(std::move(config))
+    {}
+};
+
+// Operator Factory
+std::unique_ptr<OpItf> MakeOperator(OpTy type);
+std::unique_ptr<OpItf> MakeOperator(const std::string &type);
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust-sh/operator/op_list.cpp b/virtrust/src/virtrust-sh/operator/op_list.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..0a721bffe711706d92193e1a5f694bb47d8d2910
--- /dev/null
+++ b/virtrust/src/virtrust-sh/operator/op_list.cpp
@@ -0,0 +1,188 @@
+// Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+#include "virtrust-sh/operator/op_list.h"
+
+#include <getopt.h>
+
+#include <string>
+#include <vector>
+
+#include "virtrust-sh/operator/op_itf.h"
+#include "virtrust-sh/operator/op_utils.h"
+#include "virtrust/api/domain.h"
+
+namespace virtrust {
+
+namespace {
+constexpr int OP_LIST_EXTRA_CMD_NUM = 0;
+constexpr int KB_TO_MD = 1024;
+inline std::string GetIdStr(const std::unique_ptr<ConnCtx> &conn, const std::string &name)
+{
+    auto &libvirt = Libvirt::GetInstance();
+    auto *domain = libvirt.virDomainLookupByName(conn->Get(), name.data());
+    if (domain == nullptr) {
+        return "-";
+    }
+    auto id = libvirt.virDomainGetID(domain);
+    libvirt.virDomainFree(domain);
+    return id == std::numeric_limits<unsigned int>::max() ? "-" : std::to_string(id);
+}
+
+inline unsigned int GetIdInt(const std::unique_ptr<ConnCtx> &conn, const std::string &name)
+{
+    auto &libvirt = Libvirt::GetInstance();
+    auto *domain = libvirt.virDomainLookupByName(conn->Get(), name.data());
+    if (domain == nullptr) {
+        return std::numeric_limits<unsigned int>::max();
+    }
+    auto id = libvirt.virDomainGetID(domain);
+    libvirt.virDomainFree(domain);
+    return id;
+}
+
+inline std::string GetStateStr(int state)
+{
+    switch (state) {
+        case VIR_DOMAIN_RUNNING:
+            return "running";
+        case VIR_DOMAIN_PAUSED:
+            return "paused";
+        case VIR_DOMAIN_SHUTDOWN:
+            return "shut down";
+        case VIR_DOMAIN_SHUTOFF:
+            return "shut off";
+        case VIR_DOMAIN_CRASHED:
+            return "crashed";
+        default:
+            return "unknown";
+    }
+}
+
+struct DomainInfoForSort {
+    unsigned int id;
+    DomainInfo domainInfo;
+};
+
+std::vector<DomainInfoForSort> GetSortedDomainInfos(const std::unique_ptr<ConnCtx> &conn,
+                                                    const std::unordered_map<std::string, DomainInfo> &domainInfos,
+                                                    size_t &maxNameLen)
+
+{
+    std::vector<DomainInfoForSort> sortedInfos;
+    sortedInfos.reserve(domainInfos.size());
+    for (const auto &[key, info] : domainInfos) {
+        DomainInfoForSort item;
+        item.id = GetIdInt(conn, info.domainName);
+        item.domainInfo = info;
+        sortedInfos.push_back(item);
+        maxNameLen = std::max(maxNameLen, info.domainName.length());
+    }
+    // 自定义排序
+    std::sort(sortedInfos.begin(), sortedInfos.end(), [](const DomainInfoForSort &lhs, const DomainInfoForSort &rhs) {
+        if (lhs.id != rhs.id) {
+            return lhs.id < rhs.id;
+        } else if (lhs.domainInfo.state != rhs.domainInfo.state) {
+            return lhs.domainInfo.state < rhs.domainInfo.state;
+
+        } else {
+            return lhs.domainInfo.domainName < rhs.domainInfo.domainName;
+        }
+    });
+    return sortedInfos;
+}
+
+} // namespace
+
+OpRc OpList::Exec()
+{
+    // make connection
+    conn_.reset();
+    conn_ = std::make_unique<ConnCtx>();
+    if (!conn_->SetUri(config_.uri)) {
+        VIRTRUST_LOG_ERROR("Failed to set uri: {}", config_.uri);
+        return OpRc::ERROR;
+    }
+    conn_->Connect();
+    if (conn_->Get() == nullptr) {
+        VIRTRUST_LOG_ERROR("Failed to establish connection to: {}", config_.uri);
+        return OpRc::ERROR;
+    }
+
+    std::unordered_map<std::string, DomainInfo> domainInfos = {};
+    auto rc = DomainList(conn_, flags_, domainInfos, true);
+    if (rc != VirtrustRc::OK) {
+        return ParseVirtrustRc(rc);
+    }
+
+    size_t maxNameLen = 5;
+    std::vector<DomainInfoForSort> sortedInfos = GetSortedDomainInfos(conn_, domainInfos, maxNameLen);
+
+    fmt::print("\n{:5} {:{}} {:<10}\n", "Id", "Name", maxNameLen + 2, "State");
+    std::string separator(maxNameLen + 19, '-');
+
+    fmt::print("{}\n", separator);
+    for (const auto &item : sortedInfos) {
+        fmt::print("\n{:5} {:{}} {:<10}\n",
+                   item.id == std::numeric_limits<unsigned int>::max() ? "-" : std::to_string(item.id),
+                   item.domainInfo.domainName, maxNameLen + 2, GetStateStr(item.domainInfo.state));
+    }
+
+    return OpRc::OK;
+}
+
+// Parse the args from command line
+OpRc OpList::ParseArgv(int argc, char **argv)
+{
+    int arg = -1;
+    int longindex = -1;
+    optind = 1; // reset
+
+    std::vector<option> opt = {
+        {"help", no_argument, nullptr, 'h'}, {"all", required_argument, nullptr, 'a'}, {nullptr, 0, nullptr, 0}};
+
+    opterr = 0;
+    // The leading + means no re-ordering, see man page of getopt_long
+    while ((arg = getopt_long(argc, argv, "+ah", opt.data(), &longindex)) != -1) {
+        switch (arg) {
+            case 'h':
+                config_.enableExec = false;
+                PrintUsage();
+                optind = argc; // stop parsing
+                return OpRc::OK;
+            case 'a':
+                // see: libvirt/tools/virsh-domain-monitor.c, line 1890
+                flags_ = LIST_DOMAINS_ACTIVE | LIST_DOMAINS_INACTIVE;
+                break;
+            default:
+                config_.enableExec = false;
+                PrintUsage();
+                optind = argc; // stop parsing
+                return OpRc::ERROR;
+        }
+    }
+
+    if (argc - optind != OP_LIST_EXTRA_CMD_NUM) {
+        fmt::print("\nInvalid number of arguments, expect: {}, got: {}\n", OP_LIST_EXTRA_CMD_NUM, argc - optind);
+        PrintUsage();
+        return OpRc::ERROR;
+    }
+    return OpRc::OK;
+}
+
+// Print the usage of this operator
+void OpList::PrintUsage()
+{
+    fmt::print("\n"
+               "  NAME:\n"
+               "    list - list domains\n"
+               "\n"
+               "  SYNOPSIS:\n"
+               "    list [options]\n"
+               "\n"
+               "  OPTIONS:\n"
+               "    -h | --help                    this help\n"
+               "    -a | --all                     list all domains\n"
+               "\n");
+}
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust-sh/operator/op_list.h b/virtrust/src/virtrust-sh/operator/op_list.h
new file mode 100644
index 0000000000000000000000000000000000000000..bce0d1d7c6de34ea320d598ffb614bdd2ea85511
--- /dev/null
+++ b/virtrust/src/virtrust-sh/operator/op_list.h
@@ -0,0 +1,30 @@
+// Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+#pragma once
+
+#include <string>
+#include <vector>
+
+#include "virtrust-sh/operator/op_itf.h"
+
+namespace virtrust {
+
+class OpList : public OpItf {
+public:
+    explicit OpList() : OpItf(OpTy::LIST)
+    {}
+    ~OpList() override = default;
+
+    OpRc Exec() override;
+
+    // Parse the args from command line
+    OpRc ParseArgv(int argc, char **argv) override;
+
+    // Print the usage of this operator
+    void PrintUsage() override;
+
+private:
+    unsigned int flags_ = LIST_DOMAINS_ACTIVE; // default show only active
+};
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust-sh/operator/op_list_test.cpp b/virtrust/src/virtrust-sh/operator/op_list_test.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..4c65de227b877bfe2c52740836230730d5111b99
--- /dev/null
+++ b/virtrust/src/virtrust-sh/operator/op_list_test.cpp
@@ -0,0 +1,136 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+ */
+
+#include "gtest/gtest.h"
+
+#include "virtrust-sh/operator/op_list.h"
+
+namespace virtrust {
+
+TEST(OpListTest, ParseArgvNoArgumentsTest)
+{
+    OpList opList;
+
+    // Test with no arguments
+    const char *argv[] = {"op_list"};
+    int argc = 1;
+
+    OpRc result = opList.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns OK for no arguments (default behavior)
+    EXPECT_EQ(result, OpRc::OK);
+}
+
+TEST(OpListTest, ParseArgvHelpFlagTest)
+{
+    OpList opList;
+
+    // Test with help Flag
+    const char *argv[] = {"op_list", "--help"};
+    int argc = 2;
+
+    OpRc result = opList.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns OK for help flag (should not execute)
+    EXPECT_EQ(result, OpRc::OK);
+}
+
+TEST(OpListTest, ParseArgvHelpShortFlagTest)
+{
+    OpList opList;
+
+    // Test with help Flag
+    const char *argv[] = {"op_list", "-h"};
+    int argc = 2;
+
+    OpRc result = opList.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns OK for help flag (should not execute)
+    EXPECT_EQ(result, OpRc::OK);
+}
+
+TEST(OpListTest, ParseArgvAllFlagTest)
+{
+    OpList opList;
+
+    // Test with all flag
+    const char *argv[] = {"op_list", "--all"};
+    int argc = 2;
+
+    OpRc result = opList.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns OK for all flag
+    EXPECT_EQ(result, OpRc::OK);
+}
+
+TEST(OpListTest, ParseArgvAllShortFlagTest)
+{
+    OpList opList;
+
+    // Test with all short falg
+    const char *argv[] = {"op_list", "-a"};
+    int argc = 2;
+
+    OpRc result = opList.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns OK for all short falg
+    EXPECT_EQ(result, OpRc::OK);
+}
+
+TEST(OpListTest, ParseArgvBothFlagsTest)
+{
+    OpList opList;
+
+    // Test with both flags
+    const char *argv[] = {"op_list", "-a", "--help"};
+    int argc = 3;
+
+    OpRc result = opList.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv return OK for both flags (help takes precedence)
+    EXPECT_EQ(result, OpRc::OK);
+}
+
+TEST(OpListTest, ParseArgvInvalidOptionTest)
+{
+    OpList opList;
+
+    // Test with invalid option
+    const char *argv[] = {"op_list", "--invalid-option"};
+    int argc = 2;
+
+    OpRc result = opList.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns ERROR for invalid option
+    EXPECT_EQ(result, OpRc::ERROR);
+}
+
+TEST(OpListTest, ParseArgvExtraArgumentsTest)
+{
+    OpList opList;
+
+    // Test with extra augruments
+    const char *argv[] = {"op_list", "extra_arg"};
+    int argc = 2;
+
+    OpRc result = opList.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns ERROR for extra arguments
+    EXPECT_EQ(result, OpRc::ERROR);
+}
+
+TEST(OpListTest, ParseArgvFlagCombinationTest)
+{
+    OpList opList;
+
+    // Test with mutiple valid flags
+    const char *argv[] = {"op_list", "-a", "-h"};
+    int argc = 3;
+
+    OpRc result = opList.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns OK for valid flag combination
+    EXPECT_EQ(result, OpRc::ERROR);
+}
+} // namespace virtrust
diff --git a/virtrust/src/virtrust-sh/operator/op_migrate.cpp b/virtrust/src/virtrust-sh/operator/op_migrate.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..0f3e0fe65f6b2f8933c0c8671d90bd629b2c467e
--- /dev/null
+++ b/virtrust/src/virtrust-sh/operator/op_migrate.cpp
@@ -0,0 +1,99 @@
+// Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+#include "virtrust-sh/operator/op_migrate.h"
+
+#include <getopt.h>
+
+#include <string>
+#include <vector>
+
+#include "virtrust-sh/operator/op_itf.h"
+#include "virtrust-sh/operator/op_utils.h"
+#include "virtrust/api/domain.h"
+
+namespace virtrust {
+namespace {
+constexpr int OP_MIGRATE_EXTRA_CMD_NUM = 2;
+}
+
+OpRc OpMigrate::Exec()
+{
+    // make connection
+    conn_.reset();
+    conn_ = std::make_unique<ConnCtx>();
+    if (!conn_->SetUri(config_.uri)) {
+        VIRTRUST_LOG_ERROR("Failed to set uri: {}", config_.uri);
+        return OpRc::ERROR;
+    }
+    conn_->Connect();
+    if (conn_->Get() == nullptr) {
+        VIRTRUST_LOG_ERROR("Failed to establish connection to: {}", config_.uri);
+        return OpRc::ERROR;
+    }
+    return ParseVirtrustRc(DomainMigrate(conn_, domainName_, destUri_));
+}
+
+// Parse the args from command line
+OpRc OpMigrate::ParseArgv(int argc, char **argv)
+{
+    int arg = -1;
+    int longindex = -1;
+    optind = 1; // reset
+
+    std::vector<option> opt = {{"help", no_argument, nullptr, 'h'}, {nullptr, 0, nullptr, 0}};
+
+    // The leading + means no re-ordering, see man page of getopt_long
+    while ((arg = getopt_long(argc, argv, "+h", opt.data(), &longindex)) != -1) {
+        switch (arg) {
+            case 'h':
+                config_.enableExec = false;
+                PrintUsage();
+                optind = argc; // stop parsing
+                return OpRc::OK;
+            default:
+                config_.enableExec = false;
+                PrintUsage();
+                optind = argc; // stop parsing
+                return OpRc::ERROR;
+        }
+    }
+
+    if (argc - optind != OP_MIGRATE_EXTRA_CMD_NUM) {
+        fmt::print("\nInvalid number of arguments, expect: {}, got: {}\n", OP_MIGRATE_EXTRA_CMD_NUM, argc - optind);
+        PrintUsage();
+        return OpRc::ERROR;
+    }
+
+    if (strlen(argv[optind]) != 0) {
+        domainName_ = argv[optind];
+        return OpRc::OK;
+    } else {
+        VIRTRUST_LOG_ERROR("Invalid empty domain name");
+        return OpRc::ERROR;
+    }
+
+    if (strlen(argv[optind + 1]) != 0) {
+        destUri_ = argv[optind + 1];
+        return OpRc::OK;
+    } else {
+        VIRTRUST_LOG_ERROR("Invalid empty domain name");
+        return OpRc::ERROR;
+    }
+}
+
+// Print the usage of this operator
+void OpMigrate::PrintUsage()
+{
+    fmt::print("\n"
+               "  NAME:\n"
+               "    migrate - migrate domain to another host\n"
+               "\n"
+               "  SYNOPSIS:\n"
+               "    migrate [options] <domain> <desturi>\n"
+               "\n"
+               "  OPTIONS:\n"
+               "    -h | --help                    this help\n"
+               "\n");
+}
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust-sh/operator/op_migrate.h b/virtrust/src/virtrust-sh/operator/op_migrate.h
new file mode 100644
index 0000000000000000000000000000000000000000..5fafe0f5619445a58131e7cf5218f478cd32452c
--- /dev/null
+++ b/virtrust/src/virtrust-sh/operator/op_migrate.h
@@ -0,0 +1,31 @@
+// Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+#pragma once
+
+#include <string>
+#include <vector>
+
+#include "virtrust-sh/operator/op_itf.h"
+
+namespace virtrust {
+
+class OpMigrate : public OpItf {
+public:
+    explicit OpMigrate() : OpItf(OpTy::MIGRATE)
+    {}
+    ~OpMigrate() override = default;
+
+    OpRc Exec() override;
+
+    // Parse the args from command line
+    OpRc ParseArgv(int argc, char **argv) override;
+
+    // Print the usage of this operator
+    void PrintUsage() override;
+
+private:
+    std::string domainName_ = "unknown";
+    std::string destUri_;
+};
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust-sh/operator/op_migrate_test.cpp b/virtrust/src/virtrust-sh/operator/op_migrate_test.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..db75369c8827e1904e6bb5b2d3a8bb8c3f526ae9
--- /dev/null
+++ b/virtrust/src/virtrust-sh/operator/op_migrate_test.cpp
@@ -0,0 +1,136 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+ */
+
+#include "gtest/gtest.h"
+
+#include "virtrust-sh/operator/op_migrate.h"
+
+namespace virtrust {
+
+TEST(OpMigrateTest, ParseArgvValidArgumentsTest)
+{
+    OpMigrate opMigrate;
+
+    // Test with valid domain name and destination URI
+    const char *argv[] = {"op_migrate", "test_doamin", "qemu+ssh://destination.example.com/system"};
+    int argc = 3;
+
+    OpRc result = opMigrate.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns OK for valid arguments
+    EXPECT_EQ(result, OpRc::OK);
+}
+
+TEST(OpMigrateTest, ParseArgvHelpFlagTest)
+{
+    OpMigrate opMigrate;
+
+    // Test with help Flag
+    const char *argv[] = {"op_migrate", "--help"};
+    int argc = 2;
+
+    OpRc result = opMigrate.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns OK for help flag (should not execute)
+    EXPECT_EQ(result, OpRc::OK);
+}
+
+TEST(OpMigrateTest, ParseArgvHelpShortFlagTest)
+{
+    OpMigrate opMigrate;
+
+    // Test with help Flag
+    const char *argv[] = {"op_migrate", "-h"};
+    int argc = 2;
+
+    OpRc result = opMigrate.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns OK for short help flag (should not execute)
+    EXPECT_EQ(result, OpRc::OK);
+}
+
+TEST(OpMigrateTest, ParseArgvMissingArgumentsTest)
+{
+    OpMigrate opMigrate;
+
+    // Test with missig arguments (only program name)
+    const char *argv[] = {"op_migrate"};
+    int argc = 1;
+
+    OpRc result = opMigrate.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns ERROR for misssing arguments
+    EXPECT_EQ(result, OpRc::ERROR);
+}
+
+TEST(OpMigrateTest, ParseArgvMissingDestinationTest)
+{
+    OpMigrate opMigrate;
+
+    // Test with aonly domain name, missing destination URI
+    const char *argv[] = {"op_migrate", "test_domain"};
+    int argc = 2;
+
+    OpRc result = opMigrate.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns ERROR for missing destination
+    EXPECT_EQ(result, OpRc::ERROR);
+}
+
+TEST(OpMigrateTest, ParseArgvExtraArgumentsTest)
+{
+    OpMigrate opMigrate;
+
+    // Test with extra arguments
+    const char *argv[] = {"op_migrate", "domain1", "dest_uri", "extra_arg"};
+    int argc = 4;
+
+    OpRc result = opMigrate.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv return ERROR for extra arguments
+    EXPECT_EQ(result, OpRc::ERROR);
+}
+
+TEST(OpMigrateTest, ParseArgvInvalidOptionTest)
+{
+    OpMigrate opMigrate;
+
+    // Test with invalid option
+    const char *argv[] = {"op_migrate", "--invalid-option"};
+    int argc = 2;
+
+    OpRc result = opMigrate.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns ERROR for invalid option
+    EXPECT_EQ(result, OpRc::ERROR);
+}
+
+TEST(OpMigrateTest, ParseArgvComplexArgumentsTest)
+{
+    OpMigrate opMigrate;
+
+    // Test with complex domain name and URI
+    const char *argv[] = {"op_migrate", "complex-domain-name-123", "qemu+ssh://user@host:22/system?param=value"};
+    int argc = 3;
+
+    OpRc result = opMigrate.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns OK for complex arguments
+    EXPECT_EQ(result, OpRc::OK);
+}
+
+TEST(OpMigrateTest, ParseArgvFlagCombinationTest)
+{
+    OpMigrate opMigrate;
+
+    // Test with special characters in arguments
+    const char *argv[] = {"op_migrate", "test-dimain_123", "qemu+ssh://user@host.example.com:22/system"};
+    int argc = 3;
+
+    OpRc result = opMigrate.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns OK for special characters
+    EXPECT_EQ(result, OpRc::OK);
+}
+} // namespace virtrust
diff --git a/virtrust/src/virtrust-sh/operator/op_start.cpp b/virtrust/src/virtrust-sh/operator/op_start.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..efe7aea50fe3d9db5cecd9655ad97197999559c1
--- /dev/null
+++ b/virtrust/src/virtrust-sh/operator/op_start.cpp
@@ -0,0 +1,99 @@
+// Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+#include "virtrust-sh/operator/op_start.h"
+
+#include <getopt.h>
+
+#include <string>
+#include <vector>
+
+#include "virtrust-sh/operator/op_itf.h"
+#include "virtrust-sh/operator/op_utils.h"
+#include "virtrust/api/domain.h"
+
+namespace virtrust {
+
+namespace {
+constexpr int OP_START_EXTRA_CMD_NUM = 1;
+}
+
+OpRc OpStart::Exec()
+{
+    // make connection
+    conn_.reset();
+    conn_ = std::make_unique<ConnCtx>();
+    if (!conn_->SetUri(config_.uri)) {
+        VIRTRUST_LOG_ERROR("Failed to set uri: {}", config_.uri);
+        return OpRc::ERROR;
+    }
+    conn_->Connect();
+    if (conn_->Get() == nullptr) {
+        VIRTRUST_LOG_ERROR("Failed to establish connection to: {}", config_.uri);
+        return OpRc::ERROR;
+    }
+    return ParseVirtrustRc(DomainStart(conn_, domainName_, flags_, onlyTsb_));
+}
+
+// Parse the args from command line
+OpRc OpStart::ParseArgv(int argc, char **argv)
+{
+    int arg = -1;
+    int longindex = -1;
+    optind = 1; // reset
+    const int onlyTsbVal = 0x100;
+
+    std::vector<option> opt = {{"help", no_argument, nullptr, 'h'},
+                               {"only-tsb", required_argument, nullptr, onlyTsbVal},
+                               {nullptr, 0, nullptr, 0}};
+
+    opterr = 0;
+    // The leading + means no re-ordering, see man page of getopt_long
+    while ((arg = getopt_long(argc, argv, "+h", opt.data(), &longindex)) != -1) {
+        switch (arg) {
+            case 'h':
+                config_.enableExec = false;
+                PrintUsage();
+                optind = 1;
+                return OpRc::OK;
+            case onlyTsbVal:
+                onlyTsb_ = true;
+                break;
+            default:
+                config_.enableExec = false;
+                PrintUsage();
+                return OpRc::ERROR;
+        }
+    }
+
+    if (argc - optind != OP_START_EXTRA_CMD_NUM) {
+        fmt::print("\nInvalid number of arguments, expect: {}, got: {}\n", OP_START_EXTRA_CMD_NUM, argc - optind);
+        PrintUsage();
+        return OpRc::ERROR;
+    }
+
+    if (strlen(argv[optind]) != 0) {
+        domainName_ = argv[optind];
+        return OpRc::OK;
+    } else {
+        VIRTRUST_LOG_ERROR("Invalid empty domain name");
+        return OpRc::ERROR;
+    }
+}
+
+// Print the usage of this operator
+void OpStart::PrintUsage()
+{
+    fmt::print("\n"
+               "  NAME:\n"
+               "    destroy - destroy (stop) a domain\n"
+               "\n"
+               "  SYNOPSIS:\n"
+               "    destroy [options] <domain>\n"
+               "\n"
+               "  OPTIONS:\n"
+               "    -h | --help                    this help\n"
+               "    --onlyTsb                      only update tsb resource, "
+               "<domain> should be replaced with uuid if --onlyTsb enabled\n"
+               "\n");
+}
+} // namespace virtrust
diff --git a/virtrust/src/virtrust-sh/operator/op_start.h b/virtrust/src/virtrust-sh/operator/op_start.h
new file mode 100644
index 0000000000000000000000000000000000000000..1afdd0f238ca300a661587864a2c3708cfb09cb7
--- /dev/null
+++ b/virtrust/src/virtrust-sh/operator/op_start.h
@@ -0,0 +1,32 @@
+// Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+#pragma once
+
+#include <string>
+#include <vector>
+
+#include "virtrust-sh/operator/op_itf.h"
+
+namespace virtrust {
+
+class OpStart : public OpItf {
+public:
+    explicit OpStart() : OpItf(OpTy::START)
+    {}
+    ~OpStart() override = default;
+
+    OpRc Exec() override;
+
+    // Parse the args from command line
+    OpRc ParseArgv(int argc, char **argv) override;
+
+    // Print the usage of this operator
+    void PrintUsage() override;
+
+private:
+    std::string domainName_ = "unknown";
+    unsigned int flags_ = DOMAIN_START_NONE;
+    bool onlyTsb_ = false;
+};
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust-sh/operator/op_start_test.cpp b/virtrust/src/virtrust-sh/operator/op_start_test.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..7c728904b1cffdad1f402104deb5fa0acd51bb4a
--- /dev/null
+++ b/virtrust/src/virtrust-sh/operator/op_start_test.cpp
@@ -0,0 +1,138 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+ */
+
+#include "gtest/gtest.h"
+
+#include "virtrust-sh/operator/op_start.h"
+
+namespace virtrust {
+
+TEST(OpStartTest, ParseArgvValidArgumentsTest)
+{
+    OpStart opStart;
+
+    // Test with valid domain name
+    const char *argv[] = {"op_start", "test_doamin"};
+    int argc = 2;
+
+    OpRc result = opStart.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns OK for valid arguments
+    EXPECT_EQ(result, OpRc::OK);
+}
+
+TEST(OpStartTest, ParseArgvHelpFlagTest)
+{
+    OpStart opStart;
+
+    // Test with help Flag
+    const char *argv[] = {"op_start", "--help"};
+    int argc = 2;
+
+    OpRc result = opStart.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns OK for help flag (should not execute)
+    EXPECT_EQ(result, OpRc::OK);
+}
+
+TEST(OpStartTest, ParseArgvHelpShortFlagTest)
+{
+    OpStart opStart;
+
+    // Test with help Flag
+    const char *argv[] = {"op_start", "-h"};
+    int argc = 2;
+
+    OpRc result = opStart.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns OK for short help flag (should not execute)
+    EXPECT_EQ(result, OpRc::OK);
+}
+
+TEST(OpStartTest, ParseArgvMissingDoaminTest)
+{
+    OpStart opStart;
+
+    // Test with missig domain name arguments
+    const char *argv[] = {"op_start"};
+    int argc = 1;
+
+    OpRc result = opStart.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns ERROR for misssing arguments
+    EXPECT_EQ(result, OpRc::ERROR);
+}
+
+TEST(OpStartTest, ParseArgvExtraArgumentsTest)
+{
+    OpStart opStart;
+
+    // Test with extra arguments
+    const char *argv[] = {"op_start", "domain1", "extra_arg"};
+    int argc = 3;
+
+    OpRc result = opStart.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns ERROR for extra arguments
+    EXPECT_EQ(result, OpRc::ERROR);
+}
+
+TEST(OpStartTest, ParseArgvInvalidOptionTest)
+{
+    OpStart opStart;
+
+    // Test with invalid option
+    const char *argv[] = {"op_start", "--invalid-option"};
+    int argc = 2;
+
+    OpRc result = opStart.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns ERROR for invalid option
+    EXPECT_EQ(result, OpRc::ERROR);
+}
+
+TEST(OpStartTest, ParseArgvDomainNameStorageTest)
+{
+    OpStart opStart;
+
+    // Test with domain name is properly stored
+    const char *argv[] = {"op_start", "complex-domain-123"};
+    int argc = 3;
+
+    OpRc result = opStart.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns OK and domain name is stored
+    EXPECT_EQ(result, OpRc::OK);
+    // Note: Cannot directly access private member domainName_ for verification
+    // but we can verify the function doesn't crash and handles correctly
+}
+
+TEST(OpStartTest, ParseArgvComplexDomainNameTest)
+{
+    OpStart opStart;
+
+    // Test with complex domain name containing special characters
+    const char *argv[] = {"op_start", "complex-dimain-name.123"};
+    int argc = 2;
+
+    OpRc result = opStart.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns OK for complex domain names
+    EXPECT_EQ(result, OpRc::OK);
+}
+
+TEST(OpStartTest, ParseArgvLongDomainNameTest)
+{
+    OpStart opStart;
+
+    // Test with Long domain name
+    const char *argv[] = {"op_start", "very-long-domain-name-that-has-many-characters-for-purposes"};
+    int argc = 2;
+
+    OpRc result = opStart.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns OK for long domain names
+    EXPECT_EQ(result, OpRc::OK);
+}
+} // namespace virtrust
diff --git a/virtrust/src/virtrust-sh/operator/op_undefine.cpp b/virtrust/src/virtrust-sh/operator/op_undefine.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..202bee172fe85f20c01986d982ce50fba2b7b6c9
--- /dev/null
+++ b/virtrust/src/virtrust-sh/operator/op_undefine.cpp
@@ -0,0 +1,101 @@
+// Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+#include "virtrust-sh/operator/op_undefine.h"
+
+#include <getopt.h>
+
+#include <string>
+#include <vector>
+
+#include "virtrust-sh/operator/op_itf.h"
+#include "virtrust-sh/operator/op_utils.h"
+#include "virtrust/api/domain.h"
+
+namespace virtrust {
+namespace {
+constexpr int OP_UNDEFINE_EXTRA_CMD_NUM = 1;
+}
+
+OpRc OpUndefine::Exec()
+{
+    // make connection
+    conn_.reset();
+    conn_ = std::make_unique<ConnCtx>();
+    if (!conn_->SetUri(config_.uri)) {
+        VIRTRUST_LOG_ERROR("Failed to set uri: {}", config_.uri);
+        return OpRc::ERROR;
+    }
+    conn_->Connect();
+    if (conn_->Get() == nullptr) {
+        VIRTRUST_LOG_ERROR("Failed to establish connection to: {}", config_.uri);
+        return OpRc::ERROR;
+    }
+    return ParseVirtrustRc(DomainUndefine(conn_, domainName_, flags_, onlyTsb_));
+}
+
+// Parse the args from command line
+OpRc OpUndefine::ParseArgv(int argc, char **argv)
+{
+    int arg = -1;
+    int longindex = -1;
+    optind = 1;                   // reset
+    const int onlyTsbVal = 0x100; // REVIEW why?
+    std::vector<option> opt = {
+        {"help", no_argument, nullptr, 'h'}, {"only-tsb", no_argument, nullptr, onlyTsbVal}, {nullptr, 0, nullptr, 0}};
+
+    opterr = 0;
+    // The leading + means no re-ordering, see man page of getopt_long
+    while ((arg = getopt_long(argc, argv, "+c:dhv", opt.data(), &longindex)) != -1) {
+        switch (arg) {
+            case 'h':
+                config_.enableExec = false;
+                PrintUsage();
+                optind = argc; // stop parsing
+                return OpRc::OK;
+            case onlyTsbVal:
+                onlyTsb_ = true;
+                continue;
+            default:
+                config_.enableExec = false;
+                PrintUsage();
+                optind = argc; // stop parsing
+                return OpRc::ERROR;
+        }
+    }
+
+    if (argc - optind != OP_UNDEFINE_EXTRA_CMD_NUM) {
+        fmt::print("\nInvalid number of arguments, expect: {}, got: {}\n", OP_UNDEFINE_EXTRA_CMD_NUM, argc - optind);
+        PrintUsage();
+        return OpRc::ERROR;
+    }
+
+    if (strlen(argv[optind]) != 0) {
+        domainName_ = argv[optind];
+        return OpRc::OK;
+    } else {
+        VIRTRUST_LOG_ERROR("Invalid empty domain name");
+        return OpRc::ERROR;
+    }
+}
+
+// Print the usage of this operator
+void OpUndefine::PrintUsage()
+{
+    fmt::print("\n"
+               "  NAME:\n"
+               "    undefine - undefine a domain\n"
+               "\n"
+               "  SYNOPSIS:\n"
+               "    destroy [options] <domain>\n"
+               "\n"
+               "  OPTIONS:\n"
+               "    -h | --help                    this help\n"
+               "    --nvram                        remove nvram file"
+               "    --keep-nvram                   keep nvram file"
+               "    --only-tsb                     only remove tsb resources"
+               "                                   <domain> should be replaced "
+               "with uuid if --only-tsb enabled\n"
+               "\n");
+}
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust-sh/operator/op_undefine.h b/virtrust/src/virtrust-sh/operator/op_undefine.h
new file mode 100644
index 0000000000000000000000000000000000000000..3d970d0b9242f96400acfc01bfea8a881fd1996a
--- /dev/null
+++ b/virtrust/src/virtrust-sh/operator/op_undefine.h
@@ -0,0 +1,32 @@
+// Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+#pragma once
+
+#include <string>
+#include <vector>
+
+#include "virtrust-sh/operator/op_itf.h"
+
+namespace virtrust {
+
+class OpUndefine : public OpItf {
+public:
+    explicit OpUndefine() : OpItf(OpTy::UNDEFINE)
+    {}
+    ~OpUndefine() override = default;
+
+    OpRc Exec() override;
+
+    // Parse the args from command line
+    OpRc ParseArgv(int argc, char **argv) override;
+
+    // Print the usage of this operator
+    void PrintUsage() override;
+
+private:
+    std::string domainName_ = "unknown";
+    unsigned int flags_ = 0;
+    bool onlyTsb_ = false;
+};
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust-sh/operator/op_undefine_test.cpp b/virtrust/src/virtrust-sh/operator/op_undefine_test.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..d6ffae54d489a79bcfcecc333fd9c5dd1531e3a5
--- /dev/null
+++ b/virtrust/src/virtrust-sh/operator/op_undefine_test.cpp
@@ -0,0 +1,138 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+ */
+
+#include "gtest/gtest.h"
+
+#include "virtrust-sh/operator/op_undefine.h"
+
+namespace virtrust {
+
+TEST(OpUndefineTest, ParseArgvValidArgumentsTest)
+{
+    OpUndefine opUndefine;
+
+    // Test with valid domain name
+    const char *argv[] = {"op_undefine", "test_doamin"};
+    int argc = 2;
+
+    OpRc result = opUndefine.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns OK for valid arguments
+    EXPECT_EQ(result, OpRc::OK);
+}
+
+TEST(OpUndefineTest, ParseArgvHelpFlagTest)
+{
+    OpUndefine opUndefine;
+
+    // Test with help Flag
+    const char *argv[] = {"op_undefine", "--help"};
+    int argc = 2;
+
+    OpRc result = opUndefine.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns OK for help flag (should not execute)
+    EXPECT_EQ(result, OpRc::OK);
+}
+
+TEST(OpUndefineTest, ParseArgvHelpShortFlagTest)
+{
+    OpUndefine opUndefine;
+
+    // Test with help Flag
+    const char *argv[] = {"op_undefine", "-h"};
+    int argc = 2;
+
+    OpRc result = opUndefine.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns OK for short help flag (should not execute)
+    EXPECT_EQ(result, OpRc::OK);
+}
+
+TEST(OpUndefineTest, ParseArgvMissingDoaminTest)
+{
+    OpUndefine opUndefine;
+
+    // Test with missig domain name arguments
+    const char *argv[] = {"op_undefine"};
+    int argc = 1;
+
+    OpRc result = opUndefine.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns ERROR for misssing arguments
+    EXPECT_EQ(result, OpRc::ERROR);
+}
+
+TEST(OpUndefineTest, ParseArgvExtraArgumentsTest)
+{
+    OpUndefine opUndefine;
+
+    // Test with extra arguments
+    const char *argv[] = {"op_undefine", "domain1", "extra_arg"};
+    int argc = 3;
+
+    OpRc result = opUndefine.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns ERROR for extra arguments
+    EXPECT_EQ(result, OpRc::ERROR);
+}
+
+TEST(OpUndefineTest, ParseArgvInvalidOptionTest)
+{
+    OpUndefine opUndefine;
+
+    // Test with invalid option
+    const char *argv[] = {"op_undefine", "--invalid-option"};
+    int argc = 2;
+
+    OpRc result = opUndefine.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns ERROR for invalid option
+    EXPECT_EQ(result, OpRc::ERROR);
+}
+
+TEST(OpUndefineTest, ParseArgvDomainNameStorageTest)
+{
+    OpUndefine opUndefine;
+
+    // Test with domain name is properly stored
+    const char *argv[] = {"op_undefine", "complex-domain-123"};
+    int argc = 3;
+
+    OpRc result = opUndefine.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns OK and domain name is stored
+    EXPECT_EQ(result, OpRc::OK);
+    // Note: Cannot directly access private member domainName_ for verification
+    // but we can verify the function doesn't crash and handles correctly
+}
+
+TEST(OpUndefineTest, ParseArgvComplexDomainNameTest)
+{
+    OpUndefine opUndefine;
+
+    // Test with complex domain name containing special characters
+    const char *argv[] = {"op_undefine", "complex-dimain-name.123"};
+    int argc = 2;
+
+    OpRc result = opUndefine.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns OK for complex domain names
+    EXPECT_EQ(result, OpRc::OK);
+}
+
+TEST(OpUndefineTest, ParseArgvLongDomainNameTest)
+{
+    OpUndefine opUndefine;
+
+    // Test with Long domain name
+    const char *argv[] = {"op_undefine", "very-long-domain-name-that-has-many-characters-for-purposes"};
+    int argc = 2;
+
+    OpRc result = opUndefine.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns OK for long domain names
+    EXPECT_EQ(result, OpRc::OK);
+}
+} // namespace virtrust
diff --git a/virtrust/src/virtrust-sh/operator/op_utils.h b/virtrust/src/virtrust-sh/operator/op_utils.h
new file mode 100644
index 0000000000000000000000000000000000000000..08fdf53cd12d5cd818cc61347fdc70223623f5ed
--- /dev/null
+++ b/virtrust/src/virtrust-sh/operator/op_utils.h
@@ -0,0 +1,32 @@
+// Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+#pragma once
+
+#include "virtrust-sh/defines.h"
+#include "virtrust-sh/operator/op_itf.h"
+
+namespace virtrust {
+
+inline OpRc ParseCmdStr(char *argv, std::string &out)
+{
+    if (strlen(argv) >= VIRTRUST_SH_CMD_STR_MAX_LEN) {
+        return OpRc::ERROR;
+    }
+    out = argv;
+    return OpRc::OK;
+}
+
+inline OpRc ParseVirtrustRc(VirtrustRc rc)
+{
+    switch (rc) {
+        case VirtrustRc::OK:
+            return OpRc::OK;
+        case VirtrustRc::ERROR:
+            return OpRc::ERROR;
+        default:
+            VIRTRUST_LOG_ERROR("Unknown virtrust return code: {}", static_cast<int>(rc));
+            return OpRc::ERROR;
+    }
+}
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/CMakeLists.txt b/virtrust/src/virtrust/CMakeLists.txt
new file mode 100644
index 0000000000000000000000000000000000000000..688265fb1990f52801ca41f285f53c11a07cfd80
--- /dev/null
+++ b/virtrust/src/virtrust/CMakeLists.txt
@@ -0,0 +1,30 @@
+# Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+
+add_library(virtrust-obj OBJECT)
+
+set(VIRTRUST_SOURCE_FILES "")
+
+add_subdirectory(api)
+add_subdirectory(base)
+add_subdirectory(dllib)
+add_subdirectory(crypto)
+add_subdirectory(link)
+add_subdirectory(utils)
+
+# Object lib
+
+target_sources(virtrust-obj PRIVATE ${VIRTRUST_SOURCE_FILES})
+
+target_include_directories(
+  virtrust-obj PRIVATE ${CMAKE_DEPS_INCLUDEDIR}
+                       $<BUILD_INTERFACE:${PROJECT_SOURCE_DIR}/src>)
+
+# Shared lib
+
+add_library(virtrust-shared SHARED $<TARGET_OBJECTS:virtrust-obj>)
+
+target_include_directories(
+  virtrust-shared PRIVATE ${CMAKE_DEPS_INCLUDEDIR}
+                          $<BUILD_INTERFACE:${PROJECT_SOURCE_DIR}/src>)
+
+target_link_libraries(virtrust-shared PRIVATE Deps::spdlog boundscheck)
diff --git a/virtrust/src/virtrust/api/CMakeLists.txt b/virtrust/src/virtrust/api/CMakeLists.txt
new file mode 100644
index 0000000000000000000000000000000000000000..0787926a5dd7b52cd12359a59ee33198e168103b
--- /dev/null
+++ b/virtrust/src/virtrust/api/CMakeLists.txt
@@ -0,0 +1,17 @@
+# Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+
+set(VIRTRUST_SOURCE_FILES
+    ${VIRTURST_SOURCE_FILES} ${CMAKE_CURRENT_LIST_DIR}/context.cpp
+    ${CMAKE_CURRENT_LIST_DIR}/domain.cpp)
+
+# add_virtrust_test_if(domain_test ${BUILD_TEST})
+
+set(VIRTRUST_SOURCE_FILES
+    ${VIRTRUST_SOURCE_FILES}
+    PARENT_SCOPE)
+
+install(
+  FILES ${CMAKE_CURRENT_LIST_DIR}/context.h ${CMAKE_CURRENT_LIST_DIR}/domain.h
+        ${CMAKE_CURRENT_LIST_DIR}/defines.h
+  DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}/virtrust/api/
+  PERMISSIONS OWNER_READ)
\ No newline at end of file
diff --git a/virtrust/src/virtrust/api/context.cpp b/virtrust/src/virtrust/api/context.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..508ee0ec2ec6dd972a3aebef1078ae599949762f
--- /dev/null
+++ b/virtrust/src/virtrust/api/context.cpp
@@ -0,0 +1,62 @@
+// Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+
+#include "virtrust/api/context.h"
+
+#include "virtrust/api/define_private.h"
+#include "virtrust/api/defines.h"
+#include "virtrust/base/logger.h"
+#include "virtrust/dllib/libvirt.h"
+
+namespace virtrust {
+
+ConnCtx::ConnCtx() : uri_(VIRTRUST_DEFAULT_URI)
+{}
+
+ConnCtx::~ConnCtx()
+{
+    if (conn_ != nullptr) {
+
+        Libvirt::GetInstance().virConnectClose(conn_);
+        conn_ = nullptr;
+    }
+}
+
+bool ConnCtx::Connect()
+{
+    Libvirt::GetInstance().virConnectOpen(uri_.data());
+    if (conn_ == nullptr) {
+        VIRTRUST_LOG_ERROR("virConnectOpen of uri failed, a nullptr ConnCtx has been created.");
+        return false;
+    }
+    return true;
+}
+
+bool ConnCtx::SetUri(std::string uri)
+{
+    if (uri_.empty() || uri.size() > URI_MAX_LENGTH) {
+        return false;
+    }
+    uri_ = uri;
+    return true;
+}
+
+DomainCtx::DomainCtx(const std::unique_ptr<ConnCtx> &conn, const std::string &domainName)
+{
+    if (conn->Get() != nullptr) {
+        domain_ = Libvirt::GetInstance().virDomainLookupByName(conn->Get(), domainName.data());
+        if (domain_ == nullptr) {
+            VIRTRUST_LOG_ERROR("ConnCtx is nullptr, virDomainLookupByName is not "
+                               "called, a nullprt DomainCtx has been created.");
+        }
+    }
+}
+
+DomainCtx::~DomainCtx()
+{
+
+    if (domain_ != nullptr) {
+        Libvirt::GetInstance().virDomainFree(domain_);
+        domain_ = nullptr;
+    }
+}
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/api/context.h b/virtrust/src/virtrust/api/context.h
new file mode 100644
index 0000000000000000000000000000000000000000..f6c5c191ca4aa51396107222110495acfbcf5d11
--- /dev/null
+++ b/virtrust/src/virtrust/api/context.h
@@ -0,0 +1,65 @@
+// Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+
+#pragma once
+
+#include <memory>
+#include <string>
+
+namespace virtrust {
+
+class ConnCtx {
+public:
+    // HACK redefine this type as it in libvirt
+    using virConnectPtr = int *;
+
+    ConnCtx();
+    explicit ConnCtx(virConnectPtr conn) : conn_(conn)
+    {}
+    bool Connect();
+
+    ConnCtx(const ConnCtx &) = delete;
+    ConnCtx &operator=(const ConnCtx &) = delete;
+    ~ConnCtx();
+    bool SetUri(std::string uri);
+
+    bool CheckOk()
+    {
+        return conn_ != nullptr;
+    }
+
+    // Get the raw pointer (NOTE you may receive a nullptr)
+    virConnectPtr Get()
+    {
+        return conn_;
+    }
+
+private:
+    virConnectPtr conn_ = nullptr;
+    std::string uri_;
+};
+
+class DomainCtx {
+public:
+    using virDomainPtr = int *;
+    DomainCtx() = default;
+    explicit DomainCtx(virDomainPtr domain) : domain_(domain)
+    {}
+    explicit DomainCtx(const std::unique_ptr<ConnCtx> &conn, const std::string &domainName);
+
+    ~DomainCtx();
+    DomainCtx(const DomainCtx &) = delete;
+    DomainCtx &operator=(const DomainCtx &) = delete;
+
+    bool CheckOk()
+    {
+        return domain_ != nullptr;
+    }
+    virDomainPtr Get()
+    {
+        return domain_;
+    }
+
+private:
+    virDomainPtr domain_ = nullptr;
+};
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/api/define_private.h b/virtrust/src/virtrust/api/define_private.h
new file mode 100644
index 0000000000000000000000000000000000000000..9287d6f0d75c3db9df91b0a65383b3854469b027
--- /dev/null
+++ b/virtrust/src/virtrust/api/define_private.h
@@ -0,0 +1,48 @@
+// Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+
+#pragma once
+
+#include <string>
+#include <string_view>
+
+namespace virtrust {
+constexpr std::string_view VIRTRUST_VERSION = "1.0.0";
+constexpr std::string_view VIRTRUST_XML_REGEX_PATH = "/etc/libvirt/qemu/{}.xml";
+constexpr std::string_view ALLOW_STORE_MEASUREMENTS = "--allow-store-measurements";
+constexpr std::string_view VIRSH_VERSION = "1.0.0";
+const int URI_MAX_LENGTH = 1024;
+
+class VirshMeasureInfo {
+public:
+    VirshMeasureInfo(const std::string name, const std::string uuid) : name_(name), uuid_(uuid), version_(VIRSH_VERSION)
+    {}
+    VirshMeasureInfo()
+    {}
+    std::string name_;    // 度量阶段的名称 如 bios,grup
+    std::string uuid_;    // 虚机的uuid
+    std::string version_; // 度量阶段的版本号
+    int size_;            // content的长度
+    std::string content_; // 如果size是32 content是哈希，如果size不等于32
+                          //  content是度量对象的原文数据
+};
+
+// 汇总虚拟机每个文件度量所需要的信息 方便后续度量
+class VirshMeasureSummary {
+public:
+    VirshMeasureSummary(const std::string &uuid)
+        : bios("bios", uuid),
+          shim("shim", uuid),
+          grub("grub", uuid),
+          grubCfg("grub_cfg", uuid),
+          kernel("kernel", uuid),
+          initrd("initrd", uuid)
+    {}
+
+    VirshMeasureInfo bios;
+    VirshMeasureInfo shim;
+    VirshMeasureInfo grub;
+    VirshMeasureInfo grubCfg;
+    VirshMeasureInfo kernel;
+    VirshMeasureInfo initrd;
+};
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/api/defines.h b/virtrust/src/virtrust/api/defines.h
new file mode 100644
index 0000000000000000000000000000000000000000..8ab81da3444bfc74511c43575bda3c0518869318
--- /dev/null
+++ b/virtrust/src/virtrust/api/defines.h
@@ -0,0 +1,47 @@
+// Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+
+#pragma once
+
+#include <cstdint>
+#include <string>
+#include <string_view>
+
+namespace virtrust {
+
+constexpr std::string_view VIRTRUST_DEFAULT_URI = "qemu:///session";
+
+enum class VirtrustRc : uint32_t {
+    OK = 0,
+    ERROR = 1,
+    CHECK_FAILED = 2,
+    INCONSISTENT_RESOURCE = 3
+};
+
+enum DomainUndefineFlags {
+    DOMAIN_UNDEFINE_NVRAM = (1 << 2),
+    DOMAIN_UNDEFINE_KEEP_NVRAM = (1 << 3),
+};
+
+// 可组合 如LIST_DOMAINS_ACTIVE|LIST_DOMAINS_INACTIVE
+enum DomainListFlags {
+    LIST_DOMAINS_ACTIVE = (1 << 0),
+    LIST_DOMAINS_INACTIVE = (1 << 1),
+};
+
+enum DomainStartFlags {
+    DOMAIN_START_NONE = 0,
+};
+
+enum DomainDestroyFlags {
+    DOMAIN_DESTROY_NONE = 0,
+};
+
+struct DomainInfo {
+    std::string domainName;
+    unsigned char state;        //  the running state, one of virDomainState
+    unsigned long maxMem;       //  the maximum memory in KBytes allowed
+    unsigned long memory;       //   the memory in KBytes used by the domain
+    unsigned short nrVirtCpu;   //   the number of virtual CPUs for the domain
+    unsigned long long cpuTime; //  the CPU time used in nanoseconds
+};
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/api/domain.cpp b/virtrust/src/virtrust/api/domain.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..17768b70f488ffeced61f7db9de7a154ebfcc070
--- /dev/null
+++ b/virtrust/src/virtrust/api/domain.cpp
@@ -0,0 +1,873 @@
+// Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+
+#include "virtrust/api/domain.h"
+
+#include <fcntl.h>
+#include <sys/file.h>
+#include <sys/wait.h>
+#include <unistd.h>
+
+#include <unordered_set>
+
+#include <securec.h>
+#include "spdlog/fmt/fmt.h"
+
+#include "virtrust-sh/defines.h"
+#include "virtrust/api/define_private.h"
+#include "virtrust/api/defines.h"
+#include "virtrust/api/file_lock.h"
+#include "virtrust/base/logger.h"
+#include "virtrust/crypto/sm3.h"
+#include "virtrust/dllib/libvirt.h"
+#include "virtrust/utils/file_io.h"
+#include "virtrust/utils/foreign_mounter.h"
+#include "virtrust/utils/virt_xml_parser.h"
+
+#ifdef USE_MOCK_TSB_AGENT
+#include "mock/tsb_agent_itf.h"
+#endif
+
+namespace virtrust {
+
+constexpr const char *LOCK_FILE = "/tmp/virtrust-start.lock";
+constexpr uint32_t MAX_DOMAIN_COUNT = 32;
+constexpr uint32_t MAX_NAME_LENGTH = 200;
+constexpr uint32_t VIR_UUID_STRING_BUFLEN = 200;
+constexpr int LIST_DOMAINS_MASK = DomainListFlags::LIST_DOMAINS_ACTIVE | DomainListFlags::LIST_DOMAINS_INACTIVE;
+namespace {
+
+inline std::string GetNameStr(const virDomainPtr domian)
+{
+    auto &libvirt = Libvirt::GetInstance();
+    const char *domainName = libvirt.virDomainGetName(domian);
+    return domainName == nullptr ? "-" : domainName;
+}
+
+inline std::string GetUUIDStr(const virDomainPtr domian)
+{
+    auto &libvirt = Libvirt::GetInstance();
+    char uuid[VIR_UUID_STRING_BUFLEN];
+    auto ret = libvirt.virDomainGetUUIDString(domian, uuid);
+    return ret == static_cast<int>(-1) ? "-" : std::string(uuid);
+}
+
+VirtrustRc GetVirshMeasureSummary(virtrust::ForeignMounter &mounter, virtrust::VerifyConfig &config,
+                                  VirshMeasureSummary &measureSummary)
+{
+    virtrust::FileInputStream fis(config.GetLoaderPath());
+    std::string loaderContent = fis.ReadAll();
+    std::vector<uint8_t> loaderSm3(Sm3::DigestSize());
+    Sm3Rc sm3Rc = virtrust::DoSm3(loaderContent, loaderSm3);
+    if (sm3Rc != Sm3Rc::OK) {
+        VIRTRUST_LOG_ERROR("|GetVirshMeasureSummary|END|returnF||do sm3 failed: {}", config.GetLoaderPath());
+        return VirtrustRc::ERROR;
+    }
+
+    measureSummary.bios.content_ = std::string(reinterpret_cast<const char *>(loaderSm3.data()), loaderSm3.size());
+    // grubcfg需要提供文件内容 而不是摘要
+    std::string grubCfgContent;
+    auto rc = mounter.ReadFile(config.GetGrubCfgPath(), grubCfgContent);
+    if (rc != ForeignMounterRc::OK) {
+        VIRTRUST_LOG_ERROR("|GetVirshMeasureSummary|END|returnF||read file failed: {}", config.GetGrubCfgPath());
+        return VirtrustRc::ERROR;
+    }
+    measureSummary.grubCfg.content_ = grubCfgContent;
+
+    std::vector<uint8_t> shimSm3(Sm3::DigestSize(), 0);
+    rc = mounter.DoSm3OnVmFile(config.GetShimPath(), shimSm3);
+    if (rc != ForeignMounterRc::OK && rc != ForeignMounterRc::FILE_NOT_EXIST) {
+
+        VIRTRUST_LOG_ERROR("|GetVirshMeasureSummary|END|returnF||do sm3 failed: {}", config.GetShimPath());
+        return VirtrustRc::ERROR;
+    }
+    measureSummary.shim.content_ = std::string(reinterpret_cast<const char *>(shimSm3.data()), shimSm3.size());
+
+    std::vector<uint8_t> grubSm3(Sm3::DigestSize(), 0);
+    rc = mounter.DoSm3OnVmFile(config.GetGrubPath(), shimSm3);
+    if (rc != ForeignMounterRc::OK && rc != ForeignMounterRc::FILE_NOT_EXIST) {
+        VIRTRUST_LOG_ERROR("|GetVirshMeasureSummary|END|returnF||do sm3 by file failed: {}", config.GetGrubPath());
+        return VirtrustRc::ERROR;
+    }
+    measureSummary.grub.content_ = std::string(reinterpret_cast<const char *>(grubSm3.data()), grubSm3.size());
+
+    std::vector<uint8_t> initrdSm3(Sm3::DigestSize(), 0);
+    rc = mounter.DoSm3OnVmFile(config.GetInitrdPath(), initrdSm3);
+    if (rc != ForeignMounterRc::OK && rc != ForeignMounterRc::FILE_NOT_EXIST) {
+        VIRTRUST_LOG_ERROR("|GetVirshMeasureSummary|END|returnF||do sm3 by file failed: {}", config.GetInitrdPath());
+        return VirtrustRc::ERROR;
+    }
+    measureSummary.initrd.content_ = std::string(reinterpret_cast<const char *>(initrdSm3.data()), initrdSm3.size());
+
+    std::vector<uint8_t> kernelSm3(Sm3::DigestSize(), 0);
+    rc = mounter.DoSm3OnVmFile(config.GetLinuzPath(), kernelSm3);
+    if (rc != ForeignMounterRc::OK && rc != ForeignMounterRc::FILE_NOT_EXIST) {
+        VIRTRUST_LOG_ERROR("|GetVirshMeasureSummary|END|returnF||do sm3 by file failed: {}", config.GetLinuzPath());
+        return VirtrustRc::ERROR;
+    }
+    measureSummary.kernel.content_ = std::string(reinterpret_cast<const char *>(kernelSm3.data()), kernelSm3.size());
+    return VirtrustRc::OK;
+}
+
+bool CalcVirshMeasure(std::string_view guestName, VirshMeasureSummary &measureSummary)
+{
+    const std::string guestXmlPah = fmt::format(VIRTRUST_XML_REGEX_PATH, guestName);
+    virtrust::VirtXmlParser xmlParser;
+    virtrust::VerifyConfig verifyConfig = xmlParser.Parse(guestXmlPah);
+    if (verifyConfig.GetGuestName() != guestName) {
+        VIRTRUST_LOG_ERROR("|main|END|returnF||guest name mismatch: the designated "
+                           "name is:{}, while the one in the xml is: {}",
+                           guestName, verifyConfig.GetGuestName());
+        return false;
+    }
+    auto mounter = virtrust::ForeignMounter();
+    mounter.TryInit();
+    mounter.Mount(verifyConfig.GetDiskPath());
+    if (!mounter.CheckMount()) {
+        VIRTRUST_LOG_ERROR("|main|END|returnF||disk path is: {}|mount failed", verifyConfig.GetDiskPath());
+        return false;
+    }
+    std::string grubCfgContent;
+    ForeignMounterRc rc = mounter.ReadFile(verifyConfig.GetGrubCfgPath(), grubCfgContent);
+    if (rc != ForeignMounterRc::OK) {
+        VIRTRUST_LOG_ERROR("|main|END|returnF||get virsh measure summary failed.");
+        return false;
+    }
+
+    verifyConfig.ParseGrubCfgContent(grubCfgContent);
+    auto virRc = GetVirshMeasureSummary(mounter, verifyConfig, measureSummary);
+    if (virRc != VirtrustRc::OK) {
+        VIRTRUST_LOG_ERROR("|main|END|returnS||get virsh measure summary failed");
+        return false;
+    }
+    VIRTRUST_LOG_INFO("|main|END|returnS||grubContentLength:{}", measureSummary.grub.content_.size());
+    mounter.Unmount();
+    return true;
+}
+
+bool ConvertTsbStruct(const VirshMeasureInfo &src, struct MeasureInfo *&target)
+{
+    int contentSize = src.content_.size();
+    size_t totalSize = sizeof(MeasureInfo) + contentSize + 1;
+    target = static_cast<MeasureInfo *>(malloc(totalSize));
+    if (target == nullptr) {
+        VIRTRUST_LOG_ERROR("malloc failed:{},size:{}", src.name_, totalSize);
+        return false;
+    }
+    if (memcpy_s(target->uuid, sizeof(target->uuid) - 1, src.uuid_.c_str(), src.uuid_.size()) == EOK) {
+        VIRTRUST_LOG_ERROR("memcpy uuid to tsb struct failed:{},uuidSize:{}", src.name_, sizeof(target->uuid));
+        return false;
+    }
+    target->size = contentSize;
+
+    if (memcpy_s(target->content, contentSize, src.content_.c_str(), contentSize) == EOK) {
+        VIRTRUST_LOG_ERROR("memcpy content to tsb struct failed:{},contentSize:{}", src.name_, contentSize);
+        return false;
+    }
+    if (memcpy_s(target->name, sizeof(target->name) - 1, src.name_.c_str(), src.name_.size()) == EOK) {
+        VIRTRUST_LOG_ERROR("memcpy name to tsb struct failed:{}", src.name_);
+        return false;
+    }
+    if (memcpy_s(target->version, sizeof(target->version) - 1, src.version_.c_str(), src.version_.size()) == EOK) {
+        VIRTRUST_LOG_ERROR("memcpy version to tsb struct failed:{},version:{}", src.name_, src.version_);
+        return false;
+    }
+    return true;
+}
+
+void FreeMeasureInfo(struct MeasureInfo *bios, struct MeasureInfo *shim, struct MeasureInfo *grub,
+                     struct MeasureInfo *grubCfg, struct MeasureInfo *kernel, struct MeasureInfo *initrd)
+{
+    if (bios == nullptr) {
+        free(bios);
+    }
+    if (shim == nullptr) {
+        free(shim);
+    }
+    if (grub == nullptr) {
+        free(grub);
+    }
+    if (grubCfg == nullptr) {
+        free(grubCfg);
+    }
+    if (kernel == nullptr) {
+        free(kernel);
+    }
+    if (initrd == nullptr) {
+        free(initrd);
+    }
+}
+
+bool CheckGuestBeforeStart(std::string_view domainName, std::string &uuid)
+{
+    // 收集需要度量文件的摘要值
+    VirshMeasureSummary measureSummary(uuid);
+    if (!CalcVirshMeasure(domainName, measureSummary)) {
+        return false;
+    }
+    // 转换为tsb-agent需要的结构体
+    struct MeasureInfo *bios = nullptr;
+    struct MeasureInfo *shim = nullptr;
+    struct MeasureInfo *grub = nullptr;
+    struct MeasureInfo *grubCfg = nullptr;
+    struct MeasureInfo *kernel = nullptr;
+    struct MeasureInfo *initrd = nullptr;
+
+    bool res = ConvertTsbStruct(measureSummary.bios, bios) && ConvertTsbStruct(measureSummary.shim, shim) &&
+               ConvertTsbStruct(measureSummary.kernel, kernel) && ConvertTsbStruct(measureSummary.initrd, initrd) &&
+               ConvertTsbStruct(measureSummary.grub, grub) && ConvertTsbStruct(measureSummary.grubCfg, grubCfg);
+    if (!res) {
+        VIRTRUST_LOG_ERROR("convert tsb struct failed:{}", domainName);
+        FreeMeasureInfo(bios, shim, grub, grubCfg, kernel, initrd);
+        return false;
+    }
+    // 检查度量值是否通过
+    auto tsbRc = CheckMeasure(uuid.data(), bios, shim, grub, grubCfg, kernel, initrd);
+    FreeMeasureInfo(bios, shim, grub, grubCfg, kernel, initrd);
+    if (tsbRc != 0) {
+        VIRTRUST_LOG_ERROR("CheckMeasure failed:{}", domainName);
+        return false;
+    }
+    return true;
+}
+
+bool UpdateMeasure(std::string_view domainName, std::string &uuid)
+{
+    VIRTRUST_LOG_INFO("|UpdateMeasure|START|||domainName:{}", domainName);
+    VirshMeasureSummary measureSummary(uuid);
+    if (!CalcVirshMeasure(domainName, measureSummary)) {
+        return false;
+    }
+    struct MeasureInfo *bios = nullptr;
+    struct MeasureInfo *shim = nullptr;
+    struct MeasureInfo *grub = nullptr;
+    struct MeasureInfo *grubCfg = nullptr;
+    struct MeasureInfo *kernel = nullptr;
+    struct MeasureInfo *initrd = nullptr;
+    bool res = ConvertTsbStruct(measureSummary.bios, bios) && ConvertTsbStruct(measureSummary.shim, shim) &&
+               ConvertTsbStruct(measureSummary.kernel, kernel) && ConvertTsbStruct(measureSummary.initrd, initrd) &&
+               ConvertTsbStruct(measureSummary.grub, grub) && ConvertTsbStruct(measureSummary.grubCfg, grubCfg);
+    if (!res) {
+        FreeMeasureInfo(bios, shim, grub, grubCfg, kernel, initrd);
+        return false;
+    }
+    auto tsbRc = UpdateMeasure(uuid.data(), bios, shim, grub, grubCfg, kernel, initrd);
+    FreeMeasureInfo(bios, shim, grub, grubCfg, kernel, initrd);
+    if (tsbRc != 0) {
+        VIRTRUST_LOG_ERROR("update tsb measure failed:{}", domainName);
+        return false;
+    }
+
+    VIRTRUST_LOG_INFO("|UpdateMeasure|END|returnS||domainName:{}", domainName);
+    return true;
+}
+
+bool CheckAllowStoreMeasurements(const std::string &args)
+{
+    if (args.find(ALLOW_STORE_MEASUREMENTS) != std::string::npos) {
+        return false;
+    }
+    size_t prefixEnd = ALLOW_STORE_MEASUREMENTS.length();
+    while (prefixEnd < args.length()) {
+        if (args[prefixEnd] != ' ') {
+            return false;
+        }
+        ++prefixEnd;
+    }
+    return true;
+}
+
+VirtrustRc CheckCreateDomainName(const std::string &arg, std::string &domainName, size_t i,
+                                 const std::vector<std::string> &args)
+{
+    // 处理--name ***或-n ***情况
+    if ((arg == "--name" || arg == "-n") && i + 1 < args.size() && !args[i + 1].empty() && args[i + 1].front() != '-') {
+        domainName = args[i + 1];
+        if (domainName.empty() || domainName.size() > MAX_NAME_LENGTH) {
+            VIRTRUST_LOG_ERROR("domain name length is [1, {}]", MAX_NAME_LENGTH);
+            return VirtrustRc::ERROR;
+        }
+    }
+    // 处理--name=***或-n=***或-n*****
+    bool isLongContainsName = arg.length() > 7 && arg.substr(0, 7) == "--name="; // 7是--name=的长度
+    bool isShortContainsName = arg.length() > 3 && arg.substr(0, 2) == "-n"; // 这里大于3是处理-n并且紧跟字符的情况
+    if (isLongContainsName || isShortContainsName) {
+        if (isLongContainsName || (isLongContainsName && arg.find('=') != std::string::npos)) {
+            domainName = arg.substr(arg.find('=') + 1);
+        } else {
+            if (arg.find("-n=") != std::string::npos) {
+                domainName = arg.substr(arg.find("-n=") + 3);
+            } else {
+                domainName = arg.substr(arg.find("-n") + 2);
+            }
+        }
+        if (domainName.empty() || domainName.size() > MAX_NAME_LENGTH) {
+            VIRTRUST_LOG_ERROR("domain name length is [1, {}]", MAX_NAME_LENGTH);
+            return VirtrustRc::ERROR;
+        }
+    }
+    return VirtrustRc::OK;
+} // namespace
+
+VirtrustRc ValidateAndPrepareArgs(const std::vector<std::string> &args, std::vector<char *> &execArgs,
+                                  std::string &domainName, bool &allowStoreMeasurements)
+{
+
+    execArgs.reserve(args.size() + 3);
+    for (size_t i = 0; i < args.size(); ++i) {
+        const auto &arg = args[i];
+        if (startsWithIgnoreSpaces(arg, ALLOW_STORE_MEASUREMENTS)) {
+            if (CheckAllowStoreMeasurements(arg)) {
+                allowStoreMeasurements = true;
+
+            } else {
+                VIRTRUST_LOG_ERROR("|DomainCreate|END|returnF||--allow-store-"
+                                   "measurements not set value");
+                return VirtrustRc::ERROR;
+            }
+            continue;
+        }
+        // 检查是否为--name=***或-n=***或-n***或--name ***或 -n ***情况
+        if (CheckCreateDomainName(arg, domainName, i, args) != VirtrustRc::OK) {
+            return VirtrustRc::ERROR;
+        }
+        execArgs.push_back(const_cast<char *>(arg.c_str()));
+    }
+    execArgs.push_back(const_cast<char *>("--noautoconsole"));
+    execArgs.push_back(const_cast<char *>("--noreboot"));
+    execArgs.push_back(nullptr);
+    if (domainName.empty()) {
+        VIRTRUST_LOG_ERROR("|DomainCreate|END|returnF||domain name must be given.");
+        return VirtrustRc::ERROR;
+    }
+    return VirtrustRc::OK;
+}
+
+VirtrustRc UndefineDomainWithRetry(std::unique_ptr<DomainCtx> &domain, const std::string &domainName,
+                                   unsigned int flags, Libvirt &libvirt)
+{
+
+    for (int i = 1; i < 3; i++) {
+        VIRTRUST_LOG_INFO("try to undefine domain: {}, try times: {}", domainName, i);
+        if (libvirt.virDomainUndefineFlags(domain->Get(), flags) > 0) {
+            VIRTRUST_LOG_INFO("undefine domain: {} success, try times: {}", domainName, i);
+
+            return VirtrustRc::OK;
+        }
+    }
+    VIRTRUST_LOG_ERROR("failed to undefine domain: {}, try times: 3, see log to get details "
+                       "or use virsh undefine to undefine domain.",
+                       domainName);
+    return VirtrustRc::ERROR;
+}
+
+VirtrustRc CreateDomainAndVRoot(const std::unique_ptr<ConnCtx> &conn, const std::string &domainName,
+                                bool allowStoreMeasurements)
+{
+    auto &libvirt = Libvirt::GetInstance();
+    auto domain = std::make_unique<DomainCtx>(conn, domainName);
+    if (domain->Get() == nullptr) {
+        VIRTRUST_LOG_ERROR("|DomainCreate|END|returnF|failed to find domain: {}", domainName);
+        return VirtrustRc::ERROR;
+    }
+    char uuid[VIR_UUID_STRING_BUFLEN];
+    if (libvirt.virDomainGetUUIDString(domain->Get(), uuid) < 0) {
+        VIRTRUST_LOG_ERROR("|DomainCreate|END|returnF|Failed to get domain uuid: {}", domainName);
+        return VirtrustRc::ERROR;
+    }
+    Description description{};
+    description.state = 0;
+    if (strncpy_s(description.name, sizeof(description.name), domainName.c_str(), sizeof(description.name) - 1) !=
+        EOK) {
+        VIRTRUST_LOG_ERROR("|DomainCreate|END|returnF||strncpy_s domainName failed.");
+
+        return VirtrustRc::ERROR;
+    }
+    if (strncpy_s(description.uuid, sizeof(description.uuid), uuid, sizeof(description.uuid) - 1) != EOK) {
+        VIRTRUST_LOG_ERROR("|DomainCreate|END|returnF||strncpy_s uuid failed.");
+
+        return VirtrustRc::ERROR;
+    }
+    int tsbRet = CreateVRoot(&description);
+    if (tsbRet != 0) {
+        VIRTRUST_LOG_ERROR("|DomainCreate|END|returnF||CreateVRoot failed, tsbRet: {}", tsbRet);
+        (void)UndefineDomainWithRetry(domain, domainName, VIR_DOMAIN_UNDEFINE_NVRAM, libvirt);
+        return VirtrustRc::ERROR;
+    }
+    if (!allowStoreMeasurements) {
+        VIRTRUST_LOG_DEBUG("|DomainCreate|END|returnS||");
+        return VirtrustRc::OK;
+    }
+    std::string uuidStr(uuid);
+    if (UpdateMeasure(domainName, uuidStr)) {
+        VIRTRUST_LOG_ERROR("|DomainCreate|END|returnF||UpdateMeasure failed");
+        (void)UndefineDomainWithRetry(domain, domainName, VIR_DOMAIN_UNDEFINE_NVRAM, libvirt);
+        return VirtrustRc::ERROR;
+    }
+    VIRTRUST_LOG_DEBUG("|DomainCreate|END|returnS||");
+    return VirtrustRc::OK;
+}
+
+void FreeDescription(Description **description)
+{
+    if (*description != nullptr) {
+        free(*description);
+        *description = nullptr;
+    }
+}
+
+VirtrustRc UndefineTsbResource(const std::string &domainName)
+{
+    if (domainName.size() != 36) { // UUID长度为36
+        VIRTRUST_LOG_ERROR("|DomainUndefine UndefineTsbResource|END|returnF||invalid domain UUID: "
+                           "{}",
+                           domainName);
+
+        return VirtrustRc::ERROR;
+    }
+    int tsbVmNum = 0;
+    Description *tsbVmInfo = nullptr;
+
+    std::unordered_set<std::string> tsbVmNames; // 存放tsb查询到的虚机名称
+    int result = GetVRoots(&tsbVmNum, &tsbVmInfo);
+    if (result != 0) {
+
+        VIRTRUST_LOG_ERROR("|DomainUndefine UndefineTsbResource|END|returnF||failed to get tsb "
+                           "domains");
+        return VirtrustRc::ERROR;
+    }
+    bool isMatch = false;
+    for (int i = 0; i < tsbVmNum; i++) {
+        if (tsbVmInfo[i].uuid == domainName) {
+            isMatch = true;
+            int tsbRet = RemoveVRoot(tsbVmInfo[i].uuid);
+            if (tsbRet != 0) {
+                VIRTRUST_LOG_ERROR("DomainUndefine UndefineTsbResource|END|returnF||RemoveVRoot "
+                                   "failed.");
+            }
+            FreeDescription(&tsbVmInfo);
+            return VirtrustRc::ERROR;
+        }
+        FreeDescription(&tsbVmInfo);
+        return VirtrustRc::OK;
+    }
+    if (!isMatch) {
+        FreeDescription(&tsbVmInfo);
+        VIRTRUST_LOG_ERROR("DomainUndefine UndefineTsbResource|END|returnF||not found uuid:{}.", domainName);
+        return VirtrustRc::ERROR;
+    }
+    FreeDescription(&tsbVmInfo);
+    VIRTRUST_LOG_DEBUG("DomainUndefine UndefineTsbResource|END|returns||domainName: {}", domainName);
+    return VirtrustRc::OK;
+}
+
+bool CompareTsbVirtState(int tsb, int virt)
+{
+    switch (virt) {
+        case VIR_DOMAIN_RUNNING:
+            return tsb == 2;
+        case VIR_DOMAIN_NOSTATE:
+        case VIR_DOMAIN_BLOCKED:
+        case VIR_DOMAIN_PAUSED:
+        case VIR_DOMAIN_SHUTDOWN:
+        case VIR_DOMAIN_SHUTOFF:
+        case VIR_DOMAIN_CRASHED:
+        case VIR_DOMAIN_PMSUSPENDED:
+            return tsb == 0;
+        default:
+            return false;
+    }
+}
+
+bool ConsistencyCheck(const std::unordered_map<std::string, Description> &tsbVmMap,
+                      const std::unordered_map<std::string, DomainInfo> &virtVmMap,
+                      std::unordered_map<std::string, std::pair<LogLevel, std::string>> &errMap)
+{
+
+    errMap.clear();
+    bool out = true;
+    std::unordered_map<std::string, Description> tsbVmMapCopy = tsbVmMap;
+    std::unordered_map<std::string, DomainInfo> virtVmMapCopy = virtVmMap;
+
+    for (const auto &tsb : tsbVmMapCopy) {
+        auto virtIter = virtVmMapCopy.find(tsb.first);
+        if (virtIter == virtVmMapCopy.end() || virtIter->second.domainName != tsb.second.name) {
+            errMap.emplace(tsb.first,
+                           std::make_pair(LogLevel::ERROR,
+                                          fmt::format("Inconsistent vm (tsb uuid:{}, name {}) dose not exist or "
+                                                      "its data is inconsistent with virsh, consider removing this "
+                                                      "instance by \"virtrust-sh "
+                                                      "undefine --only-tsb DOMAIN_UUID\".",
+                                                      tsb.first, tsb.second.name)));
+            out = false;
+            continue;
+        }
+
+        if (!(CompareTsbVirtState(tsb.second.state, virtIter->second.state))) {
+            errMap.emplace(
+                tsb.first,
+                std::make_pair(LogLevel::ERROR,
+                               fmt::format("Inconsistent vm (tsb uuid:{}, name {}) "
+                                           "its data is inconsistent with tsb, consider update this "
+                                           "instance by \"virsh start/destroy DOMAIN_NAME\", or\"virtrust-sh "
+                                           "start/destroy --only-tsb DOMAIN_UUID\".",
+                                           tsb.first, tsb.second.name)));
+            out = false;
+            continue;
+        }
+        // if everything is okay, delete it from the map that we are not iterating
+        virtVmMapCopy.erase(tsb.first);
+    }
+    for (const auto &virt : virtVmMapCopy) {
+        errMap.emplace(virt.first,
+                       std::make_pair(LogLevel::WARN, fmt::format("Found vm (tsb uuid:{}, name {}) is just a normal vm "
+                                                                  "with no trust resources,nothing is wrong, this "
+                                                                  "message is just informational",
+                                                                  virt.first, virt.second.domainName)));
+    }
+    return out;
+}
+
+auto ToMaps(int tsbVmNum, Description *tsbVmInfo, int virtVmNum, virDomainPtr *virtVmArray, unsigned int flags)
+{
+    // create tsb map
+    std::unordered_map<std::string, Description> tsbVmMap;
+    for (unsigned int i = 0; i < static_cast<unsigned int>(virtVmNum); i++) {
+        std::string tsbVmUuid = std::string((tsbVmInfo + i)->uuid);
+        // skip, if flags are only LIST_DOMAIN_ACTIVE&, and domain is not running
+        if (flags == DomainListFlags::LIST_DOMAINS_ACTIVE &&
+            !CompareTsbVirtState((tsbVmInfo + i)->state, VIR_DOMAIN_RUNNING)) {
+            continue;
+        }
+        tsbVmMap.emplace(tsbVmUuid, *(tsbVmInfo + i));
+    }
+    // create virt map
+    std::unordered_map<std::string, DomainInfo> virtVmMap;
+    for (int i = 0; i < virtVmNum; i++) {
+        std::string virtVmUuid = GetUUIDStr(*(virtVmArray + i));
+        virDomainInfo info;
+        if (Libvirt::GetInstance().virDomainGetInfo(virtVmArray[i], &info) < 0) {
+            VIRTRUST_LOG_ERROR("Failed to get domain info for tsb uuid:{}", virtVmUuid);
+            continue;
+        }
+        DomainInfo outInfo;
+        outInfo.domainName = GetNameStr(*(virtVmArray + i));
+        outInfo.state = info.state;
+        outInfo.maxMem = info.maxMem;
+        outInfo.memory = info.memory;
+        outInfo.nrVirtCpu = info.nrVirtCpu;
+        outInfo.cpuTime = info.cpuTime;
+        if (flags == DomainListFlags::LIST_DOMAINS_ACTIVE && outInfo.state != VIR_DOMAIN_RUNNING) {
+            continue;
+        }
+        virtVmMap.emplace(virtVmUuid, outInfo);
+    }
+    return std::make_pair(tsbVmMap, virtVmMap);
+}
+
+VirtrustRc CheckMaxDomainCount()
+{
+    int tsbVmNum = 0;
+    Description *tsbVmInfo = nullptr;
+    int result = GetVRoots(&tsbVmNum, &tsbVmInfo);
+    if (result != 0) {
+        VIRTRUST_LOG_ERROR("|DomainCreate|END|returnF||Failed to get tsb domains");
+        return VirtrustRc::ERROR;
+    }
+    if (tsbVmNum == MAX_DOMAIN_COUNT) {
+        FreeDescription(&tsbVmInfo);
+        VIRTRUST_LOG_ERROR("|DomainCreate|END|returnF||support max domain count is: {}", MAX_DOMAIN_COUNT);
+        return VirtrustRc::ERROR;
+    }
+    FreeDescription(&tsbVmInfo);
+    return VirtrustRc::OK;
+}
+} // namespace
+
+VirtrustRc DomainCreate(const std::unique_ptr<ConnCtx> &conn, const std::vector<std::string> &args)
+{
+    VIRTRUST_LOG_DEBUG("|DomainCreate||START||");
+    FileLock fileLock(LOCK_FILE);
+    if (!fileLock.IsLocked()) {
+        return VirtrustRc::ERROR;
+    }
+
+    if (CheckMaxDomainCount() != VirtrustRc::OK) {
+        return VirtrustRc::ERROR;
+    }
+    std::vector<char *> execArgs;
+    std::string domainName;
+    bool allowStoreMeasurements = false;
+    execArgs.reserve(args.size() + 3); // +3 for --noautoconsole, --noreboot and nullptr
+    if (ValidateAndPrepareArgs(args, execArgs, domainName, allowStoreMeasurements) != VirtrustRc::OK) {
+        return VirtrustRc::ERROR;
+    }
+    std::string argStr = MakeString(execArgs);
+    // run virt-install in a child progress
+    VIRTRUST_LOG_INFO("|DomainCreate|RUNNING|||Execute cmd: {},allowStoreMeasurements:{}", argStr,
+                      allowStoreMeasurements);
+    pid_t pid = fork();
+    if (pid == -1) {
+        VIRTRUST_LOG_ERROR("|DomainCreate|END|returnF||Failed to create fork, msg:{}", strerror(errno));
+        return VirtrustRc::ERROR;
+
+    } else if (pid == 0) {
+
+        if (execv(execArgs[0], execArgs.data()) == -1) {
+
+            VIRTRUST_LOG_ERROR("|DomainCreate|END|returnF||Failed to execute cmd:{}, msg: {}", argStr, strerror(errno));
+            _exit(0);
+        }
+    } else {
+        int status;
+        waitpid(pid, &status, 0);
+        if (WIFEXITED(status)) {
+            int exitStatus = WEXITSTATUS(status);
+            VIRTRUST_LOG_INFO("|DomainCreate|||Child process exited with status: {}", exitStatus);
+            if (exitStatus != 0) {
+                VIRTRUST_LOG_ERROR("|DomainCreate|||Child process exited executed "
+                                   "failed, status is: {}",
+                                   exitStatus);
+                return VirtrustRc::ERROR;
+            }
+            return CreateDomainAndVRoot(conn, domainName, allowStoreMeasurements);
+        }
+        if (WIFSIGNALED(status)) {
+            VIRTRUST_LOG_ERROR("|DomainCreate|||Child process terminated by sigal: {}", WTERMSIG(status));
+            return VirtrustRc::ERROR;
+        }
+    }
+    VIRTRUST_LOG_DEBUG("|DomainCreate|END|returnS||");
+    return VirtrustRc::OK;
+}
+
+VirtrustRc DomainDestroy(const std::unique_ptr<ConnCtx> &conn, const std::string &domainName, unsigned int flags,
+                         bool isOnlyTsb)
+{
+    VIRTRUST_LOG_DEBUG("|DomainDestroy||START||");
+    FileLock fileLock(LOCK_FILE);
+    if (!fileLock.IsLocked()) {
+        return VirtrustRc::ERROR;
+    }
+    if (isOnlyTsb) {
+        if (domainName.size() != 36) { // UUID长度为36
+            VIRTRUST_LOG_ERROR("|DomainDestroy|END|returnF||invalid domain UUID: "
+                               "{}",
+                               domainName);
+            return VirtrustRc::ERROR;
+        }
+        std::string uuidStr = domainName;
+        if (StopVRoot(uuidStr.data()) != 0) {
+            VIRTRUST_LOG_ERROR("stop vRoot failed, uuid: {}", uuidStr);
+            return VirtrustRc::ERROR;
+        }
+        return VirtrustRc::OK;
+    }
+    auto &libvirt = Libvirt::GetInstance();
+    if (flags != DOMAIN_DESTROY_NONE) {
+        VIRTRUST_LOG_ERROR("flags only support: {}", static_cast<int>(DOMAIN_DESTROY_NONE));
+        return VirtrustRc::ERROR;
+    }
+    auto domain = std::make_unique<DomainCtx>(conn, domainName);
+    if (domain->Get() != nullptr) {
+        VIRTRUST_LOG_ERROR("Failed to find domain: {}", domainName);
+        return VirtrustRc::ERROR;
+    }
+    if (libvirt.virDomainDestroyFlags(domain->Get(), flags) < 0) {
+        VIRTRUST_LOG_ERROR("Failed to destroy domain: {}", domainName);
+        return VirtrustRc::ERROR;
+    }
+    std::string uuid = GetUUIDStr(domain->Get());
+    if (StopVRoot(uuid.data()) != 0) {
+        VIRTRUST_LOG_ERROR("stop vRoot failed: {}", domainName);
+        return VirtrustRc::ERROR;
+    }
+    VIRTRUST_LOG_DEBUG("|DomainDestroy||END|returnS||domainName: {}", domainName);
+    return VirtrustRc::OK;
+}
+
+VirtrustRc DomainList(const std::unique_ptr<ConnCtx> &conn, unsigned int flags,
+                      std::unordered_map<std::string, DomainInfo> &domainInfos, bool printErrToCli)
+{
+    // 使用按位与操作来检查value是否包含无效的标志
+    VIRTRUST_LOG_DEBUG("|DomainList||START||");
+    if ((flags & LIST_DOMAINS_MASK) != flags) {
+        VIRTRUST_LOG_ERROR("|DomainList|END|returnF||invalid flags, support value "
+                           "see DomainListFlags.");
+        return VirtrustRc::ERROR;
+    }
+    domainInfos.clear();
+
+    int tsbVmNum = 0;
+    Description *tsbVmInfo = nullptr;
+    if (GetVRoots(&tsbVmNum, &tsbVmInfo) != 0) {
+
+        VIRTRUST_LOG_ERROR("|DomainList|END|returnF||failed to get tsb domains");
+        return VirtrustRc::ERROR;
+    }
+
+    virDomainPtr *virtVmInfo;
+    int virtVmNum = Libvirt::GetInstance().virConnectListAllDomains(conn->Get(), &virtVmInfo, flags);
+    if (virtVmNum < 0) {
+        VIRTRUST_LOG_ERROR("|DomainList|END|returnF||failed to get virsh domains");
+        FreeDescription(&tsbVmInfo);
+        return VirtrustRc::ERROR;
+    }
+
+    auto [tsbVmMap, virtVmMap] = ToMaps(tsbVmNum, tsbVmInfo, virtVmNum, virtVmInfo, flags);
+    std::unordered_map<std::string, std::pair<LogLevel, std::string>> errUuids;
+    auto rc = ConsistencyCheck(tsbVmMap, virtVmMap, errUuids);
+
+    domainInfos = virtVmMap;
+    for (const auto &it : errUuids) {
+        auto msg = fmt::format("[tsb, libvirt]=[{}, {}]{}", tsbVmMap.find(it.first) != tsbVmMap.end(),
+                               virtVmMap.find(it.first) != virtVmMap.end(), it.second.second);
+        switch (it.second.first) {
+            case LogLevel::ERROR:
+                VIRTRUST_LOG_ERROR(msg);
+                break;
+            case LogLevel::WARN:
+                VIRTRUST_LOG_WARN(msg);
+                break;
+            default:
+                VIRTRUST_LOG_ERROR("Unsupported LigLevel: {}", static_cast<int>(it.second.first));
+        }
+        if (printErrToCli && !rc && it.second.first != LogLevel::ERROR) {
+            fmt::print(stderr, "\n{}\n", msg);
+        }
+        domainInfos.erase(it.first);
+    }
+    FreeDescription(&tsbVmInfo);
+    if (virtVmInfo != nullptr) {
+        free(virtVmInfo);
+    }
+    VIRTRUST_LOG_DEBUG("|DomainList|END|returnS||");
+    return VirtrustRc::OK;
+}
+
+VirtrustRc DomainMigrate(const std::unique_ptr<ConnCtx> &conn, const std::string &domainName,
+                         const std::string &destUri)
+{
+    auto &libvirt = Libvirt::GetInstance();
+    auto destConn = std::make_unique<ConnCtx>();
+    if (!destConn->SetUri(destUri)) {
+        VIRTRUST_LOG_ERROR("destUri is not valid: {}", destUri);
+        return VirtrustRc::ERROR;
+    }
+    auto domain = std::make_unique<DomainCtx>();
+    if (domain->Get() == nullptr) {
+        VIRTRUST_LOG_ERROR("failed to find domain: {}", domainName);
+        return VirtrustRc::ERROR;
+    }
+    if (libvirt.virDomainMigrate3(domain->Get(), destConn->Get(), nullptr, 0, 0) == nullptr) {
+        VIRTRUST_LOG_ERROR("failed to migrate domain: {}", domainName);
+        return VirtrustRc::ERROR;
+    }
+    return VirtrustRc::OK;
+}
+
+VirtrustRc DomainStart(const std::unique_ptr<ConnCtx> &conn, const std::string &domainName, unsigned int flags,
+                       bool isOnlyTsb)
+{
+    VIRTRUST_LOG_DEBUG("|DomainStart||START||domainName: {}", domainName);
+    FileLock fileLock(LOCK_FILE);
+    if (!fileLock.IsLocked()) {
+        return VirtrustRc::ERROR;
+    }
+    // 如果带--only-tsb仅更新tsb资源
+    if (isOnlyTsb) {
+        std::string uuidStr = domainName;
+        VIRTRUST_LOG_INFO("only update tsb resource");
+        if (domainName.size() != 36) {
+            VIRTRUST_LOG_DEBUG("|DomainStart|END|returnF||invalid domain UUID: {}", domainName);
+            return VirtrustRc::ERROR;
+        }
+        if (StopVRoot(uuidStr.data()) != 0) {
+            VIRTRUST_LOG_DEBUG("|DomainStart|END|returnF||start vRoot failed,UUID: {}", domainName);
+            return VirtrustRc::ERROR;
+        }
+        return VirtrustRc::OK;
+    }
+    auto domain = std::make_unique<DomainCtx>(conn, domainName);
+    if (domain->Get() == nullptr) {
+        VIRTRUST_LOG_ERROR("failed to find domain: {}", domainName);
+        return VirtrustRc::ERROR;
+    }
+
+    std::string uuid = GetUUIDStr(domain->Get());
+    VIRTRUST_LOG_INFO("Perform checking on: {} before start", domainName);
+    if (!CheckGuestBeforeStart(domainName, uuid)) {
+        VIRTRUST_LOG_ERROR("Check domain failed,domainName: {}", domainName);
+        return VirtrustRc::ERROR;
+    }
+    auto tsbRc = StartVRoot(uuid.data());
+    if (tsbRc != 0) {
+        VIRTRUST_LOG_ERROR("start vRoot failed: {}", domainName);
+        return VirtrustRc::ERROR;
+    }
+    if (Libvirt::GetInstance().virDomainCreateWithFlags(domain->Get(), flags) < 0) {
+        VIRTRUST_LOG_ERROR("failed to start domain: {}", domainName);
+        return VirtrustRc::ERROR;
+    }
+    VIRTRUST_LOG_DEBUG("|DomainStart||END|returnS|domainName: {}", domainName);
+    return VirtrustRc::OK;
+}
+
+VirtrustRc DomainUndefine(const std::unique_ptr<ConnCtx> &conn, const std::string &domainName, unsigned int flags,
+                          bool isOnlyTsb)
+{
+    VIRTRUST_LOG_DEBUG("|DomainUndefine||START||domainName: {}", domainName);
+    FileLock fileLock(LOCK_FILE);
+    if (!fileLock.IsLocked()) {
+        return VirtrustRc::ERROR;
+    }
+    if (isOnlyTsb) {
+        return UndefineTsbResource(domainName);
+    }
+    if (domainName.empty() || domainName.size() > MAX_NAME_LENGTH) {
+        VIRTRUST_LOG_ERROR("DomainUndefine|END|returnF||domain name length is [1, {}]", MAX_NAME_LENGTH);
+        return VirtrustRc::ERROR;
+    }
+    if (flags != DOMAIN_UNDEFINE_NVRAM && flags != DOMAIN_UNDEFINE_KEEP_NVRAM && flags != 0) {
+        VIRTRUST_LOG_ERROR("DomainUndefine|END|returnF||flags only suppport:{},and {}",
+                           static_cast<int>(DOMAIN_UNDEFINE_NVRAM), static_cast<int>(DOMAIN_UNDEFINE_KEEP_NVRAM));
+        return VirtrustRc::ERROR;
+    }
+    auto &libvirt = Libvirt::GetInstance();
+
+    auto domain = std::make_unique<DomainCtx>(conn, domainName);
+    if (domain->Get() == nullptr) {
+        VIRTRUST_LOG_ERROR("|DomainUndefine|END|returnF||failed to find domain: {}", domainName);
+        return VirtrustRc::ERROR;
+    }
+    virDomainInfo info;
+    if (libvirt.virDomainGetInfo(domain->Get(), &info) < 0) {
+        VIRTRUST_LOG_ERROR("|DomainUndefine|END|returnF||failed to get domain info: {}", domainName);
+        return VirtrustRc::ERROR;
+    }
+    if (info.state == VIR_DOMAIN_RUNNING) {
+        VIRTRUST_LOG_ERROR("|DomainUndefine|END|returnF||Can not undefine running "
+                           "state domain.");
+        return VirtrustRc::ERROR;
+    }
+    char uuid[VIR_UUID_STRING_BUFLEN];
+    if (libvirt.virDomainGetUUIDString(domain->Get(), uuid) < 0) {
+        VIRTRUST_LOG_ERROR("|DomainUndefine|END|returnF||failed to get domain uuid: {}", domainName);
+        return VirtrustRc::ERROR;
+    }
+
+    if (UndefineDomainWithRetry(domain, domainName, flags, libvirt) != VirtrustRc::OK) {
+        return VirtrustRc::ERROR;
+    }
+
+    int tsbRet = RemoveVRoot(uuid);
+    if (tsbRet != 0) {
+        VIRTRUST_LOG_ERROR("|DomainUndefine|END|returnF||tsb resource remove "
+                           "failed, maybe not exist tsb resource uuid: "
+                           "{},domainName: {},use virsh to undefine domain.",
+                           uuid, domainName);
+        return VirtrustRc::ERROR;
+    }
+    VIRTRUST_LOG_DEBUG("|DomainUndefine|END|returnS||domainName: {}", domainName);
+    return VirtrustRc::OK;
+}
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/api/domain.h b/virtrust/src/virtrust/api/domain.h
new file mode 100644
index 0000000000000000000000000000000000000000..c5e121be45e0c0a2adacff0cf88e49925e1af1ae
--- /dev/null
+++ b/virtrust/src/virtrust/api/domain.h
@@ -0,0 +1,75 @@
+// Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+
+#pragma once
+
+#include <string>
+#include <unordered_map>
+#include <vector>
+
+#include "virtrust/api/context.h"
+#include "virtrust/api/defines.h"
+
+namespace virtrust {
+/**
+ * 创建虚拟机
+ * @param conn 连接参数
+ * @param args 参数 参考virt-install --help
+ * 名称字段必须指定。arg[0]为virt-install的路径 如：、usr/bin/virt-install
+ * --allow-store-measurements可选 是否鞥新tsb的度量值
+ * @return VirtrustRc
+ */
+VirtrustRc DomainCreate(const std::unique_ptr<ConnCtx> &conn, const std::vector<std::string> &args);
+
+/**
+ * 停止虚拟机
+ * @param conn 连接参数
+ * @param flags 见DomainDestroyFlags中的选项
+ * @param domainName 虚拟机名称，isOnlyTsb为true时只更新tsb相关资源
+ * 为虚拟机UUID，当isOnlyTsb为true时将忽略flags入参
+ * @param isOnlyTsb 是否只更新tsb资源，为true时只更新tsb资源
+ * @return VirtrustRc
+ */
+VirtrustRc DomainDestroy(const std::unique_ptr<ConnCtx> &conn, const std::string &domainName, unsigned int flags,
+                         bool isOnlyTsb = false);
+
+VirtrustRc DomainMigrate(const std::unique_ptr<ConnCtx> &conn, const std::string &domainName,
+                         const std::string &destUri);
+
+/**
+ * 启动虚拟机
+ * @param conn 连接参数
+ * @param flags 见DomainStartFlags中的选项
+ * @param domainName 虚拟机名称，isOnlyTsb为true时只更新tsb相关资源
+ * 为虚拟机UUID，当isOnlyTsb为true时将忽略flags入参
+ * @param isOnlyTsb 是否只更新tsb资源，为true时只更新tsb资源
+ * @return VirtrustRc
+ */
+VirtrustRc DomainStart(const std::unique_ptr<ConnCtx> &conn, const std::string &domainName, unsigned int flags,
+                       bool isOnlyTsb = false);
+
+/**
+ * 删除虚拟机
+ * @param conn 连接参数
+ * @param flags 默认为0，其他值
+ * 见DomainUndefineFlags,DOMAIN_UNDEFINE_NVRAM和DOMAIN_UNDEFINE_KEEP_NVRAM仅支持同一时间指定一种
+ * @param domainName 虚拟机名称，isOnlyTsb为true时只更新tsb相关资源
+ * 为虚拟机UUID，当isOnlyTsb为true时将忽略flags入参
+ * @param isOnlyTsb 是否只删除tsb资源，为true时只删除tsb资源
+ * @return VirtrustRc
+ */
+VirtrustRc DomainUndefine(const std::unique_ptr<ConnCtx> &conn, const std::string &domainName, unsigned int flags = 0,
+                          bool isOnlyTsb = false);
+
+/**
+ * 展示虚拟机
+ * @param conn 连接参数
+ * @param flags
+ * 见DomainListFlag选项，可组合LIST_DOMAINS_ACTIVE|LIST_DOMAINS_INACTIVE
+ * @param dmoainInfos 查询到的虚拟机信息
+ * @param printErrToCli
+ * 是否屏显tsb资源和libvirt资源不一致的错误信息，如果libvirt有但是tsb没有不会屏显，日志会有warn日志
+ * @return VirtrustRc
+ */
+VirtrustRc DomainList(const std::unique_ptr<ConnCtx> &conn, unsigned int flags,
+                      std::unordered_map<std::string, DomainInfo> &domainInfos, bool printErrToCli = false);
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/api/domain_test.cpp b/virtrust/src/virtrust/api/domain_test.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..35e04fee1ead18478dd5eed468e96a95289508dd
--- /dev/null
+++ b/virtrust/src/virtrust/api/domain_test.cpp
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+ */
+
+#include <gtest/gtest.h>
+
+#include <memory>
+#include <string>
+#include <vector>
+
+#include "virtrust/api/context.h"
+#include "virtrust/api/defines.h"
+#include "virtrust/api/domain.h"
+#include "virtrust/base/logger.h"
+#include "virtrust/crypto/sm3.h"
+#include "virtrust/dllib/libvirt.h"
+#include "virtrust/utils/file_io.h"
+#include "virtrust/utils/foreign_mounter.h"
+#include "virtrust/utils/virt_xml_parser.h"
+
+namespace virtrust {
+
+// Test that basic compilation works
+TEST(DomainTest, BasicCompilation)
+{
+    // Basic compile-time test - just ensure the functions exist and can be called
+    EXPECT_TRUE(true);
+}
+
+// Test that VerifyConfig can be instantiated and used
+TEST(DomainTest, VerifyConfigBasics)
+{
+    // Test that VerifyConfig can be constructed with basic parameters
+    VerifyConfig config("test-guest", "/path/to/disk", "/path/to/loader");
+
+    // Test basic getter functions exist and work
+    EXPECT_EQ(config.GetGuestName(), "test-guest");
+    EXPECT_EQ(config.GetDiskPath(), "/path/to/disk");
+    EXPECT_EQ(config.GetLoaderPath(), "/path/to/loader");
+}
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/api/file_lock.h b/virtrust/src/virtrust/api/file_lock.h
new file mode 100644
index 0000000000000000000000000000000000000000..866e8770331be2bd49494e86aaa66db6ca06d5be
--- /dev/null
+++ b/virtrust/src/virtrust/api/file_lock.h
@@ -0,0 +1,51 @@
+// Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+
+#pragma once
+
+#include <fcntl.h>
+#include <sys/file.h>
+#include <unistd.h>
+
+#include <cerrno>
+#include <cstring>
+
+#include "virtrust/base/logger.h"
+
+namespace virtrust {
+
+class FileLock {
+public:
+    FileLock(const char *fileName) : fd_(open(fileName, O_RDWR | O_CREAT | O_CLOEXEC, LOCK_FILE_PERMISSIONS))
+    {
+        if (fd_ == -1) {
+            VIRTRUST_LOG_ERROR("Failed to open file {}, msg {}", fileName, strerror(errno));
+        } else {
+            VIRTRUST_LOG_ERROR("Failed to lock file {}, msg {}", fileName, strerror(errno));
+            close(fd_);
+            fd_ = -1;
+        }
+    }
+
+    ~FileLock()
+    {
+        if (fd_ != -1) {
+            flock(fd_, LOCK_UN);
+            close(fd_);
+        }
+    }
+
+    bool IsLocked() const
+    {
+        return fd_ != -1;
+    }
+    int GetFileDescriptor() const
+    {
+        return fd_;
+    }
+
+private:
+    static constexpr mode_t LOCK_FILE_PERMISSIONS = 0666;
+    int fd_ = -1;
+};
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/base/CMakeLists.txt b/virtrust/src/virtrust/base/CMakeLists.txt
new file mode 100644
index 0000000000000000000000000000000000000000..95f97fa4e2191d749ea75469b154de63f2dff0fc
--- /dev/null
+++ b/virtrust/src/virtrust/base/CMakeLists.txt
@@ -0,0 +1,21 @@
+# Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+set(VIRTRUST_SOURCE_FILES
+    ${VIRTRUST_SOURCE_FILES}
+    ${CMAKE_CURRENT_LIST_DIR}/custom_logger.cpp
+    ${CMAKE_CURRENT_LIST_DIR}/log_adapt.cpp
+    ${CMAKE_CURRENT_LIST_DIR}/str_utils.cpp
+    ${CMAKE_CURRENT_LIST_DIR}/exception.cpp)
+
+# add_virtrust_test_if(exception_test ${BUILD_TEST})
+add_virtrust_test_if(custom_logger_test ${BUILD_TEST})
+add_virtrust_test_if(str_utils_test ${BUILD_TEST})
+
+install(
+  FILES ${CMAKE_CURRENT_LIST_DIR}/custom_logger.h
+  DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}/virtrust/base
+  PERMISSIONS OWNER_READ)
+
+set(VIRTRUST_SOURCE_FILES
+    ${VIRTRUST_SOURCE_FILES}
+    PARENT_SCOPE)
diff --git a/virtrust/src/virtrust/base/custom_logger.cpp b/virtrust/src/virtrust/base/custom_logger.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..14e825ddb69c2666f64d51edf15dbfec10d6b6af
--- /dev/null
+++ b/virtrust/src/virtrust/base/custom_logger.cpp
@@ -0,0 +1,122 @@
+// Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+#include "virtrust/base/custom_logger.h"
+
+#include <iostream>
+#include <string>
+
+#include "spdlog/fmt/bundled/chrono.h"
+#include "spdlog/fmt/bundled/core.h"
+
+#include "virtrust/base/log_adapt.h"
+#include "virtrust/base/logger.h"
+#include "virtrust/utils/enum_check.h"
+
+namespace virtrust {
+using LogLevelCheck = EnumCheck<LogLevel, LogLevel::TRACE, LogLevel::DEBUG, LogLevel::INFO, LogLevel::WARN,
+                                LogLevel::ERROR, LogLevel::CRITICAL>;
+
+namespace {
+std::mutex mutex;
+constexpr int DEFAULT_STR_TIME_LEN = 24;
+constexpr auto DEFAULT_LOG_FUNCTION = [](LogLevel level, std::string_view msg) {
+    std::chrono::time_point<std::chrono::system_clock> now = std::chrono::system_clock::now();
+    fmt::print("[{} {:%Y-%m-%d %H-%M-%S}] {}\n", LogLevelToStr(level), now, msg);
+};
+} // namespace
+
+std::string LogLevelToStr(LogLevel level)
+{
+    switch (level) {
+        case LogLevel::TRACE:
+            return "TRACE";
+        case LogLevel::DEBUG:
+            return "DEBUG";
+        case LogLevel::INFO:
+            return "INFO ";
+        case LogLevel::WARN:
+            return "WARN ";
+        case LogLevel::ERROR:
+            return "ERROR";
+        case LogLevel::CRITICAL:
+            return "FATAL";
+        default:
+            return "UNKNOWN";
+    }
+}
+
+Logger *Logger::Instance()
+{
+    static Logger logger;
+    return &logger;
+}
+
+void Logger::Log(LogLevel level, std::string_view msg)
+{
+    if (logFunction_ != nullptr) {
+        logFunction_(level, msg);
+    } else {
+        if (LogAdapt::gSpdLogger != nullptr && LogAdapt::gSpdLogger->spdLogger != nullptr &&
+            static_cast<int>(level) >= static_cast<int>(displayLogLevel_)) {
+            LogAdapt::gSpdLogger->spdLogger->log(static_cast<spdlog::level::level_enum>(static_cast<int>(level)),
+                                                 msg.data());
+        }
+    }
+}
+
+void Logger::SetDisplayLogLevel(LogLevel level)
+{
+    if (static_cast<int>(level) >= static_cast<int>(LogLevel::UNKNOWN)) {
+        fmt::print(stderr, "log level is invalid : {}", static_cast<int>(level));
+    }
+
+    if (LogAdapt::gSpdLogger != nullptr && LogAdapt::gSpdLogger->spdLogger != nullptr) {
+        LogAdapt::gSpdLogger->spdLogger->set_level(static_cast<spdlog::level::level_enum>(static_cast<int>(level)));
+        displayLogLevel_ = level;
+    } else {
+        fmt::print(stderr, "failed to set log level\n");
+    }
+}
+
+void Logger::Reset()
+{
+    logFunction_ = nullptr;
+    if (LogAdapt::gSpdLogger != nullptr && LogAdapt::gSpdLogger->spdLogger != nullptr) {
+        LogAdapt::gSpdLogger->spdLogger->set_level(
+            static_cast<spdlog::level::level_enum>(static_cast<int>(LogLevel::INFO)));
+    }
+    displayLogLevel_ = LogLevel::INFO;
+}
+
+VirtrustRc Logger::InitLog(int logLevel, const char *path, int rotationFileSize, int rotationFileCount)
+{
+
+    if (logLevel < static_cast<int>(LogLevel::TRACE) || logLevel > static_cast<int>(LogLevel::CRITICAL)) {
+        fmt::print(stderr, "Invalid log level: {}", logLevel);
+        return VirtrustRc::ERROR;
+    }
+
+    int logType = (path != nullptr) ? FILE_TYPE : STDOUT_TYPE;
+    auto rc = LogAdapt::ValidateParams(logType, path, rotationFileSize, rotationFileCount);
+    if (rc != VirtrustRc::OK) {
+        fmt::print(stderr, "LogAdapt param validation failed, return: {}, msg: {}", static_cast<uint32_t>(rc),
+                   LogAdapt::gLastErrorMessage);
+        return rc;
+    }
+    displayLogLevel_ = static_cast<LogLevel>(logLevel);
+    return VirtrustRc::OK;
+}
+
+bool Logger::SetCustomLogFunction(const std::function<CustomLogFunTy> &func)
+{
+    std::lock_guard<std::mutex> lock(mutex);
+    if (func == nullptr) {
+        DEFAULT_LOG_FUNCTION(LogLevel::ERROR, "Failed to set external log function as log function is nullptr.");
+        return false;
+    } else {
+        logFunction_ = func;
+        return true;
+    }
+}
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/base/custom_logger.h b/virtrust/src/virtrust/base/custom_logger.h
new file mode 100644
index 0000000000000000000000000000000000000000..327476ed835f1331c83dcdb25370c0e5a5b1d3fe
--- /dev/null
+++ b/virtrust/src/virtrust/base/custom_logger.h
@@ -0,0 +1,80 @@
+// Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+#pragma once
+
+#include <functional>
+#include <mutex>
+#include <sstream>
+#include <string>
+
+#include "virtrust/api/defines.h"
+
+namespace virtrust {
+const int32_t DEFAULT_ROTATION_FILE_SIZE = 20 * 1024 * 1024;
+const int32_t DEFAULT_ROTATION_FILE_COUNT = 20;
+
+enum class LogLevel {
+    TRACE = 0,
+    DEBUG = 1,
+    INFO = 2,
+    WARN = 3,
+    ERROR = 4,
+    CRITICAL = 5,
+    UNKNOWN,
+};
+
+std::string LogLevelToStr(LogLevel level);
+
+class Logger {
+public:
+    using CustomLogFunTy = void(LogLevel level, std::string_view msg);
+
+    Logger(const Logger &) = delete;
+    Logger(Logger &&) = delete;
+    Logger &operator=(const Logger &) = delete;
+    Logger &operator=(Logger &&) = delete;
+
+    ~Logger()
+    {
+        logFunction_ = nullptr;
+    }
+
+    static Logger *Instance();
+
+    void Log(LogLevel level, std::string_view msg);
+
+    // For cpp-style function, lambda works
+    // NOTE Please make sure you do not use a "capture" lambda for log function
+    bool SetCustomLogFunction(const std::function<CustomLogFunTy> &func);
+
+    void SetDisplayLogLevel(LogLevel level);
+
+    LogLevel GetDisplayLogLevel()
+    {
+        return displayLogLevel_;
+    }
+
+    void Reset();
+
+    /**
+     * 初始化日志相关
+     * @param path[IN] 日志路径 nullptr
+     * 不输出到文件，要输出到文件时是带文件名的路径，路径需存在。
+     * @param logLevel[IN] 日志级别 默认INFO。
+     * @param rotationFileSize[IN]
+     * 单个日志文件大小，单位字节bytes,默认20*1024*1024*1024（20M）范围[1*1024*1024,500*1024*1024]。
+     * @param rotationFileCount[IN] 日志保存数量 超过该数量 之前日志将被删除
+     * 默认20 范围[1,64]。
+     * @return VirtrustRc::OK 失败错误码
+     */
+    VirtrustRc InitLog(int logLevel = static_cast<int>(LogLevel::INFO), const char *path = nullptr,
+                       int rotationFileSize = DEFAULT_ROTATION_FILE_SIZE,
+                       int rotationFileCount = DEFAULT_ROTATION_FILE_COUNT);
+
+private:
+    Logger() = default;
+    std::function<CustomLogFunTy> logFunction_ = nullptr;
+    LogLevel displayLogLevel_ = LogLevel::INFO;
+};
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/base/custom_logger_test.cpp b/virtrust/src/virtrust/base/custom_logger_test.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..0011d99a3399c180aef47050118a50792cf18495
--- /dev/null
+++ b/virtrust/src/virtrust/base/custom_logger_test.cpp
@@ -0,0 +1,151 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+ */
+
+#include <thread>
+
+#include "gtest/gtest.h"
+#include "spdlog/fmt/fmt.h"
+
+#include "virtrust/base/custom_logger.h"
+#include "virtrust/base/logger.h"
+
+namespace virtrust {
+
+TEST(CustomLogger, SetCustomLogFunction)
+{
+    // Test setting a custom log function
+    bool result = Logger::Instance()->SetCustomLogFunction(
+        [](LogLevel level, std::string_view msg) { fmt::print("[{}] {}\n", LogLevelToStr(level), msg); });
+    EXPECT_TRUE(result);
+
+    // Test setting nullptr function
+    result = Logger::Instance()->SetCustomLogFunction(nullptr);
+    EXPECT_FALSE(result);
+
+    // Reset the logger
+    Logger::Instance()->Reset();
+}
+
+TEST(CustomLogger, LogLevelConversion)
+{
+    // Test conversion of log levels to strings
+    EXPECT_EQ(LogLevelToStr(LogLevel::TRACE), "TRACE");
+    EXPECT_EQ(LogLevelToStr(LogLevel::DEBUG), "DEBUG");
+    EXPECT_EQ(LogLevelToStr(LogLevel::INFO), "INFO");
+    EXPECT_EQ(LogLevelToStr(LogLevel::WARN), "WARN");
+    EXPECT_EQ(LogLevelToStr(LogLevel::ERROR), "ERROR");
+    EXPECT_EQ(LogLevelToStr(LogLevel::CRITICAL), "CRITICAL");
+    EXPECT_EQ(LogLevelToStr(LogLevel::UNKNOWN), "UNKNOWN");
+}
+
+TEST(CustomLogger, InstanceSingleton)
+{
+    // Test that Logger follows singleton pattern
+    Logger *logger1 = Logger::Instance();
+    Logger *logger2 = Logger::Instance();
+    EXPECT_EQ(logger1, logger2);
+}
+
+TEST(CustomLogger, logWithCustomFunction)
+{
+    // Test logging with custom function
+    std::string captured_log;
+
+    // this log function is actually corrupted when we leave this test
+    // Note this is bad practice, do not use capture lambda for log function
+    Logger::Instance()->SetCustomLogFunction([&captured_log](LogLevel level, std::string_view msg) {
+        captured_log = fmt::format("[{}] {}", LogLevelToStr(level), msg);
+    });
+
+    Logger::Instance()->Log(LogLevel::INFO, "Test message");
+    EXPECT_FALSE(captured_log.empty());
+
+    // Reset the logger
+    Logger::Instance()->Reset();
+}
+
+TEST(CustomLogger, logWithoutCustomFunction)
+{
+    // Test logging without custom function (should use default)
+    // This test mainly ensures no crash occurs
+    Logger::Instance()->Log(LogLevel::INFO, "Default log message");
+
+    // Test with different log levels
+    Logger::Instance()->Log(LogLevel::TRACE, "DTrace message");
+    Logger::Instance()->Log(LogLevel::DEBUG, "Debug message");
+    Logger::Instance()->Log(LogLevel::WARN, "Warn message");
+    Logger::Instance()->Log(LogLevel::ERROR, "Error message");
+    Logger::Instance()->Log(LogLevel::CRITICAL, "Critical message");
+}
+
+TEST(CustomLogger, ResetFunctionality)
+{
+    // Test that Reset clears the custom log function
+    Logger::Instance()->SetCustomLogFunction(
+        [](LogLevel level, std::string_view msg) { fmt::print("[{}] {}\n", LogLevelToStr(level), msg); });
+
+    // Verify custom function is set
+    // Node: we can't directly test the function pointer comparison, but we can
+    // verify behavior after reset
+    Logger::Instance()->Log(LogLevel::INFO, "Message before reset");
+
+    // Reset the logger
+    Logger::Instance()->Reset();
+
+    // verify that after reset, we can still log without issues
+    Logger::Instance()->Log(LogLevel::INFO, "Message after reset");
+
+    // Reset the logger
+    Logger::Instance()->Reset();
+}
+
+TEST(CustomLogger, DiaplayLogLevel)
+{
+    // Test getting and setting display log level
+    Logger::Instance()->InitLog();
+    auto initial_level = Logger::Instance()->GetDisplayLogLevel();
+    EXPECT_EQ(initial_level, LogLevel::INFO);
+
+    // Init log first
+    Logger::Instance()->InitLog();
+
+    // Change display level
+    Logger::Instance()->SetDisplayLogLevel(LogLevel::DEBUG);
+
+    auto new_level = Logger::Instance()->GetDisplayLogLevel();
+    EXPECT_EQ(new_level, LogLevel::DEBUG);
+
+    // Reset the logger
+    Logger::Instance()->Reset();
+}
+
+TEST(CustomLogger, ThreadSafety)
+{
+    // Test that logging is thread-safe
+    std::vector<std::thread> threads;
+    std::atomic<int> log_count{0};
+
+    // Create multiple threads that log simultaneously
+    threads.reserve(10);
+    for (int i = 0; i < 10; i++) {
+        threads.emplace_back([&log_count]() {
+            for (int j = 0; j < 10; j++) {
+                Logger::Instance()->Log(LogLevel::INFO, "Thread safety test");
+                log_count++;
+            }
+        });
+    }
+
+    // Wait for all threads to complete
+    for (auto &t : threads) {
+        t.join();
+    }
+
+    // Verify all logs were processed
+    EXPECT_EQ(log_count.load(), 100);
+
+    // Reset the logger
+    Logger::Instance()->Reset();
+}
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/base/exception.cpp b/virtrust/src/virtrust/base/exception.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..0ceb004cd98dab97a55528a95deeb22ff4aba8f7
--- /dev/null
+++ b/virtrust/src/virtrust/base/exception.cpp
@@ -0,0 +1,26 @@
+// Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+#include "virtrust/base/exception.h"
+
+#include <numeric>
+
+#include "spdlog/fmt/fmt.h"
+
+namespace virtrust {
+EnforceNotMet::EnforceNotMet(const char *file, const int line, const char *condition, const std::string &msg)
+    : msgStack_{fmt::format("[Enforce fail at {}:{}] {}. {}", file, line, condition, msg)}
+{
+    fullMsg_ = this->msg();
+}
+
+std::string EnforceNotMet::msg() const
+{
+    return std::accumulate(msgStack_.begin(), msgStack_.end(), std::string(""));
+}
+
+const char *EnforceNotMet::what() const noexcept
+{
+    return fullMsg_.c_str();
+}
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/base/exception.h b/virtrust/src/virtrust/base/exception.h
new file mode 100644
index 0000000000000000000000000000000000000000..94d1e9d05d477b162abfaddec02d2dbd192e74fc
--- /dev/null
+++ b/virtrust/src/virtrust/base/exception.h
@@ -0,0 +1,133 @@
+// Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+#pragma once
+
+#include <exception>
+#include <functional>
+#include <vector>
+
+#include "virtrust/base/str_utils.h"
+
+namespace virtrust {
+class EnforceNotMet : public std::exception {
+public:
+    EnforceNotMet(const char *file, const int line, const char *condition, const std::string &msg);
+    std::string msg() const;
+
+    inline const std::vector<std::string> &msg_stack() const
+    {
+        return msgStack_;
+    }
+
+    virtual const char *what() const noexcept override;
+
+private:
+    std::vector<std::string> msgStack_;
+    std::string fullMsg_;
+};
+
+#define VIRTRUST_ENFORCE(condition, ...)                                                                          \
+    do {                                                                                                          \
+        if (!(condition)) {                                                                                       \
+            throw ::virtrust::EnforceNotMet(__FILE__, __LINE__, #condition, ::virtrust::MakeString(__VA_ARGS__)); \
+        }                                                                                                         \
+    } while (false)
+
+// Check condition, and returns error code on error
+#define VIRTRUST_CHECK_ROF(condition, error_code, ...) \
+    do {                                               \
+        if (!(condition)) {                            \
+            VIRTRUST_ERROR(__VA_ARGS__);               \
+            return error_code;                         \
+        }                                              \
+    } while (false)
+
+namespace enforce_detail {
+
+struct EnforceOK {};
+
+class EnforceFailMessage {
+public:
+    constexpr EnforceFailMessage(EnforceOK) : msg_(nullptr)
+    {}
+
+    EnforceFailMessage(EnforceFailMessage &&) = default;
+    EnforceFailMessage(const EnforceFailMessage &) = delete;
+    EnforceFailMessage &operator=(EnforceFailMessage &&) = delete;
+    EnforceFailMessage &operator=(const EnforceFailMessage &) = delete;
+
+    EnforceFailMessage(std::string &&msg)
+    {
+        msg_ = new std::string(std::move(msg));
+    }
+
+    inline bool bad() const
+    {
+        return msg_ != nullptr;
+    }
+
+    std::string get_message_and_free(std::string &&extra) const
+    {
+        std::string r;
+        if (extra.empty()) {
+            r = std::move(*msg_);
+        } else {
+            r = ::virtrust::MakeString(*msg_, ". ", extra);
+        }
+        delete msg_;
+        return r;
+    }
+
+private:
+    std::string *msg_ = nullptr;
+};
+
+#define BINARY_COMP_HELPER(name, op)                                                             \
+    template <typename T1, typename T2> inline EnforceFailMessage name(const T1 &x, const T2 &y) \
+    {                                                                                            \
+        if (x op y) {                                                                            \
+            return EnforceOK();                                                                  \
+        }                                                                                        \
+        return MakeString(x, " vs ", y);                                                         \
+    }
+
+BINARY_COMP_HELPER(Equals, ==)
+BINARY_COMP_HELPER(NotEquals, !=)
+BINARY_COMP_HELPER(Greater, >)
+BINARY_COMP_HELPER(GreaterEquals, >=)
+BINARY_COMP_HELPER(Less, <)
+BINARY_COMP_HELPER(LessEquals, <=)
+#undef BINARY_COMP_HELPER
+
+#define VIRTRUST_ENFORCE_THAT_IMPL(condition, expr, ...)                                      \
+    do {                                                                                      \
+        const ::virtrust::enforce_detail::EnforceFailMessage &r = (condition);                \
+        if (r.bad()) {                                                                        \
+            throw ::virtrust::EnforceNotMet(__FILE__, __LINE__, expr,                         \
+                                            r.get_message_and_free(MakeString(__VA_ARGS__))); \
+        }                                                                                     \
+    } while (false)
+
+#define VIRTRUST_ENFORCE_THAT(condition, ...) VIRTRUST_ENFORCE_THAT_IMPL((condition), #condition, __VA_ARGS__)
+
+} // namespace enforce_detail
+
+#define VIRTRUST_ENFORCE_EQ(x, y, ...) \
+    VIRTRUST_ENFORCE_THAT_IMPL(::virtrust::enforce_detail::Equals((x), (y)), #x "==" #y, __VA_ARGS__)
+
+#define VIRTRUST_ENFORCE_NE(x, y, ...) \
+    VIRTRUST_ENFORCE_THAT_IMPL(::virtrust::enforce_detail::NotEquals((x), (y)), #x "!=" #y, __VA_ARGS__)
+
+#define VIRTRUST_ENFORCE_LE(x, y, ...) \
+    VIRTRUST_ENFORCE_THAT_IMPL(::virtrust::enforce_detail::Less((x), (y)), #x "<" #y, __VA_ARGS__)
+
+#define VIRTRUST_ENFORCE_LT(x, y, ...) \
+    VIRTRUST_ENFORCE_THAT_IMPL(::virtrust::enforce_detail::LessEquals((x), (y)), #x "<=" #y, __VA_ARGS__)
+
+#define VIRTRUST_ENFORCE_GE(x, y, ...) \
+    VIRTRUST_ENFORCE_THAT_IMPL(::virtrust::enforce_detail::GreaterEquals((x), (y)), #x ">=" #y, __VA_ARGS__)
+
+#define VIRTRUST_ENFORCE_GT(x, y, ...) \
+    VIRTRUST_ENFORCE_THAT_IMPL(::virtrust::enforce_detail::Greater((x), (y)), #x ">" #y, __VA_ARGS__)
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/base/exception_test.cpp b/virtrust/src/virtrust/base/exception_test.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..c7f8e20cad031dc9049e21f0655e0456750fdb60
--- /dev/null
+++ b/virtrust/src/virtrust/base/exception_test.cpp
@@ -0,0 +1,89 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+ */
+
+#include "gtest/gtest.h"
+#include "spdlog/fmt/bundled/core.h"
+
+#include "virtrust/base/exception.h"
+#include "virtrust/base/logger.h"
+
+namespace virtrust {
+
+TEST(Exception, Enforce)
+{
+    ASSERT_THROW(VIRTRUST_ENFORCE(false), EnforceNotMet);
+    ASSERT_NO_THROW(VIRTRUST_ENFORCE(true));
+}
+
+TEST(Exception, Compares)
+{
+    ASSERT_THROW(VIRTRUST_ENFORCE_EQ(0, 1), EnforceNotMet);
+    ASSERT_NO_THROW(VIRTRUST_ENFORCE_EQ(1, 1));
+
+    ASSERT_THROW(VIRTRUST_ENFORCE_LE(1, 0), EnforceNotMet);
+    ASSERT_NO_THROW(VIRTRUST_ENFORCE_LE(0, 1));
+    ASSERT_NO_THROW(VIRTRUST_ENFORCE_LE(1, 1));
+
+    ASSERT_THROW(VIRTRUST_ENFORCE_GE(0, 1), EnforceNotMet);
+    ASSERT_NO_THROW(VIRTRUST_ENFORCE_GE(1, 0));
+    ASSERT_NO_THROW(VIRTRUST_ENFORCE_GE(1, 1));
+
+    ASSERT_THROW(VIRTRUST_ENFORCE_LT(1, 0), EnforceNotMet);
+    ASSERT_NO_THROW(VIRTRUST_ENFORCE_LT(0, 1));
+
+    ASSERT_THROW(VIRTRUST_ENFORCE_GT(0, 1), EnforceNotMet);
+    ASSERT_NO_THROW(VIRTRUST_ENFORCE_Gt(1, 0));
+}
+
+TEST(Exception, CompareWithMessages)
+{
+    try {
+        VIRTRUST_ENFORCE_EQ(1, 2, "Expected 1 to equal 2");
+        FAIL() << "Should have thrown EnforceNotMet exception";
+    } catch (const EnforceNotMet &e) {
+        EXPECT_NE(std::string(e.what()).find("1 vs 2"), std::string::npos);
+        EXPECT_NE(std::string(e.what()).find("Excepted 1 to equal 2"), std::string::npos);
+    }
+
+    try {
+        VIRTRUST_ENFORCE_GT(1, 2, "1 should be greater than 2");
+        FAIL() << "Should have thrown EnforceNotMet exception";
+    } catch (const EnforceNotMet &e) {
+        EXPECT_NE(std::string(e.what()).find("1 vs 2"), std::string::npos);
+        EXPECT_NE(std::string(e.what()).find("1 should be greater than 2"), std::string::npos);
+    }
+}
+
+TEST(Exception, EnforceThat)
+{
+    // Test successful enforcement
+    ASSERT_NO_THROW(VIRTRUST_ENFORCE_THAT(enforce_detail::Equals(1, 1), "Values should be equal"));
+
+    try {
+        ASSERT_ENFORCE_THAT(enforce_detail::Equals(1, 2), "Values should be equal");
+        FAIL() << "Should have thrown EnforceNotMet exception";
+    } catch (const EnforceNotMet &e) {
+        EXPECT_NE(std::string(e.what()).find("1 vs 2"), std::string::npos);
+    }
+}
+
+TEST(Exception, ExceptionMessageDetails)
+{
+    try {
+        VIRTRUST_ENFORCE(false, "Test message with ", 42);
+        FAIL() << "Should have thrown EnforceNotMet exception";
+    } catch (const EnforceNotMet &e) {
+        // Check that the message contains the excepted content
+        std::string what_msg = e.what();
+
+        VIRTRUST_LOG_INFO(what_msg);
+
+        EXPECT_NE(what_msg.find("Test message with 42"), std::string::npos);
+
+        // Check that we can get the message stack
+        const auto &msg_stack = e.msg_stack();
+        EXPECT_FALSE(msg_stack.empty());
+    }
+}
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/base/log_adapt.cpp b/virtrust/src/virtrust/base/log_adapt.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..13b639ee00225b1b9b504b7bc6594e3dde8b3ce4
--- /dev/null
+++ b/virtrust/src/virtrust/base/log_adapt.cpp
@@ -0,0 +1,216 @@
+#include "log_adapt.h"
+
+#include <sys/stat.h>
+
+#include <iostream>
+
+#include "spdlog/sinks/rotating_file_sink.h"
+#include "spdlog/sinks/stdout_sinks.h"
+
+#include "virtrust/api/defines.h"
+#include "virtrust/base/custom_logger.h"
+namespace virtrust {
+std::unique_ptr<LogAdapt> LogAdapt::gSpdLogger = nullptr;
+thread_local std::string LogAdapt::gLastErrorMessage;
+int LogAdapt::loglevel = static_cast<int>(LogLevel::INFO);
+
+constexpr auto ROTATION_FILE_SIZE_MIN = 1024 * 1024;
+constexpr auto ROTATION_FILE_SIZE_MAX = 5 * 1024 * 1024;
+constexpr auto ROTATION_FILE_COUNT_MAX = 64;
+namespace {
+bool CanonicalPath(std::string &path)
+{
+
+    if (path.empty() || path.size() > PATH_MAX) {
+        return false;
+    }
+    char pathBuf[PATH_MAX + 1] = {0};
+    if (realpath(path.c_str(), pathBuf) == nullptr) {
+        return false;
+    }
+    path = pathBuf;
+    return true;
+}
+
+bool GetFolderPath(std::string &filePath, std::string &folderPath)
+{
+    const size_t pos = filePath.find_last_of("/");
+    if (pos == std::string::npos) {
+        return false;
+    }
+    folderPath = filePath.substr(0, pos);
+    return true;
+}
+
+bool Exist(const std::string &path, const int &mode)
+{
+    return access(path.c_str(), mode) != -1;
+}
+
+bool IsAbsolutePath(const std::string &path)
+{
+    if (path.empty()) {
+        return false;
+    }
+    if (path[0] != '/') {
+        return false;
+    }
+    if (strstr(path.c_str(), "/../") != nullptr || strstr(path.c_str(), "/./") != nullptr) {
+        return false;
+    }
+    return true;
+}
+} // namespace
+
+VirtrustRc LogAdapt::ValidateParams(int logType, const char *path, int rotationFileSize, int rotationFileCount)
+{
+    if (logType != STDOUT_TYPE && logType != FILE_TYPE) {
+        gLastErrorMessage = "Invalid log type, which should be 0,1";
+        return VirtrustRc::ERROR;
+    }
+    if (logType == STDOUT_TYPE) {
+        return VirtrustRc::OK;
+    }
+
+    if (path == nullptr) {
+        gLastErrorMessage = "Path is empty";
+        return VirtrustRc::ERROR;
+    }
+    if (rotationFileSize > ROTATION_FILE_SIZE_MAX || rotationFileSize < ROTATION_FILE_SIZE_MIN) {
+        gLastErrorMessage = "Invalid rotation file size, which should be 1MB to 500MB";
+        return VirtrustRc::ERROR;
+    }
+    if (rotationFileCount > ROTATION_FILE_COUNT_MAX || rotationFileCount < 1) {
+        gLastErrorMessage = "Invalid rotation file count, which should be lest than 65";
+        return VirtrustRc::ERROR;
+    }
+    return VirtrustRc::OK;
+}
+
+VirtrustRc LogAdapt::CreateInstance(int &logType, int logLevel, const char *path, int rotationFileSize,
+                                    int rotationFileCount)
+{
+    if (gSpdLogger != nullptr) {
+        return VirtrustRc::OK;
+    }
+    loglevel = logLevel;
+    std::string realPath;
+    if (path != nullptr) {
+        realPath = std::string(path);
+        if (!IsAbsolutePath(realPath)) {
+            std::cerr << "Log folder path: " << realPath << "is not absolute path." << std::endl;
+            return VirtrustRc::ERROR;
+        }
+        std::string folderPath;
+        if (!GetFolderPath(realPath, folderPath)) {
+            std::cerr << "Get folder path: " << realPath << "failed." << std::endl;
+            return VirtrustRc::ERROR;
+        }
+
+        if (!Exist(folderPath, F_OK | R_OK | W_OK)) {
+            std::cerr << "Access denied or logpath: " << folderPath << " does not exist." << std::endl;
+            return VirtrustRc::ERROR;
+        }
+
+        if (!CanonicalPath(folderPath)) {
+            std::cerr << "Get real path: " << realPath << "failed." << std::endl;
+            return VirtrustRc::ERROR;
+        }
+    }
+    VirtrustRc ret = SetTmpLogger(logType, realPath, rotationFileSize, rotationFileCount, loglevel);
+    if (ret != VirtrustRc::OK) {
+        return ret;
+    }
+    return VirtrustRc::OK;
+}
+
+VirtrustRc LogAdapt::Initialize()
+{
+    try {
+        if (this->logType_ == STDOUT_TYPE) {
+            std::string console = "console";
+            if (!spdlog::get(console)) {
+                this->spdLogger = spdlog::stdout_logger_mt(console);
+            } else {
+                this->spdLogger = spdlog::get(console);
+            }
+        } else if (this->logType_ == FILE_TYPE) {
+            std::string logName = "log:" + this->filePath_;
+            spdlog::file_event_handlers handlers;
+            handlers.after_open = [](spdlog::filename_t filename, [[maybe_unused]] std::FILE *fstream) {
+                chmod(filename.c_str(), S_IRUSR | S_IWUSR);
+            };
+            if (!spdlog::get(logName)) {
+                this->spdLogger = spdlog::rotating_logger_mt(logName, this->filePath_, this->rotationFileSize_,
+                                                             this->rotationFileCount_, false, handlers);
+            } else {
+                this->spdLogger = spdlog::get(logName);
+            }
+            spdlog::flush_every(std::chrono::seconds(1));
+        }
+        if (this->spdLogger == nullptr) {
+            std::cerr << "spdLogger init failed" << std::endl;
+            return VirtrustRc::ERROR;
+        }
+
+        this->spdLogger->set_pattern("%Y-%m-%d %H:%M:%S.%f %t %l %v");
+        this->spdLogger->set_level(static_cast<spdlog::level::level_enum>(this->logLevel_));
+        this->spdLogger->flush_on(static_cast<spdlog::level::level_enum>(this->logLevel_));
+        if (this->logLevel_ < static_cast<int>(spdlog::level::info)) {
+        }
+    } catch (const spdlog::spdlog_ex &ex) {
+        gLastErrorMessage = "Failed to create log";
+        gLastErrorMessage = ex.what();
+        return VirtrustRc::ERROR;
+    }
+    return VirtrustRc::OK;
+}
+
+VirtrustRc LogAdapt::Log(int level, const char *prefix, const char *message) const
+{
+    if (level < static_cast<int>(LogLevel::TRACE) || level > static_cast<int>(LogLevel::CRITICAL)) {
+        gLastErrorMessage = "Invalid log level, which should be 0-5";
+        return VirtrustRc::ERROR;
+    }
+    this->spdLogger->log(static_cast<spdlog::level::level_enum>(level), "{}]{}", prefix, message);
+    return VirtrustRc::OK;
+}
+
+void LogAdapt::Flush()
+{
+    if (gSpdLogger != nullptr) {
+        gSpdLogger->spdLogger->flush();
+    }
+}
+
+int LogAdapt::GetLogLevel()
+{
+    return loglevel;
+}
+
+VirtrustRc LogAdapt::SetTmpLogger(int logType, std::string realPath, int rotationFileSize, int rotationFileCount,
+                                  int logLevel)
+{
+    std::unique_ptr<LogAdapt> tmpLogger =
+        std::make_unique<LogAdapt>(logType, realPath, rotationFileSize, rotationFileCount);
+    if (tmpLogger == nullptr) {
+        std::cerr << "tmpLogger init failed" << std::endl;
+        return VirtrustRc::ERROR;
+    }
+
+    tmpLogger->SetLogLevel(logLevel);
+    VirtrustRc ret = tmpLogger->Initialize();
+    if (ret != VirtrustRc::OK) {
+        std::cerr << "LogAdapt initialize failed" << std::endl;
+        return ret;
+    }
+    gSpdLogger = std::move(tmpLogger);
+    return VirtrustRc::OK;
+}
+
+void LogAdapt::UnInitialize()
+{
+    gSpdLogger = nullptr;
+}
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/base/log_adapt.h b/virtrust/src/virtrust/base/log_adapt.h
new file mode 100644
index 0000000000000000000000000000000000000000..394b6866b2ed4332c757910e62b61d45f39574bc
--- /dev/null
+++ b/virtrust/src/virtrust/base/log_adapt.h
@@ -0,0 +1,60 @@
+#ifndef LOG_ADAPT_H
+#define LOG_ADAPT_H
+#include <iostream>
+#include <sstream>
+#include <string>
+#include <utility>
+
+#include "spdlog/common.h"
+#include "spdlog/spdlog.h"
+
+#include "virtrust/api/defines.h"
+namespace virtrust {
+const int STDOUT_TYPE = 0;
+const int FILE_TYPE = 0;
+
+class LogAdapt {
+public:
+    LogAdapt(int logType, std::string path, int rotationFileSize, int rotationFileCount)
+        : logType_(logType), rotationFileSize_(rotationFileSize), rotationFileCount_(rotationFileCount) {};
+    ~LogAdapt() = default;
+
+    VirtrustRc Initialize();
+    static void UnInitialize();
+
+    static int GetLogLevel();
+    inline void SetLogLevel(int logLevel)
+    {
+        if (logLevel < 0) {
+            std::cerr << "logLevel is invalid. logLevel is" << logLevel << std::endl;
+            return;
+        }
+        logLevel_ = logLevel;
+    }
+    [[nodiscard]] inline bool IsLogLevelEnabled(int nowLevel) const
+    {
+        return nowLevel >= logLevel_;
+    }
+    VirtrustRc Log(int level, const char *prefix, const char *message) const;
+
+    static VirtrustRc CreateInstance(int &logType, int logLevel, const char *path, int rotationFileSize,
+                                     int rotationFileCount);
+    static VirtrustRc SetTmpLogger(int logType, std::string realPath, int rotationFileSize, int rotationFileCount,
+                                   int logLevel);
+    static std::unique_ptr<LogAdapt> gSpdLogger;
+    std::shared_ptr<spdlog::logger> spdLogger;
+    static void Flush();
+    static int loglevel;
+    static VirtrustRc ValidateParams(int logType, const char *path, int rotationFileSize, int rotationFileCount);
+    static thread_local std::string gLastErrorMessage;
+
+private:
+    int logType_;
+    int logLevel_{0};
+    std::string filePath_;
+    int rotationFileSize_;
+    int rotationFileCount_;
+};
+
+} // namespace virtrust
+#endif
diff --git a/virtrust/src/virtrust/base/logger.h b/virtrust/src/virtrust/base/logger.h
new file mode 100644
index 0000000000000000000000000000000000000000..1ad709cbe1967f68ff92d1ce6a6f88e782cac099
--- /dev/null
+++ b/virtrust/src/virtrust/base/logger.h
@@ -0,0 +1,54 @@
+#pragma once
+
+#include <sys/time.h>
+
+#include <atomic>
+#include <cstring>
+#include <functional>
+#include <iostream>
+#include <mutex>
+#include <sstream>
+#include <string>
+
+#include "spdlog/fmt/fmt.h"
+
+#include "virtrust/base/custom_logger.h"
+#include "virtrust/base/str_utils.h"
+
+#ifndef VIRTRUST_LIKELY
+#define VIRTRUST_LIKELY(x) (__builtin_expect(!!(x), 1) != 0)
+#endif
+
+#ifndef VIRTRUST_UNLIKELY
+#define VIRTRUST_UNLIKELY(x) (__builtin_expect(!!(x), 0) != 0)
+#endif
+
+#ifndef VIRTRUST_LOG_FILENAME
+#define VIRTRUST_LOG_FILENAME (strrchr(__FILE__, '/') ? strrchr(__FILE__, '/') + 1 : __FILE__)
+#endif
+
+#define VIRTRUST_LOG(level, ...)                                                                                       \
+    do {                                                                                                               \
+        auto logger = ::virtrust::Logger::Instance();                                                                  \
+        if (logger != nullptr) {                                                                                       \
+            logger->Log(level,                                                                                         \
+                        fmt::format("[VIRTRUST {}:{}]{}", VIRTRUST_LOG_FILENAME, __LINE__, fmt::format(__VA_ARGS__))); \
+        }                                                                                                              \
+    } while (0)
+
+#define VIRTRUST_LOG_TRACE(...) VIRTRUST_LOG(::virtrust::LogLevel::TRACE, __VA_ARGS__)
+#define VIRTRUST_LOG_DEBUG(...) VIRTRUST_LOG(::virtrust::LogLevel::DEBUG, __VA_ARGS__)
+#define VIRTRUST_LOG_INFO(...) VIRTRUST_LOG(::virtrust::LogLevel::INFO, __VA_ARGS__)
+#define VIRTRUST_LOG_WARN(...) VIRTRUST_LOG(::virtrust::LogLevel::WARN, __VA_ARGS__)
+#define VIRTRUST_LOG_ERROR(...) VIRTRUST_LOG(::virtrust::LogLevel::ERROR, __VA_ARGS__)
+
+#define VIRTRUST_ASSERT_LOG_RETURN(args, ret)  \
+    if (VIRTRUST_UNLIKELY(!(args))) {          \
+        VIRTRUST_LOG_ERROR("Assert" << #args); \
+        return (ret);                          \
+    }
+#define VIRTRUST_ASSERT_LOG_RETURN_VOID(args)  \
+    if (VIRTRUST_UNLIKELY(!(args))) {          \
+        VIRTRUST_LOG_ERROR("Assert" << #args); \
+        return (ret);                          \
+    }
diff --git a/virtrust/src/virtrust/base/str_utils.cpp b/virtrust/src/virtrust/base/str_utils.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..1e842a6ad74ae903d23afdb970d78a5fe1a55502
--- /dev/null
+++ b/virtrust/src/virtrust/base/str_utils.cpp
@@ -0,0 +1,26 @@
+#include "virtrust/base/str_utils.h"
+
+#include <sstream>
+#include <string>
+#include <vector>
+
+namespace virtrust {
+
+void StrSplit(std::string_view src, std::string_view sep, std::vector<std::string> &out)
+{
+
+    if (src.empty() || sep.empty()) {
+        return;
+    }
+    std::string::size_type pos1 = 0;
+    std::string::size_type pos2 = src.find(sep);
+    while (pos2 != std::string::npos) {
+        out.emplace_back(src.substr(pos1, pos2 - pos1));
+        pos1 = pos2 + sep.size();
+        pos2 = src.find(sep, pos1);
+    }
+    if (pos1 != src.size())
+        out.emplace_back(src.substr(pos1));
+}
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/base/str_utils.h b/virtrust/src/virtrust/base/str_utils.h
new file mode 100644
index 0000000000000000000000000000000000000000..ef2cca7e97a3236e98f2b362e576569548f30524
--- /dev/null
+++ b/virtrust/src/virtrust/base/str_utils.h
@@ -0,0 +1,134 @@
+#pragma once
+
+#include <sstream>
+#include <string>
+#include <vector>
+
+namespace virtrust {
+
+inline void MakeStringInternal(std::stringstream &)
+{}
+
+template <typename T> inline void MakeStringInternal(std::stringstream &ss, const T &t)
+{
+    ss << t;
+}
+
+template <> inline void MakeStringInternal(std::stringstream &ss, const std::stringstream &t)
+{
+
+    ss << t.str();
+}
+
+template <typename T, typename... Args>
+inline void MakeStringInternal(std::stringstream &ss, const T &t, const Args &...args)
+{
+    MakeStringInternal(ss, t);
+    MakeStringInternal(ss, args...);
+}
+
+template <typename... Args> std::string MakeString(const Args &...args)
+{
+    std::stringstream ss;
+    MakeStringInternal(ss, args...);
+    return std::string(ss.str());
+}
+
+template <typename T> std::string MakeString(const std::vector<T> &v, const std::string &delim = "")
+{
+    std::stringstream ss;
+    for (auto it = v.begin(); it != v.end(); ++it) {
+        if (it != v.begin()) {
+            MakeStringInternal(ss, delim);
+        }
+        MakeStringInternal(ss, *it);
+    }
+    return std::string(ss.str());
+}
+
+template <> inline std::string MakeString(const std::string &args)
+{
+    return args;
+}
+
+inline std::string MakeString(const char *cstr)
+{
+    return {cstr};
+}
+
+void StrSplit(std::string_view src, std::string_view sep, std::vector<std::string> &out);
+
+inline std::vector<std::string> StrSplit(std::string_view src, std::string_view sep)
+{
+    std::vector<std::string> out;
+    StrSplit(src, sep, out);
+    return out;
+}
+
+// 按照空白符分割字符串
+inline std::vector<std::string> StrSplit(const std::string &str)
+{
+    std::istringstream iss(str);
+    std::vector<std::string> rets;
+    std::string token;
+    while (iss >> token) { // 自动按空白分割病跳过多余空白
+        rets.push_back(token);
+    }
+    return rets;
+}
+// 去除收尾的指定字符
+inline std::string StrTrim(const std::string &str, char ch)
+{
+
+    if (str.empty()) {
+        return str;
+    }
+    size_t start = str.find_first_not_of(ch);
+    if (start == std::string::npos) {
+        return ""; // 全是目标字符
+    }
+    size_t end = str.find_last_of(ch);
+    return str.substr(start, end - start + 1);
+}
+
+// 去除首尾的空白符
+inline std::string StrTrimWhitespace(const std::string &str)
+{
+    const std::string whitespace = "\t\n\v\f\r";
+    size_t start = str.find_first_not_of(whitespace);
+    if (start == std::string::npos) {
+
+        return "";
+    }
+    size_t end = str.find_last_of(whitespace);
+    return str.substr(start, end - start + 1);
+}
+
+// 统计字符出现次数
+
+inline size_t StrCountChar(const std::string &str, char target)
+{
+    int cnt = 0;
+    for (const char ch : str) {
+        if (ch == target) {
+            cnt++;
+        }
+    }
+    return cnt;
+}
+
+inline bool StrStartsWith(const std::string_view &s, const std::string_view &prefix)
+{
+    return s.size() >= prefix.size() && s.compare(0, prefix.size(), prefix) == 0;
+}
+
+inline bool startsWithIgnoreSpaces(const std::string &str, const std::string_view &prefix)
+{
+    size_t start = str.find_first_not_of(' ');
+    if (start == std::string::npos) {
+        return false;
+    }
+    return str.substr(start).find(prefix) == 0;
+}
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/base/str_utils_test.cpp b/virtrust/src/virtrust/base/str_utils_test.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..3578192d747ef7d722de41adcddcaf6f3616a7d7
--- /dev/null
+++ b/virtrust/src/virtrust/base/str_utils_test.cpp
@@ -0,0 +1,161 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+ */
+
+#include "gtest/gtest.h"
+
+#include "virtrust/base/str_utils.h"
+
+namespace virtrust {
+
+TEST(StrUtils, MakeString)
+{
+    // Test basic functionality
+    EXPECT_EQ(MakeString(), "");
+    EXPECT_EQ(MakeString("hello"), "hello");
+    EXPECT_EQ(MakeString("hello", " ", "world"), "hello world");
+    EXPECT_EQ(MakeString(123), "123");
+    EXPECT_EQ(MakeString(123, " ", 456), "123 456");
+    EXPECT_EQ(MakeString("Number:", 42), "Number:42");
+
+    // Test with Vector
+    std::vector<int> nums = {1, 2, 3, 4, 5};
+    EXPECT_EQ(MakeString(nums), "1 2 3 4 5");
+
+    std::vector<std::string> strs = {"a", "b", "c"};
+    EXPECT_EQ(MakeString(strs), "a b c");
+
+    // Test with custom delimiter
+    EXPECT_EQ(MakeString<int>(nums, ","), "1,2,3,4,5");
+}
+
+TEST(StrUtils, Split)
+{
+    // Test Split with separator
+    std::vector<std::string> result;
+    StrSplit("a,b,c", ",", result);
+    ASSERT_EQ(result.size(), (size_t)3);
+    EXPECT_EQ(result[0], "a");
+    EXPECT_EQ(result[1], "b");
+    EXPECT_EQ(result[2], "c");
+
+    // Test Split with empty string
+    result.clear();
+    StrSplit("", ",", result);
+    ASSERT_EQ(result.size(), (size_t)0);
+
+    // Test Split with no separator
+    result.clear();
+    StrSplit("abc", ",", result);
+    ASSERT_EQ(result.size(), (size_t)1);
+    EXPECT_EQ(result[0], "abc");
+
+    // Test Split with empty separator
+    result.clear();
+    StrSplit("abc", "", result);
+    ASSERT_EQ(result.size(), (size_t)0);
+
+    // Test Split with multiple consecutive separators
+    result.clear();
+    StrSplit("a,,b,,c", ",", result);
+    ASSERT_EQ(result.size(), (size_t)5);
+    EXPECT_EQ(result[0], "a");
+    EXPECT_EQ(result[1], "");
+    EXPECT_EQ(result[2], "b");
+    EXPECT_EQ(result[3], "");
+    EXPECT_EQ(result[4], "c");
+
+    // Test Split with trailing separator
+    result.clear();
+    StrSplit("a,b,", ",", result);
+    ASSERT_EQ(result.size(), (size_t)2);
+    EXPECT_EQ(result[0], "a");
+    EXPECT_EQ(result[1], "b");
+
+    // Test Split with leading separator
+    result.clear();
+    StrSplit(",a,b", ",", result);
+    ASSERT_EQ(result.size(), (size_t)3);
+    EXPECT_EQ(result[0], "");
+    EXPECT_EQ(result[1], "a");
+    EXPECT_EQ(result[2], "b");
+}
+
+TEST(StrUtils, SplitWithEmptyString)
+{
+    // Test Split with empty string (no separator)
+    std::vector<std::string> result = StrSplit("a,b,c", ",");
+    ASSERT_EQ(result.size(), (size_t)3);
+    EXPECT_EQ(result[0], "a");
+    EXPECT_EQ(result[1], "b");
+    EXPECT_EQ(result[2], "c");
+}
+
+TEST(StrUtils, SplitWhitespace)
+{
+    // Test Split with whitespace separator
+    std::vector<std::string> result = StrSplit("  hello   world  ");
+    ASSERT_EQ(result.size(), (size_t)2);
+    EXPECT_EQ(result[0], "hello");
+    EXPECT_EQ(result[1], "world");
+
+    // Test Split with multiple whitespace
+    result = StrSplit("a\t\nb\r\fc");
+    ASSERT_EQ(result.size(), (size_t)3);
+    EXPECT_EQ(result[0], "a");
+    EXPECT_EQ(result[1], "b");
+    EXPECT_EQ(result[2], "c");
+
+    // Test Split with empty string
+    result = StrSplit("");
+    ASSERT_EQ(result.size(), (size_t)0);
+
+    // Test Split with only whitespace
+    result = StrSplit("   \t\n  ");
+    ASSERT_EQ(result.size(), (size_t)0);
+}
+
+TEST(StrUtils, Trim)
+{
+    // Test Trim with specified character
+    EXPECT_EQ(StrTrim("aaaHelloaaa", 'a'), "hello");
+    EXPECT_EQ(StrTrim("bbbWorldbbb", 'b'), "World");
+    EXPECT_EQ(StrTrim("Hello", 'x'), "Hello");
+    EXPECT_EQ(StrTrim("aaaa", 'a'), "");
+    EXPECT_EQ(StrTrim("", 'a'), "");
+    EXPECT_EQ(StrTrim("  Hello  ", ' '), "Hello");
+}
+
+TEST(StrUtils, TrimWhitespace)
+{
+    // Test TrimWhitespace
+    EXPECT_EQ(StrTrimWhitespace("  Hello  "), "hello");
+    EXPECT_EQ(StrTrimWhitespace("\t\nHello\r\f"), "Hello");
+    EXPECT_EQ(StrTrimWhitespace("Hello"), "Hello");
+    EXPECT_EQ(StrTrimWhitespace(""), "");
+    EXPECT_EQ(StrTrimWhitespace("    "), "");
+    EXPECT_EQ(StrTrimWhitespace("\t\n\r\f\v"), "");
+}
+
+TEST(StrUtils, CountChar)
+{
+    // Test CountChar
+    EXPECT_EQ(StrCountChar("hello world", 'l'), (size_t)3);
+    EXPECT_EQ(StrCountChar("abcdef", 'z'), (size_t)0);
+    EXPECT_EQ(StrCountChar("", 'a'), (size_t)0);
+    EXPECT_EQ(StrCountChar("aaaaaa", 'a'), (size_t)6);
+    EXPECT_EQ(StrCountChar("Hello World", ' '), (size_t)1);
+}
+
+TEST(StrUtils, StartsWith)
+{
+    // Test StartsWith
+    EXPECT_TRUE(StrStartsWith("Hello World", "Hello"));
+    EXPECT_FALSE(StrStartsWith("Hello World", "World"));
+    EXPECT_TRUE(StrStartsWith("Hello", "Hello"));
+    EXPECT_FALSE(StrStartsWith("Hello", "Hello World"));
+    EXPECT_TRUE(StrStartsWith("", ""));
+    EXPECT_FALSE(StrStartsWith("", "Hello"));
+    EXPECT_TRUE(StrStartsWith("Hello World", ""));
+}
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/crypto/CMakeLists.txt b/virtrust/src/virtrust/crypto/CMakeLists.txt
new file mode 100644
index 0000000000000000000000000000000000000000..fbe1678b7af0cb3b8cc060a5840db74c15f657b3
--- /dev/null
+++ b/virtrust/src/virtrust/crypto/CMakeLists.txt
@@ -0,0 +1,10 @@
+# Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+set(VIRTRUST_SOURCE_FILES ${VIRTRUST_SOURCE_FILES}
+                          ${CMAKE_CURRENT_LIST_DIR}/sm3.cpp)
+
+# add_virtrust_test_if(sm3_test ${BUILD_TEST})
+
+set(VIRTRUST_SOURCE_FILES
+    ${VIRTRUST_SOURCE_FILES}
+    PARENT_SCOPE)
diff --git a/virtrust/src/virtrust/crypto/sm3.cpp b/virtrust/src/virtrust/crypto/sm3.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..7de0411b67a05dfbb919dce3ac9f39ec19c3a9b0
--- /dev/null
+++ b/virtrust/src/virtrust/crypto/sm3.cpp
@@ -0,0 +1,152 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+#include "virtrust/crypto/sm3.h"
+
+#include <vector>
+
+#include <securec.h>
+
+#include "virtrust/base/logger.h"
+#include "virtrust/dllib/openssl.h"
+
+namespace virtrust {
+
+Sm3::Sm3()
+    : md_(SmartEVP_MD(Openssl::GetInstance().EVP_MD_fetch(nullptr, "sm3", nullptr))),
+      context_(SmartEVP_MD_CTX(Openssl::GetInstance().EVP_MD_CTX_new()))
+{
+    Reset();
+}
+
+Sm3Rc Sm3::Reset()
+{
+    if (context_.Get() == nullptr || md_.Get() == nullptr) {
+        VIRTRUST_LOG_ERROR("Sm3::Reset() Failed, context_ or md_ is nullptr");
+        return Sm3Rc::ERROR;
+    }
+
+    auto ret = Openssl::GetInstance().EVP_MD_CTX_reset(context_.Get());
+    if (ret != OPENSSL_OK) {
+        VIRTRUST_LOG_ERROR("Sm3::Reset() Failed, EVP_MD_CTX_reset return:{}", ret);
+        return Sm3Rc::ERROR;
+    }
+
+    // NOTE we do not need to reset md_-
+    ret = Openssl::GetInstance().EVP_DigestInit(context_.Get(), md_.Get());
+    if (ret != OPENSSL_OK) {
+        VIRTRUST_LOG_ERROR("Sm3::Reset() Failed, EVP_DigestInit return:{}", ret);
+        return Sm3Rc::ERROR;
+    }
+
+    return Sm3Rc::OK;
+}
+
+Sm3Rc Sm3::Update(std::string_view data)
+{
+    if (data.size() > UPDATE_SIZE_LIMIT) {
+        VIRTRUST_LOG_ERROR("Sm3::Update() Failed, input data size:{}, exceeds limit:{}", data.size(),
+                           UPDATE_SIZE_LIMIT);
+        return Sm3Rc::ERROR;
+    }
+
+    if (context_.Get() == nullptr) {
+        VIRTRUST_LOG_ERROR("Sm3::Update() Failed, context is nullptr");
+        return Sm3Rc::ERROR;
+    }
+
+    auto ret = Openssl::GetInstance().EVP_DigestUpdate(context_.Get(), data.data(), data.size());
+    if (ret != OPENSSL_OK) {
+        VIRTRUST_LOG_ERROR("Sm3::Update() Failed, EVP_DigestUpdate  returns: {}", ret);
+        return Sm3Rc::ERROR;
+    }
+
+    return Sm3Rc::OK;
+}
+
+std::vector<uint8_t> Sm3::CumulativeHash() const
+{
+    if (context_.Get() == nullptr || md_.Get() == nullptr) {
+        VIRTRUST_LOG_ERROR("Sm3::CumulativeHash() Failed, context_ or md_ is nullptr");
+        return {};
+    }
+
+    unsigned int out_len = 0;
+    std::vector<uint8_t> out(DigestSize());
+
+    auto ctx_snapshot = SmartEVP_MD_CTX(Openssl::GetInstance().EVP_MD_CTX_new());
+    if (ctx_snapshot.Get() == nullptr) {
+        VIRTRUST_LOG_ERROR("Sm3::CumulativeHash() Failed, EVP_MD_CTX_new returns nullptr");
+        return {};
+    }
+
+    auto ret = Openssl::GetInstance().EVP_MD_CTX_copy_ex(ctx_snapshot.Get(), context_.Get());
+    if (ret != OPENSSL_OK) {
+        VIRTRUST_LOG_ERROR("Sm3::CumulativeHash() Failed, EVP_MD_CTX_copy_ex returns:{}", ret);
+        return {};
+    }
+
+    ret = Openssl::GetInstance().EVP_DigestFinal_ex(ctx_snapshot.Get(), out.data(), &out_len);
+    if (ret != OPENSSL_OK) {
+        VIRTRUST_LOG_ERROR("Sm3::CumulativeHash() Failed, EVP_DigestFinal_ex returns:{}", ret);
+        return {};
+    }
+
+    if (out_len != DigestSize()) {
+        VIRTRUST_LOG_ERROR("Sm3::CumulativeHash() Failed, EVP_DigestFinal_ex "
+                           "output len incorrect:{}",
+                           out_len);
+        return {};
+    }
+
+    return out;
+}
+
+std::array<uint8_t, Sm3::DigestSize()> DoSm3(std::string_view data)
+{
+    auto sm3 = Sm3();
+    if (sm3.Update(data) != Sm3Rc::OK) { // data.size limit will be captured here
+        VIRTRUST_LOG_ERROR("DoSm3() Failed, Update error");
+        return {};
+    }
+
+    auto buf = sm3.CumulativeHash();
+    if (buf.size() < Sm3::DigestSize()) {
+        VIRTRUST_LOG_ERROR("DoSm3() Failed, CumulativeHash output len incorrent:{}", buf.size());
+        return {};
+    }
+
+    std::array<uint8_t, Sm3::DigestSize()> out{};
+    auto ret = memcpy_s(out.data(), out.size(), buf.data(), buf.size());
+    if (ret != EOK) {
+        VIRTRUST_LOG_ERROR("DoSm3() Failed, memcpy_s error. ret is: {}", ret);
+        return {};
+    }
+
+    return out;
+}
+
+Sm3Rc DoSm3(std::string_view data, std::vector<uint8_t> &out)
+{
+    auto sm3 = Sm3();
+    if (sm3.Update(data) != Sm3Rc::OK) { // data.size limit will be captured here
+        VIRTRUST_LOG_ERROR("DoSm3() Failed, update error");
+        return Sm3Rc::ERROR;
+    }
+
+    auto buf = sm3.CumulativeHash();
+    if (buf.size() < Sm3::DigestSize()) {
+        VIRTRUST_LOG_ERROR("DoSm3() Failed, CumulativeHash output len incorrent:{}", buf.size());
+        return Sm3Rc::ERROR;
+    }
+
+    auto ret = memcpy_s(out.data(), out.size(), buf.data(), buf.size());
+    if (ret != EOK) {
+        VIRTRUST_LOG_ERROR("DoSm3() Failed, memcpy_s error. ret is: {}", ret);
+        return Sm3Rc::ERROR;
+    }
+
+    return Sm3Rc::OK;
+}
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/crypto/sm3.h b/virtrust/src/virtrust/crypto/sm3.h
new file mode 100644
index 0000000000000000000000000000000000000000..76e9c4324bab9fc2a868045b9b3693f0df57bc9d
--- /dev/null
+++ b/virtrust/src/virtrust/crypto/sm3.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#pragma once
+#include <cstddef>
+#include <cstdint>
+#include <memory>
+#include <vector>
+
+#include "virtrust/dllib/openssl.h"
+#include "virtrust/dllib/openssl_defines.h"
+#include "virtrust/utils/smart_deleter.h"
+
+namespace virtrust {
+
+VIRTRUST_MAKE_SMART(EVP_MD_CTX, Openssl::GetInstance().EVP_MD_CTX_free);
+VIRTRUST_MAKE_SMART(EVP_MD, Openssl::GetInstance().EVP_MD_free);
+
+enum class Sm3Rc : uint32_t {
+    OK = 0,
+    ERROR = 1
+};
+
+class Sm3 {
+public:
+    Sm3();
+    Sm3Rc Reset();
+    Sm3Rc Update(std::string_view data);
+    std::vector<uint8_t> CumulativeHash() const;
+
+    static constexpr size_t DigestSize()
+    {
+        return DIGEST_SIZE;
+    }
+
+private:
+    SmartEVP_MD md_;
+    SmartEVP_MD_CTX context_;
+    static constexpr size_t DIGEST_SIZE = 32;
+    static constexpr size_t UPDATE_SIZE_LIMIT = 1024 * 1024 * 1024; // 1G
+};
+
+std::array<uint8_t, Sm3::DigestSize()> DoSm3(std::string_view data);
+Sm3Rc DoSm3(std::string_view data, std::vector<uint8_t> &out);
+
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/crypto/sm3_test.cpp b/virtrust/src/virtrust/crypto/sm3_test.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..4cd20784d90820551fecf44bf0a3491cb967b285
--- /dev/null
+++ b/virtrust/src/virtrust/crypto/sm3_test.cpp
@@ -0,0 +1,251 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+ */
+
+#include <string>
+#include <vector>
+
+#include "gtest/gtest.h"
+
+#include "virtrust/crypto/sm3.h"
+#include "virtrust/dllib/openssl.h"
+
+namespace virtrust::test {
+namespace {
+// The following two test vectors are taken from
+// https://www.oscca.gov.cn/sca/xxgk/2010-12/17/1002389/files/302a3ada057c4a73830536d03e683110.pdf
+const std::vector<std::string> SM3_TEST_DATA = {"abc",
+                                                "66c7f0f462eeedd9d1f2d46bdc10e4e24167c4875cf2f7a2297da02b8f4ba8e0",
+                                                "abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd",
+                                                "debe9ff92275b8a138604889c18e5a4d6fdb70e5387e5765293dcba39c0c5732",
+                                                "dabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd"}；
+
+    inline std::string
+    BytesToHexString(const std::vector<uint_8> &bytes)
+{
+    std::ostringstream oss;
+    oss << std::hex << std::setfill('0'); // Set output to hex and pad with '0'
+
+    for (unsigned char byte : bytes) {
+        oss << std::setw(2) << static_cast<int>(byte); // Format each bute as 2-digit hex
+    }
+
+    return oss.str();
+}
+
+} // namespace
+
+TEST(Sm3Test, Works)
+{
+    std::string msg = "123";
+    auto result1 = DoSm3(msg);
+    auto result2 = DoSm3(msg);
+
+    EXPECT_EQ(result1.size(), Sm3::DigestSize());
+    EXPECT_EQ(result1.size(), result2.size());
+    EXPECT_EQ(memcmp(result1.data(), result2.data(), result1.size()), 0);
+}
+
+TEST(Sm3Test, Test1)
+{
+    auto hash = Sm3();
+    hash.Update(SM3_TEST_DATA[0]);
+    auto ret = BytesToHexString(hash.CumulativeHash());
+    EXPECT_EQ(ret.size(), SM3_TEST_DATA[1].size());
+    EXPECT_EQ(ret, SM3_TEST_DATA[1]);
+}
+
+TEST(Sm3Test, Test2)
+{
+    auto hash = Sm3();
+    hash.Update(SM3_TEST_DATA[2]);
+    auto ret = BytesToHexString(hash.CumulativeHash());
+    EXPECT_EQ(ret.size(), SM3_TEST_DATA[3].size());
+    EXPECT_EQ(ret, SM3_TEST_DATA[3]);
+}
+
+TEST(Sm3Test, Test3)
+{
+    auto hash = Sm3();
+    hash.Update(SM3_TEST_DATA[0]);
+    hash.Update(SM3_TEST_DATA[4]);
+    auto ret = BytesToHexString(hash.CumulativeHash());
+    EXPECT_EQ(ret.size(), SM3_TEST_DATA[3].size());
+    EXPECT_EQ(ret, SM3_TEST_DATA[3]);
+}
+
+TEST(Sm3Test, Test4)
+{
+    auto hash = Sm3();
+    hash.Update(SM3_TEST_DATA[0]);
+    hash.Reset();
+    hash.Update(SM3_TEST_DATA[2]);
+    auto ret = BytesToHexString(hash.CumulativeHash());
+    EXPECT_EQ(ret.size(), SM3_TEST_DATA[3].size());
+    EXPECT_EQ(ret, SM3_TEST_DATA[3]);
+}
+
+// Test empty string
+TEST(Sm3Test, EmptyString)
+{
+    auto hash = Sm3();
+    hash.Update("");
+    auto result = hash.CumulativeHash();
+    EXPECT_EQ(result.size(), Sm3::DigestSize());
+    EXPECT_FALSE(result.empty());
+}
+
+// Test various string sizes
+TEST(Sm3Test, VariousSizes)
+{
+    // Small strings
+    std::Vector<std::string> testString = {"", "a", "ab", "abc", "abcd"};
+    for (const auto &str : testString) {
+        auto hash = Sm3();
+        hash.Update(str);
+        auto result = hash.CumulativeHash();
+        EXPECT_EQ(result.size(), Sm3::DigestSize());
+    }
+
+    // Large strings
+    std::string largeStr(1000, 'x');
+    auto hash = Sm3();
+    hash.Update(largeStr);
+    auto result = hash.CumulativeHash();
+    EXPECT_EQ(result.size(), Sm3::DigestSize());
+}
+
+// Test Update with size limit
+TEST(Sm3Test, UpdateSizeLimit)
+{
+    // Test within limit
+    std::string smallData(1000, 'x');
+    auto hash = Sm3();
+    EXPECT_EQ(hash.Update(smallData), Sm3Rc::OK);
+
+    // Test exceeding limit (should return ERROR)
+    std::string largeData(1024 * 1024 * 1024 + 1, 'x'); // limit
+    EXPECT_EQ(hash.Update(largeData), Sm3Rc::ERROR);
+}
+
+// Test cumulative hash with empty context
+TEST(Sm3Test, CumulativeHashWithNullContext)
+{
+    // This test requires mocking or directly testing the internal state
+    // The actual implementation handles null checks, but we want to ensure
+    // the function behaves correctly
+    auto hash = Sm3();
+    // Normally the context is initialized, but we can still verify it works
+    hash.Update("test");
+    auto result = hash.CumulativeHash();
+    EXPECT_EQ(result.size(), Sm3::DigestSize());
+}
+
+// Test reset functionality
+TEST(Sm3Test, ResetFunctionality)
+{
+    auto hash = Sm3();
+
+    // Update with some data
+    hash.Update("hello");
+    auto intermediateHash = hash.CumulativeHash();
+    EXPECT_EQ(intermediateHash.size(), Sm3::DigestSize());
+
+    // Reset and update with different data
+    hash.Reset();
+    hash.Update("world");
+    auto finalHash = hash.CumulativeHash();
+    EXPECT_EQ(finalHash.size(), Sm3::DigestSize());
+
+    // Hashes should be different
+    EXPECT_NE(memcmp(intermediateHash.data(), finalHash.data(), intermediateHash.size()), 0);
+}
+
+// Test DoSm3 with vector output
+TEST(Sm3Test, DoSm3VectorOutput)
+{
+    std::string testData = "test data";
+    std::vector<uint_8> output(Sm3::DigestSize());
+
+    auto result = DoSm3(testData, output);
+    EXPECT_EQ(result, Sm3Rc::OK);
+    EXPECT_EQ(output.size(), Sm3::DigestSize());
+
+    // Verify the output is not empty
+    bool allZero = true;
+    for (unit8_t byte : output) {
+        if (byte != 0) {
+            allZero = false;
+            break;
+        }
+    }
+    EXPECT_FALSE(allZero);
+}
+
+// Test DoSm3 with array output (existing test)
+TEST(Sm3Test, DoSm3ArrayOutput)
+{
+    std::string testData = "test data";
+    auto result = DoSm3(testData);
+
+    EXPECT_EQ(result.size(), Sm3::DigestSize());
+
+    // Verify the output is not all zeros
+    bool allZero = true;
+    for (unit8_t byte : result) {
+        if (byte != 0) {
+            allZero = false;
+            break;
+        }
+    }
+    EXPECT_FALSE(allZero);
+}
+
+// Test Hash consistency across multiple updates
+TEST(Sm3Test, MultipleUpdatesConsistency)
+{
+    std::string data1 = "hello";
+    std::string data2 = "";
+    std::string data3 = "world";
+
+    // Single update
+    auto hash1 = Sm3();
+    hash1.Update(data1 + data2 + data3);
+    auto result1 = hash1.CumulativeHash();
+
+    // Multiple updates
+    auto hash2 = Sm3();
+    hash2.Update(data1);
+    hash2.Update(data2);
+    hash2.Update(data3);
+    auto result2 = hash2.CumulativeHash();
+
+    // Results should be identical
+    EXPECT_EQ(result1.size(), result2.size());
+    EXPECT_EQ(memcmp(result1.data(), result2.data(), result1.size()), 0);
+}
+
+// Test Hash concatenation
+TEST(Sm3Test, HashConcatenation)
+{
+    std::string data1 = "first";
+    std::string data2 = "second";
+
+    auto hash1 = Sm3();
+    hash1.Update(data1);
+    auto hash1Result = hash1.CumulativeHash();
+
+    auto hash2 = Sm3();
+    hash2.Update(data2);
+    auto hash2Result = hash2.CumulativeHash();
+
+    auto hash3 = Sm3();
+    hash3.Update(data1 + data2);
+    auto hash3Result = hash3.CumulativeHash();
+
+    // Hashes should be different
+    EXPECT_NE(memcmp(hash1Result.data(), hash2Result.data(), hash1Result.size()), 0);
+    EXPECT_NE(memcmp(hash1Result.data(), hash3Result.data(), hash1Result.size()), 0);
+    EXPECT_NE(memcmp(hash2Result.data(), hash3Result.data(), hash2Result.size()), 0);
+}
+} // namespace virtrust::test
\ No newline at end of file
diff --git a/virtrust/src/virtrust/dllib/CMakeLists.txt b/virtrust/src/virtrust/dllib/CMakeLists.txt
new file mode 100644
index 0000000000000000000000000000000000000000..e2d1b7743494201f7354fe9416a68aa9c8078f2c
--- /dev/null
+++ b/virtrust/src/virtrust/dllib/CMakeLists.txt
@@ -0,0 +1,18 @@
+# Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+
+set(VIRTRUST_SOURCE_FILES ${VIRTRUST_SOURCE_FILES})
+
+# add_virtrust_test_if(libxml2_test ${BUILD_TEST})
+
+# HACK libguestfs has memory leaks, so we disable this test under asan
+#
+# if(NOT CMAKE_BUILD_TYPE STREQUAL "Asan") add_virtrust_test_if(libguestfs_test
+# ${BUILD_TEST}) endif()
+
+# add_virtrust_test_if(libvirt_test ${BUILD_TEST})
+# add_virtrust_test_if(openssl_test ${BUILD_TEST})
+# add_virtrust_test_if(dllib_test ${BUILD_TEST})
+
+set(VIRTRUST_SOURCE_FILES
+    ${VIRTRUST_SOURCE_FILES}
+    PARENT_SCOPE)
diff --git a/virtrust/src/virtrust/dllib/common.h b/virtrust/src/virtrust/dllib/common.h
new file mode 100644
index 0000000000000000000000000000000000000000..c7e031b4793b67d96c974e9aacfd0d7093b1fc6f
--- /dev/null
+++ b/virtrust/src/virtrust/dllib/common.h
@@ -0,0 +1,130 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#pragma once
+
+#include <dlfcn.h>
+
+#include <cstdint>
+#include <functional>
+#include <memory>
+#include <numeric>
+#include <stdexcept>
+#include <string_view>
+
+#include "virtrust/base/str_utils.h"
+
+namespace virtrust {
+
+// Dllib Return Code
+enum class DllibRc : uint32_t {
+    OK = 0,
+    ERROR = 1,
+};
+
+template <class R, class... Args> class DlFun {
+public:
+    using FunTy = R (*)(Args...);
+
+    DlFun() = default;
+
+    DlFun(std::string_view name, FunTy funptr)
+        : funName_(name), funptr_(funptr ? std::function<R(Args...)>(funptr) : std::function<R(Args...)>(nullptr))
+    {}
+
+    std::function<R(Args...)> Get() const
+    {
+        return funptr_;
+    }
+
+    std::string GetName() const
+    {
+        return funName_;
+    }
+
+    R operator()(Args... args) const
+    {
+        if (!funptr_) {
+            throw std::runtime_error(std::string("[") + __FILE__ + ":" + std::to_string(__LINE__) +
+                                     "] Fatal Error: function " + funName_ +
+                                     " is nullptr, maybe previous dlsym failed.");
+        }
+        return funptr_(std::forward<Args>(args)...);
+    }
+
+private:
+    std::string funName_ = "unknown";
+    std::function<R(Args...)> funptr_ = nullptr;
+};
+
+class DlLibBase {
+public:
+    // Check whether dlopen and dlsym has succeed
+    DllibRc CheckOk() const
+    {
+        return ok_ ? DllibRc::OK : DllibRc::ERROR;
+    }
+
+    size_t Size() const
+    {
+        return size_;
+    }
+
+protected:
+    explicit DlLibBase(std::string_view lib) : libName_(lib)
+    {}
+
+    virtual ~DlLibBase()
+    {
+        SelfDlClose();
+    }
+
+    void SelfDlClose()
+    {
+        // the stored pointer
+        if (libptr_ != nullptr) {
+            dlclose(libptr_);
+            libptr_ = nullptr;
+        }
+
+        // reset to default
+        size_ = 0;
+        ok_ = true;
+    }
+
+    DllibRc SelfDlOpen()
+    {
+        libptr_ = dlopen(libName_.data(), RTLD_NOW | RTLD_GLOBAL);
+        return libptr_ != nullptr ? DllibRc::OK : DllibRc::ERROR;
+    }
+
+    template <class R, class... Args> void SelfDlSym(std::string_view funName, DlFun<R, Args...> &outFun)
+    {
+        if (libptr_ == nullptr || funName.empty()) {
+            return;
+        }
+
+        void *funPtr = dlsym(libptr_, funName.data());
+        if (funPtr == nullptr) {
+            ok_ = false;
+        }
+        size_++; // always add up internal size counter
+        outFun = DlFun<R, Args...>(funName, reinterpret_cast<R (*)(Args...)>(funPtr));
+    }
+
+private:
+    void *libptr_ = nullptr;
+    const std::string libName_ = "unknown";
+
+    // funCache_ stores all dlsym function raw pointers
+    // WARNING: DO NOT manually manipulate those pointers
+    std::vector<void *> funCache_; // cache DO NOT own pointers, those pointers should read only
+    size_t size_ = 0;
+    bool ok_ = true;
+};
+
+// The second argument is the templateHelper which helps template deduction
+#define DLLIB_SELF_DLSYM(NAME) SelfDlSym(#NAME, NAME)
+
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/dllib/dllib_test.cpp b/virtrust/src/virtrust/dllib/dllib_test.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..8479712da16142142f3830374cab60c38976d58a
--- /dev/null
+++ b/virtrust/src/virtrust/dllib/dllib_test.cpp
@@ -0,0 +1,102 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+ */
+
+#include "gtest/gtest.h"
+
+#include "virtrust/dllib/libguestfs.h"
+#include "virtrust/dllib/libvirt.h"
+#include "virtrust/dllib/libxml2.h"
+#include "virtrust/dllib/openssl.h"
+
+namespace virtrust {
+
+TEST(DynamicLibraryTest, OpensslInitialization)
+{
+    // Test taht Openssl can be initialied properly
+    auto &openssl = Openssl::GetInstance();
+    EXPECT_EQ(openssl.CheckOK(), DllibRc::OK);
+
+    // Test that the library was loaded
+    EXPECT_GT(openssl.Size(), (size_t)0);
+}
+
+TEST(DynamicLibraryTest, OpensslFunctionPointers)
+{
+    // Test taht all key openssl function pointers are valid
+    auto &openssl = Openssl::GetInstance();
+
+    // Test that function pointers are not null
+    EXPECT_NE(openssl.EVP_MD_CTX_new.Get(), nullptr);
+    EXPECT_NE(openssl.EVP_MD_CTX_free.Get(), nullptr);
+    EXPECT_NE(openssl.EVP_DigestInit.Get(), nullptr);
+    EXPECT_NE(openssl.EVP_DigestUpdate.Get(), nullptr);
+    EXPECT_NE(openssl.EVP_DigestFinal_ex.Get(), nullptr);
+    EXPECT_NE(openssl.EVP_MD_fetch.Get(), nullptr);
+    EXPECT_NE(openssl.EVP_MD_free.Get(), nullptr);
+    EXPECT_NE(openssl.EVP_MD_CTX_reset.Get(), nullptr);
+    EXPECT_NE(openssl.EVP_MD_CTX_copy_ex.Get(), nullptr);
+}
+
+TEST(DynamicLibraryTest, OpensslReloadFunctionality)
+{
+    // Test reload functionality
+    auto &openssl = Openssl::GetInstance();
+
+    // Check initial state
+    EXPECT_EQ(openssl.CheckOK(), DllibRc::OK);
+
+    // Reload the library
+    auto ret = openssl.Reload();
+    EXPECT_EQ(ret, DllibRc::OK);
+
+    // Verify it's still working after reload
+    EXPECT_EQ(openssl.CheckOK(), DllibRc::OK);
+}
+
+TEST(DynamicLibraryTest, LibvirtInitialization)
+{
+    // Test that libvirt can be initialied properly
+    auto &libvirt = Libvirt::GetInstance();
+    // Note: we don't assert CheckOK() as libvirt might not be available in test
+    // environment But we can verify it doesn't crash
+    EXPECT_NE(&libvirt, nullptr);
+}
+
+TEST(DynamicLibraryTest, LibguestfsInitialization)
+{
+    auto &libguestfs = Libguestfs::GetInstance();
+    // Note: we don't assert CheckOK() as libguestfs might not be available in
+    // test environment But we can verify it doesn't crash
+    EXPECT_NE(&libguestfs, nullptr);
+}
+
+TEST(DynamicLibraryTest, Libxml2Initialization)
+{
+    // Test that libxml2 can be initialied properly
+    auto &libxml2 = Libxml2::GetInstance();
+    // Note: we don't assert CheckOK() as libxml2 might not be available in test
+    // environment But we can verify it doesn't crash
+    EXPECT_NE(&libxml2, nullptr);
+}
+
+TEST(DynamicLibraryTest, SingletonPattern)
+{
+    // Test that all dynamic library classes follow singleton pattern
+    auto &openssl1 = Openssl::GetInstance();
+    auto &openssl2 = Openssl::GetInstance();
+    EXPECT_EQ(&openssl1, &openssl2);
+
+    auto &libvirt1 = Libvirt::GetInstance();
+    auto &libvirt2 = Libvirt::GetInstance();
+    EXPECT_EQ(&libvirt1, &libvirt2);
+
+    auto &libguestfs1 = Libguestfs::GetInstance();
+    auto &libguestfs2 = Libguestfs::GetInstance();
+    EXPECT_EQ(&libguestfs1, &libguestfs2);
+
+    auto &libxml21 = Libxml2::GetInstance();
+    auto &libxml22 = Libxml2::GetInstance();
+    EXPECT_EQ(&libxml21, &libxml22);
+}
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/dllib/libguestfs.h b/virtrust/src/virtrust/dllib/libguestfs.h
new file mode 100644
index 0000000000000000000000000000000000000000..7b7f4741f7cb8b32a8e91beac1866aca0c57e850
--- /dev/null
+++ b/virtrust/src/virtrust/dllib/libguestfs.h
@@ -0,0 +1,103 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#pragma once
+
+#include <dlfcn.h>
+
+#include <cstdarg>
+#include <cstdint>
+#include <functional>
+#include <string_view>
+
+#include "virtrust/dllib/common.h"
+#include "virtrust/dllib/libguestfs_defines.h"
+
+namespace virtrust {
+
+// libguestfs api
+class Libguestfs : public DlLibBase {
+public:
+    ~Libguestfs() = default;
+    Libguestfs(const Libguestfs &) = delete;
+    void operator=(const Libguestfs &) = delete;
+
+    // Singleton instance
+    static Libguestfs &GetInstance()
+    {
+        static Libguestfs instance;
+        return instance;
+    }
+
+    // Reload all functions
+    DllibRc Reload()
+    {
+        SelfDlClose();
+        LoadAll();
+        return CheckOk();
+    }
+
+    // Declare all functions that you need
+    // NOTE Please make sure the class instance is inited before calling those
+    // functions
+
+    // Create guestfs context
+    DlFun<guestfs_h *> guestfs_create;
+
+    DlFun<int, guestfs_h *, const char *> guestfs_set_backend;
+
+    DlFun<int, guestfs_h *, const char *, const struct guestfs_add_drive_opts_argv> guestfs_add_drive_opts_argv;
+
+    DlFun<int, guestfs_h *> guestfs_launch;
+
+    DlFun<char **, guestfs_h *> guestfs_inspect_os;
+
+    DlFun<char **, guestfs_h *, const char *> guestfs_inspect_get_mountpoints;
+
+    DlFun<int, guestfs_h *, const char *, const char *> guestfs_mount_ro;
+
+    DlFun<int, guestfs_h *> guestfs_umount_all;
+
+    DlFun<void, guestfs_h *> guestfs_close;
+
+    DlFun<int, guestfs_h *, int> guestfs_set_trace;
+
+    DlFun<int, guestfs_h *, const char *> guestfs_exists;
+
+    DlFun<int, guestfs_h *, const char *> guestfs_is_file;
+
+    DlFun<char *, guestfs_h *, const char *, size_t *> guestfs_read_file;
+
+private:
+    void LoadAll()
+    {
+        // NOTE explicitly dlopen shared library
+        auto ret = SelfDlOpen();
+        if (ret != DllibRc::OK) {
+            return;
+        }
+        DLLIB_SELF_DLSYM(guestfs_create);
+        DLLIB_SELF_DLSYM(guestfs_set_backend);
+        DLLIB_SELF_DLSYM(guestfs_add_drive_opts_argv);
+        DLLIB_SELF_DLSYM(guestfs_launch);
+        DLLIB_SELF_DLSYM(guestfs_inspect_os);
+        DLLIB_SELF_DLSYM(guestfs_inspect_get_mountpoints);
+        DLLIB_SELF_DLSYM(guestfs_mount_ro);
+        DLLIB_SELF_DLSYM(guestfs_umount_all);
+        DLLIB_SELF_DLSYM(guestfs_close);
+        DLLIB_SELF_DLSYM(guestfs_set_trace);
+        DLLIB_SELF_DLSYM(guestfs_exists);
+        DLLIB_SELF_DLSYM(guestfs_is_file);
+        DLLIB_SELF_DLSYM(guestfs_read_file);
+    }
+
+    Libguestfs() : DlLibBase(LIB_NAME)
+    {
+        LoadAll();
+    }
+
+    static constexpr std::string_view LIB_NAME = "libguestfs.so";
+};
+
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/dllib/libguestfs_defines.h b/virtrust/src/virtrust/dllib/libguestfs_defines.h
new file mode 100644
index 0000000000000000000000000000000000000000..5745de20caa32d9ae2a93901a41dc9cebf8a07b6
--- /dev/null
+++ b/virtrust/src/virtrust/dllib/libguestfs_defines.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#pragma once
+
+#include <dlfcn.h>
+
+#include <cstdint>
+#include <functional>
+#include <string_view>
+
+namespace virtrust {
+
+// see: libguestfs.h, it's a forward declaration in original header file
+struct guestfs_h;
+
+struct guestfs_add_drive_opts_argv {
+    uint64_t bitmask;
+#define GUESTFS_ADD_DRIVE_OPTS_READONLY_BITMASK (UINT64_C(1) << 0)
+    int readonly;
+#define GUESTFS_ADD_DRIVE_OPTS_FORMAT_BITMASK (UINT64_C(1) << 1)
+    const char *format;
+#define GUESTFS_ADD_DRIVE_OPTS_IFACE_BITMASK (UINT64_C(1) << 2)
+    const char *iface;
+#define GUESTFS_ADD_DRIVE_OPTS_NAME_BITMASK (UINT64_C(1) << 3)
+    const char *name;
+#define GUESTFS_ADD_DRIVE_OPTS_LABEL_BITMASK (UINT64_C(1) << 4)
+    const char *label;
+#define GUESTFS_ADD_DRIVE_OPTS_PROTOCOL_BITMASK (UINT64_C(1) << 5)
+    const char *protocol;
+#define GUESTFS_ADD_DRIVE_OPTS_SERVER_BITMASK (UINT64_C(1) << 6)
+    char *const *server;
+#define GUESTFS_ADD_DRIVE_OPTS_USERNAME_BITMASK (UINT64_C(1) << 7)
+    const char *username;
+#define GUESTFS_ADD_DRIVE_OPTS_SECRET_BITMASK (UINT64_C(1) << 8)
+    const char *secret;
+#define GUESTFS_ADD_DRIVE_OPTS_CACHEMODE_BITMASK (UINT64_C(1) << 9)
+    const char *cachemode;
+#define GUESTFS_ADD_DRIVE_OPTS_DISCARD_BITMASK (UINT64_C(1) << 10)
+    const char *discard;
+#define GUESTFS_ADD_DRIVE_OPTS_COPYONREAD_BITMASK (UINT64_C(1) << 11)
+    int copyonread;
+#define GUESTFS_ADD_DRIVE_OPTS_BLOCKSIZE_BITMASK (UINT64_C(1) << 12)
+    int blocksize;
+};
+
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/dllib/libguestfs_test.cpp b/virtrust/src/virtrust/dllib/libguestfs_test.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..8661b3ade4162fb5d206473f9dcd0398d2daaba0
--- /dev/null
+++ b/virtrust/src/virtrust/dllib/libguestfs_test.cpp
@@ -0,0 +1,80 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+ */
+
+#include "gtest/gtest.h"
+
+#include "virtrust/dllib/libguestfs.h"
+
+namespace virtrust {
+
+TEST(LibGuestfsTest, works)
+{
+    // Init
+    auto &libguestfs = Libguestfs::GetInstance();
+    EXPECT_EQ(libguestfs.CheckOK(), DllibRc::OK);
+
+    // Explicity reload
+    auto ret = libguestfs.Reload();
+    EXPECT_EQ(ret, DllibRc::OK);
+
+    // Call Function
+    auto *g = libguestfs.guestfs_create();
+    EXPECT_NE(g, nullptr);
+
+    // quit
+    if (g != nullptr) {
+        libguestfs.guestfs_close(g);
+    }
+}
+
+TEST(LibGuestfsTest, SingletonPattern)
+{
+    // Test that libguestfs follow singleton pattern
+    auto &libguestfs1 = Libguestfs::GetInstance();
+    auto &libguestfs2 = Libguestfs::GetInstance();
+    EXPECT_EQ(&libguestfs1, &libguestfs2);
+}
+
+TEST(LibGuestfsTest, CheckOKFunction)
+{
+    // Test the CheckOK function
+    auto &libguestfs = Libguestfs::GetInstance();
+    EXPECT_EQ(libguestfs.CheckOK(), DllibRc::OK);
+
+    // Test size function
+    EXPECT_GT(libguestfs.size(), (size_t)0);
+}
+
+TEST(LibGuestfsTest, ReloadFunction)
+{
+    // Test reloading functionality
+    auto &libguestfs = Libguestfs::GetInstance();
+
+    // check inital state
+    EXPECT_EQ(libguestfs.CheckOK(), DllibRc::OK);
+
+    // Reload the library
+    auto ret = libguestfs.Reload();
+    EXPECT_EQ(ret, DllibRc::OK);
+
+    // Verify it's still working after reload
+    EXPECT_EQ(libguestfs.CheckOK(), DllibRc::OK);
+}
+
+TEST(LibGuestfsTest, FunctionPointerValidity)
+{
+    // Test that all function pointer are valid
+    auto &libguestfs = Libguestfs::GetInstance();
+
+    // Test a few key functions for validity
+    EXPECT_NE(libguestfs.guestfs_create.Get(), nullptr);
+    EXPECT_NE(libguestfs.guestfs_launch.Get(), nullptr);
+    EXPECT_NE(libguestfs.guestfs_close.Get(), nullptr);
+
+    // Test that functions can be called (without actaully executing)
+    EXPECT_FALSE(libguestfs.guestfs_create.GetName());
+    EXPECT_FALSE(libguestfs.guestfs_launch.GetName());
+    EXPECT_FALSE(libguestfs.guestfs_close.GetName());
+}
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/dllib/libvirt.h b/virtrust/src/virtrust/dllib/libvirt.h
new file mode 100644
index 0000000000000000000000000000000000000000..a88a87fa1d5e6e88b3ea222d0d66e539994f1be5
--- /dev/null
+++ b/virtrust/src/virtrust/dllib/libvirt.h
@@ -0,0 +1,104 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#pragma once
+
+#include <dlfcn.h>
+
+#include <string_view>
+
+#include "virtrust/dllib/common.h"
+#include "virtrust/dllib/libvirt_defines.h"
+
+namespace virtrust {
+
+// libvirt api
+class Libvirt : public DlLibBase {
+public:
+    ~Libvirt() = default;
+    Libvirt(const Libvirt &) = delete;
+    void operator=(const Libvirt &) = delete;
+
+    // Singleton instance
+    static Libvirt &GetInstance()
+    {
+        static Libvirt instance;
+        return instance;
+    }
+
+    // Reload all functions
+    DllibRc Reload()
+    {
+        SelfDlClose();
+        LoadAll();
+        return CheckOk();
+    }
+
+    // Set log level
+    DllibRc SetErrorFunction(virErrorFunc func)
+    {
+        auto ret = GetInstance().CheckOk();
+        if (ret != DllibRc::OK) {
+            return ret;
+        }
+        virSetErrorFunc(nullptr, func);
+        return DllibRc::OK;
+    }
+
+    // Declare all functions that you need
+    // NOTE Please make sure the class instance is inited before calling those
+    // functions
+    DlFun<virConnectPtr, const char *> virConnectOpen;
+    DlFun<virDomainPtr, virConnectPtr, const char *> virDomainLookupByName;
+    DlFun<int, virDomainPtr, unsigned int> virDomainCreateWithFlags;
+    DlFun<int, virConnectPtr> virConnectClose;
+    DlFun<int, virDomainPtr> virDomainFree;
+    DlFun<int, virDomainPtr, unsigned int> virDomainShutdownFlags;
+    DlFun<int, virConnectPtr> virConnectNumOfDomains;
+    DlFun<int, virConnectPtr, virDomainPtr **, unsigned int> virConnectListAllDomains;
+    DlFun<unsigned int, virDomainPtr> virDomainGetID;
+    DlFun<const char *, virDomainPtr> virDomainGetName;
+    DlFun<int, virDomainPtr, virDomainInfo *> virDomainGetInfo;
+    DlFun<int, virDomainPtr, unsigned int> virDomainDestroyFlags;
+    DlFun<int, virDomainPtr, unsigned int> virDomainUndefineFlags;
+    DlFun<void, void *, virErrorFunc> virSetErrorFunc;
+    DlFun<int, virDomainPtr, char *> virDomainGetUUIDString;
+    DlFun<virDomainPtr, virDomainPtr, virConnectPtr, virTypedParameterPtr, unsigned int, unsigned int>
+        virDomainMigrate3;
+
+private:
+    void LoadAll()
+    {
+        // NOTE explicitly dlopen shared library
+        auto ret = SelfDlOpen();
+        if (ret != DllibRc::OK) {
+            return;
+        }
+        DLLIB_SELF_DLSYM(virConnectOpen);
+        DLLIB_SELF_DLSYM(virDomainLookupByName);
+        DLLIB_SELF_DLSYM(virDomainCreateWithFlags);
+        DLLIB_SELF_DLSYM(virConnectClose);
+        DLLIB_SELF_DLSYM(virDomainFree);
+        DLLIB_SELF_DLSYM(virDomainShutdownFlags);
+        DLLIB_SELF_DLSYM(virConnectNumOfDomains);
+        DLLIB_SELF_DLSYM(virConnectListAllDomains);
+        DLLIB_SELF_DLSYM(virDomainGetID);
+        DLLIB_SELF_DLSYM(virDomainGetName);
+        DLLIB_SELF_DLSYM(virDomainGetInfo);
+        DLLIB_SELF_DLSYM(virDomainDestroyFlags);
+        DLLIB_SELF_DLSYM(virDomainUndefineFlags);
+        DLLIB_SELF_DLSYM(virSetErrorFunc);
+        DLLIB_SELF_DLSYM(virDomainGetUUIDString);
+        DLLIB_SELF_DLSYM(virDomainMigrate3);
+    }
+
+    Libvirt() : DlLibBase(LIB_NAME)
+    {
+        LoadAll();
+    }
+
+    static constexpr std::string_view LIB_NAME = "libvirt.so";
+};
+
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/dllib/libvirt_defines.h b/virtrust/src/virtrust/dllib/libvirt_defines.h
new file mode 100644
index 0000000000000000000000000000000000000000..c888b9b3a4a16d8b66c5b24e0256dfadbea60975
--- /dev/null
+++ b/virtrust/src/virtrust/dllib/libvirt_defines.h
@@ -0,0 +1,212 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#pragma once
+
+#include <string>
+
+#include "virtrust/base/custom_logger.h"
+
+namespace virtrust {
+
+using virConnectPtr = int *;
+using virDomainPtr = int *;
+using virNetworkPtr = int *;
+using virTypedParameterPtr = int *;
+
+/**
+ * virDomainState:
+ *
+ * A domain may be in different states at a given point in time
+ *
+ * Since: 0.0.1
+ */
+typedef enum {
+    VIR_DOMAIN_NOSTATE = 0,     /* no state (Since: 0.0.1) */
+    VIR_DOMAIN_RUNNING = 1,     /* the domain is running (Since: 0.0.1) */
+    VIR_DOMAIN_BLOCKED = 2,     /* the domain is blocked on resource (Since: 0.0.1) */
+    VIR_DOMAIN_PAUSED = 3,      /* the domain is paused by user (Since: 0.0.1) */
+    VIR_DOMAIN_SHUTDOWN = 4,    /* the domain is being shut down (Since: 0.0.1) */
+    VIR_DOMAIN_SHUTOFF = 5,     /* the domain is shut off (Since: 0.0.1) */
+    VIR_DOMAIN_CRASHED = 6,     /* the domain is crashed (Since: 0.0.2) */
+    VIR_DOMAIN_PMSUSPENDED = 7, /* the domain is suspended by guest
+                                   power management (Since: 0.9.11) */
+} virDomainState;
+
+/**
+ * virDomainInfo:
+ *
+ * a virDomainInfo is a structure filled by virDomainGetInfo() and extracting
+ * runtime information for a given active Domain
+ *
+ * Since: 0.0.1
+ */
+using virDomainInfo = struct _virDomainInfo;
+
+struct _virDomainInfo {
+    unsigned char state;        /* the running state, one of virDomainState */
+    unsigned long maxMem;       /* the maximum memory in KBytes allowed */
+    unsigned long memory;       /* the memory in KBytes used by the domain */
+    unsigned short nrVirtCpu;   /* the number of virtual CPUs for the domain */
+    unsigned long long cpuTime; /* the CPU time used in nanoseconds */
+};
+
+/**
+ * virConnectListAllDomainsFlags:
+ *
+ * Flags used to tune which domains are listed by virConnectListAllDomains().
+ * Note that these flags come in groups; if all bits from a group are 0,
+ * then that group is not used to filter results.
+ *
+ * Since: 0.9.13
+ */
+typedef enum {
+    VIR_CONNECT_LIST_DOMAINS_ACTIVE = 1 << 0,   /* (Since: 0.9.13) */
+    VIR_CONNECT_LIST_DOMAINS_INACTIVE = 1 << 1, /* (Since: 0.9.13) */
+
+    VIR_CONNECT_LIST_DOMAINS_PERSISTENT = 1 << 2, /* (Since: 0.9.13) */
+    VIR_CONNECT_LIST_DOMAINS_TRANSIENT = 1 << 3,  /* (Since: 0.9.13) */
+
+    VIR_CONNECT_LIST_DOMAINS_RUNNING = 1 << 4, /* (Since: 0.9.13) */
+    VIR_CONNECT_LIST_DOMAINS_PAUSED = 1 << 5,  /* (Since: 0.9.13) */
+    VIR_CONNECT_LIST_DOMAINS_SHUTOFF = 1 << 6, /* (Since: 0.9.13) */
+    VIR_CONNECT_LIST_DOMAINS_OTHER = 1 << 7,   /* (Since: 0.9.13) */
+
+    VIR_CONNECT_LIST_DOMAINS_MANAGEDSAVE = 1 << 8,    /* (Since: 0.9.13) */
+    VIR_CONNECT_LIST_DOMAINS_NO_MANAGEDSAVE = 1 << 9, /* (Since: 0.9.13) */
+
+    VIR_CONNECT_LIST_DOMAINS_AUTOSTART = 1 << 10,    /* (Since: 0.9.13) */
+    VIR_CONNECT_LIST_DOMAINS_NO_AUTOSTART = 1 << 11, /* (Since: 0.9.13) */
+
+    VIR_CONNECT_LIST_DOMAINS_HAS_SNAPSHOT = 1 << 12, /* (Since: 0.9.13) */
+    VIR_CONNECT_LIST_DOMAINS_NO_SNAPSHOT = 1 << 13,  /* (Since: 0.9.13) */
+
+    VIR_CONNECT_LIST_DOMAINS_HAS_CHECKPOINT = 1 << 14, /* (Since: 5.6.0) */
+    VIR_CONNECT_LIST_DOMAINS_NO_CHECKPOINT = 1 << 15,  /* (Since: 5.6.0) */
+} virConnectListAllDomainsFlags;
+
+/**
+ * virDomainCreateFlags:
+ *
+ * Flags OR'ed together to provide specific behaviour when creating a
+ * Domain.
+ *
+ * Since: 0.0.1
+ */
+typedef enum {
+    VIR_DOMAIN_NONE = 0,                    /* Default behavior (Since: 0.0.1) */
+    VIR_DOMAIN_START_PAUSED = 1 << 0,       /* Launch guest in paused state (Since: 0.8.2) */
+    VIR_DOMAIN_START_AUTODESTROY = 1 << 1,  /* Automatically kill guest when virConnectPtr is closed (Since:
+                                               0.9.3) */
+    VIR_DOMAIN_START_BYPASS_CACHE = 1 << 2, /* Avoid file system cache pollution (Since: 0.9.4) */
+    VIR_DOMAIN_START_FORCE_BOOT = 1 << 3,   /* Boot, discarding any managed save (Since: 0.9.5) */
+    VIR_DOMAIN_START_VALIDATE = 1 << 4,     /* Validate the XML document against schema (Since: 1.2.12) */
+    VIR_DOMAIN_START_RESET_NVRAM = 1 << 5,  /* Re-initialize NVRAM from template (Since: 8.1.0) */
+} virDomainCreateFlags;
+
+/**
+ * virDomainDestroyFlagsValues:
+ *
+ * Flags used to provide specific behaviour to the
+ * virDomainDestroyFlags() function
+ *
+ * Since: 0.9.4
+ */
+typedef enum {
+    VIR_DOMAIN_DESTROY_DEFAULT = 0,          /* Default behavior - could lead to data loss!! (Since: 0.9.10) */
+    VIR_DOMAIN_DESTROY_GRACEFUL = 1 << 0,    /* only SIGTERM, no SIGKILL (Since: 0.9.10) */
+    VIR_DOMAIN_DESTROY_REMOVE_LOGS = 1 << 1, /* remove VM logs on destroy (Since: 8.3.0) */
+} virDomainDestroyFlagsValues;
+
+/**
+ * virDomainUndefineFlagsValues:
+ *
+ * Since: 0.9.4
+ */
+typedef enum {
+    VIR_DOMAIN_UNDEFINE_MANAGED_SAVE = (1 << 0),         /* Also remove any
+                                                            managed save (Since: 0.9.4) */
+    VIR_DOMAIN_UNDEFINE_SNAPSHOTS_METADATA = (1 << 1),   /* If last use of domain,
+                                                            then also remove any
+                                                            snapshot metadata (Since: 0.9.5) */
+    VIR_DOMAIN_UNDEFINE_NVRAM = (1 << 2),                /* Also remove any
+                                                            nvram file (Since: 1.2.9) */
+    VIR_DOMAIN_UNDEFINE_KEEP_NVRAM = (1 << 3),           /* Keep nvram file (Since: 2.3.0) */
+    VIR_DOMAIN_UNDEFINE_CHECKPOINTS_METADATA = (1 << 4), /* If last use of domain,
+                                                            then also remove any
+                                                            checkpoint metadata (Since: 5.6.0) */
+    VIR_DOMAIN_UNDEFINE_TPM = (1 << 5),                  /* Also remove any
+                                                            TPM state (Since: 8.9.0) */
+    VIR_DOMAIN_UNDEFINE_KEEP_TPM = (1 << 6),             /* Keep TPM state (Since: 8.9.0) */
+                                                         /* Future undefine control flags should come here. */
+} virDomainUndefineFlagsValues;
+
+/**
+ * virErrorLevel:
+ *
+ * Indicates the level of an error
+ *
+ * Since: 0.1.0
+ */
+typedef enum {
+    VIR_ERR_NONE = 0,    /* (Since: 0.1.0) */
+    VIR_ERR_WARNING = 1, /* A simple warning (Since: 0.1.0) */
+    VIR_ERR_ERROR = 2    /* An error (Since: 0.1.0) */
+} virErrorLevel;
+
+inline LogLevel virErrorLevelToLogLevel(virErrorLevel level)
+{
+    switch (level) {
+        case VIR_ERR_WARNING: {
+            return LogLevel::WARN;
+        }
+        case VIR_ERR_ERROR: {
+            return LogLevel::ERROR;
+        }
+        default:
+            return LogLevel::UNKNOWN;
+    }
+}
+
+/**
+ * virError:
+ *
+ * A libvirt Error instance.
+ *
+ * The conn, dom and net fields should be used with extreme care.
+ * Reference counts are not incremented so the underlying objects
+ * may be deleted without notice after the error has been delivered.
+ *
+ * Since: 0.1.0
+ */
+using virError = struct _virError;
+
+/**
+ * virErrorPtr:
+ *
+ * Since: 0.1.0
+ */
+using virErrorPtr = virError *;
+
+struct _virError {
+    int code;            /* The error code, a virErrorNumber */
+    int domain;          /* What part of the library raised this error */
+    char *message;       /* human-readable informative error message */
+    virErrorLevel level; /* how consequent is the error */
+    virConnectPtr conn;  /* connection if available, deprecated
+                                          see note above */
+    virDomainPtr dom;    /* domain if available, deprecated
+                                        see note above */
+    char *str1;          /* extra string information */
+    char *str2;          /* extra string information */
+    char *str3;          /* extra string information */
+    int int1;            /* extra number information */
+    int int2;            /* extra number information */
+    virNetworkPtr net;   /* network if available, deprecated
+                                         see note above */
+};
+
+using virErrorFunc = void (*)(void *userData, virErrorPtr error);
+
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/dllib/libvirt_test.cpp b/virtrust/src/virtrust/dllib/libvirt_test.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..becc6a1e2671a506bba93b88277f2152172db398
--- /dev/null
+++ b/virtrust/src/virtrust/dllib/libvirt_test.cpp
@@ -0,0 +1,81 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+ */
+
+#include "gtest/gtest.h"
+
+#include "virtrust/dllib/libvirt.h"
+
+namespace virtrust {
+
+TEST(LibvirtTest, works)
+{
+    // Init
+    auto &libvirt = Libvirt::GetInstance();
+    EXPECT_EQ(libvirt.CheckOK(), DllibRc::OK);
+
+    // Explicity reload
+    auto ret = libvirt.Reload();
+    EXPECT_EQ(ret, DllibRc::OK);
+}
+
+TEST(LibvirtTest, SingletonPattern)
+{
+    // Test that libvirt follow singleton pattern
+    auto &libvirt1 = Libvirt::GetInstance();
+    auto &libvirt2 = Libvirt::GetInstance();
+    EXPECT_EQ(&libvirt1, &libvirt2);
+}
+
+TEST(LibvirtTest, CheckOKFunction)
+{
+    // Test the CheckOK function
+    auto &libvirt = Libvirt::GetInstance();
+    EXPECT_EQ(libvirt.CheckOK(), DllibRc::OK);
+
+    // Test size function
+    EXPECT_GT(libvirt.size(), (size_t)0);
+}
+
+TEST(LibvirtTest, ReloadFunction)
+{
+    // Test reloading functionality
+    auto &libvirt = Libvirt::GetInstance();
+
+    // check inital state
+    EXPECT_EQ(libvirt.CheckOK(), DllibRc::OK);
+
+    // Reload the library
+    auto ret = libvirt.Reload();
+    EXPECT_EQ(ret, DllibRc::OK);
+
+    // Verify it's still working after reload
+    EXPECT_EQ(libvirt.CheckOK(), DllibRc::OK);
+}
+
+TEST(LibvirtTest, FunctionPointerValidity)
+{
+    // Test that all function pointer are valid
+    auto &libvirt = Libvirt::GetInstance();
+
+    // Test a few key functions for validity
+    EXPECT_NE(libvirt.virConnectOpen.Get(), nullptr);
+    EXPECT_NE(libvirt.virDomainLookupByName.Get(), nullptr);
+    EXPECT_NE(libvirt.virDomainFree.Get(), nullptr);
+
+    // Test that functions can be called (without actaully executing)
+    EXPECT_FALSE(libvirt.virConnectOpen.GetName());
+    EXPECT_FALSE(libvirt.virDomainLookupByName.GetName());
+    EXPECT_FALSE(libvirt.virDomainFree.GetName());
+}
+
+TEST(LibvirtTest, SetErrorFunction)
+{
+    // Test the SetErrorFunction functionality
+    auto &libvirt = Libvirt::GetInstance();
+
+    // Test that SetErrorFunction can be called without crashing
+    auto ret = libvirt.SetErrorFunction(nullptr);
+    EXPECT_EQ(ret, DllibRc::OK);
+}
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/dllib/libxml2.h b/virtrust/src/virtrust/dllib/libxml2.h
new file mode 100644
index 0000000000000000000000000000000000000000..fd7f5a8eeb78026ae329b824e3092a425fe1cfd6
--- /dev/null
+++ b/virtrust/src/virtrust/dllib/libxml2.h
@@ -0,0 +1,70 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#pragma once
+
+#include <dlfcn.h>
+
+#include <string_view>
+
+#include "virtrust/dllib/common.h"
+#include "virtrust/dllib/libxml2_defines.h"
+
+namespace virtrust {
+
+// libxml2 api
+class Libxml2 : public DlLibBase {
+public:
+    ~Libxml2() = default;
+    Libxml2(const Libxml2 &) = delete;
+    void operator=(const Libxml2 &) = delete;
+
+    // Singleton instance
+    static Libxml2 &GetInstance()
+    {
+        static Libxml2 instance;
+        return instance;
+    }
+
+    // Reload all functions
+    DllibRc Reload()
+    {
+        SelfDlClose();
+        LoadAll();
+        return CheckOk();
+    }
+
+    // Declare all functions that you need
+    // NOTE Please make sure the class instance is inited before calling those
+    // functions
+    DlFun<xmlDoc *, const char *> xmlParseFile;
+    DlFun<void, xmlDoc *> xmlFreeDoc;
+    DlFun<xmlNode *, const xmlDoc *> xmlDocGetRootElement;
+    DlFun<xmlChar *, const xmlNode *, const xmlChar *> xmlGetProp;
+    DlFun<void, void *> xmlFree;
+
+private:
+    void LoadAll()
+    {
+        // NOTE explicitly dlopen shared library
+        auto ret = SelfDlOpen();
+        if (ret != DllibRc::OK) {
+            return;
+        }
+        DLLIB_SELF_DLSYM(xmlParseFile);
+        DLLIB_SELF_DLSYM(xmlFreeDoc);
+        DLLIB_SELF_DLSYM(xmlDocGetRootElement);
+        DLLIB_SELF_DLSYM(xmlGetProp);
+        DLLIB_SELF_DLSYM(xmlFree);
+    }
+
+    Libxml2() : DlLibBase(LIB_NAME)
+    {
+        LoadAll();
+    }
+
+    static constexpr std::string_view LIB_NAME = "libxml2.so";
+};
+
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/dllib/libxml2_defines.h b/virtrust/src/virtrust/dllib/libxml2_defines.h
new file mode 100644
index 0000000000000000000000000000000000000000..132bf0c1398dad7629ec1b4ff3e74ace3471201c
--- /dev/null
+++ b/virtrust/src/virtrust/dllib/libxml2_defines.h
@@ -0,0 +1,143 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#pragma once
+
+namespace virtrust {
+
+using xmlChar = unsigned char;
+
+// ---------------------------------------------------------------------------
+// Type definition from libxml2/libxml/tree.h
+// ---------------------------------------------------------------------------
+
+/*
+ * The different element types carried by an XML tree.
+ *
+ * NOTE: This is synchronized with DOM Level1 values
+ *       See http://www.w3.org/TR/REC-DOM-Level-1/
+ *
+ * Actually this had diverged a bit, and now XML_DOCUMENT_TYPE_NODE should
+ * be deprecated to use an XML_DTD_NODE.
+ */
+typedef enum {
+    XML_ELEMENT_NODE = 1,
+    XML_ATTRIBUTE_NODE = 2,
+    XML_TEXT_NODE = 3,
+    XML_CDATA_SECTION_NODE = 4,
+    XML_ENTITY_REF_NODE = 5,
+    XML_ENTITY_NODE = 6,
+    XML_PI_NODE = 7,
+    XML_COMMENT_NODE = 8,
+    XML_DOCUMENT_NODE = 9,
+    XML_DOCUMENT_TYPE_NODE = 10,
+    XML_DOCUMENT_FRAG_NODE = 11,
+    XML_NOTATION_NODE = 12,
+    XML_HTML_DOCUMENT_NODE = 13,
+    XML_DTD_NODE = 14,
+    XML_ELEMENT_DECL = 15,
+    XML_ATTRIBUTE_DECL = 16,
+    XML_ENTITY_DECL = 17,
+    XML_NAMESPACE_DECL = 18,
+    XML_XINCLUDE_START = 19,
+    XML_XINCLUDE_END = 20
+    /* XML_DOCB_DOCUMENT_NODE=	21 */ /* removed */
+} xmlElementType;
+
+/**
+ * xmlNs:
+ *
+ * An XML namespace.
+ * Note that prefix == NULL is valid, it defines the default namespace
+ * within the subtree (until overridden).
+ *
+ * xmlNsType is unified with xmlElementType.
+ */
+using xmlNs = struct _xmlNs;
+using xmlNsType = xmlElementType;
+
+struct _xmlNs {
+    struct _xmlNs *next;     /* next Ns link for this node  */
+    xmlNsType type;          /* global or local */
+    const xmlChar *href;     /* URL for the namespace */
+    const xmlChar *prefix;   /* prefix for the namespace */
+    void *_private;          /* application data */
+    struct _xmlDoc *context; /* normally an xmlDoc */
+};
+
+/**
+ * xmlDoc:
+ *
+ * An XML document.
+ */
+using xmlDoc = struct _xmlDoc;
+using xmlDocPtr = xmlDoc *;
+
+struct _xmlDoc {
+    void *_private;            /* application data */
+    xmlElementType type;       /* XML_DOCUMENT_NODE, must be second ! */
+    char *name;                /* name/filename/URI of the document */
+    struct _xmlNode *children; /* the document tree */
+    struct _xmlNode *last;     /* last child link */
+    struct _xmlNode *parent;   /* child->parent link */
+    struct _xmlNode *next;     /* next sibling link  */
+    struct _xmlNode *prev;     /* previous sibling link  */
+    struct _xmlDoc *doc;       /* autoreference to itself */
+
+    /* End of common part */
+    int compression;           /* level of zlib compression */
+    int standalone;            /* standalone document (no external refs)
+                    1 if standalone="yes"
+                    0 if standalone="no"
+                   -1 if there is no XML declaration
+                   -2 if there is an XML declaration, but no
+                   standalone attribute was specified */
+    struct _xmlDtd *intSubset; /* the document internal subset */
+    struct _xmlDtd *extSubset; /* the document external subset */
+    struct _xmlNs *oldNs;      /* Global namespace, the old way */
+    const xmlChar *version;    /* the XML version string */
+    const xmlChar *encoding;   /* external initial encoding, if any */
+    void *ids;                 /* Hash table for ID attributes if any */
+    void *refs;                /* Hash table for IDREFs attributes if any */
+    const xmlChar *URL;        /* The URI for that document */
+    int charset;               /* Internal flag for charset handling,
+                  actually an xmlCharEncoding */
+    struct _xmlDict *dict;     /* dict used to allocate names or NULL */
+    void *psvi;                /* for type/PSVI information */
+    int parseFlags;            /* set of xmlParserOption used to parse the
+                  document */
+    int properties;            /* set of xmlDocProperties for this document
+                  set at the end of parsing */
+};
+
+/**
+ * xmlNode:
+ *
+ * A node in an XML tree.
+ */
+using xmlNode = struct _xmlNode;
+using xmlNodePtr = xmlNode *;
+
+struct _xmlNode {
+    void *_private;            /* application data */
+    xmlElementType type;       /* type number, must be second ! */
+    const xmlChar *name;       /* the name of the node, or the entity */
+    struct _xmlNode *children; /* parent->childs link */
+    struct _xmlNode *last;     /* last child link */
+    struct _xmlNode *parent;   /* child->parent link */
+    struct _xmlNode *next;     /* next sibling link  */
+    struct _xmlNode *prev;     /* previous sibling link  */
+    struct _xmlDoc *doc;       /* the containing document */
+
+    /* End of common part */
+    xmlNs *ns;                   /* pointer to the associated namespace */
+    xmlChar *content;            /* the content */
+    struct _xmlAttr *properties; /* properties list */
+    xmlNs *nsDef;                /* namespace definitions on this node */
+    void *psvi;                  /* for type/PSVI information */
+    unsigned short line;         /* line number */
+    unsigned short extra;        /* extra data for XPath/XSLT */
+};
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/dllib/libxml2_test.cpp b/virtrust/src/virtrust/dllib/libxml2_test.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..1b445844635b5343c4c50316fec68d69eb4a929c
--- /dev/null
+++ b/virtrust/src/virtrust/dllib/libxml2_test.cpp
@@ -0,0 +1,88 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+ */
+
+#include "gtest/gtest.h"
+
+#include "virtrust/dllib/libxml2.h"
+
+namespace virtrust {
+
+TEST(Libxml2Test, works)
+{
+    // Init
+    auto &libxml2 = Libxml2::GetInstance();
+    EXPECT_EQ(libxml2.CheckOK(), DllibRc::OK);
+
+    // Explicity reload
+    auto ret = libxml2.Reload();
+    EXPECT_EQ(ret, DllibRc::OK);
+
+    // Call Function
+    auto *fun_ret = libxml2.xmlParseFile("12312"); // with wrong param
+    EXPECT_EQ(fun_ret, nullptr);
+}
+
+TEST(Libxml2Test, SingletonPattern)
+{
+    // Test that libxml2 follows singleton pattern
+    auto &libxml21 = Libxml2::GetInstance();
+    auto &libxml22 = Libxml2::GetInstance();
+    EXPECT_EQ(&libxml21, &libxml22);
+}
+
+TEST(Libxml2Test, CheckOKFunction)
+{
+    // Test the CheckOK function
+    auto &libxml2 = Libxml2::GetInstance();
+    EXPECT_EQ(libxml2.CheckOK(), DllibRc::OK);
+
+    // Test size function
+    EXPECT_GT(libxml2.size(), (size_t)0);
+}
+
+TEST(Libxml2Test, ReloadFunction)
+{
+    // Test reloading functionality
+    auto &libxml2 = Libxml2::GetInstance();
+
+    // check inital state
+    EXPECT_EQ(libxml2.CheckOK(), DllibRc::OK);
+
+    // Reload the library
+    auto ret = libxml2.Reload();
+    EXPECT_EQ(ret, DllibRc::OK);
+
+    // Verify it's still working after reload
+    EXPECT_EQ(libxml2.CheckOK(), DllibRc::OK);
+}
+
+TEST(Libxml2Test, FunctionPointerValidity)
+{
+    // Test that all function pointer are valid
+    auto &libxml2 = Libxml2::GetInstance();
+
+    // Test a few key functions for validity
+    EXPECT_NE(libxml2.xmlParseFile.Get(), nullptr);
+    EXPECT_NE(libxml2.xmlFreeDoc.Get(), nullptr);
+    EXPECT_NE(libxml2.xmlDocGetRootElement.Get(), nullptr);
+
+    // Test that functions can be called (without actaully executing)
+    EXPECT_FALSE(libxml2.xmlParseFile.GetName());
+    EXPECT_FALSE(libxml2.xmlFreeDoc.GetName());
+    EXPECT_FALSE(libxml2.xmlDocGetRootElement.GetName());
+}
+
+TEST(Libxml2Test, XmlParsingFunctionality)
+{
+    // Test xml parsing functionality with invalid file
+    auto &libxml2 = Libxml2::GetInstance();
+
+    // Test that xmlParseFile returns nullptr for invalid file (expected behavior)
+    auto *doc = libxml2.xmlParseFile("nonexistent.xml");
+    EXPECT_EQ(doc, nullptr);
+
+    // Test that we can xmlFreeDoc on nullptr (should not crash)
+    libxml2.xmlFreeDoc(nullptr);
+}
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/dllib/openssl.h b/virtrust/src/virtrust/dllib/openssl.h
new file mode 100644
index 0000000000000000000000000000000000000000..0b07fa121f573471c46bfc6444677138fce2dfe2
--- /dev/null
+++ b/virtrust/src/virtrust/dllib/openssl.h
@@ -0,0 +1,101 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#pragma once
+
+#include <dlfcn.h>
+
+#include <cstdint>
+#include <functional>
+#include <string_view>
+
+#include "virtrust/dllib/common.h"
+#include "virtrust/dllib/openssl_defines.h"
+
+namespace virtrust {
+
+// openssl api
+class Openssl : public DlLibBase {
+public:
+    ~Openssl() = default;
+    Openssl(const Openssl &) = delete;
+    void operator=(const Openssl &) = delete;
+
+    // Singleton instance
+    static Openssl &GetInstance()
+    {
+        static Openssl instance;
+        return instance;
+    }
+
+    // Reload all functions
+    DllibRc Reload()
+    {
+        SelfDlClose();
+        LoadAll();
+        return CheckOk();
+    }
+
+    // Declare all functions that you need
+    // NOTE Please make sure the class instance is inited before calling those
+    // functions
+
+    // Fetch openssl message digest context
+    DlFun<EVP_MD *, OSSL_LIB_CTX *, const char *, const char *> EVP_MD_fetch;
+
+    // Get the output size of the message digest algorithm (e.g. SM3), this
+    // function is the same as EVP_MD_size
+    DlFun<int, const EVP_MD *> EVP_MD_get_size;
+
+    // Create new message digest context
+    DlFun<EVP_MD_CTX *> EVP_MD_CTX_new;
+
+    // Reset md context
+    DlFun<int, EVP_MD_CTX *> EVP_MD_CTX_reset;
+
+    // Copy md context
+    DlFun<int, EVP_MD_CTX *, const EVP_MD_CTX *> EVP_MD_CTX_copy_ex;
+
+    // Init
+    DlFun<int, EVP_MD_CTX *, EVP_MD *> EVP_DigestInit;
+
+    // Update
+    DlFun<int, EVP_MD_CTX *, const void *, size_t> EVP_DigestUpdate;
+
+    // Final
+    DlFun<int, EVP_MD_CTX *, unsigned char *, unsigned int *> EVP_DigestFinal_ex;
+
+    // Free
+    DlFun<void, EVP_MD *> EVP_MD_free;
+    DlFun<void, EVP_MD_CTX *> EVP_MD_CTX_free;
+
+private:
+    void LoadAll()
+    {
+        // NOTE explicitly dlopen shared library
+        auto ret = SelfDlOpen();
+        if (ret != DllibRc::OK) {
+            return;
+        }
+        DLLIB_SELF_DLSYM(EVP_MD_fetch);
+        DLLIB_SELF_DLSYM(EVP_MD_get_size);
+        DLLIB_SELF_DLSYM(EVP_MD_CTX_new);
+        DLLIB_SELF_DLSYM(EVP_MD_CTX_reset);
+        DLLIB_SELF_DLSYM(EVP_MD_CTX_copy_ex);
+        DLLIB_SELF_DLSYM(EVP_DigestInit);
+        DLLIB_SELF_DLSYM(EVP_DigestUpdate);
+        DLLIB_SELF_DLSYM(EVP_DigestFinal_ex);
+        DLLIB_SELF_DLSYM(EVP_MD_free);
+        DLLIB_SELF_DLSYM(EVP_MD_CTX_free);
+    }
+
+    Openssl() : DlLibBase(LIB_NAME)
+    {
+        LoadAll();
+    }
+
+    static constexpr std::string_view LIB_NAME = "libcrypto.so";
+};
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/dllib/openssl_defines.h b/virtrust/src/virtrust/dllib/openssl_defines.h
new file mode 100644
index 0000000000000000000000000000000000000000..86e1043c44097460bf23d307cc10ffd5bc6b229a
--- /dev/null
+++ b/virtrust/src/virtrust/dllib/openssl_defines.h
@@ -0,0 +1,16 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#pragma once
+
+namespace virtrust {
+
+using EVP_MD = struct evp_md_st;
+using EVP_MD_CTX = struct evp_md_ctx_st;
+using OSSL_LIB_CTX = struct ossl_lib_ctx_st;
+
+// openssl return value check
+constexpr int OPENSSL_OK = 1;
+
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/dllib/openssl_test.cpp b/virtrust/src/virtrust/dllib/openssl_test.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..64561450eb050555078b9a44d181975093381a5c
--- /dev/null
+++ b/virtrust/src/virtrust/dllib/openssl_test.cpp
@@ -0,0 +1,97 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+ */
+
+#include "gtest/gtest.h"
+
+#include "virtrust/dllib/openssl.h"
+
+namespace virtrust {
+
+TEST(OpensslTest, works)
+{
+    // Init
+    auto &openssl = Openssl::GetInstance();
+    EXPECT_EQ(openssl.CheckOK(), DllibRc::OK);
+
+    // Explicity reload
+    auto ret = openssl.Reload();
+    EXPECT_EQ(ret, DllibRc::OK);
+
+    // Call Function
+    auto *ptr = openssl.EVP_MD_CTX_new(""); // with wrong param
+    EXPECT_EQ(ptr, nullptr);
+
+    // Quit
+    openssl.EVP_MD_CTX_free(ptr);
+}
+
+TEST(OpensslTest, SingletonPattern)
+{
+    // Test that openssl follows singleton pattern
+    auto &openssl1 = Openssl::GetInstance();
+    auto &openssl2 = Openssl::GetInstance();
+    EXPECT_EQ(&openssl1, &openssl2);
+}
+
+TEST(OpensslTest, CheckOKFunction)
+{
+    // Test the CheckOK function
+    auto &openssl = Openssl::GetInstance();
+    EXPECT_EQ(openssl.CheckOK(), DllibRc::OK);
+
+    // Test size function
+    EXPECT_GT(openssl.size(), (size_t)0);
+}
+
+TEST(OpensslTest, ReloadFunction)
+{
+    // Test reloading functionality
+    auto &openssl = Openssl::GetInstance();
+
+    // check inital state
+    EXPECT_EQ(openssl.CheckOK(), DllibRc::OK);
+
+    // Reload the library
+    auto ret = openssl.Reload();
+    EXPECT_EQ(ret, DllibRc::OK);
+
+    // Verify it's still working after reload
+    EXPECT_EQ(openssl.CheckOK(), DllibRc::OK);
+}
+
+TEST(OpensslTest, FunctionPointerValidity)
+{
+    // Test that all function pointer are valid
+    auto &openssl = Openssl::GetInstance();
+
+    // Test a few key functions for validity
+    EXPECT_NE(openssl.EVP_MD_CTX_new.Get(), nullptr);
+    EXPECT_NE(openssl.EVP_MD_CTX_free.Get(), nullptr);
+    EXPECT_NE(openssl.EVP_DigestInit.Get(), nullptr);
+
+    // Test that functions can be called (without actaully executing)
+    EXPECT_FALSE(openssl.EVP_MD_CTX_new.GetName());
+    EXPECT_FALSE(openssl.EVP_MD_CTX_free.GetName());
+    EXPECT_FALSE(openssl.EVP_DigestInit.GetName());
+}
+
+TEST(OpensslTest, DigestFunctionality)
+{
+    // Test basic functionality
+    auto &openssl = Openssl::GetInstance();
+
+    // Test that EVP_MD_CTX_new creates a invalid context
+    auto *ctx = openssl.EVP_MD_CTX_new();
+    EXPECT_NE(ctx, nullptr);
+
+    // Test that EVP_MD_CTX_free cleans up properly
+    openssl.EVP_MD_CTX_free(ctx);
+
+    // Test that EVP_MD_CTX_reset works
+    ctx = openssl.EVP_MD_CTX_new();
+    EXPECT_NE(ctx, nullptr);
+    EXPECT_EQ(openssl.EVP_MD_CTX_reset(ctx), 1); // Should return OPENSSL_OK
+    openssl.EVP_MD_CTX_free(ctx);
+}
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/link/CMakeLists.txt b/virtrust/src/virtrust/link/CMakeLists.txt
new file mode 100644
index 0000000000000000000000000000000000000000..a523966ff870d2a4c0a18db95fe53024aeaaf783
--- /dev/null
+++ b/virtrust/src/virtrust/link/CMakeLists.txt
@@ -0,0 +1,14 @@
+# Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+
+set(VIRTRUST_SOURCE_FILES
+    ${VIRTRUST_SOURCE_FILES}
+    # ${CMAKE_CURRENT_LIST_DIR}/link_client.cpp
+    # ${CMAKE_CURRENT_LIST_DIR}/link_server.cpp
+    # ${CMAKE_CURRENT_LIST_DIR}/utils.cpp
+)
+
+# add_virtrust_test_if(link_test ${BUILD_TEST})
+
+set(VIRTRUST_SOURCE_FILES
+    ${VIRTRUST_SOURCE_FILES}
+    PARENT_SCOPE)
diff --git a/virtrust/src/virtrust/link/defines.h b/virtrust/src/virtrust/link/defines.h
new file mode 100644
index 0000000000000000000000000000000000000000..832c939e379e58292497ef5011b5b531029811fe
--- /dev/null
+++ b/virtrust/src/virtrust/link/defines.h
@@ -0,0 +1,27 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#include <array>
+#include <cstdint>
+#include <string>
+#include <string_view>
+
+#include "virtrust/base/logger.h"
+
+namespace virtrust {
+enum class LinkRc : uint32_t {
+    OK = 0,
+    ERROR = 1,
+};
+
+struct LinkConfig {
+    std::string caPath;
+    std::string certPath;
+    std::string skPath;
+    std::string ip;
+    std::string ipMask;
+    uint16_t port;
+};
+
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/link/link_config_builder.h b/virtrust/src/virtrust/link/link_config_builder.h
new file mode 100644
index 0000000000000000000000000000000000000000..274760e2f98a2f2ffc34b0be0ad9e8644d574b89
--- /dev/null
+++ b/virtrust/src/virtrust/link/link_config_builder.h
@@ -0,0 +1,43 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#pragma once
+
+#include <array>
+#include <cstdint>
+#include <string>
+#include <string_view>
+
+#include "virtrust/link/defines.h"
+
+namespace virtrust {
+
+class LinkConfigBuilder {
+public:
+#define VIRTRUST_LINK_BUILDER_ADD(TYPE, NAME) \
+    LinkConfigBuilder NAME(TYPE NAME)         \
+    {                                         \
+        config_.NAME = NAME;                  \
+        return *this;                         \
+    }
+
+    VIRTRUST_LINK_BUILDER_ADD(const std::string &, caPath)
+    VIRTRUST_LINK_BUILDER_ADD(const std::string &, certPath)
+    VIRTRUST_LINK_BUILDER_ADD(const std::string &, skPath)
+    VIRTRUST_LINK_BUILDER_ADD(const std::string &, ip)
+    VIRTRUST_LINK_BUILDER_ADD(const std::string &, ipMask)
+    VIRTRUST_LINK_BUILDER_ADD(uint16_t, port)
+
+#undef VIRTRUST_LINK_BUILDER_ADD
+
+    LinkConfig Build()
+    {
+        return config_;
+    }
+
+private:
+    LinkConfig config_;
+};
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/link/link_test.cpp b/virtrust/src/virtrust/link/link_test.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..a7bdf331f4c243f3944663751c1a16ba7c7c704a
--- /dev/null
+++ b/virtrust/src/virtrust/link/link_test.cpp
@@ -0,0 +1,71 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+ */
+
+#include <filesystem>
+#include <future>
+
+#include "gtest/gtest.h"
+#include "spdlog/fmt/bundled/core.h"
+
+#include "virtrust/link/link_client.h"
+#include "virtrust/link/link_config_builder.h"
+#include "virtrust/link/link_server.h"
+
+namespace virtrust {
+
+namespace {
+constexpr std::string_view TEST_CA_CERT_FILENAME = "ca/cert.pem";
+constexpr std::string_view TEST_SERVER_CERT_FILENAME = "server/cert.pem";
+constexpr std::string_view TEST_SERVER_SK_FILENAME = "server/sk.pem";
+constexpr std::string_view TEST_CLIENT_CERT_FILENAME = "client/cert.pem";
+constexpr std::string_view TEST_CLIENT_SK_FILENAME = "client/sk.pem";
+
+constexpr std::string_view TEST_ADDR = "127.0.0.1";
+constexpr std::string_view TEST_ADDR_MASK = "127.0.0.0/128";
+constexpr uint16_t TEST_SERVER_PORT = "10086";
+constexpr uint16_t TEST_CLIENT_PORT = "10087";
+
+inline std::filesystem::path GetTestDir()
+{
+    // GET the project root path (which is the directory)
+    auto filePath = std::filesystem::path(__FILE__);
+    return (filePath / ".." / ".." / ".." / ".." / "test").lexically_normal();
+}
+
+#define GET_PATH(ROLE, TYPE) (GetTestDir() / TEST_##ROLE##_##TYPE##_FILENAME).lexically_normal().string()
+
+} // namespace
+
+TEST(LinkTest, SimpleDemo)
+{
+    auto s = std::async([]() {
+        LinkServer link(LinkConfigBuilder()
+                            .caPath(GET_PATH(CA, CERT))
+                            .certPath(GET_PATH(SERVER, CERT))
+                            .skPath(GET_PATH(SERVER, SK))
+                            .ip(std::string(TEST_ADDR))
+                            .ipMask(std::string(TEST_ADDR_MASK))
+                            .port(TEST_SERVER_PORT)
+                            .Build());
+        return link.Start();
+    });
+    auto c = std::async([]() {
+        LinkClient link(LinkConfigBuilder()
+                            .caPath(GET_PATH(CA, CERT))
+                            .certPath(GET_PATH(CLIENT, CERT))
+                            .skPath(GET_PATH(CLIENT, SK))
+                            .ip(std::string(TEST_ADDR))
+                            .ipMask(std::string(TEST_ADDR_MASK))
+                            .port(TEST_CLIENT_PORT)
+                            .Build());
+        auto ret = link.Start();
+        if (ret != LinkRc::OK) {
+            return ret;
+        };
+        return link.Connect(TEST_ADDR, TEST_SERVER_PORT);
+    });
+    EXPECT_EQ(s.get(), LinkRc::OK);
+    EXPECT_EQ(c.get(), LinkRc::OK);
+}
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/utils/CMakeLists.txt b/virtrust/src/virtrust/utils/CMakeLists.txt
new file mode 100644
index 0000000000000000000000000000000000000000..4199d2df653899aa9cd42a41d897718b5c004535
--- /dev/null
+++ b/virtrust/src/virtrust/utils/CMakeLists.txt
@@ -0,0 +1,17 @@
+# Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+
+set(VIRTRUST_SOURCE_FILES
+    ${VIRTRUST_SOURCE_FILES}
+    ${CMAKE_CURRENT_LIST_DIR}/file_io.cpp
+    ${CMAKE_CURRENT_LIST_DIR}/virt_xml_parser.cpp
+    ${CMAKE_CURRENT_LIST_DIR}/migrate_helper.cpp
+    ${CMAKE_CURRENT_LIST_DIR}/foreign_mounter.cpp)
+
+# add_virtrust_test_if(file_io_test ${BUILD_TEST})
+# add_virtrust_sh_test_if(virt_xml_parser_test ${BUILD_TEST})
+# add_virtrust_sh_test_if(foreign_mounter_test ${BUILD_TEST})
+# add_virtrust_test_if(migrate_helper_test ${BUILD_TEST})
+
+set(VIRTRUST_SOURCE_FILES
+    ${VIRTRUST_SOURCE_FILES}
+    PARENT_SCOPE)
diff --git a/virtrust/src/virtrust/utils/enum_check.h b/virtrust/src/virtrust/utils/enum_check.h
new file mode 100644
index 0000000000000000000000000000000000000000..5a981f5c9091b43d34ca1ebbef48d6dc031028ac
--- /dev/null
+++ b/virtrust/src/virtrust/utils/enum_check.h
@@ -0,0 +1,32 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#pragma once
+
+namespace virtrust {
+
+// Define templates for enum range check
+
+template <typename EnumType, EnumType... Values> class EnumCheck {};
+
+template <typename EnumType> class EnumCheck<EnumType> {
+public:
+    template <typename IntType> static bool constexpr IsValue(IntType)
+    {
+        return false;
+    }
+};
+
+template <typename EnumType, EnumType V, EnumType... Next>
+class EnumCheck<EnumType, V, Next...> : private EnumCheck<EnumType, Next...> {
+    using Super = EnumCheck<EnumType, Next...>;
+
+public:
+    template <typename IntType> static bool constexpr IsValue(IntType v)
+    {
+        return v == static_cast<IntType>(V) || Super::IsValue(v);
+    }
+};
+
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/utils/file_io.cpp b/virtrust/src/virtrust/utils/file_io.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..f107cee0876fc006e3efc69a213a90f775a49e06
--- /dev/null
+++ b/virtrust/src/virtrust/utils/file_io.cpp
@@ -0,0 +1,244 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#include "virtrust/utils/file_io.h"
+
+#include <cerrno>
+#include <cstring>
+#include <exception>
+#include <filesystem>
+#include <iostream>
+#include <string>
+#include <utility>
+
+#include "spdlog/fmt/fmt.h"
+#include "spdlog/spdlog.h"
+
+#include "virtrust/base/exception.h"
+#include "virtrust/base/logger.h"
+
+namespace virtrust {
+#define FILE_IO_THROW(msg_prefix)                                                                                  \
+    VIRTRUST_ENFORCE(false, fmt::format("|{}|END|||error on file {}, failure {}", msg_prefix, fileName_, e.what(), \
+                                        std::strerror(errno), errno))
+
+FileInputStream::FileInputStream(std::string fileName) : fileName_(std::move(fileName)), fileLen_(0)
+{
+#ifndef __arm64__
+    in_.exceptions(std::ifstream::badbit | std::ifstream::failbit);
+#endif
+    try {
+        in_.open(fileName_, std::ios::binary | std::ios::ate);
+    } catch (const std::ifstream::failure &e) {
+        FILE_IO_THROW("Open for read");
+    }
+    fileLen_ = Tellg();
+    Seekg(0);
+}
+
+bool FileInputStream::operator!() const
+{
+    return !static_cast<bool>(in_);
+}
+
+FileInputStream::operator bool() const
+{
+    return static_cast<bool>(in_);
+}
+
+bool FileInputStream::Eof() const
+{
+    return in_.eof();
+}
+
+FileInputStream &FileInputStream::GetLine(std::string *ret, char delim)
+{
+    try {
+        std::getline(in_, *ret, delim);
+    } catch (const std::ifstream::failure &e) {
+        if (!in_.eof() || in_.bad()) {
+            FILE_IO_THROW("GetLine");
+        }
+    }
+
+    return *this;
+}
+
+FileInputStream &FileInputStream::Read(void *buf, size_t length)
+{
+    try {
+        in_.read(static_cast<char *>(buf), length);
+    } catch (const std::ifstream::failure &e) {
+        FILE_IO_THROW("Read");
+    }
+    return *this;
+}
+
+FileInputStream &FileInputStream::Seekg(size_t pos)
+{
+    try {
+        // clear EOF/FAIL bit
+        in_.clear();
+        in_.seekg(pos);
+    } catch (const std::ifstream::failure &e) {
+        FILE_IO_THROW("Seekg");
+    }
+    return *this;
+}
+
+size_t FileInputStream::Tellg()
+{
+    size_t ret = 0;
+    try {
+        auto backup = in_.rdstate();
+        in_.clear();
+        // tellg fail if eofbit is set.
+        ret = in_.tellg();
+        in_.clear(backup);
+    } catch (const std::ifstream::failure &e) {
+        if (in_.bad()) {
+            FILE_IO_THROW("Tellg");
+        }
+    }
+    return ret;
+}
+
+void FileInputStream::TransferTo(std::ostringstream &oss)
+{
+    try {
+        // clear EOF/FAIL bit
+        in_.clear();
+        in_.seekg(0);
+        oss << in_.rdbuf();
+    } catch (const std::ifstream::failure &e) {
+        FILE_IO_THROW("TransferTo");
+    }
+}
+
+std::string FileInputStream::ReadAll()
+{
+    try {
+        std::ostringstream oss;
+        TransferTo(oss);
+        return oss.str();
+    } catch (const std::ifstream::failure &e) {
+        FILE_IO_THROW("ReadAll");
+    }
+    return "";
+}
+
+size_t FileInputStream::GetLength() const
+{
+    return fileLen_;
+}
+
+const std::string &FileInputStream::GetName() const
+{
+    return fileName_;
+}
+
+void FileInputStream::Close()
+{
+    try {
+        in_.close();
+    } catch (const std::ifstream::failure &e) {
+        FILE_IO_THROW("Close");
+    }
+    fileLen_ = 0;
+}
+
+std::unique_ptr<FileInputStream> FileInputStream::Spawn()
+{
+    auto ret = std::make_unique<FileInputStream>(fileName_);
+    ret->Seekg(Tellg());
+    return ret;
+}
+
+FileOutputStream::FileOutputStream(std::string fileName, bool trunc, bool exitFailInDestructor)
+    : fileName_(std::move(fileName)), exitFailInDestructor_(exitFailInDestructor)
+{
+    std::filesystem::path fp(fileName_);
+    // empty if relative path to pwd.
+    if (!fp.parent_path().empty() && !std::filesystem::exists(fp.parent_path())) {
+        VIRTRUST_ENFORCE(std::filesystem::create_directories(fp.parent_path()), "Failed to create dir ({})",
+                         fp.parent_path().string());
+    }
+    out_.exceptions(std::ofstream::badbit | std::ofstream::failbit);
+    try {
+        out_.open(fileName_, std::ios::binary | (trunc ? std::ios::trunc : std::ios::app));
+    } catch (const std::ofstream::failure &e) {
+        FILE_IO_THROW("Open for write");
+    }
+}
+
+FileOutputStream::~FileOutputStream()
+{
+    try {
+        Close();
+    } catch (const std::exception &e) {
+        SPDLOG_ERROR("IO error in destructor: < {} >", e.what());
+        if (exitFailInDestructor_) {
+            _exit(-1);
+        }
+    }
+}
+
+void FileOutputStream::Write(const void *buf, size_t length)
+{
+    try {
+        out_.write(static_cast<const char *>(buf), length);
+    } catch (const std::ofstream::failure &e) {
+        FILE_IO_THROW("Write");
+    }
+}
+
+void FileOutputStream::Write(std::string_view buf)
+{
+    try {
+        out_.write(buf.data(), buf.size());
+    } catch (const std::ofstream::failure &e) {
+        FILE_IO_THROW("Write");
+    }
+}
+
+const std::string &FileOutputStream::GetName() const
+{
+    return fileName_;
+}
+
+size_t FileOutputStream::Tellp()
+{
+    size_t ret = 0;
+    try {
+        ret = out_.tellp();
+    } catch (const std::ofstream::failure &e) {
+        FILE_IO_THROW("Tellp");
+    }
+    return ret;
+}
+
+void FileOutputStream::Flush()
+{
+    try {
+        if (out_.is_open() && out_.good()) {
+            out_.flush();
+        }
+    } catch (const std::ofstream::failure &e) {
+        FILE_IO_THROW("Flush");
+    }
+}
+
+void FileOutputStream::Close()
+{
+    try {
+        if (out_.is_open() && out_.good()) {
+            Flush();
+            out_.close();
+        }
+    } catch (const std::ofstream::failure &e) {
+        FILE_IO_THROW("Close");
+    }
+}
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/utils/file_io.h b/virtrust/src/virtrust/utils/file_io.h
new file mode 100644
index 0000000000000000000000000000000000000000..6a83f1ef2bfd9543e5bc52e1106212a022ff6c6f
--- /dev/null
+++ b/virtrust/src/virtrust/utils/file_io.h
@@ -0,0 +1,83 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#pragma once
+
+#include <fstream>
+#include <memory>
+#include <string>
+
+namespace virtrust {
+class FileInputStream {
+public:
+    explicit FileInputStream(std::string fileName);
+
+    ~FileInputStream() = default;
+
+    bool operator!() const;
+
+    explicit operator bool() const;
+
+    bool Eof() const;
+
+    FileInputStream &GetLine(std::string *ret, char delim);
+
+    FileInputStream &Read(void *buf, size_t length);
+
+    FileInputStream &Seekg(size_t pos);
+
+    size_t Tellg();
+
+    void TransferTo(std::ostringstream &oss);
+
+    std::string ReadAll();
+
+    size_t GetLength() const;
+
+    const std::string &GetName() const;
+
+    void Close();
+
+    static bool IsStreaming()
+    {
+        return false;
+    }
+
+    std::unique_ptr<FileInputStream> Spawn();
+
+private:
+    const std::string fileName_;
+    std::ifstream in_;
+    size_t fileLen_;
+};
+
+class FileOutputStream {
+public:
+    explicit FileOutputStream(std::string fileName, bool trunc = true, bool exitFailInDestructor = true);
+
+    ~FileOutputStream();
+
+    void Write(const void *buf, size_t length);
+    void Write(std::string_view buf);
+
+    const std::string &GetName() const;
+
+    size_t Tellp();
+
+    void Close();
+
+    void Flush();
+
+    static bool IsStreaming()
+    {
+        return false;
+    }
+
+private:
+    const std::string fileName_;
+    const bool exitFailInDestructor_;
+    std::ofstream out_;
+};
+
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/utils/file_io_test.cpp b/virtrust/src/virtrust/utils/file_io_test.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..2a4ac92ad1f6cddc66b0be6fd141a04ad687fb05
--- /dev/null
+++ b/virtrust/src/virtrust/utils/file_io_test.cpp
@@ -0,0 +1,303 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+ */
+
+#include <filesystem>
+#include <sstream>
+#include <fstream>
+
+#include "gtest/gtest.h"
+
+#include "virtrust/base/logger.h"
+#include "virtrust/utils/file_io.h"
+
+namespace virtrust {
+
+namespace {
+constexpr size_t MAX_BYTES_LENGTH = 64;
+constexpr std::string_view TEST_FILE_CONTENT = "this is a test file.\n";
+constexpr std::string_view TEST_FILE_CONTENT_LONG = "this is a test file.\nwith multiple lines\nand more content.\n";
+
+std::string GetTestFilePath()
+{
+  // Get the project root path (Which is the directory)
+  auto filePath = std::filesystem::path(__FILE__);
+  return (filePath / ".." / ".." / ".." / ".." / "test" / "data" / "test.txt").lexically_normal().string();
+}
+
+std::string GetTempFilePath(const std::string &suffix = "")
+{
+  // Get the project root path (Which is the directory)
+  auto filePath = std::filesystem::path(__FILE__);
+  return (filePath / ".." / ".." / ".." / ".." / "test" / "data" / ("temp_file" + suffix + ".txt"))
+  .lexically_normal()
+  .string();
+}
+
+} // namespace
+
+TEST(FileIO, Works)
+{
+  std::string path(GetTestFilePath());
+  FileInputStream fis = FileInputStream(path);
+  std::string content = fis.ReadAll();
+  ASSERT_EQ(content, TEST_FILE_CONTENT);
+}
+
+TEST(FileIO, ReadAll)
+{
+  std::string path(GetTestFilePath());
+  FileInputStream fis = FileInputStream(path);
+  std::string content = fis.ReadAll();
+  ASSERT_EQ(content, TEST_FILE_CONTENT);
+}
+
+TEST(FileIO, GetLength)
+{
+  std::string path(GetTestFilePath());
+  FileInputStream fis = FileInputStream(path);
+  size_t length = fis.GetLength();
+  ASSERT_EQ(length, TEST_FILE_CONTENT.length());
+}
+
+TEST(FileIO, GetName)
+{
+  std::string path(GetTestFilePath());
+  FileInputStream fis = FileInputStream(path);
+  const std::string &name = fis.GetName();
+  ASSERT_EQ(name, path);
+}
+
+TEST(FileIO, Eof)
+{
+  std::string path(GetTestFilePath());
+  FileInputStream fis = FileInputStream(path);
+
+  // Initially not at EOF
+  ASSERT_FALSE(fis.Eof());
+  
+  // Read all content
+  // NOTE EOF/FAIL bit get cleared inside this function
+  std::string content = fis.ReadAll();
+  EXPECT_FALSE(content.empty());
+}
+
+TEST(FileIO, SeekgAndTellg)
+{
+  std::string path(GetTestFilePath());
+  FileInputStream fis = FileInputStream(path);
+
+  // Get initial position
+  size_t initialPos = fis.Tellg();
+  ASSERT_EQ(initialPos, static_cast<size_t>(0));
+  
+  // Read part of the file
+  std::string content;
+  fis.GetLine(&content, '\n');
+
+  // Get current position
+  size_t currentPos = fis.Tellg();
+  ASSERT_GT(currentPos, initialPos);
+
+  // Seek back to beginning
+  fis.Seekg(0);
+  size_t newPos = fis.Tellg();
+  ASSERT_EQ(newPos, static_cast<size_t>(0));
+}
+
+TEST(FileIO, TransferTo)
+{
+  std::string path(GetTestFilePath());
+  FileInputStream fis = FileInputStream(path);
+  
+  std::ostringstream oss;
+  fis.TransferTo(oss);
+
+  ASSERT_EQ(oss.str(), TEST_FILE_CONTENT);
+}
+
+TEST(FileIO, GetLine)
+{
+  std::string path(GetTestFilePath());
+  FileInputStream fis = FileInputStream(path);
+  
+  std::string line;
+  fis.GetLine(&line, '\n');
+
+  ASSERT_EQ(line, "this is a test file.");
+}
+
+TEST(FileIO, Spawn)
+{
+  std::string path(GetTestFilePath());
+  FileInputStream fis = FileInputStream(path);
+  
+  // Save current position
+  size_t originalPos = fis.Tellg();
+
+  // Spawn a new stream from current position
+  auto spawnedStream = fis.Spawn();
+
+  // Both streams should be at same position
+  ASSERT_EQ(spawnedStream->Tellg(), originalPos);
+
+  // Original stream should still work
+  std::string line;
+  fis.GetLine(&line, '\n');
+  EXPECT_FALSE(line, "this is a test file.");
+}
+
+TEST(FileIO, FileStreamOperators)
+{
+  std::string path(GetTestFilePath());
+  FileInputStream fis = FileInputStream(path);
+  
+  // Test boolean conversion operators
+  ASSERT_TRUE(static_cast<bool>(fis));
+  ASSERT_FALSE(!fis);
+
+  // Test with invalid file (should throw)
+  try {
+    FileInputStream invalidFis("nonexistent_file.txt");
+    FAIL() << "Should have thrown exception";
+  } catch (...) {
+    // Excepted
+  }
+}
+
+TEST(FileIO, FileInputStreamRead)
+{
+  std::string path(GetTestFilePath());
+  FileInputStream fis = FileInputStream(path);
+  size_t length = TEST_FILE_CONTENT.size();
+  //Test Read method with buffer
+  char buffer[MAX_BYTES_LENGTH];
+  fis.Read(buffer, length);
+
+  std::string content(buffer, length);
+  ASSERT_EQ(content, TEST_FILE_CONTENT);
+  fis.Close();
+}
+
+TEST(FileIO, FileOutputStreamConstructAndDestroy)
+{
+  std::string tempPath = GetTempFilePath("_construct");
+  
+  // Test construction with trunc=true (default)
+  {
+    FileOutputStream fos(tempPath, true);
+    ASSERT_EQ(fos.GetName(), tempPath);
+  }
+
+  // Verify file was created
+  std::ifstream testFile(tempPath);
+  ASSERT_TRUE(testFile.good());
+  testFile.close();
+
+  // Test construction with trunc=false (append mode)
+  {
+    FileOutputStream fos(tempPath, false);
+    ASSERT_EQ(fos.GetName(), tempPath);
+  }
+
+  // Clean up
+  std::filesystem::remove(tempPath);
+}
+
+TEST(FileIO, FileOutputStreamWrite)
+{
+  std::string tempPath = GetTempFilePath("_write");
+  
+  {
+    FileOutputStream fos(tempPath);
+
+    // Test Write with buffer
+    const char* testData = "Hello World!";
+    fos.Write(testData, strlen(testData));
+
+    // Test Write with string_view
+    std::string_view testStr = "Test string";
+    fos.Write(testStr);
+
+    // Test Write with string
+    std::string testStr2 = "Another test";
+    fos.Write(testStr2.data(), testStr2.size());
+  }
+
+  // Verify content was written
+  std::ifstream testFile(tempPath);
+  std::ostringstream oss;
+  oss << testFile.rdbuf();
+  std::string content = oss.str();
+
+  ASSERT_NE(content.find("Hello World!"), std::string::npos);
+  ASSERT_NE(content.find("Test string"), std::string::npos);
+  ASSERT_NE(content.find("Another test"), std::string::npos);
+
+  testFile.close();
+  std::filesystem::remove(tempPath);
+}
+
+TEST(FileIO, FileOutputStreamTellpAndFlush)
+{
+  std::string tempPath = GetTempFilePath("_tellp");
+  
+  {
+    FileOutputStream fos(tempPath);
+
+    // Initial position should be 0
+    size_t initialPos = fos.Tellp();
+    ASSERT_EQ(initialPos, static_cast<size_t>(0));
+
+    // Write some data
+    const char* testData = "Test data";
+    fos.Write(testData, strlen(testData));
+
+    // Position should be advanced
+    size_t afterWritePos = fos.Tellp();
+    ASSERT_EQ(afterWritePos, strlen(testData));
+
+    // Test flush
+    fos.Flush();
+  }
+
+  // Verify content was written
+  std::ifstream testFile(tempPath);
+  std::ostringstream oss;
+  oss << testFile.rdbuf();
+  std::string content = oss.str();
+
+  ASSERT_EQ(content, "Test data");
+
+  testFile.close();
+  std::filesystem::remove(tempPath);
+}
+
+TEST(FileIO, FileOutputStreamClose)
+{
+  std::string tempPath = GetTempFilePath("_close");
+  
+  {
+    FileOutputStream fos(tempPath);
+    const char* testData = "Test data";
+    fos.Write(testData, strlen(testData));
+  }
+
+  // File should be closed and accessible
+  std::ifstream testFile(tempPath);
+  ASSERT_TRUE(testFile.good());
+
+  std::string content((std::istreambuf_iterator<char>(testFile)),
+  std::istreambuf_iterator<char>());
+
+  ASSERT_EQ(content, "Test data");
+
+  testFile.close();
+  std::filesystem::remove(tempPath);
+}
+
+TEST(FileIO, FileOutputStreamIsStreaming)
+{
+  ASSERT_FALSE(FileOutputStream::IsStreaming());
+}
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/utils/foreign_mounter.cpp b/virtrust/src/virtrust/utils/foreign_mounter.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..177214fa14fe6e570c06a4cc9cbd20bb56b741d1
--- /dev/null
+++ b/virtrust/src/virtrust/utils/foreign_mounter.cpp
@@ -0,0 +1,371 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#include "virtrust/utils/foreign_mounter.h"
+
+#include <cstring>
+#include <string>
+#include <string_view>
+
+#include "spdlog/fmt/fmt.h"
+
+#include "virtrust/base/logger.h"
+#include "virtrust/base/str_utils.h"
+#include "virtrust/crypto/sm3.h"
+#include "virtrust/dllib/common.h"
+
+namespace virtrust {
+
+namespace {
+constexpr std::string_view DEFAULT_SHIM_EFI_REGEX_PATH = "/boot/efi/EFI/{}/shimaa64.efi";
+constexpr std::string_view DEFAULT_GRUB_EFI_REGEX_PATH = "/boot/efi/EFI/{}/grubaa64.efi";
+constexpr std::string_view DEFAULT_GRUB_CFG_REGEX_PATH = "/boot/efi/EFI/{}/grub.cfg";
+constexpr std::string_view DEFAULT_BOOT_PATH = "/boot";
+constexpr std::string_view DEFAULT_INITRD_PREFIX = "initrd";
+constexpr std::string_view DEFAULT_LINUZ_PREFIX = "linux";
+constexpr char PATH_SEPARATOR = '/';
+constexpr std::string_view BACKEND_VALUE = "direct";
+
+inline ForeignMounterRc ParseRc(DllibRc rc)
+{
+    switch (rc) {
+        case DllibRc::OK:
+            return ForeignMounterRc::OK;
+        default:
+            return ForeignMounterRc::ERROR;
+    }
+}
+
+std::string LinuxDistroToString(LinuxDistro distro)
+{
+    switch (distro) {
+        case LinuxDistro::OPENEULER:
+            return "openEuler";
+        case LinuxDistro::CENTOS:
+            return "centos";
+        case LinuxDistro::UBUNTU:
+            return "ubuntu";
+        case LinuxDistro::DEBIAN:
+            return "debian";
+        case LinuxDistro::FEDORA:
+            return "fedora";
+        default:
+            return "unknown";
+    }
+}
+
+size_t CountStrings(char **strs)
+{
+    size_t c = 0;
+    if (strs != nullptr) {
+        while (strs[c] != nullptr) {
+            c++;
+        }
+    }
+    return c;
+}
+
+void GuestfsFreeStringList(char **strs)
+{
+    if (strs == nullptr) {
+        return;
+    }
+    for (size_t i = 0; strs[i] != nullptr; ++i) {
+        free(strs[i]);
+    }
+    free(strs);
+}
+} // namespace
+
+VerifyConfig::VerifyConfig(const std::string &guestName, const std::string &diskPath, const std::string &loaderPath,
+                           const LinuxDistro distro)
+    : guestName_(guestName), diskPath_(diskPath), loaderPath_(loaderPath), linuxDistro_(distro)
+{}
+
+std::string VerifyConfig::GetGuestName()
+{
+    return guestName_;
+}
+
+std::string VerifyConfig::GetDiskPath()
+{
+    return diskPath_;
+}
+
+std::string VerifyConfig::GetLoaderPath()
+{
+    return loaderPath_;
+}
+
+std::string VerifyConfig::GetShimPath()
+{
+    if (shimPath_.empty()) {
+        shimPath_ = fmt::format(DEFAULT_SHIM_EFI_REGEX_PATH, LinuxDistroToString(linuxDistro_));
+    }
+    return shimPath_;
+}
+
+std::string VerifyConfig::GetGrubPath()
+{
+    if (grubPath_.empty()) {
+        grubPath_ = fmt::format(DEFAULT_GRUB_EFI_REGEX_PATH, LinuxDistroToString(linuxDistro_));
+    }
+    return grubPath_;
+}
+
+std::string VerifyConfig::GetGrubCfgPath()
+{
+    if (grubCfgPath_.empty()) {
+        grubCfgPath_ = fmt::format(DEFAULT_GRUB_CFG_REGEX_PATH, LinuxDistroToString(linuxDistro_));
+    }
+    return grubCfgPath_;
+}
+
+std::string VerifyConfig::GetInitrdPath()
+{
+    return initrdPath_;
+}
+
+std::string VerifyConfig::GetLinuzPath()
+{
+    return linuzPath_;
+}
+
+void VerifyConfig::ParseGrubCfgContent(const std::string &content)
+{
+    std::istringstream iss(content);
+    std::string line;
+    bool findInitrd = false;
+    bool findLinuz = false;
+    while (std::getline(iss, line)) {
+        line = StrTrimWhitespace(line);
+        if (line.empty()) {
+            continue;
+        }
+        // find line which starts with "initrd" or "linux"
+        if (StrStartsWith(line, DEFAULT_INITRD_PREFIX)) {
+            initrdPath_ = ParseGrubCfgLine(line);
+            if (initrdPath_.empty()) {
+                VIRTRUST_LOG_ERROR("|ParseGrubCfgContent|END|||Get initrd path from grub.cfg failed.");
+                return;
+            }
+            findInitrd = true;
+        } else if (StrStartsWith(line, DEFAULT_LINUZ_PREFIX)) {
+            linuzPath_ = ParseGrubCfgLine(line);
+            if (linuzPath_.empty()) {
+                VIRTRUST_LOG_ERROR("|ParseGrubCfgContent|END|||Get linuz path from grub.cfg failed.");
+                return;
+            }
+            findLinuz = true;
+        }
+        // found all
+        if (findInitrd && findLinuz) {
+            return;
+        }
+    }
+}
+
+std::string VerifyConfig::ParseGrubCfgLine(const std::string &line)
+{
+    constexpr int lineSplitLimit = 2;
+
+    auto parts = StrSplit(line);
+    // if there are fewer than two substrings
+    if (parts.size() < lineSplitLimit) {
+        return "";
+    }
+    // the second substring is file name or path
+    std::string filename = parts[1];
+
+    // NOTE by cjm. We should check if the path is absolute
+    // prefix already exists
+    if (StrStartsWith(filename, DEFAULT_BOOT_PATH)) {
+        return filename;
+    }
+    // add prefix
+    return fmt::format("{}/{}", DEFAULT_BOOT_PATH, StrTrim(filename, PATH_SEPARATOR));
+}
+
+ForeignMounterRc ForeignMounter::TryInit()
+{
+    if (libguestfs_.CheckOk() != DllibRc::OK) {
+        return ParseRc(libguestfs_.Reload());
+    }
+
+    if (handle_ == nullptr) {
+        handle_ = libguestfs_.guestfs_create();
+    }
+
+    if (handle_ == nullptr) {
+        VIRTRUST_LOG_ERROR("|TryInit|END|returnF||Failed to create the guestfs handle.");
+        return ForeignMounterRc::ERROR;
+    }
+    return ForeignMounterRc::OK;
+}
+
+ForeignMounterRc ForeignMounter::Mount(std::string_view imgPath, size_t osIndex)
+{
+    // Check whether our dllib has been successfully loaded
+    if (!CheckOk()) {
+        return ForeignMounterRc::ERROR;
+    }
+
+    auto res = libguestfs_.guestfs_set_backend(handle_, BACKEND_VALUE.data());
+    if (res == -1) {
+        VIRTRUST_LOG_ERROR("|Mount|END|returnF||Guestfs set backend failed.");
+        return ForeignMounterRc::ERROR;
+    }
+
+    struct guestfs_add_drive_opts_argv optargs = {
+        .bitmask = GUESTFS_ADD_DRIVE_OPTS_FORMAT_BITMASK | GUESTFS_ADD_DRIVE_OPTS_CACHEMODE_BITMASK,
+        .format = "qcow2",
+        .cachemode = "unsafe" // quick but unsafe
+    };
+    // Load qcow2 format image from imgPath
+    // see: https://gitee.com/openeuler/qemu/issues/IADWBA
+    res = libguestfs_.guestfs_add_drive_opts_argv(handle_, imgPath.data(), optargs);
+    if (res == -1) {
+        VIRTRUST_LOG_ERROR("|Mount|END|returnF||Guestfs adds drive opts failed.");
+        return ForeignMounterRc::ERROR;
+    }
+
+    res = libguestfs_.guestfs_launch(handle_);
+    if (res == -1) {
+        VIRTRUST_LOG_ERROR("|Mount|END|returnF||Guestfs launch failed.");
+        return ForeignMounterRc::ERROR;
+    }
+
+    char **roots = libguestfs_.guestfs_inspect_os(handle_);
+    if (roots == nullptr) {
+        VIRTRUST_LOG_ERROR("|Mount|END|returnF||No operating system found in image.");
+        return ForeignMounterRc::ERROR;
+    }
+
+    size_t osCnt = CountStrings(roots);
+    if (osIndex >= osCnt) {
+        VIRTRUST_LOG_ERROR("|Mount|END|returnF||There are {} os in image, index out of range: {}.", osCnt, osIndex);
+        return ForeignMounterRc::ERROR;
+    }
+
+    char *root = roots[osIndex];
+    ForeignMounterRc rc = MountFilesystems(root);
+    GuestfsFreeStringList(roots);
+
+    if (rc == ForeignMounterRc::OK) {
+        isMount_ = true;
+    }
+    return rc;
+}
+
+ForeignMounterRc ForeignMounter::MountFilesystems(const std::string &root)
+{
+    // collect mountpoints and devices
+    char **mountpoints = libguestfs_.guestfs_inspect_get_mountpoints(handle_, root.c_str());
+    if (mountpoints == nullptr) {
+        VIRTRUST_LOG_ERROR("|MountFilesystems|END|returnF||Get mountpoints failed.");
+        return ForeignMounterRc::ERROR;
+    }
+    std::vector<MounterInfo> mps;
+    constexpr int stepLen = 2;
+    for (int i = 0; mountpoints[i] != nullptr && mountpoints[i + 1] != nullptr; i += stepLen) {
+        mps.push_back(MounterInfo{mountpoints[i], mountpoints[i + 1], StrCountChar(mountpoints[i], PATH_SEPARATOR)});
+    }
+
+    // sort by directory level in ascending
+    std::sort(mps.begin(), mps.end(), [](auto &a, auto &b) {
+        return a.dirLevel != b.dirLevel ? a.dirLevel < b.dirLevel : a.mpt.size() < b.mpt.size();
+    });
+
+    // mount all file system
+    for (auto &mp : mps) {
+        auto &mountpoint = mp.mpt;
+        auto &device = mp.device;
+        // mount device to mountpoint
+        int ret = libguestfs_.guestfs_mount_ro(handle_, device.c_str(), mountpoint.c_str());
+        if (ret == -1) {
+            VIRTRUST_LOG_ERROR("|MountFilesystems|END|returnF||Mount {} to {} failed.", device, mountpoint);
+            return ForeignMounterRc::ERROR;
+        }
+    }
+
+    GuestfsFreeStringList(mountpoints);
+    return ForeignMounterRc::OK;
+}
+
+ForeignMounterRc ForeignMounter::ReadFile(std::string_view filePath, std::string &fileContent)
+{
+    if (!isMount_) {
+        VIRTRUST_LOG_ERROR("|ReadFile|END|||The image has not been loaded.");
+        return ForeignMounterRc::ERROR;
+    }
+
+    // check file whether exist in image
+    int exists = libguestfs_.guestfs_exists(handle_, filePath.data());
+    if (exists != 1) {
+        VIRTRUST_LOG_ERROR("|ReadFile|END||file path is: {}|File not exist in image.", filePath);
+        return ForeignMounterRc::FILE_NOT_EXIST;
+    }
+
+    // check whether is a file
+    int isFile = libguestfs_.guestfs_is_file(handle_, filePath.data());
+    if (isFile != 1) {
+        VIRTRUST_LOG_ERROR("|ReadFile|END|||file path is: {}|It is not a file.", filePath);
+        return ForeignMounterRc::ERROR;
+    }
+
+    // read content
+    size_t size;
+    char *content = libguestfs_.guestfs_read_file(handle_, filePath.data(), &size);
+    if (content == nullptr) {
+        VIRTRUST_LOG_ERROR("|ReadFile|END|||file path is: {}|Read this file failed.", filePath);
+        return ForeignMounterRc::ERROR;
+    }
+
+    fileContent = std::string(content, size);
+    free(content);
+    return ForeignMounterRc::OK;
+}
+
+ForeignMounterRc ForeignMounter::DoSm3OnVmFile(std::string_view filePath, std::vector<uint8_t> &sm3Data)
+{
+    std::string fileContent;
+    ForeignMounterRc rc = ReadFile(filePath, fileContent);
+    if (rc == ForeignMounterRc::FILE_NOT_EXIST) {
+        return rc;
+    }
+
+    if (rc != ForeignMounterRc::OK) {
+        VIRTRUST_LOG_ERROR("|DoSm3OnVmFile|END|returnF||Read file failed: {}.", filePath);
+        return ForeignMounterRc::ERROR;
+    }
+    if (virtrust::DoSm3(fileContent, sm3Data) != Sm3Rc::OK) {
+        return ForeignMounterRc::ERROR;
+    }
+    return ForeignMounterRc::OK;
+}
+
+ForeignMounterRc ForeignMounter::Unmount() noexcept
+{
+    if (handle_ == nullptr) {
+        return ForeignMounterRc::OK;
+    }
+    isMount_ = false;
+    if (libguestfs_.guestfs_umount_all(handle_) == -1) {
+        VIRTRUST_LOG_ERROR("|Unmount|END|||Guestfs umount all failed.");
+        return ForeignMounterRc::ERROR;
+    }
+    return ForeignMounterRc::OK;
+}
+
+ForeignMounterRc ForeignMounter::EnableStrErrTrace()
+{
+    return libguestfs_.guestfs_set_trace(handle_, 1) == 0 ? ForeignMounterRc::OK : ForeignMounterRc::ERROR;
+}
+
+ForeignMounterRc ForeignMounter::DisableStrErrTrace()
+{
+    return libguestfs_.guestfs_set_trace(handle_, 0) == 0 ? ForeignMounterRc::OK : ForeignMounterRc::ERROR;
+}
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/utils/foreign_mounter.h b/virtrust/src/virtrust/utils/foreign_mounter.h
new file mode 100644
index 0000000000000000000000000000000000000000..0d2e2a4e1e6404b787ad33a5e87e4ed5f26e2c3e
--- /dev/null
+++ b/virtrust/src/virtrust/utils/foreign_mounter.h
@@ -0,0 +1,129 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#pragma once
+
+#include <string>
+#include <string_view>
+
+#include "virtrust/base/logger.h"
+#include "virtrust/dllib/libguestfs.h"
+
+namespace virtrust {
+
+enum class LinuxDistro {
+    OPENEULER,
+    CENTOS,
+    UBUNTU,
+    DEBIAN,
+    FEDORA
+};
+
+class VerifyConfig {
+public:
+    VerifyConfig() = default;
+
+    VerifyConfig(const std::string &guestName, const std::string &diskPath, const std::string &loaderPath,
+                 LinuxDistro distro = LinuxDistro::OPENEULER);
+
+    std::string GetGuestName();
+    std::string GetDiskPath();
+    std::string GetLoaderPath();
+    std::string GetShimPath();
+    std::string GetGrubPath();
+    std::string GetGrubCfgPath();
+    std::string GetInitrdPath();
+    std::string GetLinuzPath();
+
+    void ParseGrubCfgContent(const std::string &content);
+
+private:
+    std::string guestName_;
+    std::string diskPath_;
+    std::string loaderPath_;
+    std::string shimPath_;
+    std::string grubPath_;
+    std::string grubCfgPath_;
+    std::string initrdPath_;
+    std::string linuzPath_;
+    LinuxDistro linuxDistro_;
+
+    std::string ParseGrubCfgLine(const std::string &line);
+};
+
+enum class ForeignMounterRc : uint32_t {
+    OK = 0,
+    ERROR = 1,
+    FILE_NOT_EXIST = 2,
+};
+
+struct MounterInfo {
+    std::string mpt;    // mount point
+    std::string device; // mount device
+    size_t dirLevel;
+};
+
+class ForeignMounter {
+public:
+    ForeignMounter()
+    {
+        // try to init handle, discarding the return process
+        TryInit();
+    };
+
+    ~ForeignMounter() noexcept
+    {
+        Unmount();
+        if (handle_ != nullptr) {
+            libguestfs_.guestfs_close(handle_);
+            handle_ = nullptr;
+        }
+    };
+
+    ForeignMounter(const ForeignMounter &) = delete;
+    ForeignMounter &operator=(const ForeignMounter &) = delete;
+    ForeignMounter(ForeignMounter &&) = delete;
+    ForeignMounter &operator=(ForeignMounter &&) = delete;
+
+    // low-level api, try to initialize handle
+    ForeignMounterRc TryInit();
+
+    // Mount virtual machine img path to filesystem
+    ForeignMounterRc Mount(std::string_view imgPath, size_t osIndex = 0);
+
+    // Read file content to string
+    ForeignMounterRc ReadFile(std::string_view filePath, std::string &content);
+
+    // Get file sm3
+    ForeignMounterRc DoSm3OnVmFile(std::string_view filePath, std::vector<uint8_t> &sm3Data);
+
+    // Unmount
+    ForeignMounterRc Unmount() noexcept;
+
+    // Check if everything is okay
+    bool CheckOk()
+    {
+        return handle_ != nullptr && libguestfs_.CheckOk() == DllibRc::OK;
+    }
+
+    bool CheckMount() const
+    {
+        return isMount_;
+    }
+
+    // Enable trace from libguestfs
+    ForeignMounterRc EnableStrErrTrace();
+
+    // Disable trace from libguestfs
+    ForeignMounterRc DisableStrErrTrace();
+
+private:
+    bool isMount_ = false;
+    guestfs_h *handle_ = nullptr;
+    Libguestfs &libguestfs_ = Libguestfs::GetInstance();
+
+    ForeignMounterRc MountFilesystems(const std::string &root);
+};
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/utils/foreign_mounter_test.cpp b/virtrust/src/virtrust/utils/foreign_mounter_test.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..d5609fea3a08d7021b82cc46ada8b3e4e74c68ba
--- /dev/null
+++ b/virtrust/src/virtrust/utils/foreign_mounter_test.cpp
@@ -0,0 +1,78 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+ */
+
+#include <filesystem>
+#include <fstream>
+
+#include "gtest/gtest.h"
+
+#include "virtrust/utils/foreign_mounter.h"
+#include "virtrust/utils/file_io.h"
+
+namespace virtrust::test {
+
+namespace {
+  constexpr std::string_view IMAGE_PATH = "/data/openEuler-24.03-LTS-SP1-aarch64.gcow2";
+  constexpr std::string_view VM_FILE_PATH = "/root/vnTestFile.txt";
+  constexpr std::string_view VM_FILE_CONTENT = "This is a file in VM.\n";
+}
+
+namespace {
+constexpr std::string_view TEST_INITRD_PATH = "/boot/initramfs-6.6.0-72.0.0.76.oe2403sp1.aarch64.img";
+constexpr std::string_view TEST_LINUZ_PATH = "/boot/vmlinuz-6.6.0-72.0.0.76.oe2403sp1.aarch64";
+std::string GetTestFilePath()
+{
+  auto filePath = std::filesystem::path(__FILE__);
+  return (filePath / ".." / ".." / ".." / ".." / "test" / "data" / "grub.cfg").lexically_normal().string();
+}
+} // namespace
+
+TEST(VerifyConfig, Works)
+{
+  std::string filePath(GetTestFilePath());
+  FileInputStream fis (filePath);
+
+  VerifyConfig config;
+  config.ParseGrubCfgContent(fis.ReadAll());
+
+  EXPECT_EQ(config.GetInitrdPath(), TEST_INITRD_PATH);
+
+  EXPECT_EQ(config.GetLinuzPath(), TEST_LINUZ_PATH);
+}
+
+TEST(DISABLED_ForeignMounterTest, Works)
+{
+  auto mounter = ForeignMounter();
+  EXPECT_TRUE(mounter.CheckOK());
+
+  ForeignMounterRc rc;
+
+  rc = mounter.EnableStrErrTrace();
+  EXPECT_EQ(rc, ForeignMounterRc::OK);
+
+  rc = mounter.DisableStrErrTrace();
+  EXPECT_EQ(rc, ForeignMounterRc::OK);
+}
+
+TEST(DISABLED_ForeignMounterTest, Mount)
+{
+  auto mounter = ForeignMounter();
+  EXPECT_TRUE(mounter.CheckOK());
+
+  ForeignMounterRc rc;
+
+  rc = mounter.TryInit();
+  EXPECT_EQ(rc, ForeignMounterRc::OK);
+
+  rc = mounter.Mount(IMAGE_PATH);
+  EXPECT_EQ(rc, ForeignMounterRc::OK);
+
+  std::string content;
+  mounter.ReadFile(VM_FILE_PATH, content);
+  EXPECT_EQ(content, VM_FILE_CONTENT);
+
+  rc = mounter.UnMount();
+  EXPECT_EQ(rc, ForeignMounterRc::OK);
+}
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/utils/migrate_helper.cpp b/virtrust/src/virtrust/utils/migrate_helper.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..61d241bd4e886960b7897a46606895c202adb5da
--- /dev/null
+++ b/virtrust/src/virtrust/utils/migrate_helper.cpp
@@ -0,0 +1,7 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#include "virtrust/utils/migrate_helper.h"
+
+namespace virtrust {} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/utils/migrate_helper.h b/virtrust/src/virtrust/utils/migrate_helper.h
new file mode 100644
index 0000000000000000000000000000000000000000..52faf356327717ddb44f95f87013988cdc367936
--- /dev/null
+++ b/virtrust/src/virtrust/utils/migrate_helper.h
@@ -0,0 +1,46 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#pragma once
+
+#include <string>
+#include <utility>
+
+#include "virtrust/api/context.h"
+
+namespace virtrust {
+
+class MigrateHelper {
+public:
+    explicit MigrateHelper() = default;
+    ~MigrateHelper() = default;
+
+    explicit MigrateHelper(std::string destUri) : destUri_(std::move(destUri))
+    {}
+
+    void SetDstUri(const std::string &destUri)
+    {
+        destUri_ = destUri;
+    }
+
+    std::string GetDstUri()
+    {
+        return destUri_;
+    }
+
+    // step 1: get report that the hardware is okay
+    void GetReport();
+
+    // step 2: get the private shared key pair
+    void GetKey();
+
+    // step 3: key exchange to get a shared key
+    void ExchangeKey();
+
+private:
+    ConnCtx conn_;
+    std::string destUri_;
+};
+
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/utils/migrate_helper_test.cpp b/virtrust/src/virtrust/utils/migrate_helper_test.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..9471afeec2e798145b922e2dac36b498ca10db96
--- /dev/null
+++ b/virtrust/src/virtrust/utils/migrate_helper_test.cpp
@@ -0,0 +1,186 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+ */
+
+#include <filesystem>
+#include <string>
+
+#include "gtest/gtest.h"
+
+#include "virtrust/base/logger.h"
+#include "virtrust/utils/file_io.h"
+#include "virtrust/utils/foreign_mounter.h"
+#include "virtrust/utils/migrate_helper.h"
+#include "virtrust/utils/virt_xml_parser.h"
+
+namespace virtrust {
+
+namespace {
+std::string GetTestFilePath()
+{
+  // Get the project root path (which is the directory)
+  auto filePath = std::filesystem::path(__FILE__);
+  return (filePath / ".." / ".." / ".." / ".." / "test" / "data" / "test.txt").lexically_normal().string();
+}
+
+const std::string TEST_XML_CONTENT = R"(<?xml version='1.0' encoding="UTF-8"?>
+<domain type='kvm'>
+  <name>test-domain</name>
+  <memory unit='KiB'>1048576</memory>
+  <vcpu placement='static'>2</vcpu>
+  <os>
+    <type arch='x86_64'>hvm</type>
+  </os>
+</domain>)";
+
+} // namespace
+
+TEST(UtilsTest, FileIoWorks)
+{
+  std::string path(GetTestFilePath());
+  FileInputStream fis = FileInputStream(path);
+  std::string connent = fis.ReadAll();
+  EXPECT_FALSE(connent.enpty());
+}
+
+TEST(UtilsTest, FileIoReadALL)
+{
+  std::string path(GetTestFilePath());
+  FileInputStream fis = FileInputStream(path);
+  std::string connent = fis.ReadAll();
+  EXPECT_FALSE(connent.enpty());
+}
+
+TEST(UtilsTest, FileIoGetLength)
+{
+  std::string path(GetTestFilePath());
+  FileInputStream fis = FileInputStream(path);
+  size_t length = fis.GetLength();
+  EXPECT_GT(length, static_cast<size_t>(0));
+}
+
+TEST(UtilsTest, FileIoGetName)
+{
+  std::string path(GetTestFilePath());
+  FileInputStream fis = FileInputStream(path);
+  const std::string &name = fis.GetName();
+  EXPECT_EQ(name, path);
+}
+
+TEST(UtilsTest, FileIoEof)
+{
+  std::string path(GetTestFilePath());
+  FileInputStream fis = FileInputStream(path);
+
+  // Initially not at EOF
+  EXPECT_FALSE(fis.Eof());
+  
+  // Read all content
+  std::string content = fis.ReadAll();
+  EXPECT_FALSE(content.empty());
+}
+
+TEST(UtilsTest, FileIoSeekgAndTellg)
+{
+  std::string path(GetTestFilePath());
+  FileInputStream fis = FileInputStream(path);
+
+  // Get initial position
+  size_t initialPos = fis.Tellg();
+  EXPECT_EQ(initialPos, static_cast<size_t>(0));
+  
+  // Read part of the file
+  std::string content;
+  fis.GetLine(&content, '\n');
+
+  // Get current position
+  size_t currentPos = fis.Tellg();
+  EXPECT_GT(currentPos, initialPos);
+
+  // Seek back to beginning
+  fis.Seekg(0);
+  size_t newPos = fis.Tellg();
+  EXPECT_EQ(newPos, static_cast<size_t>(0));
+}
+
+TEST(UtilsTest, FileIoTransferTo)
+{
+  std::string path(GetTestFilePath());
+  FileInputStream fis = FileInputStream(path);
+  
+  std::ostringstream oss;
+  fis.TransferTo(oss);
+
+  EXPECT_FALSE(oss.str().empty());
+}
+
+TEST(UtilsTest, FileIoGetLine)
+{
+  std::string path(GetTestFilePath());
+  FileInputStream fis = FileInputStream(path);
+  
+  std::string line;
+  fis.GetLine(&line, '\n');
+
+  EXPECT_FALSE(line.empty());
+}
+
+TEST(UtilsTest, FileIoGetSpawn)
+{
+  std::string path(GetTestFilePath());
+  FileInputStream fis = FileInputStream(path);
+  
+  // Save current position
+  size_t originalPos = fis.Tellg();
+
+  // Spawn a new stream from current position
+  auto spawnedStream = fis.Spawn();
+
+  // Both streams should be at same position
+  ASSERT_EQ(spawnedStream->Tellg(), originalPos);
+
+  // Original stream should still work
+  std::string line;
+  fis.GetLine(&line, '\n');
+  EXPECT_FALSE(line.empty());
+}
+
+TEST(UtilsTest, FileIoFileStreamOperators)
+{
+  std::string path(GetTestFilePath());
+  FileInputStream fis = FileInputStream(path);
+  
+  // Test boolean conversion operators
+  EXPECT_TRUE(static_cast<bool>(fis));
+  EXPECT_FALSE(!fis);
+
+  // Test with invalid file (should not throw in constructor but fail on usage)
+  try {
+    FileInputStream invalidFis("nonexistent_file.txt");
+    // Just test that construction didn't crash, but subsequent operations should fail
+  } catch (...) {
+    // Excepted
+  }
+}
+
+TEST(UtilsTest, ForeignMounter)
+{
+  // This is a placeholder test - the actual implementation might depend on
+  // system-specific mount points which are not available in test environment
+  // We mainly test taht the class can be instantiated and basic operations work
+  
+  // Test defaulf construstor
+  ForeignMounter mounter;
+  EXPECT_TRUE(true); // Basic check taht it compiles and can be constructed
+}
+
+TEST(UtilsTest, MigrateHelper)
+{
+  // This is a placeholder test - the actual implementation might depend on
+  // complex migration operations that are hard to test without proper environment
+  
+  // Test defaulf construstor
+  MigrateHelper helper;
+  EXPECT_TRUE(true); // Basic check taht it compiles and can be constructed
+}
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/utils/smart_deleter.h b/virtrust/src/virtrust/utils/smart_deleter.h
new file mode 100644
index 0000000000000000000000000000000000000000..145e365c19532eeba647dec3f76971c40981cbaf
--- /dev/null
+++ b/virtrust/src/virtrust/utils/smart_deleter.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#pragma once
+
+namespace virtrust {
+
+template <class T> class SmartDeleter {
+public:
+    SmartDeleter()
+    {
+        core_ = nullptr;
+    }
+
+    explicit SmartDeleter(T *ptr)
+    {
+        core_ = ptr;
+    }
+
+    T *Get() const
+    {
+        return core_;
+    }
+
+protected:
+    T *core_ = nullptr;
+};
+
+#define VIRTRUST_MAKE_DESTRUCTOR(NAME, DELETER) \
+    ~NAME()                                     \
+    {                                           \
+        if (this->core_ != nullptr) {           \
+            DELETER(this->core_);               \
+            this->core_ = nullptr;              \
+        }                                       \
+    }
+
+#define CONCAT_IMPL(x, y) x##y
+#define CONCAT(x, y) CONCAT_IMPL(x, y)
+
+#define VIRTRUST_MAKE_SMART(T, DELETER)                                 \
+    class CONCAT(Smart, T) : public SmartDeleter<T> {                   \
+    public:                                                             \
+        using SmartDeleter<T>::SmartDeleter;                            \
+        CONCAT(Smart, T)(const CONCAT(Smart, T) &) = delete;            \
+        CONCAT(Smart, T) &operator=(const CONCAT(Smart, T) &) = delete; \
+        VIRTRUST_MAKE_DESTRUCTOR(CONCAT(Smart, T), DELETER)             \
+    }
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/utils/virt_xml_parser.cpp b/virtrust/src/virtrust/utils/virt_xml_parser.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..2f39e442b684f2e3d5c014a0d584fe359483ff4f
--- /dev/null
+++ b/virtrust/src/virtrust/utils/virt_xml_parser.cpp
@@ -0,0 +1,173 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#include "virtrust/utils/virt_xml_parser.h"
+
+#include <filesystem>
+
+namespace virtrust {
+
+namespace {
+constexpr std::string_view VIRT_XML_DISK_PATH = "/domain/devices/disk/source";
+const xmlChar VIRT_XML_FILE_PROP[] = "file";
+constexpr std::string_view VIRT_XML_LOADER_PATH = "/domain/os/loader";
+constexpr std::string_view VIRT_XML_NAME_PATH = "/domain/name";
+constexpr std::string_view PATH_SEPARATOR = "/";
+} // namespace
+
+void VirtXmlParser::SearchCurrLevel(std::vector<xmlNodePtr> &currLevel, std::vector<xmlNodePtr> &nextLevel,
+                                    const std::string &nodeName)
+{
+    for (xmlNodePtr parent : currLevel) {
+        for (xmlNodePtr node = parent->children; node != nullptr; node = node->next) {
+            bool pathMatch = node->type == XML_ELEMENT_NODE && nodeName == MakeString(node->name);
+            if (pathMatch) {
+                nextLevel.push_back(node);
+            }
+        }
+    }
+}
+
+std::vector<xmlNodePtr> VirtXmlParser::FindNodesByPath(std::string_view absPath)
+{
+    std::vector<xmlNodePtr> ret;
+    auto root = libxml2_.xmlDocGetRootElement(doc_);
+    if (root == nullptr) {
+        VIRTRUST_LOG_ERROR("|FindNodesByPath|END|||Get xml root node failed.");
+        return ret;
+    }
+    if (absPath.empty()) {
+        VIRTRUST_LOG_ERROR("|FindNodesByPath|END|||Input path is empty.");
+        return ret;
+    }
+    if (absPath[0] != '/') {
+        VIRTRUST_LOG_ERROR("|FindNodesByPath|END||file path: {}|It's not a absolutely path.", absPath);
+        return ret;
+    }
+
+    std::vector<std::string> parts = StrSplit(StrTrim(std::string(absPath), PATH_SEPARATOR[0]), PATH_SEPARATOR);
+
+    std::vector<xmlNodePtr> currLevel = {root};
+    if (parts[0] != MakeString(root->name)) {
+        VIRTRUST_LOG_ERROR("|FindNodesByPath|END||file path: {}|The name of root "
+                           "node in xml file is wrong.",
+                           absPath);
+        return ret;
+    }
+
+    for (size_t i = 1; i < parts.size(); ++i) {
+        const auto &nodeName = parts[i];
+        std::vector<xmlNodePtr> nextLevel;
+        SearchCurrLevel(currLevel, nextLevel, nodeName);
+        if (nextLevel.empty()) { // No matchs found
+            return ret;
+        }
+        currLevel = std::move(nextLevel);
+    }
+    return currLevel;
+}
+
+bool VirtXmlParser::LoadFile(std::string_view filename)
+{
+    if (filename.empty()) {
+        VIRTRUST_LOG_ERROR("|LoadFile|END|returnF||File name is empty.");
+        return false;
+    }
+
+    if (!std::filesystem::exists(filename) || !std::filesystem::is_regular_file(filename)) {
+        VIRTRUST_LOG_ERROR("|LoadFile|END|returnF||The file does not exist: {}.", filename);
+        return false;
+    }
+
+    // the reamining document tree if the file was wellformed, nullptr otherwise
+    if (doc_ != nullptr) {
+        VIRTRUST_LOG_WARN("|LoadFile|END|||Already load file, will load new one.");
+        libxml2_.xmlFreeDoc(doc_);
+        doc_ = nullptr;
+    }
+    doc_ = libxml2_.xmlParseFile(filename.data());
+    return doc_ != nullptr;
+}
+
+std::string VirtXmlParser::GetDiskPath()
+{
+    auto nodes = FindNodesByPath(VIRT_XML_DISK_PATH);
+    if (nodes.empty()) {
+        VIRTRUST_LOG_ERROR("|GetDiskPath|END||node path: {}|Get disk path from xml failed.", VIRT_XML_DISK_PATH);
+        return "";
+    }
+
+    if (nodes.size() != 1) {
+        VIRTRUST_LOG_ERROR("|GetDiskPath|END|||The node of disk path in xml is not only.");
+        return "";
+    }
+
+    xmlNodePtr node = nodes[0];
+    xmlChar *diskPath = libxml2_.xmlGetProp(node, VIRT_XML_FILE_PROP);
+    if (diskPath == nullptr) {
+        VIRTRUST_LOG_ERROR("|GetDiskPath|END||node path: {}|Target node does not "
+                           "have property: {}.",
+                           VIRT_XML_DISK_PATH, reinterpret_cast<const char *>(VIRT_XML_FILE_PROP));
+        return "";
+    }
+
+    std::string ret = MakeString(diskPath);
+    free(diskPath);
+    return ret;
+}
+
+std::string VirtXmlParser::GetLoaderPath()
+{
+    auto nodes = FindNodesByPath(VIRT_XML_LOADER_PATH);
+    if (nodes.empty()) {
+        VIRTRUST_LOG_ERROR("|GetLoaderPath|END|||Get loader path from xml failed: {}.", VIRT_XML_LOADER_PATH);
+        return "";
+    }
+
+    if (nodes.size() != 1) {
+        VIRTRUST_LOG_ERROR("|GetLoaderPath|END|||The node of loader path in xml is not only.");
+        return "";
+    }
+
+    xmlNodePtr node = nodes[0];
+    if (node->children == nullptr || node->children->content == nullptr) {
+        VIRTRUST_LOG_ERROR("|GetLoaderPath|END||node path: {}|Target node does not "
+                           "have any child nodes.",
+                           VIRT_XML_LOADER_PATH);
+        return "";
+    }
+    return MakeString(node->children->content);
+}
+
+std::string VirtXmlParser::GetVmName()
+{
+    auto nodes = FindNodesByPath(VIRT_XML_NAME_PATH);
+    if (nodes.empty()) {
+        VIRTRUST_LOG_ERROR("|GetVmName|END|||Get VM name from xml failed.");
+        return "";
+    }
+
+    if (nodes.size() != 1) {
+        VIRTRUST_LOG_ERROR("|GetVmName|END|||The node of VM name in xml is not only.");
+        return "";
+    }
+
+    xmlNodePtr node = nodes[0];
+    if (node->children == nullptr || node->children->content == nullptr) {
+        VIRTRUST_LOG_ERROR("|GetVmName|END||node path: {}|Target node does not "
+                           "have any child nodes.",
+                           VIRT_XML_NAME_PATH);
+        return "";
+    }
+    return MakeString(node->children->content);
+}
+
+VerifyConfig VirtXmlParser::Parse(const std::string &filePath)
+{
+    LoadFile(filePath);
+    VerifyConfig config(GetVmName(), GetDiskPath(), GetLoaderPath());
+    return config;
+}
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/utils/virt_xml_parser.h b/virtrust/src/virtrust/utils/virt_xml_parser.h
new file mode 100644
index 0000000000000000000000000000000000000000..ccdc6b8eb4a674a884d17d2fb6543df13392384f
--- /dev/null
+++ b/virtrust/src/virtrust/utils/virt_xml_parser.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#pragma once
+
+#include <string>
+
+#include "virtrust/base/logger.h"
+#include "virtrust/dllib/libxml2.h"
+#include "virtrust/utils/foreign_mounter.h"
+
+namespace virtrust {
+
+using NodeConditionMatchFunc = std::function<bool(const xmlNodePtr)>;
+
+class VirtXmlParser {
+public:
+    VirtXmlParser() = default;
+
+    ~VirtXmlParser()
+    {
+        if (doc_ != nullptr) {
+            libxml2_.xmlFreeDoc(doc_);
+        }
+    }
+
+    std::vector<xmlNodePtr> FindNodesByPath(std::string_view absPath);
+
+    // Load the VM xml file, the function reloads the file each time it is called.
+    bool LoadFile(std::string_view filename);
+
+    std::string GetVmName();
+
+    std::string GetDiskPath();
+
+    std::string GetLoaderPath();
+
+    VerifyConfig Parse(const std::string &filePath);
+
+private:
+    Libxml2 &libxml2_ = Libxml2::GetInstance();
+    xmlDocPtr doc_ = nullptr;
+
+    void SearchCurrLevel(std::vector<xmlNodePtr> &currLevel, std::vector<xmlNodePtr> &nextLevel,
+                         const std::string &nodeName);
+};
+
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/utils/virt_xml_paser_test.cpp b/virtrust/src/virtrust/utils/virt_xml_paser_test.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..c918b989fb0d1762f470b29d02bf0ac72f77688c
--- /dev/null
+++ b/virtrust/src/virtrust/utils/virt_xml_paser_test.cpp
@@ -0,0 +1,77 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+ */
+
+#include <filesystem>
+#include <fstream>
+
+#include "gtest/gtest.h"
+
+#include "virtrust/utils/virt_xml_parser.h"
+
+namespace virtrust {
+
+namespace {
+std::string GetTestXml()
+{
+  auto filePath = std::filesystem::path(__FILE__);
+  return (filePath / ".." / ".." / ".." / ".." / "test" / "data" / "test.xml").lexically_normal().string();
+}
+
+constexpr std::string_view TEST_GUEST_NAME = "open-euler-vm";
+constexpr std::string_view TEST_DISK_PATH = "/data/images/openEuler-24.03-LTS-SP1-aarch64.gcow2";
+constexpr std::string_view TEST_LOADER_PATH = "/usr/share/edk2/aarch64/QEMU_EFI-pflash.raw";
+constexpr std::string_view TEST_SHIM_PATH = "/boot/efi/EFI/openEuler/shimaa64.efi";
+constexpr std::string_view TEST_GRUB_PATH = "/boot/efi/EFI/openEuler/grubaa64";
+constexpr std::string_view TEST_GRUB_CFG_PATH = "/boot/efi/EFI/openEuler/grub.cfg";
+} // namespace
+
+
+TEST(VirtXmlParserTest, ParseTest)
+{
+  auto parse = VirtXmlParser();
+  auto config = parse.Parse(GetTestXml());
+
+  EXPECT_EQ(config.GetGuestName(), TEST_GUEST_NAME);
+  EXPECT_EQ(config.GetDiskPath(), TEST_DISK_PATH);
+  EXPECT_EQ(config.GetLoaderPath(), TEST_LOADER_PATH);
+  EXPECT_EQ(config.GetShimPath(), TEST_SHIM_PATH);
+  EXPECT_EQ(config.GetGrubPath(), TEST_GRUB_PATH);
+  EXPECT_EQ(config.GetGrubCfgPath(), TEST_GRUB_CFG_PATH);
+}
+
+TEST(VirtXmlParserTest, LoadFileTest)
+{
+  // Test valid file loading
+  auto parse = VirtXmlParser();
+  EXPECT_TRUE(parse.LoadFile(GetTestXml()));
+
+  // Test invalid file path
+  EXPECT_FALSE(parse.LoadFile("/non/existent/file.xml"));
+
+  // Test empty file name
+  EXPECT_FALSE(parse.LoadFile(""));
+}
+
+TEST(VirtXmlParserTest, FindNodesByPathTest)
+{
+  auto parse = VirtXmlParser();
+  EXPECT_TRUE(parse.LoadFile(GetTestXml()));
+
+  // Test valid file path
+  auto nodes = parse.FindNodesByPath("/domain/name");
+  EXPECT_EQ(nodes.size(), 1);
+
+  // Test invalid file path
+  auto emptyNodes = parse.FindNodesByPath("/domain/nonexistent");
+  EXPECT_TRUE(emptyNodes.empty());
+
+  // Test empty path
+  auto emptyPathNodes = parse.FindNodesByPath("");
+  EXPECT_TRUE(emptyPathNodes.empty());
+
+  // Test non-absolute path
+  auto nonAbsNodes = parse.FindNodesByPath("domain/name");
+  EXPECT_TRUE(nonAbsNodes.empty());
+}
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/test/CMakeLists.txt b/virtrust/test/CMakeLists.txt
new file mode 100644
index 0000000000000000000000000000000000000000..d24c58019d836da0abf63f59dc41642d77a9678c
--- /dev/null
+++ b/virtrust/test/CMakeLists.txt
@@ -0,0 +1,74 @@
+# Copyright (c)
+
+find_program(OPENSSL_EXECUTABLE openssl)
+
+if(OPENSSL_EXECUTABLE)
+  message(STATUS "Openssl executable found at: ${OPENSSL_EXECUTABLE}")
+  message(
+    STATUS "Generate test certificates at: ${CMAKE_CURRENT_LIST_DIR}/cert")
+
+  # create ca sk and root cert
+  execute_process(
+    COMMAND
+      ${OPENSSL_EXECUTABLE} req -x509 -newkey rsa:2048 -nodes -keyout sk.pem
+      -out cert.pem -days 365 -subj
+      "/C=US/ST=State/L=City/O=Organization/OU=Unit/CN=example.com" -nodes
+    WORKING_DIRECTORY ${CMAKE_CURRENT_LIST_DIR}/ca
+    OUTPUT_QUIET)
+
+  # -----------------
+  # server
+  # -----------------
+
+  # create server's sk
+  execute_process(
+    COMMAND ${OPENSSL_EXECUTABLE} genrsa -out sk.pem 2048
+    WORKING_DIRECTORY ${CMAKE_CURRENT_LIST_DIR}/server
+    OUTPUT_QUIET)
+
+  # create csr for server
+  execute_process(
+    COMMAND ${OPENSSL_EXECUTABLE} req -new -key sk.pem -out server.csr -subj
+            "/C=US/ST=State/L=City/O=Organization/OU=Unit/CN=example.com"
+    WORKING_DIRECTORY ${CMAKE_CURRENT_LIST_DIR}/server
+    OUTPUT_QUIET)
+
+  # Make CA sign server's csr
+  execute_process(
+    COMMAND ${OPENSSL_EXECUTABLE} x509 -req -in server.csr -CA ../ca/cert.pem
+            -CAkey ../ca/sk.pem -CAcreateserial -out cert.pem -days 365 -sha256
+    WORKING_DIRECTORY ${CMAKE_CURRENT_LIST_DIR}/server
+    OUTPUT_QUIET)
+
+  # ------------
+  # client
+  # -----------
+
+  # create client's sk
+  execute_process(
+    COMMAND ${OPENSSL_EXECUTABLE} genrsa -out sk.pem 2048
+    WORKING_DIRECTORY ${CMAKE_CURRENT_LIST_DIR}/client
+    OUTPUT_QUIET)
+
+  # create csr for client
+  execute_process(
+    COMMAND ${OPENSSL_EXECUTABLE} req -new -key sk.pem -out client.csr -subj
+            "/C=US/ST=State/L=City/O=Organization/OU=Unit/CN=example.com"
+    WORKING_DIRECTORY ${CMAKE_CURRENT_LIST_DIR}/client
+    OUTPUT_QUIET)
+
+  # Make CA sign client's csr
+  execute_process(
+    COMMAND ${OPENSSL_EXECUTABLE} x509 -req -in client.csr -CA ../ca/cert.pem
+            -CAkey ../ca/sk.pem -CAcreateserial -out cert.pem -days 365 -sha256
+    WORKING_DIRECTORY ${CMAKE_CURRENT_LIST_DIR}/client
+    OUTPUT_QUIET)
+
+  message(
+    STATUS
+      "Generated test certificates generated at: ${CMAKE_CURRENT_LIST_DIR}/cert"
+  )
+else()
+  message(
+    WARNING "Openssl executable not found. Test certificates not generated.")
+endif()
diff --git a/virtrust/test/ca/.keep b/virtrust/test/ca/.keep
new file mode 100644
index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
diff --git a/virtrust/test/client/.keep b/virtrust/test/client/.keep
new file mode 100644
index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
diff --git a/virtrust/test/data/config.json b/virtrust/test/data/config.json
new file mode 100644
index 0000000000000000000000000000000000000000..6d14510298db756eebd8eff575d67af74d86d777
--- /dev/null
+++ b/virtrust/test/data/config.json
@@ -0,0 +1,9 @@
+{
+    "caPath": "ca-cert.pem",
+    "certPath": "server-cert.pem",
+    "skPath": "server-sk.pem",
+    "ip": "127.0.0.1",
+    "ipMask": "127.0.0.1/8",
+    "port": 10086,
+    "localPort": 10087
+}
\ No newline at end of file
diff --git a/virtrust/test/data/test.txt b/virtrust/test/data/test.txt
new file mode 100644
index 0000000000000000000000000000000000000000..68a4528a66e893157754557f235a5088de0fb74f
--- /dev/null
+++ b/virtrust/test/data/test.txt
@@ -0,0 +1 @@
+this is a test file
\ No newline at end of file
diff --git a/virtrust/test/data/test.xml b/virtrust/test/data/test.xml
new file mode 100644
index 0000000000000000000000000000000000000000..e902066a84589025432985ffccefa23b30c46010
--- /dev/null
+++ b/virtrust/test/data/test.xml
@@ -0,0 +1,84 @@
+<!--
+WARNING: THIS IS AN AUTO-GENERATED FILE. DO NOT EDIT IT DIRECTLY.
+OVERWRITTEN AND LOST. Changs to this xml configuration should be made using:
+  virsh edit open-euler-vm
+or other application using the libvirt API.
+-->
+<domain type='qemu'>
+  <name>open-euler-vm</name>
+  <uuid>496eef9e-003f-46b8-a81d-178753825fa7</uuid>
+  <memory unit='KiB'>4194304</memory>
+  <currentMemory unit='KiB'>4194304</currentMemory>
+  <vcpu placement='static'>4</vcpu>
+  <os>
+    <type arch='x86_64' machine='pc-i440fx-8.2'>hvm</type>
+    <boot dev='hd'/>
+  </os>
+  <features>
+    <acpi/>
+    <apic/>
+  </features>
+  <cpu mode='custom' match='exact' check='none'>
+    <model fallback='forbid'>qemu64</model>
+  </cpu>
+  <clock offset='utc'>
+    <timer name='rtc' tickpolicy='catchup'/>
+    <timer name='pit' tickpolicy='delay'/>
+    <timer name='hpet' present='no'/>
+  </clock>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>destroy</on_crash>
+  <pm>
+    <suspend-to-mem enabled='no'/>
+    <suspend-to-disk enabled='no'/>
+  </pm>
+  <devices>
+    <emulator>/usr/libexec/qemu-kvm</emulator>
+    <disk type='file' device='disk'>
+      <driver name='qemu' type='qcow2'/>
+      <source file='/data/images/openEuler-24.03-LTS-SP1-x86_64.qcow2'/>
+      <target dev='hda' bus='ide'/>
+      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
+    </disk>
+    <controller type='usb' index='0' model='ich9-ehci1'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x7'/>
+    </controller>
+    <controller type='usb' index='0' model='ich9-uhci1'>
+      <master startport='0'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0' multifunction='on'/>
+    </controller>
+    <controller type='usb' index='0' model='ich9-uhci2'>
+      <master startport='2'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x1'/>
+    </controller>
+    <controller type='usb' index='0' model='ich9-uhci3'>
+      <master startport='4'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x2'/>
+    </controller>
+    <controller type='pci' index='0' model='pci-root'/>
+    <controller type='ide' index='0'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
+    </controller>
+    <interface type='network'>
+      <mac address='52:54:00:cd:6c:d2'/>
+      <source network='default'/>
+      <model type='e1000'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
+    </interface>
+    <serial type='pty'>
+      <target type='isa-serial' port='0'>
+        <model name='isa-serial'/>
+      </target>
+    </serial>
+    <console type='pty'>
+      <target type='serial' port='0'/>
+    </console>
+    <input type='mouse' bus='ps2'/>
+    <input type='keyboard' bus='ps2'/>
+    <audio id='1' type='none'/>
+    <memballoon model='virtio'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
+    </memballoon>
+  </devices>
+</domain>
\ No newline at end of file
diff --git a/virtrust/test/server/.keep b/virtrust/test/server/.keep
new file mode 100644
index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391