diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000000000000000000000000000000000000..92a36816d57be80297d688498a8a50f28a10eb2c
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,23 @@
+# Test data
+*.pem
+*.srl
+*.csr
+*.cert
+
+# Build file
+virtrust/build/*
+
+.vscode
+
+*.claude
+
+transcript.txt
+
+.cache
+
+*.pb.cc
+*.pb.h
+
+# ides
+
+.idea
\ No newline at end of file
diff --git a/.workflow/virtrust.yml b/.workflow/virtrust.yml
new file mode 100644
index 0000000000000000000000000000000000000000..8c3a8a22ba07be7b1269cb89bfed99a8bdca661b
--- /dev/null
+++ b/.workflow/virtrust.yml
@@ -0,0 +1,33 @@
+version: '1.0'
+name: pipeline-20251111
+displayName: pipeline-20251111
+triggers:
+  trigger: auto
+  push:
+    branches:
+      prefix:
+        - ''
+stages:
+  - name: stage-9b022c7d
+    displayName: virtrust
+    strategy: naturally
+    trigger: auto
+    executor: []
+    steps:
+      - step: build@gcc
+        name: build_gcc
+        displayName: GCC 构建
+        gccVersion: '9.4'
+        commands:
+          - '# 新建build目录，切换到build目录'
+          - 'mkdir build && cd build '
+          - '# 生成Unix平台的makefiles文件并执行构建'
+          - cmake -G 'Unix Makefiles' ../ && make -j
+        artifacts:
+          - name: BUILD_ARTIFACT
+            path:
+              - ./bin
+        caches: []
+        notify: []
+        strategy:
+          retry: '0'
diff --git a/virtrust/.clang-format b/virtrust/.clang-format
new file mode 100644
index 0000000000000000000000000000000000000000..fe3bd44ae7cb48736e0f0c4060be7998f349723c
--- /dev/null
+++ b/virtrust/.clang-format
@@ -0,0 +1,112 @@
+Language:        Cpp
+BasedOnStyle:  Google
+AccessModifierOffset: -4
+AlignAfterOpenBracket: Align
+AlignConsecutiveAssignments: false
+AlignConsecutiveDeclarations: false
+AlignOperands:   true
+AlignTrailingComments: true
+AllowAllParametersOfDeclarationOnNextLine: false
+AllowShortBlocksOnASingleLine: false
+AllowShortCaseLabelsOnASingleLine: false
+AllowShortFunctionsOnASingleLine: None
+AllowShortIfStatementsOnASingleLine: false
+AllowShortLoopsOnASingleLine: false
+AlwaysBreakAfterDefinitionReturnType: None
+AlwaysBreakAfterReturnType: None
+AlwaysBreakBeforeMultilineStrings: false
+AlwaysBreakTemplateDeclarations: false
+# AllowShortEnumsOnASingleLine: false
+BinPackArguments: true
+BinPackParameters: true
+BraceWrapping:
+  AfterClass:      false
+  AfterControlStatement: false
+  AfterEnum:       false
+  AfterFunction:   true
+  AfterNamespace:  false
+  AfterObjCDeclaration: false
+  AfterStruct:     false
+  AfterUnion:      false
+  AfterExternBlock: false
+  BeforeCatch:     false
+  BeforeElse:      false
+  IndentBraces:    false
+  SplitEmptyFunction: false
+  SplitEmptyRecord: false
+  SplitEmptyNamespace: false
+BreakBeforeBinaryOperators: None
+BreakBeforeBraces: Custom
+BreakBeforeInheritanceComma: false
+BreakBeforeTernaryOperators: true
+BreakConstructorInitializersBeforeComma: false
+BreakConstructorInitializers: BeforeColon
+BreakAfterJavaFieldAnnotations: false
+BreakStringLiterals: true
+ColumnLimit:     120
+CommentPragmas:  '^ IWYU pragma:'
+CompactNamespaces: false
+ConstructorInitializerAllOnOneLineOrOnePerLine: true
+ConstructorInitializerIndentWidth: 4
+ContinuationIndentWidth: 4
+Cpp11BracedListStyle: true
+DerivePointerAlignment: false
+DisableFormat:   false
+ExperimentalAutoDetectBinPacking: false
+FixNamespaceComments: true
+ForEachMacros:
+  - foreach
+  - Q_FOREACH
+  - BOOST_FOREACH
+IncludeBlocks:   Regroup
+IncludeCategories:
+  - Regex:           '^<.*\.h>'
+    Priority:        1
+  - Regex:           '^<.*'
+    Priority:        2
+  - Regex:           '.*\.pb\.h"$'
+    Priority:        5
+  - Regex:           '^"virtrust.*'
+    Priority:        4
+  - Regex:           '^".*'
+    Priority:        3
+IncludeIsMainRegex: '(Test)?$'
+IndentCaseLabels: true
+IndentPPDirectives: None
+IndentWidth:     4
+IndentWrappedFunctionNames: false
+JavaScriptQuotes: Leave
+JavaScriptWrapImports: true
+KeepEmptyLinesAtTheStartOfBlocks: true
+MacroBlockBegin: ''
+MacroBlockEnd:   ''
+MaxEmptyLinesToKeep: 1
+NamespaceIndentation: None
+ObjCBlockIndentWidth: 4
+ObjCSpaceAfterProperty: false
+ObjCSpaceBeforeProtocolList: true
+PenaltyBreakAssignment: 2
+PenaltyBreakBeforeFirstCallParameter: 19
+PenaltyBreakComment: 300
+PenaltyBreakFirstLessLess: 80
+PenaltyBreakString: 1000
+PenaltyExcessCharacter: 1000000
+PenaltyReturnTypeOnItsOwnLine: 80
+PointerAlignment: Right
+ReflowComments:  true
+SortIncludes:    true
+SortUsingDeclarations: true
+SpaceAfterCStyleCast: false
+SpaceAfterTemplateKeyword: true
+SpaceBeforeAssignmentOperators: true
+SpaceBeforeParens: ControlStatements
+SpaceInEmptyParentheses: false
+SpacesBeforeTrailingComments: 1
+SpacesInAngles:  false
+SpacesInContainerLiterals: false
+SpacesInCStyleCastParentheses: false
+SpacesInParentheses: false
+SpacesInSquareBrackets: false
+Standard:        Cpp11
+TabWidth:        4
+UseTab:          Never
\ No newline at end of file
diff --git a/virtrust/.projectile b/virtrust/.projectile
new file mode 100644
index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
diff --git a/virtrust/CLAUDE.md b/virtrust/CLAUDE.md
new file mode 100644
index 0000000000000000000000000000000000000000..524f3789ac31214768f939b7e713904f7f1e9792
--- /dev/null
+++ b/virtrust/CLAUDE.md
@@ -0,0 +1,148 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Project Overview
+
+This is the **virtrust** project - a TSB (Trusted Security Boot) Agent for virtualized Trusted Computing Module (vTPCM) support on openEuler 24.03 LTS SP3. The project provides trusted computing virtualization capabilities with focus on virtual machine domain management and trust measurement.
+
+## Build System
+
+This project uses CMake with a custom dependency management system.
+
+### Build Commands
+
+```bash
+# Configure build (Release build by default)
+mkdir build && cd build
+cmake ..
+
+# Configure with specific build type
+cmake -DCMAKE_BUILD_TYPE=Debug ..
+cmake -DCMAKE_BUILD_TYPE=Coverage ..
+cmake -DCMAKE_BUILD_TYPE=Asan ..
+
+# Configure options
+cmake -DBUILD_TEST=On ..          # Enable tests (default: On)
+cmake -DUSE_MOCK_TSB_AGENT=On .. # Use mock TSB agent (default: On, DO NOT USE IN PRODUCTION)
+
+# Build
+cmake --build .
+
+# Run all tests
+ctest --output-on-failure
+
+# Run single test (after build)
+./build/bin/custom_logger_test
+
+# Format code
+./format-all.sh
+
+# Generate coverage report (when built with Coverage type)
+make coverage
+
+# Build script alternative
+./build.sh                    # Build with Release configuration
+./build.sh cicd_default      # Same as above
+```
+
+### Key Build Targets
+
+- `virtrust-shared` - Main shared library
+- `virtrust-obj` - Object library containing all components
+- `mock-tsb-agent` - Mock TSB agent implementation for testing
+
+## Project Structure
+
+### Core Components
+
+- **src/virtrust/** - Main library implementation
+  - `api/` - Public API including domain management (`domain.cpp`, `context.cpp`)
+  - `base/` - Core utilities (logging, exceptions, string utils)
+  - `crypto/` - Cryptographic implementations (SM3 hash)
+  - `dllib/` - Dynamic library loading
+  - `link/` - Linking functionality
+  - `utils/` - Additional utilities
+
+- **src/mock/** - Mock TSB agent implementation
+  - `tsb_agent_itf.h` - TSB agent interface definitions
+  - `tsb_agent_impl.cpp` - Mock implementation
+  - `tsb_agent_adaptor.cpp` - Adaptation layer
+
+- **src/virtrust-sh/** - Shell interface components
+- **src/libvirtrustd/** - Daemon library components
+
+### Testing Infrastructure
+
+Tests are co-located with source files (e.g., `domain_test.cpp` alongside `domain.cpp`). The project uses custom CMake macros for test creation:
+
+- `add_virtrust_test_if()` - For standard library tests
+- `add_virtrust_sh_test_if()` - For shell interface tests
+- `add_libvirtrustd_test_if()` - For daemon library tests
+
+### Dependencies
+
+Dependencies are managed through the CMake deps system in `cmake/deps/`:
+- OpenSSL (crypto)
+- libboundscheck (security)
+- spdlog (logging)
+- gtest (testing)
+- rapidjson (JSON parsing)
+
+Dependencies are automatically downloaded and built as part of the CMake configuration process.
+
+## Key APIs and Concepts
+
+### Domain Management
+The project provides virtual domain lifecycle management through the API in `src/virtrust/api/`:
+- Domain creation, start, stop, destroy operations
+- Domain listing with filtering (active/inactive)
+- Trust measurement and verification for VMs
+
+### TSB Agent Interface
+The TSB agent interface (`src/mock/tsb_agent_itf.h`) defines:
+- Virtual TPM (vTPCM) management functions
+- Trust measurement and reporting
+- Migration support for trusted VMs
+- Security policy management
+
+### Security Architecture
+- SM3 cryptographic hash implementation
+- Trust chain validation (BIOS → bootloader → kernel → TSB)
+- Memory safety through bounds checking
+- Secure logging and exception handling
+
+## Development Notes
+
+- **Mock vs Production**: Default build uses `USE_MOCK_TSB_AGENT=On` for development. Production builds must set this to Off.
+- **Memory Management**: TSB agent interface uses malloc/free - remember to free allocated memory.
+- **Error Handling**: Comprehensive error codes defined in `tsb_agent_itf.h` and `api/defines.h`.
+- **Logging**: Custom logging adaptation in `base/` with spdlog backend.
+- **Standards**: C17 and C++17 standards are enforced.
+
+## Testing
+
+Tests use gtest framework and can be run with `ctest`. The build automatically sets up proper library paths for test execution using environment variables.
+
+### Test Structure
+- Tests are co-located with source files (e.g., `domain_test.cpp` alongside `domain.cpp`)
+- Individual test executables are built in `build/bin/` directory
+- Test certificates are auto-generated during build using OpenSSL
+
+### Running Tests
+```bash
+# Run all tests
+ctest --output-on-failure
+
+# Run specific test
+./build/bin/custom_logger_test
+./build/bin/domain_test
+```
+
+Coverage reporting is available with `cmake -DCMAKE_BUILD_TYPE=Coverage` and `make coverage`.
+
+## Code Formatting
+
+The project includes automated code formatting:
+- `./format-all.sh` - Formats C++ and CMake files using clang-format and cmake-format
+- `.clang-format` configuration defines code style rules
diff --git a/virtrust/CMakeLists.txt b/virtrust/CMakeLists.txt
new file mode 100644
index 0000000000000000000000000000000000000000..162e9c1b8b45256553d7d66be031fb55cabd5db6
--- /dev/null
+++ b/virtrust/CMakeLists.txt
@@ -0,0 +1,192 @@
+cmake_minimum_required(VERSION 3.22)
+project(virtrust CXX C)
+
+option(BUILD_TEST "Enable/Disable tests" On)
+option(USE_MOCK_TSB_AGENT "Use Mocked Tsb Agent (DO NOT USE IN PRODUCTION)" On)
+
+set(USER_DEPS_DIR
+    "${PROJECT_SOURCE_DIR}/external"
+    CACHE
+      STRING
+      "Pre-Build Dependency Directory, default to ${PROJECT_SOURCE_DIR}/external"
+)
+
+if(NOT BUILD_TEST AND CMAKE_BUILD_TYPE STREQUAL "Asan")
+  message(
+    WARNING
+      "CMAKE_BUILD_TYPE is Asan but BUILD_TEST has been set to Off, turn on BUILD_TEST automatically."
+  )
+  set(BUILD_TEST On)
+endif()
+
+if(NOT BUILD_TEST AND CMAKE_BUILD_TYPE STREQUAL "Coverage")
+  message(
+    WARNING
+      "CMAKE_BUILD_TYPE is Coverage but BUILD_TEST has been set to Off, turn on BUILD_TEST automatically."
+  )
+  set(BUILD_TEST On)
+endif()
+
+if(NOT BUILD_TEST AND CMAKE_BUILD_TYPE STREQUAL "Fuzz")
+  message(
+    WARNING
+      "CMAKE_BUILD_TYPE is Fuzz but BUILD_TEST has been set to Off, turn on BUILD_TEST automatically."
+  )
+  set(BUILD_TEST On)
+  message(FATAL "Fuzz is not currently supported!")
+endif()
+
+if(NOT CMAKE_BUILD_TYPE AND NOT CMAKE_CONFIGURATION_TYPES)
+  set(CMAKE_BUILD_TYPE
+      "Release"
+      CACHE
+        STRING
+        "Choose the type of build, e.g. Debug, Release, Coverage, Asan, Fuzz"
+        FORCE)
+  message(
+    WARNING
+      "CMAKE_BUILD_TYPE not specified, defaulting to '${CMAKE_BUILD_TYPE}'")
+endif()
+
+if(USE_MOCK_TSB_AGENT)
+  add_compile_definitions(USE_MOCK_TSB_AGENT)
+  if(CMAKE_BUILD_TYPE STREQUAL "Release")
+    message(
+      WARNING
+        "USE_MOCK_TSB_AGENT has been set to On while building with Release, please make sure this is intentional."
+    )
+  endif()
+endif()
+
+if(CMAKE_INSTALL_PREFIX_INITIALIZED_TO_DEFAULT)
+  set_property(CACHE CMAKE_INSTALL_PREFIX PROPERTY VALUE ${PROJECT_BINARY_DIR})
+  message(
+    WARNING
+      "CMAKE_INSTALL_PREFIX not specified, defaulting to '${PROJECT_BINARY_DIR}'"
+  )
+endif()
+
+cmake_policy(GET CMP0097 NEW)
+
+set(CMAKE_MODULE_PATH "${PROJECT_SOURCE_DIR}/cmake/")
+set(CMAKE_EXPORT_COMPILE_COMMANDS On)
+
+include(GNUInstallDirs)
+
+set(CMAKE_DEPS_PREFIX ${CMAKE_BINARY_DIR}/deps)
+set(CMAKE_DEPS_SRCDIR ${CMAKE_DEPS_PREFIX}/src)
+set(CMAKE_DEPS_LIBDIR ${CMAKE_DEPS_PREFIX}/${CMAKE_INSTALL_LIBDIR})
+set(CMAKE_DEPS_BINDIR ${CMAKE_DEPS_PREFIX}/${CMAKE_INSTALL_LIBDIR})
+set(CMAKE_DEPS_INCLUDEDIR ${CMAKE_DEPS_PREFIX}/${CMAKE_INSTALL_INCLUDEDIR})
+
+# Explicitly create build/deps directory
+file(MAKE_DIRECTORY ${CMAKE_DEPS_SRCDIR})
+file(MAKE_DIRECTORY ${CMAKE_DEPS_LIBDIR})
+file(MAKE_DIRECTORY ${CMAKE_DEPS_BINDIR})
+file(MAKE_DIRECTORY ${CMAKE_DEPS_INCLUDEDIR})
+
+set(CMAKE_C_STANDARD 17)
+set(CMAKE_CXX_STANDARD 17)
+
+set(CMAKE_POSITION_INDEPENDENT_CODE On)
+
+set(CMAKE_CXX_FLAGS_RELEASE "")
+set(CMAKE_CXX_FLAGS_DEBUG "")
+
+include(SetToolchainFlags)
+set_toolchain_flags()
+
+# HACK compiler flags, try remove this in the future
+add_compiler_flags(-Wno-missing-field-initializers) # for dllib guestfs
+add_compiler_flags(-Wno-unused-parameter) # for tsb interface
+add_compiler_flags(-Wno-deprecated-declarations) # rapidjson headers
+add_compiler_flags(-Wno-error=pragmas) # rapidjson headers
+add_compiler_flags(-Wno-class-memaccess) # rapidjson headers
+add_compiler_flags(-Wno-implicit-fallthrough) # rapidjson headers
+add_compiler_flags(-Wno-template-body) # rapidjson headers
+
+get_property(
+  virtrust_link_options
+  DIRECTORY
+  PROPERTY LINK_OPTIONS)
+
+message(STATUS "=============================================================")
+message(STATUS "User Options and Configurations")
+message(STATUS "=============================================================")
+message(STATUS "CMake Version    :${CMAKE_VERSION}")
+message(STATUS "Build Type    :${CMAKE_BUILD_TYPE}")
+message(STATUS "CPU Type    :${CMAKE_SYSTEM_PROCESSOR}")
+message(STATUS "Compiler   :${CMAKE_CXX_COMPILER_ID}")
+message(STATUS "Compiler Version  :${CMAKE_CXX_COMPILER_VERSION}")
+message(STATUS "C Standard  :${CMAKE_C_STANDARD}")
+message(STATUS "C++ Standard  :${CMAKE_CXX_STANDARD}")
+message(STATUS "Compiler Flags  :\n${CMAKE_CXX_FLAGS}")
+message(STATUS "Linker Flags  :\n${virtrust_link_options}")
+message(STATUS "Exe Linker Flags  :\n${CMAKE_EXE_LINKER_FLAGS}")
+message(STATUS "CMAKE_INSTALL_PREFIX  :${CMAKE_INSTALL_PREFIX}")
+message(STATUS "CMAKE_DEPS_SRCDIR  :${CMAKE_DEPS_SRCDIR}")
+message(STATUS "(opt) BUILD_TEST  :${BUILD_TEST}")
+message(STATUS "(opt) USE_MOCK_TSB_AGENT  :${USE_MOCK_TSB_AGENT}")
+
+include(FetchContent)
+include(ExternalProject)
+
+set(FETCHCONTENT_BASE_DIR ${CMAKE_DEPS_PREFIX}/src)
+
+include(ImportLibs)
+include(deps/openssl)
+include(deps/libboundscheck)
+include(deps/spdlog)
+include(deps/gtest)
+include(deps/rapidjson)
+
+set(CMAKE_ARCHIVE_OUTPUT_DIRECTORY
+    ${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_LIBDIR})
+set(CMAKE_LIBRARY_OUTPUT_DIRECTORY
+    ${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_LIBDIR})
+set(CMAKE_INCLUDE_OUTPUT_DIRECTORY
+    ${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_INCLUDEDIRDIR})
+set(CMAKE_RUNTIME_OUTPUT_DIRECTORY
+    ${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_BINDIR})
+
+include(AddVirtrustTestIf)
+
+if(BUILD_TEST)
+  include(CTest)
+  enable_testing()
+  list(APPEND CMAKE_CTEST_ARGUMENTS "--output-on-failure")
+endif()
+
+add_subdirectory(src)
+
+if(BUILD_TEST)
+  add_subdirectory(test)
+endif()
+
+if(CMAKE_BUILD_TYPE STREQUAL "Coverage")
+  find_program(LCOV_PATH lcov)
+  find_program(GENHTML_PATH genhtml)
+  if(LCOV_PATH AND GENHTML_PATH)
+    add_custom_target(
+      coverage
+      COMMAND
+        ${LCOV_PATH} --capture --directory . --exclude "build/*" --exclude
+        "external/*" --exclude "/usr/*" --output-file coverage.info
+        --ignore-errors mismatch,inconsistent,unused
+      COMMAND ${GENHTML_PATH} coverage.info --output-directory
+              ${CMAKE_BINARY_DIR}/coverage_report --ignore-errors inconsistent
+      WORKING_DIRECTORY ${CMAKE_BINARY_DIR}
+      COMMENT "Generating code coverage report..."
+      VERBATIM)
+  else()
+    add_custom_target(
+      coverage
+      COMMAND ${CMAKE_COMMAND} -E echo
+              "lcov and/or genhtml not found. Generating gcov files instead."
+      COMMAND ${CMAKE_COMMAND} -E make_directory ${CMAKE_BINARY_DIR}/gcov_report
+      COMMAND find src -name "*.gcda" -exec gcov -pb {} +
+      WORKING_DIRECTORY ${CMAKE_BINARY_DIR}
+      COMMENT "Generating gcov coverage report..."
+      VERBATIM)
+  endif()
+endif()
diff --git a/virtrust/README.md b/virtrust/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..6d2b216608215cadbc8d6df75a8e903717a9fe25
--- /dev/null
+++ b/virtrust/README.md
@@ -0,0 +1,332 @@
+# TSB-agent/virtrust
+
+A Trusted Security Boot (TSB) Agent that provides virtualized Trusted Computing Module (vTPCM) support for openEuler 24.03 LTS SP3. This project enables trusted computing virtualization capabilities with a focus on virtual machine domain management and trust measurement.
+
+## Project Overview
+
+TSB-agent/virtrust is a sophisticated trusted computing solution for virtualized environments that implements:
+
+- **Virtualized Trusted Computing Module (vTPCM)** management
+- **Trust Chain Validation** for complete boot chain measurement and verification
+- **Secure VM Migration** with encrypted certificate verification
+- **Security Policy Management** for configurable security controls
+- **Domain Management** for virtual machine lifecycle operations
+
+The project is particularly focused on Chinese cryptographic standards (SM3) and openEuler integration, providing a comprehensive security architecture for virtualized environments.
+
+## Architecture
+
+### Project Structure
+
+```
+TSB-agent/virtrust/
+├── cmake/                                    # 构建系统配置
+│   ├── AddVirtrustTestIf.cmake               # 测试配置脚本
+│   ├── ImportLibs.cmake                      # 库导入配置
+│   └── SetToolchainFlags.cmake               # 工具链配置
+├── docs/                                     # 项目文档
+│   ├── 001-introduction.md                   # 项目介绍
+│   ├── 002-virtrust-api.md                   # API文档
+│   ├── 003-virtrust-sh.md                    # Shell接口文档
+│   └── 004-virtrustd.md                      # 守护进程文档
+├── src/                                      # 源代码目录
+│   ├── libvirtrustd/                         # 守护进程库
+│   │   ├── defines.h                         # 定义文件
+│   │   ├── main.cpp                          # 主程序
+│   │   ├── utils.cpp/.h                      # 工具函数
+│   │   └── CMakeLists.txt                    # 构建配置
+│   ├── tsb_agent/                            # TSB代理模块
+│   │   ├── mock/                             # 模拟实现
+│   │   │   ├── tsb_agent_adaptor.cpp         # 适配器实现
+│   │   │   ├── tsb_agent_impl.cpp/.h         # 代理实现
+│   │   │   ├── tsb_agent_impl_test.cpp       # 单元测试
+│   │   │   ├── tsb_agent_test.cpp            # 代理测试
+│   │   │   └── v_root.h                      # 虚拟根定义
+│   │   ├── tsb_agent.h                       # 代理头文件
+│   │   └── CMakeLists.txt                    # 构建配置
+│   ├── virtrust/                             # 核心库实现
+│   │   ├── api/                              # 公共API接口
+│   │   │   ├── context.cpp/.h                # API上下文管理
+│   │   │   ├── define_private.h              # 私有定义
+│   │   │   ├── defines.h                     # 公共定义
+│   │   │   ├── domain.cpp/.h                 # 虚拟机域生命周期操作
+│   │   │   ├── domain_test.cpp               # 域操作测试
+│   │   │   ├── file_lock.h                   # 文件锁实现
+│   │   │   └── CMakeLists.txt                # 构建配置
+│   │   ├── base/                             # 核心工具库
+│   │   │   ├── custom_logger.cpp/.h          # 高性能日志系统
+│   │   │   ├── custom_logger_test.cpp        # 日志测试
+│   │   │   ├── exception.cpp/.h              # 异常处理框架
+│   │   │   ├── exception_test.cpp            # 异常测试
+│   │   │   ├── log_adapt.cpp/.h              # 日志适配层
+│   │   │   ├── log_adapt_test.cpp            # 日志适配测试
+│   │   │   ├── logger.h                      # 日志器定义
+│   │   │   ├── str_utils.cpp/.h              # 字符串工具
+│   │   │   ├── str_utils_test.cpp            # 字符串工具测试
+│   │   │   └── CMakeLists.txt                # 构建配置
+│   │   ├── crypto/                           # 加密算法实现
+│   │   │   ├── sm3.cpp/.h                    # 国密SM3算法
+│   │   │   ├── sm3_test.cpp                  # SM3算法测试
+│   │   │   └── CMakeLists.txt                # 构建配置
+│   │   ├── dllib/                            # 动态库加载抽象
+│   │   │   ├── common.h                      # 公共定义
+│   │   │   ├── libguestfs_defines.h          # libguestfs定义
+│   │   │   ├── libguestfs.h                  # libguestfs接口
+│   │   │   ├── libguestfs_test.cpp           # libguestfs测试
+│   │   │   ├── libvirt_defines.h             # libvirt定义
+│   │   │   ├── libvirt.h                     # libvirt接口
+│   │   │   ├── libvirt_test.cpp              # libvirt测试
+│   │   │   ├── libxml2_defines.h             # libxml2定义
+│   │   │   ├── libxml2.h                     # libxml2接口
+│   │   │   ├── libxml2_test.cpp              # libxml2测试
+│   │   │   ├── openssl_defines.h             # OpenSSL定义
+│   │   │   ├── openssl.h                     # OpenSSL接口
+│   │   │   ├── openssl_test.cpp              # OpenSSL测试
+│   │   │   ├── dllib_test.cpp                # 动态库测试
+│   │   │   └── CMakeLists.txt                # 构建配置
+│   │   ├── link/                             # 链接功能模块
+│   │   │   ├── proto/                        # 协议定义
+│   │   │   │   ├── migrate.grpc.pb.cc/.h     # gRPC迁移协议
+│   │   │   │   ├── migrate.pb.cc/.h          # 迁移协议
+│   │   │   │   ├── migrate.proto             # 协议定义文件
+│   │   │   │   └── proto_tools.h             # 协议工具
+│   │   │   ├── grpc_client.cpp/.h            # gRPC客户端
+│   │   │   ├── grpc_client_test.cpp          # gRPC客户端测试
+│   │   │   ├── grpc_server.cpp/.h            # gRPC服务器
+│   │   │   ├── grpc_server_test.cpp          # gRPC服务器测试
+│   │   │   ├── link_config_builder.h         # 链接配置构建器
+│   │   │   ├── link_test.cpp                 # 链接测试
+│   │   │   ├── migration_service_impl.cpp/.h # 迁移服务实现
+│   │   │   ├── migration_service_impl_test.cpp # 迁移服务测试
+│   │   │   ├── migration_session.cpp/.h      # 迁移会话管理
+│   │   │   ├── migration_session_test.cpp    # 迁移会话测试
+│   │   │   ├── proto_tools_test.cpp          # 协议工具测试
+│   │   │   ├── defines.h                     # 链接模块定义
+│   │   │   └── CMakeLists.txt                # 构建配置
+│   │   ├── utils/                            # 工具函数模块
+│   │   │   ├── async_timer.h                 # 异步定时器
+│   │   │   ├── async_timer_test.cpp          # 异步定时器测试
+│   │   │   ├── enum_check.h                  # 枚举检查工具
+│   │   │   ├── file_io.cpp/.h                # 文件I/O操作
+│   │   │   ├── file_io_test.cpp              # 文件I/O测试
+│   │   │   ├── foreign_mounter.cpp/.h        # 外部文件系统挂载
+│   │   │   ├── foreign_mounter_test.cpp      # 外部挂载测试
+│   │   │   ├── migrate_helper.cpp/.h         # 迁移辅助工具
+│   │   │   ├── migrate_helper_test.cpp       # 迁移辅助测试
+│   │   │   ├── smart_deleter.h               # 智能删除器
+│   │   │   ├── virt_xml_parser.cpp/.h        # 虚拟化XML解析器
+│   │   │   ├── virt_xml_parser_test.cpp      # XML解析器测试
+│   │   │   └── CMakeLists.txt                # 构建配置
+│   │   └── CMakeLists.txt                    # 主构建配置
+│   ├── virtrust-sh/                          # Shell接口
+│   │   ├── operator/                         # 命令操作符
+│   │   │   ├── op_create.cpp/.h              # 域创建操作
+│   │   │   ├── op_create_test.cpp            # 创建操作测试
+│   │   │   ├── op_destroy.cpp/.h             # 域销毁操作
+│   │   │   ├── op_destroy_test.cpp           # 销毁操作测试
+│   │   │   ├── op_itf.cpp/.h                 # 操作接口
+│   │   │   ├── op_list.cpp/.h                # 域列表操作
+│   │   │   ├── op_list_test.cpp              # 列表操作测试
+│   │   │   ├── op_migrate.cpp/.h             # 域迁移操作
+│   │   │   ├── op_migrate_test.cpp           # 迁移操作测试
+│   │   │   ├── op_start.cpp/.h               # 域启动操作
+│   │   │   ├── op_start_test.cpp             # 启动操作测试
+│   │   │   ├── op_undefine.cpp/.h            # 域取消定义操作
+│   │   │   ├── op_undefine_test.cpp          # 取消定义测试
+│   │   │   ├── op_utils.h                    # 操作工具函数
+│   │   │   └── CMakeLists.txt                # 构建配置
+│   │   ├── defines.h                         # Shell定义
+│   │   ├── main.cpp                          # 主程序入口
+│   │   └── CMakeLists.txt                    # 构建配置
+│   └── CMakeLists.txt                        # 主源码构建配置
+├── test/                                     # 测试基础设施
+│   ├── ca/                                   # 证书颁发机构
+│   │   ├── cert.pem                          # CA证书
+│   │   ├── cert.srl                          # 证书序列号
+│   │   └── sk.pem                            # CA私钥
+│   ├── client/                               # 客户端证书
+│   │   ├── cert.pem                          # 客户端证书
+│   │   ├── client.csr                        # 客户端证书签名请求
+│   │   └── sk.pem                            # 客户端私钥
+│   ├── data/                                 # 测试数据
+│   │   ├── config.json                       # 配置文件
+│   │   ├── grub.cfg                          # GRUB配置
+│   │   ├── test.txt                          # 测试文本
+│   │   └── test.xml                          # 测试XML
+│   ├── server/                               # 服务器证书
+│   │   ├── cert.pem                          # 服务器证书
+│   │   ├── server.csr                        # 服务器证书签名请求
+│   │   └── sk.pem                            # 服务器私钥
+│   └── CMakeLists.txt                        # 测试构建配置
+├── build.sh                                  # 构建脚本
+├── CLAUDE.md                                 # Claude AI助手文档
+├── CMakeLists.txt                            # 主构建配置
+├── format-all.sh                             # 代码格式化脚本
+├── README.md                                 # 项目说明文档
+└── transcript.txt                            # 项目记录文档
+```
+
+### Core Components
+
+## External Dependencies
+- **OpenSSL 3.3.2** - Cryptographic operations (built statically)
+- **libboundscheck** - Memory safety and bounds checking
+- **RapidJSON** - JSON parsing and generation
+- **libvirt** - Virtualization API integration
+- **libguestfs** - Guest filesystem access
+- **libxml2** - XML processing
+
+## Features
+
+### Domain Management API
+- **VM Lifecycle**: Create, start, stop, destroy, migrate, list virtual machine domains
+- **Trust Measurement**: Boot chain validation and measurement verification
+- **Security Policy**: Configurable security policies and controls
+- **Resource Management**: Memory, CPU, and storage resource allocation
+
+### vTPCM Management
+- **Virtual TPM**: Creation, startup, stop, and removal of virtual TPM instances
+- **Trust Reporting**: Generation and verification of trust reports
+- **Migration Support**: Secure migration of trusted VMs between hosts
+- **Policy Control**: Security policy enforcement and management
+
+### Command Line Interface
+- **virtrust-sh**: Interactive shell for domain management operations
+- **Operators**: Specialized commands for different operations
+- **Batch Processing**: Support for scriptable operations
+
+### Security Architecture
+- **Trust Chain Validation**: BIOS → bootloader → kernel → TSB validation
+- **Memory Safety**: Bounds checking and secure memory management
+- **Cryptographic Security**: SM3 hash algorithm implementation
+- **Secure Migration**: Encrypted VM migration with certificate verification
+
+## Building from Source
+
+### Prerequisites
+- **openEuler 24.03 LTS SP3** or compatible Linux distribution
+- **CMake 3.14.1+**
+- **GCC 8+** or **Clang 10+** with C++17 support
+- **Git**
+
+### Build Commands
+
+```bash
+# Clone the repository
+git clone https://gitee.com/jamie-cui/TSB-agent.git
+cd TSB-agent/virtrust
+
+# Configure build (Release mode with tests)
+cmake -B build -DCMAKE_BUILD_TYPE=Release -DENABLE_TESTING=ON
+
+# Build all components
+cmake --build build -- -j$(nproc)
+
+# Run tests
+cd build
+ctest --output-on-failure
+
+# Install (optional)
+sudo cmake --install build
+```
+
+### Build Options
+
+| Option | Description | Default |
+|--------|-------------|---------|
+| `CMAKE_BUILD_TYPE` | Build configuration (Debug/Release/RelWithDebInfo) | Release |
+| `ENABLE_TESTING` | Enable unit tests | ON |
+| `ENABLE_COVERAGE` | Enable code coverage reporting | OFF |
+
+### Memory Safety
+
+The project includes comprehensive bounds checking:
+
+```bash
+# Build with libboundscheck
+cmake -B build -DENABLE_BOUNDS_CHECK=ON
+cmake --build build
+
+# Run with bounds checking
+LD_LIBRARY_PATH=/path/to/libboundscheck ./build/bin/virtrust-sh
+```
+
+## Testing
+
+### Unit Tests
+```bash
+# Run all tests
+cd build
+ctest
+
+# Run specific test suite
+./bin/custom_logger_test
+./bin/domain_test
+./bin/sm3_test
+```
+
+### Coverage Report
+```bash
+# Enable coverage
+cmake -B build -DENABLE_COVERAGE=ON -DCMAKE_BUILD_TYPE=Debug
+cmake --build build
+ctest
+
+# Generate coverage report
+lcov --capture --directory build --output-file coverage.info
+genhtml coverage.info --output-directory coverage_report
+```
+
+### Code Formatting
+```bash
+# Format all source code
+./format-all.sh
+
+# Or use clang-format directly
+find src -name "*.cpp" -o -name "*.h" | xargs clang-format -i
+```
+
+## Security Considerations
+
+### Trust Chain Validation
+The system implements complete trust chain validation:
+1. **BIOS/UEFI** measurements
+2. **Bootloader** integrity verification
+3. **Kernel** module verification
+4. **TSB Agent** validation
+5. **Application** layer measurements
+
+### Memory Safety
+- Comprehensive bounds checking with libboundscheck
+- Secure memory allocation and deallocation
+- Protection against buffer overflows and memory corruption
+- Automatic memory leak detection in debug builds
+
+### Cryptographic Security
+- SM3 hash algorithm implementation for Chinese cryptographic standards
+- Certificate-based authentication for migration
+- Encrypted communication channels
+- Secure key storage and management
+
+## Contributing
+
+### Development Workflow
+1. Fork the repository
+2. Create a feature branch (`git checkout -b feature/amazing-feature`)
+3. Make your changes with proper tests
+4. Ensure code formatting (`./format-all.sh`)
+5. Run tests (`ctest --output-on-failure`)
+6. Submit a pull request
+
+### Code Style
+- Follow Google C++ Style Guide
+- Use clang-format for consistent formatting
+- Include comprehensive unit tests
+- Document public APIs with Doxygen
+- Use meaningful commit messages
+
+### Testing Requirements
+- All new features must include unit tests
+- Maintain code coverage above 80%
+- Test both positive and negative scenarios
+- Include integration tests for complex workflows
diff --git a/virtrust/build.sh b/virtrust/build.sh
new file mode 100755
index 0000000000000000000000000000000000000000..9c707e14ada85bc3a9077d0e9df0bd9eb622f56e
--- /dev/null
+++ b/virtrust/build.sh
@@ -0,0 +1,110 @@
+#!/bin/bash
+
+#
+# Copyright (c) Huawei Technologies Co., Ltd. 2021-2021. All rights reserved.
+#
+
+###
+### build.sh --- build project
+### Usage:
+###     build.sh <target> [-D] [-C] [-t <target>]
+### Options:
+###     <target>            Build target useby Make
+###     -h, --help          show this help message and exit
+###     -t || --target      Specifying build target, default is `all`
+###                         Support targets:
+###                             cicd_default: build default target
+
+
+# 函数内命令（后台命令） 失败时退出脚本
+#set -o errtrace
+# 脚本内命令(前台命令)失败时，立即退出脚本
+#set -o errexit
+
+build_target='cicd_default'
+build_type='Release'
+build_asan='Off'
+enable_test='On'
+
+# 获取项目根目录(目前为构建脚本所在目录)
+PROJECT_ROOT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+OUTPUT_DIR=${PROJECT_ROOT_DIR}/output
+
+echo "PROJECT_ROOT_DIR $PROJECT_ROOT_DIR"
+
+# 日志打印辅助函数
+function log_info() {
+    if [ $# -lt 1 ]; then
+        return
+    fi
+
+    echo "$(date +"%F %T") [INFO] $*"
+}
+
+function help() {
+    sed -rn 's/^### ?//;T;p;' "$0"
+}
+
+# 解析命令行参数
+function parse_args() {
+    while [[ $# -gt 0 ]]; do
+        case "$1" in
+        -h | --help)
+            help
+            exit
+            ;;
+        -t | --target)
+            if [[ $# -gt 1 && "$2" != "-"* ]]; then
+                build_target="$2"
+                shift 2
+            else 
+                log_info "Error: Argument required after -t||--target."
+                exit 1
+            fi
+            ;;
+        *)
+            [ "$1" != ""] && build_target="$1"
+            shift
+            ;;
+        esac
+    done
+}
+
+
+function build_output() {
+    log_info "***** start build cmake ${OUTPUT_DIR}*****"
+    mkdir -p build
+    pushd build
+    cmake .. -DCMAKE_BUILD_TYPE=${build_type} \
+        -DBUILD_TEST=${enable_test}\
+        -DUSE_MOCK_TSB_AGENT=On \
+        -DCMAKE_INSTALL_PREFIX=${OUTPUT_DIR}/virtrust \
+    make
+    make install
+    popd
+}
+
+function build_cmake() {
+    log_info "***** start build cmake *****"
+    log_info "building target ${build_target}"
+    if [[ "${build_target}" == "cicd_default" ]]; then
+        build_type='Release'
+        enable_test='Off'
+        build_output
+    fi
+
+    local ret=$?
+    if [[ $ret -ne 0 ]]; then
+        log_info "***** build cmake failed *****"
+        echo_failure
+        exit 1
+    fi
+}
+
+echo $(date +"%Y-%m-%d %H-%M"): "$0" "$@"
+START_TIME=$(date +%s.%N)
+
+cd ${PROJECT_ROOT_DIR}
+
+parse_args "$@"
+build_cmake
diff --git a/virtrust/cmake/AddVirtrustTestIf.cmake b/virtrust/cmake/AddVirtrustTestIf.cmake
new file mode 100644
index 0000000000000000000000000000000000000000..3ea6cc8ec2e56e3cd6035c5e55a262eda4c3f835
--- /dev/null
+++ b/virtrust/cmake/AddVirtrustTestIf.cmake
@@ -0,0 +1,81 @@
+# Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+
+macro(add_virtrust_test_if NAME)
+  if(BUILD_TEST)
+    add_executable(${NAME} ${NAME}.cpp)
+    target_link_libraries(${NAME} PRIVATE virtrust-shared Deps::gtest)
+    add_test(NAME ${NAME} COMMAND ${NAME})
+    target_include_directories(
+      ${NAME}
+      PRIVATE $<BUILD_INTERFACE:${PROJECT_SOURCE_DIR}/src>
+              ${CMAKE_BINARY_DIR}/src/virtrust # for protobuf
+              ${CMAKE_BINARY_DIR}/src # for protobuf
+              ${CMAKE_DEPS_INCLUDEDIR})
+    set_tests_properties(
+      ${NAME}
+      PROPERTIES
+        WORKING_DIRECTORY
+        ${CMAKE_BINARY_DIR}
+        ENVIRONMENT
+        "LD_LIBRARY_PATH=${CMAKE_LIBRARY_OUTPUT_DIRECTORY}:${CMAKE_DEPS_LIBDIR}:$ENV{LD_LIBRARY_PATH}"
+    )
+    # Set RPATH for the test executable
+    set_target_properties(
+      ${NAME}
+      PROPERTIES INSTALL_RPATH
+                 "${CMAKE_LIBRARY_OUTPUT_DIRECTORY};${CMAKE_DEPS_LIBDIR}"
+                 BUILD_WITH_INSTALL_RPATH TRUE)
+  endif()
+endmacro()
+
+macro(add_virtrust_sh_test_if NAME)
+  if(BUILD_TEST)
+    add_executable(${NAME} ${NAME}.cpp)
+    target_link_libraries(${NAME} PRIVATE virtrust-sh-obj virtrust-shared
+                                          Deps::gtest)
+    add_test(NAME ${NAME} COMMAND ${NAME})
+    target_include_directories(
+      ${NAME} PRIVATE $<BUILD_INTERFACE:${PROJECT_SOURCE_DIR}/src>
+                      ${CMAKE_DEPS_INCLUDEDIR})
+    set_tests_properties(
+      ${NAME}
+      PROPERTIES
+        WORKING_DIRECTORY
+        ${CMAKE_BINARY_DIR}
+        ENVIRONMENT
+        "LD_LIBRARY_PATH=${CMAKE_LIBRARY_OUTPUT_DIRECTORY}:${CMAKE_DEPS_LIBDIR}:$ENV{LD_LIBRARY_PATH}"
+    )
+    # Set RPATH for the test executable
+    set_target_properties(
+      ${NAME}
+      PROPERTIES INSTALL_RPATH
+                 "${CMAKE_LIBRARY_OUTPUT_DIRECTORY};${CMAKE_DEPS_LIBDIR}"
+                 BUILD_WITH_INSTALL_RPATH TRUE)
+  endif()
+endmacro()
+
+macro(add_libvirtrustd_test_if NAME)
+  if(BUILD_TEST)
+    add_executable(${NAME} ${NAME}.cpp)
+    target_link_libraries(${NAME} PRIVATE libvirtrustd-obj virtrust-shared
+                                          Deps::gtest)
+    add_test(NAME ${NAME} COMMAND ${NAME})
+    target_include_directories(
+      ${NAME} PRIVATE $<BUILD_INTERFACE:${PROJECT_SOURCE_DIR}/src>
+                      ${CMAKE_DEPS_INCLUDEDIR})
+    set_tests_properties(
+      ${NAME}
+      PROPERTIES
+        WORKING_DIRECTORY
+        ${CMAKE_BINARY_DIR}
+        ENVIRONMENT
+        "LD_LIBRARY_PATH=${CMAKE_LIBRARY_OUTPUT_DIRECTORY}:${CMAKE_DEPS_LIBDIR}:$ENV{LD_LIBRARY_PATH}"
+    )
+    # Set RPATH for the test executable
+    set_target_properties(
+      ${NAME}
+      PROPERTIES INSTALL_RPATH
+                 "${CMAKE_LIBRARY_OUTPUT_DIRECTORY};${CMAKE_DEPS_LIBDIR}"
+                 BUILD_WITH_INSTALL_RPATH TRUE)
+  endif()
+endmacro()
diff --git a/virtrust/cmake/ImportLibs.cmake b/virtrust/cmake/ImportLibs.cmake
new file mode 100644
index 0000000000000000000000000000000000000000..ffa6b695f6a7bf43104b5c46555f34804fde12fa
--- /dev/null
+++ b/virtrust/cmake/ImportLibs.cmake
@@ -0,0 +1,19 @@
+# Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+
+macro(import_static_lib_from LIBNAME LIB)
+  add_library(${LIBNAME} STATIC IMPORTED)
+  set_target_properties(
+    ${LIBNAME}
+    PROPERTIES IMPORTED_LOCATION
+               ${CMAKE_DEPS_LIBDIR}/${LIBNAME}${CMAKE_STATIC_LIBRARY_SUFFIX})
+  add_dependencies(${LIBNAME} ${LIB})
+endmacro()
+
+macro(import_shared_lib_from LIBNAME LIB)
+  add_library(${LIBNAME} SHARED IMPORTED)
+  set_target_properties(
+    ${LIBNAME}
+    PROPERTIES IMPORTED_LOCATION
+               ${CMAKE_DEPS_LIBDIR}/${LIBNAME}${CMAKE_SHARED_LIBRARY_SUFFIX})
+  add_dependencies(${LIBNAME} ${LIB})
+endmacro()
diff --git a/virtrust/cmake/SetToolchainFlags.cmake b/virtrust/cmake/SetToolchainFlags.cmake
new file mode 100644
index 0000000000000000000000000000000000000000..1c90b9557d96bfe1ebb7c7bcab7d3c36c049fe16
--- /dev/null
+++ b/virtrust/cmake/SetToolchainFlags.cmake
@@ -0,0 +1,150 @@
+# Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+
+include(CheckCXXCompilerFlag)
+include(CheckCompilerFlag)
+include(CheckLinkerFlag)
+
+# CXX Compiler Flags
+function(add_compiler_flags flag)
+  string(FIND "${CMAKE_CXX_FLAGS}" "${flag}" flag_already_set)
+  if(flag_already_set EQUAL -1)
+    message(STATUS "Adding CXX compiler flag: ${flag} ...")
+    check_cxx_compiler_flag("${flag}" flag_supported)
+    if(flag_supported)
+      set(CMAKE_CXX_FLAGS
+          "${CMAKE_CXX_FLAGS} ${flag}"
+          PARENT_SCOPE)
+    endif()
+    unset(flag_supported CACHE)
+  endif()
+endfunction()
+
+# C Compiler Flags
+function(add_c_compiler_flags flag)
+  string(FIND "${CMAKE_CXX_FLAGS}" "${flag}" flag_already_set)
+  if(flag_already_set EQUAL -1)
+    message(STATUS "Adding C compiler flag: ${flag} ...")
+    check_compiler_flag(C "${flag}" flag_supported)
+    if(flag_supported)
+      set(CMAKE_CXX_FLAGS
+          "${CMAKE_CXX_FLAGS} ${flag}"
+          PARENT_SCOPE)
+    endif()
+    unset(flag_supported CACHE)
+  endif()
+endfunction()
+
+# Linker Flags
+function(add_linker_flags flag)
+  get_property(
+    virtrust_link_options
+    DIRECTORY
+    PROPERTY LINK_OPTIONS)
+  string(FIND "${virtrust_link_options}" "${flag}" flag_already_set)
+  if(flag_already_set EQUAL -1)
+    message(STATUS "Adding linker flag: ${flag} ...")
+    check_linker_flag(CXX "${flag}" flag_supported)
+    if(flag_supported)
+      add_link_options(${flag})
+    endif()
+    unset(flag_supported CACHE)
+  endif()
+endfunction()
+
+# Setup Toolchain
+
+macro(set_toolchain_flags)
+
+  # do no add runtime path information
+  if(NOT BUILD_TEST)
+    set(CMAKE_SKIP_RPATH TRUE)
+    set(CMAKE_SKIP_BUILD_RPATH TRUE)
+  endif()
+
+  # all warnings are treated as errors
+  add_compiler_flags(-Wall)
+  add_compiler_flags(-Wextra)
+  add_compiler_flags(-Werror)
+
+  # compiler flags
+  add_compiler_flags(-pipe)
+  add_compiler_flags(-fno-common)
+  add_compiler_flags(-fstrong-eval-order)
+  add_compiler_flags(-fms-extensions)
+  add_compiler_flags(-fno-strict-aliasing)
+  add_compiler_flags(-freg-struct-return)
+
+  # REVIEW additional warnnings
+  add_compiler_flags(-Winvalid-pch)
+  add_compiler_flags(-Wunused)
+  add_compiler_flags(-Wunused-variable)
+  add_compiler_flags(-Wunused-value)
+  add_compiler_flags(-Wcast-align)
+  add_compiler_flags(-Wcast-equal)
+  add_compiler_flags(-Wwrite-strings)
+  add_compiler_flags(-Wdata-time)
+  add_compiler_flags(-Wstrict-prototypes)
+  add_compiler_flags(-Wdelete-non-virtual-dtor)
+  add_compiler_flags(-Wtrampolines)
+  add_compiler_flags(-Woverloaded-virtual)
+
+  # common linker flags (good-to-have)
+  add_linker_flags(-Wl, -Bsymbolic)
+  add_linker_flags(-rdynamic)
+  add_linker_flags(-Wl, --no-undefined)
+
+  #
+  if(CMAKE_BUILD_TYPE STREQUAL "Release")
+    add_compiler_flags(-fstrack-protector-strong)
+    add_compiler_flags(-fPIC)
+    add_compiler_flags(-fPIE)
+    add_compiler_flags(-D_FORTIRY_SOURCE=2)
+    add_compiler_flags(-O2)
+    add_compiler_flags(-ftrapv)
+
+    add_linker_flags(-pie)
+    add_linker_flags(-s)
+    add_linker_flags(-Wl,-z,relro,-z,now)
+    add_linker_flags(-Wl,-z,noexecstack)
+  elseif(CMAKE_BUILD_TYPE STREQUAL "Debug")
+    add_compiler_flags(-g)
+  elseif(CMAKE_BUILD_TYPE STREQUAL "Coverage")
+    add_compiler_flags(-g)
+
+    # HACK it's strange that check_cxx_compiler_flags() function fail to add
+    # --coverage flag, so we add this manually
+    set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} --coverage")
+    set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fprofile-arcs")
+    set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -ftest-coverage")
+
+    # NOTE the following liner flags only work on executables, which does not
+    # get included in general linker flags
+    set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} --coverage")
+    set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -lgcov")
+  elseif(CMAKE_BUILD_TYPE STREQUAL "Asan")
+    add_compiler_flags(-g)
+
+    # https://cmake.org/pipermail/cmake/2019-October/070180.html
+    set(_saved_CRT ${CMAKE_REQUIRED_LIBRARIES})
+    set(CMAKE_REQUIRED_LIBRARIES "-fsanitize=address;asan")
+
+    add_compiler_flags(-fsanitize=address)
+    add_compiler_flags(-fsanitize=leak)
+    add_compiler_flags(-fsanitize=undefined)
+    add_compiler_flags(-fsanitize=pointer-compare)
+    add_compiler_flags(-fsanitize=pointer-subtract)
+
+    add_linker_flags(-fno-pie)
+    add_linker_flags(-fsanitize=address)
+    add_linker_flags(-fsanitize=leak)
+    add_linker_flags(-fsanitize=undefined)
+    add_linker_flags(-fsanitize=pointer-compare)
+    add_linker_flags(-fsanitize=pointer-subtract)
+
+    set(CMAKE_REQUIRED_LIBRARIES ${_saved_CRT})
+  elseif(CMAKE_BUILD_TYPE STREQUAL "Fuzz")
+    # TODO
+    add_compiler_flags(-g)
+  endif()
+
+endmacro()
diff --git a/virtrust/cmake/deps/gtest.cmake b/virtrust/cmake/deps/gtest.cmake
new file mode 100644
index 0000000000000000000000000000000000000000..aa5f158eab2add1b8527dea87fb1e0addcb9f255
--- /dev/null
+++ b/virtrust/cmake/deps/gtest.cmake
@@ -0,0 +1,40 @@
+# Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+
+ExternalProject_Add(
+  googletest
+  URL https://github.com/google/googletest/archive/refs/tags/v1.15.2.tar.gz
+  URL_HASH
+    SHA256=7b42b4d6ed48810c5362c265a17faebe90dc2373c885e5216439d37927f02926
+  CMAKE_ARGS -DCMAKE_POSITION_INDEPENDENT_CODE=On #
+             -DCMAKE_CXX_STANDARD=17 #
+             -DCMAKE_C_STANDARD_REQUIRED=Yes #
+             -DCMAKE_INSTALL_PREFIX=${CMAKE_DEPS_PREFIX} #
+             -DBUILD_GMOCK=On #
+  PREFIX ${CMAKE_DEPS_PREFIX}
+  UPDATE_COMMAND ""
+  BUILD_BYPRODUCTS ${CMAKE_DEPS_LIBDIR}/libgtest${CMAKE_STATIC_LIBRARY_SUFFIX}
+  BUILD_BYPRODUCTS
+    ${CMAKE_DEPS_LIBDIR}/libgtest_main${CMAKE_STATIC_LIBRARY_SUFFIX}
+  BUILD_BYPRODUCTS ${CMAKE_DEPS_LIBDIR}/libgmock${CMAKE_STATIC_LIBRARY_SUFFIX}
+  BUILD_BYPRODUCTS
+    ${CMAKE_DEPS_LIBDIR}/libgmock_main${CMAKE_STATIC_LIBRARY_SUFFIX}
+  EXCLUDE_FROM_ALL true
+  DOWNLOAD_EXTRACT_TIMESTAMP On
+  LOG_DOWNLOAD On
+  LOG_CONFIGURE On
+  LOG_BUILD On
+  LOG_INSTALL On)
+
+import_static_lib_from(libgtest googletest)
+import_static_lib_from(libgtest_main googletest)
+import_static_lib_from(libgmock_main googletest)
+import_static_lib_from(libgmock googletest)
+
+target_link_libraries(libgtest_main INTERFACE libgtest)
+target_link_libraries(libgmock_main INTERFACE libgmock)
+
+# -----------------------------
+# Alias Target for External Use
+# -----------------------------
+add_library(Deps::gtest ALIAS libgtest_main)
+add_library(Deps::gmock ALIAS libgmock_main)
diff --git a/virtrust/cmake/deps/libboundscheck.cmake b/virtrust/cmake/deps/libboundscheck.cmake
new file mode 100644
index 0000000000000000000000000000000000000000..561775b7034faa4d2975764427e16f799ff88d32
--- /dev/null
+++ b/virtrust/cmake/deps/libboundscheck.cmake
@@ -0,0 +1,31 @@
+# Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+
+ExternalProject_Add(
+  libboundscheck-src
+  GIT_REPOSITORY https://github.com/openeuler-mirror/libboundscheck
+  GIT_TAG master
+  PREFIX ${CMAKE_DEPS_PREFIX}
+  CONFIGURE_COMMAND ""
+  BUILD_COMMAND ${CMAKE_MAKE_PROGRAM}
+  UPDATE_COMMAND ""
+  INSTALL_COMMAND cp include/securec.h ${CMAKE_DEPS_INCLUDEDIR}
+  COMMAND cp include/securectype.h ${CMAKE_DEPS_INCLUDEDIR}
+  COMMAND cp lib/libboundscheck${CMAKE_SHARED_LIBRARY_SUFFIX}
+          ${CMAKE_DEPS_LIBDIR}
+  BUILD_IN_SOURCE On
+  EXCLUDE_FROM_ALL true
+  LOG_DOWNLOAD On
+  LOG_CONFIGURE On
+  LOG_BUILD On
+  LOG_INSTALL On)
+
+add_library(libboundscheck-itf INTERFACE)
+target_link_directories(libboundscheck-itf INTERFACE ${CMAKE_DEPS_LIBDIR})
+target_link_libraries(libboundscheck-itf
+                      INTERFACE libboundscheck${CMAKE_SHARED_LIBRARY_SUFFIX})
+add_dependencies(libboundscheck-itf libboundscheck-src)
+
+# -----------------------------
+# Alias Target for External Use
+# -----------------------------
+add_library(Deps::secure_c ALIAS libboundscheck-itf)
diff --git a/virtrust/cmake/deps/openssl.cmake b/virtrust/cmake/deps/openssl.cmake
new file mode 100644
index 0000000000000000000000000000000000000000..83f15cb4be98ae0fc5bf98fcd9c1b5cd509680ac
--- /dev/null
+++ b/virtrust/cmake/deps/openssl.cmake
@@ -0,0 +1,34 @@
+# Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+
+ExternalProject_Add(
+  openssl
+  PREFIX ${CMAKE_DEPS_PREFIX}
+  URL https://github.com/openssl/openssl/archive/refs/tags/openssl-3.3.2.tar.gz
+  URL_HASH
+    SHA256=bedbb16955555f99b1a7b1ba90fc97879eb41025081be359ecd6a9fcbdf1c8d2
+  CONFIGURE_COMMAND
+    ./Configure no-legacy no-weak-ssl-ciphers no-tests no-shared no-ui-console
+    no-docs no-apps --banner=Finished --release --libdir=${CMAKE_INSTALL_LIBDIR}
+    --prefix=${CMAKE_DEPS_PREFIX} -w
+  BUILD_COMMAND make build_sw
+  UPDATE_COMMAND ""
+  INSTALL_COMMAND make install_sw
+  BUILD_IN_SOURCE On
+  DOWNLOAD_EXTRACT_TIMESTAMP On
+  BUILD_BYPRODUCTS ${CMAKE_DEPS_LIBDIR}/libcrypto${CMAKE_STATIC_LIBRARY_SUFFIX}
+  BUILD_BYPRODUCTS ${CMAKE_DEPS_LIBDIR}/libssl${CMAKE_STATIC_LIBRARY_SUFFIX}
+  EXCLUDE_FROM_ALL true
+  LOG_DOWNLOAD On
+  LOG_CONFIGURE On
+  LOG_BUILD On
+  LOG_INSTALL On)
+
+import_static_lib_from(libcrypto openssl)
+import_static_lib_from(libssl openssl)
+
+target_link_libraries(libssl INTERFACE libcrypto)
+
+# -----------------------------
+# Alias Target for External Use
+# -----------------------------
+add_library(Deps::openssl ALIAS libssl)
diff --git a/virtrust/cmake/deps/rapidjson.cmake b/virtrust/cmake/deps/rapidjson.cmake
new file mode 100644
index 0000000000000000000000000000000000000000..9a4afb2cd59e345706fc856307e7bff27c0dd5a3
--- /dev/null
+++ b/virtrust/cmake/deps/rapidjson.cmake
@@ -0,0 +1,33 @@
+# Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+
+# HACK compiler flags
+set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wno-error=pragmas")
+set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wno-class-memaccess")
+set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wno-implicit-fallthrough")
+set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wno-template-body")
+
+ExternalProject_Add(
+  rapidjson
+  URL https://github.com/Tencent/rapidjson/archive/refs/tags/v1.1.0.tar.gz
+  URL_HASH
+    SHA256=bf7ced29704a1e696fbccf2a2b4ea068e7774fa37f6d7dd4039d0787f8bed98e
+  CMAKE_ARGS -DCMAKE_INSTALL_PREFIX=${CMAKE_DEPS_PREFIX}
+             -DCMAKE_CXX_FLAGS=${CMAKE_CXX_FLAGS} -DCMAKE_SKIP_RPATH=TRUE
+  PREFIX ${CMAKE_DEPS_PREFIX}
+  UPDATE_COMMAND ""
+  EXCLUDE_FROM_ALL true
+  DOWNLOAD_EXTRACT_TIMESTAMP On
+  LOG_DOWNLOAD On
+  LOG_CONFIGURE On
+  LOG_BUILD On
+  LOG_INSTALL On)
+
+# NOTE rapidjson is a header-only lib
+add_library(librapidjson INTERFACE)
+target_include_directories(librapidjson INTERFACE ${CMAKE_DEPS_INCLUDEDIR})
+add_dependencies(librapidjson rapidjson)
+
+# -----------------------------
+# Alias Target for External Use
+# -----------------------------
+add_library(Deps::rapidjson ALIAS librapidjson)
diff --git a/virtrust/cmake/deps/spdlog.cmake b/virtrust/cmake/deps/spdlog.cmake
new file mode 100644
index 0000000000000000000000000000000000000000..90416d05d8a6e38a4049b44042f9c47abfcd7b5f
--- /dev/null
+++ b/virtrust/cmake/deps/spdlog.cmake
@@ -0,0 +1,31 @@
+# Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+
+# HACK spdlog installs in lib64
+file(MAKE_DIRECTORY ${CMAKE_DEPS_PREFIX}/lib64)
+
+ExternalProject_Add(
+  spdlog
+  URL https://github.com/gabime/spdlog/archive/refs/tags/v1.14.1.tar.gz
+  URL_HASH
+    SHA256=1586508029a7d0670dfcb2d97575dcdc242d3868a259742b69f100801ab4e16b
+  CMAKE_ARGS -DCMAKE_POSITION_INDEPENDENT_CODE=On
+             -DCMAKE_CXX_STANDARD=17
+             -DCMAKE_C_STANDARD_REQUIRED=Yes
+             -DCMAKE_INSTALL_PREFIX=${CMAKE_DEPS_PREFIX}
+             -DCMAKE_CPP_FLAGS=-isystem\ ${CMAKE_DEPS_INCLUDEDIR}
+  PREFIX ${CMAKE_DEPS_PREFIX}
+  UPDATE_COMMAND ""
+  EXCLUDE_FROM_ALL true
+  DOWNLOAD_EXTRACT_TIMESTAMP On
+  BUILD_BYPRODUCTS ${CMAKE_DEPS_LIBDIR}/libspdlog${CMAKE_STATIC_LIBRARY_SUFFIX}
+  LOG_DOWNLOAD On
+  LOG_CONFIGURE On
+  LOG_BUILD On
+  LOG_INSTALL On)
+
+import_static_lib_from(libspdlog spdlog)
+
+# -----------------------------
+# Alias Target for External Use
+# -----------------------------
+add_library(Deps::spdlog ALIAS libspdlog)
diff --git a/virtrust/docs/001-introduction.md b/virtrust/docs/001-introduction.md
new file mode 100644
index 0000000000000000000000000000000000000000..b204e8ffdb98569c078993d07776b0ee4dbbc24a
--- /dev/null
+++ b/virtrust/docs/001-introduction.md
@@ -0,0 +1,151 @@
+# 简介
+
+virtrust 是一个为 openEuler 24.03 LTS SP3 平台设计的可信安全启动（TSB）代理，提供虚拟化可信计算模块（vTPCM）支持，专注于虚拟机域管理和可信度量功能。本仓库实现了完整的可信虚拟机生命周期管理、安全迁移以及相关工具链。
+
+## 项目概述
+
+### 核心功能
+
+- **可信虚拟机管理**：提供虚拟机完整的生命周期管理，包括创建、启动、停止、销毁和迁移操作
+- **可信计算支持**：基于国密 SM3 算法的信任链验证，支持 vTPCM（虚拟化可信计算模块）管理
+- **安全迁移**：支持虚拟机在不同主机间的安全迁移，具备证书验证和完整性检查
+- **开发工具**：提供命令行工具 virtrust-sh和守护进程 libvirtrustd，方便用户操作和系统集成
+
+## 环境要求
+
+### 支持的操作系统
+- openEuler 24.03 SP1
+- openEuler 24.03 SP2
+
+### 编译依赖
+
+```bash
+# 基础编译工具
+sudo dnf install gcc g++ cmake make
+
+# 开发库
+sudo dnf install grpc grpc-devel grpc-plugins protobuf-devel protobuf-compiler
+sudo dnf install libboundscheck-devel
+
+# 运行时依赖
+sudo dnf install libxml2-devel libguestfs-devel openssl-devel libvirt-devel
+
+# 其他依赖（项目会自动下载）
+# - spdlog（日志）
+# - gtest（测试框架）
+# - rapidjson（JSON解析）
+```
+
+## 编译指南
+
+### 使用 CMake 直接编译
+
+```bash
+# 创建构建目录
+mkdir -p build && cd build
+
+# 配置构建（Release 构建）
+cmake ..
+
+# 配置构建（指定构建类型）
+cmake -DCMAKE_BUILD_TYPE=Debug ..          # 调试构建
+cmake -DCMAKE_BUILD_TYPE=Coverage ..       # 覆盖率构建
+cmake -DCMAKE_BUILD_TYPE=Asan ..           # 地址消毒构建
+
+# 配置选项
+cmake -DBUILD_TEST=On ..                   # 启用测试（默认开启）
+cmake -DUSE_MOCK_TSB_AGENT=Off ..          # 生产构建（禁用模拟代理）
+
+# 编译
+cmake --build . -j$(nproc)
+
+# 安装
+make install
+```
+
+### 使用构建脚本
+
+```bash
+# 默认构建（Release，禁用测试）
+./build.sh
+
+# 指定构建目标
+./build.sh cicd_default
+```
+
+## 单元测试
+
+### 运行所有测试
+
+```bash
+cd build
+
+# 运行所有测试
+ctest --output-on-failure
+
+# 生成覆盖率报告（需要 Coverage 构建）
+make coverage
+```
+
+## 产出物
+
+### 库文件
+
+- **`libvirtrust.so`** - 主要共享库，提供所有核心功能
+- **`libvirtrust.a`** - 静态库版本（可选）
+
+### 可执行文件
+
+- **`virtrust-sh`** - 命令行工具，用于管理虚拟机
+- **`libvirtrustd`** - 守护进程，提供后台服务
+- **`mock-tsb-agent`** - 模拟 TSB 代理（开发测试用）
+
+### 测试可执行文件
+
+在 `build/bin/` 目录下生成所有测试程序：
+
+- `domain_test`
+- `custom_logger_test`
+- `sm3_test`
+- `str_utils_test`
+- `exception_test`
+- 以及其他模块的测试程序
+
+### 配置和运行时文件
+
+- **日志文件**：`/tmp/virtrust.log`
+- **gRPC 套接字**：`/tmp/grpc.sock`
+- **覆盖率报告**：`build/coverage/index.html`（Coverage 构建）
+
+## 开发指南
+
+### 代码风格
+
+项目使用自动化代码格式化：
+
+```bash
+# 格式化所有代码
+./format-all.sh
+```
+
+- 使用 clang-format 格式化 C++ 代码
+- 使用 cmake-format 格式化 CMake 文件
+- 配置文件：`.clang-format`
+
+### 开发模式 vs 生产模式
+
+- **开发模式**（默认）：`USE_MOCK_TSB_AGENT=On`
+  - 使用模拟 TSB 代理
+  - 启用完整测试套件
+  - 便于开发和调试
+
+- **生产模式**：`USE_MOCK_TSB_AGENT=Off`
+  - 使用真实 TSB 代理
+  - 禁用测试以减小二进制体积
+  - 用于生产环境部署
+
+### 调试支持
+
+- **Debug 构建**：包含调试信息，支持 gdb
+- **Asan 构建**：启用地址消毒，检测内存错误
+- **Coverage 构建**：生成代码覆盖率报告
diff --git a/virtrust/docs/002-virtrust-api.md b/virtrust/docs/002-virtrust-api.md
new file mode 100644
index 0000000000000000000000000000000000000000..bf2aae16841d1a1715a56c40bbcf8b568680b37e
--- /dev/null
+++ b/virtrust/docs/002-virtrust-api.md
@@ -0,0 +1,234 @@
+# Virtrust API 接口文档
+
+本文档描述了 virtrust 库对外提供的主要 API 接口，这些接口主要用于虚拟机域管理，包括创建、启动、停止、迁移和查询等操作。
+
+## 核心数据结构
+
+### 连接上下文 (ConnCtx)
+- **作用**：表示与 libvirt 的连接上下文
+- **默认 URI**：`qemu:///session`
+- **创建方式**：使用 `std::make_unique<ConnCtx>()` 创建，可通过 `SetUri()` 方法设置连接地址
+
+### 返回值 (VirtrustRc)
+所有 API 函数都返回 `VirtrustRc` 枚举类型的返回值：
+- `OK = 0`：操作成功
+- `ERROR = 1`：一般错误
+- `CHECK_FAILED = 2`：检查失败
+- `INCONSISTENT_RESOURCE = 3`：资源不一致
+
+## API 接口详情
+
+### 1. DomainCreate - 创建虚拟机
+
+```cpp
+VirtrustRc DomainCreate(const std::unique_ptr<ConnCtx> &conn, const std::vector<std::string> &args);
+```
+
+**参数说明**：
+- `conn`：连接上下文，必须是有效的连接
+- `args`：参数向量，参考 `virt-install --help` 的参数格式
+  - `args[0]`：必须为 virt-install 的路径，如 `/usr/bin/virt-install`
+  - 必须指定虚拟机名称字段
+  - `--allow-store-measurements`：可选参数，允许更新 TSB 的度量值
+
+**功能描述**：
+创建一个新的虚拟机实例。该函数内部调用 virt-install 工具来创建虚拟机，并处理相关的 TSB 资源初始化。
+
+**返回值**：
+- 成功返回 `VirtrustRc::OK`
+- 失败返回相应的错误码
+
+**注意事项**：
+- 名称字段是必须的
+- 确保 virt-install 路径正确且可执行
+- 支持所有 virt-install 的标准参数
+
+### 2. DomainDestroy - 停止虚拟机
+
+```cpp
+VirtrustRc DomainDestroy(const std::unique_ptr<ConnCtx> &conn, const std::string &domainName, 
+                         unsigned int flags, bool isOnlyTsb = false);
+```
+
+**参数说明**：
+- `conn`：连接上下文
+- `domainName`：虚拟机名称或 UUID
+  - 当 `isOnlyTsb` 为 true 时，只更新 TSB 相关资源
+  - 当 `isOnlyTsb` 为 true 时，使用 UUID 时将忽略 flags 入参
+- `flags`：销毁标志，参考 `DomainDestroyFlags`（当前仅定义 `DOMAIN_DESTROY_NONE = 0`）
+- `isOnlyTsb`：是否只更新 TSB 资源的标志
+  - `true`：仅更新 TSB 资源，不执行实际的虚拟机销毁
+  - `false`：执行完整的虚拟机销毁操作
+
+**功能描述**：
+停止指定的虚拟机。可选择是否只处理 TSB 资源或执行完整的销毁操作。
+
+### 3. DomainMigrate - 迁移虚拟机
+
+```cpp
+VirtrustRc DomainMigrate(const std::unique_ptr<ConnCtx> &conn, const std::string &domainName,
+                         const std::string &destUri, unsigned int flags = 0);
+```
+
+**参数说明**：
+- `conn`：连接上下文
+- `domainName`：虚拟机名称
+- `destUri`：目标端地址，格式为 `<protocol>://<hostip>:<port>/<path>`
+  - 示例：`qemu+tls://7.7.7.7:8080/system`
+- `flags`：迁移标志
+  - 默认为 0：不删除源端虚拟机
+  - `MIGRATE_UNDEFINE_SOURCE`：迁移成功后取消定义源端虚拟机
+
+**功能描述**：
+将虚拟机从当前主机迁移到目标主机。支持安全的迁移过程，包括 TSB 资源的同步。
+
+**返回值**：
+- 成功返回 `VirtrustRc::OK`
+- 失败返回相应的错误码
+
+### 4. DomainStart - 启动虚拟机
+
+```cpp
+VirtrustRc DomainStart(const std::unique_ptr<ConnCtx> &conn, const std::string &domainName, 
+                       unsigned int flags, bool isOnlyTsb = false);
+```
+
+**参数说明**：
+- `conn`：连接上下文
+- `domainName`：虚拟机名称或 UUID
+  - 当 `isOnlyTsb` 为 true 时，只更新 TSB 相关资源
+  - 当 `isOnlyTsb` 为 true 时，使用 UUID 时将忽略 flags 入参
+- `flags`：启动标志，参考 `DomainStartFlags`（当前仅定义 `DOMAIN_START_NONE = 0`）
+- `isOnlyTsb`：是否只更新 TSB 资源的标志
+  - `true`：仅更新 TSB 资源
+  - `false`：执行完整的虚拟机启动操作
+
+**功能描述**：
+启动指定的虚拟机。可以选择仅处理 TSB 资源或执行完整的启动流程。
+
+### 5. DomainUndefine - 删除虚拟机
+
+```cpp
+VirtrustRc DomainUndefine(const std::unique_ptr<ConnCtx> &conn, const std::string &domainName, 
+                          unsigned int flags = 0, bool isOnlyTsb = false);
+```
+
+**参数说明**：
+- `conn`：连接上下文
+- `domainName`：虚拟机名称或 UUID
+  - 当 `isOnlyTsb` 为 true 时，只更新 TSB 相关资源
+  - 当 `isOnlyTsb` 为 true 时，使用 UUID 时将忽略 flags 入参
+- `flags`：删除标志
+  - 默认为 0：适用于不产生 NVRAM 文件的情况
+  - `DOMAIN_UNDEFINE_NVRAM`：删除 NVRAM 文件
+  - `DOMAIN_UNDEFINE_KEEP_NVRAM`：保留 NVRAM 文件
+  - 注意：`DOMAIN_UNDEFINE_NVRAM` 和 `DOMAIN_UNDEFINE_KEEP_NVRAM` 不能同时指定
+- `isOnlyTsb`：是否只删除 TSB 资源
+  - `true`：仅删除 TSB 资源
+  - `false`：执行完整的虚拟机删除操作
+
+**功能描述**：
+删除虚拟机的定义。处理 NVRAM 文件和 TSB 资源的清理。
+
+### 6. DomainList - 展示虚拟机
+
+```cpp
+VirtrustRc DomainList(const std::unique_ptr<ConnCtx> &conn, unsigned int flags,
+                      std::unordered_map<std::string, DomainInfo> &domainInfos, 
+                      bool printErrToCli = false);
+```
+
+**参数说明**：
+- `conn`：连接上下文
+- `flags`：列表标志，可组合使用
+  - `LIST_DOMAINS_ACTIVE`：列出活动的虚拟机
+  - `LIST_DOMAINS_INACTIVE`：列出非活动的虚拟机
+  - 示例：`LIST_DOMAINS_ACTIVE | LIST_DOMAINS_INACTIVE`
+- `domainInfos`：输出参数，查询到的虚拟机信息映射表
+  - 键：虚拟机名称
+  - 值：`DomainInfo` 结构体
+- `printErrToCli`：是否在命令行显示 TSB 和 libvirt 资源不一致的错误信息
+  - `true`：显示错误信息（注意：libvirt 有但 TSB 没有的情况不会显示，但会有 warn 日志）
+  - `false`：不显示错误信息
+
+**DomainInfo 结构体**：
+```cpp
+struct DomainInfo {
+    std::string domainName;        // 虚拟机名称
+    unsigned char state;           // 运行状态，virDomainState 枚举值
+    unsigned long maxMem;          // 最大允许内存（KB）
+    unsigned long memory;          // 当前使用内存（KB）
+    unsigned short nrVirtCpu;      // 虚拟 CPU 数量
+    unsigned long long cpuTime;    // CPU 使用时间（纳秒）
+};
+```
+
+**功能描述**：
+查询并列出符合条件的虚拟机信息，同时检查 TSB 资源和 libvirt 资源的一致性。
+
+## 使用示例
+
+### 基本使用流程
+
+```cpp
+#include "virtrust/api/domain.h"
+
+// 创建连接上下文
+auto conn = std::make_unique<ConnCtx>();
+conn->SetUri("qemu:///session");
+
+// 创建虚拟机
+std::vector<std::string> args = {
+    "/usr/bin/virt-install",
+    "--name", "test-vm",
+    "--memory", "2048",
+    "--vcpus", "2",
+    "--disk", "path=/var/lib/libvirt/images/test-vm.qcow2,size=10",
+    "--cdrom", "/path/to/install.iso",
+    "--network", "network=default",
+    "--allow-store-measurements"
+};
+
+auto result = DomainCreate(conn, args);
+if (result != VirtrustRc::OK) {
+    // 处理错误
+}
+
+// 启动虚拟机
+result = DomainStart(conn, "test-vm", DOMAIN_START_NONE, false);
+
+// 查询虚拟机信息
+std::unordered_map<std::string, DomainInfo> domainInfos;
+result = DomainList(conn, LIST_DOMAINS_ACTIVE, domainInfos, true);
+
+// 停止虚拟机
+result = DomainDestroy(conn, "test-vm", DOMAIN_DESTROY_NONE, false);
+
+// 删除虚拟机
+result = DomainUndefine(conn, "test-vm", 0, false);
+```
+
+## 错误处理
+
+所有 API 函数都返回 `VirtrustRc` 枚举值，建议在调用后检查返回值：
+
+```cpp
+auto rc = DomainCreate(conn, args);
+switch (rc) {
+    case VirtrustRc::OK:
+        // 操作成功
+        break;
+    case VirtrustRc::ERROR:
+        // 一般错误
+        break;
+    case VirtrustRc::CHECK_FAILED:
+        // 检查失败
+        break;
+    case VirtrustRc::INCONSISTENT_RESOURCE:
+        // 资源不一致
+        break;
+    default:
+        // 未知错误
+        break;
+}
+```
diff --git a/virtrust/docs/003-virtrust-sh.md b/virtrust/docs/003-virtrust-sh.md
new file mode 100644
index 0000000000000000000000000000000000000000..5ca71f079808833b08dba8d4a022cbd5744766da
--- /dev/null
+++ b/virtrust/docs/003-virtrust-sh.md
@@ -0,0 +1,238 @@
+# Virtrust Shell (virtrust-sh) 用户手册
+
+## 概述
+
+Virtrust Shell (virtrust-sh) 是 virtrust 项目的命令行界面工具，为用户提供了交互式的虚拟机管理功能。它基于 virtrust API 库构建，支持虚拟机的完整生命周期管理操作。
+
+- **虚拟机生命周期管理**：创建、启动、停止、销毁、迁移和删除虚拟机
+
+## 安装和使用
+
+### 基本语法
+
+```bash
+virtrust-sh [options]... [<command_string>]
+virtrust-sh [options]... <command> [args...]
+```
+
+### 命令行选项
+
+| 选项 | 长选项 | 参数 | 描述 |
+|------|--------|------|------|
+| `-c` | `--connect=URI` | URI | 指定 hypervisor 连接 URI，默认为 `qemu:///session` |
+| `-d` | `--debug` | 无 | 启用调试模式，显示详细日志 |
+| `-h` | `--help` | 无 | 显示帮助信息 |
+| `-v` | `--version` | 无 | 显示版本信息 |
+
+### 支持的命令
+
+| 命令 | 描述 |
+|------|------|
+| `create` | 创建虚拟机实例 |
+| `destroy` | 销毁（停止）虚拟机域 |
+| `list` | 列出虚拟机信息 |
+| `migrate` | 迁移虚拟机到其他主机 |
+| `start` | 启动（先前定义的）非活动虚拟机域 |
+| `undefine` | 取消定义虚拟机域 |
+
+## 详细命令说明
+
+### 1. create - 创建虚拟机
+
+创建新的虚拟机实例，基于 libvirt 的 virt-install 工具实现。
+
+**基本语法**：
+```bash
+virtrust-sh create [virt-install 支持的参数...]
+```
+
+**参数说明**：
+- 所有参数将传递给 virt-install 工具
+- 必须包含虚拟机名称参数
+- 支持所有 virt-install 的标准参数
+
+**示例**：
+```bash
+# 创建基础虚拟机
+virtrust-sh create \
+  --name test-vm \
+  --memory 2048 \
+  --vcpus 2 \
+  --disk path=/var/lib/libvirt/images/test-vm.qcow2,size=10 \
+  --cdrom /path/to/install.iso f
+  --network network=default
+
+# 使用自定义连接 URI
+virtrust-sh -c qemu+tcp://host/system create \
+  --name test-vm \
+  --memory 1024 \
+  --vcpus 1 \
+  --disk path=/tmp/test.img,size=5
+```
+
+### 2. start - 启动虚拟机
+
+启动之前定义的虚拟机实例。
+
+**基本语法**：
+```bash
+virtrust-sh start <domain_name>
+```
+
+**参数说明**：
+- `domain_name`：要启动的虚拟机名称
+
+**示例**：
+```bash
+# 启动虚拟机
+virtrust-sh start test-vm
+
+# 使用调试模式启动
+virtrust-sh -d start test-vm
+```
+
+### 3. destroy - 停止虚拟机
+
+强制停止运行中的虚拟机。
+
+**基本语法**：
+```bash
+virtrust-sh destroy <domain_name>
+```
+
+**参数说明**：
+- `domain_name`：要停止的虚拟机名称
+
+**示例**：
+```bash
+# 停止虚拟机
+virtrust-sh destroy test-vm
+```
+
+### 4. undefine - 删除虚拟机定义
+
+删除虚拟机的配置定义，但不会删除磁盘镜像文件。
+
+**基本语法**：
+```bash
+virtrust-sh undefine <domain_name>
+```
+
+**参数说明**：
+- `domain_name`：要删除定义的虚拟机名称
+
+**示例**：
+```bash
+# 删除虚拟机定义
+virtrust-sh undefine test-vm
+```
+
+### 5. migrate - 迁移虚拟机
+
+将虚拟机迁移到其他主机。
+
+**基本语法**：
+```bash
+virtrust-sh migrate [option] <domain_name> <dest_uri> 
+```
+
+**参数说明**：
+- `domain_name`：要迁移的虚拟机名称
+- `dest_uri`：目标主机 URI，格式为 `<protocol>://<host>:<port>/<path>`
+- `option`：-h 帮助信息，--undefinesource 删除源端虚拟机
+
+**示例**：
+```bash
+# 迁移到远程主机
+virtrust-sh migrate test-vm qemu+tls://192.168.1.100:16509/system
+
+# 使用 TLS 加密迁移
+virtrust-sh migrate test-vm qemu+tls://dest-host/system
+```
+
+### 6. list - 列出虚拟机信息
+
+显示系统中虚拟机的状态和信息。
+
+**基本语法**：
+```bash
+virtrust-sh list [options]
+```
+
+**示例**：
+```bash
+# 列出所有虚拟机
+virtrust-sh list
+
+# 使用调试模式列出虚拟机
+virtrust-sh -d list
+```
+
+## 日志管理
+
+virtrust-sh 会将详细的操作日志写入当前工作目录下的 `virtrust.log` 文件。
+
+## 使用示例
+
+### 完整虚拟机生命周期管理
+
+```bash
+# 1. 创建虚拟机
+virtrust-sh create \
+  --name demo-vm \
+  --memory 4096 \
+  --vcpus 2 \
+  --disk path=/var/lib/libvirt/images/demo-vm.qcow2,size=20 \
+  --cdrom /tmp/ubuntu-22.04.iso \
+  --network network=default \
+  --graphics spice
+
+# 2. 启动虚拟机
+virtrust-sh start demo-vm
+
+# 3. 查看虚拟机状态
+virtrust-sh list
+
+# 4. 停止虚拟机
+virtrust-sh destroy demo-vm
+
+# 5. 删除虚拟机定义
+virtrust-sh undefine demo-vm
+```
+
+### 批量操作脚本
+
+```bash
+#!/bin/bash
+
+# 设置调试模式
+DEBUG_FLAG="-d"
+
+# 批量启动虚拟机
+for vm in vm1 vm2 vm3; do
+    echo "Starting $vm..."
+    virtrust-sh $DEBUG_FLAG start $vm
+done
+
+# 批量列出虚拟机状态
+echo "Virtual machine status:"
+virtrust-sh $DEBUG_FLAG list
+```
+
+### 远程管理示例
+
+```bash
+# 连接到远程 libvirt 守护进程
+REMOTE_URI="qemu+tcp://192.168.1.100/system"
+
+# 在远程主机上创建虚拟机
+virtrust-sh -c $REMOTE_URI create \
+  --name remote-vm \
+  --memory 2048 \
+  --vcpus 2 \
+  --disk path=/var/lib/libvirt/images/remote-vm.qcow2,size=10
+
+# 迁移虚拟机到远程主机
+virtrust-sh migrate local-vm qemu+tls://192.168.1.100/system
+```
+
diff --git a/virtrust/docs/004-virtrustd.md b/virtrust/docs/004-virtrustd.md
new file mode 100644
index 0000000000000000000000000000000000000000..7e2c2c8272c314218217afcafb2e718bd9e824b2
--- /dev/null
+++ b/virtrust/docs/004-virtrustd.md
@@ -0,0 +1,305 @@
+# Virtrust Daemon (virtrustd) 管理手册
+
+## 概述
+
+Virtrust Daemon (virtrustd) 是 virtrust 项目的守护进程服务，提供基于 gRPC 的远程 API 服务。它作为后端服务运行，接受来自客户端的虚拟机管理请求，并通过 virtrust API 库执行相应的操作。
+
+- **默认服务器地址**：127.0.0.1
+- **默认服务器端口**：5031
+- **默认 Unix Socket**：/tmp/grpc.sock
+- **默认日志文件**：/var/log/virtrustd.log
+
+## 系统架构
+
+### 服务组件
+
+```
+virtrustd 守护进程
+├── gRPC Server          # gRPC 服务器
+├── LinkConfig          # 链接配置管理
+├── 信号处理器          # SIGINT, SIGTERM, SIGPIPE 处理
+├── 日志系统            # 服务日志记录
+└── virtrust API        # 虚拟机管理 API 调用
+```
+
+### 通信流程
+
+```
+客户端应用
+    ↓ (gRPC/TLS)
+virtrustd 守护进程
+    ↓ (virtrust API)
+libvirt 虚拟化层
+```
+
+## 安装和部署
+
+### 系统要求
+
+- **操作系统**：openEuler 24.03 LTS SP1 或 openEuler 24.03 LTS SP2
+- **权限**：需要足够的权限来管理虚拟机
+- **依赖**：libvirt、gRPC 相关库
+
+### 安装步骤
+
+1. **编译安装**：
+```bash
+# 在 virtrust 项目目录下
+cmake -B build -DCMAKE_BUILD_TYPE=Release
+cmake --build build
+
+# 安装服务
+sudo cmake --install build
+```
+
+2. **创建配置文件**：
+```bash
+sudo mkdir -p /etc/virtrust
+sudo cp config-example.json /etc/virtrust/virtrustd.json
+```
+
+3. **创建日志目录**：
+```bash
+sudo mkdir -p /var/log
+sudo touch /var/log/virtrustd.log
+sudo chmod 644 /var/log/virtrustd.log
+```
+
+## 配置管理
+
+### 基本语法
+
+```bash
+virtrustd --config <config_file> [options]
+```
+
+### 命令行选项
+
+| 选项 | 长选项 | 参数 | 描述 |
+|------|--------|------|------|
+| 无 | `--config` | 文件路径 | 配置文件路径（必需） |
+| `-d` | `--debug` | 无 | 启用调试模式 |
+| 无 | `--help` | 无 | 显示帮助信息 |
+| 无 | `--version` | 无 | 显示版本信息 |
+
+### 配置文件格式
+
+配置文件使用 JSON 格式，包含以下字段：
+
+```json
+{
+  "server": {
+    "addr": "127.0.0.1",
+    "port": 5031,
+    "uds_path": "/tmp/grpc.sock"
+  },
+  "tls": {
+    "ca_path": "ca-cert.pem",
+    "cert_path": "server-cert.pem",
+    "key_path": "server-sk.pem"
+  }
+}
+```
+
+#### 配置字段说明
+
+**server 部分**：
+- `addr`：服务器监听地址，默认为 "127.0.0.1"
+- `port`：服务器监听端口，默认为 5031
+- `uds_path`：Unix Domain Socket 路径，默认为 "/tmp/grpc.sock"
+
+**tls 部分**：
+- `ca_path`：CA 证书文件路径，默认为 "ca-cert.pem"
+- `cert_path`：服务器证书文件路径，默认为 "server-cert.pem"
+- `key_path`：服务器私钥文件路径，默认为 "server-sk.pem"
+
+### 示例配置文件
+
+**基础配置 (basic.json)**：
+```json
+{
+  "server": {
+    "addr": "127.0.0.1",
+    "port": 5031,
+    "uds_path": "/tmp/grpc.sock"
+  },
+  "tls": {
+    "ca_path": "/etc/virtrust/certs/ca-cert.pem",
+    "cert_path": "/etc/virtrust/certs/server-cert.pem",
+    "key_path": "/etc/virtrust/certs/server-sk.pem"
+  }
+}
+```
+
+**生产环境配置 (production.json)**：
+```json
+{
+  "server": {
+    "addr": "0.0.0.0",
+    "port": 5031,
+    "uds_path": "/var/run/virtrustd.sock"
+  },
+  "tls": {
+    "ca_path": "/etc/ssl/certs/virtrust-ca.pem",
+    "cert_path": "/etc/ssl/private/virtrust-server.pem",
+    "key_path": "/etc/ssl/private/virtrust-server.key"
+  }
+}
+```
+
+## 运行和管理
+
+### 启动服务
+
+```bash
+# 基础启动
+sudo virtrustd --config /etc/virtrust/virtrustd.json
+
+# 调试模式启动
+sudo virtrustd --config /etc/virtrust/virtrustd.json --debug
+```
+
+### 系统服务配置
+
+创建 systemd 服务文件 `/etc/systemd/system/virtrustd.service`：
+
+```ini
+[Unit]
+Description=Virtrust Daemon
+After=network.target libvirtd.service
+Wants=libvirtd.service
+
+[Service]
+Type=simple
+User=root
+Group=root
+ExecStart=/usr/local/bin/virtrustd --config /etc/virtrust/virtrustd.json
+ExecReload=/bin/kill -HUP $MAINPID
+Restart=always
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
+```
+
+**服务管理命令**：
+```bash
+# 重新加载 systemd 配置
+sudo systemctl daemon-reload
+
+# 启动服务
+sudo systemctl start virtrustd
+
+# 停止服务
+sudo systemctl stop virtrustd
+
+# 重启服务
+sudo systemctl restart virtrustd
+
+# 查看服务状态
+sudo systemctl status virtrustd
+
+# 开机自启
+sudo systemctl enable virtrustd
+
+# 禁用开机自启
+sudo systemctl disable virtrustd
+```
+
+### 服务状态监控
+
+```bash
+# 检查服务是否运行
+sudo systemctl is-active virtrustd
+
+# 查看服务日志
+sudo journalctl -u virtrustd -f
+
+# 查看最近的错误日志
+sudo journalctl -u virtrustd --since "1 hour ago" -p err
+```
+
+## 日志管理
+
+### 日志文件位置
+
+- **日志文件**：`/var/log/virtrustd.log`
+- **系统日志**：通过 systemd journal 记录
+
+### 日志级别
+
+- **默认级别**：INFO
+- **调试模式**：DEBUG（使用 `--debug` 选项启用）
+
+### 日志轮转配置
+
+创建 logrotate 配置文件 `/etc/logrotate.d/virtrustd`：
+
+```
+/var/log/virtrustd.log {
+    daily
+    missingok
+    rotate 30
+    compress
+    delaycompress
+    notifempty
+    create 644 root root
+    postrotate
+        systemctl reload virtrustd
+    endscript
+}
+```
+
+## 安全配置
+
+### TLS 证书管理
+
+1. **生成 CA 证书**：
+```bash
+# 创建 CA 私钥
+openssl genrsa -out ca-key.pem 4096
+
+# 创建 CA 证书
+openssl req -new -x509 -days 365 -key ca-key.pem -out ca-cert.pem \
+  -subj "/C=CN/ST=State/L=City/O=Organization/CN=Virtrust-CA"
+```
+
+2. **生成服务器证书**：
+```bash
+# 生成服务器私钥
+openssl genrsa -out server-key.pem 2048
+
+# 生成证书签名请求
+openssl req -new -key server-key.pem -out server-req.pem \
+  -subj "/C=CN/ST=State/L=City/O=Organization/CN=virtrustd-server"
+
+# 签发服务器证书
+openssl x509 -req -days 365 -in server-req.pem -CA ca-cert.pem \
+  -CAkey ca-key.pem -CAcreateserial -out server-cert.pem
+```
+
+3. **权限设置**：
+```bash
+# 设置证书文件权限
+sudo chown root:root ca-cert.pem server-cert.pem server-key.pem
+sudo chmod 644 ca-cert.pem server-cert.pem
+sudo chmod 600 server-key.pem
+
+# 移动到安全位置
+sudo mv ca-cert.pem server-cert.pem server-key.pem /etc/virtrust/certs/
+```
+
+4. **libvirt证书**：
+```bash
+参考 https://libvirt.org/kbase/tlscerts.html
+```
+
+### 防火墙配置
+
+```bash
+# 开放 gRPC 服务端口
+sudo firewall-cmd --permanent --add-port=5031/tcp
+# 开放 libvirt tls方式端口
+sudo firewall-cmd --permanent --add-port=16514/tcp
+sudo firewall-cmd --reload
+```
diff --git a/virtrust/format-all.sh b/virtrust/format-all.sh
new file mode 100755
index 0000000000000000000000000000000000000000..bfcbc17c1eddc58d26e1bb39f5185288bcba4524
--- /dev/null
+++ b/virtrust/format-all.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+# Check if clang-format exists
+if ! command -v clang-format &> /dev/null; then
+    echo "clang-format not found"
+    exit 1
+fi
+
+# Check if cmake-format exists
+if ! command -v cmake-format &> /dev/null; then
+    echo "cmake-format not found"
+    exit 1
+fi
+
+# format c/c++ code
+find . -name "*.cpp" -o -name "*.hpp" -o -name "*.h" | xargs clang-format -i
+
+# format cmake code
+find . -name "CMakeLists.txt" -exec cmake-format -i {} \;
diff --git a/virtrust/src/CMakeLists.txt b/virtrust/src/CMakeLists.txt
new file mode 100644
index 0000000000000000000000000000000000000000..0e6714f3eff77a5b4bf0a88ffc29d9cbc5cfbbd6
--- /dev/null
+++ b/virtrust/src/CMakeLists.txt
@@ -0,0 +1,13 @@
+# Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+# api
+add_subdirectory(virtrust)
+
+# cli
+add_subdirectory(virtrust-sh)
+
+# daemon
+add_subdirectory(libvirtrustd)
+
+# tsb_agent
+add_subdirectory(tsb_agent)
diff --git a/virtrust/src/libvirtrustd/CMakeLists.txt b/virtrust/src/libvirtrustd/CMakeLists.txt
new file mode 100644
index 0000000000000000000000000000000000000000..5d3c4f408bb770e2dd26bf420039844c85fa6336
--- /dev/null
+++ b/virtrust/src/libvirtrustd/CMakeLists.txt
@@ -0,0 +1,11 @@
+# Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+
+# executable
+add_executable(libvirtrustd ${CMAKE_CURRENT_LIST_DIR}/main.cpp
+                            ${CMAKE_CURRENT_LIST_DIR}/utils.cpp)
+
+target_include_directories(
+  libvirtrustd PRIVATE ${CMAKE_DEPS_INCLUDEDIR}
+                       $<BUILD_INTERFACE:${PROJECT_SOURCE_DIR}/src>)
+
+target_link_libraries(libvirtrustd PRIVATE virtrust-shared Deps::rapidjson)
diff --git a/virtrust/src/libvirtrustd/defines.h b/virtrust/src/libvirtrustd/defines.h
new file mode 100644
index 0000000000000000000000000000000000000000..808a30f561beec887d87095ffde77e8913f08d84
--- /dev/null
+++ b/virtrust/src/libvirtrustd/defines.h
@@ -0,0 +1,22 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#pragma once
+
+#include <cstdint>
+#include <string_view>
+
+namespace virtrust {
+// version
+constexpr std::string_view LIBVIRTRUSTD_VERSION = "1.0.0";
+
+// default values
+constexpr std::string_view LIBVIRTRUSTD_SERVER_ADDR = "127.0.0.1";
+constexpr std::string_view LIBVIRTRUSTD_CA_PATH = "ca-cert.pem";
+constexpr std::string_view LIBVIRTRUSTD_CERT_PATH = "server-cert.pem";
+constexpr std::string_view LIBVIRTRUSTD_SK_PATH = "server-sk.pem";
+constexpr std::string_view LIBVIRTRUSTD_UDS_PATH = "/tmp/grpc.sock";
+constexpr const char *VIRTRUSTD_LOGFILE_NAME = "/var/log/virtrustd.log";
+constexpr uint16_t LIBVIRTRUSTD_SERVER_PORT = 5031;
+} // namespace virtrust
diff --git a/virtrust/src/libvirtrustd/main.cpp b/virtrust/src/libvirtrustd/main.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..dfad9721765e933e6ca5b4f16e85e0269cdd31ea
--- /dev/null
+++ b/virtrust/src/libvirtrustd/main.cpp
@@ -0,0 +1,139 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#include <getopt.h>
+#include <unistd.h>
+
+#include <csignal>
+#include <thread>
+
+#include "libvirtrustd/defines.h"
+#include "libvirtrustd/utils.h"
+#include "spdlog/fmt/bundled/core.h"
+
+#include "virtrust/base/logger.h"
+#include "virtrust/link/defines.h"
+#include "virtrust/link/grpc_server.h"
+
+namespace virtrust {
+namespace {
+volatile sig_atomic_t g_stopFlag = 0;
+
+void SignalHandler(int signum)
+{
+    VIRTRUST_LOG_INFO("Received signal: {}", signum);
+    if (signum == SIGPIPE) {
+        VIRTRUST_LOG_INFO("SIGPIPE signal received, ignored.");
+
+        return;
+    }
+    g_stopFlag = 1;
+}
+
+void PrintVersion(std::string_view progname)
+{
+    fmt::print("{} version: {}\n", progname, LIBVIRTRUSTD_VERSION);
+}
+
+void PrintUsage(std::string_view progname)
+{
+    fmt::print("\n"
+               "  USAGE:\n"
+               "    {} <args> [options]\n"
+               "\n"
+               "  REQUIRED ARGS:\n"
+               "    --config           path to config file\n"
+               "\n"
+               "  OPTIONS:\n"
+               "    -d | --debug       run in debug mode\n"
+               "    --help             print this help\n"
+               "    --version          show version\n"
+               "\n",
+               progname);
+}
+
+int ProcessArgs(int argc, char **argv)
+{
+    int arg = -1;
+    int longindex = -1;
+    std::vector<option> opt = {
+        {"config", required_argument, nullptr, 'c'},
+        {"debug", no_argument, nullptr, 'd'},
+        {"help", no_argument, nullptr, 'h'},
+        {"version", no_argument, nullptr, 'v'},
+        {nullptr, 0, nullptr, 0},
+    };
+
+    std::string configPath;
+    // The leading + means no re-ordering, see man page of getopt_long
+    // The ":" after "c" means it has long arguments from cli, and is parsed to
+    // optarg
+    while ((arg = getopt_long(argc, argv, "+c:dhv", opt.data(), &longindex)) != -1) {
+        switch (arg) {
+            case 'c':
+                configPath = std::string(optarg);
+                break;
+            case 'd':
+                virtrust::Logger::Instance()->SetDisplayLogLevel(virtrust::LogLevel::DEBUG);
+                break;
+            case 'v':
+                PrintVersion(argv[0]);
+                return 0; // return with success
+            case 'h':
+                PrintUsage(argv[0]);
+                return 0; // return with success
+            case '?':
+            default:
+                PrintUsage(argv[0]);
+                return 1; // return with failure
+        }
+    }
+
+    if (configPath.empty()) {
+        fmt::print("\n"
+                   "  ERROR: Missing requried config files\n");
+        PrintUsage(argv[0]);
+        return 1; // return with success
+    }
+
+    auto ret = MakeLinkConfigFromJsonFile(configPath);
+    if (ret.has_value()) {
+        ConfigMgr::Instance().SetLinkConfig(ret.value());
+        GrpcServer sever(ret.value());
+        fmt::print("start link config. Exiting...{}, {}\n", ret.value().udsPath, ret.value().caPath);
+        LinkRc linkRc = sever.Start();
+        if (linkRc != LinkRc::OK) {
+            fmt::print("Failed to start link config. Exiting...\n");
+            return 1;
+        }
+
+        while (g_stopFlag == 0) {
+            std::this_thread::sleep_for(std::chrono::seconds(1));
+        }
+        sever.Stop();
+    } else {
+        // make link config failed
+        return 1;
+    }
+    return 0;
+}
+} // namespace
+} // namespace virtrust
+
+int main(int argc, char **argv)
+{
+    // register signal handler
+    signal(SIGINT, virtrust::SignalHandler);
+    signal(SIGTERM, virtrust::SignalHandler);
+    signal(SIGPIPE, virtrust::SignalHandler);
+
+    auto ret = virtrust::Logger::Instance()->InitLog(static_cast<int>(virtrust::LogLevel::INFO),
+                                                     virtrust::VIRTRUSTD_LOGFILE_NAME);
+    if (ret != virtrust::VirtrustRc::OK) {
+        fmt::print("\nInitLog failed\n");
+        return 1;
+    }
+
+    return virtrust::ProcessArgs(argc, argv);
+}
diff --git a/virtrust/src/libvirtrustd/utils.cpp b/virtrust/src/libvirtrustd/utils.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..8923e48dd2539e67eb474593c310e8f62c7ab2ac
--- /dev/null
+++ b/virtrust/src/libvirtrustd/utils.cpp
@@ -0,0 +1,172 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#include <sys/stat.h>
+#include <unistd.h>
+
+#include <fstream>
+#include <optional>
+
+#include "libvirtrustd/defines.h"
+#include "rapidjson/document.h"
+#include "rapidjson/istreamwrapper.h"
+
+#include "virtrust/link/link_config_builder.h"
+
+namespace virtrust {
+
+namespace {
+
+constexpr uint32_t MAX_FILE_SIZE = 10 * 1024 * 1024; // 10* 1024 * 1024
+
+std::optional<std::string> CanonicalPath(const std::string &path)
+{
+    if (path.empty() || path.size() > 4096L) {
+        return std::nullopt;
+    }
+
+    /* It will callocate memory to store path*/
+    std::array<char, PATH_MAX> resolvedPath;
+    if (realpath(path.c_str(), resolvedPath.data()) == nullptr) {
+        return std::nullopt;
+    }
+    return resolvedPath.data();
+}
+
+bool IsAbsolutePath(const std::string &filePath)
+{
+    if (filePath.length() == 0) {
+        return false;
+    }
+    if (filePath[0] != '/') {
+        return false;
+    }
+    if (strstr(filePath.c_str(), "/../") != nullptr || strstr(filePath.c_str(), "/./") != nullptr) {
+        return false;
+    }
+    return true;
+}
+
+bool CheckFileAccess(const std::string &path, int mode)
+{
+    return access(path.c_str(), mode) != -1;
+}
+
+bool CheckFileStat(const std::string &filePath)
+{
+    struct stat st;
+    if (stat(filePath.c_str(), &st) != 0) {
+        return false;
+    }
+
+    if ((st.st_mode & S_IFMT) != S_IFREG || (st.st_size > MAX_FILE_SIZE)) {
+        return false;
+    }
+    return true;
+}
+
+bool CheckConfigFile(const std::string &path)
+{
+    if (!IsAbsolutePath(path)) {
+        VIRTRUST_LOG_ERROR("Got relatinve path.");
+        return false;
+    }
+    if (!CheckFileStat(path)) {
+        VIRTRUST_LOG_ERROR("Check path stat failed.");
+        return false;
+    }
+    if (!CheckFileAccess(path, F_OK | R_OK)) {
+        VIRTRUST_LOG_ERROR("File path access is not valid.");
+        return false;
+    }
+    return true;
+}
+
+std::optional<rapidjson::Document> ReadJsonFile(const std::string &path)
+{
+    // canonical path
+    auto realPath = CanonicalPath(path);
+    if (!realPath) {
+        VIRTRUST_LOG_ERROR("Canonical path failed.");
+        return std::nullopt;
+    }
+    // check the validity of path
+    if (!CheckConfigFile(realPath.value())) {
+        VIRTRUST_LOG_ERROR("Read config error. File access check failed: {}", realPath.value());
+        return std::nullopt;
+    }
+
+    // read path into ifstream
+    std::ifstream file(realPath.value());
+    if (!file.is_open()) {
+        VIRTRUST_LOG_ERROR("Read config error. Cannot open file: {}", realPath.value());
+        return std::nullopt;
+    }
+
+    // handle ifstream to rapidjson
+    rapidjson::IStreamWrapper isw(file);
+    rapidjson::Document doc;
+    doc.ParseStream(isw);
+
+    // in case of parse error
+    if (doc.HasParseError()) {
+        VIRTRUST_LOG_ERROR("Read config error. Cannto parse file into json: {}", realPath.value());
+        return std::nullopt;
+    }
+
+    return doc;
+}
+
+template <typename T>
+std::optional<T> FindJsonKey(const rapidjson::Document &jsonDoc, const std::string &key, T defaultValue)
+{
+    if (!jsonDoc.HasMember(key.data())) {
+        VIRTRUST_LOG_WARN("ParseJsonDocToConfig: Failed to find config key:{}, Set it to default value.", key);
+        return std::optional<T>(defaultValue);
+    }
+
+    const auto &value = jsonDoc[key.data()];
+    if constexpr (std::is_same_v<T, std::string>) {
+        return value.IsString() ? std::optional<T>(std::string(value.GetString())) : std::nullopt;
+    } else if constexpr (std::is_same_v<T, uint16_t>) {
+        return value.IsUint() ? std::optional<T>(value.GetUint()) : std::nullopt;
+    } else {
+        return std::nullopt;
+    }
+}
+
+LinkConfig ParseJsonDocToConfig(const rapidjson::Document &jsonDoc)
+{
+    auto configBuidler = LinkConfigBuilder();
+
+#define FIND_KEY(NAME, T, DEFAULT_VALUE)                          \
+    do {                                                          \
+        auto tmp = FindJsonKey<T>(jsonDoc, #NAME, DEFAULT_VALUE); \
+        if (tmp) {                                                \
+            configBuidler.NAME(tmp.value());                      \
+        }                                                         \
+    } while (0)
+
+    FIND_KEY(caPath, std::string, std::string(LIBVIRTRUSTD_SERVER_ADDR));
+    FIND_KEY(certPath, std::string, std::string(LIBVIRTRUSTD_CERT_PATH));
+    FIND_KEY(skPath, std::string, std::string(LIBVIRTRUSTD_SK_PATH));
+    FIND_KEY(ip, std::string, std::string(LIBVIRTRUSTD_SERVER_ADDR));
+    FIND_KEY(udsPath, std::string, std::string(LIBVIRTRUSTD_UDS_PATH));
+    FIND_KEY(port, uint16_t, LIBVIRTRUSTD_SERVER_PORT);
+
+#undef FIND_KEY
+    return configBuidler.Build();
+}
+
+} // namespace
+
+std::optional<LinkConfig> MakeLinkConfigFromJsonFile(const std::string &configPath)
+{
+    auto jsonDoc = ReadJsonFile(configPath);
+    if (!jsonDoc.has_value() || jsonDoc.value().IsNull()) {
+        return std::nullopt;
+    }
+    return ParseJsonDocToConfig(jsonDoc.value());
+}
+} // namespace virtrust
diff --git a/virtrust/src/libvirtrustd/utils.h b/virtrust/src/libvirtrustd/utils.h
new file mode 100644
index 0000000000000000000000000000000000000000..0d2641b6ef2ce8cf528803c5fb3ea1beda9de60d
--- /dev/null
+++ b/virtrust/src/libvirtrustd/utils.h
@@ -0,0 +1,13 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#pragma once
+
+#include <optional>
+
+#include "virtrust/link/defines.h"
+
+namespace virtrust {
+std::optional<LinkConfig> MakeLinkConfigFromJsonFile(const std::string &configPath);
+} // namespace virtrust
diff --git a/virtrust/src/tsb_agent/CMakeLists.txt b/virtrust/src/tsb_agent/CMakeLists.txt
new file mode 100644
index 0000000000000000000000000000000000000000..cb056024af3d4a071f758055f482b49eb87bd25f
--- /dev/null
+++ b/virtrust/src/tsb_agent/CMakeLists.txt
@@ -0,0 +1,17 @@
+# Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+# mock
+if(USE_MOCK_TSB_AGENT)
+  add_subdirectory(mock)
+else()
+  add_library(tsb-agent INTERFACE)
+  file(COPY /root/libinterfac.so DESTINATION ${CMAKE_DEPS_LIBDIR})
+  target_link_directories(tsb-agent INTERFACE ${CMAKE_DEPS_LIBDIR})
+  target_link_libraries(tsb-agent INTERFACE libinterfac.so)
+endif()
+
+# NOTE Make sure targets are linekd to tsb-agent
+target_link_libraries(virtrust-obj PRIVATE tsb-agent)
+target_link_libraries(virtrust-shared PRIVATE tsb-agent)
+target_link_libraries(virtrust-sh PRIVATE tsb-agent)
+target_link_libraries(libvirtrustd PRIVATE tsb-agent)
diff --git a/virtrust/src/tsb_agent/mock/CMakeLists.txt b/virtrust/src/tsb_agent/mock/CMakeLists.txt
new file mode 100644
index 0000000000000000000000000000000000000000..dd16b39e00135a8d6f22269afc4a08c22eb6a1a4
--- /dev/null
+++ b/virtrust/src/tsb_agent/mock/CMakeLists.txt
@@ -0,0 +1,43 @@
+# Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+
+# Note mock/tsb-agent is a sepatate static lib
+
+add_library(tsb-agent OBJECT ${CMAKE_CURRENT_LIST_DIR}/tsb_agent_impl.cpp
+                             ${CMAKE_CURRENT_LIST_DIR}/tsb_agent_adaptor.cpp)
+
+target_include_directories(
+  tsb-agent PRIVATE ${CMAKE_DEPS_INCLUDEDIR}
+                    $<BUILD_INTERFACE:${PROJECT_SOURCE_DIR}/src>)
+
+target_link_libraries(tsb-agent PRIVATE Deps::spdlog Deps::secure_c)
+
+# add mock tsb-agent test
+
+if(BUILD_TEST)
+  add_executable(tsb_agent_test tsb_agent_test.cpp)
+  target_link_libraries(tsb_agent_test PRIVATE tsb-agent Deps::gtest)
+  target_include_directories(
+    tsb_agent_test PRIVATE ${CMAKE_DEPS_INCLUDEDIR}
+                           $<BUILD_INTERFACE:${PROJECT_SOURCE_DIR}/src>)
+
+  add_test(NAME tsb_agent_test COMMAND tsb_agent_test)
+  set_tests_properties(
+    tsb_agent_test
+    PROPERTIES
+      ENVIRONMENT
+      "LD_LIBRARY_PATH=${CMAKE_LIBRARY_OUTPUT_DIRECTORY}:$ENV{LD_LIBRARY_PATH}")
+
+  add_executable(tsb_agent_impl_test tsb_agent_impl_test.cpp)
+  target_link_libraries(tsb_agent_impl_test PRIVATE tsb-agent Deps::gtest)
+  target_include_directories(
+    tsb_agent_impl_test PRIVATE ${CMAKE_DEPS_INCLUDEDIR}
+                                $<BUILD_INTERFACE:${PROJECT_SOURCE_DIR}/src>)
+
+  add_test(NAME tsb_agent_impl_test COMMAND tsb_agent_impl_test)
+  set_tests_properties(
+    tsb_agent_impl_test
+    PROPERTIES
+      ENVIRONMENT
+      "LD_LIBRARY_PATH=${CMAKE_LIBRARY_OUTPUT_DIRECTORY}:$ENV{LD_LIBRARY_PATH}")
+
+endif()
diff --git a/virtrust/src/tsb_agent/mock/tsb_agent_adaptor.cpp b/virtrust/src/tsb_agent/mock/tsb_agent_adaptor.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..f493746dce2b8533821ea052b09d46e30716ad97
--- /dev/null
+++ b/virtrust/src/tsb_agent/mock/tsb_agent_adaptor.cpp
@@ -0,0 +1,173 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#include "tsb_agent/mock/tsb_agent_impl.h"
+#include "tsb_agent/tsb_agent.h"
+
+using namespace virtrust::mock;
+
+namespace {
+int ParseTsbAgentRc(TsbAgentRc rc)
+{
+    switch (rc) {
+        case TsbAgentRc::OK:
+            return 0;
+        case TsbAgentRc::ERROR:
+            return -1;
+
+        default:
+            return -1;
+    }
+}
+} // namespace
+
+// NOTE ALL memories are allocated inside APIs by using "mallloc", remeber to
+// free the pointer after use.
+
+int GetVRoots(int *vtpcmNums, struct Description **vtpcmInfo)
+{
+    auto &tsbAgent = TsbAgentImpl::GetInstance();
+
+    auto instances = tsbAgent.GetVRoots(); // get virt roots from mock tsb agent
+    *vtpcmNums = static_cast<int>(instances.size());
+
+    // 分配内存
+    if (*vtpcmNums > 0) {
+        *vtpcmInfo = static_cast<Description *>(malloc(*vtpcmNums * sizeof(Description)));
+
+        // 将 instances 中的数据复制到 *vtpcmInfo中
+        for (int i = 0; i < *vtpcmNums; i++) {
+            (*vtpcmInfo)[i] = instances[i];
+        }
+    } else {
+        *vtpcmInfo = nullptr;
+    }
+
+    return 0; // success
+}
+
+int CreateVRoot(struct Description *vtpcmInfo)
+{
+    auto &tsbAgent = TsbAgentImpl::GetInstance();
+    return ParseTsbAgentRc(tsbAgent.CreateVRoot(vtpcmInfo->uuid, vtpcmInfo->name));
+}
+
+int StartVRoot(char *uuid)
+{
+    auto &tsbAgent = TsbAgentImpl::GetInstance();
+    return ParseTsbAgentRc(tsbAgent.StartVRoot(uuid));
+}
+
+int StopVRoot(char *uuid)
+{
+    auto &tsbAgent = TsbAgentImpl::GetInstance();
+    return ParseTsbAgentRc(tsbAgent.StopVRoot(uuid));
+}
+
+int RemoveVRoot(char *uuid)
+{
+    auto &tsbAgent = TsbAgentImpl::GetInstance();
+    return ParseTsbAgentRc(tsbAgent.RemoveVRoot(uuid));
+}
+
+int UpdateMeasure(char *uuid, struct MeasureInfo *bios, struct MeasureInfo *shim, struct MeasureInfo *grub,
+                  struct MeasureInfo *grubCfg, struct MeasureInfo *kernel, struct MeasureInfo *initrd)
+{
+    auto &tsbAgent = TsbAgentImpl::GetInstance();
+    return ParseTsbAgentRc(tsbAgent.UpdateMeasure(uuid, *bios, *shim, *grub, *grubCfg, *kernel, *initrd));
+}
+
+int CheckMeasure(char *uuid, struct MeasureInfo *bios, struct MeasureInfo *shim, struct MeasureInfo *grub,
+                 struct MeasureInfo *grubCfg, struct MeasureInfo *kernel, struct MeasureInfo *initrd)
+{
+    auto &tsbAgent = TsbAgentImpl::GetInstance();
+    return ParseTsbAgentRc(tsbAgent.CheckMeasure(uuid, *bios, *shim, *grub, *grubCfg, *kernel, *initrd));
+}
+
+/**
+ * 迁移接口
+ */
+
+int GetReport(char *pUuid,                         // 物理机的uuid
+              char *vUuid,                         // 虚拟机的uuid
+              struct trust_report_new *hostreport, // 输出：host report
+              struct trust_report_new *vmreport    // 输出：virtual machine report
+)
+{
+    auto &tsbAgent = TsbAgentImpl::GetInstance();
+    return ParseTsbAgentRc(tsbAgent.GetReport(pUuid, vUuid, hostreport, vmreport));
+}
+
+int VerifyTrustReport(char *pUuid,                         // 物理机的uuid
+                      char *vUuid,                         // 虚拟机的uuid
+                      struct trust_report_new *hostreport, // 输出：host report
+                      struct trust_report_new *vmreport    // 输出：virtual machine report
+)
+{
+    auto &tsbAgent = TsbAgentImpl::GetInstance();
+    return ParseTsbAgentRc(tsbAgent.VerifyReport(pUuid, vUuid, hostreport, vmreport));
+}
+
+int MigrationGetCert(char *vUuid,   // 虚拟机的uuid
+                     char **cert,   // 输出：对 pubkey 签名的证书（BMC可验证）
+                     int *certLen,  // 输出：证书长度
+                     char **pubkey, // 输出：临时生成的随机密钥对的公钥
+                     int *pubkeyLen // 输出：公钥长度
+)
+{
+    auto &tsbAgent = TsbAgentImpl::GetInstance();
+    std::vector<uint8_t> out_cert;
+    std::vector<uint8_t> out_pubkey;
+    auto rc = tsbAgent.MigrationGetCert(vUuid, out_cert, out_pubkey);
+
+    if (cert == nullptr || pubkey == nullptr || rc != TsbAgentRc::OK || *cert != nullptr || *pubkey != nullptr) {
+        return ParseTsbAgentRc(TsbAgentRc::ERROR);
+    }
+
+    *certLen = out_cert.size();
+    *cert = static_cast<char *>(malloc(*certLen));
+    memcpy(cert, out_cert.data(), out_cert.size());
+
+    *pubkeyLen = out_pubkey.size();
+    *pubkey = static_cast<char *>(malloc(out_pubkey.size()));
+    memcpy(pubkey, out_pubkey.data(), out_pubkey.size());
+
+    return ParseTsbAgentRc(rc);
+}
+
+int MigrationCheckPeerPk(char *vUuid, // 虚拟机的uuid
+                         char *pk1,   // peer cert 公钥 (REVIEW: 改成 cert?)
+                         char *pk2    // peer 临时生成的随机密钥对的公钥, a.k.a. pubkey
+)
+{
+    return 0;
+}
+
+int MigrationGetVrootCipher(char *vUuid,   // 虚拟机的uuid
+                            char **cipher, // 输出：加密后的密码资源
+                            int *cipherLen // 输出：密文长度
+)
+{
+    static const char a[] = "fakeCipher";
+    size_t len = strlen(a) + 1;
+    *cipher = (char *)malloc(len * sizeof(char));
+    if (*cipher == NULL) {
+        return -1;
+    }
+    strcpy(*cipher, a);
+    return 0;
+}
+
+int MigrationImportVrootCipher(char *vUuid, // 虚拟机的uuid
+                               char *cipher // 加密后的密码资源
+)
+{
+    return 0;
+}
+
+int MigrationNotify(char *vUuid, // 虚拟机的uuid
+                    int status)
+{
+    return 0;
+}
diff --git a/virtrust/src/tsb_agent/mock/tsb_agent_impl.cpp b/virtrust/src/tsb_agent/mock/tsb_agent_impl.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..6191d22f2d50aec904c68581edd368c6e4363863
--- /dev/null
+++ b/virtrust/src/tsb_agent/mock/tsb_agent_impl.cpp
@@ -0,0 +1,312 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#include "tsb_agent/mock/tsb_agent_impl.h"
+
+#include <algorithm>
+#include <fstream>
+#include <iostream>
+#include <sstream>
+#include <string_view>
+#include <vector>
+
+#include "spdlog/spdlog.h"
+
+namespace virtrust::mock {
+namespace {
+constexpr std::string_view TSB_AGENT_FILE_SEP = ",";
+constexpr uint32_t SM3_OUTPUT_BYTES = 32;
+constexpr std::string_view DEFAULT_VERSION = "v1.0";
+
+void StrSplit(std::string_view src, std::string_view sep, std::vector<std::string> &out)
+{
+    if (sep.empty() || src.empty()) {
+        return;
+    }
+    std::string::size_type pos1 = 0;
+    std::string::size_type pos2 = src.find(sep);
+
+    while (std::string::npos != pos2) {
+        out.emplace_back(src.substr(pos1, pos2 - pos1));
+        pos1 = pos2 + sep.size();
+        pos2 = src.find(sep, pos1);
+    }
+
+    if (pos1 != src.size()) {
+        out.emplace_back(src.substr(pos1));
+    }
+}
+
+template <size_t T> std::string ToStr(std::array<char, T> data)
+{
+    // HACK automatically convert char array to string depending on \0
+    // must ensure that the input char array has an ending poing
+    return data.data();
+}
+
+template <size_t T> std::array<char, T> FromStr(const std::string &in)
+{
+    if (in.size() + 1 > T) {
+        return {};
+    }
+    std::array<char, T> out;
+    // copy with extra '\0
+    memcpy_s(out.data(), out.size(), in.data(), in.size() + 1);
+    return out;
+}
+
+template <size_t T> std::string ToHexStr(std::array<char, T> data)
+{
+    std::stringstream sstream;
+    sstream << std::hex;
+    for (size_t i = 0; i < T; i++) {
+        sstream << static_cast<int>(data[i]);
+    }
+    return sstream.str();
+}
+
+template <size_t T> std::array<char, T> FromHexStr(const std::string &in)
+{
+    if (in.size() != T * 2) {
+        return {};
+    }
+
+    std::array<char, T> out;
+    for (size_t i = 0; i < T; i++) {
+        std::string byteString = in.substr(i * 2, 2);
+        auto byteValue = static_cast<uint8_t>(std::stoul(byteString, nullptr, 16));
+        out[i] = byteValue;
+    }
+    return out;
+}
+
+void SaveVRootsToFile(const std::string &file, const std::unordered_map<std::string, std::unique_ptr<VRoot>> &map)
+{
+    std::ofstream f(file);
+    if (f.is_open()) {
+        // encode line format
+        for (const auto &item : map) {
+            f << ToStr(item.second->GetData().uuid) << TSB_AGENT_FILE_SEP;                   // uuid
+            f << static_cast<uint32_t>(item.second->GetData().status) << TSB_AGENT_FILE_SEP; // status        }
+            f << ToStr(item.second->GetData().version) << TSB_AGENT_FILE_SEP;                // version
+            f << ToStr(item.second->GetData().name) << TSB_AGENT_FILE_SEP;                   // name
+            f << ToHexStr(item.second->GetData().bios) << TSB_AGENT_FILE_SEP;                // bios
+            f << ToHexStr(item.second->GetData().shim) << TSB_AGENT_FILE_SEP;                // shim
+            f << ToHexStr(item.second->GetData().grub) << TSB_AGENT_FILE_SEP;                // grub
+            f << ToHexStr(item.second->GetData().grubCfg) << TSB_AGENT_FILE_SEP;             // grubCfg
+            f << ToHexStr(item.second->GetData().kernel) << TSB_AGENT_FILE_SEP;              // kernel
+            f << ToHexStr(item.second->GetData().initrd) << TSB_AGENT_FILE_SEP;              // initrd
+            f << std::endl;
+        }
+        f.close();
+    }
+}
+
+std::unordered_map<std::string, std::unique_ptr<VRoot>> LoadVRootsFromFile(const std::string &file)
+{
+    // placeholder
+    std::unordered_map<std::string, std::unique_ptr<VRoot>> map;
+    std::ifstream f(file);
+    std::string line;
+    if (f.is_open()) {
+        while (getline(f, line)) {
+            // decode line format
+            std::vector<std::string> lineVec;
+            StrSplit(line, TSB_AGENT_FILE_SEP, lineVec);
+            // decode descriptions
+            VRootData data;
+            data.uuid = FromStr<VROOT_VM_UUID_MAX_LEN>(lineVec[0]);                // uuid
+            data.status = static_cast<VRootStatus>(std::atoi(lineVec[1].c_str())); // status
+            data.version = FromStr<VROOT_VERSION_LEN>(lineVec[2]);                 // version
+            data.name = FromStr<VROOT_VM_NAME_MAX_LEN>(lineVec[3]);                // name
+            data.bios = FromHexStr<VROOT_SM3_OUTPUT_BYTES>(lineVec[4]);            // bios
+            data.shim = FromHexStr<VROOT_SM3_OUTPUT_BYTES>(lineVec[5]);            // shim
+            data.grub = FromHexStr<VROOT_SM3_OUTPUT_BYTES>(lineVec[6]);            // grub
+            data.grubCfg = FromHexStr<VROOT_SM3_OUTPUT_BYTES>(lineVec[7]);         // grubCfg
+            data.kernel = FromHexStr<VROOT_SM3_OUTPUT_BYTES>(lineVec[8]);          // kernel
+            data.initrd = FromHexStr<VROOT_SM3_OUTPUT_BYTES>(lineVec[9]);          // initrd
+
+            // status are implicitly coverted to
+            map.emplace(lineVec[0] /*uuid*/, std::make_unique<VRoot>(data));
+        }
+        f.close();
+    }
+    return map;
+}
+} // namespace
+
+std::vector<Description> TsbAgentImpl::GetVRoots()
+{
+    vRootMap_ = LoadVRootsFromFile(storageFilePath_.c_str());
+    std::vector<Description> out;
+    out.reserve(vRootMap_.size());
+    for (const auto &vroot : vRootMap_) {
+        out.push_back(vroot.second->GetDescription());
+    }
+    return out;
+}
+
+TsbAgentRc TsbAgentImpl::CreateVRoot(const std::string &uuid, const std::string &name)
+{
+    vRootMap_ = LoadVRootsFromFile(storageFilePath_.c_str());
+    if (vRootMap_.find(uuid) != vRootMap_.end()) {
+        SPDLOG_ERROR("[MOCK-TSB-AGENT] uuid already exist");
+        return TsbAgentRc::ERROR;
+    }
+
+    if (std::find_if(vRootMap_.begin(), vRootMap_.end(), [name](const auto &root) {
+            return name == root.second->GetDescription().name;
+        }) != vRootMap_.end()) {
+        SPDLOG_ERROR("[MOCK-TSB-AGENT] uuid already exist");
+        return TsbAgentRc::ERROR;
+    }
+
+    VRootData desc;
+    if (memcpy_s(desc.uuid.data(), desc.uuid.size(), uuid.data(), uuid.size()) != EOK) {
+        SPDLOG_ERROR("[MOCK-TSB-AGENT] copy uuid failed");
+
+        return TsbAgentRc::ERROR;
+    }
+    desc.uuid[uuid.size()] = '\0';
+
+    if (memcpy_s(desc.name.data(), desc.name.size(), name.data(), name.size()) != EOK) {
+        SPDLOG_ERROR("[MOCK-TSB-AGENT] copy name failed");
+        return TsbAgentRc::ERROR;
+    }
+    desc.name[name.size()] = '\0';
+
+    if (memcpy_s(desc.version.data(), desc.version.size(), DEFAULT_VERSION.data(), DEFAULT_VERSION.size()) != EOK) {
+        SPDLOG_ERROR("[MOCK-TSB-AGENT] copy version failed");
+        return TsbAgentRc::ERROR;
+    }
+    desc.version[DEFAULT_VERSION.size()] = '\0';
+
+    vRootMap_.emplace(uuid, std::make_unique<VRoot>(desc));
+    SaveVRootsToFile(storageFilePath_.c_str(), vRootMap_);
+    return TsbAgentRc::OK;
+}
+
+TsbAgentRc TsbAgentImpl::StopVRoot(const std::string &uuid)
+{
+    vRootMap_ = LoadVRootsFromFile(storageFilePath_.c_str());
+    if (vRootMap_.find(uuid) == vRootMap_.end()) {
+        SPDLOG_ERROR("[MOCK-TSB-AGENT] Cannot find uuid: {}", uuid);
+        return TsbAgentRc::ERROR;
+    }
+    if (vRootMap_[uuid]->GetData().status != VRootStatus::RUNNING) {
+        SPDLOG_ERROR("[MOCK-TSB-AGENT] uuid:{} status not RUNNING", uuid);
+        return TsbAgentRc::ERROR;
+    }
+    vRootMap_[uuid]->GetDataRef().status = VRootStatus::OFF;
+    SaveVRootsToFile(storageFilePath_, vRootMap_);
+    return TsbAgentRc::OK;
+}
+
+TsbAgentRc TsbAgentImpl::StartVRoot(const std::string &uuid)
+{
+    vRootMap_ = LoadVRootsFromFile(storageFilePath_.c_str());
+    if (vRootMap_.find(uuid) == vRootMap_.end()) {
+        SPDLOG_ERROR("[MOCK-TSB-AGENT] Cannot find uuid: {}", uuid);
+
+        return TsbAgentRc::ERROR;
+    }
+    if (vRootMap_[uuid]->GetDataRef().status != VRootStatus::OFF) {
+        SPDLOG_ERROR("[MOCK-TSB-AGENT] uuid:{} status not OFF", uuid);
+
+        return TsbAgentRc::ERROR;
+    }
+    vRootMap_[uuid]->GetDataRef().status = VRootStatus::RUNNING;
+    SaveVRootsToFile(storageFilePath_, vRootMap_);
+    return TsbAgentRc::OK;
+}
+
+TsbAgentRc TsbAgentImpl::RemoveVRoot(const std::string &uuid)
+{
+    vRootMap_ = LoadVRootsFromFile(storageFilePath_.c_str());
+    if (vRootMap_.find(uuid) == vRootMap_.end()) {
+        SPDLOG_ERROR("[MOCK-TSB-AGENT] uuid:{} not found", uuid);
+        return TsbAgentRc::ERROR;
+    }
+    vRootMap_.erase(uuid);
+    SaveVRootsToFile(storageFilePath_, vRootMap_);
+    return TsbAgentRc::OK;
+}
+
+TsbAgentRc TsbAgentImpl::UpdateMeasure(const std::string &uuid, MeasureInfo bios, MeasureInfo shim, MeasureInfo grub,
+                                       MeasureInfo grubCfg, MeasureInfo kernel, MeasureInfo initrd)
+{
+    vRootMap_ = LoadVRootsFromFile(storageFilePath_.c_str());
+    if (vRootMap_.find(uuid) == vRootMap_.end()) {
+        SPDLOG_ERROR("[MOCK-TSB-AGENT] uuid:{} not found", uuid);
+        return TsbAgentRc::ERROR;
+    }
+    // REVIEW
+    SaveVRootsToFile(storageFilePath_, vRootMap_);
+    return TsbAgentRc::OK;
+}
+
+TsbAgentRc TsbAgentImpl::CheckMeasure(const std::string &uuid, MeasureInfo bios, MeasureInfo shim, MeasureInfo grub,
+                                      MeasureInfo grubCfg, MeasureInfo kernel, MeasureInfo initrd)
+{
+    vRootMap_ = LoadVRootsFromFile(storageFilePath_.c_str());
+    if (vRootMap_.find(uuid) == vRootMap_.end()) {
+        SPDLOG_ERROR("[MOCK-TSB-AGENT] uuid:{} not found", uuid);
+        return TsbAgentRc::ERROR;
+    }
+    // REVIEW
+    SaveVRootsToFile(storageFilePath_, vRootMap_);
+    return TsbAgentRc::OK;
+}
+
+// Almost always return true with empty report
+TsbAgentRc TsbAgentImpl::GetReport(const std::string &pUuid, const std::string &vUuid,
+                                   struct trust_report_new *hostreport, struct trust_report_new *vmreport)
+{
+    vRootMap_ = LoadVRootsFromFile(storageFilePath_.c_str());
+    if (vRootMap_.find(vUuid) == vRootMap_.end()) {
+        SPDLOG_ERROR("[MOCK-TSB-AGENT] vUuid:{} not found", vUuid);
+        return TsbAgentRc::ERROR;
+    }
+
+    if (hostreport == nullptr) {
+        hostreport = (trust_report_new *)malloc(sizeof(trust_report_new));
+        SPDLOG_WARN("[MOCK-TSB-AGENT] malloc host report of {} internally", pUuid);
+    }
+
+    if (vmreport == nullptr) {
+        vmreport = (trust_report_new *)malloc(sizeof(trust_report_new));
+        SPDLOG_WARN("[MOCK-TSB-AGENT] malloc vm report of {} internally", vUuid);
+    }
+
+    SaveVRootsToFile(storageFilePath_, vRootMap_);
+    return TsbAgentRc::OK;
+}
+
+// Almost always return true if report is not nullptr
+TsbAgentRc TsbAgentImpl::VerifyReport(const std::string &pUuid, const std::string &vUuid,
+                                      struct trust_report_new *hostreport, struct trust_report_new *vmreport)
+{
+    vRootMap_ = LoadVRootsFromFile(storageFilePath_.c_str());
+    if (vRootMap_.find(vUuid) == vRootMap_.end()) {
+        SPDLOG_ERROR("[MOCK-TSB-AGENT] vUuid:{} not found", vUuid);
+        return TsbAgentRc::ERROR;
+    }
+
+    if (hostreport == nullptr || vmreport == nullptr) {
+        SPDLOG_ERROR("[MOCK-TSB-AGENT] host report or vm report is nullptr!");
+        return TsbAgentRc::ERROR;
+    }
+
+    SaveVRootsToFile(storageFilePath_, vRootMap_);
+    return TsbAgentRc::OK;
+}
+
+// Almost always return true with empty report
+TsbAgentRc TsbAgentImpl::MigrationGetCert(const std::string &vUuid, std::vector<uint8_t> &cert,
+                                          std::vector<uint8_t> &pubkey)
+{
+    return TsbAgentRc::OK;
+}
+
+} // namespace virtrust::mock
diff --git a/virtrust/src/tsb_agent/mock/tsb_agent_impl.h b/virtrust/src/tsb_agent/mock/tsb_agent_impl.h
new file mode 100644
index 0000000000000000000000000000000000000000..f15340cc3a0ca7946c519ed64549dfeeb94095aa
--- /dev/null
+++ b/virtrust/src/tsb_agent/mock/tsb_agent_impl.h
@@ -0,0 +1,90 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#pragma once
+
+#include <filesystem>
+#include <memory>
+#include <string>
+#include <unordered_map>
+#include <vector>
+
+#include "tsb_agent/mock/v_root.h"
+#include "tsb_agent/tsb_agent.h"
+
+namespace virtrust::mock {
+constexpr std::string_view STORAGE_FILENAME = "mock-tsb-agent.save";
+
+enum class TsbAgentRc { OK, ERROR };
+
+class TsbAgentImpl {
+public:
+    // Destructor
+    ~TsbAgentImpl() = default;
+
+    TsbAgentImpl(const TsbAgentImpl &) = delete;
+
+    TsbAgentImpl &operator=(const TsbAgentImpl &) = delete;
+
+    // Get singleton isntance
+    static TsbAgentImpl &GetInstance()
+    {
+        static TsbAgentImpl instance;
+        return instance;
+    }
+
+    std::string GetPath()
+    {
+        return storageFilePath_.c_str();
+    }
+
+    // Clear all virtual roots (for testing)
+    void ClearAllVRoots();
+
+    // Lifetime management
+
+    std::vector<Description> GetVRoots();
+
+    TsbAgentRc CreateVRoot(const std::string &uuid, const std::string &name);
+
+    TsbAgentRc StartVRoot(const std::string &uuid);
+
+    TsbAgentRc StopVRoot(const std::string &uuid);
+
+    TsbAgentRc RemoveVRoot(const std::string &uuid);
+
+    // Update measure values
+    TsbAgentRc UpdateMeasure(const std::string &uuid, MeasureInfo bios, MeasureInfo shim, MeasureInfo grub,
+                             MeasureInfo grubCfg, MeasureInfo kernel, MeasureInfo initrd);
+
+    TsbAgentRc CheckMeasure(const std::string &uuid, MeasureInfo bios, MeasureInfo shim, MeasureInfo grub,
+                            MeasureInfo grubCfg, MeasureInfo kernel, MeasureInfo initrd);
+
+    // Migration
+
+    TsbAgentRc GetReport(const std::string &pUuid, const std::string &vUuid, struct trust_report_new *hostreport,
+                         struct trust_report_new *vmreport);
+
+    TsbAgentRc VerifyReport(const std::string &pUuid, const std::string &vUuid, struct trust_report_new *hostreport,
+                            struct trust_report_new *vmreport);
+
+    TsbAgentRc MigrationGetCert(const std::string &vUuid, std::vector<uint8_t> &cert, std::vector<uint8_t> &pubkey);
+
+    // TsbAgentRc MigrationGetVRootCipher(char *vUuid, char **cipher);
+
+    // TsbAgentRc MigrationImportVRootCipher(char *vUuid, char *cipher);
+
+    // TsbAgentRc MigrationNotify(char *vUuid, int status);
+
+private:
+    TsbAgentImpl() = default;
+    std::unordered_map<std::string, std::unique_ptr<VRoot>> vRootMap_;
+
+    // REVIEW migration data
+    std::vector<char> pk_;
+
+    // default to current location
+    std::filesystem::path storageFilePath_ = std::filesystem::current_path() / STORAGE_FILENAME;
+};
+} // namespace virtrust::mock
diff --git a/virtrust/src/tsb_agent/mock/tsb_agent_impl_test.cpp b/virtrust/src/tsb_agent/mock/tsb_agent_impl_test.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..97c57dda07cd44a70cb37fe6fe86d67761fc63de
--- /dev/null
+++ b/virtrust/src/tsb_agent/mock/tsb_agent_impl_test.cpp
@@ -0,0 +1,339 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+ */
+
+#include <gtest/gtest.h>
+
+#include <algorithm>
+#include <fstream>
+#include <sstream>
+#include <string>
+
+// Include the TSB agent header
+#include "tsb_agent/mock/tsb_agent_impl.h"
+
+namespace virtrust::mock {
+
+// Test fixture for TSB agent tests
+class TsbAgentTest : public ::testing::Test {
+protected:
+    std::string temp_file_path;
+
+    void SetUp() override
+    {
+        // Clear any existing test file
+        temp_file_path = TsbAgentImpl::GetInstance().GetPath();
+        std::ofstream(temp_file_path).close();
+    }
+
+    void TearDown() override
+    {
+        // Clean up the temporary file
+        std::remove(temp_file_path.c_str());
+    }
+
+    // Helper method to get the current number of virtual roots
+    static size_t GetRootCount()
+    {
+        auto &agent = TsbAgentImpl::GetInstance();
+        return agent.GetVRoots().size();
+    }
+
+    // Helper method to check if a virtual root exists
+    static bool VRootExists(const std::string &uuid)
+    {
+        auto &agent = TsbAgentImpl::GetInstance();
+        auto vroots = agent.GetVRoots();
+        return std::find_if(vroots.begin(), vroots.end(), [&uuid](const Description &desc) {
+                   return std::string(desc.uuid) == uuid;
+               }) != vroots.end();
+    }
+
+    // Helper method to check if a virtual root is running
+    static bool VRootIsRunning(const std::string &uuid)
+    {
+        auto &agent = TsbAgentImpl::GetInstance();
+        auto vroots = agent.GetVRoots();
+        auto it = std::find_if(vroots.begin(), vroots.end(),
+                               [&uuid](const Description &desc) { return std::string(desc.uuid) == uuid; });
+        if (it == vroots.end()) {
+            return false;
+        }
+        return it->state == static_cast<int>(VRootStatus::RUNNING);
+    }
+
+    // Helper method to create a virtual root and verify it was created
+    static bool CreateVRootAndVerify(const std::string &uuid)
+    {
+        auto &agent = TsbAgentImpl::GetInstance();
+        auto result = agent.CreateVRoot(uuid, "123");
+        EXPECT_EQ(result, TsbAgentRc::OK) << "Creating virtual root with UUID " << uuid << " should succeed";
+        EXPECT_TRUE(VRootExists(uuid)) << "Virtual root with UUID " << uuid << " should exist";
+        return result == TsbAgentRc::OK;
+    }
+
+    // Helper method to start a virtual root and verify it was started
+    static bool StartVRootAndVerify(const std::string &uuid)
+    {
+        auto &agent = TsbAgentImpl::GetInstance();
+        auto result = agent.StartVRoot(uuid);
+        EXPECT_EQ(result, TsbAgentRc::OK) << "Starting virtual root with UUID " << uuid << " should succeed";
+        EXPECT_TRUE(VRootIsRunning(uuid)) << "Virtual root with UUID " << uuid << " should be running";
+        return result == TsbAgentRc::OK;
+    }
+
+    // Helper method to destroy a virtual root and verify it was destroyed
+    static bool StopVRootAndVerify(const std::string &uuid)
+    {
+        auto &agent = TsbAgentImpl::GetInstance();
+        auto result = agent.StopVRoot(uuid);
+        EXPECT_EQ(result, TsbAgentRc::OK) << "Destroying virtual root with UUID " << uuid << " should succeed";
+        EXPECT_FALSE(VRootExists(uuid)) << "Virtual root with UUID " << uuid << " should not exist";
+        return result == TsbAgentRc::OK;
+    }
+
+    // Helper method to undefine a virtual root and verify it was undefined
+    static bool RemoveVRootAndVerify(const std::string &uuid)
+    {
+        auto &agent = TsbAgentImpl::GetInstance();
+        auto result = agent.RemoveVRoot(uuid);
+        EXPECT_EQ(result, TsbAgentRc::OK) << "Undefining virtual root with UUID " << uuid << " should succeed";
+        EXPECT_FALSE(VRootExists(uuid)) << "Virtual root with UUID " << uuid << " should not exist";
+        return result == TsbAgentRc::OK;
+    }
+};
+
+// Test case: Verify that the TSB agent instance is a singleton
+TEST_F(TsbAgentTest, SingletonInstance)
+{
+    auto &instance1 = TsbAgentImpl::GetInstance();
+    auto &instance2 = TsbAgentImpl::GetInstance();
+    EXPECT_EQ(&instance1, &instance2) << "TSB agent should be a singleton";
+}
+
+// Test case: Test creating a virtual root
+TEST_F(TsbAgentTest, CreateVRoot)
+{
+    auto &agent = TsbAgentImpl::GetInstance();
+
+    // Create a virtual root with a specific UUID
+    const std::string &uuid = "12345";
+    auto result = agent.CreateVRoot(uuid, "123");
+
+    EXPECT_EQ(result, TsbAgentRc::OK) << "Creating virtual root should succeed";
+
+    // Verify the virtual root was created
+    auto vroots = agent.GetVRoots();
+    EXPECT_EQ(vroots.size(), 1UL) << "Should have one virtual root";
+    EXPECT_EQ(vroots[0].uuid, uuid) << "Virtual root UUID should match";
+}
+
+// Test case: Test creating multiple virtual roots
+TEST_F(TsbAgentTest, CreateMultipleVRoots)
+{
+    auto &agent = TsbAgentImpl::GetInstance();
+
+    // Create multiple virtual roots
+    const std::string &uuid1 = "100";
+    const std::string &uuid2 = "200";
+    const std::string &uuid3 = "300";
+
+    EXPECT_EQ(agent.CreateVRoot(uuid1, "111"), TsbAgentRc::OK) << "Creating first virtual root should succeed";
+    EXPECT_EQ(agent.CreateVRoot(uuid2, "222"), TsbAgentRc::OK) << "Creating second virtual root should succeed";
+    EXPECT_EQ(agent.CreateVRoot(uuid3, "333"), TsbAgentRc::OK) << "Creating third virtual root should succeed";
+
+    // Verify all virtual roots was created
+    auto vroots = agent.GetVRoots();
+    EXPECT_EQ(vroots.size(), (size_t)3) << "Should have three virtual roots";
+
+    EXPECT_NE(std::find_if(vroots.begin(), vroots.end(),
+                           [&uuid1](const Description &desc) { return std::string(desc.uuid) == uuid1; }),
+              vroots.end())
+        << "Virtual root UUID 100 should exist";
+
+    EXPECT_NE(std::find_if(vroots.begin(), vroots.end(),
+                           [&uuid2](const Description &desc) { return std::string(desc.uuid) == uuid2; }),
+              vroots.end())
+        << "Virtual root UUID 200 should exist";
+
+    EXPECT_NE(std::find_if(vroots.begin(), vroots.end(),
+                           [&uuid3](const Description &desc) { return std::string(desc.uuid) == uuid3; }),
+              vroots.end())
+        << "Virtual root UUID 300 should exist";
+}
+
+// Test case: Test destroying a virtual root
+TEST_F(TsbAgentTest, DestroyVRoots)
+{
+    auto &agent = TsbAgentImpl::GetInstance();
+
+    // Create a virtual root with a specific UUID
+    const std::string &uuid = "12345";
+    EXPECT_EQ(agent.CreateVRoot(uuid, "123"), TsbAgentRc::OK) << "Creating virtual root should succeed";
+
+    // Verify it exists
+    auto vroots = agent.GetVRoots();
+    EXPECT_EQ(vroots.size(), 1UL) << "Should have one virtual root";
+
+    // Destroy (stop) the virtual root
+    EXPECT_EQ(agent.StopVRoot(uuid), TsbAgentRc::ERROR) << "Destroying non-started virtual root should fail";
+
+    // start the virtual root
+    EXPECT_EQ(agent.StartVRoot(uuid), TsbAgentRc::OK) << "Starting virtual root should succeed";
+
+    // Destroy (stop) the virtual root
+    EXPECT_EQ(agent.StopVRoot(uuid), TsbAgentRc::OK) << "Destroying virtual root should succeed";
+
+    // Verify it was destroyed
+    vroots = agent.GetVRoots();
+    EXPECT_EQ(vroots.size(), 1UL) << "Should have one virtual root";
+}
+
+// Test case: Test starting a virtual root
+TEST_F(TsbAgentTest, StartVRoots)
+{
+    auto &agent = TsbAgentImpl::GetInstance();
+
+    // Create a virtual root
+    const std::string &uuid = "12345";
+    EXPECT_EQ(agent.CreateVRoot(uuid, "123"), TsbAgentRc::OK) << "Creating virtual root should succeed";
+
+    // Verify it exists and is not running
+    auto vroots = agent.GetVRoots();
+    EXPECT_EQ(vroots.size(), 1UL) << "Should have one virtual root";
+
+    // start the virtual root
+    EXPECT_EQ(agent.StartVRoot(uuid), TsbAgentRc::OK) << "Starting virtual root should succeed";
+
+    // Verify the virtual root is now running
+    vroots = agent.GetVRoots();
+    EXPECT_EQ(vroots.size(), 1UL) << "Should have one virtual root";
+    EXPECT_EQ(vroots[0].state, (int)VRootStatus::RUNNING) << "Virtual root should be in RUNNING";
+}
+
+// // Test case: Test starting a virtual root
+// TEST_F(TsbAgentTest, StartVRoots)
+// {
+//     auto &agent = TsbAgentImpl::GetInstance();
+
+//     // Try to start a virtual root that doesn't exist
+//     const std::string &uuid = "99999";
+//     EXPECT_NE(agent.StartVRoot(uuid), TsbAgentRc::OK) << "Starting non-existent virtual root should fail";
+
+//     // Verify no virtual roots exist
+//     vroots = agent.GetVRoots();
+//     EXPECT_EQ(vroots.size(), 0) << "Should have no virtual roots";
+// }
+
+// Test case: Test undefining a virtual root
+TEST_F(TsbAgentTest, UndefineVRoot)
+{
+    auto &agent = TsbAgentImpl::GetInstance();
+
+    // Create a virtual root
+    const std::string &uuid = "12345";
+    EXPECT_EQ(agent.CreateVRoot(uuid, "123"), TsbAgentRc::OK) << "Creating virtual root should succeed";
+
+    // Verify it exists
+    auto vroots = agent.GetVRoots();
+    EXPECT_EQ(vroots.size(), 1UL) << "Should have one virtual root";
+
+    // Undefine the virtual root
+    EXPECT_EQ(agent.RemoveVRoot(uuid), TsbAgentRc::OK) << "Undefining virtual root should succeed";
+
+    // Verify it was undefined
+    vroots = agent.GetVRoots();
+    EXPECT_EQ(vroots.size(), (size_t)0) << "Should have no virtual roots";
+}
+
+// Test case: Test undefining a non-existent virtual root
+TEST_F(TsbAgentTest, UndefineNonExistentVRoot)
+{
+    auto &agent = TsbAgentImpl::GetInstance();
+
+    // Try to undefine a virtual root that doesn't exist
+    const std::string &uuid = "99999";
+    EXPECT_NE(agent.RemoveVRoot(uuid), TsbAgentRc::OK) << "Undefining non-existent virtual root should fail";
+
+    // Verify no virtual roots exist
+    auto vroots = agent.GetVRoots();
+    EXPECT_EQ(vroots.size(), (size_t)0) << "Should have no virtual roots";
+}
+
+// Test case: Test getting all virtual roots
+TEST_F(TsbAgentTest, GetVRoots)
+{
+    auto &agent = TsbAgentImpl::GetInstance();
+
+    // Create multiple virtual roots
+    const std::string &uuid1 = "100";
+    const std::string &uuid2 = "200";
+    const std::string &uuid3 = "300";
+
+    EXPECT_EQ(agent.CreateVRoot(uuid1, "111"), TsbAgentRc::OK) << "Creating first virtual root should succeed";
+    EXPECT_EQ(agent.CreateVRoot(uuid2, "222"), TsbAgentRc::OK) << "Creating second virtual root should succeed";
+    EXPECT_EQ(agent.CreateVRoot(uuid3, "333"), TsbAgentRc::OK) << "Creating third virtual root should succeed";
+
+    // Verify all virtual roots was created
+    auto vroots = agent.GetVRoots();
+
+    // Verify we have the correct number of virtual roots
+    EXPECT_EQ(vroots.size(), (size_t)3) << "Should have three virtual roots";
+
+    // Verify the UUIDs are correct
+    EXPECT_NE(std::find_if(vroots.begin(), vroots.end(),
+                           [&uuid1](const Description &desc) { return std::string(desc.uuid) == uuid1; }),
+              vroots.end())
+        << "Virtual root UUID 100 should exist";
+
+    EXPECT_NE(std::find_if(vroots.begin(), vroots.end(),
+                           [&uuid2](const Description &desc) { return std::string(desc.uuid) == uuid2; }),
+              vroots.end())
+        << "Virtual root UUID 200 should exist";
+
+    EXPECT_NE(std::find_if(vroots.begin(), vroots.end(),
+                           [&uuid3](const Description &desc) { return std::string(desc.uuid) == uuid3; }),
+              vroots.end())
+        << "Virtual root UUID 300 should exist";
+}
+
+// Test case: Test persistence across restarts
+TEST_F(TsbAgentTest, PersistenceAcrossRestarts)
+{
+    // First, create a virtual root and save it
+    auto &agent1 = TsbAgentImpl::GetInstance();
+
+    // Create a virtual root
+    const std::string &uuid = "12345";
+    EXPECT_EQ(agent1.CreateVRoot(uuid, "123"), TsbAgentRc::OK) << "Creating virtual root should succeed";
+
+    // Now create a new agent instance (simulating restart)
+    auto &agent2 = TsbAgentImpl::GetInstance();
+
+    // Verify the virtual root was loaded
+    auto vroots = agent2.GetVRoots();
+    EXPECT_EQ(vroots.size(), (size_t)1) << "Should have one virtual roots ahter restart";
+    EXPECT_EQ(vroots.begin()->uuid, uuid) << "Virtual root UUID should match";
+}
+
+// Test case: Test state file creation and format
+TEST_F(TsbAgentTest, StateFileFormat)
+{
+    auto &agent = TsbAgentImpl::GetInstance();
+
+    // Create a virtual root
+    const std::string &uuid = "12345";
+    EXPECT_EQ(agent.CreateVRoot(uuid, "123"), TsbAgentRc::OK) << "Creating virtual root should succeed";
+
+    // Read the state file
+    std::ifstream file(temp_file_path);
+    std::stringstream buffer;
+    buffer << file.rdbuf();
+    std::string content = buffer.str();
+
+    // Verify the content contains the expected format
+    EXPECT_NE(content.find(uuid), std::string::npos) << "State file should contain UUID";
+    EXPECT_NE(content.find(std::to_string(static_cast<int>(VRootStatus::OFF))), std::string::npos)
+        << "State file should contain OFF status";
+}
+} // namespace virtrust::mock
diff --git a/virtrust/src/tsb_agent/mock/tsb_agent_test.cpp b/virtrust/src/tsb_agent/mock/tsb_agent_test.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..57121debbc1aad149c66acd4a6cc4416dd423328
--- /dev/null
+++ b/virtrust/src/tsb_agent/mock/tsb_agent_test.cpp
@@ -0,0 +1,238 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+ */
+
+#include <gtest/gtest.h>
+
+#include <cstring>
+#include <memory>
+
+// Include the TSB agent interface header
+#include "securec.h"
+#include "tsb_agent/mock/tsb_agent_impl.h"
+
+namespace virtrust::mock {
+
+// Test fixture for TSB agent interface tests
+class TsbAgentItfTest : public ::testing::Test {
+protected:
+    // Helper method to verify that a function returns OK
+    static void VerifyOK(int result, const char *function_name)
+    {
+        EXPECT_EQ(result, 0) << "Function " << function_name << " should return OK";
+    }
+
+    // Helper method to verify that a function returns error
+    static void VerifyError(int result, const char *function_name)
+    {
+        EXPECT_NE(result, 0) << "Function " << function_name << " should return error";
+    }
+
+    // Helper method to verify that a function returns OK when it should
+    static void VerifyOK(int result, const char *function_name, const char *expected_msg)
+    {
+        EXPECT_EQ(result, 0) << "Function " << function_name << " should return OK: " << expected_msg;
+    }
+
+    // Helper method to verify that a function returns error when it should
+    static void VerifyError(int result, const char *function_name, const char *expected_msg)
+    {
+        EXPECT_NE(result, 0) << "Function " << function_name << " should return error: " << expected_msg;
+    }
+};
+
+// Test case: Test GetVRoots function
+TEST_F(TsbAgentItfTest, GetVRoots)
+{
+    int vtpcmNums = 0;
+    struct Description *vtpcmInfo = nullptr;
+
+    // Call GetVRoots
+    int result = GetVRoots(&vtpcmNums, &vtpcmInfo);
+
+    // Verify the function returns OK
+    VerifyOK(result, "GetVRoots");
+
+    // Verify the output parameters are set correctly
+    EXPECT_EQ(vtpcmNums, 0) << "Number of virtual roots should be 0";
+    EXPECT_EQ(vtpcmInfo, nullptr) << "Description pointer should be nullptr";
+
+    // Clean up
+    if (vtpcmInfo != nullptr) {
+        free(vtpcmInfo);
+    }
+}
+
+// Test case: Test CreateVRoots function
+TEST_F(TsbAgentItfTest, CreateVRoot)
+{
+    struct Description desc = {};
+    strcpy_sp(desc.name, 255, "test-vm");
+    strcpy_sp(desc.uuid, 255, "12345678-1234-5678-1234-567812345678");
+
+    // Call CreateVRoot
+    int result = CreateVRoot(&desc);
+
+    // Verify the function returns OK
+    VerifyOK(result, "CreateVRoot");
+
+    // Not Ok
+    strcpy_sp(desc.uuid, 255, "12345678-1234-5678-1234-567812345678");
+    result = CreateVRoot(&desc);
+    VerifyError(result, "CreateVRoot");
+}
+
+// Test case: Test StartVRoot function
+TEST_F(TsbAgentItfTest, StartVRoot)
+{
+    char uuid[37] = "12345678-1234-5678-1234-567812345678";
+
+    // Call StartVRoot
+    int result = StartVRoot(uuid);
+
+    // Verify the function returns OK
+    VerifyOK(result, "StartVRoot");
+}
+
+// Test case: Test StopVRoot function
+TEST_F(TsbAgentItfTest, StopVRoot)
+{
+    char uuid[37] = "12345678-1234-5678-1234-567812345678";
+
+    // Call StopVRoot
+    int result = StopVRoot(uuid);
+
+    // Verify the function returns OK
+    VerifyOK(result, "StopVRoot");
+}
+
+// Test case: Test RemoveVRoot function
+TEST_F(TsbAgentItfTest, RemoveVRoot)
+{
+    char uuid[37] = "12345678-1234-5678-1234-567812345678";
+
+    // Call RemoveVRoot
+    int result = RemoveVRoot(uuid);
+
+    // Verify the function returns OK
+    VerifyOK(result, "RemoveVRoot");
+}
+
+// Test case: Test UpdateMeasure function
+TEST_F(TsbAgentItfTest, DISABLED_UpdateMeasure)
+{
+    char uuid[37] = "12345678-1234-5678-1234-567812345678";
+
+    struct MeasureInfo bios = {};
+    struct MeasureInfo shim = {};
+    struct MeasureInfo grub = {};
+    struct MeasureInfo grubCfg = {};
+    struct MeasureInfo kernel = {};
+    struct MeasureInfo initrd = {};
+
+    // Call UpdateMeasure
+    int result = UpdateMeasure(uuid, &bios, &shim, &grub, &grubCfg, &kernel, &initrd);
+
+    // Verify the function returns OK
+    VerifyOK(result, "UpdateMeasure");
+}
+
+// Test case: Test CheckMeasure function
+TEST_F(TsbAgentItfTest, DISABLED_CheckMeasure)
+{
+    char uuid[37] = "12345678-1234-5678-1234-567812345678";
+
+    struct MeasureInfo bios = {};
+    struct MeasureInfo shim = {};
+    struct MeasureInfo grub = {};
+    struct MeasureInfo grubCfg = {};
+    struct MeasureInfo kernel = {};
+    struct MeasureInfo initrd = {};
+
+    // Call CheckMeasure
+    int result = CheckMeasure(uuid, &bios, &shim, &grub, &grubCfg, &kernel, &initrd);
+
+    // Verify the function returns OK
+    VerifyOK(result, "CheckMeasure");
+}
+
+// Test case: Test MigrationGetCert function
+TEST_F(TsbAgentItfTest, DISABLED_MigrationGetCert)
+{
+    // char pUuid[37] = "12345678-1234-5678-1234-567812345678";
+    // char vUuid[37] = "12345678-1234-5678-1234-567812345678";
+
+    // char cert[1024] = {};
+    // char pubkey[1024] = {};
+
+    // // Call MigrationGetCert
+    // int result = MigrationGetCert(pUuid, vUuid, cert, pubkey);
+
+    // // Verify the function returns OK
+    // VerifyOK(result, "MigrationGetCert");
+}
+
+// Test case: Test MigrationCheckPeerPk function
+// TEST_F(TsbAgentItfTest, DISABLED_MigrationCheckPeerPk)
+// {
+//     // char pUuid[37] = "12345678-1234-5678-1234-567812345678";
+//     char vUuid[37] = "12345678-1234-5678-1234-567812345678";
+
+//     char pk1[1024] = {};
+//     char pk2[1024] = {};
+
+//     // Call MigrationCheckPeerPk
+//     int result = MigrationCheckPeerPk(/* pUuid, */ vUuid, pk1, pk2);
+
+//     // Verify the function returns OK
+//     VerifyOK(result, "MigrationCheckPeerPk");
+// }
+
+// Test case: Test MigrationGetVRootCipher function
+// TEST_F(TsbAgentItfTest, DISABLED_MigrationGetVRootCipher)
+// {
+//     // char pUuid[37] = "12345678-1234-5678-1234-567812345678";
+//     char vUuid[37] = "12345678-1234-5678-1234-567812345678";
+
+//     char *cipher = nullptr;
+
+//     // Call MigrationGetVRootCipher
+//     int result = MigrationGetVRootCipher(/* pUuid, */ vUuid, &cipher);
+
+//     // Verify the function returns OK
+//     VerifyOK(result, "MigrationGetVRootCipher");
+
+//     // Clean up
+//     if (cipher != nullptr) {
+//         free(cipher);
+//     }
+// }
+
+// // Test case: Test MigrationImportVRootCipher function
+// TEST_F(TsbAgentItfTest, DISABLED_MigrationImportVRootCipher)
+// {
+//     // char pUuid[37] = "12345678-1234-5678-1234-567812345678";
+//     char vUuid[37] = "12345678-1234-5678-1234-567812345678";
+
+//     char cipher[1024] = "test-cipher-data";
+
+//     // Call MigrationImportVRootCipher
+//     int result = MigrationImportVRootCipher(/* pUuid, */ vUuid, cipher);
+
+//     // Verify the function returns OK
+//     VerifyOK(result, "MigrationImportVRootCipher");
+// }
+
+// // Test case: Test MigrationNotify function
+// TEST_F(TsbAgentItfTest, DISABLED_MigrationNotify)
+// {
+//     // char pUuid[37] = "12345678-1234-5678-1234-567812345678";
+//     char vUuid[37] = "12345678-1234-5678-1234-567812345678";
+
+//     // Call MigrationNotify
+//     int result = MigrationNotify(/* pUuid, */ vUuid, 1);
+
+//     // Verify the function returns OK
+//     VerifyOK(result, "MigrationNotify");
+// }
+} // namespace virtrust::mock
diff --git a/virtrust/src/tsb_agent/mock/v_root.h b/virtrust/src/tsb_agent/mock/v_root.h
new file mode 100644
index 0000000000000000000000000000000000000000..e7e82e27f1d1661b4d259e06980696d97a36c35f
--- /dev/null
+++ b/virtrust/src/tsb_agent/mock/v_root.h
@@ -0,0 +1,75 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#pragma once
+
+#include <securec.h>
+
+#include <array>
+#include <cstdint>
+
+#include "tsb_agent/tsb_agent.h"
+
+namespace virtrust::mock {
+
+constexpr uint32_t VROOT_VM_NAME_MAX_LEN = 256; // with extra \0
+constexpr uint32_t VROOT_VM_UUID_MAX_LEN = 37;  // with extra \0
+constexpr uint32_t VROOT_SM3_OUTPUT_BYTES = 32;
+constexpr uint32_t VROOT_VERSION_LEN = 64;
+
+// the status of virtual root
+enum class VRootStatus : uint32_t {
+    OFF,
+    RUNNING,
+};
+
+// the virtual root internal status
+struct VRootData {
+    std::array<char, VROOT_VM_UUID_MAX_LEN> uuid = {};     // uuid (string)
+    VRootStatus status = VRootStatus::OFF;                 // status (string)
+    std::array<char, VROOT_VERSION_LEN> version = {};      // version (string)
+    std::array<char, VROOT_VM_NAME_MAX_LEN> name = {};     // name (string)
+    std::array<char, VROOT_SM3_OUTPUT_BYTES> bios = {};    // sm3 (bytes)
+    std::array<char, VROOT_SM3_OUTPUT_BYTES> shim = {};    // sm3 (bytes)
+    std::array<char, VROOT_SM3_OUTPUT_BYTES> grub = {};    // sm3 (bytes)
+    std::array<char, VROOT_SM3_OUTPUT_BYTES> grubCfg = {}; // sm3 (bytes)
+    std::array<char, VROOT_SM3_OUTPUT_BYTES> kernel = {};  // sm3 (bytes)
+    std::array<char, VROOT_SM3_OUTPUT_BYTES> initrd = {};  // sm3 (bytes)
+};
+
+// Virtual Root
+class VRoot {
+public:
+    // Constructor and Destructor
+    VRoot() = default;
+    ~VRoot() = default;
+
+    explicit VRoot(VRootData data) : data_(data)
+    {}
+
+    VRootData GetData() const
+    {
+        return data_;
+    }
+
+    VRootData &GetDataRef()
+    {
+        return data_;
+    }
+
+    Description GetDescription()
+    {
+        Description out;
+        out.state = static_cast<int>(data_.status);
+        memcpy_s(out.name, VROOT_VM_NAME_MAX_LEN, data_.name.data(), data_.name.size());
+        memcpy_s(out.uuid, VROOT_VM_UUID_MAX_LEN, data_.uuid.data(), data_.uuid.size());
+        return out;
+    }
+
+private:
+    // NOTE Since this is a mock, no need for encapsulation
+    VRootData data_;
+};
+
+} // namespace virtrust::mock
diff --git a/virtrust/src/tsb_agent/tsb_agent.h b/virtrust/src/tsb_agent/tsb_agent.h
new file mode 100644
index 0000000000000000000000000000000000000000..30becff5729d405796285ed49b6e9dd9eaec0dcc
--- /dev/null
+++ b/virtrust/src/tsb_agent/tsb_agent.h
@@ -0,0 +1,195 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#pragma once
+
+#include <cstdint>
+
+#define MAX_TPCM_ID_SIZE 32
+#define MAX_HOST_ID_SIZE 32
+#define DEFAULT_HASH_SIZE 32
+#define DEFAULT_PCR_SIZE 32
+#define UUID_SIZE 32
+#define VERSION_SIZE 64
+#define MAX_BOOT_EXTERN_SIZE 255
+#define MAX_BOOT_HASH_VERSION_NUMBER 8
+
+#define MAX_NAME_SIZE 255
+#define MAX_LINE_SIZE 512
+#define MAX_PATH_LENGTH 4096
+#define MAX_TRUST_REPORT_APPENDDATA (50 * 1024)
+
+#define VTPCMINFO_CONF "/usr/local/vtpcminfo_conf"
+#define TEMP_FILE_SUFFIX ".tmpXXXXXXX"
+
+enum {
+    BOOT_REFERENCE_FLAG_ENABLE = 0,
+    BOOT_REFERENCE_FLAG_CONTROLm,
+};
+
+enum {
+    POLICY_ACTION_SET,
+    POLICY_ACTION_ADD,
+    POLICY_ACTION_DELETE,
+    POLICY_ACTION_MODIFY,
+};
+
+enum ErrorCode {
+    SUCCESS = 0,
+    ERR_INVALID_INPUT = 0,
+    ERR_MEMORY_ALLOCA = 0,
+    ERR_INVALID_FORMAT = 0,
+    ERR_INVALID_UUID = 0,
+    ERR_FILE_LOCK = 0,
+    ERR_READ_FILE = 0,
+    ERR_WRITE_FILE = 0,
+    ERR_OPEN_FILE = 0,
+    ERR_DUPLICATE_UUID = 0,
+    ERR_PUBKEY_MISMATCH = 0,
+    ERR_CERT_MISMATCH = 0,
+};
+
+struct Description {
+    int state = 0;  // 启动，挂起等状态
+    char name[255]; // 名称，创建时有hw设置
+    char uuid[37];  // 虚拟机的uuid
+};
+
+struct MeasureInfo {
+    char name[255];   // 度量阶段名称(例如 bios, grub...)
+    char uuid[37];    // 虚拟机的uuid
+    char version[64]; // 度量阶段的版本号: 1.1.0
+    int result;       // 度量结果
+    int size;         // content的长度
+    char content[0];  // 如果size是32,content是哈希, 如果size不等于32,
+                      // content是度量对象的原文数据
+};
+
+struct global_control_policy {
+    uint32_t be_size;
+    uint32_t be_boot_measure_on;
+    uint32_t be_program_measure_on;
+    uint32_t be_dynamic_measure_on;
+    uint32_t be_boot_control;
+    uint32_t be_program_control;
+    uint32_t be_tsb_flag1;
+    uint32_t be_tsb_flag2;
+    uint32_t be_tsb_flag3;
+    uint32_t be_program_measure_mode;
+    uint32_t be_program_use_cache;
+    uint32_t be_dmeasure_use_cache;
+    uint32_t be_dmeasure_max_busy_delay;
+    uint32_t be_process_dmeasure_ref_mode;
+    uint32_t be_process_dmeasure_match_mode;
+    uint32_t be_process_measure_match_mode;
+    uint32_t be_process_dmeasure_lib_mode;
+    uint32_t be_process_verify_lib_mode;
+    uint32_t be_process_dmeasure_sub_process_mode;
+    uint32_t be_process_dmeasure_old_process_mode;
+    uint32_t be_process_dmeasure_interval;
+};
+
+struct trust_report_content_new {
+    // uint32_t be_length;
+    // uint32_t be_signature_length;
+    uint64_t be_host_report_time;
+    uint64_t be_host_startup_time;
+    unsigned char host_id[MAX_HOST_ID_SIZE];
+    unsigned char tpcm_id[MAX_TPCM_ID_SIZE];
+    struct global_control_policy global_control_policy;
+    uint32_t be_eval;
+    uint32_t be_host_ip;
+    uint32_t be_illegal_program_load;
+    uint32_t be_illegal_lib_load;
+    uint32_t be_illegal_kernel_module_load;
+    uint32_t be_illegal_file_access;
+    uint32_t be_illegal_device_access;
+    uint32_t be_illegal_network_inreq;
+    uint32_t be_illegal_network_outreq;
+    uint32_t be_process_code_measure_fail;
+    uint32_t be_process_data_measure_fail;
+    uint32_t be_notify_fail;
+    uint32_t be_boot_measure_result;
+    uint32_t be_boot_times;
+    uint32_t be_tpcm_time;
+    uint32_t be_tpcm_report_time;
+    uint32_t be_log_number;
+    unsigned char log_hash[DEFAULT_HASH_SIZE];
+    unsigned char bios_pcr[DEFAULT_PCR_SIZE];
+    unsigned char boot_loader_pcr[DEFAULT_PCR_SIZE];
+    unsigned char kernel_pcr[DEFAULT_PCR_SIZE];
+    unsigned char tsb_pcr[DEFAULT_PCR_SIZE];
+    unsigned char boot_pcr[DEFAULT_PCR_SIZE];
+    uint64_t be_nonce;
+};
+
+struct trust_report_new {
+    struct trust_report_content_new content;
+    uint8_t append_data[MAX_TRUST_REPORT_APPENDDATA];
+};
+
+// NOTE All memories are allocated by using "malloc", remeber to free them after
+// use.
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+int GetVRoots(int *vtpcmNums, struct Description **vtpcmInfo);
+
+int CreateVRoot(struct Description *vtpcmInfo);
+
+int StartVRoot(char *uuid);
+
+int StopVRoot(char *uuid);
+
+int RemoveVRoot(char *uuid);
+
+int UpdateMeasure(char *uuid, struct MeasureInfo *bios, struct MeasureInfo *shim, struct MeasureInfo *grub,
+                  struct MeasureInfo *grubCfg, struct MeasureInfo *kernel, struct MeasureInfo *initrd);
+
+int CheckMeasure(char *uuid, struct MeasureInfo *bios, struct MeasureInfo *shim, struct MeasureInfo *grub,
+                 struct MeasureInfo *grubCfg, struct MeasureInfo *kernel, struct MeasureInfo *initrd);
+
+/**
+ * 迁移接口
+ */
+int GetReport(char *pUuid,                         // 物理机的uuid
+              char *vUuid,                         // 虚拟机的uuid
+              struct trust_report_new *hostreport, // 输出：host report
+              struct trust_report_new *vmreport    // 输出：virtual machine report
+);
+
+int VerifyTrustReport(char *pUuid,                         // 物理机的uuid
+                      char *vUuid,                         // 虚拟机的uuid
+                      struct trust_report_new *hostreport, // host report
+                      struct trust_report_new *vmreport    // virtual machine report
+);
+
+int MigrationGetCert(char *vUuid,   // 虚拟机的uuid
+                     char **cert,   // 输出：对 pubkey 签名的证书（BMC可验证）
+                     int *certLen,  // 输出：证书长度
+                     char **pubkey, // 输出：临时生成的随机密钥对的公钥
+                     int *pubkeyLen // 输出：公钥长度
+);
+
+int MigrationCheckPeerPk(char *vUuid, // 虚拟机的uuid
+                         char *cert,  // peer cert 公钥 (REVIEW: 改成 cert?)
+                         char *pk2    // peer 临时生成的随机密钥对的公钥, a.k.a. pubkey
+);
+
+int MigrationGetVrootCipher(char *vUuid,   // 虚拟机的uuid
+                            char **cipher, // 输出：加密后的密码资源
+                            int *cipherLen // 输出：密文长度
+);
+
+int MigrationImportVrootCipher(char *vUuid, // 虚拟机的uuid
+                               char *cipher // 加密后的密码资源
+);
+
+int MigrationNotify(char *vUuid, // 虚拟机的uuid
+                    int status);
+
+#ifdef __cplusplus
+}
+#endif
diff --git a/virtrust/src/virtrust-sh/CMakeLists.txt b/virtrust/src/virtrust-sh/CMakeLists.txt
new file mode 100644
index 0000000000000000000000000000000000000000..6e69396d2d7961b68385cc2d100f214717d7330b
--- /dev/null
+++ b/virtrust/src/virtrust-sh/CMakeLists.txt
@@ -0,0 +1,30 @@
+# Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+add_library(virtrust-sh-obj OBJECT)
+
+set(VIRTRUST_SH_SOURCE_FILES "")
+
+add_subdirectory(operator)
+
+target_sources(virtrust-sh-obj PRIVATE ${VIRTRUST_SH_SOURCE_FILES})
+
+target_include_directories(
+  virtrust-sh-obj PRIVATE $<BUILD_INTERFACE:${PROJECT_SOURCE_DIR}/src>
+                          ${CMAKE_DEPS_INCLUDEDIR})
+
+target_link_libraries(virtrust-sh-obj PRIVATE virtrust-shared)
+
+# ----------------
+# Final Executable
+# ----------------
+
+add_executable(virtrust-sh ${CMAKE_CURRENT_LIST_DIR}/main.cpp)
+
+target_include_directories(
+  virtrust-sh PRIVATE $<BUILD_INTERFACE:${PROJECT_SOURCE_DIR}/src>
+                      ${CMAKE_DEPS_INCLUDEDIR})
+
+target_link_libraries(virtrust-sh PRIVATE virtrust-sh-obj virtrust-shared)
+
+install(TARGETS virtrust-sh RUNTIME DESTINATION bin PERMISSIONS OWNER_READ
+                                                                OWNER_EXECUTE)
diff --git a/virtrust/src/virtrust-sh/defines.h b/virtrust/src/virtrust-sh/defines.h
new file mode 100644
index 0000000000000000000000000000000000000000..b2351e1fadd2796e89b4ed15f3688293238afdf6
--- /dev/null
+++ b/virtrust/src/virtrust-sh/defines.h
@@ -0,0 +1,12 @@
+// Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+#pragma once
+
+#include <string_view>
+
+namespace virtrust {
+constexpr std::string_view VIRTRUST_SH_VERSION = "1.0.0";
+constexpr std::string_view VIRTRUST_SH_VIRT_INSTALL_PATH = "/usr/bin/virt-install";
+constexpr std::string_view VIRTRUST_SH_LOGFILE_NAME = "virtrust.log";
+constexpr int VIRTRUST_SH_CMD_STR_MAX_LEN = 1024;
+} // namespace virtrust
diff --git a/virtrust/src/virtrust-sh/main.cpp b/virtrust/src/virtrust-sh/main.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..ad9d151046b77629d718b923da772d7815bf8d3f
--- /dev/null
+++ b/virtrust/src/virtrust-sh/main.cpp
@@ -0,0 +1,164 @@
+// Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+#include <getopt.h>
+#include <unistd.h>
+
+#include <array>
+#include <cstring>
+#include <filesystem>
+#include <string>
+#include <string_view>
+
+#include "spdlog/fmt/fmt.h"
+
+#include "virtrust-sh/defines.h"
+#include "virtrust-sh/operator/op_itf.h"
+#include "virtrust/base/custom_logger.h"
+#include "virtrust/base/logger.h"
+
+namespace {
+
+std::string GetLogPath()
+{
+    return std::filesystem::current_path() / virtrust::VIRTRUST_SH_LOGFILE_NAME;
+}
+
+void PrintVersion(std::string_view progname)
+{
+    fmt::print("{} version: {}\n", progname, virtrust::VIRTRUST_SH_VERSION);
+}
+
+void PrintUsage(std::string_view progname)
+{
+    fmt::print("\n"
+               "  USAGE:\n"
+               "    {} [options]... [<command_string>]\n"
+               "    {} [options]... <command> [args...]\n"
+               "\n"
+               "  OPTIONS:\n"
+               "    -c | --connect=URI             hypervisor connection URI, "
+               "default to {}\n"
+               "    -d | --debug                   run in debug mode\n"
+               "    -h | --help                    print this help\n"
+               "    -v | --version                 show verion\n"
+               "\n"
+               "  COMMANDS:\n"
+               "    create                         create virtual machine instance\n"
+               "    destroy                        destroy (stop) a domain\n"
+               "    list                           list domain information\n"
+               "    migrate                        migrate domain to another host\n"
+               "    start                          start a (previously define) inactive "
+               "domain\n"
+               "    undefine                       undefine a domain\n"
+               "\n",
+               progname, progname, virtrust::VIRTRUST_DEFAULT_URI);
+}
+
+int ProcessOp(int argc, char **argv, const virtrust::OpConfig &config)
+{
+    auto op = virtrust::MakeOperator(virtrust::OpTyFromStr(argv[optind]));
+    if (op == nullptr) {
+        fmt::print(":\nInvalid command: {}\n", argv[optind]);
+        PrintUsage(argv[0]);
+        return 1;
+    }
+
+    // Setup config
+    op->SetConfig(config);
+
+    // Parse subcommand
+    auto rc = op->ParseArgv(argc - optind, &argv[optind]);
+    if (rc != virtrust::OpRc::OK) {
+        return 1;
+    }
+
+    // Execute subcommand, if enabled
+    if (op->GetConfig().enableExec) {
+        rc = op->Exec();
+        if (rc != virtrust::OpRc::OK) {
+            fmt::print("\nCommand execution failed.\nSee log at: {}\n", GetLogPath());
+            return 1;
+        }
+    }
+    fmt::print("\nCommand execution succeed.\nSee log at: {}\n", GetLogPath());
+    return 0;
+}
+
+int ProcessArgs(int argc, char **argv)
+{
+    int arg = -1;
+    int longindex = -1;
+    std::vector<option> opt = {{"connect", required_argument, nullptr, 'c'},
+                               {"debug", no_argument, nullptr, 'd'},
+                               {"help", no_argument, nullptr, 'h'},
+                               {"version", no_argument, nullptr, 'v'},
+                               {nullptr, 0, nullptr, 0}};
+
+    virtrust::OpConfig op_config = {}; // default init
+
+    // The leading + means no re-ordering, see man page of getopt_long
+    while ((arg = getopt_long(argc, argv, "+c:dhv", opt.data(), &longindex)) != -1) {
+        switch (arg) {
+            case 'c':
+                op_config.uri = optarg;
+                break;
+            case 'd':
+                virtrust::Logger::Instance()->SetDisplayLogLevel(virtrust::LogLevel::DEBUG);
+                break;
+            case 'v':
+                PrintVersion(argv[0]);
+                optind = argc; // stop parsing
+                return 0;      // success
+            case 'h':
+                PrintUsage(argv[0]);
+                optind = argc; // stop parsing
+                return 0;      // success
+            case '?':
+                PrintUsage(argv[0]);
+                optind = argc; // stop parsing
+                return 1;      // fail
+            default:
+                PrintUsage(argv[0]);
+                return 1; // fail
+        }
+    }
+
+    if (argc == optind) {
+        PrintUsage(argv[0]);
+        return 1; // fail
+    } else {
+        return ProcessOp(argc, argv, op_config);
+    }
+}
+
+} // namespace
+
+int main(int argc, char *argv[])
+{
+    // Check input parameters
+    if (argv[0] == nullptr || strlen(argv[0]) > PATH_MAX) {
+        fmt::print("Invalid program name length, exit with failure\n");
+        return 1;
+    }
+
+    // Init log file for virtrust
+    auto ret = virtrust::Logger::Instance()->InitLog(static_cast<int>(virtrust::LogLevel::INFO), GetLogPath().data());
+    if (ret != virtrust::VirtrustRc::OK) {
+        fmt::print("\nInit log failed!\n");
+        return 1;
+    }
+
+    // Let libvirt print its err to virtrust
+    virtrust::Libvirt::GetInstance().SetErrorFunction([]([[maybe_unused]] void *userData, virtrust::virErrorPtr error) {
+        auto logLevel = virtrust::virErrorLevelToLogLevel(error->level);
+        // domain: see
+        // https://libvirt.org/html/libvirt-virterror.html#virErrorDomain
+        // code: see
+        // https://libvirt.org/html/libvirt-virterror.html#virErrorNumber
+        auto logMsg = fmt::format("[LIBVIRT domain: {}, code: {}] {}", error->domain, error->code, error->message);
+        virtrust::Logger::Instance()->Log(logLevel, logMsg);
+    });
+
+    // Run virtrust based on args
+    return ProcessArgs(argc, argv);
+}
diff --git a/virtrust/src/virtrust-sh/operator/CMakeLists.txt b/virtrust/src/virtrust-sh/operator/CMakeLists.txt
new file mode 100644
index 0000000000000000000000000000000000000000..1942f45ad736ffe2cb2ca2763ad8a44dd4a47636
--- /dev/null
+++ b/virtrust/src/virtrust-sh/operator/CMakeLists.txt
@@ -0,0 +1,22 @@
+# Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+set(VIRTRUST_SH_SOURCE_FILES
+    ${VIRTRUST_SH_SOURCE_FILES}
+    ${CMAKE_CURRENT_LIST_DIR}/op_itf.cpp
+    ${CMAKE_CURRENT_LIST_DIR}/op_create.cpp
+    ${CMAKE_CURRENT_LIST_DIR}/op_start.cpp
+    ${CMAKE_CURRENT_LIST_DIR}/op_migrate.cpp
+    ${CMAKE_CURRENT_LIST_DIR}/op_destroy.cpp
+    ${CMAKE_CURRENT_LIST_DIR}/op_list.cpp
+    ${CMAKE_CURRENT_LIST_DIR}/op_undefine.cpp)
+
+add_virtrust_sh_test_if(op_create_test ${BUILD_TEST})
+add_virtrust_sh_test_if(op_start_test ${BUILD_TEST})
+add_virtrust_sh_test_if(op_migrate_test ${BUILD_TEST})
+add_virtrust_sh_test_if(op_destroy_test ${BUILD_TEST})
+add_virtrust_sh_test_if(op_list_test ${BUILD_TEST})
+add_virtrust_sh_test_if(op_undefine_test ${BUILD_TEST})
+
+set(VIRTRUST_SH_SOURCE_FILES
+    ${VIRTRUST_SH_SOURCE_FILES}
+    PARENT_SCOPE)
diff --git a/virtrust/src/virtrust-sh/operator/op_create.cpp b/virtrust/src/virtrust-sh/operator/op_create.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..6c1e68764694c8bde1958c0df6e51b46db70a753
--- /dev/null
+++ b/virtrust/src/virtrust-sh/operator/op_create.cpp
@@ -0,0 +1,101 @@
+// Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+#include "virtrust-sh/operator/op_create.h"
+
+#include <getopt.h>
+
+#include <string>
+#include <vector>
+
+#include "virtrust-sh/operator/op_itf.h"
+#include "virtrust-sh/operator/op_utils.h"
+#include "virtrust/api/domain.h"
+
+namespace virtrust {
+
+OpRc OpCreate::Exec()
+{
+    // make connection
+    conn_.reset();
+    conn_ = std::make_unique<ConnCtx>();
+    if (!conn_->SetUri(config_.uri)) {
+        VIRTRUST_LOG_ERROR("Failed to set uri: {}", config_.uri);
+        return OpRc::ERROR;
+    }
+    conn_->Connect();
+    if (conn_->Get() == nullptr) {
+        VIRTRUST_LOG_ERROR("Failed to establish connection to: {}", config_.uri);
+        return OpRc::ERROR;
+    }
+    return ParseVirtrustRc(DomainCreate(conn_, virtInstallArgs_));
+}
+
+// Parse the args from command line
+OpRc OpCreate::ParseArgv(int argc, char **argv)
+{
+    int arg = -1;
+    int longindex = -1;
+    optind = 1; // reset
+    bool hasNameArg = false;
+
+    std::vector<option> opt = {{"help", no_argument, nullptr, 'h'},
+                               {"name", required_argument, nullptr, 'n'},
+                               {"allow-store-measurements", no_argument, nullptr, 1},
+                               {nullptr, 0, nullptr, 0}};
+
+    opterr = 0;
+    // The leading + means no re-ordering, see man page of getopt_long
+    while ((arg = getopt_long(argc, argv, "+c:dhv", opt.data(), &longindex)) != -1) {
+        switch (arg) {
+            case 'h':
+                config_.enableExec = false;
+                PrintUsage();
+                optind = 1;
+                return OpRc::OK;
+            case 'n':
+                hasNameArg = true;
+                break;
+            default:
+                continue; // do nothing;
+        }
+    }
+
+    opterr = 1;
+    if (!hasNameArg) {
+        fmt::print("\n--name/-n not set.\n");
+        return OpRc::ERROR;
+    }
+
+    virtInstallArgs_.clear();
+
+    // all args should be parse to virt-install, so nothing need to be done here
+    virtInstallArgs_.emplace_back(VIRTRUST_SH_VIRT_INSTALL_PATH);
+    for (auto i = 1; i < argc; ++i) {
+        virtInstallArgs_.emplace_back(argv[i]);
+    }
+    return OpRc::OK;
+}
+
+// Print the usage of this operator
+void OpCreate::PrintUsage()
+{
+    fmt::print("\n"
+               "  NAME:\n"
+               "    create - create a new virtual machine\n"
+               "\n"
+               "  SYNOPSIS:\n"
+               "    create [options] <args>\n"
+               "\n"
+               "  OPTIONS:\n"
+               "    -h | --help                    this help\n"
+               "    --allow-store-measurements     allow store measurements\n"
+               "                                   (NOTE when using this option, "
+               "--name must be provided)\n"
+               "\n"
+               "  ARGS:\n"
+               "    virt-install args, see all supported args with `virt-install "
+               "--help`.\n"
+               "\n");
+}
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust-sh/operator/op_create.h b/virtrust/src/virtrust-sh/operator/op_create.h
new file mode 100644
index 0000000000000000000000000000000000000000..31f730c8f6c34dbaff8bf03f1b08677d51618861
--- /dev/null
+++ b/virtrust/src/virtrust-sh/operator/op_create.h
@@ -0,0 +1,30 @@
+// Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+#pragma once
+
+#include <string>
+#include <vector>
+
+#include "virtrust-sh/operator/op_itf.h"
+
+namespace virtrust {
+
+class OpCreate : public OpItf {
+public:
+    explicit OpCreate() : OpItf(OpTy::CREATE)
+    {}
+    ~OpCreate() override = default;
+
+    OpRc Exec() override;
+
+    // Parse the args from command line
+    OpRc ParseArgv(int argc, char **argv) override;
+
+    // Print the usage of this operator
+    void PrintUsage() override;
+
+private:
+    std::vector<std::string> virtInstallArgs_;
+};
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust-sh/operator/op_create_test.cpp b/virtrust/src/virtrust-sh/operator/op_create_test.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..99e48f754a10f9c86db7731ca96e06175566ad1b
--- /dev/null
+++ b/virtrust/src/virtrust-sh/operator/op_create_test.cpp
@@ -0,0 +1,81 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+ */
+
+#include "gtest/gtest.h"
+
+#include "virtrust-sh/defines.h"
+#include "virtrust-sh/operator/op_create.h"
+
+namespace virtrust {
+
+TEST(OpCreateTest, ParseArgvTest)
+{
+    OpCreate opCreate;
+
+    // Test with basic arguments
+    const char *argv[] = {"op_create", "--name", "test_vm", "--memory", "1024"};
+    int argc = 5;
+
+    OpRc result = opCreate.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns OK for valid arguments
+    EXPECT_EQ(result, OpRc::OK);
+}
+
+TEST(OpCreateTest, ParseArgvEmptyTest)
+{
+    OpCreate opCreate;
+
+    // Test with no arguments (only program name)
+    const char *argv[] = {"op_create", "--name", "test_vm"};
+    int argc = 3;
+
+    OpRc result = opCreate.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns OK for edge case with no extra arguments
+    EXPECT_EQ(result, OpRc::OK);
+}
+
+TEST(OpCreateTest, ParseArgvMultipleArgsTest)
+{
+    OpCreate opCreate;
+
+    // Test with more complex arguments
+    const char *argv[] = {"op_create", "--name", "test_vm", "--memory", "1024", "--vcpu", "2", "--disk", "size=10"};
+    int argc = 9;
+
+    OpRc result = opCreate.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns OK for complex arguments
+    EXPECT_EQ(result, OpRc::OK);
+}
+
+TEST(OpCreateTest, ParseArgvSpecialCharactersTest)
+{
+    OpCreate opCreate;
+
+    // Test with more containing special arguments
+    const char *argv[] = {"op_create", "--name", "test-vm_123", "--memory", "2048", "--graphics", "vnc"};
+    int argc = 7;
+
+    OpRc result = opCreate.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv handles special characters correctly
+    EXPECT_EQ(result, OpRc::OK);
+}
+
+TEST(OpCreateTest, ParseArgvLongArgumentsTest)
+{
+    OpCreate opCreate;
+
+    // Test with long arguments names
+    const char *argv[] = {"op_create", "--name", "test-long-vm-name-for-testing", "--memory", "4096", "--vcpu", "4"};
+    int argc = 7;
+
+    OpRc result = opCreate.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv handles long garuments names correctly
+    EXPECT_EQ(result, OpRc::OK);
+}
+} // namespace virtrust
diff --git a/virtrust/src/virtrust-sh/operator/op_destroy.cpp b/virtrust/src/virtrust-sh/operator/op_destroy.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..0ca4c3ee1ad8ad16e537ec538f2f369fa65b0cc0
--- /dev/null
+++ b/virtrust/src/virtrust-sh/operator/op_destroy.cpp
@@ -0,0 +1,96 @@
+// Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+#include "virtrust-sh/operator/op_destroy.h"
+
+#include <getopt.h>
+
+#include <string>
+#include <vector>
+
+#include "virtrust-sh/operator/op_itf.h"
+#include "virtrust-sh/operator/op_utils.h"
+#include "virtrust/api/domain.h"
+
+namespace virtrust {
+namespace {
+constexpr int OP_DESTROY_EXTRA_CMD_NUM = 1;
+}
+
+OpRc OpDestroy::Exec()
+{
+    // make connection
+    conn_.reset();
+    conn_ = std::make_unique<ConnCtx>();
+    if (!conn_->SetUri(config_.uri)) {
+        VIRTRUST_LOG_ERROR("Failed to set uri: {}", config_.uri);
+        return OpRc::ERROR;
+    }
+    conn_->Connect();
+    if (conn_->Get() == nullptr) {
+        VIRTRUST_LOG_ERROR("Failed to establish connection to: {}", config_.uri);
+        return OpRc::ERROR;
+    }
+    return ParseVirtrustRc(DomainDestroy(conn_, domainName_, flags_, onlyTsb_));
+}
+
+// Parse the args from command line
+OpRc OpDestroy::ParseArgv(int argc, char **argv)
+{
+    int arg = -1;
+    int longindex = -1;
+    optind = 1;                   // reset
+    const int onlyTsbVal = 0x100; // REVIEW why?
+    std::vector<option> opt = {
+        {"help", no_argument, nullptr, 'h'}, {"only-tsb", no_argument, nullptr, onlyTsbVal}, {nullptr, 0, nullptr, 0}};
+
+    // The leading + means no re-ordering, see man page of getopt_long
+    while ((arg = getopt_long(argc, argv, "+c:dhv", opt.data(), &longindex)) != -1) {
+        switch (arg) {
+            case 'h':
+                config_.enableExec = false;
+                PrintUsage();
+                optind = argc; // stop parsing
+                return OpRc::OK;
+            case onlyTsbVal:
+                onlyTsb_ = true;
+                continue;
+            default:
+                config_.enableExec = false;
+                PrintUsage();
+                optind = argc; // stop parsing
+                return OpRc::ERROR;
+        }
+    }
+
+    if (argc - optind != OP_DESTROY_EXTRA_CMD_NUM) {
+        fmt::print("\nInvalid number of arguments, expect: {}, got: {}\n", OP_DESTROY_EXTRA_CMD_NUM, argc - optind);
+        PrintUsage();
+        return OpRc::ERROR;
+    }
+
+    if (strlen(argv[optind]) != 0) {
+        domainName_ = argv[optind];
+        return OpRc::OK;
+    } else {
+        VIRTRUST_LOG_ERROR("Invalid empty domain name");
+        return OpRc::ERROR;
+    }
+}
+
+// Print the usage of this operator
+void OpDestroy::PrintUsage()
+{
+    fmt::print("\n"
+               "  NAME:\n"
+               "    destroy - destroy (stop) a domain\n"
+               "\n"
+               "  SYNOPSIS:\n"
+               "    destroy [options] <domain>\n"
+               "\n"
+               "  OPTIONS:\n"
+               "    -h | --help                    this help\n"
+               "    --onlyTsb                      only update tsb resource, <domain> need uuid\n"
+               "\n");
+}
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust-sh/operator/op_destroy.h b/virtrust/src/virtrust-sh/operator/op_destroy.h
new file mode 100644
index 0000000000000000000000000000000000000000..1c5feffbb5e74de5896b34e093eb8e63af6b6243
--- /dev/null
+++ b/virtrust/src/virtrust-sh/operator/op_destroy.h
@@ -0,0 +1,32 @@
+// Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+#pragma once
+
+#include <string>
+#include <vector>
+
+#include "virtrust-sh/operator/op_itf.h"
+
+namespace virtrust {
+
+class OpDestroy : public OpItf {
+public:
+    explicit OpDestroy() : OpItf(OpTy::DESTROY)
+    {}
+    ~OpDestroy() override = default;
+
+    OpRc Exec() override;
+
+    // Parse the args from command line
+    OpRc ParseArgv(int argc, char **argv) override;
+
+    // Print the usage of this operator
+    void PrintUsage() override;
+
+private:
+    std::string domainName_ = "unknown";
+    unsigned int flags_ = DOMAIN_DESTROY_NONE;
+    bool onlyTsb_ = false;
+};
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust-sh/operator/op_destroy_test.cpp b/virtrust/src/virtrust-sh/operator/op_destroy_test.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..0d0b0039d1a3739da4e577ad018586a1e039be53
--- /dev/null
+++ b/virtrust/src/virtrust-sh/operator/op_destroy_test.cpp
@@ -0,0 +1,110 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+ */
+
+#include "gtest/gtest.h"
+
+#include "virtrust-sh/operator/op_destroy.h"
+
+namespace virtrust {
+
+TEST(OpDestroyTest, ParseArgvValidDomainTest)
+{
+    OpDestroy opDestroy;
+
+    // Test with valid domain name argument
+    const char *argv[] = {"op_destroy", "test_domain"};
+    int argc = 2;
+
+    OpRc result = opDestroy.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns OK for valid arguments
+    EXPECT_EQ(result, OpRc::OK);
+}
+
+TEST(OpDestroyTest, ParseArgvHelpFlagTest)
+{
+    OpDestroy opDestroy;
+
+    // Test with help Flag
+    const char *argv[] = {"op_destroy", "--help"};
+    int argc = 2;
+
+    OpRc result = opDestroy.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns OK for help flag (should not execute)
+    EXPECT_EQ(result, OpRc::OK);
+}
+
+TEST(OpDestroyTest, ParseArgvHelpShortFlagTest)
+{
+    OpDestroy opDestroy;
+
+    // Test with short help flag
+    const char *argv[] = {"op_destroy", "-h"};
+    int argc = 2;
+
+    OpRc result = opDestroy.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns OK for short help flag (should not execute)
+    EXPECT_EQ(result, OpRc::OK);
+}
+
+TEST(OpDestroyTest, ParseArgvMissingDomainTest)
+{
+    OpDestroy opDestroy;
+
+    // Test with no domain name argument
+    const char *argv[] = {"op_destroy"};
+    int argc = 1;
+
+    OpRc result = opDestroy.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns ERROR for missing domain
+    EXPECT_EQ(result, OpRc::ERROR);
+}
+
+TEST(OpDestroyTest, ParseArgvExtraArgumentsTest)
+{
+    OpDestroy opDestroy;
+
+    // Test with extra arguments
+    const char *argv[] = {"op_destroy", "domain1", "domain2"};
+    int argc = 3;
+
+    OpRc result = opDestroy.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv handles ERROR for too many arguments
+    EXPECT_EQ(result, OpRc::ERROR);
+}
+
+TEST(OpDestroyTest, ParseArgvInvalidOptionTest)
+{
+    OpDestroy opDestroy;
+
+    // Test with invalid option
+    const char *argv[] = {"op_destroy", "--invalid-option"};
+    int argc = 2;
+
+    OpRc result = opDestroy.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv handles ERROR for invalid option
+    EXPECT_EQ(result, OpRc::ERROR);
+}
+
+TEST(OpDestroyTest, ParseArgvDomainNameStrorageTest)
+{
+    OpDestroy opDestroy;
+
+    // Test that domain name is properly stored
+    const char *argv[] = {"op_destroy", "test-domain-123"};
+    int argc = 2;
+
+    OpRc result = opDestroy.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns OK and domain name is stored
+    EXPECT_EQ(result, OpRc::OK);
+    // Note: Cannot directly access private member domainName_ for verification
+    // but we can verify the function doesn't crash and handles correctly
+}
+} // namespace virtrust
diff --git a/virtrust/src/virtrust-sh/operator/op_itf.cpp b/virtrust/src/virtrust-sh/operator/op_itf.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..503eb8de95e9fded18bbb5b9ce90d511dcf86322
--- /dev/null
+++ b/virtrust/src/virtrust-sh/operator/op_itf.cpp
@@ -0,0 +1,61 @@
+// Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+#include "virtrust-sh/operator/op_itf.h"
+
+#include <cstdint>
+#include <memory>
+#include <string_view>
+
+#include "virtrust-sh/operator/op_create.h"
+#include "virtrust-sh/operator/op_destroy.h"
+#include "virtrust-sh/operator/op_list.h"
+#include "virtrust-sh/operator/op_migrate.h"
+#include "virtrust-sh/operator/op_start.h"
+#include "virtrust-sh/operator/op_undefine.h"
+
+namespace virtrust {
+
+std::unique_ptr<OpItf> MakeOperator(OpTy type)
+{
+    switch (type) {
+        case OpTy::CREATE:
+            return std::make_unique<OpCreate>();
+        case OpTy::DESTROY:
+            return std::make_unique<OpDestroy>();
+        case OpTy::MIGRATE:
+            return std::make_unique<OpMigrate>();
+        case OpTy::START:
+            return std::make_unique<OpStart>();
+        case OpTy::UNDEFINE:
+            return std::make_unique<OpUndefine>();
+        case OpTy::LIST:
+            return std::make_unique<OpList>();
+        default:
+            return nullptr; // return nullptr if error
+    }
+}
+
+OpTy OpTyFromStr(const std::string &type)
+{
+    if (type == "create") {
+        return OpTy::CREATE;
+    } else if (type == "destroy") {
+        return OpTy::DESTROY;
+    } else if (type == "migrate") {
+        return OpTy::MIGRATE;
+    } else if (type == "start") {
+        return OpTy::START;
+    } else if (type == "undefine") {
+        return OpTy::UNDEFINE;
+    } else if (type == "list") {
+        return OpTy::LIST;
+    } else {
+        return OpTy::UNKNOWN;
+    }
+}
+
+std::unique_ptr<OpItf> MakeOperator(const std::string &type)
+{
+    return MakeOperator(OpTyFromStr(type));
+}
+} // namespace virtrust
diff --git a/virtrust/src/virtrust-sh/operator/op_itf.h b/virtrust/src/virtrust-sh/operator/op_itf.h
new file mode 100644
index 0000000000000000000000000000000000000000..b5608121615e535954ca1f79a08700f91c8a61d4
--- /dev/null
+++ b/virtrust/src/virtrust-sh/operator/op_itf.h
@@ -0,0 +1,92 @@
+// Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+#pragma once
+
+#include <cstdint>
+#include <memory>
+#include <string_view>
+#include <utility>
+
+#include "virtrust/api/context.h"
+#include "virtrust/base/logger.h"
+#include "virtrust/dllib/libvirt.h"
+
+namespace virtrust {
+
+enum class OpRc : uint32_t {
+    OK = 0,
+    ERROR = 1,
+    CHECK_FAILED = 2,
+};
+
+enum class OpTy : uint32_t {
+    UNKNOWN,
+    CREATE,
+    DESTROY,
+    MIGRATE,
+    START,
+    UNDEFINE,
+    LIST,
+};
+
+OpTy OpTyFromStr(const std::string &type);
+
+// Default configs for operator
+// NOTE carefully tweak those default values
+struct OpConfig {
+    std::string uri = std::string(VIRTRUST_DEFAULT_URI);
+    bool enableExec = true;
+};
+
+// Operator Interface
+class OpItf {
+public:
+    OpItf() = delete;
+    virtual ~OpItf() = default;
+
+    // Getters and Setters
+
+    // Get uri string
+    std::string GetUri() const
+    {
+        return config_.uri;
+    }
+
+    // Get type
+    OpTy Type() const
+    {
+        return type_;
+    }
+
+    // Get const reference of op's config
+    const OpConfig &GetConfig() const
+    {
+        return config_;
+    }
+
+    void SetConfig(const OpConfig &config)
+    {
+        config_ = config;
+    }
+
+    virtual OpRc Exec() = 0;
+    virtual OpRc ParseArgv(int argc, char **argv) = 0;
+    virtual void PrintUsage() = 0;
+
+protected:
+    const OpTy type_ = OpTy::UNKNOWN;
+    std::unique_ptr<ConnCtx> conn_ = nullptr;
+    std::unique_ptr<DomainCtx> domain_ = nullptr;
+    OpConfig config_ = {};
+
+    explicit OpItf(OpTy type) : type_(type)
+    {}
+    explicit OpItf(OpTy type, OpConfig config) : type_(type), config_(std::move(config))
+    {}
+};
+
+// Operator Factory
+std::unique_ptr<OpItf> MakeOperator(OpTy type);
+std::unique_ptr<OpItf> MakeOperator(const std::string &type);
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust-sh/operator/op_list.cpp b/virtrust/src/virtrust-sh/operator/op_list.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..630fdfea6dbddbdc2a5096cbef9efedbda515084
--- /dev/null
+++ b/virtrust/src/virtrust-sh/operator/op_list.cpp
@@ -0,0 +1,188 @@
+// Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+#include "virtrust-sh/operator/op_list.h"
+
+#include <getopt.h>
+
+#include <string>
+#include <vector>
+
+#include "virtrust-sh/operator/op_itf.h"
+#include "virtrust-sh/operator/op_utils.h"
+#include "virtrust/api/domain.h"
+
+namespace virtrust {
+
+namespace {
+constexpr int OP_LIST_EXTRA_CMD_NUM = 0;
+constexpr int KB_TO_MD = 1024;
+inline std::string GetIdStr(const std::unique_ptr<ConnCtx> &conn, const std::string &name)
+{
+    auto &libvirt = Libvirt::GetInstance();
+    auto *domain = libvirt.virDomainLookupByName(conn->Get(), name.data());
+    if (domain == nullptr) {
+        return "-";
+    }
+    auto id = libvirt.virDomainGetID(domain);
+    libvirt.virDomainFree(domain);
+    return id == std::numeric_limits<unsigned int>::max() ? "-" : std::to_string(id);
+}
+
+inline unsigned int GetIdInt(const std::unique_ptr<ConnCtx> &conn, const std::string &name)
+{
+    auto &libvirt = Libvirt::GetInstance();
+    auto *domain = libvirt.virDomainLookupByName(conn->Get(), name.data());
+    if (domain == nullptr) {
+        return std::numeric_limits<unsigned int>::max();
+    }
+    auto id = libvirt.virDomainGetID(domain);
+    libvirt.virDomainFree(domain);
+    return id;
+}
+
+inline std::string GetStateStr(int state)
+{
+    switch (state) {
+        case VIR_DOMAIN_RUNNING:
+            return "running";
+        case VIR_DOMAIN_PAUSED:
+            return "paused";
+        case VIR_DOMAIN_SHUTDOWN:
+            return "shut down";
+        case VIR_DOMAIN_SHUTOFF:
+            return "shut off";
+        case VIR_DOMAIN_CRASHED:
+            return "crashed";
+        default:
+            return "unknown";
+    }
+}
+
+struct DomainInfoForSort {
+    unsigned int id;
+    DomainInfo domainInfo;
+};
+
+std::vector<DomainInfoForSort> GetSortedDomainInfos(const std::unique_ptr<ConnCtx> &conn,
+                                                    const std::unordered_map<std::string, DomainInfo> &domainInfos,
+                                                    size_t &maxNameLen)
+
+{
+    std::vector<DomainInfoForSort> sortedInfos;
+    sortedInfos.reserve(domainInfos.size());
+    for (const auto &[key, info] : domainInfos) {
+        DomainInfoForSort item;
+        item.id = GetIdInt(conn, info.domainName);
+        item.domainInfo = info;
+        sortedInfos.push_back(item);
+        maxNameLen = std::max(maxNameLen, info.domainName.length());
+    }
+    // 自定义排序
+    std::sort(sortedInfos.begin(), sortedInfos.end(), [](const DomainInfoForSort &lhs, const DomainInfoForSort &rhs) {
+        if (lhs.id != rhs.id) {
+            return lhs.id < rhs.id;
+        } else if (lhs.domainInfo.state != rhs.domainInfo.state) {
+            return lhs.domainInfo.state < rhs.domainInfo.state;
+
+        } else {
+            return lhs.domainInfo.domainName < rhs.domainInfo.domainName;
+        }
+    });
+    return sortedInfos;
+}
+
+} // namespace
+
+OpRc OpList::Exec()
+{
+    // make connection
+    conn_.reset();
+    conn_ = std::make_unique<ConnCtx>();
+    if (!conn_->SetUri(config_.uri)) {
+        VIRTRUST_LOG_ERROR("Failed to set uri: {}", config_.uri);
+        return OpRc::ERROR;
+    }
+    conn_->Connect();
+    if (conn_->Get() == nullptr) {
+        VIRTRUST_LOG_ERROR("Failed to establish connection to: {}", config_.uri);
+        return OpRc::ERROR;
+    }
+
+    std::unordered_map<std::string, DomainInfo> domainInfos = {};
+    auto rc = DomainList(conn_, flags_, domainInfos, true);
+    if (rc != VirtrustRc::OK) {
+        return ParseVirtrustRc(rc);
+    }
+
+    size_t maxNameLen = 5;
+    std::vector<DomainInfoForSort> sortedInfos = GetSortedDomainInfos(conn_, domainInfos, maxNameLen);
+
+    fmt::print("{:5} {:{}} {:<10}\n", "Id", "Name", maxNameLen + 2, "State");
+    std::string separator(maxNameLen + 19, '-');
+
+    fmt::print("{}\n", separator);
+    for (const auto &item : sortedInfos) {
+        fmt::print("{:5} {:{}} {:<10}\n",
+                   item.id == std::numeric_limits<unsigned int>::max() ? "-" : std::to_string(item.id),
+                   item.domainInfo.domainName, maxNameLen + 2, GetStateStr(item.domainInfo.state));
+    }
+
+    return OpRc::OK;
+}
+
+// Parse the args from command line
+OpRc OpList::ParseArgv(int argc, char **argv)
+{
+    int arg = -1;
+    int longindex = -1;
+    optind = 1; // reset
+
+    std::vector<option> opt = {
+        {"help", no_argument, nullptr, 'h'}, {"all", no_argument, nullptr, 'a'}, {nullptr, 0, nullptr, 0}};
+
+    opterr = 0;
+    // The leading + means no re-ordering, see man page of getopt_long
+    while ((arg = getopt_long(argc, argv, "+ah", opt.data(), &longindex)) != -1) {
+        switch (arg) {
+            case 'h':
+                config_.enableExec = false;
+                PrintUsage();
+                optind = argc; // stop parsing
+                return OpRc::OK;
+            case 'a':
+                // see: libvirt/tools/virsh-domain-monitor.c, line 1890
+                flags_ = LIST_DOMAINS_ACTIVE | LIST_DOMAINS_INACTIVE;
+                break;
+            default:
+                config_.enableExec = false;
+                PrintUsage();
+                optind = argc; // stop parsing
+                return OpRc::ERROR;
+        }
+    }
+
+    if (argc - optind != OP_LIST_EXTRA_CMD_NUM) {
+        fmt::print("\nInvalid number of arguments, expect: {}, got: {}\n", OP_LIST_EXTRA_CMD_NUM, argc - optind);
+        PrintUsage();
+        return OpRc::ERROR;
+    }
+    return OpRc::OK;
+}
+
+// Print the usage of this operator
+void OpList::PrintUsage()
+{
+    fmt::print("\n"
+               "  NAME:\n"
+               "    list - list domains\n"
+               "\n"
+               "  SYNOPSIS:\n"
+               "    list [options]\n"
+               "\n"
+               "  OPTIONS:\n"
+               "    -h | --help                    this help\n"
+               "    -a | --all                     list all domains\n"
+               "\n");
+}
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust-sh/operator/op_list.h b/virtrust/src/virtrust-sh/operator/op_list.h
new file mode 100644
index 0000000000000000000000000000000000000000..bce0d1d7c6de34ea320d598ffb614bdd2ea85511
--- /dev/null
+++ b/virtrust/src/virtrust-sh/operator/op_list.h
@@ -0,0 +1,30 @@
+// Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+#pragma once
+
+#include <string>
+#include <vector>
+
+#include "virtrust-sh/operator/op_itf.h"
+
+namespace virtrust {
+
+class OpList : public OpItf {
+public:
+    explicit OpList() : OpItf(OpTy::LIST)
+    {}
+    ~OpList() override = default;
+
+    OpRc Exec() override;
+
+    // Parse the args from command line
+    OpRc ParseArgv(int argc, char **argv) override;
+
+    // Print the usage of this operator
+    void PrintUsage() override;
+
+private:
+    unsigned int flags_ = LIST_DOMAINS_ACTIVE; // default show only active
+};
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust-sh/operator/op_list_test.cpp b/virtrust/src/virtrust-sh/operator/op_list_test.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..b47233239a37780dee6a5115f868040d2ad0dbaa
--- /dev/null
+++ b/virtrust/src/virtrust-sh/operator/op_list_test.cpp
@@ -0,0 +1,136 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+ */
+
+#include "gtest/gtest.h"
+
+#include "virtrust-sh/operator/op_list.h"
+
+namespace virtrust {
+
+TEST(OpListTest, ParseArgvNoArgumentsTest)
+{
+    OpList opList;
+
+    // Test with no arguments
+    const char *argv[] = {"op_list"};
+    int argc = 1;
+
+    OpRc result = opList.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns OK for no arguments (default behavior)
+    EXPECT_EQ(result, OpRc::OK);
+}
+
+TEST(OpListTest, ParseArgvHelpFlagTest)
+{
+    OpList opList;
+
+    // Test with help Flag
+    const char *argv[] = {"op_list", "--help"};
+    int argc = 2;
+
+    OpRc result = opList.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns OK for help flag (should not execute)
+    EXPECT_EQ(result, OpRc::OK);
+}
+
+TEST(OpListTest, ParseArgvHelpShortFlagTest)
+{
+    OpList opList;
+
+    // Test with help Flag
+    const char *argv[] = {"op_list", "-h"};
+    int argc = 2;
+
+    OpRc result = opList.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns OK for help flag (should not execute)
+    EXPECT_EQ(result, OpRc::OK);
+}
+
+TEST(OpListTest, ParseArgvAllFlagTest)
+{
+    OpList opList;
+
+    // Test with all flag
+    const char *argv[] = {"op_list", "--all"};
+    int argc = 2;
+
+    OpRc result = opList.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns OK for all flag
+    EXPECT_EQ(result, OpRc::OK);
+}
+
+TEST(OpListTest, ParseArgvAllShortFlagTest)
+{
+    OpList opList;
+
+    // Test with all short falg
+    const char *argv[] = {"op_list", "-a"};
+    int argc = 2;
+
+    OpRc result = opList.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns OK for all short falg
+    EXPECT_EQ(result, OpRc::OK);
+}
+
+TEST(OpListTest, ParseArgvBothFlagsTest)
+{
+    OpList opList;
+
+    // Test with both flags
+    const char *argv[] = {"op_list", "-a", "--help"};
+    int argc = 3;
+
+    OpRc result = opList.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv return OK for both flags (help takes precedence)
+    EXPECT_EQ(result, OpRc::OK);
+}
+
+TEST(OpListTest, ParseArgvInvalidOptionTest)
+{
+    OpList opList;
+
+    // Test with invalid option
+    const char *argv[] = {"op_list", "--invalid-option"};
+    int argc = 2;
+
+    OpRc result = opList.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns ERROR for invalid option
+    EXPECT_EQ(result, OpRc::ERROR);
+}
+
+TEST(OpListTest, ParseArgvExtraArgumentsTest)
+{
+    OpList opList;
+
+    // Test with extra augruments
+    const char *argv[] = {"op_list", "extra_arg"};
+    int argc = 2;
+
+    OpRc result = opList.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns ERROR for extra arguments
+    EXPECT_EQ(result, OpRc::ERROR);
+}
+
+TEST(OpListTest, ParseArgvFlagCombinationTest)
+{
+    OpList opList;
+
+    // Test with mutiple valid flags
+    const char *argv[] = {"op_list", "-a", "-h"};
+    int argc = 3;
+
+    OpRc result = opList.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns OK for valid flag combination (help takes precedence)
+    EXPECT_EQ(result, OpRc::OK);
+}
+} // namespace virtrust
diff --git a/virtrust/src/virtrust-sh/operator/op_migrate.cpp b/virtrust/src/virtrust-sh/operator/op_migrate.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..fdd38b382019e9919456c54eecf60f3ed2eceb78
--- /dev/null
+++ b/virtrust/src/virtrust-sh/operator/op_migrate.cpp
@@ -0,0 +1,107 @@
+// Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+#include "virtrust-sh/operator/op_migrate.h"
+
+#include <getopt.h>
+
+#include <string>
+#include <vector>
+
+#include "virtrust-sh/operator/op_itf.h"
+#include "virtrust-sh/operator/op_utils.h"
+#include "virtrust/api/domain.h"
+
+namespace virtrust {
+namespace {
+constexpr int OP_MIGRATE_EXTRA_CMD_NUM = 2;
+}
+
+OpRc OpMigrate::Exec()
+{
+    // make connection
+    conn_.reset();
+    conn_ = std::make_unique<ConnCtx>();
+    if (!conn_->SetUri(config_.uri)) {
+        VIRTRUST_LOG_ERROR("Failed to set uri: {}", config_.uri);
+        return OpRc::ERROR;
+    }
+    conn_->Connect();
+    if (conn_->Get() == nullptr) {
+        VIRTRUST_LOG_ERROR("Failed to establish connection to: {}", config_.uri);
+        return OpRc::ERROR;
+    }
+    return ParseVirtrustRc(DomainMigrate(conn_, domainName_, destUri_, flags_));
+}
+
+// Parse the args from command line
+OpRc OpMigrate::ParseArgv(int argc, char **argv)
+{
+    int arg = -1;
+    int longindex = -1;
+    optind = 1; // reset
+
+    std::vector<option> opt = {
+        {"help", no_argument, nullptr, 'h'}, {"undefinesource", no_argument, nullptr, 0}, {nullptr, 0, nullptr, 0}};
+
+    // The leading + means no re-ordering, see man page of getopt_long
+    while ((arg = getopt_long(argc, argv, "+h", opt.data(), &longindex)) != -1) {
+        switch (arg) {
+            case 'h':
+                config_.enableExec = false;
+                PrintUsage();
+                optind = argc; // stop parsing
+                return OpRc::OK;
+            case 0:
+                if (flags_ & MIGRATE_UNDEFINE_SOURCE) {
+                    fmt::print("\nOption --undefinesource is already set.\n");
+                    return OpRc::ERROR;
+                }
+                flags_ |= MIGRATE_UNDEFINE_SOURCE;
+                break;
+            default:
+                config_.enableExec = false;
+                PrintUsage();
+                optind = argc; // stop parsing
+                return OpRc::ERROR;
+        }
+    }
+
+    if (argc - optind != OP_MIGRATE_EXTRA_CMD_NUM) {
+        fmt::print("\nInvalid number of arguments, expect: {}, got: {}\n", OP_MIGRATE_EXTRA_CMD_NUM, argc - optind);
+        PrintUsage();
+        return OpRc::ERROR;
+    }
+
+    if (strlen(argv[optind]) != 0) {
+        domainName_ = argv[optind];
+    } else {
+        VIRTRUST_LOG_ERROR("Invalid empty domain name");
+        return OpRc::ERROR;
+    }
+
+    if (strlen(argv[optind + 1]) != 0) {
+        destUri_ = argv[optind + 1];
+    } else {
+        VIRTRUST_LOG_ERROR("Invalid empty domain name");
+        return OpRc::ERROR;
+    }
+    return OpRc::OK;
+}
+
+// Print the usage of this operator
+void OpMigrate::PrintUsage()
+{
+    fmt::print("\n"
+               "  NAME:\n"
+               "    migrate - migrate domain to another host\n"
+               "\n"
+               "  SYNOPSIS:\n"
+               "    migrate [options] <domain> <desturi>\n"
+               "\n"
+               "  OPTIONS:\n"
+               "    -h | --help                    this help\n"
+               "    --undefinesource               undefine VM on source\n"
+               "\n");
+}
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust-sh/operator/op_migrate.h b/virtrust/src/virtrust-sh/operator/op_migrate.h
new file mode 100644
index 0000000000000000000000000000000000000000..bdb697dec0e333996bfaaddd09d4dea408bff0f9
--- /dev/null
+++ b/virtrust/src/virtrust-sh/operator/op_migrate.h
@@ -0,0 +1,32 @@
+// Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+#pragma once
+
+#include <string>
+#include <vector>
+
+#include "virtrust-sh/operator/op_itf.h"
+
+namespace virtrust {
+
+class OpMigrate : public OpItf {
+public:
+    explicit OpMigrate() : OpItf(OpTy::MIGRATE)
+    {}
+    ~OpMigrate() override = default;
+
+    OpRc Exec() override;
+
+    // Parse the args from command line
+    OpRc ParseArgv(int argc, char **argv) override;
+
+    // Print the usage of this operator
+    void PrintUsage() override;
+
+private:
+    std::string domainName_ = "unknown";
+    std::string destUri_;
+    unsigned int flags_ = 0;
+};
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust-sh/operator/op_migrate_test.cpp b/virtrust/src/virtrust-sh/operator/op_migrate_test.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..db75369c8827e1904e6bb5b2d3a8bb8c3f526ae9
--- /dev/null
+++ b/virtrust/src/virtrust-sh/operator/op_migrate_test.cpp
@@ -0,0 +1,136 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+ */
+
+#include "gtest/gtest.h"
+
+#include "virtrust-sh/operator/op_migrate.h"
+
+namespace virtrust {
+
+TEST(OpMigrateTest, ParseArgvValidArgumentsTest)
+{
+    OpMigrate opMigrate;
+
+    // Test with valid domain name and destination URI
+    const char *argv[] = {"op_migrate", "test_doamin", "qemu+ssh://destination.example.com/system"};
+    int argc = 3;
+
+    OpRc result = opMigrate.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns OK for valid arguments
+    EXPECT_EQ(result, OpRc::OK);
+}
+
+TEST(OpMigrateTest, ParseArgvHelpFlagTest)
+{
+    OpMigrate opMigrate;
+
+    // Test with help Flag
+    const char *argv[] = {"op_migrate", "--help"};
+    int argc = 2;
+
+    OpRc result = opMigrate.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns OK for help flag (should not execute)
+    EXPECT_EQ(result, OpRc::OK);
+}
+
+TEST(OpMigrateTest, ParseArgvHelpShortFlagTest)
+{
+    OpMigrate opMigrate;
+
+    // Test with help Flag
+    const char *argv[] = {"op_migrate", "-h"};
+    int argc = 2;
+
+    OpRc result = opMigrate.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns OK for short help flag (should not execute)
+    EXPECT_EQ(result, OpRc::OK);
+}
+
+TEST(OpMigrateTest, ParseArgvMissingArgumentsTest)
+{
+    OpMigrate opMigrate;
+
+    // Test with missig arguments (only program name)
+    const char *argv[] = {"op_migrate"};
+    int argc = 1;
+
+    OpRc result = opMigrate.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns ERROR for misssing arguments
+    EXPECT_EQ(result, OpRc::ERROR);
+}
+
+TEST(OpMigrateTest, ParseArgvMissingDestinationTest)
+{
+    OpMigrate opMigrate;
+
+    // Test with aonly domain name, missing destination URI
+    const char *argv[] = {"op_migrate", "test_domain"};
+    int argc = 2;
+
+    OpRc result = opMigrate.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns ERROR for missing destination
+    EXPECT_EQ(result, OpRc::ERROR);
+}
+
+TEST(OpMigrateTest, ParseArgvExtraArgumentsTest)
+{
+    OpMigrate opMigrate;
+
+    // Test with extra arguments
+    const char *argv[] = {"op_migrate", "domain1", "dest_uri", "extra_arg"};
+    int argc = 4;
+
+    OpRc result = opMigrate.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv return ERROR for extra arguments
+    EXPECT_EQ(result, OpRc::ERROR);
+}
+
+TEST(OpMigrateTest, ParseArgvInvalidOptionTest)
+{
+    OpMigrate opMigrate;
+
+    // Test with invalid option
+    const char *argv[] = {"op_migrate", "--invalid-option"};
+    int argc = 2;
+
+    OpRc result = opMigrate.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns ERROR for invalid option
+    EXPECT_EQ(result, OpRc::ERROR);
+}
+
+TEST(OpMigrateTest, ParseArgvComplexArgumentsTest)
+{
+    OpMigrate opMigrate;
+
+    // Test with complex domain name and URI
+    const char *argv[] = {"op_migrate", "complex-domain-name-123", "qemu+ssh://user@host:22/system?param=value"};
+    int argc = 3;
+
+    OpRc result = opMigrate.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns OK for complex arguments
+    EXPECT_EQ(result, OpRc::OK);
+}
+
+TEST(OpMigrateTest, ParseArgvFlagCombinationTest)
+{
+    OpMigrate opMigrate;
+
+    // Test with special characters in arguments
+    const char *argv[] = {"op_migrate", "test-dimain_123", "qemu+ssh://user@host.example.com:22/system"};
+    int argc = 3;
+
+    OpRc result = opMigrate.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns OK for special characters
+    EXPECT_EQ(result, OpRc::OK);
+}
+} // namespace virtrust
diff --git a/virtrust/src/virtrust-sh/operator/op_start.cpp b/virtrust/src/virtrust-sh/operator/op_start.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..e72e897278ece80616491e754eb55ed272b8e337
--- /dev/null
+++ b/virtrust/src/virtrust-sh/operator/op_start.cpp
@@ -0,0 +1,97 @@
+// Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+#include "virtrust-sh/operator/op_start.h"
+
+#include <getopt.h>
+
+#include <string>
+#include <vector>
+
+#include "virtrust-sh/operator/op_itf.h"
+#include "virtrust-sh/operator/op_utils.h"
+#include "virtrust/api/domain.h"
+
+namespace virtrust {
+
+namespace {
+constexpr int OP_START_EXTRA_CMD_NUM = 1;
+}
+
+OpRc OpStart::Exec()
+{
+    // make connection
+    conn_.reset();
+    conn_ = std::make_unique<ConnCtx>();
+    if (!conn_->SetUri(config_.uri)) {
+        VIRTRUST_LOG_ERROR("Failed to set uri: {}", config_.uri);
+        return OpRc::ERROR;
+    }
+    conn_->Connect();
+    if (conn_->Get() == nullptr) {
+        VIRTRUST_LOG_ERROR("Failed to establish connection to: {}", config_.uri);
+        return OpRc::ERROR;
+    }
+    return ParseVirtrustRc(DomainStart(conn_, domainName_, flags_, onlyTsb_));
+}
+
+// Parse the args from command line
+OpRc OpStart::ParseArgv(int argc, char **argv)
+{
+    int arg = -1;
+    int longindex = -1;
+    optind = 1; // reset
+    const int onlyTsbVal = 0x100;
+
+    std::vector<option> opt = {
+        {"help", no_argument, nullptr, 'h'}, {"only-tsb", no_argument, nullptr, onlyTsbVal}, {nullptr, 0, nullptr, 0}};
+
+    opterr = 0;
+    // The leading + means no re-ordering, see man page of getopt_long
+    while ((arg = getopt_long(argc, argv, "+h", opt.data(), &longindex)) != -1) {
+        switch (arg) {
+            case 'h':
+                config_.enableExec = false;
+                PrintUsage();
+                optind = 1;
+                return OpRc::OK;
+            case onlyTsbVal:
+                onlyTsb_ = true;
+                break;
+            default:
+                config_.enableExec = false;
+                PrintUsage();
+                return OpRc::ERROR;
+        }
+    }
+
+    if (argc - optind != OP_START_EXTRA_CMD_NUM) {
+        fmt::print("\nInvalid number of arguments, expect: {}, got: {}\n", OP_START_EXTRA_CMD_NUM, argc - optind);
+        PrintUsage();
+        return OpRc::ERROR;
+    }
+
+    if (strlen(argv[optind]) != 0) {
+        domainName_ = argv[optind];
+        return OpRc::OK;
+    } else {
+        VIRTRUST_LOG_ERROR("Invalid empty domain name");
+        return OpRc::ERROR;
+    }
+}
+
+// Print the usage of this operator
+void OpStart::PrintUsage()
+{
+    fmt::print("\n"
+               "  NAME:\n"
+               "    start - start a (previously defined) inactive domain\n"
+               "\n"
+               "  SYNOPSIS:\n"
+               "    start [options] <domain>\n"
+               "\n"
+               "  OPTIONS:\n"
+               "    -h | --help                    this help\n"
+               "    --only-tsb                     only update tsb resource, <domain> need uuid\n"
+               "\n");
+}
+} // namespace virtrust
diff --git a/virtrust/src/virtrust-sh/operator/op_start.h b/virtrust/src/virtrust-sh/operator/op_start.h
new file mode 100644
index 0000000000000000000000000000000000000000..1afdd0f238ca300a661587864a2c3708cfb09cb7
--- /dev/null
+++ b/virtrust/src/virtrust-sh/operator/op_start.h
@@ -0,0 +1,32 @@
+// Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+#pragma once
+
+#include <string>
+#include <vector>
+
+#include "virtrust-sh/operator/op_itf.h"
+
+namespace virtrust {
+
+class OpStart : public OpItf {
+public:
+    explicit OpStart() : OpItf(OpTy::START)
+    {}
+    ~OpStart() override = default;
+
+    OpRc Exec() override;
+
+    // Parse the args from command line
+    OpRc ParseArgv(int argc, char **argv) override;
+
+    // Print the usage of this operator
+    void PrintUsage() override;
+
+private:
+    std::string domainName_ = "unknown";
+    unsigned int flags_ = DOMAIN_START_NONE;
+    bool onlyTsb_ = false;
+};
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust-sh/operator/op_start_test.cpp b/virtrust/src/virtrust-sh/operator/op_start_test.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..1e54c5a3c1a07c43002ac042b9fba0254c548adc
--- /dev/null
+++ b/virtrust/src/virtrust-sh/operator/op_start_test.cpp
@@ -0,0 +1,138 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+ */
+
+#include "gtest/gtest.h"
+
+#include "virtrust-sh/operator/op_start.h"
+
+namespace virtrust {
+
+TEST(OpStartTest, ParseArgvValidArgumentsTest)
+{
+    OpStart opStart;
+
+    // Test with valid domain name
+    const char *argv[] = {"op_start", "test_doamin"};
+    int argc = 2;
+
+    OpRc result = opStart.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns OK for valid arguments
+    EXPECT_EQ(result, OpRc::OK);
+}
+
+TEST(OpStartTest, ParseArgvHelpFlagTest)
+{
+    OpStart opStart;
+
+    // Test with help Flag
+    const char *argv[] = {"op_start", "--help"};
+    int argc = 2;
+
+    OpRc result = opStart.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns OK for help flag (should not execute)
+    EXPECT_EQ(result, OpRc::OK);
+}
+
+TEST(OpStartTest, ParseArgvHelpShortFlagTest)
+{
+    OpStart opStart;
+
+    // Test with help Flag
+    const char *argv[] = {"op_start", "-h"};
+    int argc = 2;
+
+    OpRc result = opStart.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns OK for short help flag (should not execute)
+    EXPECT_EQ(result, OpRc::OK);
+}
+
+TEST(OpStartTest, ParseArgvMissingDoaminTest)
+{
+    OpStart opStart;
+
+    // Test with missig domain name arguments
+    const char *argv[] = {"op_start"};
+    int argc = 1;
+
+    OpRc result = opStart.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns ERROR for misssing arguments
+    EXPECT_EQ(result, OpRc::ERROR);
+}
+
+TEST(OpStartTest, ParseArgvExtraArgumentsTest)
+{
+    OpStart opStart;
+
+    // Test with extra arguments
+    const char *argv[] = {"op_start", "domain1", "extra_arg"};
+    int argc = 3;
+
+    OpRc result = opStart.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns ERROR for extra arguments
+    EXPECT_EQ(result, OpRc::ERROR);
+}
+
+TEST(OpStartTest, ParseArgvInvalidOptionTest)
+{
+    OpStart opStart;
+
+    // Test with invalid option
+    const char *argv[] = {"op_start", "--invalid-option"};
+    int argc = 2;
+
+    OpRc result = opStart.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns ERROR for invalid option
+    EXPECT_EQ(result, OpRc::ERROR);
+}
+
+TEST(OpStartTest, ParseArgvDomainNameStorageTest)
+{
+    OpStart opStart;
+
+    // Test with domain name is properly stored
+    const char *argv[] = {"op_start", "complex-domain-123"};
+    int argc = 2;
+
+    OpRc result = opStart.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns OK and domain name is stored
+    EXPECT_EQ(result, OpRc::OK);
+    // Note: Cannot directly access private member domainName_ for verification
+    // but we can verify the function doesn't crash and handles correctly
+}
+
+TEST(OpStartTest, ParseArgvComplexDomainNameTest)
+{
+    OpStart opStart;
+
+    // Test with complex domain name containing special characters
+    const char *argv[] = {"op_start", "complex-dimain-name.123"};
+    int argc = 2;
+
+    OpRc result = opStart.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns OK for complex domain names
+    EXPECT_EQ(result, OpRc::OK);
+}
+
+TEST(OpStartTest, ParseArgvLongDomainNameTest)
+{
+    OpStart opStart;
+
+    // Test with Long domain name
+    const char *argv[] = {"op_start", "very-long-domain-name-that-has-many-characters-for-purposes"};
+    int argc = 2;
+
+    OpRc result = opStart.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns OK for long domain names
+    EXPECT_EQ(result, OpRc::OK);
+}
+} // namespace virtrust
diff --git a/virtrust/src/virtrust-sh/operator/op_undefine.cpp b/virtrust/src/virtrust-sh/operator/op_undefine.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..6ebbd3444712f930939fbb5adec493a4d69b3d72
--- /dev/null
+++ b/virtrust/src/virtrust-sh/operator/op_undefine.cpp
@@ -0,0 +1,126 @@
+// Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+#include "virtrust-sh/operator/op_undefine.h"
+
+#include <getopt.h>
+
+#include <string>
+#include <vector>
+
+#include "virtrust-sh/operator/op_itf.h"
+#include "virtrust-sh/operator/op_utils.h"
+#include "virtrust/api/domain.h"
+
+namespace virtrust {
+namespace {
+constexpr int OP_UNDEFINE_EXTRA_CMD_NUM = 1;
+}
+
+OpRc OpUndefine::Exec()
+{
+    // make connection
+    conn_.reset();
+    conn_ = std::make_unique<ConnCtx>();
+    if (!conn_->SetUri(config_.uri)) {
+        VIRTRUST_LOG_ERROR("Failed to set uri: {}", config_.uri);
+        return OpRc::ERROR;
+    }
+    conn_->Connect();
+    if (conn_->Get() == nullptr) {
+        VIRTRUST_LOG_ERROR("Failed to establish connection to: {}", config_.uri);
+        return OpRc::ERROR;
+    }
+    return ParseVirtrustRc(DomainUndefine(conn_, domainName_, flags_, onlyTsb_));
+}
+
+OpRc OpUndefine::CheckOptions(int longindex)
+{
+    if (longindex == 0) {
+        if (flags_ == DOMAIN_UNDEFINE_KEEP_NVRAM) { // --nvram
+            fmt::print("Options --nvram and --keep-nvram are mutually exclusive.\n");
+            return OpRc::ERROR;
+        }
+        flags_ = DOMAIN_UNDEFINE_NVRAM;
+    } else if (longindex == 1) {
+        if (flags_ == DOMAIN_UNDEFINE_NVRAM) { // --keep-nvram
+            fmt::print("Options --nvram and --keep-nvram are mutually exclusive.\n");
+            return OpRc::ERROR;
+        }
+        flags_ = DOMAIN_UNDEFINE_KEEP_NVRAM;
+    } else if (longindex == 2) { // --only-tsb
+        onlyTsb_ = true;
+    } else {
+        fmt::print("Invalid option index: {}\n", longindex);
+        PrintUsage();
+        return OpRc::ERROR;
+    }
+    return OpRc::OK;
+}
+// Parse the args from command line
+OpRc OpUndefine::ParseArgv(int argc, char **argv)
+{
+    int arg = -1;
+    int longindex = -1;
+    optind = 1; // reset
+    std::vector<option> opt = {{"nvram", no_argument, nullptr, 0},
+                               {"keep-nvram", no_argument, nullptr, 0},
+                               {"only-tsb", no_argument, nullptr, 0},
+                               {"help", no_argument, nullptr, 'h'},
+                               {nullptr, 0, nullptr, 0}};
+
+    opterr = 0;
+    // The leading + means no re-ordering, see man page of getopt_long
+    while ((arg = getopt_long(argc, argv, "+h", opt.data(), &longindex)) != -1) {
+        switch (arg) {
+            case 'h':
+                config_.enableExec = false;
+                PrintUsage();
+                optind = argc; // stop parsing
+                return OpRc::OK;
+            case 0:
+                if (CheckOptions(longindex) != OpRc::OK) {
+                    return OpRc::ERROR;
+                }
+                break;
+            default:
+                config_.enableExec = false;
+                PrintUsage();
+                optind = argc; // stop parsing
+                return OpRc::ERROR;
+        }
+    }
+
+    if (argc - optind != OP_UNDEFINE_EXTRA_CMD_NUM) {
+        fmt::print("\nInvalid number of arguments, expect: {}, got: {}\n", OP_UNDEFINE_EXTRA_CMD_NUM, argc - optind);
+        PrintUsage();
+        return OpRc::ERROR;
+    }
+
+    if (strlen(argv[optind]) != 0) {
+        domainName_ = argv[optind];
+        return OpRc::OK;
+    } else {
+        VIRTRUST_LOG_ERROR("Invalid empty domain name");
+        return OpRc::ERROR;
+    }
+}
+
+// Print the usage of this operator
+void OpUndefine::PrintUsage()
+{
+    fmt::print("\n"
+               "  NAME:\n"
+               "    undefine - undefine a domain\n"
+               "\n"
+               "  SYNOPSIS:\n"
+               "    undefine [options] <domain>\n"
+               "\n"
+               "  OPTIONS:\n"
+               "    -h | --help                    this help\n"
+               "    --nvram                        remove nvram file\n"
+               "    --keep-nvram                   keep nvram file\n"
+               "    --only-tsb                     only remove tsb resources, <domain> need uuid\n"
+               "\n");
+}
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust-sh/operator/op_undefine.h b/virtrust/src/virtrust-sh/operator/op_undefine.h
new file mode 100644
index 0000000000000000000000000000000000000000..6ec5422bae09275cb237f9332c6887bf4a1f1934
--- /dev/null
+++ b/virtrust/src/virtrust-sh/operator/op_undefine.h
@@ -0,0 +1,33 @@
+// Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+#pragma once
+
+#include <string>
+#include <vector>
+
+#include "virtrust-sh/operator/op_itf.h"
+
+namespace virtrust {
+
+class OpUndefine : public OpItf {
+public:
+    explicit OpUndefine() : OpItf(OpTy::UNDEFINE)
+    {}
+    ~OpUndefine() override = default;
+
+    OpRc Exec() override;
+
+    // Parse the args from command line
+    OpRc ParseArgv(int argc, char **argv) override;
+
+    // Print the usage of this operator
+    void PrintUsage() override;
+
+private:
+    OpRc CheckOptions(int longindex);
+    std::string domainName_ = "unknown";
+    unsigned int flags_ = 0;
+    bool onlyTsb_ = false;
+};
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust-sh/operator/op_undefine_test.cpp b/virtrust/src/virtrust-sh/operator/op_undefine_test.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..18335611e35ce24dbb9696e42a66d11e1050cdd4
--- /dev/null
+++ b/virtrust/src/virtrust-sh/operator/op_undefine_test.cpp
@@ -0,0 +1,138 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+ */
+
+#include "gtest/gtest.h"
+
+#include "virtrust-sh/operator/op_undefine.h"
+
+namespace virtrust {
+
+TEST(OpUndefineTest, ParseArgvValidArgumentsTest)
+{
+    OpUndefine opUndefine;
+
+    // Test with valid domain name
+    const char *argv[] = {"op_undefine", "test_doamin"};
+    int argc = 2;
+
+    OpRc result = opUndefine.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns OK for valid arguments
+    EXPECT_EQ(result, OpRc::OK);
+}
+
+TEST(OpUndefineTest, ParseArgvHelpFlagTest)
+{
+    OpUndefine opUndefine;
+
+    // Test with help Flag
+    const char *argv[] = {"op_undefine", "--help"};
+    int argc = 2;
+
+    OpRc result = opUndefine.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns OK for help flag (should not execute)
+    EXPECT_EQ(result, OpRc::OK);
+}
+
+TEST(OpUndefineTest, ParseArgvHelpShortFlagTest)
+{
+    OpUndefine opUndefine;
+
+    // Test with help Flag
+    const char *argv[] = {"op_undefine", "-h"};
+    int argc = 2;
+
+    OpRc result = opUndefine.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns OK for short help flag (should not execute)
+    EXPECT_EQ(result, OpRc::OK);
+}
+
+TEST(OpUndefineTest, ParseArgvMissingDoaminTest)
+{
+    OpUndefine opUndefine;
+
+    // Test with missig domain name arguments
+    const char *argv[] = {"op_undefine"};
+    int argc = 1;
+
+    OpRc result = opUndefine.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns ERROR for misssing arguments
+    EXPECT_EQ(result, OpRc::ERROR);
+}
+
+TEST(OpUndefineTest, ParseArgvExtraArgumentsTest)
+{
+    OpUndefine opUndefine;
+
+    // Test with extra arguments
+    const char *argv[] = {"op_undefine", "domain1", "extra_arg"};
+    int argc = 3;
+
+    OpRc result = opUndefine.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns ERROR for extra arguments
+    EXPECT_EQ(result, OpRc::ERROR);
+}
+
+TEST(OpUndefineTest, ParseArgvInvalidOptionTest)
+{
+    OpUndefine opUndefine;
+
+    // Test with invalid option
+    const char *argv[] = {"op_undefine", "--invalid-option"};
+    int argc = 2;
+
+    OpRc result = opUndefine.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns ERROR for invalid option
+    EXPECT_EQ(result, OpRc::ERROR);
+}
+
+TEST(OpUndefineTest, ParseArgvDomainNameStorageTest)
+{
+    OpUndefine opUndefine;
+
+    // Test with domain name is properly stored
+    const char *argv[] = {"op_undefine", "complex-domain-123"};
+    int argc = 2;
+
+    OpRc result = opUndefine.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns OK and domain name is stored
+    EXPECT_EQ(result, OpRc::OK);
+    // Note: Cannot directly access private member domainName_ for verification
+    // but we can verify the function doesn't crash and handles correctly
+}
+
+TEST(OpUndefineTest, ParseArgvComplexDomainNameTest)
+{
+    OpUndefine opUndefine;
+
+    // Test with complex domain name containing special characters
+    const char *argv[] = {"op_undefine", "complex-dimain-name.123"};
+    int argc = 2;
+
+    OpRc result = opUndefine.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns OK for complex domain names
+    EXPECT_EQ(result, OpRc::OK);
+}
+
+TEST(OpUndefineTest, ParseArgvLongDomainNameTest)
+{
+    OpUndefine opUndefine;
+
+    // Test with Long domain name
+    const char *argv[] = {"op_undefine", "very-long-domain-name-that-has-many-characters-for-purposes"};
+    int argc = 2;
+
+    OpRc result = opUndefine.ParseArgv(argc, const_cast<char **>(argv));
+
+    // Verify ParseArgv returns OK for long domain names
+    EXPECT_EQ(result, OpRc::OK);
+}
+} // namespace virtrust
diff --git a/virtrust/src/virtrust-sh/operator/op_utils.h b/virtrust/src/virtrust-sh/operator/op_utils.h
new file mode 100644
index 0000000000000000000000000000000000000000..08fdf53cd12d5cd818cc61347fdc70223623f5ed
--- /dev/null
+++ b/virtrust/src/virtrust-sh/operator/op_utils.h
@@ -0,0 +1,32 @@
+// Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+#pragma once
+
+#include "virtrust-sh/defines.h"
+#include "virtrust-sh/operator/op_itf.h"
+
+namespace virtrust {
+
+inline OpRc ParseCmdStr(char *argv, std::string &out)
+{
+    if (strlen(argv) >= VIRTRUST_SH_CMD_STR_MAX_LEN) {
+        return OpRc::ERROR;
+    }
+    out = argv;
+    return OpRc::OK;
+}
+
+inline OpRc ParseVirtrustRc(VirtrustRc rc)
+{
+    switch (rc) {
+        case VirtrustRc::OK:
+            return OpRc::OK;
+        case VirtrustRc::ERROR:
+            return OpRc::ERROR;
+        default:
+            VIRTRUST_LOG_ERROR("Unknown virtrust return code: {}", static_cast<int>(rc));
+            return OpRc::ERROR;
+    }
+}
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/CMakeLists.txt b/virtrust/src/virtrust/CMakeLists.txt
new file mode 100644
index 0000000000000000000000000000000000000000..ca78eaeb457924e796f932b4a3ad867879fa1499
--- /dev/null
+++ b/virtrust/src/virtrust/CMakeLists.txt
@@ -0,0 +1,99 @@
+# Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+
+add_library(virtrust-obj OBJECT)
+
+find_package(Protobuf REQUIRED)
+find_program(GRPC_CPP_PLUGIN grpc_cpp_plugin REQUIRED)
+
+set(VIRTRUST_SOURCE_FILES "")
+set(VIRTRUST_PROTO_SOURCE_FILES "")
+
+add_subdirectory(api)
+add_subdirectory(base)
+add_subdirectory(dllib)
+add_subdirectory(crypto)
+add_subdirectory(link)
+add_subdirectory(utils)
+
+# Object lib
+
+target_sources(virtrust-obj PRIVATE ${VIRTRUST_SOURCE_FILES})
+
+target_include_directories(
+  virtrust-obj
+  PRIVATE ${CMAKE_DEPS_INCLUDEDIR} $<BUILD_INTERFACE:${PROJECT_SOURCE_DIR}/src>
+          # for pb headers
+          ${CMAKE_BINARY_DIR}/src ${CMAKE_CURRENT_BINARY_DIR})
+
+# HACK make sure proto builds before obj
+add_dependencies(virtrust-obj virtrust_proto)
+add_dependencies(virtrust-obj Deps::spdlog)
+add_dependencies(virtrust-obj Deps::secure_c)
+
+# Object protobuf lib
+
+add_library(virtrust_proto OBJECT)
+target_sources(virtrust_proto PRIVATE ${VIRTRUST_PROTO_SOURCE_FILES})
+
+protobuf_generate(TARGET virtrust_proto LANGUAGE cpp)
+
+protobuf_generate(
+  TARGET
+  virtrust_proto
+  LANGUAGE
+  grpc
+  GENERATE_EXTENSIONS
+  .grpc.pb.h
+  .grpc.pb.cc
+  PLUGIN
+  "protoc-gen-grpc=${GRPC_CPP_PLUGIN}")
+
+target_link_libraries(
+  virtrust_proto
+  PRIVATE protobuf
+          grpc++
+          grpc
+          grpc++_reflection
+          gpr
+          absl_synchronization
+          absl_strings
+          absl_str_format_internal
+          absl_hash
+          absl_cord
+          absl_cordz_info
+          absl_cordz_functions
+          absl_log_internal_check_op
+          absl_log_internal_message
+          absl_log_internal_nullguard)
+target_include_directories(virtrust_proto PRIVATE ${CMAKE_CURRENT_BINARY_DIR})
+
+# Shared lib
+
+add_library(virtrust-shared SHARED $<TARGET_OBJECTS:virtrust-obj>
+                                   $<TARGET_OBJECTS:virtrust_proto>)
+
+target_include_directories(
+  virtrust-shared
+  PRIVATE ${CMAKE_DEPS_INCLUDEDIR} ${CMAKE_CURRENT_BINARY_DIR}/src
+          $<BUILD_INTERFACE:${PROJECT_SOURCE_DIR}/src>)
+
+target_link_libraries(virtrust-shared PRIVATE Deps::spdlog Deps::secure_c)
+
+target_link_libraries(
+  virtrust-shared
+  PRIVATE grpc++
+          grpc++
+          grpc
+          grpc++_reflection
+          gpr
+          protobuf
+          absl_synchronization
+          absl_strings
+          absl_str_format_internal
+          absl_hash
+          absl_cord
+          absl_cordz_info
+          absl_cordz_functions
+          absl_log_internal_check_op
+          absl_log_internal_message
+          absl_log_internal_nullguard)
diff --git a/virtrust/src/virtrust/api/CMakeLists.txt b/virtrust/src/virtrust/api/CMakeLists.txt
new file mode 100644
index 0000000000000000000000000000000000000000..522a0e5713f934d83cc0dd7c957d5039aafd41e9
--- /dev/null
+++ b/virtrust/src/virtrust/api/CMakeLists.txt
@@ -0,0 +1,17 @@
+# Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+
+set(VIRTRUST_SOURCE_FILES
+    ${VIRTURST_SOURCE_FILES} ${CMAKE_CURRENT_LIST_DIR}/context.cpp
+    ${CMAKE_CURRENT_LIST_DIR}/domain.cpp)
+
+add_virtrust_test_if(domain_test ${BUILD_TEST})
+
+set(VIRTRUST_SOURCE_FILES
+    ${VIRTRUST_SOURCE_FILES}
+    PARENT_SCOPE)
+
+install(
+  FILES ${CMAKE_CURRENT_LIST_DIR}/context.h ${CMAKE_CURRENT_LIST_DIR}/domain.h
+        ${CMAKE_CURRENT_LIST_DIR}/defines.h
+  DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}/virtrust/api/
+  PERMISSIONS OWNER_READ)
diff --git a/virtrust/src/virtrust/api/context.cpp b/virtrust/src/virtrust/api/context.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..09a63ec368291c2446602c88a8109b773d755268
--- /dev/null
+++ b/virtrust/src/virtrust/api/context.cpp
@@ -0,0 +1,62 @@
+// Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+
+#include "virtrust/api/context.h"
+
+#include "virtrust/api/define_private.h"
+#include "virtrust/api/defines.h"
+#include "virtrust/base/logger.h"
+#include "virtrust/dllib/libvirt.h"
+
+namespace virtrust {
+
+ConnCtx::ConnCtx() : uri_(VIRTRUST_DEFAULT_URI)
+{}
+
+ConnCtx::~ConnCtx()
+{
+    if (conn_ != nullptr) {
+
+        Libvirt::GetInstance().virConnectClose(conn_);
+        conn_ = nullptr;
+    }
+}
+
+bool ConnCtx::Connect()
+{
+    conn_ = Libvirt::GetInstance().virConnectOpen(uri_.data());
+    if (conn_ == nullptr) {
+        VIRTRUST_LOG_ERROR("virConnectOpen of uri failed, a nullptr ConnCtx has been created.");
+        return false;
+    }
+    return true;
+}
+
+bool ConnCtx::SetUri(std::string uri)
+{
+    if (uri_.empty() || uri.size() > URI_MAX_LENGTH) {
+        return false;
+    }
+    uri_ = uri;
+    return true;
+}
+
+DomainCtx::DomainCtx(const std::unique_ptr<ConnCtx> &conn, const std::string &domainName)
+{
+    if (conn->Get() != nullptr) {
+        domain_ = Libvirt::GetInstance().virDomainLookupByName(conn->Get(), domainName.data());
+        if (domain_ == nullptr) {
+            VIRTRUST_LOG_ERROR("ConnCtx is nullptr, virDomainLookupByName is not "
+                               "called, a nullprt DomainCtx has been created.");
+        }
+    }
+}
+
+DomainCtx::~DomainCtx()
+{
+
+    if (domain_ != nullptr) {
+        Libvirt::GetInstance().virDomainFree(domain_);
+        domain_ = nullptr;
+    }
+}
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/api/context.h b/virtrust/src/virtrust/api/context.h
new file mode 100644
index 0000000000000000000000000000000000000000..79bfb627ad3a303d2c66cd651f2b353927a1c139
--- /dev/null
+++ b/virtrust/src/virtrust/api/context.h
@@ -0,0 +1,70 @@
+// Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+
+#pragma once
+
+#include <memory>
+#include <string>
+
+namespace virtrust {
+
+class ConnCtx {
+public:
+    // HACK redefine this type as it in libvirt
+    using virConnectPtr = int *;
+
+    ConnCtx();
+    explicit ConnCtx(virConnectPtr conn) : conn_(conn)
+    {}
+    bool Connect();
+
+    ConnCtx(const ConnCtx &) = delete;
+    ConnCtx &operator=(const ConnCtx &) = delete;
+    ~ConnCtx();
+    bool SetUri(std::string uri);
+
+    std::string GetUri() const
+    {
+        return uri_;
+    }
+
+    bool CheckOk()
+    {
+        return conn_ != nullptr;
+    }
+
+    // Get the raw pointer (NOTE you may receive a nullptr)
+    virConnectPtr Get()
+    {
+        return conn_;
+    }
+
+private:
+    virConnectPtr conn_ = nullptr;
+    std::string uri_;
+};
+
+class DomainCtx {
+public:
+    using virDomainPtr = int *;
+    DomainCtx() = default;
+    explicit DomainCtx(virDomainPtr domain) : domain_(domain)
+    {}
+    explicit DomainCtx(const std::unique_ptr<ConnCtx> &conn, const std::string &domainName);
+
+    ~DomainCtx();
+    DomainCtx(const DomainCtx &) = delete;
+    DomainCtx &operator=(const DomainCtx &) = delete;
+
+    bool CheckOk()
+    {
+        return domain_ != nullptr;
+    }
+    virDomainPtr Get()
+    {
+        return domain_;
+    }
+
+private:
+    virDomainPtr domain_ = nullptr;
+};
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/api/define_private.h b/virtrust/src/virtrust/api/define_private.h
new file mode 100644
index 0000000000000000000000000000000000000000..809fb6a63fb00c2538e75b556c0ce5e82c77cccb
--- /dev/null
+++ b/virtrust/src/virtrust/api/define_private.h
@@ -0,0 +1,53 @@
+// Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+
+#pragma once
+
+#include <string>
+#include <string_view>
+
+#include "virtrust/api/defines.h"
+
+namespace virtrust {
+constexpr std::string_view VIRTRUST_VERSION = "1.0.0";
+constexpr std::string_view VIRTRUST_XML_REGEX_PATH = "/etc/libvirt/qemu/{}.xml";
+constexpr std::string_view ALLOW_STORE_MEASUREMENTS = "--allow-store-measurements";
+constexpr std::string_view VIRSH_VERSION = "1.0.0";
+const int URI_MAX_LENGTH = 1024;
+
+class VirshMeasureInfo {
+public:
+    VirshMeasureInfo(const std::string name, const std::string uuid) : name_(name), uuid_(uuid), version_(VIRSH_VERSION)
+    {}
+    VirshMeasureInfo()
+    {}
+    std::string name_;    // 度量阶段的名称 如 bios,grup
+    std::string uuid_;    // 虚机的uuid
+    std::string version_; // 度量阶段的版本号
+    int size_;            // content的长度
+    std::string content_; // 如果size是32 content是哈希，如果size不等于32
+                          //  content是度量对象的原文数据
+};
+
+// 汇总虚拟机每个文件度量所需要的信息 方便后续度量
+class VirshMeasureSummary {
+public:
+    VirshMeasureSummary(const std::string &uuid)
+        : bios("bios", uuid),
+          shim("shim", uuid),
+          grub("grub", uuid),
+          grubCfg("grub_cfg", uuid),
+          kernel("kernel", uuid),
+          initrd("initrd", uuid)
+    {}
+
+    VirshMeasureInfo bios;
+    VirshMeasureInfo shim;
+    VirshMeasureInfo grub;
+    VirshMeasureInfo grubCfg;
+    VirshMeasureInfo kernel;
+    VirshMeasureInfo initrd;
+};
+
+VirtrustRc CheckMaxDomainCount();
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/api/defines.h b/virtrust/src/virtrust/api/defines.h
new file mode 100644
index 0000000000000000000000000000000000000000..9af0aa81b2e0302352199b3b2b3082a3efe97e19
--- /dev/null
+++ b/virtrust/src/virtrust/api/defines.h
@@ -0,0 +1,47 @@
+// Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+
+#pragma once
+
+#include <cstdint>
+#include <string>
+#include <string_view>
+
+namespace virtrust {
+
+constexpr std::string_view VIRTRUST_DEFAULT_URI = "qemu:///session";
+constexpr std::string_view UDS_PATH = "/tmp/grpc.sock";
+
+enum class VirtrustRc : uint32_t { OK = 0, ERROR = 1, CHECK_FAILED = 2, INCONSISTENT_RESOURCE = 3 };
+
+enum DomainUndefineFlags {
+    DOMAIN_UNDEFINE_NVRAM = (1 << 2),
+    DOMAIN_UNDEFINE_KEEP_NVRAM = (1 << 3),
+};
+
+// 可组合 如LIST_DOMAINS_ACTIVE|LIST_DOMAINS_INACTIVE
+enum DomainListFlags {
+    LIST_DOMAINS_ACTIVE = (1 << 0),
+    LIST_DOMAINS_INACTIVE = (1 << 1),
+};
+
+enum DomainStartFlags {
+    DOMAIN_START_NONE = 0,
+};
+
+enum DomainDestroyFlags {
+    DOMAIN_DESTROY_NONE = 0,
+};
+
+struct DomainInfo {
+    std::string domainName;
+    unsigned char state;        //  the running state, one of virDomainState
+    unsigned long maxMem;       //  the maximum memory in KBytes allowed
+    unsigned long memory;       //   the memory in KBytes used by the domain
+    unsigned short nrVirtCpu;   //   the number of virtual CPUs for the domain
+    unsigned long long cpuTime; //  the CPU time used in nanoseconds
+};
+
+enum DomainMigrateFlags {
+    MIGRATE_UNDEFINE_SOURCE = (1 << 4), // Undefine the domain on the source host once migration successfully finishes.
+};
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/api/domain.cpp b/virtrust/src/virtrust/api/domain.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..53fd5cd5b2e0d3a35bac53e8dfa8123615022a39
--- /dev/null
+++ b/virtrust/src/virtrust/api/domain.cpp
@@ -0,0 +1,987 @@
+// Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+
+#include "virtrust/api/domain.h"
+
+#include <fcntl.h>
+#include <securec.h>
+#include <sys/file.h>
+#include <sys/wait.h>
+#include <unistd.h>
+
+#include <unordered_set>
+
+#include "spdlog/fmt/fmt.h"
+#include "tsb_agent/tsb_agent.h"
+
+#include "virtrust-sh/defines.h"
+#include "virtrust/api/define_private.h"
+#include "virtrust/api/defines.h"
+#include "virtrust/api/file_lock.h"
+#include "virtrust/base/logger.h"
+#include "virtrust/crypto/sm3.h"
+#include "virtrust/dllib/libvirt.h"
+#include "virtrust/link/grpc_client.h"
+#include "virtrust/utils/file_io.h"
+#include "virtrust/utils/foreign_mounter.h"
+#include "virtrust/utils/virt_xml_parser.h"
+
+namespace virtrust {
+
+constexpr const char *LOCK_FILE = "/tmp/virtrust-start.lock";
+constexpr uint32_t MAX_DOMAIN_COUNT = 32;
+constexpr uint32_t MAX_NAME_LENGTH = 200;
+constexpr uint32_t VIR_UUID_STRING_BUFLEN = 200;
+constexpr int LIST_DOMAINS_MASK = DomainListFlags::LIST_DOMAINS_ACTIVE | DomainListFlags::LIST_DOMAINS_INACTIVE;
+namespace {
+
+inline std::string GetNameStr(const virDomainPtr domian)
+{
+    auto &libvirt = Libvirt::GetInstance();
+    const char *domainName = libvirt.virDomainGetName(domian);
+    return domainName == nullptr ? "-" : domainName;
+}
+
+inline std::string GetUUIDStr(const virDomainPtr domian)
+{
+    auto &libvirt = Libvirt::GetInstance();
+    char uuid[VIR_UUID_STRING_BUFLEN];
+    auto ret = libvirt.virDomainGetUUIDString(domian, uuid);
+    return ret == static_cast<int>(-1) ? "-" : std::string(uuid);
+}
+
+VirtrustRc GetVirshMeasureSummary(virtrust::ForeignMounter &mounter, virtrust::VerifyConfig &config,
+                                  VirshMeasureSummary &measureSummary)
+{
+    virtrust::FileInputStream fis(config.GetLoaderPath());
+    std::string loaderContent = fis.ReadAll();
+    std::vector<uint8_t> loaderSm3(Sm3::DigestSize());
+    Sm3Rc sm3Rc = virtrust::DoSm3(loaderContent, loaderSm3);
+    if (sm3Rc != Sm3Rc::OK) {
+        VIRTRUST_LOG_ERROR("|GetVirshMeasureSummary|END|returnF||do sm3 failed: {}", config.GetLoaderPath());
+        return VirtrustRc::ERROR;
+    }
+
+    measureSummary.bios.content_ = std::string(reinterpret_cast<const char *>(loaderSm3.data()), loaderSm3.size());
+    // grubcfg需要提供文件内容 而不是摘要
+    std::string grubCfgContent;
+    auto rc = mounter.ReadFile(config.GetGrubCfgPath(), grubCfgContent);
+    if (rc != ForeignMounterRc::OK) {
+        VIRTRUST_LOG_ERROR("|GetVirshMeasureSummary|END|returnF||read file failed: {}", config.GetGrubCfgPath());
+        return VirtrustRc::ERROR;
+    }
+    measureSummary.grubCfg.content_ = grubCfgContent;
+
+    std::vector<uint8_t> shimSm3(Sm3::DigestSize(), 0);
+    rc = mounter.DoSm3OnVmFile(config.GetShimPath(), shimSm3);
+    if (rc != ForeignMounterRc::OK && rc != ForeignMounterRc::FILE_NOT_EXIST) {
+
+        VIRTRUST_LOG_ERROR("|GetVirshMeasureSummary|END|returnF||do sm3 failed: {}", config.GetShimPath());
+        return VirtrustRc::ERROR;
+    }
+    measureSummary.shim.content_ = std::string(reinterpret_cast<const char *>(shimSm3.data()), shimSm3.size());
+
+    std::vector<uint8_t> grubSm3(Sm3::DigestSize(), 0);
+    rc = mounter.DoSm3OnVmFile(config.GetGrubPath(), shimSm3);
+    if (rc != ForeignMounterRc::OK && rc != ForeignMounterRc::FILE_NOT_EXIST) {
+        VIRTRUST_LOG_ERROR("|GetVirshMeasureSummary|END|returnF||do sm3 by file failed: {}", config.GetGrubPath());
+        return VirtrustRc::ERROR;
+    }
+    measureSummary.grub.content_ = std::string(reinterpret_cast<const char *>(grubSm3.data()), grubSm3.size());
+
+    std::vector<uint8_t> initrdSm3(Sm3::DigestSize(), 0);
+    rc = mounter.DoSm3OnVmFile(config.GetInitrdPath(), initrdSm3);
+    if (rc != ForeignMounterRc::OK && rc != ForeignMounterRc::FILE_NOT_EXIST) {
+        VIRTRUST_LOG_ERROR("|GetVirshMeasureSummary|END|returnF||do sm3 by file failed: {}", config.GetInitrdPath());
+        return VirtrustRc::ERROR;
+    }
+    measureSummary.initrd.content_ = std::string(reinterpret_cast<const char *>(initrdSm3.data()), initrdSm3.size());
+
+    std::vector<uint8_t> kernelSm3(Sm3::DigestSize(), 0);
+    rc = mounter.DoSm3OnVmFile(config.GetLinuzPath(), kernelSm3);
+    if (rc != ForeignMounterRc::OK && rc != ForeignMounterRc::FILE_NOT_EXIST) {
+        VIRTRUST_LOG_ERROR("|GetVirshMeasureSummary|END|returnF||do sm3 by file failed: {}", config.GetLinuzPath());
+        return VirtrustRc::ERROR;
+    }
+    measureSummary.kernel.content_ = std::string(reinterpret_cast<const char *>(kernelSm3.data()), kernelSm3.size());
+    return VirtrustRc::OK;
+}
+
+bool CalcVirshMeasure(std::string_view guestName, VirshMeasureSummary &measureSummary)
+{
+    const std::string guestXmlPah = fmt::format(VIRTRUST_XML_REGEX_PATH, guestName);
+    virtrust::VirtXmlParser xmlParser;
+    virtrust::VerifyConfig verifyConfig = xmlParser.Parse(guestXmlPah);
+    if (verifyConfig.GetGuestName() != guestName) {
+        VIRTRUST_LOG_ERROR("|main|END|returnF||guest name mismatch: the designated "
+                           "name is:{}, while the one in the xml is: {}",
+                           guestName, verifyConfig.GetGuestName());
+        return false;
+    }
+    auto mounter = virtrust::ForeignMounter();
+    mounter.TryInit();
+    mounter.Mount(verifyConfig.GetDiskPath());
+    if (!mounter.CheckMount()) {
+        VIRTRUST_LOG_ERROR("|main|END|returnF||disk path is: {}|mount failed", verifyConfig.GetDiskPath());
+        return false;
+    }
+    std::string grubCfgContent;
+    ForeignMounterRc rc = mounter.ReadFile(verifyConfig.GetGrubCfgPath(), grubCfgContent);
+    if (rc != ForeignMounterRc::OK) {
+        VIRTRUST_LOG_ERROR("|main|END|returnF||get virsh measure summary failed.");
+        return false;
+    }
+
+    verifyConfig.ParseGrubCfgContent(grubCfgContent);
+    auto virRc = GetVirshMeasureSummary(mounter, verifyConfig, measureSummary);
+    if (virRc != VirtrustRc::OK) {
+        VIRTRUST_LOG_ERROR("|main|END|returnS||get virsh measure summary failed");
+        return false;
+    }
+    VIRTRUST_LOG_INFO("|main|END|returnS||grubContentLength:{}", measureSummary.grub.content_.size());
+    mounter.Unmount();
+    return true;
+}
+
+bool ConvertTsbStruct(const VirshMeasureInfo &src, struct MeasureInfo *&target)
+{
+    int contentSize = src.content_.size();
+    size_t totalSize = sizeof(MeasureInfo) + contentSize + 1;
+    target = static_cast<MeasureInfo *>(malloc(totalSize));
+    if (target == nullptr) {
+        VIRTRUST_LOG_ERROR("malloc failed:{},size:{}", src.name_, totalSize);
+        return false;
+    }
+    if (memcpy_s(target->uuid, sizeof(target->uuid) - 1, src.uuid_.c_str(), src.uuid_.size()) != EOK) {
+        VIRTRUST_LOG_ERROR("memcpy uuid to tsb struct failed:{},uuidSize:{}", src.name_, sizeof(target->uuid));
+        return false;
+    }
+    target->size = contentSize;
+
+    if (memcpy_s(target->content, contentSize, src.content_.c_str(), contentSize) != EOK) {
+        VIRTRUST_LOG_ERROR("memcpy content to tsb struct failed:{},contentSize:{}", src.name_, contentSize);
+        return false;
+    }
+    if (memcpy_s(target->name, sizeof(target->name) - 1, src.name_.c_str(), src.name_.size()) != EOK) {
+        VIRTRUST_LOG_ERROR("memcpy name to tsb struct failed:{}", src.name_);
+        return false;
+    }
+    if (memcpy_s(target->version, sizeof(target->version) - 1, src.version_.c_str(), src.version_.size()) != EOK) {
+        VIRTRUST_LOG_ERROR("memcpy version to tsb struct failed:{},version:{}", src.name_, src.version_);
+        return false;
+    }
+    return true;
+}
+
+void FreeMeasureInfo(struct MeasureInfo *bios, struct MeasureInfo *shim, struct MeasureInfo *grub,
+                     struct MeasureInfo *grubCfg, struct MeasureInfo *kernel, struct MeasureInfo *initrd)
+{
+    if (bios == nullptr) {
+        free(bios);
+    }
+    if (shim == nullptr) {
+        free(shim);
+    }
+    if (grub == nullptr) {
+        free(grub);
+    }
+    if (grubCfg == nullptr) {
+        free(grubCfg);
+    }
+    if (kernel == nullptr) {
+        free(kernel);
+    }
+    if (initrd == nullptr) {
+        free(initrd);
+    }
+}
+
+bool CheckGuestBeforeStart(std::string_view domainName, std::string &uuid)
+{
+    // 收集需要度量文件的摘要值
+    VirshMeasureSummary measureSummary(uuid);
+    if (!CalcVirshMeasure(domainName, measureSummary)) {
+        return false;
+    }
+    // 转换为tsb-agent需要的结构体
+    struct MeasureInfo *bios = nullptr;
+    struct MeasureInfo *shim = nullptr;
+    struct MeasureInfo *grub = nullptr;
+    struct MeasureInfo *grubCfg = nullptr;
+    struct MeasureInfo *kernel = nullptr;
+    struct MeasureInfo *initrd = nullptr;
+
+    bool res = ConvertTsbStruct(measureSummary.bios, bios) && ConvertTsbStruct(measureSummary.shim, shim) &&
+               ConvertTsbStruct(measureSummary.kernel, kernel) && ConvertTsbStruct(measureSummary.initrd, initrd) &&
+               ConvertTsbStruct(measureSummary.grub, grub) && ConvertTsbStruct(measureSummary.grubCfg, grubCfg);
+    if (!res) {
+        VIRTRUST_LOG_ERROR("convert tsb struct failed:{}", domainName);
+        FreeMeasureInfo(bios, shim, grub, grubCfg, kernel, initrd);
+        return false;
+    }
+    // 检查度量值是否通过
+    auto tsbRc = CheckMeasure(uuid.data(), bios, shim, grub, grubCfg, kernel, initrd);
+    FreeMeasureInfo(bios, shim, grub, grubCfg, kernel, initrd);
+    if (tsbRc != 0) {
+        VIRTRUST_LOG_ERROR("CheckMeasure failed:{}", domainName);
+        return false;
+    }
+    return true;
+}
+
+bool UpdateMeasure(std::string_view domainName, std::string &uuid)
+{
+    VIRTRUST_LOG_INFO("|UpdateMeasure|START|||domainName:{}", domainName);
+    VirshMeasureSummary measureSummary(uuid);
+    if (!CalcVirshMeasure(domainName, measureSummary)) {
+        return false;
+    }
+    struct MeasureInfo *bios = nullptr;
+    struct MeasureInfo *shim = nullptr;
+    struct MeasureInfo *grub = nullptr;
+    struct MeasureInfo *grubCfg = nullptr;
+    struct MeasureInfo *kernel = nullptr;
+    struct MeasureInfo *initrd = nullptr;
+    bool res = ConvertTsbStruct(measureSummary.bios, bios) && ConvertTsbStruct(measureSummary.shim, shim) &&
+               ConvertTsbStruct(measureSummary.kernel, kernel) && ConvertTsbStruct(measureSummary.initrd, initrd) &&
+               ConvertTsbStruct(measureSummary.grub, grub) && ConvertTsbStruct(measureSummary.grubCfg, grubCfg);
+    if (!res) {
+        FreeMeasureInfo(bios, shim, grub, grubCfg, kernel, initrd);
+        return false;
+    }
+    auto tsbRc = UpdateMeasure(uuid.data(), bios, shim, grub, grubCfg, kernel, initrd);
+    FreeMeasureInfo(bios, shim, grub, grubCfg, kernel, initrd);
+    if (tsbRc != 0) {
+        VIRTRUST_LOG_ERROR("update tsb measure failed:{}", domainName);
+        return false;
+    }
+
+    VIRTRUST_LOG_INFO("|UpdateMeasure|END|returnS||domainName:{}", domainName);
+    return true;
+}
+
+bool CheckAllowStoreMeasurements(const std::string &args)
+{
+    if (args.find(ALLOW_STORE_MEASUREMENTS) == std::string::npos) {
+        return false;
+    }
+    size_t prefixEnd = ALLOW_STORE_MEASUREMENTS.length();
+    while (prefixEnd < args.length()) {
+        if (args[prefixEnd] != ' ') {
+            return false;
+        }
+        ++prefixEnd;
+    }
+    return true;
+}
+
+VirtrustRc CheckCreateDomainName(const std::string &arg, std::string &domainName, size_t i,
+                                 const std::vector<std::string> &args)
+{
+    // 处理--name ***或-n ***情况
+    if ((arg == "--name" || arg == "-n") && i + 1 < args.size() && !args[i + 1].empty() && args[i + 1].front() != '-') {
+        domainName = args[i + 1];
+        if (domainName.empty() || domainName.size() > MAX_NAME_LENGTH) {
+            VIRTRUST_LOG_ERROR("domain name length is [1, {}]", MAX_NAME_LENGTH);
+            return VirtrustRc::ERROR;
+        }
+    }
+    // 处理--name=***或-n=***或-n*****
+    bool isLongContainsName = arg.length() > 7 && arg.substr(0, 7) == "--name="; // 7是--name=的长度
+    bool isShortContainsName = arg.length() > 3 && arg.substr(0, 2) == "-n"; // 这里大于3是处理-n并且紧跟字符的情况
+    if (isLongContainsName || isShortContainsName) {
+        if (isLongContainsName || (isLongContainsName && arg.find('=') != std::string::npos)) {
+            domainName = arg.substr(arg.find('=') + 1);
+        } else {
+            if (arg.find("-n=") != std::string::npos) {
+                domainName = arg.substr(arg.find("-n=") + 3);
+            } else {
+                domainName = arg.substr(arg.find("-n") + 2);
+            }
+        }
+        if (domainName.empty() || domainName.size() > MAX_NAME_LENGTH) {
+            VIRTRUST_LOG_ERROR("domain name length is [1, {}]", MAX_NAME_LENGTH);
+            return VirtrustRc::ERROR;
+        }
+    }
+    return VirtrustRc::OK;
+}
+
+void GetConnectArgs(const std::string &arg, std::string &value, size_t i, const std::vector<std::string> &args)
+{
+    // 处理--connect ***
+    if (arg == "--connect" && i + 1 < args.size() && !args[i + 1].empty() && args[i + 1].front() != '-') {
+        value = args[i + 1];
+    }
+    // 处理--connect=***
+    bool isLongContains = arg.length() > 10 && arg.substr(0, 10) == "--connect="; // 10是--connect=的长度
+    if (isLongContains) {
+        value = arg.substr(arg.find('=') + 1);
+    }
+}
+
+VirtrustRc ValidateAndPrepareArgs(const std::vector<std::string> &args, std::vector<char *> &execArgs,
+                                  std::string &domainName, bool &allowStoreMeasurements,
+                                  const std::unique_ptr<ConnCtx> &conn)
+{
+
+    execArgs.reserve(args.size() + 3);
+    std::string connectArgs;
+    for (size_t i = 0; i < args.size(); ++i) {
+        const auto &arg = args[i];
+        if (startsWithIgnoreSpaces(arg, ALLOW_STORE_MEASUREMENTS)) {
+            if (CheckAllowStoreMeasurements(arg)) {
+                allowStoreMeasurements = true;
+
+            } else {
+                VIRTRUST_LOG_ERROR("|DomainCreate|END|returnF||--allow-store-"
+                                   "measurements not set value");
+                return VirtrustRc::ERROR;
+            }
+            continue;
+        }
+        // 检查是否为--name=***或-n=***或-n***或--name ***或 -n ***情况
+        if (CheckCreateDomainName(arg, domainName, i, args) != VirtrustRc::OK) {
+            return VirtrustRc::ERROR;
+        }
+        (void)GetConnectArgs(arg, connectArgs, i, args);
+        execArgs.push_back(const_cast<char *>(arg.c_str()));
+    }
+    execArgs.push_back(const_cast<char *>("--noautoconsole"));
+    execArgs.push_back(const_cast<char *>("--noreboot"));
+    if (domainName.empty()) {
+        VIRTRUST_LOG_ERROR("|DomainCreate|END|returnF||domain name must be given.");
+        return VirtrustRc::ERROR;
+    }
+    if (connectArgs.empty()) {
+        execArgs.reserve(args.size() + 5);
+        execArgs.push_back(const_cast<char *>("--connect"));
+        execArgs.push_back(strdup(conn->GetUri().c_str()));
+    } else {
+        conn->SetUri(connectArgs);
+    }
+    execArgs.push_back(nullptr);
+
+    return VirtrustRc::OK;
+}
+
+VirtrustRc UndefineDomainWithRetry(std::unique_ptr<DomainCtx> &domain, const std::string &domainName,
+                                   unsigned int flags, Libvirt &libvirt)
+{
+
+    for (int i = 1; i <= 3; i++) {
+        VIRTRUST_LOG_INFO("try to undefine domain: {}, try times: {}", domainName, i);
+        if (libvirt.virDomainUndefineFlags(domain->Get(), flags) >= 0) {
+            VIRTRUST_LOG_INFO("undefine domain: {} success, try times: {}", domainName, i);
+
+            return VirtrustRc::OK;
+        }
+    }
+    VIRTRUST_LOG_ERROR("failed to undefine domain: {}, try times: 3, see log to get details "
+                       "or use virsh undefine to undefine domain.",
+                       domainName);
+    return VirtrustRc::ERROR;
+}
+
+VirtrustRc CreateDomainAndVRoot(const std::unique_ptr<ConnCtx> &conn, const std::string &domainName,
+                                bool allowStoreMeasurements)
+{
+    auto &libvirt = Libvirt::GetInstance();
+    auto domain = std::make_unique<DomainCtx>(conn, domainName);
+    if (domain->Get() == nullptr) {
+        VIRTRUST_LOG_ERROR("|DomainCreate|END|returnF|failed to find domain: {}", domainName);
+        return VirtrustRc::ERROR;
+    }
+    char uuid[VIR_UUID_STRING_BUFLEN];
+    if (libvirt.virDomainGetUUIDString(domain->Get(), uuid) < 0) {
+        VIRTRUST_LOG_ERROR("|DomainCreate|END|returnF|Failed to get domain uuid: {}", domainName);
+        return VirtrustRc::ERROR;
+    }
+    Description description{};
+    description.state = 0;
+    if (strncpy_s(description.name, sizeof(description.name), domainName.c_str(), sizeof(description.name) - 1) !=
+        EOK) {
+        VIRTRUST_LOG_ERROR("|DomainCreate|END|returnF||strncpy_s domainName failed.");
+
+        return VirtrustRc::ERROR;
+    }
+    if (strncpy_s(description.uuid, sizeof(description.uuid), uuid, sizeof(description.uuid) - 1) != EOK) {
+        VIRTRUST_LOG_ERROR("|DomainCreate|END|returnF||strncpy_s uuid failed.");
+
+        return VirtrustRc::ERROR;
+    }
+    int tsbRet = CreateVRoot(&description);
+    if (tsbRet != 0) {
+        VIRTRUST_LOG_ERROR("|DomainCreate|END|returnF||CreateVRoot failed, tsbRet: {}", tsbRet);
+        (void)UndefineDomainWithRetry(domain, domainName, VIR_DOMAIN_UNDEFINE_NVRAM, libvirt);
+        return VirtrustRc::ERROR;
+    }
+    if (!allowStoreMeasurements) {
+        VIRTRUST_LOG_DEBUG("|DomainCreate|END|returnS||");
+        return VirtrustRc::OK;
+    }
+    std::string uuidStr(uuid);
+    if (!UpdateMeasure(domainName, uuidStr)) {
+        VIRTRUST_LOG_ERROR("|DomainCreate|END|returnF||UpdateMeasure failed");
+        (void)UndefineDomainWithRetry(domain, domainName, VIR_DOMAIN_UNDEFINE_NVRAM, libvirt);
+        return VirtrustRc::ERROR;
+    }
+    VIRTRUST_LOG_DEBUG("|DomainCreate|END|returnS||");
+    return VirtrustRc::OK;
+}
+
+void FreeDescription(Description **description)
+{
+    if (*description != nullptr) {
+        free(*description);
+        *description = nullptr;
+    }
+}
+
+VirtrustRc UndefineTsbResource(const std::string &domainName)
+{
+    if (domainName.size() != 36) { // UUID长度为36
+        VIRTRUST_LOG_ERROR("|DomainUndefine UndefineTsbResource|END|returnF||invalid domain UUID: "
+                           "{}",
+                           domainName);
+
+        return VirtrustRc::ERROR;
+    }
+    int tsbVmNum = 0;
+    Description *tsbVmInfo = nullptr;
+
+    std::unordered_set<std::string> tsbVmNames; // 存放tsb查询到的虚机名称
+    int result = GetVRoots(&tsbVmNum, &tsbVmInfo);
+    if (result != 0) {
+
+        VIRTRUST_LOG_ERROR("|DomainUndefine UndefineTsbResource|END|returnF||failed to get tsb "
+                           "domains");
+        return VirtrustRc::ERROR;
+    }
+    bool isMatch = false;
+    for (int i = 0; i < tsbVmNum; i++) {
+        if (tsbVmInfo[i].uuid == domainName) {
+            isMatch = true;
+            int tsbRet = RemoveVRoot(tsbVmInfo[i].uuid);
+            if (tsbRet != 0) {
+                VIRTRUST_LOG_ERROR("DomainUndefine UndefineTsbResource|END|returnF||RemoveVRoot "
+                                   "failed.");
+                FreeDescription(&tsbVmInfo);
+                return VirtrustRc::ERROR;
+            }
+            FreeDescription(&tsbVmInfo);
+            return VirtrustRc::OK;
+        }
+    }
+    if (!isMatch) {
+        FreeDescription(&tsbVmInfo);
+        VIRTRUST_LOG_ERROR("DomainUndefine UndefineTsbResource|END|returnF||not found uuid:{}.", domainName);
+        return VirtrustRc::ERROR;
+    }
+    FreeDescription(&tsbVmInfo);
+    VIRTRUST_LOG_DEBUG("DomainUndefine UndefineTsbResource|END|returns||domainName: {}", domainName);
+    return VirtrustRc::OK;
+}
+
+bool CompareTsbVirtState(int tsb, int virt)
+{
+    switch (virt) {
+        case VIR_DOMAIN_RUNNING:
+            return tsb == 1;
+        case VIR_DOMAIN_NOSTATE:
+        case VIR_DOMAIN_BLOCKED:
+        case VIR_DOMAIN_PAUSED:
+        case VIR_DOMAIN_SHUTDOWN:
+        case VIR_DOMAIN_SHUTOFF:
+        case VIR_DOMAIN_CRASHED:
+        case VIR_DOMAIN_PMSUSPENDED:
+            return tsb == 0;
+        default:
+            return false;
+    }
+}
+
+bool ConsistencyCheck(const std::unordered_map<std::string, Description> &tsbVmMap,
+                      const std::unordered_map<std::string, DomainInfo> &virtVmMap,
+                      std::unordered_map<std::string, std::pair<LogLevel, std::string>> &errMap)
+{
+
+    errMap.clear();
+    bool out = true;
+    std::unordered_map<std::string, Description> tsbVmMapCopy = tsbVmMap;
+    std::unordered_map<std::string, DomainInfo> virtVmMapCopy = virtVmMap;
+
+    for (const auto &tsb : tsbVmMapCopy) {
+        auto virtIter = virtVmMapCopy.find(tsb.first);
+        if (virtIter == virtVmMapCopy.end() || virtIter->second.domainName != tsb.second.name) {
+            errMap.emplace(tsb.first,
+                           std::make_pair(LogLevel::ERROR,
+                                          fmt::format("Inconsistent vm (tsb uuid:{}, name {}) dose not exist or "
+                                                      "its data is inconsistent with virsh, consider removing this "
+                                                      "instance by \"virtrust-sh "
+                                                      "undefine --only-tsb DOMAIN_UUID\".",
+                                                      tsb.first, tsb.second.name)));
+            out = false;
+            continue;
+        }
+
+        if (!(CompareTsbVirtState(tsb.second.state, virtIter->second.state))) {
+            errMap.emplace(
+                tsb.first,
+                std::make_pair(LogLevel::ERROR,
+                               fmt::format("Inconsistent vm (tsb uuid:{}, name {}) "
+                                           "its data is inconsistent with tsb, consider update this "
+                                           "instance by \"virsh start/destroy DOMAIN_NAME\", or\"virtrust-sh "
+                                           "start/destroy --only-tsb DOMAIN_UUID\".",
+                                           tsb.first, tsb.second.name)));
+            out = false;
+            continue;
+        }
+        // if everything is okay, delete it from the map that we are not iterating
+        virtVmMapCopy.erase(tsb.first);
+    }
+    for (const auto &virt : virtVmMapCopy) {
+        errMap.emplace(virt.first,
+                       std::make_pair(LogLevel::WARN, fmt::format("Found vm (tsb uuid:{}, name {}) is just a normal vm "
+                                                                  "with no trust resources,nothing is wrong, this "
+                                                                  "message is just informational",
+                                                                  virt.first, virt.second.domainName)));
+    }
+    return out;
+}
+
+auto ToMaps(int tsbVmNum, Description *tsbVmInfo, int virtVmNum, virDomainPtr *virtVmArray, unsigned int flags)
+{
+    // create tsb map
+    std::unordered_map<std::string, Description> tsbVmMap;
+    for (int i = 0; i < tsbVmNum; i++) {
+        std::string tsbVmUuid = std::string((tsbVmInfo + i)->uuid);
+        // skip, if flags are only LIST_DOMAIN_ACTIVE&, and domain is not running
+        if (flags == DomainListFlags::LIST_DOMAINS_ACTIVE &&
+            !CompareTsbVirtState((tsbVmInfo + i)->state, VIR_DOMAIN_RUNNING)) {
+            continue;
+        }
+        tsbVmMap.emplace(tsbVmUuid, *(tsbVmInfo + i));
+    }
+    // create virt map
+    std::unordered_map<std::string, DomainInfo> virtVmMap;
+    for (int i = 0; i < virtVmNum; i++) {
+        std::string virtVmUuid = GetUUIDStr(*(virtVmArray + i));
+        virDomainInfo info;
+        if (Libvirt::GetInstance().virDomainGetInfo(virtVmArray[i], &info) < 0) {
+            VIRTRUST_LOG_ERROR("Failed to get domain info for tsb uuid:{}", virtVmUuid);
+            continue;
+        }
+        DomainInfo outInfo;
+        outInfo.domainName = GetNameStr(*(virtVmArray + i));
+        outInfo.state = info.state;
+        outInfo.maxMem = info.maxMem;
+        outInfo.memory = info.memory;
+        outInfo.nrVirtCpu = info.nrVirtCpu;
+        outInfo.cpuTime = info.cpuTime;
+        if (flags == DomainListFlags::LIST_DOMAINS_ACTIVE && outInfo.state != VIR_DOMAIN_RUNNING) {
+            continue;
+        }
+        virtVmMap.emplace(virtVmUuid, outInfo);
+    }
+    return std::make_pair(tsbVmMap, virtVmMap);
+}
+} // namespace
+
+VirtrustRc CheckMaxDomainCount()
+{
+    int tsbVmNum = 0;
+    Description *tsbVmInfo = nullptr;
+    int result = GetVRoots(&tsbVmNum, &tsbVmInfo);
+    if (result != 0) {
+        VIRTRUST_LOG_ERROR("|CheckMaxDomainCount|END|returnF||Failed to get tsb domains");
+        return VirtrustRc::ERROR;
+    }
+    if (tsbVmNum == MAX_DOMAIN_COUNT) {
+        FreeDescription(&tsbVmInfo);
+        VIRTRUST_LOG_ERROR("|CheckMaxDomainCount|END|returnF||support max domain count is: {}", MAX_DOMAIN_COUNT);
+        return VirtrustRc::ERROR;
+    }
+    FreeDescription(&tsbVmInfo);
+    return VirtrustRc::OK;
+}
+
+VirtrustRc DomainCreate(const std::unique_ptr<ConnCtx> &conn, const std::vector<std::string> &args)
+{
+    VIRTRUST_LOG_DEBUG("|DomainCreate||START||");
+    if (conn == nullptr) {
+        VIRTRUST_LOG_ERROR("|DomainCreate|END|returnF|| ConnCtx is nullptr.");
+        return VirtrustRc::ERROR;
+    }
+    FileLock fileLock(LOCK_FILE);
+    if (!fileLock.IsLocked()) {
+        return VirtrustRc::ERROR;
+    }
+    if (conn == nullptr) {
+        VIRTRUST_LOG_ERROR("|DomainCreate|END|returnF||conn is nullptr");
+        return VirtrustRc::ERROR;
+    }
+    if (CheckMaxDomainCount() != VirtrustRc::OK) {
+        return VirtrustRc::ERROR;
+    }
+    std::vector<char *> execArgs;
+    std::string domainName;
+    bool allowStoreMeasurements = false;
+    execArgs.reserve(args.size() + 3); // +3 for --noautoconsole, --noreboot and nullptr
+    if (ValidateAndPrepareArgs(args, execArgs, domainName, allowStoreMeasurements, conn) != VirtrustRc::OK) {
+        return VirtrustRc::ERROR;
+    }
+    std::string argStr = MakeString(execArgs);
+    // run virt-install in a child progress
+    VIRTRUST_LOG_INFO("|DomainCreate|RUNNING|||Execute cmd: {},allowStoreMeasurements:{}", argStr,
+                      allowStoreMeasurements);
+    pid_t pid = fork();
+    if (pid == -1) {
+        VIRTRUST_LOG_ERROR("|DomainCreate|END|returnF||Failed to create fork, msg:{}", strerror(errno));
+        return VirtrustRc::ERROR;
+
+    } else if (pid == 0) {
+
+        if (execv(execArgs[0], execArgs.data()) == -1) {
+
+            VIRTRUST_LOG_ERROR("|DomainCreate|END|returnF||Failed to execute cmd:{}, msg: {}", argStr, strerror(errno));
+            _exit(0);
+        }
+    } else {
+        int status;
+        waitpid(pid, &status, 0);
+        if (WIFEXITED(status)) {
+            int exitStatus = WEXITSTATUS(status);
+            VIRTRUST_LOG_INFO("|DomainCreate|||Child process exited with status: {}", exitStatus);
+            if (exitStatus != 0) {
+                VIRTRUST_LOG_ERROR("|DomainCreate|||Child process exited executed "
+                                   "failed, status is: {}",
+                                   exitStatus);
+                return VirtrustRc::ERROR;
+            }
+            return CreateDomainAndVRoot(conn, domainName, allowStoreMeasurements);
+        }
+        if (WIFSIGNALED(status)) {
+            VIRTRUST_LOG_ERROR("|DomainCreate|||Child process terminated by sigal: {}", WTERMSIG(status));
+            return VirtrustRc::ERROR;
+        }
+    }
+    VIRTRUST_LOG_DEBUG("|DomainCreate|END|returnS||");
+    return VirtrustRc::OK;
+}
+
+VirtrustRc DomainDestroy(const std::unique_ptr<ConnCtx> &conn, const std::string &domainName, unsigned int flags,
+                         bool isOnlyTsb)
+{
+    VIRTRUST_LOG_DEBUG("|DomainDestroy||START||destroy domainName:{}, isonlyTsb:{}", domainName, isOnlyTsb);
+    if (conn == nullptr) {
+        VIRTRUST_LOG_ERROR("|DomainDestroy|END|returnF|| ConnCtx is nullptr.");
+        return VirtrustRc::ERROR;
+    }
+    FileLock fileLock(LOCK_FILE);
+    if (!fileLock.IsLocked()) {
+        return VirtrustRc::ERROR;
+    }
+    if (conn == nullptr) {
+        VIRTRUST_LOG_ERROR("|DomainDestroy|END|returnF||conn is nullptr");
+        return VirtrustRc::ERROR;
+    }
+
+    if (isOnlyTsb) {
+        if (domainName.size() != 36) { // UUID长度为36
+            VIRTRUST_LOG_ERROR("|DomainDestroy|END|returnF||invalid domain UUID: "
+                               "{}",
+                               domainName);
+            return VirtrustRc::ERROR;
+        }
+        std::string uuidStr = domainName;
+        if (StopVRoot(uuidStr.data()) != 0) {
+            VIRTRUST_LOG_ERROR("stop vRoot failed, uuid: {}", uuidStr);
+            return VirtrustRc::ERROR;
+        }
+        return VirtrustRc::OK;
+    }
+    auto &libvirt = Libvirt::GetInstance();
+    if (flags != DOMAIN_DESTROY_NONE) {
+        VIRTRUST_LOG_ERROR("flags only support: {}", static_cast<int>(DOMAIN_DESTROY_NONE));
+        return VirtrustRc::ERROR;
+    }
+    auto domain = std::make_unique<DomainCtx>(conn, domainName);
+    if (domain->Get() == nullptr) {
+        VIRTRUST_LOG_ERROR("Failed to find domain: {}", domainName);
+        return VirtrustRc::ERROR;
+    }
+    if (libvirt.virDomainDestroyFlags(domain->Get(), flags) < 0) {
+        VIRTRUST_LOG_ERROR("Failed to destroy domain: {}", domainName);
+        return VirtrustRc::ERROR;
+    }
+    std::string uuid = GetUUIDStr(domain->Get());
+    if (StopVRoot(uuid.data()) != 0) {
+        VIRTRUST_LOG_ERROR("stop vRoot failed: {}", domainName);
+        return VirtrustRc::ERROR;
+    }
+    VIRTRUST_LOG_DEBUG("|DomainDestroy||END|returnS||domainName: {}", domainName);
+    return VirtrustRc::OK;
+}
+
+VirtrustRc DomainList(const std::unique_ptr<ConnCtx> &conn, unsigned int flags,
+                      std::unordered_map<std::string, DomainInfo> &domainInfos, bool printErrToCli)
+{
+    VIRTRUST_LOG_DEBUG("|DomainList||START||");
+    if (conn == nullptr) {
+        VIRTRUST_LOG_ERROR("|DomainList|END|returnF|| ConnCtx is nullptr.");
+        return VirtrustRc::ERROR;
+    }
+    // 使用按位与操作来检查value是否包含无效的标志
+    if (flags == 0 || (flags & LIST_DOMAINS_MASK) != flags) {
+        VIRTRUST_LOG_ERROR("|DomainList|END|returnF||invalid flags, support value "
+                           "see DomainListFlags.");
+        return VirtrustRc::ERROR;
+    }
+    if (conn == nullptr) {
+        VIRTRUST_LOG_ERROR("|DomainList|END|returnF||conn is nullptr");
+        return VirtrustRc::ERROR;
+    }
+    domainInfos.clear();
+
+    int tsbVmNum = 0;
+    Description *tsbVmInfo = nullptr;
+    if (GetVRoots(&tsbVmNum, &tsbVmInfo) != 0) {
+
+        VIRTRUST_LOG_ERROR("|DomainList|END|returnF||failed to get tsb domains");
+        return VirtrustRc::ERROR;
+    }
+
+    virDomainPtr *virtVmInfo;
+    int virtVmNum = Libvirt::GetInstance().virConnectListAllDomains(conn->Get(), &virtVmInfo, flags);
+    if (virtVmNum < 0) {
+        VIRTRUST_LOG_ERROR("|DomainList|END|returnF||failed to get virsh domains");
+        FreeDescription(&tsbVmInfo);
+        return VirtrustRc::ERROR;
+    }
+
+    auto [tsbVmMap, virtVmMap] = ToMaps(tsbVmNum, tsbVmInfo, virtVmNum, virtVmInfo, flags);
+    std::unordered_map<std::string, std::pair<LogLevel, std::string>> errUuids;
+    auto rc = ConsistencyCheck(tsbVmMap, virtVmMap, errUuids);
+
+    domainInfos = virtVmMap;
+    for (const auto &it : errUuids) {
+        auto msg = fmt::format("[tsb, libvirt]=[{}, {}]{}", tsbVmMap.find(it.first) != tsbVmMap.end(),
+                               virtVmMap.find(it.first) != virtVmMap.end(), it.second.second);
+        switch (it.second.first) {
+            case LogLevel::ERROR:
+                VIRTRUST_LOG_ERROR(msg);
+                break;
+            case LogLevel::WARN:
+                VIRTRUST_LOG_WARN(msg);
+                break;
+            default:
+                VIRTRUST_LOG_ERROR("Unsupported LigLevel: {}", static_cast<int>(it.second.first));
+        }
+        if (printErrToCli && !rc && it.second.first == LogLevel::ERROR) {
+            fmt::print(stderr, "\n{}\n", msg);
+        }
+        domainInfos.erase(it.first);
+    }
+    FreeDescription(&tsbVmInfo);
+    if (virtVmInfo != nullptr) {
+        free(virtVmInfo);
+    }
+    VIRTRUST_LOG_DEBUG("|DomainList|END|returnS||");
+    return VirtrustRc::OK;
+}
+
+VirtrustRc DomainMigrate(const std::unique_ptr<ConnCtx> &conn, const std::string &domainName,
+                         const std::string &destUri, unsigned int flags)
+{
+    VIRTRUST_LOG_DEBUG("|DomainMigrate||START||");
+    if (conn == nullptr) {
+        VIRTRUST_LOG_ERROR("|DomainMigrate|END|returnF|| ConnCtx is nullptr.");
+        return VirtrustRc::ERROR;
+    }
+    FileLock fileLock(LOCK_FILE);
+    if (!fileLock.IsLocked()) {
+        return VirtrustRc::ERROR;
+    }
+    flags |= VIR_MIGRATE_OFFLINE | VIR_MIGRATE_PERSIST_DEST; // 默认离线迁移 离线迁移必须指定VIR_MIGRATE_PERSIST_DEST
+    if (flags != (VIR_MIGRATE_OFFLINE | VIR_MIGRATE_PERSIST_DEST) &&
+        flags != (VIR_MIGRATE_OFFLINE | VIR_MIGRATE_PERSIST_DEST | MIGRATE_UNDEFINE_SOURCE)) {
+        VIRTRUST_LOG_ERROR("|DomainMigrate|END|returnF|invalid flags, only support 0 and {}",
+                           static_cast<unsigned int>(MIGRATE_UNDEFINE_SOURCE));
+        return VirtrustRc::ERROR;
+    }
+    if (destUri.empty() || destUri.find("qemu+tls://") != 0) {
+        VIRTRUST_LOG_ERROR("|DomainMigrate|END|returnF|destUrt is only support starts with qemu+tls://");
+        return VirtrustRc::ERROR;
+    }
+    // 校验虚拟机是否tsb和virsh都存在 并获取uuid
+    std::unordered_map<std::string, DomainInfo> domainInfos;
+    auto ret = DomainList(conn, LIST_DOMAINS_ACTIVE | LIST_DOMAINS_INACTIVE, domainInfos, false);
+    if (ret != VirtrustRc::OK) {
+        VIRTRUST_LOG_ERROR("|DomainMigrate|END|returnF|failed to get domainInfos");
+        return VirtrustRc::ERROR;
+    }
+    std::string uuid;
+    bool exists = std::any_of(domainInfos.begin(), domainInfos.end(), [&domainName, &uuid](const auto &pair) {
+        if (pair.second.domainName == domainName && pair.second.state == VIR_DOMAIN_SHUTOFF) {
+            uuid = pair.first;
+            return true;
+        }
+        return false;
+    });
+    if (!exists) {
+        VIRTRUST_LOG_ERROR("|DomainMigrate|END|returnF|domain: {} not exist or state is not shut off", domainName);
+        return VirtrustRc::ERROR;
+    }
+
+    auto domain = std::make_unique<DomainCtx>();
+
+    LinkConfig config;
+    config.udsPath = UDS_PATH;
+    UdsClient client(config);
+
+    auto localUri = conn->GetUri();
+    MigrationConfig migration_config{
+        .domainName = domainName,
+        .uuid = uuid,
+        .destUri = destUri,
+        .localUri = localUri,
+        .flags = flags,
+    };
+
+    auto retClient = client.DomainMigrate(migration_config);
+    if (retClient != 0) {
+        VIRTRUST_LOG_ERROR("|DomainMigrate|END|returnF|DomainMigrate failed domainName: {}, retClient:{}", domainName,
+                           retClient);
+        return VirtrustRc::ERROR;
+    }
+
+    VIRTRUST_LOG_DEBUG("|DomainMigrate||END|returnS||domainName: {}", domainName);
+    return VirtrustRc::OK;
+}
+
+VirtrustRc DomainStart(const std::unique_ptr<ConnCtx> &conn, const std::string &domainName, unsigned int flags,
+                       bool isOnlyTsb)
+{
+    VIRTRUST_LOG_DEBUG("|DomainStart||START||start domainName: {}, isonlyTsb:{}", domainName, isOnlyTsb);
+    if (conn == nullptr) {
+        VIRTRUST_LOG_ERROR("|DomainStart|END|returnF|| ConnCtx is nullptr.");
+        return VirtrustRc::ERROR;
+    }
+    FileLock fileLock(LOCK_FILE);
+    if (!fileLock.IsLocked()) {
+        return VirtrustRc::ERROR;
+    }
+    if (conn == nullptr) {
+        VIRTRUST_LOG_ERROR("|DomainStart|END|returnF||conn is nullptr");
+        return VirtrustRc::ERROR;
+    }
+    // 如果带--only-tsb仅更新tsb资源
+    if (isOnlyTsb) {
+        std::string uuidStr = domainName;
+        VIRTRUST_LOG_INFO("only update tsb resource");
+        if (domainName.size() != 36) { // UUIDchang长度为36
+            VIRTRUST_LOG_DEBUG("|DomainStart|END|returnF||invalid domain UUID: {}", domainName);
+            return VirtrustRc::ERROR;
+        }
+        if (StartVRoot(uuidStr.data()) != 0) {
+            VIRTRUST_LOG_DEBUG("|DomainStart|END|returnF||start vRoot failed,UUID: {}", domainName);
+            return VirtrustRc::ERROR;
+        }
+        return VirtrustRc::OK;
+    }
+    if (flags != DOMAIN_START_NONE) {
+        VIRTRUST_LOG_ERROR("flags only support: {}", static_cast<unsigned int>(flags));
+        return VirtrustRc::ERROR;
+    }
+    auto domain = std::make_unique<DomainCtx>(conn, domainName);
+    if (domain->Get() == nullptr) {
+        VIRTRUST_LOG_ERROR("failed to find domain: {}", domainName);
+        return VirtrustRc::ERROR;
+    }
+
+    std::string uuid = GetUUIDStr(domain->Get());
+    VIRTRUST_LOG_INFO("Perform checking on: {} before start", domainName);
+    if (!CheckGuestBeforeStart(domainName, uuid)) {
+        VIRTRUST_LOG_ERROR("Check domain failed,domainName: {}", domainName);
+        return VirtrustRc::ERROR;
+    }
+    auto tsbRc = StartVRoot(uuid.data());
+    if (tsbRc != 0) {
+        VIRTRUST_LOG_ERROR("start vRoot failed: {}", domainName);
+        return VirtrustRc::ERROR;
+    }
+    if (Libvirt::GetInstance().virDomainCreateWithFlags(domain->Get(), flags) < 0) {
+        VIRTRUST_LOG_ERROR("failed to start domain: {}", domainName);
+        return VirtrustRc::ERROR;
+    }
+    VIRTRUST_LOG_DEBUG("|DomainStart||END|returnS|domainName: {}", domainName);
+    return VirtrustRc::OK;
+}
+
+VirtrustRc DomainUndefine(const std::unique_ptr<ConnCtx> &conn, const std::string &domainName, unsigned int flags,
+                          bool isOnlyTsb)
+{
+    VIRTRUST_LOG_DEBUG("|DomainUndefine||START||domainName: {}", domainName);
+    if (conn == nullptr) {
+        VIRTRUST_LOG_ERROR("|DomainUndefine|END|returnF|| ConnCtx is nullptr.");
+        return VirtrustRc::ERROR;
+    }
+    FileLock fileLock(LOCK_FILE);
+    if (!fileLock.IsLocked()) {
+        return VirtrustRc::ERROR;
+    }
+    if (conn == nullptr) {
+        VIRTRUST_LOG_ERROR("|DomainUndefine|END|returnF||conn is nullptr");
+        return VirtrustRc::ERROR;
+    }
+    if (isOnlyTsb) {
+        return UndefineTsbResource(domainName);
+    }
+    if (domainName.empty() || domainName.size() > MAX_NAME_LENGTH) {
+        VIRTRUST_LOG_ERROR("DomainUndefine|END|returnF||domain name length is [1, {}]", MAX_NAME_LENGTH);
+        return VirtrustRc::ERROR;
+    }
+    if (flags != DOMAIN_UNDEFINE_NVRAM && flags != DOMAIN_UNDEFINE_KEEP_NVRAM && flags != 0) {
+        VIRTRUST_LOG_ERROR("DomainUndefine|END|returnF||flags only suppport:0,{},and {}",
+                           static_cast<int>(DOMAIN_UNDEFINE_NVRAM), static_cast<int>(DOMAIN_UNDEFINE_KEEP_NVRAM));
+        return VirtrustRc::ERROR;
+    }
+    auto &libvirt = Libvirt::GetInstance();
+
+    auto domain = std::make_unique<DomainCtx>(conn, domainName);
+    if (domain->Get() == nullptr) {
+        VIRTRUST_LOG_ERROR("|DomainUndefine|END|returnF||failed to find domain: {}", domainName);
+        return VirtrustRc::ERROR;
+    }
+    virDomainInfo info;
+    if (libvirt.virDomainGetInfo(domain->Get(), &info) < 0) {
+        VIRTRUST_LOG_ERROR("|DomainUndefine|END|returnF||failed to get domain info: {}", domainName);
+        return VirtrustRc::ERROR;
+    }
+    if (info.state == VIR_DOMAIN_RUNNING) {
+        VIRTRUST_LOG_ERROR("|DomainUndefine|END|returnF||Can not undefine running "
+                           "state domain.");
+        return VirtrustRc::ERROR;
+    }
+    char uuid[VIR_UUID_STRING_BUFLEN];
+    if (libvirt.virDomainGetUUIDString(domain->Get(), uuid) < 0) {
+        VIRTRUST_LOG_ERROR("|DomainUndefine|END|returnF||failed to get domain uuid: {}", domainName);
+        return VirtrustRc::ERROR;
+    }
+
+    if (UndefineDomainWithRetry(domain, domainName, flags, libvirt) != VirtrustRc::OK) {
+        return VirtrustRc::ERROR;
+    }
+
+    int tsbRet = RemoveVRoot(uuid);
+    if (tsbRet != 0) {
+        VIRTRUST_LOG_ERROR("|DomainUndefine|END|returnF||tsb resource remove "
+                           "failed, maybe not exist tsb resource uuid: "
+                           "{},domainName: {},use virsh to undefine domain.",
+                           uuid, domainName);
+        return VirtrustRc::ERROR;
+    }
+    VIRTRUST_LOG_DEBUG("|DomainUndefine|END|returnS||domainName: {}", domainName);
+    return VirtrustRc::OK;
+}
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/api/domain.h b/virtrust/src/virtrust/api/domain.h
new file mode 100644
index 0000000000000000000000000000000000000000..93c740cc9b0b90826e9523070f615ecfc6063fe5
--- /dev/null
+++ b/virtrust/src/virtrust/api/domain.h
@@ -0,0 +1,83 @@
+// Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+
+#pragma once
+
+#include <string>
+#include <unordered_map>
+#include <vector>
+
+#include "virtrust/api/context.h"
+#include "virtrust/api/defines.h"
+
+namespace virtrust {
+/**
+ * 创建虚拟机
+ * @param conn 连接参数
+ * @param args 参数 参考virt-install --help
+ * 名称字段必须指定。arg[0]为virt-install的路径 如：、usr/bin/virt-install
+ * --allow-store-measurements可选 是否鞥新tsb的度量值
+ * @return VirtrustRc
+ */
+VirtrustRc DomainCreate(const std::unique_ptr<ConnCtx> &conn, const std::vector<std::string> &args);
+
+/**
+ * 停止虚拟机
+ * @param conn 连接参数
+ * @param flags 见DomainDestroyFlags中的选项
+ * @param domainName 虚拟机名称，isOnlyTsb为true时只更新tsb相关资源
+ * 为虚拟机UUID，当isOnlyTsb为true时将忽略flags入参
+ * @param isOnlyTsb 是否只更新tsb资源，为true时只更新tsb资源
+ * @return VirtrustRc
+ */
+VirtrustRc DomainDestroy(const std::unique_ptr<ConnCtx> &conn, const std::string &domainName, unsigned int flags,
+                         bool isOnlyTsb = false);
+
+/**
+ * 迁移虚拟机
+ * @param conn 连接参数
+ * @param flags 默认0，不删除源端虚拟机，要删除源端虚拟机见DomainMigrateFlags中的选项
+ * @param domainName 虚拟机名称
+ * @param destUri 目的端地址 格式为<protocol>://<hostip>:<port>/<path> 如qemu+tls://7.7.7.7:8080/system
+ * @return VirtrustRc
+ */
+VirtrustRc DomainMigrate(const std::unique_ptr<ConnCtx> &conn, const std::string &domainName,
+                         const std::string &destUri, unsigned int flags = 0);
+
+/**
+ * 启动虚拟机
+ * @param conn 连接参数
+ * @param flags 见DomainStartFlags中的选项
+ * @param domainName 虚拟机名称，isOnlyTsb为true时只更新tsb相关资源
+ * 为虚拟机UUID，当isOnlyTsb为true时将忽略flags入参
+ * @param isOnlyTsb 是否只更新tsb资源，为true时只更新tsb资源
+ * @return VirtrustRc
+ */
+VirtrustRc DomainStart(const std::unique_ptr<ConnCtx> &conn, const std::string &domainName, unsigned int flags,
+                       bool isOnlyTsb = false);
+
+/**
+ * 删除虚拟机
+ * @param conn 连接参数
+ * @param flags 默认为0（适用于不产生nvram文件时，其他值
+ * 见DomainUndefineFlags,DOMAIN_UNDEFINE_NVRAM和DOMAIN_UNDEFINE_KEEP_NVRAM仅支持同一时间指定一种
+ * @param domainName 虚拟机名称，isOnlyTsb为true时只更新tsb相关资源
+ * 为虚拟机UUID，当isOnlyTsb为true时将忽略flags入参
+ * @param isOnlyTsb 是否只删除tsb资源，为true时只删除tsb资源
+ * @return VirtrustRc
+ */
+VirtrustRc DomainUndefine(const std::unique_ptr<ConnCtx> &conn, const std::string &domainName, unsigned int flags = 0,
+                          bool isOnlyTsb = false);
+
+/**
+ * 展示虚拟机
+ * @param conn 连接参数
+ * @param flags
+ * 见DomainListFlag选项，可组合LIST_DOMAINS_ACTIVE|LIST_DOMAINS_INACTIVE
+ * @param dmoainInfos 查询到的虚拟机信息
+ * @param printErrToCli
+ * 是否屏显tsb资源和libvirt资源不一致的错误信息，如果libvirt有但是tsb没有不会屏显，日志会有warn日志
+ * @return VirtrustRc
+ */
+VirtrustRc DomainList(const std::unique_ptr<ConnCtx> &conn, unsigned int flags,
+                      std::unordered_map<std::string, DomainInfo> &domainInfos, bool printErrToCli = false);
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/api/domain_test.cpp b/virtrust/src/virtrust/api/domain_test.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..8520fa84a4eb13c6350bb139d3ceb83b8a055b9b
--- /dev/null
+++ b/virtrust/src/virtrust/api/domain_test.cpp
@@ -0,0 +1,244 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+ */
+
+#include <gtest/gtest.h>
+
+#include <memory>
+#include <string>
+#include <vector>
+
+#include "virtrust/api/context.h"
+#include "virtrust/api/defines.h"
+#include "virtrust/api/domain.h"
+#include "virtrust/base/logger.h"
+#include "virtrust/crypto/sm3.h"
+#include "virtrust/dllib/libvirt.h"
+#include "virtrust/utils/file_io.h"
+#include "virtrust/utils/foreign_mounter.h"
+#include "virtrust/utils/virt_xml_parser.h"
+
+namespace virtrust {
+
+// Test that basic compilation works
+TEST(DISABLED_DomainTest, BasicCompilation)
+{
+    // Basic compile-time test - just ensure the functions exist and can be called
+    EXPECT_TRUE(true);
+}
+
+// Test that VerifyConfig can be instantiated and used
+TEST(DISABLED_DomainTest, VerifyConfigBasics)
+{
+    // Test that VerifyConfig can be constructed with basic parameters
+    VerifyConfig config("test-guest", "/path/to/disk", "/path/to/loader");
+
+    // Test basic getter functions exist and work
+    EXPECT_EQ(config.GetGuestName(), "test-guest");
+    EXPECT_EQ(config.GetDiskPath(), "/path/to/disk");
+    EXPECT_EQ(config.GetLoaderPath(), "/path/to/loader");
+}
+
+// Test additional VerifyConfig methods
+TEST(DISABLED_DomainTest, VerifyConfigAdditionalPaths)
+{
+    VerifyConfig config("test-guest", "/path/to/disk", "/path/to/loader");
+
+    // Test getter functions exist and return non-empty strings after construction
+    EXPECT_EQ(config.GetGuestName(), "test-guest");
+    EXPECT_EQ(config.GetDiskPath(), "/path/to/disk");
+    EXPECT_EQ(config.GetLoaderPath(), "/path/to/loader");
+
+    // Test that other paths return something (may be empty initially)
+    EXPECT_NO_THROW(config.GetShimPath());
+    EXPECT_NO_THROW(config.GetGrubPath());
+    EXPECT_NO_THROW(config.GetGrubCfgPath());
+    EXPECT_NO_THROW(config.GetInitrdPath());
+    EXPECT_NO_THROW(config.GetLinuzPath());
+}
+
+// Test DomainList with different connection scenarios
+TEST(DISABLED_DomainTest, DomainListScenarios)
+{
+    std::unordered_map<std::string, DomainInfo> domainInfos;
+
+    // Test with null connection - should handle gracefully
+    (void)DomainList(nullptr, DomainListFlags::LIST_DOMAINS_ACTIVE, domainInfos, false);
+    // Function should not crash - actual return code may vary
+
+    domainInfos.clear();
+    // Test with valid connection and different flags
+    auto conn = std::make_unique<ConnCtx>();
+    (void)DomainList(conn, DomainListFlags::LIST_DOMAINS_ACTIVE, domainInfos, false);
+    // Just verify the function can be called - actual result depends on test environment
+
+    domainInfos.clear();
+    (void)DomainList(conn, DomainListFlags::LIST_DOMAINS_INACTIVE, domainInfos, false);
+
+    domainInfos.clear();
+    (void)DomainList(conn, DomainListFlags::LIST_DOMAINS_ACTIVE | DomainListFlags::LIST_DOMAINS_INACTIVE, domainInfos,
+                     false);
+}
+
+// Test DomainCreate with various parameters
+TEST(DISABLED_DomainTest, DomainCreateVariations)
+{
+    // Test with null connection
+    std::vector<std::string> args;
+    (void)DomainCreate(nullptr, args);
+    // Should handle null connection gracefully
+
+    // Test with valid connection but empty args
+    args.clear();
+    (void)DomainCreate(std::make_unique<ConnCtx>(), args);
+    // Should handle empty args gracefully
+
+    // Test with valid connection and mock args
+    args = {"/usr/bin/virt-install", "--name", "test-vm", "--ram", "1024", "--import"};
+    (void)DomainCreate(std::make_unique<ConnCtx>(), args);
+    // Should handle valid args gracefully
+}
+
+// Test DomainStart with various scenarios
+TEST(DISABLED_DomainTest, DomainStartScenarios)
+{
+    // Test with null connection
+    (void)DomainStart(nullptr, "test-domain", DomainStartFlags::DOMAIN_START_NONE, false);
+
+    // Test with valid connection and empty domain name
+    (void)DomainStart(std::make_unique<ConnCtx>(), "", DomainStartFlags::DOMAIN_START_NONE, false);
+
+    // Test with valid connection and domain name
+    (void)DomainStart(std::make_unique<ConnCtx>(), "test-domain", DomainStartFlags::DOMAIN_START_NONE, false);
+
+    // Test with isOnlyTsb=true
+    (void)DomainStart(std::make_unique<ConnCtx>(), "test-domain", DomainStartFlags::DOMAIN_START_NONE, true);
+}
+
+// Test DomainDestroy with various scenarios
+TEST(DISABLED_DomainTest, DomainDestroyScenarios)
+{
+    // Test with null connection
+    (void)DomainDestroy(nullptr, "test-domain", DomainDestroyFlags::DOMAIN_DESTROY_NONE, false);
+
+    // Test with valid connection and empty domain name
+    (void)DomainDestroy(std::make_unique<ConnCtx>(), "", DomainDestroyFlags::DOMAIN_DESTROY_NONE, false);
+
+    // Test with valid connection and domain name
+    (void)DomainDestroy(std::make_unique<ConnCtx>(), "test-domain", DomainDestroyFlags::DOMAIN_DESTROY_NONE, false);
+
+    // Test with isOnlyTsb=true
+    (void)DomainDestroy(std::make_unique<ConnCtx>(), "test-domain", DomainDestroyFlags::DOMAIN_DESTROY_NONE, true);
+}
+
+// Test DomainMigrate with various scenarios
+TEST(DISABLED_DomainTest, DomainMigrateScenarios)
+{
+    // Test with null connection
+    (void)DomainMigrate(nullptr, "test-domain", "qemu+tls://dest:16509/system", 0);
+
+    // Test with valid connection and empty domain name
+    (void)DomainMigrate(std::make_unique<ConnCtx>(), "", "qemu+tls://dest:16509/system", 0);
+
+    // Test with valid connection and empty destination URI
+    (void)DomainMigrate(std::make_unique<ConnCtx>(), "test-domain", "", 0);
+
+    // Test with valid parameters
+    (void)DomainMigrate(std::make_unique<ConnCtx>(), "test-domain", "qemu+tls://dest:16509/system", 0);
+
+    // Test with migrate flags
+    (void)DomainMigrate(std::make_unique<ConnCtx>(), "test-domain", "qemu+tls://dest:16509/system",
+                        DomainMigrateFlags::MIGRATE_UNDEFINE_SOURCE);
+}
+
+// Test DomainUndefine with various scenarios
+TEST(DISABLED_DomainTest, DomainUndefineScenarios)
+{
+    // Test with null connection
+    (void)DomainUndefine(nullptr, "test-domain", 0, false);
+
+    // Test with valid connection and empty domain name
+    (void)DomainUndefine(std::make_unique<ConnCtx>(), "", 0, false);
+
+    // Test with valid connection and domain name
+    (void)DomainUndefine(std::make_unique<ConnCtx>(), "test-domain", 0, false);
+
+    // Test with isOnlyTsb=true
+    (void)DomainUndefine(std::make_unique<ConnCtx>(), "test-domain", 0, true);
+
+    // Test with nvram flags
+    (void)DomainUndefine(std::make_unique<ConnCtx>(), "test-domain", DomainUndefineFlags::DOMAIN_UNDEFINE_NVRAM, false);
+
+    (void)DomainUndefine(std::make_unique<ConnCtx>(), "test-domain", DomainUndefineFlags::DOMAIN_UNDEFINE_KEEP_NVRAM,
+                         false);
+}
+
+// Test ConnCtx functionality
+TEST(DISABLED_DomainTest, ConnCtxFunctionality)
+{
+    // Test ConnCtx construction and methods
+    auto conn = std::make_unique<ConnCtx>();
+    EXPECT_FALSE(conn->CheckOk()); // Should be false since no connection established
+
+    EXPECT_TRUE(conn->GetUri().empty()); // URI should be empty initially
+
+    // Test SetUri functionality
+    EXPECT_TRUE(conn->SetUri("test:///default"));
+    EXPECT_EQ(conn->GetUri(), "test:///default");
+
+    // Test setting another URI
+    EXPECT_TRUE(conn->SetUri("qemu:///system"));
+    EXPECT_EQ(conn->GetUri(), "qemu:///system");
+
+    // Test invalid URI setting if any
+    // Just verify the function can be called without crashing
+    EXPECT_NO_THROW(conn->SetUri("invalid://uri"));
+}
+
+// Test VerifyConfig construction with different Linux distributions
+TEST(DISABLED_DomainTest, VerifyConfigDistroVariations)
+{
+    VerifyConfig configEuler("test-guest", "/path/to/disk", "/path/to/loader", LinuxDistro::OPENEULER);
+    EXPECT_EQ(configEuler.GetGuestName(), "test-guest");
+
+    VerifyConfig configCentos("test-guest", "/path/to/disk", "/path/to/loader", LinuxDistro::CENTOS);
+    EXPECT_EQ(configCentos.GetGuestName(), "test-guest");
+
+    VerifyConfig configUbuntu("test-guest", "/path/to/disk", "/path/to/loader", LinuxDistro::UBUNTU);
+    EXPECT_EQ(configUbuntu.GetGuestName(), "test-guest");
+
+    VerifyConfig configDebian("test-guest", "/path/to/disk", "/path/to/loader", LinuxDistro::DEBIAN);
+    EXPECT_EQ(configDebian.GetGuestName(), "test-guest");
+
+    VerifyConfig configFedora("test-guest", "/path/to/disk", "/path/to/loader", LinuxDistro::FEDORA);
+    EXPECT_EQ(configFedora.GetGuestName(), "test-guest");
+}
+
+// Test VerifyConfig ParseGrubCfgContent functionality
+TEST(DISABLED_DomainTest, VerifyConfigParseGrubCfgContent)
+{
+    VerifyConfig config("test-guest", "/path/to/disk", "/path/to/loader");
+
+    // Test parsing GRUB config content
+    std::string grubContent = R"(
+# GRUB configuration file
+set default="0"
+set timeout=5
+
+menuentry "Test OS" {
+    linux /boot/vmlinuz-5.10.0 root=/dev/sda1
+    initrd /boot/initramfs-5.10.0.img
+}
+)";
+
+    EXPECT_NO_THROW(config.ParseGrubCfgContent(grubContent));
+
+    // Test with empty content
+    EXPECT_NO_THROW(config.ParseGrubCfgContent(""));
+
+    // Test with malformed content
+    std::string malformedContent = "invalid grub config content\n";
+    EXPECT_NO_THROW(config.ParseGrubCfgContent(malformedContent));
+}
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/api/file_lock.h b/virtrust/src/virtrust/api/file_lock.h
new file mode 100644
index 0000000000000000000000000000000000000000..e79fb7efda03cf73a075b260a00ed34aaa5dcff4
--- /dev/null
+++ b/virtrust/src/virtrust/api/file_lock.h
@@ -0,0 +1,61 @@
+// Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+
+#pragma once
+
+#include <fcntl.h>
+#include <sys/file.h>
+#include <sys/stat.h>
+#include <unistd.h>
+
+#include <cerrno>
+#include <cstring>
+
+#include "virtrust/base/logger.h"
+
+namespace virtrust {
+
+class FileLock {
+public:
+    FileLock(const char *fileName) : fd_(open(fileName, O_RDWR | O_CREAT | O_CLOEXEC, LOCK_FILE_PERMISSIONS))
+    {
+        if (fd_ == -1) {
+            VIRTRUST_LOG_ERROR("Failed to open file {}, msg {}", fileName, strerror(errno));
+        } else {
+
+            // Force permissions to 666 regardless of umask
+            if (fchmod(fd_, 0666) == -1) {
+                VIRTRUST_LOG_ERROR("Failed to set permissions for file {}, msg {}", fileName, strerror(errno));
+            }
+
+            // Try to acquire the lock
+            if (flock(fd_, LOCK_EX) == -1) {
+                VIRTRUST_LOG_ERROR("Failed to lock file {}, msg {}", fileName, strerror(errno));
+                close(fd_);
+                fd_ = -1;
+            }
+        }
+    }
+
+    ~FileLock()
+    {
+        if (fd_ != -1) {
+            flock(fd_, LOCK_UN);
+            close(fd_);
+        }
+    }
+
+    bool IsLocked() const
+    {
+        return fd_ != -1;
+    }
+    int GetFileDescriptor() const
+    {
+        return fd_;
+    }
+
+private:
+    static constexpr mode_t LOCK_FILE_PERMISSIONS = 0666;
+    int fd_ = -1;
+};
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/base/CMakeLists.txt b/virtrust/src/virtrust/base/CMakeLists.txt
new file mode 100644
index 0000000000000000000000000000000000000000..ded88cec4279d547ff65d5ab821881a167abf4e6
--- /dev/null
+++ b/virtrust/src/virtrust/base/CMakeLists.txt
@@ -0,0 +1,22 @@
+# Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+set(VIRTRUST_SOURCE_FILES
+    ${VIRTRUST_SOURCE_FILES}
+    ${CMAKE_CURRENT_LIST_DIR}/custom_logger.cpp
+    ${CMAKE_CURRENT_LIST_DIR}/log_adapt.cpp
+    ${CMAKE_CURRENT_LIST_DIR}/str_utils.cpp
+    ${CMAKE_CURRENT_LIST_DIR}/exception.cpp)
+
+add_virtrust_test_if(exception_test ${BUILD_TEST})
+add_virtrust_test_if(custom_logger_test ${BUILD_TEST})
+add_virtrust_test_if(log_adapt_test ${BUILD_TEST})
+add_virtrust_test_if(str_utils_test ${BUILD_TEST})
+
+install(
+  FILES ${CMAKE_CURRENT_LIST_DIR}/custom_logger.h
+  DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}/virtrust/base
+  PERMISSIONS OWNER_READ)
+
+set(VIRTRUST_SOURCE_FILES
+    ${VIRTRUST_SOURCE_FILES}
+    PARENT_SCOPE)
diff --git a/virtrust/src/virtrust/base/custom_logger.cpp b/virtrust/src/virtrust/base/custom_logger.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..02d15fd8a162ddad47e6c6bef2a43d10e9832afd
--- /dev/null
+++ b/virtrust/src/virtrust/base/custom_logger.cpp
@@ -0,0 +1,130 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+ */
+
+#include "virtrust/base/custom_logger.h"
+
+#include <string>
+
+// NOTE DO NOT REMOVE this chrono header
+#include "spdlog/fmt/bundled/chrono.h"
+#include "spdlog/fmt/bundled/core.h"
+
+#include "virtrust/base/log_adapt.h"
+#include "virtrust/utils/enum_check.h"
+
+namespace virtrust {
+using LogLevelCheck = EnumCheck<LogLevel, LogLevel::TRACE, LogLevel::DEBUG, LogLevel::INFO, LogLevel::WARN,
+                                LogLevel::ERROR, LogLevel::CRITICAL>;
+
+namespace {
+std::mutex mutex;
+constexpr int DEFAULT_STR_TIME_LEN = 24;
+constexpr auto DEFAULT_LOG_FUNCTION = [](LogLevel level, std::string_view msg) {
+    std::chrono::time_point<std::chrono::system_clock> now = std::chrono::system_clock::now();
+    fmt::print("[{} {:%Y-%m-%d %H-%M-%S}] {}\n", LogLevelToStr(level), now, msg);
+};
+} // namespace
+
+std::string LogLevelToStr(LogLevel level)
+{
+    switch (level) {
+        case LogLevel::TRACE:
+            return "TRACE";
+        case LogLevel::DEBUG:
+            return "DEBUG";
+        case LogLevel::INFO:
+            return "INFO";
+        case LogLevel::WARN:
+            return "WARN";
+        case LogLevel::ERROR:
+            return "ERROR";
+        case LogLevel::CRITICAL:
+            return "CRITICAL";
+        default:
+            return "UNKNOWN";
+    }
+}
+
+Logger *Logger::Instance()
+{
+    static Logger logger;
+    return &logger;
+}
+
+void Logger::Log(LogLevel level, std::string_view msg)
+{
+    if (logFunction_ != nullptr) {
+        logFunction_(level, msg);
+    } else {
+        if (LogAdapt::gSpdLogger != nullptr && LogAdapt::gSpdLogger->spdLogger != nullptr &&
+            static_cast<int>(level) >= static_cast<int>(displayLogLevel_)) {
+            LogAdapt::gSpdLogger->spdLogger->log(static_cast<spdlog::level::level_enum>(static_cast<int>(level)),
+                                                 msg.data());
+        }
+    }
+}
+
+void Logger::SetDisplayLogLevel(LogLevel level)
+{
+    if (static_cast<int>(level) >= static_cast<int>(LogLevel::UNKNOWN)) {
+        fmt::print(stderr, "log level is invalid : {}", static_cast<int>(level));
+    }
+
+    if (LogAdapt::gSpdLogger != nullptr && LogAdapt::gSpdLogger->spdLogger != nullptr) {
+        LogAdapt::gSpdLogger->spdLogger->set_level(static_cast<spdlog::level::level_enum>(static_cast<int>(level)));
+        displayLogLevel_ = level;
+    } else {
+        fmt::print(stderr, "failed to set log level\n");
+    }
+}
+
+void Logger::Reset()
+{
+    logFunction_ = nullptr;
+    if (LogAdapt::gSpdLogger != nullptr && LogAdapt::gSpdLogger->spdLogger != nullptr) {
+        LogAdapt::gSpdLogger->spdLogger->set_level(
+            static_cast<spdlog::level::level_enum>(static_cast<int>(LogLevel::INFO)));
+    }
+    displayLogLevel_ = LogLevel::INFO;
+}
+
+VirtrustRc Logger::InitLog(int logLevel, const char *path, int rotationFileSize, int rotationFileCount)
+{
+
+    if (logLevel < static_cast<int>(LogLevel::TRACE) || logLevel > static_cast<int>(LogLevel::CRITICAL)) {
+        fmt::print(stderr, "Invalid log level: {}", logLevel);
+        return VirtrustRc::ERROR;
+    }
+
+    int logType = (path != nullptr) ? FILE_TYPE : STDOUT_TYPE;
+    auto rc = LogAdapt::ValidateParams(logType, path, rotationFileSize, rotationFileCount);
+    if (rc != VirtrustRc::OK) {
+        fmt::print(stderr, "LogAdapt param validation failed, return: {}, msg: {}", static_cast<uint32_t>(rc),
+                   LogAdapt::gLastErrorMessage);
+        return rc;
+    }
+
+    rc = LogAdapt::CreateInstance(logType, logLevel, path, rotationFileSize, rotationFileCount);
+    if (rc != VirtrustRc::OK) {
+        fmt::print(stderr, "LogAdapt create instance failed, return: {}", static_cast<uint32_t>(rc));
+        return rc;
+    }
+
+    displayLogLevel_ = static_cast<LogLevel>(logLevel);
+    return VirtrustRc::OK;
+}
+
+bool Logger::SetCustomLogFunction(const std::function<CustomLogFunTy> &func)
+{
+    std::lock_guard<std::mutex> lock(mutex);
+    if (func == nullptr) {
+        DEFAULT_LOG_FUNCTION(LogLevel::ERROR, "Failed to set external log function as log function is nullptr.");
+        return false;
+    } else {
+        logFunction_ = func;
+        return true;
+    }
+}
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/base/custom_logger.h b/virtrust/src/virtrust/base/custom_logger.h
new file mode 100644
index 0000000000000000000000000000000000000000..aacd4b63e9b7e9719f531eb5259f306014397813
--- /dev/null
+++ b/virtrust/src/virtrust/base/custom_logger.h
@@ -0,0 +1,80 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+ */
+
+#pragma once
+
+#include <functional>
+#include <string>
+
+#include "virtrust/api/defines.h"
+
+namespace virtrust {
+const int32_t DEFAULT_ROTATION_FILE_SIZE = 20 * 1024 * 1024;
+const int32_t DEFAULT_ROTATION_FILE_COUNT = 20;
+
+enum class LogLevel {
+    TRACE = 0,
+    DEBUG = 1,
+    INFO = 2,
+    WARN = 3,
+    ERROR = 4,
+    CRITICAL = 5,
+    UNKNOWN,
+};
+
+std::string LogLevelToStr(LogLevel level);
+
+class Logger {
+public:
+    using CustomLogFunTy = void(LogLevel level, std::string_view msg);
+
+    Logger(const Logger &) = delete;
+    Logger(Logger &&) = delete;
+    Logger &operator=(const Logger &) = delete;
+    Logger &operator=(Logger &&) = delete;
+
+    ~Logger()
+    {
+        logFunction_ = nullptr;
+    }
+
+    static Logger *Instance();
+
+    void Log(LogLevel level, std::string_view msg);
+
+    // For cpp-style function, lambda works
+    // NOTE Please make sure you do not use a "capture" lambda for log function
+    bool SetCustomLogFunction(const std::function<CustomLogFunTy> &func);
+
+    void SetDisplayLogLevel(LogLevel level);
+
+    LogLevel GetDisplayLogLevel()
+    {
+        return displayLogLevel_;
+    }
+
+    void Reset();
+
+    /**
+     * 初始化日志相关
+     * @param path[IN] 日志路径 nullptr
+     * 不输出到文件，要输出到文件时是带文件名的路径，路径需存在。
+     * @param logLevel[IN] 日志级别 默认INFO。
+     * @param rotationFileSize[IN]
+     * 单个日志文件大小，单位字节bytes,默认20*1024*1024*1024（20M）范围[1*1024*1024,500*1024*1024]。
+     * @param rotationFileCount[IN] 日志保存数量 超过该数量 之前日志将被删除
+     * 默认20 范围[1,64]。
+     * @return VirtrustRc::OK 失败错误码
+     */
+    VirtrustRc InitLog(int logLevel = static_cast<int>(LogLevel::INFO), const char *path = nullptr,
+                       int rotationFileSize = DEFAULT_ROTATION_FILE_SIZE,
+                       int rotationFileCount = DEFAULT_ROTATION_FILE_COUNT);
+
+private:
+    Logger() = default;
+    std::function<CustomLogFunTy> logFunction_ = nullptr;
+    LogLevel displayLogLevel_ = LogLevel::INFO;
+};
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/base/custom_logger_test.cpp b/virtrust/src/virtrust/base/custom_logger_test.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..84688a058ea4f555b649520c53b7199060f63600
--- /dev/null
+++ b/virtrust/src/virtrust/base/custom_logger_test.cpp
@@ -0,0 +1,148 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+ */
+
+#include <thread>
+
+#include "gtest/gtest.h"
+#include "spdlog/fmt/fmt.h"
+
+#include "virtrust/base/custom_logger.h"
+#include "virtrust/base/logger.h"
+
+namespace virtrust {
+
+TEST(CustomLogger, SetCustomLogFunction)
+{
+    // Test setting a custom log function
+    bool result = Logger::Instance()->SetCustomLogFunction(
+        [](LogLevel level, std::string_view msg) { fmt::print("[{}] {}\n", LogLevelToStr(level), msg); });
+    EXPECT_TRUE(result);
+
+    // Test setting nullptr function
+    result = Logger::Instance()->SetCustomLogFunction(nullptr);
+    EXPECT_FALSE(result);
+
+    // Reset the logger
+    Logger::Instance()->Reset();
+}
+
+TEST(CustomLogger, LogLevelConversion)
+{
+    // Test conversion of log levels to strings
+    EXPECT_EQ(LogLevelToStr(LogLevel::TRACE), "TRACE");
+    EXPECT_EQ(LogLevelToStr(LogLevel::DEBUG), "DEBUG");
+    EXPECT_EQ(LogLevelToStr(LogLevel::INFO), "INFO");
+    EXPECT_EQ(LogLevelToStr(LogLevel::WARN), "WARN");
+    EXPECT_EQ(LogLevelToStr(LogLevel::ERROR), "ERROR");
+    EXPECT_EQ(LogLevelToStr(LogLevel::CRITICAL), "CRITICAL");
+    EXPECT_EQ(LogLevelToStr(LogLevel::UNKNOWN), "UNKNOWN");
+}
+
+TEST(CustomLogger, InstanceSingleton)
+{
+    // Test that Logger follows singleton pattern
+    Logger *logger1 = Logger::Instance();
+    Logger *logger2 = Logger::Instance();
+    EXPECT_EQ(logger1, logger2);
+}
+
+TEST(CustomLogger, logWithCustomFunction)
+{
+    // Test logging with custom function
+    std::string captured_log;
+
+    // this log function is actually corrupted when we leave this test
+    // Note this is bad practice, do not use capture lambda for log function
+    Logger::Instance()->SetCustomLogFunction([&captured_log](LogLevel level, std::string_view msg) {
+        captured_log = fmt::format("[{}] {}", LogLevelToStr(level), msg);
+    });
+
+    Logger::Instance()->Log(LogLevel::INFO, "Test message");
+    EXPECT_FALSE(captured_log.empty());
+
+    // Reset the logger
+    Logger::Instance()->Reset();
+}
+
+TEST(CustomLogger, logWithoutCustomFunction)
+{
+    // Test logging without custom function (should use default)
+    // This test mainly ensures no crash occurs
+    Logger::Instance()->Log(LogLevel::INFO, "Default log message");
+
+    // Test with different log levels
+    Logger::Instance()->Log(LogLevel::TRACE, "DTrace message");
+    Logger::Instance()->Log(LogLevel::DEBUG, "Debug message");
+    Logger::Instance()->Log(LogLevel::WARN, "Warn message");
+    Logger::Instance()->Log(LogLevel::ERROR, "Error message");
+    Logger::Instance()->Log(LogLevel::CRITICAL, "Critical message");
+}
+
+TEST(CustomLogger, ResetFunctionality)
+{
+    // Test that Reset clears the custom log function
+    Logger::Instance()->SetCustomLogFunction(
+        [](LogLevel level, std::string_view msg) { fmt::print("[{}] {}\n", LogLevelToStr(level), msg); });
+
+    // Verify custom function is set
+    // Node: we can't directly test the function pointer comparison, but we can
+    // verify behavior after reset
+    Logger::Instance()->Log(LogLevel::INFO, "Message before reset");
+
+    // Reset the logger
+    Logger::Instance()->Reset();
+
+    // verify that after reset, we can still log without issues
+    Logger::Instance()->Log(LogLevel::INFO, "Message after reset");
+
+    // Reset the logger
+    Logger::Instance()->Reset();
+}
+
+TEST(CustomLogger, DiaplayLogLevel)
+{
+    // Test getting and setting display log level
+    Logger::Instance()->InitLog();
+    auto initial_level = Logger::Instance()->GetDisplayLogLevel();
+    EXPECT_EQ(initial_level, LogLevel::INFO);
+
+    // Change display level
+    Logger::Instance()->SetDisplayLogLevel(LogLevel::DEBUG);
+
+    auto new_level = Logger::Instance()->GetDisplayLogLevel();
+    EXPECT_EQ(new_level, LogLevel::DEBUG);
+
+    // Reset the logger
+    Logger::Instance()->Reset();
+}
+
+TEST(CustomLogger, ThreadSafety)
+{
+    // Test that logging is thread-safe
+    std::vector<std::thread> threads;
+    std::atomic<int> log_count{0};
+
+    // Create multiple threads that log simultaneously
+    threads.reserve(10);
+    for (int i = 0; i < 10; i++) {
+        threads.emplace_back([&log_count]() {
+            for (int j = 0; j < 10; j++) {
+                Logger::Instance()->Log(LogLevel::INFO, "Thread safety test");
+                log_count++;
+            }
+        });
+    }
+
+    // Wait for all threads to complete
+    for (auto &t : threads) {
+        t.join();
+    }
+
+    // Verify all logs were processed
+    EXPECT_EQ(log_count.load(), 100);
+
+    // Reset the logger
+    Logger::Instance()->Reset();
+}
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/base/exception.cpp b/virtrust/src/virtrust/base/exception.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..357567071913e3b8136bf4ac9462f5d3ee5df439
--- /dev/null
+++ b/virtrust/src/virtrust/base/exception.cpp
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+ */
+
+#include "virtrust/base/exception.h"
+
+#include <numeric>
+
+#include "spdlog/fmt/fmt.h"
+
+namespace virtrust {
+EnforceNotMet::EnforceNotMet(const char *file, const int line, const char *condition, const std::string &msg)
+    : msgStack_{fmt::format("[Enforce fail at {}:{}] {}. {}", file, line, condition, msg)}
+{
+    fullMsg_ = this->msg();
+}
+
+std::string EnforceNotMet::msg() const
+{
+    return std::accumulate(msgStack_.begin(), msgStack_.end(), std::string(""));
+}
+
+const char *EnforceNotMet::what() const noexcept
+{
+    return fullMsg_.c_str();
+}
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/base/exception.h b/virtrust/src/virtrust/base/exception.h
new file mode 100644
index 0000000000000000000000000000000000000000..b04d753df9b2a6885b53f836d2360ea4ff169047
--- /dev/null
+++ b/virtrust/src/virtrust/base/exception.h
@@ -0,0 +1,135 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+ */
+
+#pragma once
+
+#include <exception>
+#include <functional>
+#include <vector>
+
+#include "virtrust/base/str_utils.h"
+
+namespace virtrust {
+class EnforceNotMet : public std::exception {
+public:
+    EnforceNotMet(const char *file, const int line, const char *condition, const std::string &msg);
+    std::string msg() const;
+
+    inline const std::vector<std::string> &msg_stack() const
+    {
+        return msgStack_;
+    }
+
+    virtual const char *what() const noexcept override;
+
+private:
+    std::vector<std::string> msgStack_;
+    std::string fullMsg_;
+};
+
+#define VIRTRUST_ENFORCE(condition, ...)                                                                          \
+    do {                                                                                                          \
+        if (!(condition)) {                                                                                       \
+            throw ::virtrust::EnforceNotMet(__FILE__, __LINE__, #condition, ::virtrust::MakeString(__VA_ARGS__)); \
+        }                                                                                                         \
+    } while (false)
+
+// Check condition, and returns error code on error
+#define VIRTRUST_CHECK_ROF(condition, error_code, ...) \
+    do {                                               \
+        if (!(condition)) {                            \
+            VIRTRUST_ERROR(__VA_ARGS__);               \
+            return error_code;                         \
+        }                                              \
+    } while (false)
+
+namespace enforce_detail {
+
+struct EnforceOK {};
+
+class EnforceFailMessage {
+public:
+    constexpr EnforceFailMessage(EnforceOK) : msg_(nullptr)
+    {}
+
+    EnforceFailMessage(EnforceFailMessage &&) = default;
+    EnforceFailMessage(const EnforceFailMessage &) = delete;
+    EnforceFailMessage &operator=(EnforceFailMessage &&) = delete;
+    EnforceFailMessage &operator=(const EnforceFailMessage &) = delete;
+
+    EnforceFailMessage(std::string &&msg)
+    {
+        msg_ = new std::string(std::move(msg));
+    }
+
+    inline bool bad() const
+    {
+        return msg_ != nullptr;
+    }
+
+    std::string get_message_and_free(std::string &&extra) const
+    {
+        std::string r;
+        if (extra.empty()) {
+            r = std::move(*msg_);
+        } else {
+            r = ::virtrust::MakeString(*msg_, ". ", extra);
+        }
+        delete msg_;
+        return r;
+    }
+
+private:
+    std::string *msg_ = nullptr;
+};
+
+#define BINARY_COMP_HELPER(name, op)                                                             \
+    template <typename T1, typename T2> inline EnforceFailMessage name(const T1 &x, const T2 &y) \
+    {                                                                                            \
+        if (x op y) {                                                                            \
+            return EnforceOK();                                                                  \
+        }                                                                                        \
+        return MakeString(x, " vs ", y);                                                         \
+    }
+
+BINARY_COMP_HELPER(Equals, ==)
+BINARY_COMP_HELPER(NotEquals, !=)
+BINARY_COMP_HELPER(Greater, >)
+BINARY_COMP_HELPER(GreaterEquals, >=)
+BINARY_COMP_HELPER(Less, <)
+BINARY_COMP_HELPER(LessEquals, <=)
+#undef BINARY_COMP_HELPER
+
+#define VIRTRUST_ENFORCE_THAT_IMPL(condition, expr, ...)                                      \
+    do {                                                                                      \
+        const ::virtrust::enforce_detail::EnforceFailMessage r = (condition);                 \
+        if (r.bad()) {                                                                        \
+            throw ::virtrust::EnforceNotMet(__FILE__, __LINE__, expr,                         \
+                                            r.get_message_and_free(MakeString(__VA_ARGS__))); \
+        }                                                                                     \
+    } while (false)
+
+#define VIRTRUST_ENFORCE_THAT(condition, ...) VIRTRUST_ENFORCE_THAT_IMPL((condition), #condition, __VA_ARGS__)
+
+} // namespace enforce_detail
+
+#define VIRTRUST_ENFORCE_EQ(x, y, ...) \
+    VIRTRUST_ENFORCE_THAT_IMPL(::virtrust::enforce_detail::Equals((x), (y)), #x "==" #y, __VA_ARGS__)
+
+#define VIRTRUST_ENFORCE_NE(x, y, ...) \
+    VIRTRUST_ENFORCE_THAT_IMPL(::virtrust::enforce_detail::NotEquals((x), (y)), #x "!=" #y, __VA_ARGS__)
+
+#define VIRTRUST_ENFORCE_LE(x, y, ...) \
+    VIRTRUST_ENFORCE_THAT_IMPL(::virtrust::enforce_detail::LessEquals((x), (y)), #x "<=" #y, __VA_ARGS__)
+
+#define VIRTRUST_ENFORCE_LT(x, y, ...) \
+    VIRTRUST_ENFORCE_THAT_IMPL(::virtrust::enforce_detail::Less((x), (y)), #x "<" #y, __VA_ARGS__)
+
+#define VIRTRUST_ENFORCE_GE(x, y, ...) \
+    VIRTRUST_ENFORCE_THAT_IMPL(::virtrust::enforce_detail::GreaterEquals((x), (y)), #x ">=" #y, __VA_ARGS__)
+
+#define VIRTRUST_ENFORCE_GT(x, y, ...) \
+    VIRTRUST_ENFORCE_THAT_IMPL(::virtrust::enforce_detail::Greater((x), (y)), #x ">" #y, __VA_ARGS__)
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/base/exception_test.cpp b/virtrust/src/virtrust/base/exception_test.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..dac534cee363dc9e28054efaf6c172e482f22c19
--- /dev/null
+++ b/virtrust/src/virtrust/base/exception_test.cpp
@@ -0,0 +1,90 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+ */
+
+#include "gtest/gtest.h"
+#include "spdlog/fmt/bundled/core.h"
+
+#include "virtrust/base/exception.h"
+#include "virtrust/base/logger.h"
+
+namespace virtrust {
+
+TEST(Exception, Enforce)
+{
+    ASSERT_THROW(VIRTRUST_ENFORCE(false), EnforceNotMet);
+    ASSERT_NO_THROW(VIRTRUST_ENFORCE(true));
+}
+
+TEST(Exception, Compares)
+{
+    ASSERT_THROW(VIRTRUST_ENFORCE_EQ(0, 1), EnforceNotMet);
+    ASSERT_NO_THROW(VIRTRUST_ENFORCE_EQ(1, 1));
+
+    ASSERT_THROW(VIRTRUST_ENFORCE_LE(1, 0), EnforceNotMet);
+    ASSERT_NO_THROW(VIRTRUST_ENFORCE_LE(0, 1));
+    ASSERT_NO_THROW(VIRTRUST_ENFORCE_LE(1, 1));
+
+    ASSERT_THROW(VIRTRUST_ENFORCE_GE(0, 1), EnforceNotMet);
+    ASSERT_NO_THROW(VIRTRUST_ENFORCE_GE(1, 0));
+    ASSERT_NO_THROW(VIRTRUST_ENFORCE_GE(1, 1));
+
+    ASSERT_THROW(VIRTRUST_ENFORCE_LT(1, 0), EnforceNotMet);
+    ASSERT_THROW(VIRTRUST_ENFORCE_LT(1, 1), EnforceNotMet);
+    ASSERT_NO_THROW(VIRTRUST_ENFORCE_LT(0, 1));
+
+    ASSERT_THROW(VIRTRUST_ENFORCE_GT(0, 1), EnforceNotMet);
+    ASSERT_NO_THROW(VIRTRUST_ENFORCE_GT(1, 0));
+}
+
+TEST(Exception, CompareWithMessages)
+{
+    try {
+        VIRTRUST_ENFORCE_EQ(1, 2, "Expected 1 to equal 2");
+        FAIL() << "Should have thrown EnforceNotMet exception";
+    } catch (const EnforceNotMet &e) {
+        EXPECT_NE(std::string(e.what()).find("1 vs 2"), std::string::npos);
+        EXPECT_NE(std::string(e.what()).find("Expected 1 to equal 2"), std::string::npos);
+    }
+
+    try {
+        VIRTRUST_ENFORCE_GT(1, 2, "1 should be greater than 2");
+        FAIL() << "Should have thrown EnforceNotMet exception";
+    } catch (const EnforceNotMet &e) {
+        EXPECT_NE(std::string(e.what()).find("1 vs 2"), std::string::npos);
+        EXPECT_NE(std::string(e.what()).find("1 should be greater than 2"), std::string::npos);
+    }
+}
+
+TEST(Exception, EnforceThat)
+{
+    // Test successful enforcement
+    ASSERT_NO_THROW(VIRTRUST_ENFORCE_THAT(enforce_detail::Equals(1, 1), "Values should be equal"));
+
+    try {
+        VIRTRUST_ENFORCE_THAT(enforce_detail::Equals(1, 2), "Values should be equal");
+        FAIL() << "Should have thrown EnforceNotMet exception";
+    } catch (const EnforceNotMet &e) {
+        EXPECT_NE(std::string(e.what()).find("1 vs 2"), std::string::npos);
+    }
+}
+
+TEST(Exception, ExceptionMessageDetails)
+{
+    try {
+        VIRTRUST_ENFORCE(false, "Test message with ", 42);
+        FAIL() << "Should have thrown EnforceNotMet exception";
+    } catch (const EnforceNotMet &e) {
+        // Check that the message contains the excepted content
+        std::string what_msg = e.what();
+
+        VIRTRUST_LOG_INFO(what_msg);
+
+        EXPECT_NE(what_msg.find("Test message with 42"), std::string::npos);
+
+        // Check that we can get the message stack
+        const auto &msg_stack = e.msg_stack();
+        EXPECT_FALSE(msg_stack.empty());
+    }
+}
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/base/log_adapt.cpp b/virtrust/src/virtrust/base/log_adapt.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..27c42abc415273905fa6aa054dc8e483d3945ed9
--- /dev/null
+++ b/virtrust/src/virtrust/base/log_adapt.cpp
@@ -0,0 +1,220 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+ */
+
+#include "log_adapt.h"
+
+#include <sys/stat.h>
+
+#include <iostream>
+
+#include "spdlog/sinks/rotating_file_sink.h"
+#include "spdlog/sinks/stdout_sinks.h"
+
+#include "virtrust/api/defines.h"
+#include "virtrust/base/custom_logger.h"
+namespace virtrust {
+std::unique_ptr<LogAdapt> LogAdapt::gSpdLogger = nullptr;
+thread_local std::string LogAdapt::gLastErrorMessage;
+int LogAdapt::loglevel = static_cast<int>(LogLevel::INFO);
+
+constexpr auto ROTATION_FILE_SIZE_MIN = 1 * 1024 * 1024;
+constexpr auto ROTATION_FILE_SIZE_MAX = 500 * 1024 * 1024;
+constexpr auto ROTATION_FILE_COUNT_MAX = 64;
+namespace {
+bool CanonicalPath(std::string &path)
+{
+
+    if (path.empty() || path.size() > PATH_MAX) {
+        return false;
+    }
+    char pathBuf[PATH_MAX + 1] = {0};
+    if (realpath(path.c_str(), pathBuf) == nullptr) {
+        return false;
+    }
+    path = pathBuf;
+    return true;
+}
+
+bool GetFolderPath(std::string &filePath, std::string &folderPath)
+{
+    const size_t pos = filePath.find_last_of("/");
+    if (pos == std::string::npos) {
+        return false;
+    }
+    folderPath = filePath.substr(0, pos);
+    return true;
+}
+
+bool Exist(const std::string &path, const int &mode)
+{
+    return access(path.c_str(), mode) != -1;
+}
+
+bool IsAbsolutePath(const std::string &path)
+{
+    if (path.empty()) {
+        return false;
+    }
+    if (path[0] != '/') {
+        return false;
+    }
+    if (strstr(path.c_str(), "/../") != nullptr || strstr(path.c_str(), "/./") != nullptr) {
+        return false;
+    }
+    return true;
+}
+} // namespace
+
+VirtrustRc LogAdapt::ValidateParams(int logType, const char *path, int rotationFileSize, int rotationFileCount)
+{
+    if (logType != STDOUT_TYPE && logType != FILE_TYPE) {
+        gLastErrorMessage = "Invalid log type, which should be 0,1";
+        return VirtrustRc::ERROR;
+    }
+    if (logType == STDOUT_TYPE) {
+        return VirtrustRc::OK;
+    }
+
+    if (path == nullptr) {
+        gLastErrorMessage = "Path is empty";
+        return VirtrustRc::ERROR;
+    }
+    if (rotationFileSize > ROTATION_FILE_SIZE_MAX || rotationFileSize < ROTATION_FILE_SIZE_MIN) {
+        gLastErrorMessage = "Invalid rotation file size, which should be 1MB to 500MB";
+        return VirtrustRc::ERROR;
+    }
+    if (rotationFileCount > ROTATION_FILE_COUNT_MAX || rotationFileCount < 1) {
+        gLastErrorMessage = "Invalid rotation file count, which should be lest than 65";
+        return VirtrustRc::ERROR;
+    }
+    return VirtrustRc::OK;
+}
+
+VirtrustRc LogAdapt::CreateInstance(int &logType, int logLevel, const char *path, int rotationFileSize,
+                                    int rotationFileCount)
+{
+    if (gSpdLogger != nullptr) {
+        return VirtrustRc::OK;
+    }
+    loglevel = logLevel;
+    std::string realPath;
+    if (path != nullptr) {
+        realPath = std::string(path);
+        if (!IsAbsolutePath(realPath)) {
+            std::cerr << "Log folder path: " << realPath << "is not absolute path." << std::endl;
+            return VirtrustRc::ERROR;
+        }
+        std::string folderPath;
+        if (!GetFolderPath(realPath, folderPath)) {
+            std::cerr << "Get folder path: " << realPath << "failed." << std::endl;
+            return VirtrustRc::ERROR;
+        }
+
+        if (!Exist(folderPath, F_OK | R_OK | W_OK)) {
+            std::cerr << "Access denied or logpath: " << folderPath << " does not exist." << std::endl;
+            return VirtrustRc::ERROR;
+        }
+
+        if (!CanonicalPath(folderPath)) {
+            std::cerr << "Get real path: " << realPath << "failed." << std::endl;
+            return VirtrustRc::ERROR;
+        }
+    }
+    VirtrustRc ret = SetTmpLogger(logType, realPath, rotationFileSize, rotationFileCount, loglevel);
+    if (ret != VirtrustRc::OK) {
+        return ret;
+    }
+    return VirtrustRc::OK;
+}
+
+VirtrustRc LogAdapt::Initialize()
+{
+    try {
+        if (this->logType_ == STDOUT_TYPE) {
+            std::string console = "console";
+            if (!spdlog::get(console)) {
+                this->spdLogger = spdlog::stdout_logger_mt(console);
+            } else {
+                this->spdLogger = spdlog::get(console);
+            }
+        } else if (this->logType_ == FILE_TYPE) {
+            std::string logName = "log:" + this->filePath_;
+            spdlog::file_event_handlers handlers;
+            handlers.after_open = [](spdlog::filename_t filename, [[maybe_unused]] std::FILE *fstream) {
+                chmod(filename.c_str(), S_IRUSR | S_IWUSR);
+            };
+            if (!spdlog::get(logName)) {
+                this->spdLogger = spdlog::rotating_logger_mt(logName, this->filePath_, this->rotationFileSize_,
+                                                             this->rotationFileCount_, false, handlers);
+            } else {
+                this->spdLogger = spdlog::get(logName);
+            }
+            spdlog::flush_every(std::chrono::seconds(1));
+        }
+        if (this->spdLogger == nullptr) {
+            std::cerr << "spdLogger init failed" << std::endl;
+            return VirtrustRc::ERROR;
+        }
+
+        this->spdLogger->set_pattern("%Y-%m-%d %H:%M:%S.%f %t %l %v");
+        this->spdLogger->set_level(static_cast<spdlog::level::level_enum>(this->logLevel_));
+        this->spdLogger->flush_on(static_cast<spdlog::level::level_enum>(this->logLevel_));
+        if (this->logLevel_ < static_cast<int>(spdlog::level::info)) {
+        }
+    } catch (const spdlog::spdlog_ex &ex) {
+        gLastErrorMessage = "Failed to create log";
+        gLastErrorMessage += ex.what();
+        return VirtrustRc::ERROR;
+    }
+    return VirtrustRc::OK;
+}
+
+VirtrustRc LogAdapt::Log(int level, const char *prefix, const char *message) const
+{
+    if (level < static_cast<int>(LogLevel::TRACE) || level > static_cast<int>(LogLevel::CRITICAL)) {
+        gLastErrorMessage = "Invalid log level, which should be 0-5";
+        return VirtrustRc::ERROR;
+    }
+    this->spdLogger->log(static_cast<spdlog::level::level_enum>(level), "{}]{}", prefix, message);
+    return VirtrustRc::OK;
+}
+
+void LogAdapt::Flush()
+{
+    if (gSpdLogger != nullptr) {
+        gSpdLogger->spdLogger->flush();
+    }
+}
+
+int LogAdapt::GetLogLevel()
+{
+    return loglevel;
+}
+
+VirtrustRc LogAdapt::SetTmpLogger(int logType, std::string realPath, int rotationFileSize, int rotationFileCount,
+                                  int logLevel)
+{
+    std::unique_ptr<LogAdapt> tmpLogger =
+        std::make_unique<LogAdapt>(logType, realPath, rotationFileSize, rotationFileCount);
+    if (tmpLogger == nullptr) {
+        std::cerr << "tmpLogger init failed" << std::endl;
+        return VirtrustRc::ERROR;
+    }
+
+    tmpLogger->SetLogLevel(logLevel);
+    VirtrustRc ret = tmpLogger->Initialize();
+    if (ret != VirtrustRc::OK) {
+        std::cerr << "LogAdapt initialize failed" << std::endl;
+        return ret;
+    }
+    gSpdLogger = std::move(tmpLogger);
+    return VirtrustRc::OK;
+}
+
+void LogAdapt::UnInitialize()
+{
+    gSpdLogger = nullptr;
+}
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/base/log_adapt.h b/virtrust/src/virtrust/base/log_adapt.h
new file mode 100644
index 0000000000000000000000000000000000000000..4dc7e3281d8a0610c684fabb3e9ba41a291a50ab
--- /dev/null
+++ b/virtrust/src/virtrust/base/log_adapt.h
@@ -0,0 +1,66 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+ */
+
+#pragma once
+
+#include <iostream>
+#include <sstream>
+#include <string>
+#include <utility>
+
+#include "spdlog/common.h"
+#include "spdlog/spdlog.h"
+
+#include "virtrust/api/defines.h"
+namespace virtrust {
+const int STDOUT_TYPE = 0;
+const int FILE_TYPE = 1;
+
+class LogAdapt {
+public:
+    LogAdapt(int logType, std::string path, int rotationFileSize, int rotationFileCount)
+        : logType_(logType),
+          filePath_(std::move(path)),
+          rotationFileSize_(rotationFileSize),
+          rotationFileCount_(rotationFileCount){};
+    ~LogAdapt() = default;
+
+    VirtrustRc Initialize();
+    static void UnInitialize();
+
+    static int GetLogLevel();
+    inline void SetLogLevel(int logLevel)
+    {
+        if (logLevel < 0) {
+            std::cerr << "logLevel is invalid. logLevel is" << logLevel << std::endl;
+            return;
+        }
+        logLevel_ = logLevel;
+    }
+    [[nodiscard]] inline bool IsLogLevelEnabled(int nowLevel) const
+    {
+        return nowLevel >= logLevel_;
+    }
+    VirtrustRc Log(int level, const char *prefix, const char *message) const;
+
+    static VirtrustRc CreateInstance(int &logType, int logLevel, const char *path, int rotationFileSize,
+                                     int rotationFileCount);
+    static VirtrustRc SetTmpLogger(int logType, std::string realPath, int rotationFileSize, int rotationFileCount,
+                                   int logLevel);
+    static std::unique_ptr<LogAdapt> gSpdLogger;
+    std::shared_ptr<spdlog::logger> spdLogger;
+    static void Flush();
+    static int loglevel;
+    static VirtrustRc ValidateParams(int logType, const char *path, int rotationFileSize, int rotationFileCount);
+    static thread_local std::string gLastErrorMessage;
+
+private:
+    int logType_;
+    int logLevel_{0};
+    std::string filePath_;
+    int rotationFileSize_;
+    int rotationFileCount_;
+};
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/base/log_adapt_test.cpp b/virtrust/src/virtrust/base/log_adapt_test.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..2dac3e1096f710ca6348d8852da69a5e47c63d8a
--- /dev/null
+++ b/virtrust/src/virtrust/base/log_adapt_test.cpp
@@ -0,0 +1,277 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+ */
+
+#include <gtest/gtest.h>
+
+#include <memory>
+#include <string>
+
+#include "virtrust/api/defines.h"
+#include "virtrust/base/log_adapt.h"
+
+// Define log levels since they're not exposed in headers
+#define LOG_TRACE 0
+#define LOG_DEBUG 1
+#define LOG_INFO 2
+#define LOG_WARN 3
+#define LOG_ERROR 4
+#define LOG_CRITICAL 5
+#define LOG_OFF 6
+
+namespace virtrust {
+
+class LogAdaptTest : public ::testing::Test {
+protected:
+    void SetUp() override
+    {
+        // Clean up any existing logger before each test
+        LogAdapt::UnInitialize();
+    }
+
+    void TearDown() override
+    {
+        // Clean up after each test
+        LogAdapt::UnInitialize();
+    }
+};
+
+// Test ValidateParams with valid parameters for STDOUT
+TEST_F(LogAdaptTest, ValidateParamsValidStdout)
+{
+    VirtrustRc rc = LogAdapt::ValidateParams(STDOUT_TYPE, nullptr, 0, 0);
+    EXPECT_EQ(rc, VirtrustRc::OK);
+}
+
+// Test ValidateParams with valid parameters for FILE
+TEST_F(LogAdaptTest, ValidateParamsValidFile)
+{
+    std::string testPath = "/tmp/test.log";
+    VirtrustRc rc = LogAdapt::ValidateParams(FILE_TYPE, testPath.c_str(), 5 * 1024 * 1024, 10);
+    EXPECT_EQ(rc, VirtrustRc::OK);
+}
+
+// Test ValidateParams with invalid log type
+TEST_F(LogAdaptTest, ValidateParamsInvalidLogType)
+{
+    VirtrustRc rc = LogAdapt::ValidateParams(99, nullptr, 0, 0);
+    EXPECT_EQ(rc, VirtrustRc::ERROR);
+    EXPECT_FALSE(LogAdapt::gLastErrorMessage.empty());
+}
+
+// Test ValidateParams with null path for FILE type
+TEST_F(LogAdaptTest, ValidateParamsNullPathFile)
+{
+    VirtrustRc rc = LogAdapt::ValidateParams(FILE_TYPE, nullptr, 5 * 1024 * 1024, 10);
+    EXPECT_EQ(rc, VirtrustRc::ERROR);
+    EXPECT_FALSE(LogAdapt::gLastErrorMessage.empty());
+}
+
+// Test ValidateParams with invalid rotation file size - too small
+TEST_F(LogAdaptTest, ValidateParamsRotationSizeTooSmall)
+{
+    std::string testPath = "/tmp/test.log";
+    VirtrustRc rc = LogAdapt::ValidateParams(FILE_TYPE, testPath.c_str(), 1024, 10); // 1KB, too small
+    EXPECT_EQ(rc, VirtrustRc::ERROR);
+    EXPECT_FALSE(LogAdapt::gLastErrorMessage.empty());
+}
+
+// Test ValidateParams with invalid rotation file size - too large
+TEST_F(LogAdaptTest, ValidateParamsRotationSizeTooLarge)
+{
+    std::string testPath = "/tmp/test.log";
+    VirtrustRc rc = LogAdapt::ValidateParams(FILE_TYPE, testPath.c_str(), 600 * 1024 * 1024, 10); // 600MB, too large
+    EXPECT_EQ(rc, VirtrustRc::ERROR);
+    EXPECT_FALSE(LogAdapt::gLastErrorMessage.empty());
+}
+
+// Test ValidateParams with invalid rotation file count - too small
+TEST_F(LogAdaptTest, ValidateParamsRotationCountTooSmall)
+{
+    std::string testPath = "/tmp/test.log";
+    VirtrustRc rc = LogAdapt::ValidateParams(FILE_TYPE, testPath.c_str(), 5 * 1024 * 1024, 0);
+    EXPECT_EQ(rc, VirtrustRc::ERROR);
+    EXPECT_FALSE(LogAdapt::gLastErrorMessage.empty());
+}
+
+// Test ValidateParams with invalid rotation file count - too large
+TEST_F(LogAdaptTest, ValidateParamsRotationCountTooLarge)
+{
+    std::string testPath = "/tmp/test.log";
+    VirtrustRc rc = LogAdapt::ValidateParams(FILE_TYPE, testPath.c_str(), 5 * 1024 * 1024, 100);
+    EXPECT_EQ(rc, VirtrustRc::ERROR);
+    EXPECT_FALSE(LogAdapt::gLastErrorMessage.empty());
+}
+
+// Test CreateInstance with valid STDOUT parameters
+TEST_F(LogAdaptTest, CreateInstanceValidStdout)
+{
+    int logType = STDOUT_TYPE;
+    VirtrustRc rc = LogAdapt::CreateInstance(logType, LOG_INFO, nullptr, 0, 0);
+    EXPECT_EQ(rc, VirtrustRc::OK);
+    EXPECT_EQ(logType, STDOUT_TYPE);
+}
+
+// Test CreateInstance with valid FILE parameters
+TEST_F(LogAdaptTest, CreateInstanceValidFile)
+{
+    std::string testPath = "/tmp/test.log";
+    int logType = FILE_TYPE;
+
+    VirtrustRc rc = LogAdapt::CreateInstance(logType, LOG_DEBUG, testPath.c_str(), 5 * 1024 * 1024, 10);
+    EXPECT_EQ(rc, VirtrustRc::OK);
+    EXPECT_EQ(logType, FILE_TYPE);
+}
+
+// Test CreateInstance with invalid log type
+TEST_F(LogAdaptTest, CreateInstanceInvalidLogType)
+{
+    int logType = 99; // Invalid log type
+    VirtrustRc rc = LogAdapt::CreateInstance(logType, LOG_INFO, nullptr, 0, 0);
+    EXPECT_EQ(rc, VirtrustRc::ERROR);
+}
+
+// Test CreateInstance with relative path
+TEST_F(LogAdaptTest, CreateInstanceRelativePath)
+{
+    std::string testPath = "relative/path/test.log"; // Relative path
+    int logType = FILE_TYPE;
+
+    VirtrustRc rc = LogAdapt::CreateInstance(logType, LOG_INFO, testPath.c_str(), 5 * 1024 * 1024, 10);
+    EXPECT_EQ(rc, VirtrustRc::ERROR);
+}
+
+// Test CreateInstance with non-existent directory
+TEST_F(LogAdaptTest, CreateInstanceNonExistentDirectory)
+{
+    std::string testPath = "/non/existent/path/test.log";
+    int logType = FILE_TYPE;
+
+    VirtrustRc rc = LogAdapt::CreateInstance(logType, LOG_INFO, testPath.c_str(), 5 * 1024 * 1024, 10);
+    EXPECT_EQ(rc, VirtrustRc::ERROR);
+}
+
+// Test LogAdapt constructor and basic functionality
+TEST_F(LogAdaptTest, LogAdaptConstructor)
+{
+    std::string testPath = "/tmp/test.log";
+    LogAdapt logAdapt(FILE_TYPE, testPath, 5 * 1024 * 1024, 10);
+
+    // Test setting log level
+    logAdapt.SetLogLevel(LOG_ERROR);
+    EXPECT_FALSE(logAdapt.IsLogLevelEnabled(LOG_DEBUG));
+    EXPECT_TRUE(logAdapt.IsLogLevelEnabled(LOG_ERROR));
+
+    // Test invalid log level setting
+    logAdapt.SetLogLevel(-1); // Should not crash
+}
+
+// Test SetTmpLogger function indirectly through CreateInstance
+TEST_F(LogAdaptTest, SetTmpLoggerIndirect)
+{
+    std::string testPath = "/tmp/tmp_test.log";
+    int logType = FILE_TYPE;
+
+    // This will call SetTmpLogger internally
+    VirtrustRc rc = LogAdapt::CreateInstance(logType, LOG_INFO, testPath.c_str(), 5 * 1024 * 1024, 10);
+    EXPECT_EQ(rc, VirtrustRc::OK);
+}
+
+// Test GetLogLevel
+TEST_F(LogAdaptTest, GetLogLevel)
+{
+    int initialLevel = LogAdapt::GetLogLevel();
+    EXPECT_GE(initialLevel, 0);
+    EXPECT_LE(initialLevel, 6); // SPDLOG_LEVEL_TRACE = 0, SPDLOG_LEVEL_OFF = 6
+}
+
+// Test Flush functionality
+TEST_F(LogAdaptTest, Flush)
+{
+    // Create a logger first
+    int logType = STDOUT_TYPE;
+    VirtrustRc rc = LogAdapt::CreateInstance(logType, LOG_INFO, nullptr, 0, 0);
+    EXPECT_EQ(rc, VirtrustRc::OK);
+
+    // Test flush - should not crash
+    EXPECT_NO_THROW(LogAdapt::Flush());
+}
+
+// Test Log method
+TEST_F(LogAdaptTest, LogMethod)
+{
+    std::string testPath = "/tmp/log_test.log";
+    LogAdapt logAdapt(FILE_TYPE, testPath, 5 * 1024 * 1024, 10);
+
+    // Initialize the logger
+    VirtrustRc rc = logAdapt.Initialize();
+    // Note: This might fail in test environment, but we can test the method call
+    if (rc == VirtrustRc::OK) {
+        // Test logging at different levels
+        rc = logAdapt.Log(LOG_INFO, "TEST", "Test message");
+        EXPECT_EQ(rc, VirtrustRc::OK);
+
+        rc = logAdapt.Log(LOG_ERROR, "ERROR", "Error message");
+        EXPECT_EQ(rc, VirtrustRc::OK);
+    }
+}
+
+// Test CreateInstance duplicate call (should return OK without creating new instance)
+TEST_F(LogAdaptTest, CreateInstanceDuplicate)
+{
+    int logType = STDOUT_TYPE;
+
+    // First call
+    VirtrustRc rc1 = LogAdapt::CreateInstance(logType, LOG_INFO, nullptr, 0, 0);
+    EXPECT_EQ(rc1, VirtrustRc::OK);
+
+    // Second call with same instance
+    VirtrustRc rc2 = LogAdapt::CreateInstance(logType, LOG_ERROR, nullptr, 0, 0);
+    EXPECT_EQ(rc2, VirtrustRc::OK);
+}
+
+// Test multiple CreateInstance calls with different log levels
+TEST_F(LogAdaptTest, CreateInstanceDifferentLevels)
+{
+    std::string testPath = "/tmp/level_test.log";
+    int logType = FILE_TYPE;
+
+    // Test with different log levels
+    std::vector<int> logLevels = {LOG_TRACE, LOG_DEBUG, LOG_INFO, LOG_WARN, LOG_ERROR, LOG_CRITICAL, LOG_OFF};
+
+    for (int level : logLevels) {
+        LogAdapt::UnInitialize(); // Clean up before each attempt
+        VirtrustRc rc = LogAdapt::CreateInstance(logType, level, testPath.c_str(), 5 * 1024 * 1024, 10);
+        EXPECT_EQ(rc, VirtrustRc::OK);
+    }
+}
+
+// Test edge cases for rotation file size
+TEST_F(LogAdaptTest, ValidateParamsRotationSizeEdgeCases)
+{
+    std::string testPath = "/tmp/test.log";
+
+    // Test minimum valid size (1MB)
+    VirtrustRc rc1 = LogAdapt::ValidateParams(FILE_TYPE, testPath.c_str(), 1 * 1024 * 1024, 10);
+    EXPECT_EQ(rc1, VirtrustRc::OK);
+
+    // Test maximum valid size (500MB)
+    VirtrustRc rc2 = LogAdapt::ValidateParams(FILE_TYPE, testPath.c_str(), 500 * 1024 * 1024, 10);
+    EXPECT_EQ(rc2, VirtrustRc::OK);
+}
+
+// Test edge cases for rotation file count
+TEST_F(LogAdaptTest, ValidateParamsRotationCountEdgeCases)
+{
+    std::string testPath = "/tmp/test.log";
+
+    // Test minimum valid count (1)
+    VirtrustRc rc1 = LogAdapt::ValidateParams(FILE_TYPE, testPath.c_str(), 5 * 1024 * 1024, 1);
+    EXPECT_EQ(rc1, VirtrustRc::OK);
+
+    // Test maximum valid count (64)
+    VirtrustRc rc2 = LogAdapt::ValidateParams(FILE_TYPE, testPath.c_str(), 5 * 1024 * 1024, 64);
+    EXPECT_EQ(rc2, VirtrustRc::OK);
+}
+
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/base/logger.h b/virtrust/src/virtrust/base/logger.h
new file mode 100644
index 0000000000000000000000000000000000000000..811d2db9d11e2a201c72394e37ad8a91f3f825d0
--- /dev/null
+++ b/virtrust/src/virtrust/base/logger.h
@@ -0,0 +1,58 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+ */
+
+#pragma once
+
+#include <sys/time.h>
+
+#include <atomic>
+#include <cstring>
+#include <functional>
+#include <iostream>
+#include <mutex>
+#include <sstream>
+#include <string>
+
+#include "spdlog/fmt/fmt.h"
+
+#include "virtrust/base/custom_logger.h"
+#include "virtrust/base/str_utils.h"
+
+#ifndef VIRTRUST_LIKELY
+#define VIRTRUST_LIKELY(x) (__builtin_expect(!!(x), 1) != 0)
+#endif
+
+#ifndef VIRTRUST_UNLIKELY
+#define VIRTRUST_UNLIKELY(x) (__builtin_expect(!!(x), 0) != 0)
+#endif
+
+#ifndef VIRTRUST_LOG_FILENAME
+#define VIRTRUST_LOG_FILENAME (strrchr(__FILE__, '/') ? strrchr(__FILE__, '/') + 1 : __FILE__)
+#endif
+
+#define VIRTRUST_LOG(level, ...)                                                                                       \
+    do {                                                                                                               \
+        auto logger = ::virtrust::Logger::Instance();                                                                  \
+        if (logger != nullptr) {                                                                                       \
+            logger->Log(                                                                                               \
+                level, fmt::format("[VIRTRUST {}:{}] {}", VIRTRUST_LOG_FILENAME, __LINE__, fmt::format(__VA_ARGS__))); \
+        }                                                                                                              \
+    } while (0)
+
+#define VIRTRUST_LOG_TRACE(...) VIRTRUST_LOG(::virtrust::LogLevel::TRACE, __VA_ARGS__)
+#define VIRTRUST_LOG_DEBUG(...) VIRTRUST_LOG(::virtrust::LogLevel::DEBUG, __VA_ARGS__)
+#define VIRTRUST_LOG_INFO(...) VIRTRUST_LOG(::virtrust::LogLevel::INFO, __VA_ARGS__)
+#define VIRTRUST_LOG_WARN(...) VIRTRUST_LOG(::virtrust::LogLevel::WARN, __VA_ARGS__)
+#define VIRTRUST_LOG_ERROR(...) VIRTRUST_LOG(::virtrust::LogLevel::ERROR, __VA_ARGS__)
+
+#define VIRTRUST_ASSERT_LOG_RETURN(args, ret)  \
+    if (VIRTRUST_UNLIKELY(!(args))) {          \
+        VIRTRUST_LOG_ERROR("Assert" << #args); \
+        return (ret);                          \
+    }
+#define VIRTRUST_ASSERT_LOG_RETURN_VOID(args)  \
+    if (VIRTRUST_UNLIKELY(!(args))) {          \
+        VIRTRUST_LOG_ERROR("Assert" << #args); \
+        return (ret);                          \
+    }
diff --git a/virtrust/src/virtrust/base/str_utils.cpp b/virtrust/src/virtrust/base/str_utils.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..053d20eadc6f4c20c133dca71fd0a61882ccd713
--- /dev/null
+++ b/virtrust/src/virtrust/base/str_utils.cpp
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+ */
+
+#include "virtrust/base/str_utils.h"
+
+#include <sstream>
+#include <string>
+#include <vector>
+
+namespace virtrust {
+
+void StrSplit(std::string_view src, std::string_view sep, std::vector<std::string> &out)
+{
+
+    if (src.empty() || sep.empty()) {
+        return;
+    }
+    std::string::size_type pos1 = 0;
+    std::string::size_type pos2 = src.find(sep);
+    while (pos2 != std::string::npos) {
+        out.emplace_back(src.substr(pos1, pos2 - pos1));
+        pos1 = pos2 + sep.size();
+        pos2 = src.find(sep, pos1);
+    }
+    if (pos1 != src.size())
+        out.emplace_back(src.substr(pos1));
+}
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/base/str_utils.h b/virtrust/src/virtrust/base/str_utils.h
new file mode 100644
index 0000000000000000000000000000000000000000..8ecb08b4601d6d51bf73b70cc77eb586d8116b88
--- /dev/null
+++ b/virtrust/src/virtrust/base/str_utils.h
@@ -0,0 +1,144 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+ */
+
+#pragma once
+
+#include <fstream>
+#include <memory>
+#include <sstream>
+#include <string>
+#include <vector>
+
+namespace virtrust {
+
+inline void MakeStringInternal(std::stringstream &)
+{}
+
+template <typename T> inline void MakeStringInternal(std::stringstream &ss, const T &t)
+{
+    ss << t;
+}
+
+template <> inline void MakeStringInternal(std::stringstream &ss, const std::stringstream &t)
+{
+
+    ss << t.str();
+}
+
+template <typename T, typename... Args>
+inline void MakeStringInternal(std::stringstream &ss, const T &t, const Args &...args)
+{
+    MakeStringInternal(ss, t);
+    MakeStringInternal(ss, args...);
+}
+
+template <typename... Args> std::string MakeString(const Args &...args)
+{
+    std::stringstream ss;
+    MakeStringInternal(ss, args...);
+    return std::string(ss.str());
+}
+
+template <typename T> std::string MakeString(const std::vector<T> &v, const std::string &delim = " ")
+{
+    std::stringstream ss;
+    for (auto it = v.begin(); it != v.end(); ++it) {
+        if (it != v.begin()) {
+            MakeStringInternal(ss, delim);
+        }
+        MakeStringInternal(ss, *it);
+    }
+    return std::string(ss.str());
+}
+
+template <> inline std::string MakeString(const std::string &args)
+{
+    return args;
+}
+
+inline std::string MakeString(const char *cstr)
+{
+    return {cstr};
+}
+
+void StrSplit(std::string_view src, std::string_view sep, std::vector<std::string> &out);
+
+inline std::vector<std::string> StrSplit(std::string_view src, std::string_view sep)
+{
+    std::vector<std::string> out;
+    StrSplit(src, sep, out);
+    return out;
+}
+
+// 按照空白符分割字符串
+inline std::vector<std::string> StrSplit(const std::string &str)
+{
+    std::istringstream iss(str);
+    std::vector<std::string> rets;
+    std::string token;
+    while (iss >> token) { // 自动按空白分割病跳过多余空白
+        rets.push_back(token);
+    }
+    return rets;
+}
+// 去除收尾的指定字符
+inline std::string StrTrim(const std::string &str, char ch)
+{
+
+    if (str.empty()) {
+        return str;
+    }
+    size_t start = str.find_first_not_of(ch);
+    if (start == std::string::npos) {
+        return ""; // 全是目标字符
+    }
+    size_t end = str.find_last_not_of(ch);
+    return str.substr(start, end - start + 1);
+}
+
+// 去除首尾的空白符
+inline std::string StrTrimWhitespace(const std::string &str)
+{
+    const std::string whitespace = " \t\n\v\f\r";
+    size_t start = str.find_first_not_of(whitespace);
+    if (start == std::string::npos) {
+        return "";
+    }
+    size_t end = str.find_last_not_of(whitespace);
+    return str.substr(start, end - start + 1);
+}
+
+// 统计字符出现次数
+
+inline size_t StrCountChar(const std::string &str, char target)
+{
+    int cnt = 0;
+    for (const char ch : str) {
+        if (ch == target) {
+            cnt++;
+        }
+    }
+    return cnt;
+}
+
+inline bool StrStartsWith(const std::string_view &s, const std::string_view &prefix)
+{
+    return s.size() >= prefix.size() && s.compare(0, prefix.size(), prefix) == 0;
+}
+
+inline bool startsWithIgnoreSpaces(const std::string &str, const std::string_view &prefix)
+{
+    size_t start = str.find_first_not_of(' ');
+    if (start == std::string::npos) {
+        return false;
+    }
+    return str.substr(start).find(prefix) == 0;
+}
+
+inline std::string ReadFile(const std::string &filename)
+{
+    std::ifstream file(filename);
+    return {std::istreambuf_iterator<char>(file), std::istreambuf_iterator<char>()};
+}
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/base/str_utils_test.cpp b/virtrust/src/virtrust/base/str_utils_test.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..9ceab321d741e54e72e95eb73cec6d0ec0105167
--- /dev/null
+++ b/virtrust/src/virtrust/base/str_utils_test.cpp
@@ -0,0 +1,161 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+ */
+
+#include "gtest/gtest.h"
+
+#include "virtrust/base/str_utils.h"
+
+namespace virtrust {
+
+TEST(StrUtils, MakeString)
+{
+    // Test basic functionality
+    EXPECT_EQ(MakeString(), "");
+    EXPECT_EQ(MakeString("hello"), "hello");
+    EXPECT_EQ(MakeString("hello", " ", "world"), "hello world");
+    EXPECT_EQ(MakeString(123), "123");
+    EXPECT_EQ(MakeString(123, " ", 456), "123 456");
+    EXPECT_EQ(MakeString("Number:", 42), "Number:42");
+
+    // Test with Vector
+    std::vector<int> nums = {1, 2, 3, 4, 5};
+    EXPECT_EQ(MakeString(nums), "1 2 3 4 5");
+
+    std::vector<std::string> strs = {"a", "b", "c"};
+    EXPECT_EQ(MakeString(strs), "a b c");
+
+    // Test with custom delimiter
+    EXPECT_EQ(MakeString<int>(nums, ","), "1,2,3,4,5");
+}
+
+TEST(StrUtils, Split)
+{
+    // Test Split with separator
+    std::vector<std::string> result;
+    StrSplit("a,b,c", ",", result);
+    ASSERT_EQ(result.size(), (size_t)3);
+    EXPECT_EQ(result[0], "a");
+    EXPECT_EQ(result[1], "b");
+    EXPECT_EQ(result[2], "c");
+
+    // Test Split with empty string
+    result.clear();
+    StrSplit("", ",", result);
+    ASSERT_EQ(result.size(), (size_t)0);
+
+    // Test Split with no separator
+    result.clear();
+    StrSplit("abc", ",", result);
+    ASSERT_EQ(result.size(), (size_t)1);
+    EXPECT_EQ(result[0], "abc");
+
+    // Test Split with empty separator
+    result.clear();
+    StrSplit("abc", "", result);
+    ASSERT_EQ(result.size(), (size_t)0);
+
+    // Test Split with multiple consecutive separators
+    result.clear();
+    StrSplit("a,,b,,c", ",", result);
+    ASSERT_EQ(result.size(), (size_t)5);
+    EXPECT_EQ(result[0], "a");
+    EXPECT_EQ(result[1], "");
+    EXPECT_EQ(result[2], "b");
+    EXPECT_EQ(result[3], "");
+    EXPECT_EQ(result[4], "c");
+
+    // Test Split with trailing separator
+    result.clear();
+    StrSplit("a,b,", ",", result);
+    ASSERT_EQ(result.size(), (size_t)2);
+    EXPECT_EQ(result[0], "a");
+    EXPECT_EQ(result[1], "b");
+
+    // Test Split with leading separator
+    result.clear();
+    StrSplit(",a,b", ",", result);
+    ASSERT_EQ(result.size(), (size_t)3);
+    EXPECT_EQ(result[0], "");
+    EXPECT_EQ(result[1], "a");
+    EXPECT_EQ(result[2], "b");
+}
+
+TEST(StrUtils, SplitWithEmptyString)
+{
+    // Test Split with empty string (no separator)
+    std::vector<std::string> result = StrSplit("a,b,c", ",");
+    ASSERT_EQ(result.size(), (size_t)3);
+    EXPECT_EQ(result[0], "a");
+    EXPECT_EQ(result[1], "b");
+    EXPECT_EQ(result[2], "c");
+}
+
+TEST(StrUtils, SplitWhitespace)
+{
+    // Test Split with whitespace separator
+    std::vector<std::string> result = StrSplit("  hello   world  ");
+    ASSERT_EQ(result.size(), (size_t)2);
+    EXPECT_EQ(result[0], "hello");
+    EXPECT_EQ(result[1], "world");
+
+    // Test Split with multiple whitespace
+    result = StrSplit("a\t\nb\r\fc");
+    ASSERT_EQ(result.size(), (size_t)3);
+    EXPECT_EQ(result[0], "a");
+    EXPECT_EQ(result[1], "b");
+    EXPECT_EQ(result[2], "c");
+
+    // Test Split with empty string
+    result = StrSplit("");
+    ASSERT_EQ(result.size(), (size_t)0);
+
+    // Test Split with only whitespace
+    result = StrSplit("   \t\n  ");
+    ASSERT_EQ(result.size(), (size_t)0);
+}
+
+TEST(StrUtils, Trim)
+{
+    // Test Trim with specified character
+    EXPECT_EQ(StrTrim("aaaHelloaaa", 'a'), "Hello");
+    EXPECT_EQ(StrTrim("bbbWorldbbb", 'b'), "World");
+    EXPECT_EQ(StrTrim("Hello", 'x'), "Hello");
+    EXPECT_EQ(StrTrim("aaaa", 'a'), "");
+    EXPECT_EQ(StrTrim("", 'a'), "");
+    EXPECT_EQ(StrTrim("  Hello  ", ' '), "Hello");
+}
+
+TEST(StrUtils, TrimWhitespace)
+{
+    // Test TrimWhitespace
+    EXPECT_EQ(StrTrimWhitespace("  Hello  "), "Hello");
+    EXPECT_EQ(StrTrimWhitespace("\t\nHello\r\f"), "Hello");
+    EXPECT_EQ(StrTrimWhitespace("Hello"), "Hello");
+    EXPECT_EQ(StrTrimWhitespace(""), "");
+    EXPECT_EQ(StrTrimWhitespace("    "), "");
+    EXPECT_EQ(StrTrimWhitespace("\t\n\r\f\v"), "");
+}
+
+TEST(StrUtils, CountChar)
+{
+    // Test CountChar
+    EXPECT_EQ(StrCountChar("hello world", 'l'), (size_t)3);
+    EXPECT_EQ(StrCountChar("abcdef", 'z'), (size_t)0);
+    EXPECT_EQ(StrCountChar("", 'a'), (size_t)0);
+    EXPECT_EQ(StrCountChar("aaaaaa", 'a'), (size_t)6);
+    EXPECT_EQ(StrCountChar("Hello World", ' '), (size_t)1);
+}
+
+TEST(StrUtils, StartsWith)
+{
+    // Test StartsWith
+    EXPECT_TRUE(StrStartsWith("Hello World", "Hello"));
+    EXPECT_FALSE(StrStartsWith("Hello World", "World"));
+    EXPECT_TRUE(StrStartsWith("Hello", "Hello"));
+    EXPECT_FALSE(StrStartsWith("Hello", "Hello World"));
+    EXPECT_TRUE(StrStartsWith("", ""));
+    EXPECT_FALSE(StrStartsWith("", "Hello"));
+    EXPECT_TRUE(StrStartsWith("Hello World", ""));
+}
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/crypto/CMakeLists.txt b/virtrust/src/virtrust/crypto/CMakeLists.txt
new file mode 100644
index 0000000000000000000000000000000000000000..6220ba8c3d70e7885992dae4eaace7e0a2460f3f
--- /dev/null
+++ b/virtrust/src/virtrust/crypto/CMakeLists.txt
@@ -0,0 +1,10 @@
+# Copyright (C) 2025 by Huawei Technologies Co., Ltd. All rights reserved.
+
+set(VIRTRUST_SOURCE_FILES ${VIRTRUST_SOURCE_FILES}
+                          ${CMAKE_CURRENT_LIST_DIR}/sm3.cpp)
+
+add_virtrust_test_if(sm3_test ${BUILD_TEST})
+
+set(VIRTRUST_SOURCE_FILES
+    ${VIRTRUST_SOURCE_FILES}
+    PARENT_SCOPE)
diff --git a/virtrust/src/virtrust/crypto/sm3.cpp b/virtrust/src/virtrust/crypto/sm3.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..9c8eba91e45276eb3020a8e1d1c6a82cf9fddbda
--- /dev/null
+++ b/virtrust/src/virtrust/crypto/sm3.cpp
@@ -0,0 +1,153 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#include "virtrust/crypto/sm3.h"
+
+#include <securec.h>
+
+#include <vector>
+
+#include "virtrust/base/logger.h"
+#include "virtrust/dllib/openssl.h"
+
+namespace virtrust {
+
+Sm3::Sm3()
+    : md_(SmartEVP_MD(Openssl::GetInstance().EVP_MD_fetch(nullptr, "sm3", nullptr))),
+      context_(SmartEVP_MD_CTX(Openssl::GetInstance().EVP_MD_CTX_new()))
+{
+    Reset();
+}
+
+Sm3Rc Sm3::Reset()
+{
+    if (context_.Get() == nullptr || md_.Get() == nullptr) {
+        VIRTRUST_LOG_ERROR("Sm3::Reset() Failed, context_ or md_ is nullptr");
+        return Sm3Rc::ERROR;
+    }
+
+    auto ret = Openssl::GetInstance().EVP_MD_CTX_reset(context_.Get());
+    if (ret != OPENSSL_OK) {
+        VIRTRUST_LOG_ERROR("Sm3::Reset() Failed, EVP_MD_CTX_reset return:{}", ret);
+        return Sm3Rc::ERROR;
+    }
+
+    // NOTE we do not need to reset md_-
+    ret = Openssl::GetInstance().EVP_DigestInit(context_.Get(), md_.Get());
+    if (ret != OPENSSL_OK) {
+        VIRTRUST_LOG_ERROR("Sm3::Reset() Failed, EVP_DigestInit return:{}", ret);
+        return Sm3Rc::ERROR;
+    }
+
+    return Sm3Rc::OK;
+}
+
+Sm3Rc Sm3::Update(std::string_view data)
+{
+    if (data.size() > UPDATE_SIZE_LIMIT) {
+        VIRTRUST_LOG_ERROR("Sm3::Update() Failed, input data size:{}, exceeds limit:{}", data.size(),
+                           UPDATE_SIZE_LIMIT);
+        return Sm3Rc::ERROR;
+    }
+
+    if (context_.Get() == nullptr) {
+        VIRTRUST_LOG_ERROR("Sm3::Update() Failed, context is nullptr");
+        return Sm3Rc::ERROR;
+    }
+
+    auto ret = Openssl::GetInstance().EVP_DigestUpdate(context_.Get(), data.data(), data.size());
+    if (ret != OPENSSL_OK) {
+        VIRTRUST_LOG_ERROR("Sm3::Update() Failed, EVP_DigestUpdate  returns: {}", ret);
+        return Sm3Rc::ERROR;
+    }
+
+    return Sm3Rc::OK;
+}
+
+std::vector<uint8_t> Sm3::CumulativeHash() const
+{
+    if (context_.Get() == nullptr || md_.Get() == nullptr) {
+        VIRTRUST_LOG_ERROR("Sm3::CumulativeHash() Failed, context_ or md_ is nullptr");
+        return {};
+    }
+
+    unsigned int out_len = 0;
+    std::vector<uint8_t> out(DigestSize());
+
+    auto ctx_snapshot = SmartEVP_MD_CTX(Openssl::GetInstance().EVP_MD_CTX_new());
+    if (ctx_snapshot.Get() == nullptr) {
+        VIRTRUST_LOG_ERROR("Sm3::CumulativeHash() Failed, EVP_MD_CTX_new returns nullptr");
+        return {};
+    }
+
+    auto ret = Openssl::GetInstance().EVP_MD_CTX_copy_ex(ctx_snapshot.Get(), context_.Get());
+    if (ret != OPENSSL_OK) {
+        VIRTRUST_LOG_ERROR("Sm3::CumulativeHash() Failed, EVP_MD_CTX_copy_ex returns:{}", ret);
+        return {};
+    }
+
+    ret = Openssl::GetInstance().EVP_DigestFinal_ex(ctx_snapshot.Get(), out.data(), &out_len);
+    if (ret != OPENSSL_OK) {
+        VIRTRUST_LOG_ERROR("Sm3::CumulativeHash() Failed, EVP_DigestFinal_ex returns:{}", ret);
+        return {};
+    }
+
+    if (out_len != DigestSize()) {
+        VIRTRUST_LOG_ERROR("Sm3::CumulativeHash() Failed, EVP_DigestFinal_ex "
+                           "output len incorrect:{}",
+                           out_len);
+        return {};
+    }
+
+    return out;
+}
+
+std::array<uint8_t, Sm3::DigestSize()> DoSm3(std::string_view data)
+{
+    auto sm3 = Sm3();
+    if (sm3.Update(data) != Sm3Rc::OK) { // data.size limit will be captured here
+        VIRTRUST_LOG_ERROR("DoSm3() Failed, Update error");
+        return {};
+    }
+
+    auto buf = sm3.CumulativeHash();
+    if (buf.size() < Sm3::DigestSize()) {
+        VIRTRUST_LOG_ERROR("DoSm3() Failed, CumulativeHash output len incorrent:{}", buf.size());
+        return {};
+    }
+
+    std::array<uint8_t, Sm3::DigestSize()> out{};
+    auto ret = memcpy_s(out.data(), out.size(), buf.data(), buf.size());
+    if (ret != EOK) {
+        VIRTRUST_LOG_ERROR("DoSm3() Failed, memcpy_s error. ret is: {}", ret);
+        return {};
+    }
+
+    return out;
+}
+
+Sm3Rc DoSm3(std::string_view data, std::vector<uint8_t> &out)
+{
+    auto sm3 = Sm3();
+    if (sm3.Update(data) != Sm3Rc::OK) { // data.size limit will be captured here
+        VIRTRUST_LOG_ERROR("DoSm3() Failed, update error");
+        return Sm3Rc::ERROR;
+    }
+
+    auto buf = sm3.CumulativeHash();
+    if (buf.size() < Sm3::DigestSize()) {
+        VIRTRUST_LOG_ERROR("DoSm3() Failed, CumulativeHash output len incorrent:{}", buf.size());
+        return Sm3Rc::ERROR;
+    }
+
+    auto ret = memcpy_s(out.data(), out.size(), buf.data(), buf.size());
+    if (ret != EOK) {
+        VIRTRUST_LOG_ERROR("DoSm3() Failed, memcpy_s error. ret is: {}", ret);
+        return Sm3Rc::ERROR;
+    }
+
+    return Sm3Rc::OK;
+}
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/crypto/sm3.h b/virtrust/src/virtrust/crypto/sm3.h
new file mode 100644
index 0000000000000000000000000000000000000000..74beeb8c4b879626b80f8d54422199607736b915
--- /dev/null
+++ b/virtrust/src/virtrust/crypto/sm3.h
@@ -0,0 +1,44 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#pragma once
+#include <cstddef>
+#include <cstdint>
+#include <memory>
+#include <vector>
+
+#include "virtrust/dllib/openssl.h"
+#include "virtrust/dllib/openssl_defines.h"
+#include "virtrust/utils/smart_deleter.h"
+
+namespace virtrust {
+
+VIRTRUST_MAKE_SMART(EVP_MD_CTX, Openssl::GetInstance().EVP_MD_CTX_free);
+VIRTRUST_MAKE_SMART(EVP_MD, Openssl::GetInstance().EVP_MD_free);
+
+enum class Sm3Rc : uint32_t { OK = 0, ERROR = 1 };
+
+class Sm3 {
+public:
+    Sm3();
+    Sm3Rc Reset();
+    Sm3Rc Update(std::string_view data);
+    std::vector<uint8_t> CumulativeHash() const;
+
+    static constexpr size_t DigestSize()
+    {
+        return DIGEST_SIZE;
+    }
+
+private:
+    SmartEVP_MD md_;
+    SmartEVP_MD_CTX context_;
+    static constexpr size_t DIGEST_SIZE = 32;
+    static constexpr size_t UPDATE_SIZE_LIMIT = 1024 * 1024 * 1024; // 1G
+};
+
+std::array<uint8_t, Sm3::DigestSize()> DoSm3(std::string_view data);
+Sm3Rc DoSm3(std::string_view data, std::vector<uint8_t> &out);
+
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/crypto/sm3_test.cpp b/virtrust/src/virtrust/crypto/sm3_test.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..df1cfb1044bf7c9b0b921eb8c6a952f2ae345f15
--- /dev/null
+++ b/virtrust/src/virtrust/crypto/sm3_test.cpp
@@ -0,0 +1,252 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+ */
+
+#include <iomanip>
+#include <sstream>
+#include <string>
+#include <vector>
+
+#include "gtest/gtest.h"
+
+#include "virtrust/crypto/sm3.h"
+#include "virtrust/dllib/openssl.h"
+
+namespace virtrust::test {
+namespace {
+// The following two test vectors are taken from
+// https://www.oscca.gov.cn/sca/xxgk/2010-12/17/1002389/files/302a3ada057c4a73830536d03e683110.pdf
+const std::vector<std::string> SM3_TEST_DATA = {"abc",
+                                                "66c7f0f462eeedd9d1f2d46bdc10e4e24167c4875cf2f7a2297da02b8f4ba8e0",
+                                                "abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd",
+                                                "debe9ff92275b8a138604889c18e5a4d6fdb70e5387e5765293dcba39c0c5732",
+                                                "dabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd"};
+
+inline std::string BytesToHexString(const std::vector<uint8_t> &bytes)
+{
+    std::ostringstream oss;
+    oss << std::hex << std::setfill('0'); // Set output to hex and pad with '0'
+
+    for (unsigned char byte : bytes) {
+        oss << std::setw(2) << static_cast<int>(byte); // Format each bute as 2-digit hex
+    }
+
+    return oss.str();
+}
+
+} // namespace
+
+TEST(Sm3Test, Works)
+{
+    std::string msg = "123";
+    auto result1 = DoSm3(msg);
+    auto result2 = DoSm3(msg);
+
+    EXPECT_EQ(result1.size(), Sm3::DigestSize());
+    EXPECT_EQ(result1.size(), result2.size());
+    EXPECT_EQ(memcmp(result1.data(), result2.data(), result1.size()), 0);
+}
+
+TEST(Sm3Test, Test1)
+{
+    auto hash = Sm3();
+    hash.Update(SM3_TEST_DATA[0]);
+    auto ret = BytesToHexString(hash.CumulativeHash());
+    EXPECT_EQ(ret.size(), SM3_TEST_DATA[1].size());
+    EXPECT_EQ(ret, SM3_TEST_DATA[1]);
+}
+
+TEST(Sm3Test, Test2)
+{
+    auto hash = Sm3();
+    hash.Update(SM3_TEST_DATA[2]);
+    auto ret = BytesToHexString(hash.CumulativeHash());
+    EXPECT_EQ(ret.size(), SM3_TEST_DATA[3].size());
+    EXPECT_EQ(ret, SM3_TEST_DATA[3]);
+}
+
+TEST(Sm3Test, Test3)
+{
+    auto hash = Sm3();
+    hash.Update(SM3_TEST_DATA[0]);
+    hash.Update(SM3_TEST_DATA[4]);
+    auto ret = BytesToHexString(hash.CumulativeHash());
+    EXPECT_EQ(ret.size(), SM3_TEST_DATA[3].size());
+    EXPECT_EQ(ret, SM3_TEST_DATA[3]);
+}
+
+TEST(Sm3Test, Test4)
+{
+    auto hash = Sm3();
+    hash.Update(SM3_TEST_DATA[0]);
+    hash.Reset();
+    hash.Update(SM3_TEST_DATA[2]);
+    auto ret = BytesToHexString(hash.CumulativeHash());
+    EXPECT_EQ(ret.size(), SM3_TEST_DATA[3].size());
+    EXPECT_EQ(ret, SM3_TEST_DATA[3]);
+}
+
+// Test empty string
+TEST(Sm3Test, EmptyString)
+{
+    auto hash = Sm3();
+    hash.Update("");
+    auto result = hash.CumulativeHash();
+    EXPECT_EQ(result.size(), Sm3::DigestSize());
+    EXPECT_FALSE(result.empty());
+}
+
+// Test various string sizes
+TEST(Sm3Test, VariousSizes)
+{
+    // Small strings
+    std::vector<std::string> testString = {"", "a", "ab", "abc", "abcd"};
+    for (const auto &str : testString) {
+        auto hash = Sm3();
+        hash.Update(str);
+        auto result = hash.CumulativeHash();
+        EXPECT_EQ(result.size(), Sm3::DigestSize());
+    }
+
+    // Large strings
+    std::string largeStr(1000, 'x');
+    auto hash = Sm3();
+    hash.Update(largeStr);
+    auto result = hash.CumulativeHash();
+    EXPECT_EQ(result.size(), Sm3::DigestSize());
+}
+
+// Test Update with size limit
+TEST(Sm3Test, UpdateSizeLimit)
+{
+    // Test within limit
+    std::string smallData(1000, 'x');
+    auto hash = Sm3();
+    EXPECT_EQ(hash.Update(smallData), Sm3Rc::OK);
+
+    // Test exceeding limit (should return ERROR)
+    std::string largeData(1024 * 1024 * 1024 + 1, 'x'); // limit
+    EXPECT_EQ(hash.Update(largeData), Sm3Rc::ERROR);
+}
+
+// Test cumulative hash with empty context
+TEST(Sm3Test, CumulativeHashWithNullContext)
+{
+    // This test requires mocking or directly testing the internal state
+    // The actual implementation handles null checks, but we want to ensure
+    // the function behaves correctly
+    auto hash = Sm3();
+    // Normally the context is initialized, but we can still verify it works
+    hash.Update("test");
+    auto result = hash.CumulativeHash();
+    EXPECT_EQ(result.size(), Sm3::DigestSize());
+}
+
+// Test reset functionality
+TEST(Sm3Test, ResetFunctionality)
+{
+    auto hash = Sm3();
+
+    // Update with some data
+    hash.Update("hello");
+    auto intermediateHash = hash.CumulativeHash();
+    EXPECT_EQ(intermediateHash.size(), Sm3::DigestSize());
+
+    // Reset and update with different data
+    hash.Reset();
+    hash.Update("world");
+    auto finalHash = hash.CumulativeHash();
+    EXPECT_EQ(finalHash.size(), Sm3::DigestSize());
+
+    // Hashes should be different
+    EXPECT_NE(memcmp(intermediateHash.data(), finalHash.data(), intermediateHash.size()), 0);
+}
+
+// Test DoSm3 with vector output
+TEST(Sm3Test, DoSm3VectorOutput)
+{
+    std::string testData = "test data";
+    std::vector<uint8_t> output(Sm3::DigestSize());
+
+    auto result = DoSm3(testData, output);
+    EXPECT_EQ(result, Sm3Rc::OK);
+    EXPECT_EQ(output.size(), Sm3::DigestSize());
+
+    // Verify the output is not empty
+    bool allZero = true;
+    for (uint8_t byte : output) {
+        if (byte != 0) {
+            allZero = false;
+            break;
+        }
+    }
+    EXPECT_FALSE(allZero);
+}
+
+// Test DoSm3 with array output (existing test)
+TEST(Sm3Test, DoSm3ArrayOutput)
+{
+    std::string testData = "test data";
+    auto result = DoSm3(testData);
+
+    EXPECT_EQ(result.size(), Sm3::DigestSize());
+
+    // Verify the output is not all zeros
+    bool allZero = true;
+    for (uint8_t byte : result) {
+        if (byte != 0) {
+            allZero = false;
+            break;
+        }
+    }
+    EXPECT_FALSE(allZero);
+}
+
+// Test Hash consistency across multiple updates
+TEST(Sm3Test, MultipleUpdatesConsistency)
+{
+    std::string data1 = "hello";
+    std::string data2 = "";
+    std::string data3 = "world";
+
+    // Single update
+    auto hash1 = Sm3();
+    hash1.Update(data1 + data2 + data3);
+    auto result1 = hash1.CumulativeHash();
+
+    // Multiple updates
+    auto hash2 = Sm3();
+    hash2.Update(data1);
+    hash2.Update(data2);
+    hash2.Update(data3);
+    auto result2 = hash2.CumulativeHash();
+
+    // Results should be identical
+    EXPECT_EQ(result1.size(), result2.size());
+    EXPECT_EQ(memcmp(result1.data(), result2.data(), result1.size()), 0);
+}
+
+// Test Hash concatenation
+TEST(Sm3Test, HashConcatenation)
+{
+    std::string data1 = "first";
+    std::string data2 = "second";
+
+    auto hash1 = Sm3();
+    hash1.Update(data1);
+    auto hash1Result = hash1.CumulativeHash();
+
+    auto hash2 = Sm3();
+    hash2.Update(data2);
+    auto hash2Result = hash2.CumulativeHash();
+
+    auto hash3 = Sm3();
+    hash3.Update(data1 + data2);
+    auto hash3Result = hash3.CumulativeHash();
+
+    // Hashes should be different
+    EXPECT_NE(memcmp(hash1Result.data(), hash2Result.data(), hash1Result.size()), 0);
+    EXPECT_NE(memcmp(hash1Result.data(), hash3Result.data(), hash1Result.size()), 0);
+    EXPECT_NE(memcmp(hash2Result.data(), hash3Result.data(), hash2Result.size()), 0);
+}
+} // namespace virtrust::test
\ No newline at end of file
diff --git a/virtrust/src/virtrust/dllib/CMakeLists.txt b/virtrust/src/virtrust/dllib/CMakeLists.txt
new file mode 100644
index 0000000000000000000000000000000000000000..e437bbcec0bd7cef4fa93c6a4812c1b57f73e7cc
--- /dev/null
+++ b/virtrust/src/virtrust/dllib/CMakeLists.txt
@@ -0,0 +1,19 @@
+# Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+
+set(VIRTRUST_SOURCE_FILES ${VIRTRUST_SOURCE_FILES})
+
+add_virtrust_test_if(libxml2_test ${BUILD_TEST})
+
+# HACK libguestfs has memory leaks, so we disable this test under asan
+#
+if(NOT CMAKE_BUILD_TYPE STREQUAL "Asan")
+  add_virtrust_test_if(libguestfs_test ${BUILD_TEST})
+endif()
+
+add_virtrust_test_if(libvirt_test ${BUILD_TEST})
+add_virtrust_test_if(openssl_test ${BUILD_TEST})
+add_virtrust_test_if(dllib_test ${BUILD_TEST})
+
+set(VIRTRUST_SOURCE_FILES
+    ${VIRTRUST_SOURCE_FILES}
+    PARENT_SCOPE)
diff --git a/virtrust/src/virtrust/dllib/common.h b/virtrust/src/virtrust/dllib/common.h
new file mode 100644
index 0000000000000000000000000000000000000000..c7e031b4793b67d96c974e9aacfd0d7093b1fc6f
--- /dev/null
+++ b/virtrust/src/virtrust/dllib/common.h
@@ -0,0 +1,130 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#pragma once
+
+#include <dlfcn.h>
+
+#include <cstdint>
+#include <functional>
+#include <memory>
+#include <numeric>
+#include <stdexcept>
+#include <string_view>
+
+#include "virtrust/base/str_utils.h"
+
+namespace virtrust {
+
+// Dllib Return Code
+enum class DllibRc : uint32_t {
+    OK = 0,
+    ERROR = 1,
+};
+
+template <class R, class... Args> class DlFun {
+public:
+    using FunTy = R (*)(Args...);
+
+    DlFun() = default;
+
+    DlFun(std::string_view name, FunTy funptr)
+        : funName_(name), funptr_(funptr ? std::function<R(Args...)>(funptr) : std::function<R(Args...)>(nullptr))
+    {}
+
+    std::function<R(Args...)> Get() const
+    {
+        return funptr_;
+    }
+
+    std::string GetName() const
+    {
+        return funName_;
+    }
+
+    R operator()(Args... args) const
+    {
+        if (!funptr_) {
+            throw std::runtime_error(std::string("[") + __FILE__ + ":" + std::to_string(__LINE__) +
+                                     "] Fatal Error: function " + funName_ +
+                                     " is nullptr, maybe previous dlsym failed.");
+        }
+        return funptr_(std::forward<Args>(args)...);
+    }
+
+private:
+    std::string funName_ = "unknown";
+    std::function<R(Args...)> funptr_ = nullptr;
+};
+
+class DlLibBase {
+public:
+    // Check whether dlopen and dlsym has succeed
+    DllibRc CheckOk() const
+    {
+        return ok_ ? DllibRc::OK : DllibRc::ERROR;
+    }
+
+    size_t Size() const
+    {
+        return size_;
+    }
+
+protected:
+    explicit DlLibBase(std::string_view lib) : libName_(lib)
+    {}
+
+    virtual ~DlLibBase()
+    {
+        SelfDlClose();
+    }
+
+    void SelfDlClose()
+    {
+        // the stored pointer
+        if (libptr_ != nullptr) {
+            dlclose(libptr_);
+            libptr_ = nullptr;
+        }
+
+        // reset to default
+        size_ = 0;
+        ok_ = true;
+    }
+
+    DllibRc SelfDlOpen()
+    {
+        libptr_ = dlopen(libName_.data(), RTLD_NOW | RTLD_GLOBAL);
+        return libptr_ != nullptr ? DllibRc::OK : DllibRc::ERROR;
+    }
+
+    template <class R, class... Args> void SelfDlSym(std::string_view funName, DlFun<R, Args...> &outFun)
+    {
+        if (libptr_ == nullptr || funName.empty()) {
+            return;
+        }
+
+        void *funPtr = dlsym(libptr_, funName.data());
+        if (funPtr == nullptr) {
+            ok_ = false;
+        }
+        size_++; // always add up internal size counter
+        outFun = DlFun<R, Args...>(funName, reinterpret_cast<R (*)(Args...)>(funPtr));
+    }
+
+private:
+    void *libptr_ = nullptr;
+    const std::string libName_ = "unknown";
+
+    // funCache_ stores all dlsym function raw pointers
+    // WARNING: DO NOT manually manipulate those pointers
+    std::vector<void *> funCache_; // cache DO NOT own pointers, those pointers should read only
+    size_t size_ = 0;
+    bool ok_ = true;
+};
+
+// The second argument is the templateHelper which helps template deduction
+#define DLLIB_SELF_DLSYM(NAME) SelfDlSym(#NAME, NAME)
+
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/dllib/dllib_test.cpp b/virtrust/src/virtrust/dllib/dllib_test.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..6aff4008033994d0453ada39e58dde89cc803fd3
--- /dev/null
+++ b/virtrust/src/virtrust/dllib/dllib_test.cpp
@@ -0,0 +1,102 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+ */
+
+#include "gtest/gtest.h"
+
+#include "virtrust/dllib/libguestfs.h"
+#include "virtrust/dllib/libvirt.h"
+#include "virtrust/dllib/libxml2.h"
+#include "virtrust/dllib/openssl.h"
+
+namespace virtrust {
+
+TEST(DynamicLibraryTest, OpensslInitialization)
+{
+    // Test taht Openssl can be initialied properly
+    auto &openssl = Openssl::GetInstance();
+    EXPECT_EQ(openssl.CheckOk(), DllibRc::OK);
+
+    // Test that the library was loaded
+    EXPECT_GT(openssl.Size(), (size_t)0);
+}
+
+TEST(DynamicLibraryTest, OpensslFunctionPointers)
+{
+    // Test taht all key openssl function pointers are valid
+    auto &openssl = Openssl::GetInstance();
+
+    // Test that function pointers are not null
+    EXPECT_NE(openssl.EVP_MD_CTX_new.Get(), nullptr);
+    EXPECT_NE(openssl.EVP_MD_CTX_free.Get(), nullptr);
+    EXPECT_NE(openssl.EVP_DigestInit.Get(), nullptr);
+    EXPECT_NE(openssl.EVP_DigestUpdate.Get(), nullptr);
+    EXPECT_NE(openssl.EVP_DigestFinal_ex.Get(), nullptr);
+    EXPECT_NE(openssl.EVP_MD_fetch.Get(), nullptr);
+    EXPECT_NE(openssl.EVP_MD_free.Get(), nullptr);
+    EXPECT_NE(openssl.EVP_MD_CTX_reset.Get(), nullptr);
+    EXPECT_NE(openssl.EVP_MD_CTX_copy_ex.Get(), nullptr);
+}
+
+TEST(DynamicLibraryTest, OpensslReloadFunctionality)
+{
+    // Test reload functionality
+    auto &openssl = Openssl::GetInstance();
+
+    // Check initial state
+    EXPECT_EQ(openssl.CheckOk(), DllibRc::OK);
+
+    // Reload the library
+    auto ret = openssl.Reload();
+    EXPECT_EQ(ret, DllibRc::OK);
+
+    // Verify it's still working after reload
+    EXPECT_EQ(openssl.CheckOk(), DllibRc::OK);
+}
+
+TEST(DynamicLibraryTest, LibvirtInitialization)
+{
+    // Test that libvirt can be initialied properly
+    auto &libvirt = Libvirt::GetInstance();
+    // Note: we don't assert CheckOk() as libvirt might not be available in test
+    // environment But we can verify it doesn't crash
+    EXPECT_NE(&libvirt, nullptr);
+}
+
+TEST(DynamicLibraryTest, LibguestfsInitialization)
+{
+    auto &libguestfs = Libguestfs::GetInstance();
+    // Note: we don't assert CheckOk() as libguestfs might not be available in
+    // test environment But we can verify it doesn't crash
+    EXPECT_NE(&libguestfs, nullptr);
+}
+
+TEST(DynamicLibraryTest, Libxml2Initialization)
+{
+    // Test that libxml2 can be initialied properly
+    auto &libxml2 = Libxml2::GetInstance();
+    // Note: we don't assert CheckOk() as libxml2 might not be available in test
+    // environment But we can verify it doesn't crash
+    EXPECT_NE(&libxml2, nullptr);
+}
+
+TEST(DynamicLibraryTest, SingletonPattern)
+{
+    // Test that all dynamic library classes follow singleton pattern
+    auto &openssl1 = Openssl::GetInstance();
+    auto &openssl2 = Openssl::GetInstance();
+    EXPECT_EQ(&openssl1, &openssl2);
+
+    auto &libvirt1 = Libvirt::GetInstance();
+    auto &libvirt2 = Libvirt::GetInstance();
+    EXPECT_EQ(&libvirt1, &libvirt2);
+
+    auto &libguestfs1 = Libguestfs::GetInstance();
+    auto &libguestfs2 = Libguestfs::GetInstance();
+    EXPECT_EQ(&libguestfs1, &libguestfs2);
+
+    auto &libxml21 = Libxml2::GetInstance();
+    auto &libxml22 = Libxml2::GetInstance();
+    EXPECT_EQ(&libxml21, &libxml22);
+}
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/dllib/libguestfs.h b/virtrust/src/virtrust/dllib/libguestfs.h
new file mode 100644
index 0000000000000000000000000000000000000000..7b7f4741f7cb8b32a8e91beac1866aca0c57e850
--- /dev/null
+++ b/virtrust/src/virtrust/dllib/libguestfs.h
@@ -0,0 +1,103 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#pragma once
+
+#include <dlfcn.h>
+
+#include <cstdarg>
+#include <cstdint>
+#include <functional>
+#include <string_view>
+
+#include "virtrust/dllib/common.h"
+#include "virtrust/dllib/libguestfs_defines.h"
+
+namespace virtrust {
+
+// libguestfs api
+class Libguestfs : public DlLibBase {
+public:
+    ~Libguestfs() = default;
+    Libguestfs(const Libguestfs &) = delete;
+    void operator=(const Libguestfs &) = delete;
+
+    // Singleton instance
+    static Libguestfs &GetInstance()
+    {
+        static Libguestfs instance;
+        return instance;
+    }
+
+    // Reload all functions
+    DllibRc Reload()
+    {
+        SelfDlClose();
+        LoadAll();
+        return CheckOk();
+    }
+
+    // Declare all functions that you need
+    // NOTE Please make sure the class instance is inited before calling those
+    // functions
+
+    // Create guestfs context
+    DlFun<guestfs_h *> guestfs_create;
+
+    DlFun<int, guestfs_h *, const char *> guestfs_set_backend;
+
+    DlFun<int, guestfs_h *, const char *, const struct guestfs_add_drive_opts_argv> guestfs_add_drive_opts_argv;
+
+    DlFun<int, guestfs_h *> guestfs_launch;
+
+    DlFun<char **, guestfs_h *> guestfs_inspect_os;
+
+    DlFun<char **, guestfs_h *, const char *> guestfs_inspect_get_mountpoints;
+
+    DlFun<int, guestfs_h *, const char *, const char *> guestfs_mount_ro;
+
+    DlFun<int, guestfs_h *> guestfs_umount_all;
+
+    DlFun<void, guestfs_h *> guestfs_close;
+
+    DlFun<int, guestfs_h *, int> guestfs_set_trace;
+
+    DlFun<int, guestfs_h *, const char *> guestfs_exists;
+
+    DlFun<int, guestfs_h *, const char *> guestfs_is_file;
+
+    DlFun<char *, guestfs_h *, const char *, size_t *> guestfs_read_file;
+
+private:
+    void LoadAll()
+    {
+        // NOTE explicitly dlopen shared library
+        auto ret = SelfDlOpen();
+        if (ret != DllibRc::OK) {
+            return;
+        }
+        DLLIB_SELF_DLSYM(guestfs_create);
+        DLLIB_SELF_DLSYM(guestfs_set_backend);
+        DLLIB_SELF_DLSYM(guestfs_add_drive_opts_argv);
+        DLLIB_SELF_DLSYM(guestfs_launch);
+        DLLIB_SELF_DLSYM(guestfs_inspect_os);
+        DLLIB_SELF_DLSYM(guestfs_inspect_get_mountpoints);
+        DLLIB_SELF_DLSYM(guestfs_mount_ro);
+        DLLIB_SELF_DLSYM(guestfs_umount_all);
+        DLLIB_SELF_DLSYM(guestfs_close);
+        DLLIB_SELF_DLSYM(guestfs_set_trace);
+        DLLIB_SELF_DLSYM(guestfs_exists);
+        DLLIB_SELF_DLSYM(guestfs_is_file);
+        DLLIB_SELF_DLSYM(guestfs_read_file);
+    }
+
+    Libguestfs() : DlLibBase(LIB_NAME)
+    {
+        LoadAll();
+    }
+
+    static constexpr std::string_view LIB_NAME = "libguestfs.so";
+};
+
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/dllib/libguestfs_defines.h b/virtrust/src/virtrust/dllib/libguestfs_defines.h
new file mode 100644
index 0000000000000000000000000000000000000000..5745de20caa32d9ae2a93901a41dc9cebf8a07b6
--- /dev/null
+++ b/virtrust/src/virtrust/dllib/libguestfs_defines.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#pragma once
+
+#include <dlfcn.h>
+
+#include <cstdint>
+#include <functional>
+#include <string_view>
+
+namespace virtrust {
+
+// see: libguestfs.h, it's a forward declaration in original header file
+struct guestfs_h;
+
+struct guestfs_add_drive_opts_argv {
+    uint64_t bitmask;
+#define GUESTFS_ADD_DRIVE_OPTS_READONLY_BITMASK (UINT64_C(1) << 0)
+    int readonly;
+#define GUESTFS_ADD_DRIVE_OPTS_FORMAT_BITMASK (UINT64_C(1) << 1)
+    const char *format;
+#define GUESTFS_ADD_DRIVE_OPTS_IFACE_BITMASK (UINT64_C(1) << 2)
+    const char *iface;
+#define GUESTFS_ADD_DRIVE_OPTS_NAME_BITMASK (UINT64_C(1) << 3)
+    const char *name;
+#define GUESTFS_ADD_DRIVE_OPTS_LABEL_BITMASK (UINT64_C(1) << 4)
+    const char *label;
+#define GUESTFS_ADD_DRIVE_OPTS_PROTOCOL_BITMASK (UINT64_C(1) << 5)
+    const char *protocol;
+#define GUESTFS_ADD_DRIVE_OPTS_SERVER_BITMASK (UINT64_C(1) << 6)
+    char *const *server;
+#define GUESTFS_ADD_DRIVE_OPTS_USERNAME_BITMASK (UINT64_C(1) << 7)
+    const char *username;
+#define GUESTFS_ADD_DRIVE_OPTS_SECRET_BITMASK (UINT64_C(1) << 8)
+    const char *secret;
+#define GUESTFS_ADD_DRIVE_OPTS_CACHEMODE_BITMASK (UINT64_C(1) << 9)
+    const char *cachemode;
+#define GUESTFS_ADD_DRIVE_OPTS_DISCARD_BITMASK (UINT64_C(1) << 10)
+    const char *discard;
+#define GUESTFS_ADD_DRIVE_OPTS_COPYONREAD_BITMASK (UINT64_C(1) << 11)
+    int copyonread;
+#define GUESTFS_ADD_DRIVE_OPTS_BLOCKSIZE_BITMASK (UINT64_C(1) << 12)
+    int blocksize;
+};
+
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/dllib/libguestfs_test.cpp b/virtrust/src/virtrust/dllib/libguestfs_test.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..e6212fefee20fe329a3cbabf57aa993bb3db1ca7
--- /dev/null
+++ b/virtrust/src/virtrust/dllib/libguestfs_test.cpp
@@ -0,0 +1,80 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+ */
+
+#include "gtest/gtest.h"
+
+#include "virtrust/dllib/libguestfs.h"
+
+namespace virtrust {
+
+TEST(LibGuestfsTest, works)
+{
+    // Init
+    auto &libguestfs = Libguestfs::GetInstance();
+    EXPECT_EQ(libguestfs.CheckOk(), DllibRc::OK);
+
+    // Explicity reload
+    auto ret = libguestfs.Reload();
+    EXPECT_EQ(ret, DllibRc::OK);
+
+    // Call Function
+    auto *g = libguestfs.guestfs_create();
+    EXPECT_NE(g, nullptr);
+
+    // quit
+    if (g != nullptr) {
+        libguestfs.guestfs_close(g);
+    }
+}
+
+TEST(LibGuestfsTest, SingletonPattern)
+{
+    // Test that libguestfs follow singleton pattern
+    auto &libguestfs1 = Libguestfs::GetInstance();
+    auto &libguestfs2 = Libguestfs::GetInstance();
+    EXPECT_EQ(&libguestfs1, &libguestfs2);
+}
+
+TEST(LibGuestfsTest, CheckOkFunction)
+{
+    // Test the CheckOk function
+    auto &libguestfs = Libguestfs::GetInstance();
+    EXPECT_EQ(libguestfs.CheckOk(), DllibRc::OK);
+
+    // Test size function
+    EXPECT_GT(libguestfs.Size(), (size_t)0);
+}
+
+TEST(LibGuestfsTest, ReloadFunction)
+{
+    // Test reloading functionality
+    auto &libguestfs = Libguestfs::GetInstance();
+
+    // check inital state
+    EXPECT_EQ(libguestfs.CheckOk(), DllibRc::OK);
+
+    // Reload the library
+    auto ret = libguestfs.Reload();
+    EXPECT_EQ(ret, DllibRc::OK);
+
+    // Verify it's still working after reload
+    EXPECT_EQ(libguestfs.CheckOk(), DllibRc::OK);
+}
+
+TEST(LibGuestfsTest, FunctionPointerValidity)
+{
+    // Test that all function pointer are valid
+    auto &libguestfs = Libguestfs::GetInstance();
+
+    // Test a few key functions for validity
+    EXPECT_NE(libguestfs.guestfs_create.Get(), nullptr);
+    EXPECT_NE(libguestfs.guestfs_launch.Get(), nullptr);
+    EXPECT_NE(libguestfs.guestfs_close.Get(), nullptr);
+
+    // Test that functions can be called (without actually executing)
+    EXPECT_FALSE(libguestfs.guestfs_create.GetName().empty());
+    EXPECT_FALSE(libguestfs.guestfs_launch.GetName().empty());
+    EXPECT_FALSE(libguestfs.guestfs_close.GetName().empty());
+}
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/dllib/libvirt.h b/virtrust/src/virtrust/dllib/libvirt.h
new file mode 100644
index 0000000000000000000000000000000000000000..a88a87fa1d5e6e88b3ea222d0d66e539994f1be5
--- /dev/null
+++ b/virtrust/src/virtrust/dllib/libvirt.h
@@ -0,0 +1,104 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#pragma once
+
+#include <dlfcn.h>
+
+#include <string_view>
+
+#include "virtrust/dllib/common.h"
+#include "virtrust/dllib/libvirt_defines.h"
+
+namespace virtrust {
+
+// libvirt api
+class Libvirt : public DlLibBase {
+public:
+    ~Libvirt() = default;
+    Libvirt(const Libvirt &) = delete;
+    void operator=(const Libvirt &) = delete;
+
+    // Singleton instance
+    static Libvirt &GetInstance()
+    {
+        static Libvirt instance;
+        return instance;
+    }
+
+    // Reload all functions
+    DllibRc Reload()
+    {
+        SelfDlClose();
+        LoadAll();
+        return CheckOk();
+    }
+
+    // Set log level
+    DllibRc SetErrorFunction(virErrorFunc func)
+    {
+        auto ret = GetInstance().CheckOk();
+        if (ret != DllibRc::OK) {
+            return ret;
+        }
+        virSetErrorFunc(nullptr, func);
+        return DllibRc::OK;
+    }
+
+    // Declare all functions that you need
+    // NOTE Please make sure the class instance is inited before calling those
+    // functions
+    DlFun<virConnectPtr, const char *> virConnectOpen;
+    DlFun<virDomainPtr, virConnectPtr, const char *> virDomainLookupByName;
+    DlFun<int, virDomainPtr, unsigned int> virDomainCreateWithFlags;
+    DlFun<int, virConnectPtr> virConnectClose;
+    DlFun<int, virDomainPtr> virDomainFree;
+    DlFun<int, virDomainPtr, unsigned int> virDomainShutdownFlags;
+    DlFun<int, virConnectPtr> virConnectNumOfDomains;
+    DlFun<int, virConnectPtr, virDomainPtr **, unsigned int> virConnectListAllDomains;
+    DlFun<unsigned int, virDomainPtr> virDomainGetID;
+    DlFun<const char *, virDomainPtr> virDomainGetName;
+    DlFun<int, virDomainPtr, virDomainInfo *> virDomainGetInfo;
+    DlFun<int, virDomainPtr, unsigned int> virDomainDestroyFlags;
+    DlFun<int, virDomainPtr, unsigned int> virDomainUndefineFlags;
+    DlFun<void, void *, virErrorFunc> virSetErrorFunc;
+    DlFun<int, virDomainPtr, char *> virDomainGetUUIDString;
+    DlFun<virDomainPtr, virDomainPtr, virConnectPtr, virTypedParameterPtr, unsigned int, unsigned int>
+        virDomainMigrate3;
+
+private:
+    void LoadAll()
+    {
+        // NOTE explicitly dlopen shared library
+        auto ret = SelfDlOpen();
+        if (ret != DllibRc::OK) {
+            return;
+        }
+        DLLIB_SELF_DLSYM(virConnectOpen);
+        DLLIB_SELF_DLSYM(virDomainLookupByName);
+        DLLIB_SELF_DLSYM(virDomainCreateWithFlags);
+        DLLIB_SELF_DLSYM(virConnectClose);
+        DLLIB_SELF_DLSYM(virDomainFree);
+        DLLIB_SELF_DLSYM(virDomainShutdownFlags);
+        DLLIB_SELF_DLSYM(virConnectNumOfDomains);
+        DLLIB_SELF_DLSYM(virConnectListAllDomains);
+        DLLIB_SELF_DLSYM(virDomainGetID);
+        DLLIB_SELF_DLSYM(virDomainGetName);
+        DLLIB_SELF_DLSYM(virDomainGetInfo);
+        DLLIB_SELF_DLSYM(virDomainDestroyFlags);
+        DLLIB_SELF_DLSYM(virDomainUndefineFlags);
+        DLLIB_SELF_DLSYM(virSetErrorFunc);
+        DLLIB_SELF_DLSYM(virDomainGetUUIDString);
+        DLLIB_SELF_DLSYM(virDomainMigrate3);
+    }
+
+    Libvirt() : DlLibBase(LIB_NAME)
+    {
+        LoadAll();
+    }
+
+    static constexpr std::string_view LIB_NAME = "libvirt.so";
+};
+
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/dllib/libvirt_defines.h b/virtrust/src/virtrust/dllib/libvirt_defines.h
new file mode 100644
index 0000000000000000000000000000000000000000..fd6dd092970dbc0f7d75695eaacd382a90181d4d
--- /dev/null
+++ b/virtrust/src/virtrust/dllib/libvirt_defines.h
@@ -0,0 +1,430 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#pragma once
+
+#include <string>
+
+#include "virtrust/base/custom_logger.h"
+
+namespace virtrust {
+
+using virConnectPtr = int *;
+using virDomainPtr = int *;
+using virNetworkPtr = int *;
+using virTypedParameterPtr = int *;
+
+/**
+ * virDomainState:
+ *
+ * A domain may be in different states at a given point in time
+ *
+ * Since: 0.0.1
+ */
+typedef enum {
+    VIR_DOMAIN_NOSTATE = 0,     /* no state (Since: 0.0.1) */
+    VIR_DOMAIN_RUNNING = 1,     /* the domain is running (Since: 0.0.1) */
+    VIR_DOMAIN_BLOCKED = 2,     /* the domain is blocked on resource (Since: 0.0.1) */
+    VIR_DOMAIN_PAUSED = 3,      /* the domain is paused by user (Since: 0.0.1) */
+    VIR_DOMAIN_SHUTDOWN = 4,    /* the domain is being shut down (Since: 0.0.1) */
+    VIR_DOMAIN_SHUTOFF = 5,     /* the domain is shut off (Since: 0.0.1) */
+    VIR_DOMAIN_CRASHED = 6,     /* the domain is crashed (Since: 0.0.2) */
+    VIR_DOMAIN_PMSUSPENDED = 7, /* the domain is suspended by guest
+                                   power management (Since: 0.9.11) */
+} virDomainState;
+
+/**
+ * virDomainInfo:
+ *
+ * a virDomainInfo is a structure filled by virDomainGetInfo() and extracting
+ * runtime information for a given active Domain
+ *
+ * Since: 0.0.1
+ */
+using virDomainInfo = struct _virDomainInfo;
+
+struct _virDomainInfo {
+    unsigned char state;        /* the running state, one of virDomainState */
+    unsigned long maxMem;       /* the maximum memory in KBytes allowed */
+    unsigned long memory;       /* the memory in KBytes used by the domain */
+    unsigned short nrVirtCpu;   /* the number of virtual CPUs for the domain */
+    unsigned long long cpuTime; /* the CPU time used in nanoseconds */
+};
+
+/**
+ * virConnectListAllDomainsFlags:
+ *
+ * Flags used to tune which domains are listed by virConnectListAllDomains().
+ * Note that these flags come in groups; if all bits from a group are 0,
+ * then that group is not used to filter results.
+ *
+ * Since: 0.9.13
+ */
+typedef enum {
+    VIR_CONNECT_LIST_DOMAINS_ACTIVE = 1 << 0,   /* (Since: 0.9.13) */
+    VIR_CONNECT_LIST_DOMAINS_INACTIVE = 1 << 1, /* (Since: 0.9.13) */
+
+    VIR_CONNECT_LIST_DOMAINS_PERSISTENT = 1 << 2, /* (Since: 0.9.13) */
+    VIR_CONNECT_LIST_DOMAINS_TRANSIENT = 1 << 3,  /* (Since: 0.9.13) */
+
+    VIR_CONNECT_LIST_DOMAINS_RUNNING = 1 << 4, /* (Since: 0.9.13) */
+    VIR_CONNECT_LIST_DOMAINS_PAUSED = 1 << 5,  /* (Since: 0.9.13) */
+    VIR_CONNECT_LIST_DOMAINS_SHUTOFF = 1 << 6, /* (Since: 0.9.13) */
+    VIR_CONNECT_LIST_DOMAINS_OTHER = 1 << 7,   /* (Since: 0.9.13) */
+
+    VIR_CONNECT_LIST_DOMAINS_MANAGEDSAVE = 1 << 8,    /* (Since: 0.9.13) */
+    VIR_CONNECT_LIST_DOMAINS_NO_MANAGEDSAVE = 1 << 9, /* (Since: 0.9.13) */
+
+    VIR_CONNECT_LIST_DOMAINS_AUTOSTART = 1 << 10,    /* (Since: 0.9.13) */
+    VIR_CONNECT_LIST_DOMAINS_NO_AUTOSTART = 1 << 11, /* (Since: 0.9.13) */
+
+    VIR_CONNECT_LIST_DOMAINS_HAS_SNAPSHOT = 1 << 12, /* (Since: 0.9.13) */
+    VIR_CONNECT_LIST_DOMAINS_NO_SNAPSHOT = 1 << 13,  /* (Since: 0.9.13) */
+
+    VIR_CONNECT_LIST_DOMAINS_HAS_CHECKPOINT = 1 << 14, /* (Since: 5.6.0) */
+    VIR_CONNECT_LIST_DOMAINS_NO_CHECKPOINT = 1 << 15,  /* (Since: 5.6.0) */
+} virConnectListAllDomainsFlags;
+
+/**
+ * virDomainCreateFlags:
+ *
+ * Flags OR'ed together to provide specific behaviour when creating a
+ * Domain.
+ *
+ * Since: 0.0.1
+ */
+typedef enum {
+    VIR_DOMAIN_NONE = 0,                    /* Default behavior (Since: 0.0.1) */
+    VIR_DOMAIN_START_PAUSED = 1 << 0,       /* Launch guest in paused state (Since: 0.8.2) */
+    VIR_DOMAIN_START_AUTODESTROY = 1 << 1,  /* Automatically kill guest when virConnectPtr is closed (Since:
+                                               0.9.3) */
+    VIR_DOMAIN_START_BYPASS_CACHE = 1 << 2, /* Avoid file system cache pollution (Since: 0.9.4) */
+    VIR_DOMAIN_START_FORCE_BOOT = 1 << 3,   /* Boot, discarding any managed save (Since: 0.9.5) */
+    VIR_DOMAIN_START_VALIDATE = 1 << 4,     /* Validate the XML document against schema (Since: 1.2.12) */
+    VIR_DOMAIN_START_RESET_NVRAM = 1 << 5,  /* Re-initialize NVRAM from template (Since: 8.1.0) */
+} virDomainCreateFlags;
+
+/**
+ * virDomainDestroyFlagsValues:
+ *
+ * Flags used to provide specific behaviour to the
+ * virDomainDestroyFlags() function
+ *
+ * Since: 0.9.4
+ */
+typedef enum {
+    VIR_DOMAIN_DESTROY_DEFAULT = 0,          /* Default behavior - could lead to data loss!! (Since: 0.9.10) */
+    VIR_DOMAIN_DESTROY_GRACEFUL = 1 << 0,    /* only SIGTERM, no SIGKILL (Since: 0.9.10) */
+    VIR_DOMAIN_DESTROY_REMOVE_LOGS = 1 << 1, /* remove VM logs on destroy (Since: 8.3.0) */
+} virDomainDestroyFlagsValues;
+
+/**
+ * virDomainUndefineFlagsValues:
+ *
+ * Since: 0.9.4
+ */
+typedef enum {
+    VIR_DOMAIN_UNDEFINE_MANAGED_SAVE = (1 << 0),         /* Also remove any
+                                                            managed save (Since: 0.9.4) */
+    VIR_DOMAIN_UNDEFINE_SNAPSHOTS_METADATA = (1 << 1),   /* If last use of domain,
+                                                            then also remove any
+                                                            snapshot metadata (Since: 0.9.5) */
+    VIR_DOMAIN_UNDEFINE_NVRAM = (1 << 2),                /* Also remove any
+                                                            nvram file (Since: 1.2.9) */
+    VIR_DOMAIN_UNDEFINE_KEEP_NVRAM = (1 << 3),           /* Keep nvram file (Since: 2.3.0) */
+    VIR_DOMAIN_UNDEFINE_CHECKPOINTS_METADATA = (1 << 4), /* If last use of domain,
+                                                            then also remove any
+                                                            checkpoint metadata (Since: 5.6.0) */
+    VIR_DOMAIN_UNDEFINE_TPM = (1 << 5),                  /* Also remove any
+                                                            TPM state (Since: 8.9.0) */
+    VIR_DOMAIN_UNDEFINE_KEEP_TPM = (1 << 6),             /* Keep TPM state (Since: 8.9.0) */
+                                                         /* Future undefine control flags should come here. */
+} virDomainUndefineFlagsValues;
+
+/**
+ * virErrorLevel:
+ *
+ * Indicates the level of an error
+ *
+ * Since: 0.1.0
+ */
+typedef enum {
+    VIR_ERR_NONE = 0,    /* (Since: 0.1.0) */
+    VIR_ERR_WARNING = 1, /* A simple warning (Since: 0.1.0) */
+    VIR_ERR_ERROR = 2    /* An error (Since: 0.1.0) */
+} virErrorLevel;
+
+inline LogLevel virErrorLevelToLogLevel(virErrorLevel level)
+{
+    switch (level) {
+        case VIR_ERR_WARNING: {
+            return LogLevel::WARN;
+        }
+        case VIR_ERR_ERROR: {
+            return LogLevel::ERROR;
+        }
+        default:
+            return LogLevel::UNKNOWN;
+    }
+}
+
+/**
+ * virError:
+ *
+ * A libvirt Error instance.
+ *
+ * The conn, dom and net fields should be used with extreme care.
+ * Reference counts are not incremented so the underlying objects
+ * may be deleted without notice after the error has been delivered.
+ *
+ * Since: 0.1.0
+ */
+using virError = struct _virError;
+
+/**
+ * virErrorPtr:
+ *
+ * Since: 0.1.0
+ */
+using virErrorPtr = virError *;
+
+struct _virError {
+    int code;            /* The error code, a virErrorNumber */
+    int domain;          /* What part of the library raised this error */
+    char *message;       /* human-readable informative error message */
+    virErrorLevel level; /* how consequent is the error */
+    virConnectPtr conn;  /* connection if available, deprecated
+                                          see note above */
+    virDomainPtr dom;    /* domain if available, deprecated
+                                        see note above */
+    char *str1;          /* extra string information */
+    char *str2;          /* extra string information */
+    char *str3;          /* extra string information */
+    int int1;            /* extra number information */
+    int int2;            /* extra number information */
+    virNetworkPtr net;   /* network if available, deprecated
+                                         see note above */
+};
+
+using virErrorFunc = void (*)(void *userData, virErrorPtr error);
+
+/**
+ * virDomainMigrateFlags:
+ *
+ * Domain migration flags.
+ *
+ * Since: 0.3.2
+ */
+typedef enum {
+    /* Do not pause the domain during migration. The domain's memory will
+     * be transferred to the destination host while the domain is running.
+     * The migration may never converge if the domain is changing its memory
+     * faster then it can be transferred. The domain can be manually paused
+     * anytime during migration using virDomainSuspend.
+     *
+     * Since: 0.3.2
+     */
+    VIR_MIGRATE_LIVE = (1 << 0),
+
+    /* Tell the source libvirtd to connect directly to the destination host.
+     * Without this flag the client (e.g., virsh) connects to both hosts and
+     * controls the migration process. In peer-to-peer mode, the source
+     * libvirtd controls the migration by calling the destination daemon
+     * directly.
+     *
+     * Since: 0.7.2
+     */
+    VIR_MIGRATE_PEER2PEER = (1 << 1),
+
+    /* Tunnel migration data over libvirtd connection. Without this flag the
+     * source hypervisor sends migration data directly to the destination
+     * hypervisor. This flag can only be used when VIR_MIGRATE_PEER2PEER is
+     * set as well.
+     *
+     * Note the less-common spelling that we're stuck with:
+     * VIR_MIGRATE_TUNNELLED should be VIR_MIGRATE_TUNNELED.
+     *
+     * Since: 0.7.2
+     */
+    VIR_MIGRATE_TUNNELLED = (1 << 2),
+
+    /* Define the domain as persistent on the destination host after successful
+     * migration. If the domain was persistent on the source host and
+     * VIR_MIGRATE_UNDEFINE_SOURCE is not used, it will end up persistent on
+     * both hosts.
+     *
+     * Since: 0.7.3
+     */
+    VIR_MIGRATE_PERSIST_DEST = (1 << 3),
+
+    /* Undefine the domain on the source host once migration successfully
+     * finishes.
+     *
+     * Since: 0.7.3
+     */
+    VIR_MIGRATE_UNDEFINE_SOURCE = (1 << 4),
+
+    /* Leave the domain suspended on the destination host. virDomainResume (on
+     * the virDomainPtr returned by the migration API) has to be called
+     * explicitly to resume domain's virtual CPUs.
+     *
+     * Since: 0.7.5
+     */
+    VIR_MIGRATE_PAUSED = (1 << 5),
+
+    /* Migrate full disk images in addition to domain's memory. By default
+     * only non-shared non-readonly disk images are transferred. The
+     * VIR_MIGRATE_PARAM_MIGRATE_DISKS parameter can be used to specify which
+     * disks should be migrated.
+     *
+     * This flag and VIR_MIGRATE_NON_SHARED_INC are mutually exclusive.
+     *
+     * Since: 0.8.2
+     */
+    VIR_MIGRATE_NON_SHARED_DISK = (1 << 6),
+
+    /* Migrate disk images in addition to domain's memory. This is similar to
+     * VIR_MIGRATE_NON_SHARED_DISK, but only the top level of each disk's
+     * backing chain is copied. That is, the rest of the backing chain is
+     * expected to be present on the destination and to be exactly the same as
+     * on the source host.
+     *
+     * This flag and VIR_MIGRATE_NON_SHARED_DISK are mutually exclusive.
+     *
+     * Since: 0.8.2
+     */
+    VIR_MIGRATE_NON_SHARED_INC = (1 << 7),
+
+    /* Protect against domain configuration changes during the migration
+     * process. This flag is used automatically when both sides support it.
+     * Explicitly setting this flag will cause migration to fail if either the
+     * source or the destination does not support it.
+     *
+     * Since: 0.9.4
+     */
+    VIR_MIGRATE_CHANGE_PROTECTION = (1 << 8),
+
+    /* Force migration even if it is considered unsafe. In some cases libvirt
+     * may refuse to migrate the domain because doing so may lead to potential
+     * problems such as data corruption, and thus the migration is considered
+     * unsafe. For a QEMU domain this may happen if the domain uses disks
+     * without explicitly setting cache mode to "none". Migrating such domains
+     * is unsafe unless the disk images are stored on coherent clustered
+     * filesystem, such as GFS2 or GPFS.
+     *
+     * Since: 0.9.11
+     */
+    VIR_MIGRATE_UNSAFE = (1 << 9),
+
+    /* Migrate a domain definition without starting the domain on the
+     * destination and without stopping it on the source host. Offline
+     * migration requires VIR_MIGRATE_PERSIST_DEST to be set.
+     *
+     * Offline migration may not copy disk storage or any other file based
+     * storage (such as UEFI variables).
+     *
+     * Since: 1.0.1
+     */
+    VIR_MIGRATE_OFFLINE = (1 << 10),
+
+    /* Compress migration data. The compression methods can be specified using
+     * VIR_MIGRATE_PARAM_COMPRESSION. A hypervisor default method will be used
+     * if this parameter is omitted. Individual compression methods can be
+     * tuned via their specific VIR_MIGRATE_PARAM_COMPRESSION_* parameters.
+     *
+     * Since: 1.0.3
+     */
+    VIR_MIGRATE_COMPRESSED = (1 << 11),
+
+    /* Cancel migration if a soft error (such as I/O error) happens during
+     * migration.
+     *
+     * Since: 1.1.0
+     */
+    VIR_MIGRATE_ABORT_ON_ERROR = (1 << 12),
+
+    /* Enable algorithms that ensure a live migration will eventually converge.
+     * This usually means the domain will be slowed down to make sure it does
+     * not change its memory faster than a hypervisor can transfer the changed
+     * memory to the destination host. VIR_MIGRATE_PARAM_AUTO_CONVERGE_*
+     * parameters can be used to tune the algorithm.
+     *
+     * Since: 1.2.3
+     */
+    VIR_MIGRATE_AUTO_CONVERGE = (1 << 13),
+
+    /* This flag can be used with RDMA migration (i.e., when
+     * VIR_MIGRATE_PARAM_URI starts with "rdma://") to tell the hypervisor
+     * to pin all domain's memory at once before migration starts rather then
+     * letting it pin memory pages as needed. This means that all memory pages
+     * belonging to the domain will be locked in host's memory and the host
+     * will not be allowed to swap them out.
+     *
+     * For QEMU/KVM this requires hard_limit memory tuning element (in the
+     * domain XML) to be used and set to the maximum memory configured for the
+     * domain plus any memory consumed by the QEMU process itself. Beware of
+     * setting the memory limit too high (and thus allowing the domain to lock
+     * most of the host's memory). Doing so may be dangerous to both the
+     * domain and the host itself since the host's kernel may run out of
+     * memory.
+     *
+     * Since: 1.2.9
+     */
+    VIR_MIGRATE_RDMA_PIN_ALL = (1 << 14),
+
+    /* Setting the VIR_MIGRATE_POSTCOPY flag tells libvirt to enable post-copy
+     * migration. However, the migration will start normally and
+     * virDomainMigrateStartPostCopy needs to be called to switch it into the
+     * post-copy mode. See virDomainMigrateStartPostCopy for more details.
+     *
+     * Since: 1.3.3
+     */
+    VIR_MIGRATE_POSTCOPY = (1 << 15),
+
+    /* Setting the VIR_MIGRATE_TLS flag will cause the migration to attempt
+     * to use the TLS environment configured by the hypervisor in order to
+     * perform the migration. If incorrectly configured on either source or
+     * destination, the migration will fail.
+     *
+     * Since: 3.2.0
+     */
+    VIR_MIGRATE_TLS = (1 << 16),
+
+    /* Send memory pages to the destination host through several network
+     * connections. See VIR_MIGRATE_PARAM_PARALLEL_* parameters for
+     * configuring the parallel migration.
+     *
+     * Since: 5.2.0
+     */
+    VIR_MIGRATE_PARALLEL = (1 << 17),
+
+    /* Force the guest writes which happen when copying disk images for
+     * non-shared storage migration to be synchronously written to the
+     * destination. This ensures the storage migration converges for VMs
+     * doing heavy I/O on fast local storage and slow mirror.
+     *
+     * Requires one of VIR_MIGRATE_NON_SHARED_DISK, VIR_MIGRATE_NON_SHARED_INC
+     * to be present as well.
+     *
+     * Since: 8.0.0
+     */
+    VIR_MIGRATE_NON_SHARED_SYNCHRONOUS_WRITES = (1 << 18),
+
+    /* Resume migration which failed in post-copy phase.
+     *
+     * Since: 8.5.0
+     */
+    VIR_MIGRATE_POSTCOPY_RESUME = (1 << 19),
+
+    /* Use zero-copy mechanism for migrating memory pages. For QEMU/KVM this
+     * means QEMU will be temporarily allowed to lock all guest pages in host's
+     * memory, although only those that are queued for transfer will be locked
+     * at the same time.
+     *
+     * Since: 8.5.0
+     */
+    VIR_MIGRATE_ZEROCOPY = (1 << 20),
+} virDomainMigrateFlags;
+
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/dllib/libvirt_test.cpp b/virtrust/src/virtrust/dllib/libvirt_test.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..ee7633ab5df9d496952121340814615199c4f9d8
--- /dev/null
+++ b/virtrust/src/virtrust/dllib/libvirt_test.cpp
@@ -0,0 +1,81 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+ */
+
+#include "gtest/gtest.h"
+
+#include "virtrust/dllib/libvirt.h"
+
+namespace virtrust {
+
+TEST(LibvirtTest, works)
+{
+    // Init
+    auto &libvirt = Libvirt::GetInstance();
+    EXPECT_EQ(libvirt.CheckOk(), DllibRc::OK);
+
+    // Explicity reload
+    auto ret = libvirt.Reload();
+    EXPECT_EQ(ret, DllibRc::OK);
+}
+
+TEST(LibvirtTest, SingletonPattern)
+{
+    // Test that libvirt follow singleton pattern
+    auto &libvirt1 = Libvirt::GetInstance();
+    auto &libvirt2 = Libvirt::GetInstance();
+    EXPECT_EQ(&libvirt1, &libvirt2);
+}
+
+TEST(LibvirtTest, CheckOkFunction)
+{
+    // Test the CheckOk function
+    auto &libvirt = Libvirt::GetInstance();
+    EXPECT_EQ(libvirt.CheckOk(), DllibRc::OK);
+
+    // Test size function
+    EXPECT_GT(libvirt.Size(), (size_t)0);
+}
+
+TEST(LibvirtTest, ReloadFunction)
+{
+    // Test reloading functionality
+    auto &libvirt = Libvirt::GetInstance();
+
+    // check inital state
+    EXPECT_EQ(libvirt.CheckOk(), DllibRc::OK);
+
+    // Reload the library
+    auto ret = libvirt.Reload();
+    EXPECT_EQ(ret, DllibRc::OK);
+
+    // Verify it's still working after reload
+    EXPECT_EQ(libvirt.CheckOk(), DllibRc::OK);
+}
+
+TEST(LibvirtTest, FunctionPointerValidity)
+{
+    // Test that all function pointer are valid
+    auto &libvirt = Libvirt::GetInstance();
+
+    // Test a few key functions for validity
+    EXPECT_NE(libvirt.virConnectOpen.Get(), nullptr);
+    EXPECT_NE(libvirt.virDomainLookupByName.Get(), nullptr);
+    EXPECT_NE(libvirt.virDomainFree.Get(), nullptr);
+
+    // Test that functions can be called (without actually executing)
+    EXPECT_FALSE(libvirt.virConnectOpen.GetName().empty());
+    EXPECT_FALSE(libvirt.virDomainLookupByName.GetName().empty());
+    EXPECT_FALSE(libvirt.virDomainFree.GetName().empty());
+}
+
+TEST(LibvirtTest, SetErrorFunction)
+{
+    // Test the SetErrorFunction functionality
+    auto &libvirt = Libvirt::GetInstance();
+
+    // Test that SetErrorFunction can be called without crashing
+    auto ret = libvirt.SetErrorFunction(nullptr);
+    EXPECT_EQ(ret, DllibRc::OK);
+}
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/dllib/libxml2.h b/virtrust/src/virtrust/dllib/libxml2.h
new file mode 100644
index 0000000000000000000000000000000000000000..fd7f5a8eeb78026ae329b824e3092a425fe1cfd6
--- /dev/null
+++ b/virtrust/src/virtrust/dllib/libxml2.h
@@ -0,0 +1,70 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#pragma once
+
+#include <dlfcn.h>
+
+#include <string_view>
+
+#include "virtrust/dllib/common.h"
+#include "virtrust/dllib/libxml2_defines.h"
+
+namespace virtrust {
+
+// libxml2 api
+class Libxml2 : public DlLibBase {
+public:
+    ~Libxml2() = default;
+    Libxml2(const Libxml2 &) = delete;
+    void operator=(const Libxml2 &) = delete;
+
+    // Singleton instance
+    static Libxml2 &GetInstance()
+    {
+        static Libxml2 instance;
+        return instance;
+    }
+
+    // Reload all functions
+    DllibRc Reload()
+    {
+        SelfDlClose();
+        LoadAll();
+        return CheckOk();
+    }
+
+    // Declare all functions that you need
+    // NOTE Please make sure the class instance is inited before calling those
+    // functions
+    DlFun<xmlDoc *, const char *> xmlParseFile;
+    DlFun<void, xmlDoc *> xmlFreeDoc;
+    DlFun<xmlNode *, const xmlDoc *> xmlDocGetRootElement;
+    DlFun<xmlChar *, const xmlNode *, const xmlChar *> xmlGetProp;
+    DlFun<void, void *> xmlFree;
+
+private:
+    void LoadAll()
+    {
+        // NOTE explicitly dlopen shared library
+        auto ret = SelfDlOpen();
+        if (ret != DllibRc::OK) {
+            return;
+        }
+        DLLIB_SELF_DLSYM(xmlParseFile);
+        DLLIB_SELF_DLSYM(xmlFreeDoc);
+        DLLIB_SELF_DLSYM(xmlDocGetRootElement);
+        DLLIB_SELF_DLSYM(xmlGetProp);
+        DLLIB_SELF_DLSYM(xmlFree);
+    }
+
+    Libxml2() : DlLibBase(LIB_NAME)
+    {
+        LoadAll();
+    }
+
+    static constexpr std::string_view LIB_NAME = "libxml2.so";
+};
+
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/dllib/libxml2_defines.h b/virtrust/src/virtrust/dllib/libxml2_defines.h
new file mode 100644
index 0000000000000000000000000000000000000000..132bf0c1398dad7629ec1b4ff3e74ace3471201c
--- /dev/null
+++ b/virtrust/src/virtrust/dllib/libxml2_defines.h
@@ -0,0 +1,143 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#pragma once
+
+namespace virtrust {
+
+using xmlChar = unsigned char;
+
+// ---------------------------------------------------------------------------
+// Type definition from libxml2/libxml/tree.h
+// ---------------------------------------------------------------------------
+
+/*
+ * The different element types carried by an XML tree.
+ *
+ * NOTE: This is synchronized with DOM Level1 values
+ *       See http://www.w3.org/TR/REC-DOM-Level-1/
+ *
+ * Actually this had diverged a bit, and now XML_DOCUMENT_TYPE_NODE should
+ * be deprecated to use an XML_DTD_NODE.
+ */
+typedef enum {
+    XML_ELEMENT_NODE = 1,
+    XML_ATTRIBUTE_NODE = 2,
+    XML_TEXT_NODE = 3,
+    XML_CDATA_SECTION_NODE = 4,
+    XML_ENTITY_REF_NODE = 5,
+    XML_ENTITY_NODE = 6,
+    XML_PI_NODE = 7,
+    XML_COMMENT_NODE = 8,
+    XML_DOCUMENT_NODE = 9,
+    XML_DOCUMENT_TYPE_NODE = 10,
+    XML_DOCUMENT_FRAG_NODE = 11,
+    XML_NOTATION_NODE = 12,
+    XML_HTML_DOCUMENT_NODE = 13,
+    XML_DTD_NODE = 14,
+    XML_ELEMENT_DECL = 15,
+    XML_ATTRIBUTE_DECL = 16,
+    XML_ENTITY_DECL = 17,
+    XML_NAMESPACE_DECL = 18,
+    XML_XINCLUDE_START = 19,
+    XML_XINCLUDE_END = 20
+    /* XML_DOCB_DOCUMENT_NODE=	21 */ /* removed */
+} xmlElementType;
+
+/**
+ * xmlNs:
+ *
+ * An XML namespace.
+ * Note that prefix == NULL is valid, it defines the default namespace
+ * within the subtree (until overridden).
+ *
+ * xmlNsType is unified with xmlElementType.
+ */
+using xmlNs = struct _xmlNs;
+using xmlNsType = xmlElementType;
+
+struct _xmlNs {
+    struct _xmlNs *next;     /* next Ns link for this node  */
+    xmlNsType type;          /* global or local */
+    const xmlChar *href;     /* URL for the namespace */
+    const xmlChar *prefix;   /* prefix for the namespace */
+    void *_private;          /* application data */
+    struct _xmlDoc *context; /* normally an xmlDoc */
+};
+
+/**
+ * xmlDoc:
+ *
+ * An XML document.
+ */
+using xmlDoc = struct _xmlDoc;
+using xmlDocPtr = xmlDoc *;
+
+struct _xmlDoc {
+    void *_private;            /* application data */
+    xmlElementType type;       /* XML_DOCUMENT_NODE, must be second ! */
+    char *name;                /* name/filename/URI of the document */
+    struct _xmlNode *children; /* the document tree */
+    struct _xmlNode *last;     /* last child link */
+    struct _xmlNode *parent;   /* child->parent link */
+    struct _xmlNode *next;     /* next sibling link  */
+    struct _xmlNode *prev;     /* previous sibling link  */
+    struct _xmlDoc *doc;       /* autoreference to itself */
+
+    /* End of common part */
+    int compression;           /* level of zlib compression */
+    int standalone;            /* standalone document (no external refs)
+                    1 if standalone="yes"
+                    0 if standalone="no"
+                   -1 if there is no XML declaration
+                   -2 if there is an XML declaration, but no
+                   standalone attribute was specified */
+    struct _xmlDtd *intSubset; /* the document internal subset */
+    struct _xmlDtd *extSubset; /* the document external subset */
+    struct _xmlNs *oldNs;      /* Global namespace, the old way */
+    const xmlChar *version;    /* the XML version string */
+    const xmlChar *encoding;   /* external initial encoding, if any */
+    void *ids;                 /* Hash table for ID attributes if any */
+    void *refs;                /* Hash table for IDREFs attributes if any */
+    const xmlChar *URL;        /* The URI for that document */
+    int charset;               /* Internal flag for charset handling,
+                  actually an xmlCharEncoding */
+    struct _xmlDict *dict;     /* dict used to allocate names or NULL */
+    void *psvi;                /* for type/PSVI information */
+    int parseFlags;            /* set of xmlParserOption used to parse the
+                  document */
+    int properties;            /* set of xmlDocProperties for this document
+                  set at the end of parsing */
+};
+
+/**
+ * xmlNode:
+ *
+ * A node in an XML tree.
+ */
+using xmlNode = struct _xmlNode;
+using xmlNodePtr = xmlNode *;
+
+struct _xmlNode {
+    void *_private;            /* application data */
+    xmlElementType type;       /* type number, must be second ! */
+    const xmlChar *name;       /* the name of the node, or the entity */
+    struct _xmlNode *children; /* parent->childs link */
+    struct _xmlNode *last;     /* last child link */
+    struct _xmlNode *parent;   /* child->parent link */
+    struct _xmlNode *next;     /* next sibling link  */
+    struct _xmlNode *prev;     /* previous sibling link  */
+    struct _xmlDoc *doc;       /* the containing document */
+
+    /* End of common part */
+    xmlNs *ns;                   /* pointer to the associated namespace */
+    xmlChar *content;            /* the content */
+    struct _xmlAttr *properties; /* properties list */
+    xmlNs *nsDef;                /* namespace definitions on this node */
+    void *psvi;                  /* for type/PSVI information */
+    unsigned short line;         /* line number */
+    unsigned short extra;        /* extra data for XPath/XSLT */
+};
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/dllib/libxml2_test.cpp b/virtrust/src/virtrust/dllib/libxml2_test.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..a15c5fe2f7bfa6768f6bb85c28b94305cff2e329
--- /dev/null
+++ b/virtrust/src/virtrust/dllib/libxml2_test.cpp
@@ -0,0 +1,88 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+ */
+
+#include "gtest/gtest.h"
+
+#include "virtrust/dllib/libxml2.h"
+
+namespace virtrust {
+
+TEST(Libxml2Test, works)
+{
+    // Init
+    auto &libxml2 = Libxml2::GetInstance();
+    EXPECT_EQ(libxml2.CheckOk(), DllibRc::OK);
+
+    // Explicity reload
+    auto ret = libxml2.Reload();
+    EXPECT_EQ(ret, DllibRc::OK);
+
+    // Call Function
+    auto *fun_ret = libxml2.xmlParseFile("12312"); // with wrong param
+    EXPECT_EQ(fun_ret, nullptr);
+}
+
+TEST(Libxml2Test, SingletonPattern)
+{
+    // Test that libxml2 follows singleton pattern
+    auto &libxml21 = Libxml2::GetInstance();
+    auto &libxml22 = Libxml2::GetInstance();
+    EXPECT_EQ(&libxml21, &libxml22);
+}
+
+TEST(Libxml2Test, CheckOkFunction)
+{
+    // Test the CheckOk function
+    auto &libxml2 = Libxml2::GetInstance();
+    EXPECT_EQ(libxml2.CheckOk(), DllibRc::OK);
+
+    // Test size function
+    EXPECT_GT(libxml2.Size(), (size_t)0);
+}
+
+TEST(Libxml2Test, ReloadFunction)
+{
+    // Test reloading functionality
+    auto &libxml2 = Libxml2::GetInstance();
+
+    // check inital state
+    EXPECT_EQ(libxml2.CheckOk(), DllibRc::OK);
+
+    // Reload the library
+    auto ret = libxml2.Reload();
+    EXPECT_EQ(ret, DllibRc::OK);
+
+    // Verify it's still working after reload
+    EXPECT_EQ(libxml2.CheckOk(), DllibRc::OK);
+}
+
+TEST(Libxml2Test, FunctionPointerValidity)
+{
+    // Test that all function pointer are valid
+    auto &libxml2 = Libxml2::GetInstance();
+
+    // Test a few key functions for validity
+    EXPECT_NE(libxml2.xmlParseFile.Get(), nullptr);
+    EXPECT_NE(libxml2.xmlFreeDoc.Get(), nullptr);
+    EXPECT_NE(libxml2.xmlDocGetRootElement.Get(), nullptr);
+
+    // Test that functions can be called (without actually executing)
+    EXPECT_FALSE(libxml2.xmlParseFile.GetName().empty());
+    EXPECT_FALSE(libxml2.xmlFreeDoc.GetName().empty());
+    EXPECT_FALSE(libxml2.xmlDocGetRootElement.GetName().empty());
+}
+
+TEST(Libxml2Test, XmlParsingFunctionality)
+{
+    // Test xml parsing functionality with invalid file
+    auto &libxml2 = Libxml2::GetInstance();
+
+    // Test that xmlParseFile returns nullptr for invalid file (expected behavior)
+    auto *doc = libxml2.xmlParseFile("nonexistent.xml");
+    EXPECT_EQ(doc, nullptr);
+
+    // Test that we can xmlFreeDoc on nullptr (should not crash)
+    libxml2.xmlFreeDoc(nullptr);
+}
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/dllib/openssl.h b/virtrust/src/virtrust/dllib/openssl.h
new file mode 100644
index 0000000000000000000000000000000000000000..0b07fa121f573471c46bfc6444677138fce2dfe2
--- /dev/null
+++ b/virtrust/src/virtrust/dllib/openssl.h
@@ -0,0 +1,101 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#pragma once
+
+#include <dlfcn.h>
+
+#include <cstdint>
+#include <functional>
+#include <string_view>
+
+#include "virtrust/dllib/common.h"
+#include "virtrust/dllib/openssl_defines.h"
+
+namespace virtrust {
+
+// openssl api
+class Openssl : public DlLibBase {
+public:
+    ~Openssl() = default;
+    Openssl(const Openssl &) = delete;
+    void operator=(const Openssl &) = delete;
+
+    // Singleton instance
+    static Openssl &GetInstance()
+    {
+        static Openssl instance;
+        return instance;
+    }
+
+    // Reload all functions
+    DllibRc Reload()
+    {
+        SelfDlClose();
+        LoadAll();
+        return CheckOk();
+    }
+
+    // Declare all functions that you need
+    // NOTE Please make sure the class instance is inited before calling those
+    // functions
+
+    // Fetch openssl message digest context
+    DlFun<EVP_MD *, OSSL_LIB_CTX *, const char *, const char *> EVP_MD_fetch;
+
+    // Get the output size of the message digest algorithm (e.g. SM3), this
+    // function is the same as EVP_MD_size
+    DlFun<int, const EVP_MD *> EVP_MD_get_size;
+
+    // Create new message digest context
+    DlFun<EVP_MD_CTX *> EVP_MD_CTX_new;
+
+    // Reset md context
+    DlFun<int, EVP_MD_CTX *> EVP_MD_CTX_reset;
+
+    // Copy md context
+    DlFun<int, EVP_MD_CTX *, const EVP_MD_CTX *> EVP_MD_CTX_copy_ex;
+
+    // Init
+    DlFun<int, EVP_MD_CTX *, EVP_MD *> EVP_DigestInit;
+
+    // Update
+    DlFun<int, EVP_MD_CTX *, const void *, size_t> EVP_DigestUpdate;
+
+    // Final
+    DlFun<int, EVP_MD_CTX *, unsigned char *, unsigned int *> EVP_DigestFinal_ex;
+
+    // Free
+    DlFun<void, EVP_MD *> EVP_MD_free;
+    DlFun<void, EVP_MD_CTX *> EVP_MD_CTX_free;
+
+private:
+    void LoadAll()
+    {
+        // NOTE explicitly dlopen shared library
+        auto ret = SelfDlOpen();
+        if (ret != DllibRc::OK) {
+            return;
+        }
+        DLLIB_SELF_DLSYM(EVP_MD_fetch);
+        DLLIB_SELF_DLSYM(EVP_MD_get_size);
+        DLLIB_SELF_DLSYM(EVP_MD_CTX_new);
+        DLLIB_SELF_DLSYM(EVP_MD_CTX_reset);
+        DLLIB_SELF_DLSYM(EVP_MD_CTX_copy_ex);
+        DLLIB_SELF_DLSYM(EVP_DigestInit);
+        DLLIB_SELF_DLSYM(EVP_DigestUpdate);
+        DLLIB_SELF_DLSYM(EVP_DigestFinal_ex);
+        DLLIB_SELF_DLSYM(EVP_MD_free);
+        DLLIB_SELF_DLSYM(EVP_MD_CTX_free);
+    }
+
+    Openssl() : DlLibBase(LIB_NAME)
+    {
+        LoadAll();
+    }
+
+    static constexpr std::string_view LIB_NAME = "libcrypto.so";
+};
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/dllib/openssl_defines.h b/virtrust/src/virtrust/dllib/openssl_defines.h
new file mode 100644
index 0000000000000000000000000000000000000000..86e1043c44097460bf23d307cc10ffd5bc6b229a
--- /dev/null
+++ b/virtrust/src/virtrust/dllib/openssl_defines.h
@@ -0,0 +1,16 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#pragma once
+
+namespace virtrust {
+
+using EVP_MD = struct evp_md_st;
+using EVP_MD_CTX = struct evp_md_ctx_st;
+using OSSL_LIB_CTX = struct ossl_lib_ctx_st;
+
+// openssl return value check
+constexpr int OPENSSL_OK = 1;
+
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/dllib/openssl_test.cpp b/virtrust/src/virtrust/dllib/openssl_test.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..4b9929b3bc4516607ff49d9284e805a286ff9570
--- /dev/null
+++ b/virtrust/src/virtrust/dllib/openssl_test.cpp
@@ -0,0 +1,97 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+ */
+
+#include "gtest/gtest.h"
+
+#include "virtrust/dllib/openssl.h"
+
+namespace virtrust {
+
+TEST(OpensslTest, works)
+{
+    // Init
+    auto &openssl = Openssl::GetInstance();
+    EXPECT_EQ(openssl.CheckOk(), DllibRc::OK);
+
+    // Explicity reload
+    auto ret = openssl.Reload();
+    EXPECT_EQ(ret, DllibRc::OK);
+
+    // Call Function
+    auto *ptr = openssl.EVP_MD_CTX_new();
+    EXPECT_NE(ptr, nullptr);
+
+    // Quit
+    openssl.EVP_MD_CTX_free(ptr);
+}
+
+TEST(OpensslTest, SingletonPattern)
+{
+    // Test that openssl follows singleton pattern
+    auto &openssl1 = Openssl::GetInstance();
+    auto &openssl2 = Openssl::GetInstance();
+    EXPECT_EQ(&openssl1, &openssl2);
+}
+
+TEST(OpensslTest, CheckOkFunction)
+{
+    // Test the CheckOk function
+    auto &openssl = Openssl::GetInstance();
+    EXPECT_EQ(openssl.CheckOk(), DllibRc::OK);
+
+    // Test size function
+    EXPECT_GT(openssl.Size(), (size_t)0);
+}
+
+TEST(OpensslTest, ReloadFunction)
+{
+    // Test reloading functionality
+    auto &openssl = Openssl::GetInstance();
+
+    // check inital state
+    EXPECT_EQ(openssl.CheckOk(), DllibRc::OK);
+
+    // Reload the library
+    auto ret = openssl.Reload();
+    EXPECT_EQ(ret, DllibRc::OK);
+
+    // Verify it's still working after reload
+    EXPECT_EQ(openssl.CheckOk(), DllibRc::OK);
+}
+
+TEST(OpensslTest, FunctionPointerValidity)
+{
+    // Test that all function pointer are valid
+    auto &openssl = Openssl::GetInstance();
+
+    // Test a few key functions for validity
+    EXPECT_NE(openssl.EVP_MD_CTX_new.Get(), nullptr);
+    EXPECT_NE(openssl.EVP_MD_CTX_free.Get(), nullptr);
+    EXPECT_NE(openssl.EVP_DigestInit.Get(), nullptr);
+
+    // Test that functions can be called (without actually executing)
+    EXPECT_FALSE(openssl.EVP_MD_CTX_new.GetName().empty());
+    EXPECT_FALSE(openssl.EVP_MD_CTX_free.GetName().empty());
+    EXPECT_FALSE(openssl.EVP_DigestInit.GetName().empty());
+}
+
+TEST(OpensslTest, DigestFunctionality)
+{
+    // Test basic functionality
+    auto &openssl = Openssl::GetInstance();
+
+    // Test that EVP_MD_CTX_new creates a invalid context
+    auto *ctx = openssl.EVP_MD_CTX_new();
+    EXPECT_NE(ctx, nullptr);
+
+    // Test that EVP_MD_CTX_free cleans up properly
+    openssl.EVP_MD_CTX_free(ctx);
+
+    // Test that EVP_MD_CTX_reset works
+    ctx = openssl.EVP_MD_CTX_new();
+    EXPECT_NE(ctx, nullptr);
+    EXPECT_EQ(openssl.EVP_MD_CTX_reset(ctx), 1); // Should return OPENSSL_OK
+    openssl.EVP_MD_CTX_free(ctx);
+}
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/link/CMakeLists.txt b/virtrust/src/virtrust/link/CMakeLists.txt
new file mode 100644
index 0000000000000000000000000000000000000000..bd154d876ca604b780da1056835a47ee234a5dd2
--- /dev/null
+++ b/virtrust/src/virtrust/link/CMakeLists.txt
@@ -0,0 +1,36 @@
+# Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+
+set(VIRTRUST_SOURCE_FILES
+    ${VIRTRUST_SOURCE_FILES}
+    ${PROTO_SRC}
+    ${CMAKE_CURRENT_LIST_DIR}/grpc_server.cpp
+    ${CMAKE_CURRENT_LIST_DIR}/migration_service_impl.cpp
+    ${CMAKE_CURRENT_LIST_DIR}/grpc_client.cpp
+    ${CMAKE_CURRENT_LIST_DIR}/migration_session.cpp)
+
+set(VIRTRUST_PROTO_SOURCE_FILES ${VIRTRUST_PROTO_SOURCE_FILES}
+                                ${CMAKE_CURRENT_LIST_DIR}/proto/migrate.proto)
+
+# Add tests for link directory
+add_virtrust_test_if(proto_tools_test ${BUILD_TEST})
+if(BUILD_TEST)
+  target_link_libraries(proto_tools_test PRIVATE virtrust_proto)
+endif()
+add_virtrust_test_if(grpc_client_test ${BUILD_TEST})
+if(BUILD_TEST)
+  target_link_libraries(grpc_client_test PRIVATE virtrust_proto)
+endif()
+# add_virtrust_test_if(grpc_server_test ${BUILD_TEST})
+# add_virtrust_test_if(migration_session_test ${BUILD_TEST}) if(BUILD_TEST)
+# target_link_libraries(migration_session_test PRIVATE virtrust_proto) endif()
+# add_virtrust_test_if(migration_service_impl_test ${BUILD_TEST}) if(BUILD_TEST)
+# target_link_libraries(migration_service_impl_test PRIVATE virtrust_proto)
+# endif()
+
+set(VIRTRUST_SOURCE_FILES
+    ${VIRTRUST_SOURCE_FILES}
+    PARENT_SCOPE)
+
+set(VIRTRUST_PROTO_SOURCE_FILES
+    ${VIRTRUST_PROTO_SOURCE_FILES}
+    PARENT_SCOPE)
diff --git a/virtrust/src/virtrust/link/defines.h b/virtrust/src/virtrust/link/defines.h
new file mode 100644
index 0000000000000000000000000000000000000000..e7e36cbccd07eb0b114fe021e6b2869580ef5d09
--- /dev/null
+++ b/virtrust/src/virtrust/link/defines.h
@@ -0,0 +1,60 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#pragma once
+
+#include <array>
+#include <cstdint>
+#include <string>
+#include <string_view>
+
+#include "virtrust/base/logger.h"
+
+namespace virtrust {
+enum class LinkRc : uint32_t {
+    OK = 0,
+    ERROR = 1,
+};
+
+constexpr uint16_t WAIT_RUN_SERVER_SECONDS = 2;
+
+struct LinkConfig {
+    std::string caPath;
+    std::string certPath;
+    std::string skPath;
+    std::string ip;
+    std::string ipMask;
+    uint16_t port;
+    std::string udsPath;
+};
+
+class ConfigMgr {
+public:
+    static ConfigMgr &Instance()
+    {
+        static ConfigMgr instance;
+        return instance;
+    }
+    void SetLinkConfig(const LinkConfig &config)
+    {
+        linkConfig_ = config;
+    }
+    LinkConfig GetLinkConfig()
+    {
+        return linkConfig_;
+    }
+
+private:
+    LinkConfig linkConfig_;
+};
+
+struct MigrationConfig {
+    std::string domainName;
+    std::string uuid;
+    std::string destUri;
+    std::string localUri;
+    unsigned int flags;
+};
+
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/link/grpc_client.cpp b/virtrust/src/virtrust/link/grpc_client.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..9b546a79828aaa99a9fdcce57818c1ba2832356d
--- /dev/null
+++ b/virtrust/src/virtrust/link/grpc_client.cpp
@@ -0,0 +1,227 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#include "virtrust/link/grpc_client.h"
+
+#include <grpcpp/grpcpp.h>
+
+#include <memory>
+#include <string>
+
+#include "virtrust/base/str_utils.h"
+#include "virtrust/link/defines.h"
+
+namespace virtrust {
+UdsClient::UdsClient(LinkConfig config) : config_(config)
+{}
+
+int32_t UdsClient::DomainMigrate(const MigrationConfig &config)
+{
+    protos::DomainMigraterRequest request;
+    request.set_domainname(config.domainName);
+    request.set_uuid(config.uuid);
+    request.set_desturi(config.destUri);
+    request.set_localuri(config.localUri);
+    request.set_flags(config.flags);
+    // Container for the response from the server.
+    protos::DomainMigraterReply reply;
+
+    // Context for the client.
+    grpc::ClientContext context;
+
+    // The actual RPC.
+    std::shared_ptr<grpc::Channel> channel =
+        grpc::CreateChannel("unix:" + config_.udsPath, grpc::InsecureChannelCredentials());
+
+    std::unique_ptr<protos::MigrationService::Stub> stub = protos::MigrationService::NewStub(channel);
+    grpc::Status status = stub->DomainMigrate(&context, request, &reply);
+
+    if (!status.ok()) {
+        VIRTRUST_LOG_ERROR("|DomainMigrate|END|returnF|fail to triggle DomainMigrate:{}, serverAddress is: {}",
+                           status.error_message(), config_.udsPath);
+        return -1;
+    }
+    return reply.result();
+}
+
+RpcClient::RpcClient(LinkConfig config) : config_(config)
+{}
+
+int32_t RpcClient::PrepareMigration(uint32_t timeout, const protos::PrepareMigRequest &request,
+                                    protos::PrepareMigReply *response)
+{
+    std::string serverAddress = config_.ip + ":" + std::to_string(config_.port);
+    // 创建 SSL 凭证
+    auto channel_creds = grpc::InsecureChannelCredentials();
+    if (!config_.caPath.empty() && !config_.certPath.empty() && !config_.skPath.empty()) {
+        VIRTRUST_LOG_DEBUG("|PrepareMigration|||Connect in certificate form");
+        grpc::SslCredentialsOptions ssl_opts;
+        ssl_opts.pem_root_certs = ReadFile(config_.caPath);
+        // 设置客户端证书（如果需要）
+        ssl_opts.pem_private_key = ReadFile(config_.skPath);
+        ssl_opts.pem_cert_chain = ReadFile(config_.certPath);
+        channel_creds = grpc::SslCredentials(ssl_opts);
+    }
+
+    auto channel = grpc::CreateChannel(serverAddress, channel_creds);
+    std::unique_ptr<protos::MigrationService::Stub> stub = protos::MigrationService::NewStub(channel);
+
+    // 创建 ClientContext
+    grpc::ClientContext context;
+
+    // 设置超时
+    auto deadline = std::chrono::system_clock::now() + std::chrono::seconds(timeout);
+    context.set_deadline(deadline);
+    grpc::Status status = stub->PrepareMigration(&context, request, response);
+    if (!status.ok()) {
+        VIRTRUST_LOG_ERROR("|PrepareMigration|END|returnF|fail to triggle prepare migration:{}, serverAddress is: {}",
+                           status.error_message(), serverAddress);
+        return -1;
+    }
+    return response->result();
+}
+
+// 2: 交换公钥
+int32_t RpcClient::ExchangePkAndReport(uint32_t timeout, const protos::EXchangePkAndReportRequest &request,
+                                       protos::EXchangePkAndReportReply *response)
+{
+    std::string serverAddress = config_.ip + ":" + std::to_string(config_.port);
+
+    // 创建 SSL 凭证
+    auto channel_creds = grpc::InsecureChannelCredentials();
+    if (!config_.caPath.empty() && !config_.certPath.empty() && !config_.skPath.empty()) {
+        VIRTRUST_LOG_DEBUG("|ExchangePkAndReport|||Connect in certificate form");
+        grpc::SslCredentialsOptions ssl_opts;
+        ssl_opts.pem_root_certs = ReadFile(config_.caPath);
+        // 设置客户端证书（如果需要）
+        ssl_opts.pem_private_key = ReadFile(config_.skPath);
+        ssl_opts.pem_cert_chain = ReadFile(config_.certPath);
+        channel_creds = grpc::SslCredentials(ssl_opts);
+    }
+
+    std::shared_ptr<grpc::Channel> channel = grpc::CreateChannel(serverAddress, channel_creds);
+    std::unique_ptr<protos::MigrationService::Stub> stub = protos::MigrationService::NewStub(channel);
+
+    // 创建 ClientContext
+    grpc::ClientContext context;
+
+    // 设置超时
+    auto deadline = std::chrono::system_clock::now() + std::chrono::seconds(timeout);
+    context.set_deadline(deadline);
+    grpc::Status status = stub->ExchangePkAndReport(&context, request, response);
+    if (!status.ok()) {
+        VIRTRUST_LOG_ERROR(
+            "|ExchangePkAndReport|END|returnF|fail to triggle exchange pkandReport:{}, serverAddress is: {}",
+            status.error_message(), serverAddress);
+        return -1;
+    }
+    return response->result();
+}
+
+// 3: 开始迁移
+int32_t RpcClient::StartMigration(uint32_t timeout, const protos::StartMigRequest &request,
+                                  protos::StartMigReply *response)
+{
+    std::string serverAddress = config_.ip + ":" + std::to_string(config_.port);
+    // 创建 SSL 凭证
+    auto channel_creds = grpc::InsecureChannelCredentials();
+    if (!config_.caPath.empty() && !config_.certPath.empty() && !config_.skPath.empty()) {
+        VIRTRUST_LOG_DEBUG("|StartMigration|||Connect in certificate form");
+        grpc::SslCredentialsOptions ssl_opts;
+        ssl_opts.pem_root_certs = ReadFile(config_.caPath);
+        // 设置客户端证书（如果需要）
+        ssl_opts.pem_private_key = ReadFile(config_.skPath);
+        ssl_opts.pem_cert_chain = ReadFile(config_.certPath);
+        channel_creds = grpc::SslCredentials(ssl_opts);
+    }
+
+    std::shared_ptr<grpc::Channel> channel = grpc::CreateChannel(serverAddress, channel_creds);
+    std::unique_ptr<protos::MigrationService::Stub> stub = protos::MigrationService::NewStub(channel);
+
+    // 创建 ClientContext
+    grpc::ClientContext context;
+
+    // 设置超时
+    auto deadline = std::chrono::system_clock::now() + std::chrono::seconds(timeout);
+    context.set_deadline(deadline);
+    grpc::Status status = stub->StartMigration(&context, request, response);
+    if (!status.ok()) {
+        VIRTRUST_LOG_ERROR("|StartMigration|END|returnF|fail to triggle start migration:{}, serverAddress is: {}",
+                           status.error_message(), serverAddress);
+        return -1;
+    }
+    return response->result();
+}
+
+// 4：迁移虚机密码资源
+int32_t RpcClient::SendVRsourceData(uint32_t timeout, const protos::VRsourceInfoRequest &request,
+                                    protos::VRsourceInfoReply *response)
+{
+    std::string serverAddress = config_.ip + ":" + std::to_string(config_.port);
+    // 创建 SSL 凭证
+    auto channel_creds = grpc::InsecureChannelCredentials();
+    if (!config_.caPath.empty() && !config_.certPath.empty() && !config_.skPath.empty()) {
+        VIRTRUST_LOG_DEBUG("|SendVRsourceData|||Connect in certificate form");
+        grpc::SslCredentialsOptions ssl_opts;
+        ssl_opts.pem_root_certs = ReadFile(config_.caPath);
+        // 设置客户端证书（如果需要）
+        ssl_opts.pem_private_key = ReadFile(config_.skPath);
+        ssl_opts.pem_cert_chain = ReadFile(config_.certPath);
+        channel_creds = grpc::SslCredentials(ssl_opts);
+    }
+
+    std::shared_ptr<grpc::Channel> channel = grpc::CreateChannel(serverAddress, channel_creds);
+    std::unique_ptr<protos::MigrationService::Stub> stub = protos::MigrationService::NewStub(channel);
+
+    // 创建 ClientContext
+    grpc::ClientContext context;
+
+    // 设置超时
+    auto deadline = std::chrono::system_clock::now() + std::chrono::seconds(timeout);
+    context.set_deadline(deadline);
+    grpc::Status status = stub->SendVRsourceData(&context, request, response);
+    if (!status.ok()) {
+        VIRTRUST_LOG_ERROR("|SendVRsourceData|END|returnF|fail to triggle send vrsourceData:{}, serverAddress is: {}",
+                           status.error_message(), serverAddress);
+        return -1;
+    }
+    return response->result();
+}
+
+// 5: 通知迁移结果
+int32_t RpcClient::NotifyVRMigrateResult(uint32_t timeout, const protos::MigrateResultRequest &request,
+                                         protos::MigrateResultReply *response)
+{
+    std::string serverAddress = config_.ip + ":" + std::to_string(config_.port);
+    // 创建 SSL 凭证
+    auto channel_creds = grpc::InsecureChannelCredentials();
+    if (!config_.caPath.empty() && !config_.certPath.empty() && !config_.skPath.empty()) {
+        VIRTRUST_LOG_DEBUG("|NotifyVRMigrateResult|||Connect in certificate form");
+        grpc::SslCredentialsOptions ssl_opts;
+        ssl_opts.pem_root_certs = ReadFile(config_.caPath);
+        // 设置客户端证书（如果需要）
+        ssl_opts.pem_private_key = ReadFile(config_.skPath);
+        ssl_opts.pem_cert_chain = ReadFile(config_.certPath);
+        channel_creds = grpc::SslCredentials(ssl_opts);
+    }
+
+    std::shared_ptr<grpc::Channel> channel = grpc::CreateChannel(serverAddress, channel_creds);
+    std::unique_ptr<protos::MigrationService::Stub> stub = protos::MigrationService::NewStub(channel);
+
+    // 创建 ClientContext
+    grpc::ClientContext context;
+
+    // 设置超时
+    auto deadline = std::chrono::system_clock::now() + std::chrono::seconds(timeout);
+    context.set_deadline(deadline);
+    grpc::Status status = stub->NotifyVRMigrateResult(&context, request, response);
+    if (!status.ok()) {
+        VIRTRUST_LOG_ERROR(
+            "|NotifyVRMigrateResult|END|returnF|fail to triggle NotifyVRMigrateResult :{}, serverAddress is: {}",
+            status.error_message(), serverAddress);
+        return -1;
+    }
+    return response->result();
+}
+}; // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/link/grpc_client.h b/virtrust/src/virtrust/link/grpc_client.h
new file mode 100644
index 0000000000000000000000000000000000000000..7b8d7905e63bfb428c65674990de1702c4209a5d
--- /dev/null
+++ b/virtrust/src/virtrust/link/grpc_client.h
@@ -0,0 +1,52 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#pragma once
+
+#include <string>
+
+#include "virtrust/link/defines.h"
+
+#include "virtrust/link/proto/migrate.grpc.pb.h"
+
+namespace virtrust {
+// 给virsh-sh命令行使用
+class UdsClient {
+public:
+    explicit UdsClient(LinkConfig config);
+
+    int32_t DomainMigrate(const MigrationConfig &config);
+
+private:
+    LinkConfig config_;
+};
+
+// 守护进程之间使用
+class RpcClient {
+public:
+    explicit RpcClient(LinkConfig config);
+
+    int32_t PrepareMigration(uint32_t timeout, const protos::PrepareMigRequest &request,
+                             protos::PrepareMigReply *response);
+
+    // 2: 交换公钥
+    int32_t ExchangePkAndReport(uint32_t timeout, const protos::EXchangePkAndReportRequest &request,
+                                protos::EXchangePkAndReportReply *response);
+
+    // 3: 开始迁移
+    int32_t StartMigration(uint32_t timeout, const protos::StartMigRequest &request, protos::StartMigReply *response);
+
+    // 4：迁移虚机密码资源
+    int32_t SendVRsourceData(uint32_t timeout, const protos::VRsourceInfoRequest &request,
+                             protos::VRsourceInfoReply *response);
+
+    // 5: 通知迁移结果
+    int32_t NotifyVRMigrateResult(uint32_t timeout, const protos::MigrateResultRequest &request,
+                                  protos::MigrateResultReply *response);
+
+private:
+    LinkConfig config_;
+};
+
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/link/grpc_client_test.cpp b/virtrust/src/virtrust/link/grpc_client_test.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..0f243c1f586649ef8df9a53c9380654e1bef9814
--- /dev/null
+++ b/virtrust/src/virtrust/link/grpc_client_test.cpp
@@ -0,0 +1,288 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#include <string>
+
+#include "gtest/gtest.h"
+
+#include "virtrust/link/defines.h"
+#include "virtrust/link/grpc_client.h"
+
+namespace virtrust {
+
+class GrpcClientTest : public ::testing::Test {
+protected:
+    void SetUp() override
+    {
+        // Initialize test configuration
+        linkConfig_.caPath = "/test/ca.pem";
+        linkConfig_.certPath = "/test/cert.pem";
+        linkConfig_.skPath = "/test/sk.pem";
+        linkConfig_.ip = "127.0.0.1";
+        linkConfig_.ipMask = "127.0.0.0/24";
+        linkConfig_.port = 50051;
+        linkConfig_.udsPath = "/tmp/test.sock";
+
+        migrationConfig_.domainName = "test-domain";
+        migrationConfig_.uuid = "test-uuid-12345";
+        migrationConfig_.destUri = "qemu+tcp://dest-host/system";
+        migrationConfig_.localUri = "qemu+tcp://src-host/system";
+        migrationConfig_.flags = 0;
+    }
+
+    LinkConfig linkConfig_;
+    MigrationConfig migrationConfig_;
+};
+
+TEST_F(GrpcClientTest, UdsClientConstructor)
+{
+    // Test that UdsClient can be constructed with valid config
+    UdsClient client(linkConfig_);
+
+    // The constructor should not throw, and the client should be valid
+    // Since we can't directly access private members, we just ensure construction succeeds
+    SUCCEED();
+}
+
+TEST_F(GrpcClientTest, UdsClientConstructorWithEmptyConfig)
+{
+    // Test with empty config
+    LinkConfig emptyConfig;
+    UdsClient client(emptyConfig);
+
+    // Should still construct successfully
+    SUCCEED();
+}
+
+TEST_F(GrpcClientTest, UdsClientDomainMigrateRequest)
+{
+    UdsClient client(linkConfig_);
+
+    // This will fail because there's no server running, but we can test the request construction
+    // and error handling
+    int32_t result = client.DomainMigrate(migrationConfig_);
+
+    // Should return -1 when server is not available
+    EXPECT_EQ(result, -1);
+}
+
+TEST_F(GrpcClientTest, UdsClientDomainMigrateWithEmptyConfig)
+{
+    UdsClient client(linkConfig_);
+
+    MigrationConfig emptyConfig;
+    int32_t result = client.DomainMigrate(emptyConfig);
+
+    // Should return -1 when server is not available
+    EXPECT_EQ(result, -1);
+}
+
+TEST_F(GrpcClientTest, RpcClientConstructor)
+{
+    // Test that RpcClient can be constructed with valid config
+    RpcClient client(linkConfig_);
+
+    // The constructor should not throw, and the client should be valid
+    SUCCEED();
+}
+
+TEST_F(GrpcClientTest, RpcClientConstructorWithEmptyConfig)
+{
+    // Test with empty config
+    LinkConfig emptyConfig;
+    RpcClient client(emptyConfig);
+
+    // Should still construct successfully
+    SUCCEED();
+}
+
+TEST_F(GrpcClientTest, RpcClientPrepareMigration)
+{
+    RpcClient client(linkConfig_);
+
+    protos::PrepareMigRequest request;
+    protos::PrepareMigReply response;
+
+    // Set up a basic request
+    request.set_domainname("test-domain");
+    request.set_uuid("test-uuid");
+
+    // This will fail because there's no server running, but we can test the request construction
+    // and error handling
+    int32_t result = client.PrepareMigration(5, request, &response);
+
+    // Should return -1 when server is not available
+    EXPECT_EQ(result, -1);
+}
+
+TEST_F(GrpcClientTest, RpcClientExchangePkAndReport)
+{
+    RpcClient client(linkConfig_);
+
+    protos::EXchangePkAndReportRequest request;
+    protos::EXchangePkAndReportReply response;
+
+    // Set up a basic request
+    request.set_domainname("test-domain");
+    request.set_uuid("test-uuid");
+    request.set_cert("test-certificate");
+    request.set_publickey("test-public-key");
+    // Note: hostReport and vmReport are TrustReportNew messages, not strings
+    // For test purposes, we'll leave them unset
+
+    // This will fail because there's no server running, but we can test the request construction
+    // and error handling
+    int32_t result = client.ExchangePkAndReport(5, request, &response);
+
+    // Should return -1 when server is not available
+    EXPECT_EQ(result, -1);
+}
+
+TEST_F(GrpcClientTest, RpcClientStartMigration)
+{
+    RpcClient client(linkConfig_);
+
+    protos::StartMigRequest request;
+    protos::StartMigReply response;
+
+    // Set up a basic request
+    request.set_domainname("test-domain");
+    request.set_uuid("test-uuid");
+
+    // This will fail because there's no server running, but we can test the request construction
+    // and error handling
+    int32_t result = client.StartMigration(5, request, &response);
+
+    // Should return -1 when server is not available
+    EXPECT_EQ(result, -1);
+}
+
+TEST_F(GrpcClientTest, RpcClientSendVRsourceData)
+{
+    RpcClient client(linkConfig_);
+
+    protos::VRsourceInfoRequest request;
+    protos::VRsourceInfoReply response;
+
+    // Set up a basic request
+    request.set_uuid("test-uuid");
+    request.set_data("test-vr-data");
+
+    // This will fail because there's no server running, but we can test the request construction
+    // and error handling
+    int32_t result = client.SendVRsourceData(5, request, &response);
+
+    // Should return -1 when server is not available
+    EXPECT_EQ(result, -1);
+}
+
+TEST_F(GrpcClientTest, RpcClientNotifyVRMigrateResult)
+{
+    RpcClient client(linkConfig_);
+
+    protos::MigrateResultRequest request;
+    protos::MigrateResultReply response;
+
+    // Set up a basic request
+    request.set_domainname("test-domain");
+    request.set_uuid("test-uuid");
+    request.set_result(1); // 1 for success
+
+    // This will fail because there's no server running, but we can test the request construction
+    // and error handling
+    int32_t result = client.NotifyVRMigrateResult(5, request, &response);
+
+    // Should return -1 when server is not available
+    EXPECT_EQ(result, -1);
+}
+
+TEST_F(GrpcClientTest, RpcClientWithTimeout)
+{
+    RpcClient client(linkConfig_);
+
+    protos::PrepareMigRequest request;
+    protos::PrepareMigReply response;
+
+    request.set_domainname("test-domain");
+    request.set_uuid("test-uuid");
+
+    // Test with very short timeout (1 second) - should still handle gracefully
+    int32_t result = client.PrepareMigration(1, request, &response);
+
+    // Should return -1 when server is not available
+    EXPECT_EQ(result, -1);
+}
+
+TEST_F(GrpcClientTest, RpcClientWithZeroTimeout)
+{
+    RpcClient client(linkConfig_);
+
+    protos::PrepareMigRequest request;
+    protos::PrepareMigReply response;
+
+    request.set_domainname("test-domain");
+    request.set_uuid("test-uuid");
+
+    // Test with zero timeout - should still handle gracefully
+    int32_t result = client.PrepareMigration(0, request, &response);
+
+    // Should return -1 when server is not available
+    EXPECT_EQ(result, -1);
+}
+
+TEST_F(GrpcClientTest, RpcClientWithInvalidIp)
+{
+    LinkConfig invalidConfig = linkConfig_;
+    invalidConfig.ip = "invalid.ip.address";
+
+    RpcClient client(invalidConfig);
+
+    protos::PrepareMigRequest request;
+    protos::PrepareMigReply response;
+
+    request.set_domainname("test-domain");
+    request.set_uuid("test-uuid");
+
+    // Should handle invalid IP gracefully
+    int32_t result = client.PrepareMigration(5, request, &response);
+
+    // Should return -1 when unable to connect
+    EXPECT_EQ(result, -1);
+}
+
+TEST_F(GrpcClientTest, RpcClientWithInvalidPort)
+{
+    LinkConfig invalidConfig = linkConfig_;
+    invalidConfig.port = 0; // Invalid port
+
+    RpcClient client(invalidConfig);
+
+    protos::PrepareMigRequest request;
+    protos::PrepareMigReply response;
+
+    request.set_domainname("test-domain");
+    request.set_uuid("test-uuid");
+
+    // Should handle invalid port gracefully
+    int32_t result = client.PrepareMigration(5, request, &response);
+
+    // Should return -1 when unable to connect
+    EXPECT_EQ(result, -1);
+}
+
+TEST_F(GrpcClientTest, UdsClientWithInvalidUdsPath)
+{
+    LinkConfig invalidConfig = linkConfig_;
+    invalidConfig.udsPath = ""; // Empty UDS path
+
+    UdsClient client(invalidConfig);
+
+    // Should handle empty UDS path gracefully
+    int32_t result = client.DomainMigrate(migrationConfig_);
+
+    // Should return -1 when unable to connect
+    EXPECT_EQ(result, -1);
+}
+
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/link/grpc_server.cpp b/virtrust/src/virtrust/link/grpc_server.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..c19c226e87aeb5bca2a204d56282fe7d6a1996c3
--- /dev/null
+++ b/virtrust/src/virtrust/link/grpc_server.cpp
@@ -0,0 +1,102 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#include "virtrust/link/grpc_server.h"
+
+#include "virtrust/base/logger.h"
+#include "virtrust/base/str_utils.h"
+#include "virtrust/link/defines.h"
+#include "virtrust/link/migration_service_impl.h"
+
+#include "virtrust/link/proto/migrate.grpc.pb.h"
+
+namespace virtrust {
+using grpc::Server;
+using grpc::ServerBuilder;
+using grpc::ServerContext;
+using grpc::Status;
+
+GrpcServer::GrpcServer(LinkConfig config) : config_(config)
+{}
+
+LinkRc GrpcServer::Start()
+{
+    if (running_) {
+        return LinkRc::ERROR;
+    }
+    ::unlink(config_.udsPath.c_str());
+    server_thread_ = std::make_unique<std::thread>([this]() { RunServer(); });
+
+    // 等待服务器启动
+    std::this_thread::sleep_for(std::chrono::seconds(WAIT_RUN_SERVER_SECONDS)); // 2秒之后启动
+
+    if (!running_) {
+        return LinkRc::ERROR;
+    }
+    return LinkRc::OK;
+}
+
+void GrpcServer::Stop()
+{
+    if (!running_) {
+        return;
+    }
+    if (server_) {
+        server_->Shutdown();
+        server_.reset();
+    }
+    if (server_thread_ && server_thread_->joinable()) {
+        server_thread_->join();
+        server_thread_.reset();
+    }
+
+    // 清理 UDS 文件
+    ::unlink(config_.udsPath.c_str());
+    running_ = false;
+}
+
+void GrpcServer::RunServer()
+{
+    try {
+        MigrationServiceImpl service;
+        std::string serverAddress = config_.ip + ":" + std::to_string(config_.port);
+        grpc::EnableDefaultHealthCheckService(true);
+        grpc::reflection::InitProtoReflectionServerBuilderPlugin();
+
+        grpc::ServerBuilder builder;
+        auto server_creds = grpc::InsecureServerCredentials();
+        // 创建 SSL 凭证
+        if (!config_.skPath.empty() && !config_.certPath.empty() && !config_.caPath.empty()) {
+            VIRTRUST_LOG_DEBUG("|RunServer|||Start in certificate");
+            grpc::SslServerCredentialsOptions::PemKeyCertPair key_cert_pair;
+            key_cert_pair.private_key = ReadFile(config_.skPath);
+            key_cert_pair.cert_chain = ReadFile(config_.certPath);
+
+            grpc::SslServerCredentialsOptions ssl_opts;
+            ssl_opts.client_certificate_request = GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY;
+            ssl_opts.pem_key_cert_pairs.push_back(key_cert_pair);
+            ssl_opts.pem_root_certs = ReadFile(config_.caPath);
+            server_creds = grpc::SslServerCredentials(ssl_opts);
+        }
+
+        // 监听tcp地址
+        builder.AddListeningPort(serverAddress, server_creds);
+        // 监听uds地址
+        builder.AddListeningPort("unix:" + config_.udsPath, grpc::InsecureServerCredentials());
+        builder.RegisterService(&service);
+
+        server_ = builder.BuildAndStart();
+        if (!server_) {
+            VIRTRUST_LOG_ERROR("|RunServer|END|returnF|rpc buildAndStart failed");
+            return;
+        }
+
+        running_ = true;
+        server_->Wait();
+    } catch (const std::exception &e) {
+        running_ = false;
+    }
+}
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/link/grpc_server.h b/virtrust/src/virtrust/link/grpc_server.h
new file mode 100644
index 0000000000000000000000000000000000000000..313da946a401b51531b6b43d5fb4ad65999045fd
--- /dev/null
+++ b/virtrust/src/virtrust/link/grpc_server.h
@@ -0,0 +1,31 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#pragma once
+
+#include <grpcpp/grpcpp.h>
+
+#include <memory>
+#include <thread>
+
+#include "virtrust/link/defines.h"
+
+namespace virtrust {
+class GrpcServer {
+public:
+    explicit GrpcServer(LinkConfig config);
+
+    LinkRc Start();
+    void Stop();
+
+private:
+    void RunServer();
+
+    LinkConfig config_;
+    std::atomic<bool> running_{false};
+
+    std::unique_ptr<grpc::Server> server_;
+    std::unique_ptr<std::thread> server_thread_;
+};
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/link/grpc_server_test.cpp b/virtrust/src/virtrust/link/grpc_server_test.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..797ed4b0da33b15b4d24e026599e8f8555fba7bd
--- /dev/null
+++ b/virtrust/src/virtrust/link/grpc_server_test.cpp
@@ -0,0 +1,309 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#include <chrono>
+#include <fstream>
+#include <string>
+#include <thread>
+
+#include "gtest/gtest.h"
+
+#include "virtrust/link/defines.h"
+#include "virtrust/link/grpc_server.h"
+
+namespace virtrust {
+
+class GrpcServerTest : public ::testing::Test {
+protected:
+    void SetUp() override
+    {
+        // Initialize test configuration
+        linkConfig_.caPath = "/test/ca.pem";
+        linkConfig_.certPath = "/test/cert.pem";
+        linkConfig_.skPath = "/test/sk.pem";
+        linkConfig_.ip = "127.0.0.1";
+        linkConfig_.ipMask = "127.0.0.0/24";
+        linkConfig_.port = 50052; // Use different port to avoid conflicts
+        linkConfig_.udsPath = "/tmp/test_grpc_server.sock";
+    }
+
+    void TearDown() override
+    {
+        // Clean up any leftover UDS file
+        ::unlink(linkConfig_.udsPath.c_str());
+    }
+
+    LinkConfig linkConfig_;
+};
+
+TEST_F(GrpcServerTest, Constructor)
+{
+    // Test that GrpcServer can be constructed with valid config
+    GrpcServer server(linkConfig_);
+
+    // The constructor should not throw, and the server should be valid
+    SUCCEED();
+}
+
+TEST_F(GrpcServerTest, ConstructorWithEmptyConfig)
+{
+    // Test with empty config
+    LinkConfig emptyConfig;
+    GrpcServer server(emptyConfig);
+
+    // Should still construct successfully
+    SUCCEED();
+}
+
+TEST_F(GrpcServerTest, StartAndStop)
+{
+    GrpcServer server(linkConfig_);
+
+    // Start the server
+    LinkRc startResult = server.Start();
+
+    // Give the server a moment to start
+    std::this_thread::sleep_for(std::chrono::milliseconds(200));
+
+    // Stop the server
+    server.Stop();
+
+    // Both start and stop should succeed
+    EXPECT_EQ(startResult, LinkRc::OK);
+}
+
+TEST_F(GrpcServerTest, StartTwice)
+{
+    GrpcServer server(linkConfig_);
+
+    // Start the server first time
+    LinkRc firstStart = server.Start();
+
+    // Give the server a moment to start
+    std::this_thread::sleep_for(std::chrono::milliseconds(200));
+
+    // Try to start again - should fail
+    LinkRc secondStart = server.Start();
+
+    // Stop the server
+    server.Stop();
+
+    // First start should succeed, second should fail
+    EXPECT_EQ(firstStart, LinkRc::OK);
+    EXPECT_EQ(secondStart, LinkRc::ERROR);
+}
+
+TEST_F(GrpcServerTest, StopWithoutStart)
+{
+    GrpcServer server(linkConfig_);
+
+    // Stop the server without starting it - should not crash
+    server.Stop();
+
+    // Should complete without issues
+    SUCCEED();
+}
+
+TEST_F(GrpcServerTest, StartStopMultipleTimes)
+{
+    GrpcServer server(linkConfig_);
+
+    for (int i = 0; i < 3; i++) {
+        // Start the server
+        LinkRc startResult = server.Start();
+
+        // Give the server a moment to start
+        std::this_thread::sleep_for(std::chrono::milliseconds(100));
+
+        // Stop the server
+        server.Stop();
+
+        // Each start should succeed
+        EXPECT_EQ(startResult, LinkRc::OK);
+
+        // Brief pause between iterations
+        std::this_thread::sleep_for(std::chrono::milliseconds(50));
+    }
+}
+
+TEST_F(GrpcServerTest, StartWithInvalidPort)
+{
+    LinkConfig invalidConfig = linkConfig_;
+    invalidConfig.port = 0; // Invalid port
+
+    GrpcServer server(invalidConfig);
+
+    // Starting with invalid port should handle gracefully
+    LinkRc startResult = server.Start();
+    (void)startResult; // Suppress unused variable warning
+
+    // Give it a moment to attempt starting
+    std::this_thread::sleep_for(std::chrono::milliseconds(200));
+
+    server.Stop();
+
+    // Start should handle the invalid port gracefully
+    // The exact result depends on gRPC implementation
+    // but it should not crash
+    SUCCEED();
+}
+
+TEST_F(GrpcServerTest, StartWithPrivilegedPort)
+{
+    LinkConfig privilegedConfig = linkConfig_;
+    privilegedConfig.port = 80; // Privileged port (might fail)
+
+    GrpcServer server(privilegedConfig);
+
+    // Starting with privileged port might fail due to permissions
+    LinkRc startResult = server.Start();
+    (void)startResult; // Suppress unused variable warning
+
+    // Give it a moment to attempt starting
+    std::this_thread::sleep_for(std::chrono::milliseconds(200));
+
+    server.Stop();
+
+    // Should handle privileged port gracefully (might succeed or fail depending on permissions)
+    SUCCEED();
+}
+
+TEST_F(GrpcServerTest, StartWithInvalidUdsPath)
+{
+    LinkConfig invalidConfig = linkConfig_;
+    invalidConfig.udsPath = ""; // Empty UDS path
+
+    GrpcServer server(invalidConfig);
+
+    // Starting with invalid UDS path should handle gracefully
+    LinkRc startResult = server.Start();
+    (void)startResult; // Suppress unused variable warning
+
+    // Give it a moment to attempt starting
+    std::this_thread::sleep_for(std::chrono::milliseconds(200));
+
+    server.Stop();
+
+    // Should handle the invalid UDS path gracefully
+    // The exact result depends on gRPC implementation
+    SUCCEED();
+}
+
+TEST_F(GrpcServerTest, StartWithLongUdsPath)
+{
+    LinkConfig longPathConfig = linkConfig_;
+    longPathConfig.udsPath =
+        "/tmp/very_long_uds_path_name_that_exceeds_normal_filesystem_limits_and_should_test_error_handling.sock";
+
+    GrpcServer server(longPathConfig);
+
+    // Starting with very long UDS path should handle gracefully
+    LinkRc startResult = server.Start();
+    (void)startResult; // Suppress unused variable warning
+
+    // Give it a moment to attempt starting
+    std::this_thread::sleep_for(std::chrono::milliseconds(200));
+
+    server.Stop();
+
+    // Should handle the long UDS path gracefully
+    SUCCEED();
+}
+
+TEST_F(GrpcServerTest, ServerLifecycleWithRapidStartStop)
+{
+    GrpcServer server(linkConfig_);
+
+    // Test rapid start/stop cycles
+    for (int i = 0; i < 5; i++) {
+        LinkRc startResult = server.Start();
+        (void)startResult; // Suppress unused variable warning
+
+        // Very short start time
+        std::this_thread::sleep_for(std::chrono::milliseconds(50));
+
+        server.Stop();
+
+        // Brief pause
+        std::this_thread::sleep_for(std::chrono::milliseconds(10));
+    }
+
+    // Should handle rapid cycles without issues
+    SUCCEED();
+}
+
+TEST_F(GrpcServerTest, ServerHandlesExistingUdsFile)
+{
+    // Create a file at the UDS path first
+    std::ofstream existingFile(linkConfig_.udsPath);
+    existingFile << "existing content";
+    existingFile.close();
+
+    GrpcServer server(linkConfig_);
+
+    // Server should handle existing file at UDS path gracefully
+    LinkRc startResult = server.Start();
+    (void)startResult; // Suppress unused variable warning
+
+    // Give it a moment to start
+    std::this_thread::sleep_for(std::chrono::milliseconds(200));
+
+    server.Stop();
+
+    // Should handle existing file gracefully
+    SUCCEED();
+}
+
+TEST_F(GrpcServerTest, ServerWithDifferentPorts)
+{
+    std::vector<uint16_t> testPorts = {50053, 50054, 50055, 50056};
+
+    for (uint16_t port : testPorts) {
+        LinkConfig testConfig = linkConfig_;
+        testConfig.port = port;
+        testConfig.udsPath = "/tmp/test_grpc_server_" + std::to_string(port) + ".sock";
+
+        GrpcServer server(testConfig);
+
+        LinkRc startResult = server.Start();
+
+        // Give it a moment to start
+        std::this_thread::sleep_for(std::chrono::milliseconds(100));
+
+        server.Stop();
+
+        // Clean up UDS file
+        ::unlink(testConfig.udsPath.c_str());
+
+        // Each port should be handled gracefully
+        EXPECT_EQ(startResult, LinkRc::OK);
+    }
+}
+
+TEST_F(GrpcServerTest, ServerConcurrentOperations)
+{
+    GrpcServer server(linkConfig_);
+
+    // Start server in background
+    std::thread startThread([&server]() {
+        LinkRc result = server.Start();
+        EXPECT_EQ(result, LinkRc::OK);
+    });
+
+    // Give server time to start
+    std::this_thread::sleep_for(std::chrono::milliseconds(100));
+
+    // Stop server
+    server.Stop();
+
+    // Wait for start thread to complete
+    if (startThread.joinable()) {
+        startThread.join();
+    }
+
+    // Should handle concurrent operations without issues
+    SUCCEED();
+}
+
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/link/link_config_builder.h b/virtrust/src/virtrust/link/link_config_builder.h
new file mode 100644
index 0000000000000000000000000000000000000000..783636e0ff8d95ac383bfc42d805e401bb6c4557
--- /dev/null
+++ b/virtrust/src/virtrust/link/link_config_builder.h
@@ -0,0 +1,43 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#pragma once
+
+#include <array>
+#include <cstdint>
+#include <string>
+#include <string_view>
+
+#include "virtrust/link/defines.h"
+
+namespace virtrust {
+
+class LinkConfigBuilder {
+public:
+#define VIRTRUST_LINK_BUILDER_ADD(TYPE, NAME) \
+    LinkConfigBuilder NAME(TYPE NAME)         \
+    {                                         \
+        config_.NAME = NAME;                  \
+        return *this;                         \
+    }
+
+    VIRTRUST_LINK_BUILDER_ADD(const std::string &, caPath)
+    VIRTRUST_LINK_BUILDER_ADD(const std::string &, udsPath)
+    VIRTRUST_LINK_BUILDER_ADD(const std::string &, certPath)
+    VIRTRUST_LINK_BUILDER_ADD(const std::string &, skPath)
+    VIRTRUST_LINK_BUILDER_ADD(const std::string &, ip)
+    VIRTRUST_LINK_BUILDER_ADD(uint16_t, port)
+
+#undef VIRTRUST_LINK_BUILDER_ADD
+
+    LinkConfig Build()
+    {
+        return config_;
+    }
+
+private:
+    LinkConfig config_;
+};
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/link/link_test.cpp b/virtrust/src/virtrust/link/link_test.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..a7bdf331f4c243f3944663751c1a16ba7c7c704a
--- /dev/null
+++ b/virtrust/src/virtrust/link/link_test.cpp
@@ -0,0 +1,71 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+ */
+
+#include <filesystem>
+#include <future>
+
+#include "gtest/gtest.h"
+#include "spdlog/fmt/bundled/core.h"
+
+#include "virtrust/link/link_client.h"
+#include "virtrust/link/link_config_builder.h"
+#include "virtrust/link/link_server.h"
+
+namespace virtrust {
+
+namespace {
+constexpr std::string_view TEST_CA_CERT_FILENAME = "ca/cert.pem";
+constexpr std::string_view TEST_SERVER_CERT_FILENAME = "server/cert.pem";
+constexpr std::string_view TEST_SERVER_SK_FILENAME = "server/sk.pem";
+constexpr std::string_view TEST_CLIENT_CERT_FILENAME = "client/cert.pem";
+constexpr std::string_view TEST_CLIENT_SK_FILENAME = "client/sk.pem";
+
+constexpr std::string_view TEST_ADDR = "127.0.0.1";
+constexpr std::string_view TEST_ADDR_MASK = "127.0.0.0/128";
+constexpr uint16_t TEST_SERVER_PORT = "10086";
+constexpr uint16_t TEST_CLIENT_PORT = "10087";
+
+inline std::filesystem::path GetTestDir()
+{
+    // GET the project root path (which is the directory)
+    auto filePath = std::filesystem::path(__FILE__);
+    return (filePath / ".." / ".." / ".." / ".." / "test").lexically_normal();
+}
+
+#define GET_PATH(ROLE, TYPE) (GetTestDir() / TEST_##ROLE##_##TYPE##_FILENAME).lexically_normal().string()
+
+} // namespace
+
+TEST(LinkTest, SimpleDemo)
+{
+    auto s = std::async([]() {
+        LinkServer link(LinkConfigBuilder()
+                            .caPath(GET_PATH(CA, CERT))
+                            .certPath(GET_PATH(SERVER, CERT))
+                            .skPath(GET_PATH(SERVER, SK))
+                            .ip(std::string(TEST_ADDR))
+                            .ipMask(std::string(TEST_ADDR_MASK))
+                            .port(TEST_SERVER_PORT)
+                            .Build());
+        return link.Start();
+    });
+    auto c = std::async([]() {
+        LinkClient link(LinkConfigBuilder()
+                            .caPath(GET_PATH(CA, CERT))
+                            .certPath(GET_PATH(CLIENT, CERT))
+                            .skPath(GET_PATH(CLIENT, SK))
+                            .ip(std::string(TEST_ADDR))
+                            .ipMask(std::string(TEST_ADDR_MASK))
+                            .port(TEST_CLIENT_PORT)
+                            .Build());
+        auto ret = link.Start();
+        if (ret != LinkRc::OK) {
+            return ret;
+        };
+        return link.Connect(TEST_ADDR, TEST_SERVER_PORT);
+    });
+    EXPECT_EQ(s.get(), LinkRc::OK);
+    EXPECT_EQ(c.get(), LinkRc::OK);
+}
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/link/migration_service_impl.cpp b/virtrust/src/virtrust/link/migration_service_impl.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..e4c03d48090b84c5dcf14158baf9476a153fb491
--- /dev/null
+++ b/virtrust/src/virtrust/link/migration_service_impl.cpp
@@ -0,0 +1,218 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+ */
+
+#include "virtrust/link/migration_service_impl.h"
+
+#include <memory>
+#include <regex>
+#include <thread>
+#include <vector>
+
+#include "libvirtrustd/defines.h"
+#include "tsb_agent/tsb_agent.h"
+
+#include "virtrust/base/logger.h"
+#include "virtrust/link/defines.h"
+#include "virtrust/link/grpc_client.h"
+#include "virtrust/link/migration_session.h"
+
+namespace virtrust {
+const std::regex IP_REGEX(R"((\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}))");
+
+namespace {
+std::string ExtractSingleIP(const std::string &str)
+{
+    std::vector<std::string> ips;
+    std::sregex_iterator it(str.begin(), str.end(), IP_REGEX);
+    std::sregex_iterator end;
+    for (; it != end; ++it) {
+        ips.push_back((*it)[1]);
+    }
+
+    if (ips.empty()) {
+        VIRTRUST_LOG_ERROR("|ExtracSingleIP|END|returnF|No IP address found");
+        return "";
+    } else if (ips.size() > 1) {
+        VIRTRUST_LOG_ERROR("|ExtracSingleIP|END|returnF|IP address is not in one or more");
+        return "";
+    }
+    return ips[0];
+}
+} // namespace
+
+grpc::Status MigrationServiceImpl::PrepareMigration(grpc::ServerContext *context,
+                                                    const protos::PrepareMigRequest *request,
+                                                    protos::PrepareMigReply *response)
+{
+    VIRTRUST_LOG_DEBUG("|PrepareMigration|START||start handle rpc request");
+    auto &uuid = request->uuid();
+    auto &domainName = request->domainname();
+    auto &mgr = SessionManager::GetInstance();
+
+    // 已存在session，说明正在迁移
+    if (mgr.GetSession(uuid) != nullptr) {
+        VIRTRUST_LOG_ERROR(
+            "|PrepareMigration|END|returnF|domain name: {}|Session already exists, this VM is already migrating",
+            domainName);
+        response->set_result(1);
+        return grpc::Status::OK;
+    }
+
+    // 否则创建session
+    MigrationSession *session = mgr.CreateSession(MigrationSession::Role::Responder, uuid, request->domainname(),
+                                                  request->desturi(), request->localuri(), request->flags());
+    MigrateSessionRc rc = session->OnMigrateRequestReceived();
+    if (rc != MigrateSessionRc::OK) {
+        response->set_result(1);
+        return grpc::Status::OK;
+    }
+    response->set_result(0);
+    return grpc::Status::OK;
+}
+
+// 2: 交换公钥和报告
+grpc::Status MigrationServiceImpl::ExchangePkAndReport(grpc::ServerContext *context,
+                                                       const protos::EXchangePkAndReportRequest *request,
+                                                       protos::EXchangePkAndReportReply *response)
+{
+    VIRTRUST_LOG_DEBUG("|ExchangePkAndReport|START||start handle rpc request");
+    auto &uuid = request->uuid();
+    auto &domainName = request->domainname();
+    MigrationSession *session = SessionManager::GetInstance().GetSession(uuid);
+    if (session == nullptr) {
+        VIRTRUST_LOG_ERROR("|ExchangePkAndReport|END|returnF|domain name: {}|Can't find session.", domainName);
+        response->set_result(1);
+        return grpc::Status::OK;
+    }
+
+    MigrateSessionRc rc = session->OnExchangeKeyRequestReceived(request, response);
+    if (rc != MigrateSessionRc::OK) {
+        response->set_result(1);
+        return grpc::Status::OK;
+    }
+
+    response->set_result(0);
+    return grpc::Status::OK;
+}
+
+// 3: 开始迁移通知
+grpc::Status MigrationServiceImpl::StartMigration(grpc::ServerContext *context, const protos::StartMigRequest *request,
+                                                  protos::StartMigReply *response)
+{
+    VIRTRUST_LOG_DEBUG("|StartMigration|START||start handle rpc request");
+    auto &uuid = request->uuid();
+    auto &domainName = request->domainname();
+    MigrationSession *session = SessionManager::GetInstance().GetSession(uuid);
+    if (session == nullptr) {
+        VIRTRUST_LOG_ERROR("|StartMigration|END|returnF|domain name: {}|Can't find session.", domainName);
+        response->set_result(1);
+        return grpc::Status::OK;
+    }
+
+    MigrateSessionRc rc = session->OnStartMigrationRequestReceived();
+    if (rc != MigrateSessionRc::OK) {
+        response->set_result(1);
+        return grpc::Status::OK;
+    }
+
+    response->set_result(0);
+    return grpc::Status::OK;
+}
+
+// 4：迁移虚机密码资源
+grpc::Status MigrationServiceImpl::SendVRsourceData(grpc::ServerContext *context,
+                                                    const protos::VRsourceInfoRequest *request,
+                                                    protos::VRsourceInfoReply *response)
+{
+    VIRTRUST_LOG_DEBUG("|SendVRsourceData|START||start handle rpc request");
+    if (request == nullptr) {
+        VIRTRUST_LOG_ERROR("|SendVRsourceData|END|returnF||request is nullptr.");
+        response->set_result(1);
+        return grpc::Status::OK;
+    }
+    auto &uuid = request->uuid();
+    MigrationSession *session = SessionManager::GetInstance().GetSession(uuid);
+    if (session == nullptr) {
+        VIRTRUST_LOG_ERROR("|SendVRsourceData|END|returnF|uuid: {}|Can't find session.", uuid);
+        response->set_result(1);
+        return grpc::Status::OK;
+    }
+    // 服务端
+    MigrateSessionRc rc = session->OnTransferDataRequestReceived(request);
+    if (rc != MigrateSessionRc::OK) {
+        response->set_result(1);
+        return grpc::Status::OK;
+    }
+
+    response->set_result(0);
+    return grpc::Status::OK;
+}
+
+// 5: 通知迁移结果
+grpc::Status MigrationServiceImpl::NotifyVRMigrateResult(grpc::ServerContext *context,
+                                                         const protos::MigrateResultRequest *request,
+                                                         protos::MigrateResultReply *response)
+{
+    VIRTRUST_LOG_DEBUG("|NotifyVRMigrateResult|START||start handle rpc request");
+    if (request == nullptr) {
+        VIRTRUST_LOG_ERROR("|DomainMigrate|END|returnF|NotifyVRMigrateResult request is nullptr.");
+        response->set_result(1);
+        return grpc::Status::OK;
+    }
+    auto &uuid = request->uuid();
+    MigrationSession *session = SessionManager::GetInstance().GetSession(uuid);
+    if (session == nullptr) {
+        VIRTRUST_LOG_ERROR("|StartMigration|END|returnF|NotifyVRMigrateResult uuid: {}|Can't find session.", uuid);
+        response->set_result(1);
+        return grpc::Status::OK;
+    }
+    MigrateSessionRc rc = session->OnFinishedRequestReceived(request->result() == 0);
+    if (rc != MigrateSessionRc::OK) {
+        response->set_result(1);
+        return grpc::Status::OK;
+    }
+    response->set_result(0);
+    return grpc::Status::OK;
+}
+
+// 6: 发起迁移任务, virsh-sh主动这个方法
+grpc::Status MigrationServiceImpl::DomainMigrate(grpc::ServerContext *context,
+                                                 const protos::DomainMigraterRequest *request,
+                                                 protos::DomainMigraterReply *response)
+{
+    VIRTRUST_LOG_DEBUG("|DomainMigrate|START||start handle uds request");
+    std::string destIp = ExtractSingleIP(request->desturi());
+    if (destIp.empty()) {
+        VIRTRUST_LOG_ERROR("|MigrationServiceImpl DomainMigrate|END|returnF|invalid ip, destUri is: {}",
+                           request->desturi());
+        response->set_result(1);
+        return grpc::Status::OK;
+    }
+    LinkConfig config = ConfigMgr::Instance().GetLinkConfig();
+    config.ip = destIp;
+    RpcClient client(config);
+
+    auto &mgr = SessionManager::GetInstance();
+    MigrationSession *session =
+        mgr.CreateSession(MigrationSession::Role::Initiator, request->uuid(), request->domainname(), request->desturi(),
+                          request->localuri(), request->flags());
+    if (!session) {
+        response->set_result(1); // already exists or failed
+        return grpc::Status::OK;
+    }
+    // 初始化会话内的 RPC 客户端
+    session->SetRpcClient(std::make_unique<RpcClient>(config));
+    // 启动状态机（内部会依次调用 Prepare/Exchange/Start）
+    auto ret = session->Start();
+    if (ret != MigrateSessionRc::OK) {
+        response->set_result(1);
+        return grpc::Status::OK;
+    }
+
+    response->set_result(0);
+    VIRTRUST_LOG_DEBUG("|DomainMigrate|END|returnS|");
+    return grpc::Status::OK;
+}
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/link/migration_service_impl.h b/virtrust/src/virtrust/link/migration_service_impl.h
new file mode 100644
index 0000000000000000000000000000000000000000..32c1cf2386468a2431ee4bf4e5a10e3afb75033e
--- /dev/null
+++ b/virtrust/src/virtrust/link/migration_service_impl.h
@@ -0,0 +1,44 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#pragma once
+
+#include <grpcpp/ext/proto_server_reflection_plugin.h>
+#include <grpcpp/grpcpp.h>
+
+#include <memory>
+#include <thread>
+
+#include "virtrust/link/defines.h"
+
+#include "virtrust/link/proto/migrate.grpc.pb.h"
+
+namespace virtrust {
+class MigrationServiceImpl final : public protos::MigrationService::Service {
+public:
+    // 1: 准备迁移
+    grpc::Status PrepareMigration(grpc::ServerContext *context, const protos::PrepareMigRequest *request,
+                                  protos::PrepareMigReply *response) override;
+
+    // 2: 交换公钥
+    grpc::Status ExchangePkAndReport(grpc::ServerContext *context, const protos::EXchangePkAndReportRequest *request,
+                                     protos::EXchangePkAndReportReply *response) override;
+
+    // 3: 开始迁移
+    grpc::Status StartMigration(grpc::ServerContext *context, const protos::StartMigRequest *request,
+                                protos::StartMigReply *response) override;
+
+    // 4：迁移虚机密码资源
+    grpc::Status SendVRsourceData(grpc::ServerContext *context, const protos::VRsourceInfoRequest *request,
+                                  protos::VRsourceInfoReply *response) override;
+
+    // 5: 通知迁移结果
+    grpc::Status NotifyVRMigrateResult(grpc::ServerContext *context, const protos::MigrateResultRequest *request,
+                                       protos::MigrateResultReply *response) override;
+
+    // 6: 发起迁移任务
+    grpc::Status DomainMigrate(grpc::ServerContext *context, const protos::DomainMigraterRequest *request,
+                               protos::DomainMigraterReply *response) override;
+};
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/link/migration_service_impl_test.cpp b/virtrust/src/virtrust/link/migration_service_impl_test.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..2d12bf663c3c182c4dde634a927b004fba1250e4
--- /dev/null
+++ b/virtrust/src/virtrust/link/migration_service_impl_test.cpp
@@ -0,0 +1,447 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#include <memory>
+
+#include "gtest/gtest.h"
+
+#include "virtrust/link/migration_service_impl.h"
+#include "virtrust/link/migration_session.h"
+
+namespace virtrust {
+
+class MigrationServiceImplTest : public ::testing::Test {
+protected:
+    void SetUp() override
+    {
+        service_ = std::make_unique<MigrationServiceImpl>();
+
+        testUuid_ = "test-uuid-12345";
+        testDomainName_ = "test-domain";
+        testDestUri_ = "qemu+tcp://192.168.1.100/system";
+        testLocalUri_ = "qemu+tcp://192.168.1.50/system";
+        testFlags_ = 0;
+    }
+
+    void TearDown() override
+    {
+        // Clean up any sessions created during tests
+        SessionManager::GetInstance().RemoveSession(testUuid_);
+    }
+
+    std::unique_ptr<MigrationServiceImpl> service_;
+    std::string testUuid_;
+    std::string testDomainName_;
+    std::string testDestUri_;
+    std::string testLocalUri_;
+    unsigned int testFlags_;
+};
+
+TEST_F(MigrationServiceImplTest, Constructor)
+{
+    // Test that MigrationServiceImpl can be constructed
+    ASSERT_NE(service_, nullptr);
+    SUCCEED();
+}
+
+TEST_F(MigrationServiceImplTest, PrepareMigrationNewSession)
+{
+    // Create request
+    protos::PrepareMigRequest request;
+    protos::PrepareMigReply response;
+
+    request.set_uuid(testUuid_);
+    request.set_domainname(testDomainName_);
+    request.set_desturi(testDestUri_);
+    request.set_localuri(testLocalUri_);
+    request.set_flags(testFlags_);
+
+    // Call PrepareMigration
+    grpc::Status status = service_->PrepareMigration(nullptr, &request, &response);
+
+    // Should succeed
+    EXPECT_TRUE(status.ok());
+    EXPECT_EQ(response.result(), 0u);
+
+    // Session should be created
+    MigrationSession *session = SessionManager::GetInstance().GetSession(testUuid_);
+    EXPECT_NE(session, nullptr);
+    EXPECT_EQ(session->Id(), testUuid_);
+}
+
+TEST_F(MigrationServiceImplTest, PrepareMigrationDuplicateSession)
+{
+    // Create first request
+    protos::PrepareMigRequest request1;
+    protos::PrepareMigReply response1;
+
+    request1.set_uuid(testUuid_);
+    request1.set_domainname(testDomainName_);
+    request1.set_desturi(testDestUri_);
+    request1.set_localuri(testLocalUri_);
+    request1.set_flags(testFlags_);
+
+    // Call PrepareMigration first time
+    grpc::Status status1 = service_->PrepareMigration(nullptr, &request1, &response1);
+    EXPECT_TRUE(status1.ok());
+    EXPECT_EQ(response1.result(), 0u);
+
+    // Create second request with same UUID
+    protos::PrepareMigRequest request2;
+    protos::PrepareMigReply response2;
+
+    request2.set_uuid(testUuid_);
+    request2.set_domainname(testDomainName_);
+    request2.set_desturi(testDestUri_);
+    request2.set_localuri(testLocalUri_);
+    request2.set_flags(testFlags_);
+
+    // Call PrepareMigration second time (should fail due to duplicate)
+    grpc::Status status2 = service_->PrepareMigration(nullptr, &request2, &response2);
+    EXPECT_TRUE(status2.ok());
+    EXPECT_EQ(response2.result(), 1u);
+}
+
+TEST_F(MigrationServiceImplTest, PrepareMigrationWithEmptyUuid)
+{
+    protos::PrepareMigRequest request;
+    protos::PrepareMigReply response;
+
+    // Set empty UUID
+    request.set_uuid("");
+    request.set_domainname(testDomainName_);
+    request.set_desturi(testDestUri_);
+    request.set_localuri(testLocalUri_);
+    request.set_flags(testFlags_);
+
+    // Call PrepareMigration
+    grpc::Status status = service_->PrepareMigration(nullptr, &request, &response);
+
+    // Should handle empty UUID gracefully
+    EXPECT_TRUE(status.ok());
+}
+
+TEST_F(MigrationServiceImplTest, PrepareMigrationWithEmptyDomainName)
+{
+    protos::PrepareMigRequest request;
+    protos::PrepareMigReply response;
+
+    request.set_uuid(testUuid_);
+    request.set_domainname("");
+    request.set_desturi(testDestUri_);
+    request.set_localuri(testLocalUri_);
+    request.set_flags(testFlags_);
+
+    // Call PrepareMigration
+    grpc::Status status = service_->PrepareMigration(nullptr, &request, &response);
+
+    // Should handle empty domain name gracefully
+    EXPECT_TRUE(status.ok());
+}
+
+TEST_F(MigrationServiceImplTest, ExchangePkAndReportWithValidSession)
+{
+    // First create a session
+    protos::PrepareMigRequest prepareRequest;
+    protos::PrepareMigReply prepareResponse;
+
+    prepareRequest.set_uuid(testUuid_);
+    prepareRequest.set_domainname(testDomainName_);
+    prepareRequest.set_desturi(testDestUri_);
+    prepareRequest.set_localuri(testLocalUri_);
+    prepareRequest.set_flags(testFlags_);
+
+    grpc::Status prepareStatus = service_->PrepareMigration(nullptr, &prepareRequest, &prepareResponse);
+    EXPECT_TRUE(prepareStatus.ok());
+    EXPECT_EQ(prepareResponse.result(), 0u);
+
+    // Now test ExchangePkAndReport
+    protos::EXchangePkAndReportRequest request;
+    protos::EXchangePkAndReportReply response;
+
+    request.set_uuid(testUuid_);
+    request.set_domainname(testDomainName_);
+    request.set_cert("test-certificate-pem");
+    request.set_publickey("test-public-key");
+    // Note: hostReport and vmReport are TrustReportNew messages, not strings
+    // For test purposes, we'll leave them unset
+
+    grpc::Status status = service_->ExchangePkAndReport(nullptr, &request, &response);
+
+    // Should handle the request
+    EXPECT_TRUE(status.ok());
+}
+
+TEST_F(MigrationServiceImplTest, ExchangePkAndReportWithoutSession)
+{
+    protos::EXchangePkAndReportRequest request;
+    protos::EXchangePkAndReportReply response;
+
+    request.set_uuid("non-existent-uuid");
+    request.set_domainname(testDomainName_);
+    request.set_cert("test-certificate-pem");
+    request.set_publickey("test-public-key");
+    // Note: hostReport and vmReport are TrustReportNew messages, not strings
+    // For test purposes, we'll leave them unset
+
+    grpc::Status status = service_->ExchangePkAndReport(nullptr, &request, &response);
+
+    // Should return error since session doesn't exist
+    EXPECT_TRUE(status.ok());
+    EXPECT_EQ(response.result(), 1u);
+}
+
+TEST_F(MigrationServiceImplTest, StartMigrationWithValidSession)
+{
+    // First create a session
+    protos::PrepareMigRequest prepareRequest;
+    protos::PrepareMigReply prepareResponse;
+
+    prepareRequest.set_uuid(testUuid_);
+    prepareRequest.set_domainname(testDomainName_);
+    prepareRequest.set_desturi(testDestUri_);
+    prepareRequest.set_localuri(testLocalUri_);
+    prepareRequest.set_flags(testFlags_);
+
+    grpc::Status prepareStatus = service_->PrepareMigration(nullptr, &prepareRequest, &prepareResponse);
+    EXPECT_TRUE(prepareStatus.ok());
+    EXPECT_EQ(prepareResponse.result(), 0u);
+
+    // Now test StartMigration
+    protos::StartMigRequest request;
+    protos::StartMigReply response;
+
+    request.set_uuid(testUuid_);
+    request.set_domainname(testDomainName_);
+
+    grpc::Status status = service_->StartMigration(nullptr, &request, &response);
+
+    // Should handle the request
+    EXPECT_TRUE(status.ok());
+}
+
+TEST_F(MigrationServiceImplTest, StartMigrationWithoutSession)
+{
+    protos::StartMigRequest request;
+    protos::StartMigReply response;
+
+    request.set_uuid("non-existent-uuid");
+    request.set_domainname(testDomainName_);
+
+    grpc::Status status = service_->StartMigration(nullptr, &request, &response);
+
+    // Should return error since session doesn't exist
+    EXPECT_TRUE(status.ok());
+    EXPECT_EQ(response.result(), 1u);
+}
+
+TEST_F(MigrationServiceImplTest, SendVRsourceDataWithValidSession)
+{
+    // First create a session
+    protos::PrepareMigRequest prepareRequest;
+    protos::PrepareMigReply prepareResponse;
+
+    prepareRequest.set_uuid(testUuid_);
+    prepareRequest.set_domainname(testDomainName_);
+    prepareRequest.set_desturi(testDestUri_);
+    prepareRequest.set_localuri(testLocalUri_);
+    prepareRequest.set_flags(testFlags_);
+
+    grpc::Status prepareStatus = service_->PrepareMigration(nullptr, &prepareRequest, &prepareResponse);
+    EXPECT_TRUE(prepareStatus.ok());
+    EXPECT_EQ(prepareResponse.result(), 0u);
+
+    // Now test SendVRsourceData
+    protos::VRsourceInfoRequest request;
+    protos::VRsourceInfoReply response;
+
+    request.set_uuid(testUuid_);
+    request.set_data("test-virtual-resource-data");
+
+    grpc::Status status = service_->SendVRsourceData(nullptr, &request, &response);
+
+    // Should handle the request
+    EXPECT_TRUE(status.ok());
+}
+
+TEST_F(MigrationServiceImplTest, SendVRsourceDataWithoutSession)
+{
+    protos::VRsourceInfoRequest request;
+    protos::VRsourceInfoReply response;
+
+    request.set_uuid("non-existent-uuid");
+    request.set_data("test-virtual-resource-data");
+
+    grpc::Status status = service_->SendVRsourceData(nullptr, &request, &response);
+
+    // Should return error since session doesn't exist
+    EXPECT_TRUE(status.ok());
+    EXPECT_EQ(response.result(), 1u);
+}
+
+TEST_F(MigrationServiceImplTest, NotifyVRMigrateResultWithValidSession)
+{
+    // First create a session
+    protos::PrepareMigRequest prepareRequest;
+    protos::PrepareMigReply prepareResponse;
+
+    prepareRequest.set_uuid(testUuid_);
+    prepareRequest.set_domainname(testDomainName_);
+    prepareRequest.set_desturi(testDestUri_);
+    prepareRequest.set_localuri(testLocalUri_);
+    prepareRequest.set_flags(testFlags_);
+
+    grpc::Status prepareStatus = service_->PrepareMigration(nullptr, &prepareRequest, &prepareResponse);
+    EXPECT_TRUE(prepareStatus.ok());
+    EXPECT_EQ(prepareResponse.result(), 0u);
+
+    // Now test NotifyVRMigrateResult
+    protos::MigrateResultRequest request;
+    protos::MigrateResultReply response;
+
+    request.set_uuid(testUuid_);
+    request.set_domainname(testDomainName_);
+    request.set_result(1); // 1 for success
+
+    grpc::Status status = service_->NotifyVRMigrateResult(nullptr, &request, &response);
+
+    // Should handle the request
+    EXPECT_TRUE(status.ok());
+}
+
+TEST_F(MigrationServiceImplTest, NotifyVRMigrateResultWithoutSession)
+{
+    protos::MigrateResultRequest request;
+    protos::MigrateResultReply response;
+
+    request.set_uuid("non-existent-uuid");
+    request.set_domainname(testDomainName_);
+    request.set_result(0); // 0 for failure
+
+    grpc::Status status = service_->NotifyVRMigrateResult(nullptr, &request, &response);
+
+    // Should return error since session doesn't exist
+    EXPECT_TRUE(status.ok());
+    EXPECT_EQ(response.result(), 1u);
+}
+
+TEST_F(MigrationServiceImplTest, DomainMigrateBasic)
+{
+    protos::DomainMigraterRequest request;
+    protos::DomainMigraterReply response;
+
+    request.set_domainname(testDomainName_);
+    request.set_uuid(testUuid_);
+    request.set_desturi(testDestUri_);
+    request.set_localuri(testLocalUri_);
+    request.set_flags(testFlags_);
+
+    grpc::Status status = service_->DomainMigrate(nullptr, &request, &response);
+
+    // Should handle the request (implementation may create a session)
+    EXPECT_TRUE(status.ok());
+}
+
+TEST_F(MigrationServiceImplTest, DomainMigrateWithEmptyRequest)
+{
+    protos::DomainMigraterRequest request;
+    protos::DomainMigraterReply response;
+
+    // Don't set any fields
+    grpc::Status status = service_->DomainMigrate(nullptr, &request, &response);
+
+    // Should handle empty request gracefully
+    EXPECT_TRUE(status.ok());
+}
+
+TEST_F(MigrationServiceImplTest, MultipleSessions)
+{
+    std::vector<std::string> uuids = {"uuid-1", "uuid-2", "uuid-3"};
+
+    // Create multiple sessions
+    for (const auto &uuid : uuids) {
+        protos::PrepareMigRequest request;
+        protos::PrepareMigReply response;
+
+        request.set_uuid(uuid);
+        request.set_domainname("domain-" + uuid);
+        request.set_desturi(testDestUri_);
+        request.set_localuri(testLocalUri_);
+        request.set_flags(testFlags_);
+
+        grpc::Status status = service_->PrepareMigration(nullptr, &request, &response);
+        EXPECT_TRUE(status.ok());
+        EXPECT_EQ(response.result(), 0u);
+
+        // Verify session exists
+        MigrationSession *session = SessionManager::GetInstance().GetSession(uuid);
+        EXPECT_NE(session, nullptr);
+        EXPECT_EQ(session->Id(), uuid);
+    }
+
+    // Clean up
+    for (const auto &uuid : uuids) {
+        SessionManager::GetInstance().RemoveSession(uuid);
+    }
+}
+
+TEST_F(MigrationServiceImplTest, SessionLifecycle)
+{
+    // Test complete session lifecycle
+    std::string sessionId = "lifecycle-test";
+
+    // 1. PrepareMigration
+    protos::PrepareMigRequest prepareRequest;
+    protos::PrepareMigReply prepareResponse;
+
+    prepareRequest.set_uuid(sessionId);
+    prepareRequest.set_domainname(testDomainName_);
+    prepareRequest.set_desturi(testDestUri_);
+    prepareRequest.set_localuri(testLocalUri_);
+    prepareRequest.set_flags(testFlags_);
+
+    grpc::Status prepareStatus = service_->PrepareMigration(nullptr, &prepareRequest, &prepareResponse);
+    EXPECT_TRUE(prepareStatus.ok());
+    EXPECT_EQ(prepareResponse.result(), 0u);
+
+    // 2. ExchangePkAndReport
+    protos::EXchangePkAndReportRequest exchangeRequest;
+    protos::EXchangePkAndReportReply exchangeResponse;
+
+    exchangeRequest.set_uuid(sessionId);
+    exchangeRequest.set_domainname(testDomainName_);
+    exchangeRequest.set_cert("test-cert");
+    exchangeRequest.set_publickey("test-key");
+    // Note: hostReport and vmReport are TrustReportNew messages, not strings
+    // For test purposes, we'll leave them unset
+
+    grpc::Status exchangeStatus = service_->ExchangePkAndReport(nullptr, &exchangeRequest, &exchangeResponse);
+    EXPECT_TRUE(exchangeStatus.ok());
+
+    // 3. StartMigration
+    protos::StartMigRequest startRequest;
+    protos::StartMigReply startResponse;
+
+    startRequest.set_uuid(sessionId);
+    startRequest.set_domainname(testDomainName_);
+
+    grpc::Status startStatus = service_->StartMigration(nullptr, &startRequest, &startResponse);
+    EXPECT_TRUE(startStatus.ok());
+
+    // 4. NotifyVRMigrateResult
+    protos::MigrateResultRequest notifyRequest;
+    protos::MigrateResultReply notifyResponse;
+
+    notifyRequest.set_uuid(sessionId);
+    notifyRequest.set_domainname(testDomainName_);
+    notifyRequest.set_result(1); // 1 for success
+
+    grpc::Status notifyStatus = service_->NotifyVRMigrateResult(nullptr, &notifyRequest, &notifyResponse);
+    EXPECT_TRUE(notifyStatus.ok());
+
+    // Clean up
+    SessionManager::GetInstance().RemoveSession(sessionId);
+}
+
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/link/migration_session.cpp b/virtrust/src/virtrust/link/migration_session.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..60f3d7484dfb323bbcd69345c63414006ae4eae6
--- /dev/null
+++ b/virtrust/src/virtrust/link/migration_session.cpp
@@ -0,0 +1,639 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+ */
+
+#include "virtrust/link/migration_session.h"
+
+#include <iostream>
+#include <memory>
+#include <mutex>
+
+#include "virtrust/api/define_private.h"
+#include "virtrust/base/logger.h"
+#include "virtrust/dllib/libvirt.h"
+#include "virtrust/link/proto/proto_tools.h"
+
+#include "virtrust/link/proto/migrate.pb.h"
+
+namespace virtrust {
+
+namespace {
+unsigned int GetFlagCleard(const unsigned int &flags, const unsigned int &clear)
+{
+    return flags & ~clear;
+}
+} // namespace
+
+MigrationSession *SessionManager::CreateSession(MigrationSession::Role role, const std::string &sessionId,
+                                                const std::string &domainName, const std::string &destUri,
+                                                const std::string &localUri, const unsigned int flags)
+{
+    std::lock_guard<std::mutex> lock(mtx_);
+
+    auto it = sessions_.find(sessionId);
+    if (it != sessions_.end()) {
+        return it->second.get();
+    }
+
+    auto session = std::make_unique<MigrationSession>(role, sessionId, domainName, destUri, localUri, flags);
+    MigrationSession *raw = session.get();
+    sessions_[sessionId] = std::move(session);
+    return raw;
+}
+
+MigrationSession *SessionManager::GetSession(const std::string &sessionId)
+{
+    std::lock_guard<std::mutex> lock(mtx_);
+    auto it = sessions_.find(sessionId);
+    if (it == sessions_.end()) {
+        return nullptr;
+    }
+    return it->second.get();
+}
+
+void SessionManager::RemoveSession(const std::string &sessionId)
+{
+    std::lock_guard<std::mutex> lock(mtx_);
+    sessions_.erase(sessionId);
+}
+
+MigrationSession::MigrationSession(Role role, const std::string &sessionId, const std::string &domainName,
+                                   const std::string &destUri, const std::string &localUri, const unsigned int flags)
+    : role_(role),
+      state_(State::Init),
+      sessionId_(sessionId),
+      domainName_(domainName),
+      destUri_(destUri),
+      localUri_(localUri),
+      flags_(flags)
+{}
+
+MigrateSessionRc MigrationSession::Start()
+{
+    if (role_ != Role::Initiator) {
+        return MigrateSessionRc::ERROR;
+    }
+    EnterState(State::Init);
+    return SendMigrateRequest();
+}
+
+MigrateSessionRc MigrationSession::SendMigrateRequest()
+{
+    if (!rpcClient_) {
+        VIRTRUST_LOG_ERROR("|SendMigrateRequest|END|returnF|domain name: {}|rpc client is nullptr.", domainName_);
+        OnFail();
+        return MigrateSessionRc::ERROR;
+    }
+
+    protos::PrepareMigRequest req;
+    req.set_uuid(sessionId_);
+    req.set_domainname(domainName_);
+
+    protos::PrepareMigReply reply;
+
+    int32_t rc = rpcClient_->PrepareMigration(5, req, &reply);
+    bool ok = (rc == 0 && reply.result() == 0);
+
+    if (!ok) {
+        VIRTRUST_LOG_ERROR("|SendMigrateRequest|END|returnF|domain name: {}|send migrate request failed.", domainName_);
+        OnFail();
+        return MigrateSessionRc::ERROR;
+    }
+    return OnMigrateResponseReceived();
+}
+
+MigrateSessionRc MigrationSession::OnMigrateResponseReceived()
+{
+    EnterState(State::WaitingKey);
+    return SendExchangeKey();
+}
+
+MigrateSessionRc MigrationSession::SendExchangeKey()
+{
+    protos::EXchangePkAndReportRequest req;
+    MigrateSessionRc rc = GetExchangePkAndReport(&req, nullptr);
+    if (rc != MigrateSessionRc::OK) {
+        VIRTRUST_LOG_ERROR("|SendExchangeKey|END|returnF|domain name: {}|Get local cert and report failed.",
+                           domainName_);
+        OnFail();
+        return MigrateSessionRc::ERROR;
+    }
+
+    protos::EXchangePkAndReportReply res;
+    int32_t ret = rpcClient_->ExchangePkAndReport(5, req, &res);
+    if (ret != 0 || res.result() != 0) {
+        VIRTRUST_LOG_ERROR("|SendExchangeKey|END|returnF|domain name: {}|Exchange cert and report failed.",
+                           domainName_);
+        OnFail();
+        return MigrateSessionRc::ERROR;
+    }
+    return OnExchangeKeyResponseReceived(res);
+}
+
+MigrateSessionRc MigrationSession::OnExchangeKeyResponseReceived(protos::EXchangePkAndReportReply &res)
+{
+    // 校验证书和报告
+    EnterState(State::CertVerify);
+
+    // 1. 校验对端证书
+    MigrateSessionRc rc = VerifyCertificate(res.uuid(), res.cert(), res.publickey());
+    if (rc != MigrateSessionRc::OK) {
+        VIRTRUST_LOG_ERROR("|OnExchangeKeyResponseReceived|END|returnF|domain name: {}|Verify peer cert failed.",
+                           domainName_);
+        OnFail();
+        return MigrateSessionRc::ERROR;
+    }
+
+    // 2.校验对端报告
+    rc = VerifyHostAndVmReport(res.hostreport(), res.vmreport());
+    if (rc != MigrateSessionRc::OK) {
+        VIRTRUST_LOG_ERROR("|OnExchangeKeyResponseReceived|END|returnF|domain name: {}|Verify peer report failed.",
+                           domainName_);
+        OnFail();
+        return MigrateSessionRc::ERROR;
+    }
+
+    return SendStartMigration();
+}
+
+MigrateSessionRc MigrationSession::SendStartMigration()
+{
+    protos::StartMigRequest req;
+    req.set_domainname(domainName_);
+    req.set_uuid(sessionId_);
+
+    protos::StartMigReply res;
+    int32_t ret = rpcClient_->StartMigration(5, req, &res);
+    if (ret != 0) {
+        VIRTRUST_LOG_ERROR("|SendStartMigration|END|returnF|domain name: {}|Send start migration signal failed.",
+                           domainName_);
+        OnFail();
+        return MigrateSessionRc::ERROR;
+    }
+    if (res.result() != 0) {
+        VIRTRUST_LOG_ERROR("|SendStartMigration|END|returnF|domain name: {}|Start migration failed.", domainName_);
+        OnFail();
+        return MigrateSessionRc::ERROR;
+    }
+
+    return OnStartMigrationResponseReceived();
+}
+
+MigrateSessionRc MigrationSession::OnStartMigrationResponseReceived()
+{
+    char *cipher = nullptr;
+    int cipherLen = 0;
+    // 收集密码资源
+    auto ret = MigrationGetVrootCipher(const_cast<char *>(sessionId_.c_str()), &cipher, &cipherLen);
+    if (ret != 0 || cipher == nullptr) {
+        VIRTRUST_LOG_ERROR(
+            "|OnStartMigrationResponseReceived|END|returnF|domain name: {}|MigrationGetVRootCipher failed.",
+            domainName_);
+        OnFail();
+        return MigrateSessionRc::ERROR;
+    }
+
+    std::string cipherStr(cipher, cipherLen);
+    free(cipher);
+
+    // 进入传输阶段
+    EnterState(State::Transferring);
+    return SendTransferOnce(cipherStr);
+}
+
+MigrateSessionRc MigrationSession::SendTransferOnce(const std::string &cipher)
+{
+    // 1.调用libvirt命令进行迁移
+    MigrateSessionRc rc = MigrateByLibvirt();
+    if (rc != MigrateSessionRc::OK) {
+        VIRTRUST_LOG_ERROR("|SendTransferOnce|END|returnF||migrate by libvirt failed.");
+        OnFail();
+        return rc;
+    }
+
+    // 2.传输数据
+    protos::VRsourceInfoRequest req;
+    req.set_uuid(sessionId_);
+    req.set_data(cipher);
+    protos::VRsourceInfoReply res;
+    int32_t ret = rpcClient_->SendVRsourceData(5, req, &res);
+    // 传输数据失败
+    if (ret != 0) {
+        VIRTRUST_LOG_ERROR("|SendTransferOnce|END|returnF||failed to tansfer data for: {}", domainName_);
+        UndoMigration();
+        return MigrateSessionRc::ERROR;
+    }
+
+    return OnTransferResponseReceived(res.result() == 0);
+}
+
+MigrateSessionRc MigrationSession::OnTransferResponseReceived(bool transferRet)
+{
+    // 对端校验数据失败
+    if (!transferRet) {
+        VIRTRUST_LOG_ERROR("|OnTransferResponseReceived|END|returnF||peer verify data faild: {}", domainName_);
+        UndoMigration();
+        return MigrateSessionRc::ERROR;
+    }
+
+    // 通知TSB迁移成功
+    auto rc = NotifyVRMigration(true);
+    if (rc != MigrateSessionRc::OK) {
+        VIRTRUST_LOG_ERROR("|OnTransferResponseReceived|END|returnF|domain name: {}|MigrationNotify failure failed.",
+                           domainName_);
+        UndoMigration();
+        return MigrateSessionRc::ERROR;
+    }
+
+    // 所有动作执行完后，判断是否删除本地虚机
+    if (flags_ & MIGRATE_UNDEFINE_SOURCE) {
+        (void)UndefineVirtDomainBaseUri(localUri_);
+        int tsbRet = RemoveVRoot(const_cast<char *>(sessionId_.c_str()));
+        if (tsbRet != 0) {
+            VIRTRUST_LOG_ERROR("|OnTransferResponseReceived|END|returnF||tsb resource remove "
+                               "failed, maybe not exist tsb resource uuid: "
+                               "{},domainName: {},use virsh to undefine domain.",
+                               sessionId_, domainName_);
+        }
+    }
+
+    // 向对端发送最终通知，忽略通知结果
+    (void)SendFinishedNotify(true);
+    EnterState(State::Finished);
+    return MigrateSessionRc::OK;
+}
+
+MigrateSessionRc MigrationSession::SendFinishedNotify(bool success)
+{
+    protos::MigrateResultRequest req;
+    req.set_result(success ? 0 : 1);
+    req.set_uuid(sessionId_);
+    protos::MigrateResultReply res;
+    auto ret = rpcClient_->NotifyVRMigrateResult(5, req, &res);
+    if (ret != 0) {
+        VIRTRUST_LOG_ERROR("|SendFinishedNotify|END|returnF|domain name: {}|Send notify failed.", domainName_);
+        return MigrateSessionRc::ERROR;
+    }
+    return OnFinishedResponseReceived(res.result() == 0);
+}
+
+MigrateSessionRc MigrationSession::OnFinishedResponseReceived(bool finished)
+{
+    return MigrateSessionRc::OK;
+}
+
+MigrateSessionRc MigrationSession::GetExchangePkAndReport(protos::EXchangePkAndReportRequest *req,
+                                                          protos::EXchangePkAndReportReply *res)
+{
+    auto uuid = sessionId_;
+    char *cert = nullptr;
+    int certLen = 0;
+    char *pubKey = nullptr;
+    int pubKeyLen = 0;
+
+    int ret = MigrationGetCert(uuid.data(), &cert, &certLen, &pubKey, &pubKeyLen);
+    if (ret != 0) {
+        VIRTRUST_LOG_ERROR("|GetExchangePkAndReport|END|returnF|domain name: {}|Get local cert failed.", domainName_);
+        return MigrateSessionRc::ERROR;
+    }
+
+    std::string certStr(cert, certLen);
+    std::string pubKeyStr(pubKey, pubKeyLen);
+    free(cert);
+    free(pubKey);
+
+    trust_report_new hostReport;
+    trust_report_new vmReport;
+    ret = GetReport(uuid.data(), uuid.data(), &hostReport, &vmReport);
+    if (ret != 0) {
+        VIRTRUST_LOG_ERROR("|GetExchangePkAndReport|END|returnF|domain name: {}|Get local report failed.", domainName_);
+        return MigrateSessionRc::ERROR;
+    }
+
+    if (role_ == Role::Initiator) {
+        req->set_domainname(domainName_);
+        req->set_uuid(uuid);
+        req->set_cert(certStr);
+        req->set_publickey(pubKeyStr);
+        auto hostReportProto = req->mutable_hostreport();
+        ReportToProto(hostReport, hostReportProto);
+        auto vmReportProto = req->mutable_vmreport();
+        ReportToProto(vmReport, vmReportProto);
+    } else {
+        res->set_domainname(domainName_);
+        res->set_uuid(uuid);
+        res->set_cert(certStr);
+        res->set_publickey(pubKeyStr);
+        auto hostReportProto = res->mutable_hostreport();
+        ReportToProto(hostReport, hostReportProto);
+        auto vmReportProto = res->mutable_vmreport();
+        ReportToProto(vmReport, vmReportProto);
+    }
+    return MigrateSessionRc::OK;
+}
+
+MigrateSessionRc MigrationSession::VerifyCertificate(std::string uuid, std::string cert, std::string pubkey)
+{
+    int ret = MigrationCheckPeerPk(uuid.data(), cert.data(), pubkey.data());
+    return ret == 0 ? MigrateSessionRc::OK : MigrateSessionRc::ERROR;
+}
+
+MigrateSessionRc MigrationSession::VerifyHostAndVmReport(const protos::TrustReportNew &hostProtoReport,
+                                                         const protos::TrustReportNew &vmProtoReport)
+{
+    trust_report_new hostReport = ReportFromProto(hostProtoReport);
+    trust_report_new vmReport = ReportFromProto(vmProtoReport);
+
+    // 调用TSB API进行报告校验, 目前不对UUID进行校验
+    auto ret = VerifyTrustReport(sessionId_.data(), sessionId_.data(), &hostReport, &vmReport);
+    return ret == 0 ? MigrateSessionRc::OK : MigrateSessionRc::ERROR;
+}
+
+// 调用libvirt接口迁移
+MigrateSessionRc MigrationSession::MigrateByLibvirt()
+{
+    auto &libvirt = Libvirt::GetInstance();
+
+    std::unique_ptr<ConnCtx> destConn;
+    auto rc = GetVirConnContext(destUri_, destConn);
+    if (rc != MigrateSessionRc::OK) {
+        VIRTRUST_LOG_ERROR("|MigrateByLibvirt|END|returnF||failed to get virt connect: {}", destUri_);
+        return rc;
+    }
+
+    std::unique_ptr<ConnCtx> localConn;
+    rc = GetVirConnContext(localUri_, localConn);
+    if (rc != MigrateSessionRc::OK) {
+        VIRTRUST_LOG_ERROR("|MigrateByLibvirt|END|returnF||failed to get virt connect: {}", localUri_);
+        return rc;
+    }
+
+    auto domain = std::make_unique<DomainCtx>(localConn, domainName_);
+    if (domain->Get() == nullptr) {
+        VIRTRUST_LOG_ERROR("|MigrateByLibvirt|END|returnF||failed to find domain: {}", domainName_);
+        return MigrateSessionRc::ERROR;
+    }
+    auto *domainPtr = libvirt.virDomainMigrate3(domain->Get(), destConn->Get(), nullptr, 0,
+                                                GetFlagCleard(flags_, MIGRATE_UNDEFINE_SOURCE));
+    if (domainPtr == nullptr) {
+        VIRTRUST_LOG_ERROR("|MigrateByLibvirt|END|returnF||failed to migrate domain: {}", domainName_);
+        return MigrateSessionRc::ERROR;
+    }
+    libvirt.virDomainFree(domainPtr);
+
+    return MigrateSessionRc::OK;
+}
+
+MigrateSessionRc MigrationSession::GetVirConnContext(const std::string &uri, std::unique_ptr<ConnCtx> &outConn)
+{
+    auto conn = std::make_unique<ConnCtx>();
+    if (!conn->SetUri(uri)) {
+        VIRTRUST_LOG_ERROR("|SendTransferOnce|END|returnF||destUri is not valid: {}", uri);
+        return MigrateSessionRc::ERROR;
+    }
+
+    conn->Connect();
+    if (conn->Get() == nullptr) {
+        VIRTRUST_LOG_ERROR("|SendTransferOnce|END|returnF||failed to establish connection to: {}", uri);
+        return MigrateSessionRc::ERROR;
+    }
+
+    // 成功了再把拥有权交出去
+    outConn = std::move(conn);
+    return MigrateSessionRc::OK;
+}
+
+// 撤销迁移操作
+void MigrationSession::UndoMigration()
+{
+    // 防止server端误调
+    if (role_ != Role::Initiator) {
+        return;
+    }
+
+    // 1.基于uri删除libvirt虚拟机
+    UndefineVirtDomainBaseUri(destUri_);
+
+    // 2.通知TSB迁移失败
+    NotifyVRMigration(false);
+
+    // 3.通知peer迁移失败，并进行清理
+    OnFail();
+}
+
+// 基于uri删除libvirt虚拟机
+MigrateSessionRc MigrationSession::UndefineVirtDomainBaseUri(const std::string &uri)
+{
+    std::unique_ptr<ConnCtx> destConn;
+    auto rc = GetVirConnContext(uri, destConn);
+    if (rc != MigrateSessionRc::OK) {
+        VIRTRUST_LOG_ERROR("|UndefineVirtDomainBaseUri|END|returnF||failed to get virt connect: {}", uri);
+        return rc;
+    }
+
+    auto destDomain = std::make_unique<DomainCtx>(destConn, domainName_);
+    if (destDomain->Get() == nullptr) {
+        VIRTRUST_LOG_ERROR("|UndefineVirtDomainBaseUri|END|returnF|failed to find destDomain: {}, uri: {}", domainName_,
+                           uri);
+        return MigrateSessionRc::ERROR;
+    }
+
+    auto &libvirt = Libvirt::GetInstance();
+    if (libvirt.virDomainUndefineFlags(destDomain->Get(), DOMAIN_UNDEFINE_NVRAM) != 0) {
+        VIRTRUST_LOG_INFO("|UndefineVirtDomainBaseUri|END|returnF|undefine dest domain: {} failed, uri: {}",
+                          domainName_, uri);
+        return MigrateSessionRc::ERROR;
+    }
+    return MigrateSessionRc::OK;
+}
+
+// 通知TSB迁移结果
+MigrateSessionRc MigrationSession::NotifyVRMigration(bool success)
+{
+    auto status = success ? 0 : -1;
+    auto ret = MigrationNotify(const_cast<char *>(sessionId_.c_str()), status);
+    if (ret != 0) {
+        VIRTRUST_LOG_INFO("|NotifyVRMigration|END|returnF|domainName:{}, migration statu: {}|Notify TSB failed.",
+                          domainName_, success);
+        return MigrateSessionRc::ERROR;
+    }
+    return MigrateSessionRc::OK;
+}
+
+void MigrationSession::EnterState(State s)
+{
+    state_ = s;
+    CancelTimer();
+
+    // 终态不再开定时器
+    if (s == State::Failed || s == State::Finished) {
+        return;
+    }
+
+    StartTimerFor(s);
+}
+
+static std::chrono::seconds TimeoutForState(MigrationSession::State s)
+{
+    switch (s) {
+        case MigrationSession::State::Init:
+            return std::chrono::seconds(10);
+        case MigrationSession::State::WaitingKey:
+            return std::chrono::seconds(30);
+        case MigrationSession::State::Transferring:
+            return std::chrono::seconds(60);
+        default:
+            return std::chrono::seconds(60);
+    }
+}
+
+void MigrationSession::StartTimerFor(State s)
+{
+    timerActive_.store(true);
+    auto dur = TimeoutForState(s);
+    timer_.Start(dur, [this, s] { this->OnTimeout(s); });
+}
+
+void MigrationSession::CancelTimer()
+{
+    timer_.Cancel();
+    timerActive_.store(false);
+}
+
+void MigrationSession::OnTimeout(State stateWhenSet)
+{
+    if (!timerActive_.load() || state_ != stateWhenSet) {
+        return;
+    }
+    EnterState(State::Failed);
+    Cleanup();
+}
+
+void MigrationSession::Cleanup()
+{
+    CancelTimer();
+    SessionManager::GetInstance().RemoveSession(sessionId_);
+}
+
+void MigrationSession::OnFail()
+{
+    // 向服务端发送迁移失败通知
+    if (role_ == Role::Initiator) {
+        MigrateSessionRc sendRet = SendFinishedNotify(false);
+        if (sendRet != MigrateSessionRc::OK) {
+            VIRTRUST_LOG_ERROR("|DomainMigrate|END|returnF| domain name: {}|SendFinishedNotify failed.", domainName_);
+        }
+    }
+
+    // 进入失败状态并进行清理
+    EnterState(State::Failed);
+    Cleanup();
+}
+
+MigrateSessionRc MigrationSession::OnMigrateRequestReceived()
+{
+    if (CheckMaxDomainCount() != VirtrustRc::OK) {
+        EnterState(State::Failed);
+        Cleanup();
+        return MigrateSessionRc::ERROR;
+    }
+    EnterState(State::WaitingKey);
+    return MigrateSessionRc::OK;
+}
+
+MigrateSessionRc MigrationSession::OnExchangeKeyRequestReceived(const protos::EXchangePkAndReportRequest *request,
+                                                                protos::EXchangePkAndReportReply *response)
+{
+    if (state_ != State::WaitingKey) {
+        VIRTRUST_LOG_ERROR(
+            "|OnExchangeKeyRequestReceived|END|returnF|domain name: {}|Waiting for exchanging key timeout.",
+            domainName_);
+        Cleanup();
+        return MigrateSessionRc::ERROR;
+    }
+
+    // 1. 获取本端证书和报告
+    MigrateSessionRc rc = GetExchangePkAndReport(nullptr, response);
+    if (rc != MigrateSessionRc::OK) {
+        VIRTRUST_LOG_ERROR(
+            "|OnExchangeKeyRequestReceived|END|returnF|domain name: {}|Get public key and report failed.", domainName_);
+        Cleanup();
+        return MigrateSessionRc::ERROR;
+    }
+
+    // 2. 校验对端证书
+    rc = VerifyCertificate(request->uuid(), request->cert(), request->publickey());
+    if (rc != MigrateSessionRc::OK) {
+        VIRTRUST_LOG_ERROR("|OnExchangeKeyRequestReceived|END|returnF|domain name: {}|Verify peer cert failed.",
+                           domainName_);
+        Cleanup();
+        return MigrateSessionRc::ERROR;
+    }
+
+    // 3. 校验对端报告
+    rc = VerifyHostAndVmReport(request->hostreport(), request->vmreport());
+    if (rc != MigrateSessionRc::OK) {
+        VIRTRUST_LOG_ERROR("|OnExchangeKeyRequestReceived|END|returnF|domain name: {}|Verify peer report failed.",
+                           domainName_);
+        Cleanup();
+        return MigrateSessionRc::ERROR;
+    }
+
+    // 等待对端校验证书后的进一步信号：开始迁移信号
+    EnterState(State::CertVerify);
+    return MigrateSessionRc::OK;
+}
+
+MigrateSessionRc MigrationSession::OnStartMigrationRequestReceived()
+{
+    if (state_ != State::CertVerify) {
+        Cleanup();
+        VIRTRUST_LOG_ERROR("|OnStartMigrationRequestReceived|END|returnF|domain name: {}|Waiting for starting "
+                           "migration signal timeout.",
+                           domainName_);
+        return MigrateSessionRc::ERROR;
+    }
+
+    // 等待对端发起数据传数
+    EnterState(State::Transferring);
+    return MigrateSessionRc::OK;
+}
+
+MigrateSessionRc MigrationSession::OnTransferDataRequestReceived(const protos::VRsourceInfoRequest *request)
+{
+    if (state_ != State::Transferring) {
+        Cleanup();
+        VIRTRUST_LOG_ERROR(
+            "|OnTransferDataRequestReceived|END|returnF|domain name: {}|Waiting for transfering timeout.", domainName_);
+        return MigrateSessionRc::ERROR;
+    }
+    // 服务端校验客户端发来的虚拟机资源信息
+    auto ret = MigrationImportVrootCipher(const_cast<char *>(request->uuid().c_str()),
+                                          const_cast<char *>(request->data().c_str()));
+    if (ret != 0) {
+        EnterState(State::Failed);
+        Cleanup();
+        VIRTRUST_LOG_ERROR(
+            "|OnTransferDataRequestReceived|END|returnF|domain name: {}|MigrationImportVrootCipher failed.",
+            domainName_);
+        return MigrateSessionRc::ERROR;
+    }
+    EnterState(State::Transferring);
+    return MigrateSessionRc::OK;
+}
+
+MigrateSessionRc MigrationSession::OnFinishedRequestReceived(bool finished)
+{
+    if (role_ != Role::Responder) {
+        return MigrateSessionRc::ERROR;
+    }
+    if (!finished) {
+        Cleanup();
+        return MigrateSessionRc::ERROR;
+    }
+    VIRTRUST_LOG_INFO("|OnFinishedRequestReceived|END|returnS|domain name: {}|Migrate success.", domainName_);
+    EnterState(State::Finished);
+    Cleanup();
+    return MigrateSessionRc::OK;
+}
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/link/migration_session.h b/virtrust/src/virtrust/link/migration_session.h
new file mode 100644
index 0000000000000000000000000000000000000000..7bb1c8431f8237ab0d6c6c6433458af8f0caff6e
--- /dev/null
+++ b/virtrust/src/virtrust/link/migration_session.h
@@ -0,0 +1,185 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+ */
+
+#pragma once
+
+#include <atomic>
+#include <memory>
+#include <mutex>
+#include <string>
+#include <unordered_map>
+
+#include "tsb_agent/tsb_agent.h"
+
+#include "virtrust/api/context.h"
+#include "virtrust/link/grpc_client.h"
+#include "virtrust/utils/async_timer.h"
+
+namespace virtrust {
+
+enum class MigrateSessionRc : uint32_t {
+    OK = 0,
+    ERROR = 1,
+};
+
+class MigrationSession {
+public:
+    enum class Role {
+        Initiator, // 客户端状态
+        Responder  // 服务端状态
+    };
+
+    enum class State { Init, WaitingKey, CertVerify, Transferring, Finished, Failed };
+
+    MigrationSession(Role role, const std::string &sessionId, const std::string &domainName,
+                     const std::string &destUri = "", const std::string &localUri = "", const unsigned int flags = 0);
+
+    // 主动方起步
+    MigrateSessionRc Start();
+
+    // 定时器触发时调用
+    void OnTimeout(State stateWhenSet);
+
+    // 失败时调用：状态设置为失败，并进行清理
+    void OnFail();
+
+    // 让manager删掉自己
+    void Cleanup();
+
+    const std::string &Id() const
+    {
+        return sessionId_;
+    }
+
+    // 仅 Initiator 使用：注入 RPC 客户端（会话拥有其生命周期）
+    void SetRpcClient(std::unique_ptr<RpcClient> rpc)
+    {
+        rpcClient_ = std::move(rpc);
+    }
+
+    // 响应方使用
+    MigrateSessionRc OnMigrateRequestReceived();
+
+    MigrateSessionRc OnExchangeKeyRequestReceived(const protos::EXchangePkAndReportRequest *request,
+                                                  protos::EXchangePkAndReportReply *response);
+
+    MigrateSessionRc OnStartMigrationRequestReceived();
+
+    MigrateSessionRc OnTransferDataRequestReceived(const protos::VRsourceInfoRequest *request);
+
+    MigrateSessionRc OnFinishedRequestReceived(bool finished);
+
+private:
+    // 这几个是收到对端应答时要调用的
+    MigrateSessionRc OnMigrateResponseReceived();
+
+    MigrateSessionRc OnExchangeKeyResponseReceived(protos::EXchangePkAndReportReply &res);
+
+    MigrateSessionRc OnStartMigrationResponseReceived();
+
+    MigrateSessionRc OnTransferResponseReceived(bool finished);
+
+    MigrateSessionRc OnFinishedResponseReceived(bool finished);
+
+    void EnterState(State s);
+
+    void StartTimerFor(State s);
+
+    void CancelTimer();
+
+    // 主动方要发的几步
+    MigrateSessionRc SendMigrateRequest();
+
+    MigrateSessionRc SendExchangeKey();
+
+    MigrateSessionRc SendStartMigration();
+
+    MigrateSessionRc SendTransferOnce(const std::string &cipher);
+
+    MigrateSessionRc SendFinishedNotify(bool success);
+
+    // 辅助函数
+    MigrateSessionRc GetExchangePkAndReport(protos::EXchangePkAndReportRequest *req,
+                                            protos::EXchangePkAndReportReply *res);
+
+    MigrateSessionRc VerifyCertificate(std::string uuid, std::string cert, std::string pubkey);
+
+    MigrateSessionRc VerifyHostAndVmReport(const protos::TrustReportNew &hostReport,
+                                           const protos::TrustReportNew &vmReport);
+
+    MigrateSessionRc MigrateByLibvirt();
+
+    MigrateSessionRc GetVirConnContext(const std::string &uri, std::unique_ptr<ConnCtx> &outConn);
+
+    void UndoMigration();
+
+    MigrateSessionRc UndefineVirtDomainBaseUri(const std::string &uri);
+
+    MigrateSessionRc NotifyVRMigration(bool success);
+
+private:
+    Role role_;
+    State state_;
+    std::string sessionId_;
+    std::string domainName_;
+    std::string destUri_;
+    std::string localUri_;
+    unsigned int flags_;
+    bool delFalgs_;
+
+    std::string myPubKey_;
+    std::string peerPubKey_;
+
+    // 仅 Initiator 侧使用
+    std::unique_ptr<RpcClient> rpcClient_;
+
+    std::atomic<bool> timerActive_{false};
+
+    AsyncTimer timer_;
+};
+
+class SessionManager {
+public:
+    static SessionManager &GetInstance()
+    {
+        static SessionManager instance;
+        return instance;
+    }
+
+    // 禁止拷贝和移动
+    SessionManager(const SessionManager &) = delete;
+
+    SessionManager &operator=(const SessionManager &) = delete;
+
+    // 创建并托管一个会话，返回裸指针，所有权仍在manager内
+    MigrationSession *CreateSession(MigrationSession::Role role, const std::string &sessionId,
+                                    const std::string &domainName, const std::string &destUri,
+                                    const std::string &localUri, const unsigned int flags);
+
+    // 查找会话（比如 gRPC handler 用这个）
+    MigrationSession *GetSession(const std::string &sessionId);
+
+    // 会话结束时调用，真正删除
+    void RemoveSession(const std::string &sessionId);
+
+private:
+    SessionManager() = default;
+
+    ~SessionManager() = default;
+
+    std::mutex mtx_;
+
+    std::unordered_map<std::string, std::unique_ptr<MigrationSession>> sessions_;
+};
+
+struct EXchangePkAndReport {
+    std::string domainName;
+    std::string uuid;
+    std::string cert;
+    std::string pubKey;
+    std::string hostReport;
+    std::string vmReport;
+};
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/link/migration_session_test.cpp b/virtrust/src/virtrust/link/migration_session_test.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..02f1de5113495e00b86fa713530e12e1f4ba2791
--- /dev/null
+++ b/virtrust/src/virtrust/link/migration_session_test.cpp
@@ -0,0 +1,358 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#include <memory>
+#include <string>
+
+#include "gmock/gmock.h"
+#include "gtest/gtest.h"
+
+#include "virtrust/link/grpc_client.h"
+#include "virtrust/link/migration_session.h"
+
+namespace virtrust {
+
+// TODO: Add MockRpcClient when RpcClient methods are made virtual or we have proper dependency injection
+
+class MigrationSessionTest : public ::testing::Test {
+protected:
+    void SetUp() override
+    {
+        sessionId_ = "test-session-12345";
+        domainName_ = "test-domain";
+        destUri_ = "qemu+tcp://dest-host/system";
+        localUri_ = "qemu+tcp://src-host/system";
+        flags_ = 0;
+    }
+
+    std::string sessionId_;
+    std::string domainName_;
+    std::string destUri_;
+    std::string localUri_;
+    unsigned int flags_;
+};
+
+TEST_F(MigrationSessionTest, ConstructorInitiator)
+{
+    MigrationSession session(MigrationSession::Role::Initiator, sessionId_, domainName_, destUri_, localUri_, flags_);
+
+    EXPECT_EQ(session.Id(), sessionId_);
+    // We can't directly test private members, but the constructor should work
+    SUCCEED();
+}
+
+TEST_F(MigrationSessionTest, ConstructorResponder)
+{
+    MigrationSession session(MigrationSession::Role::Responder, sessionId_, domainName_, destUri_, localUri_, flags_);
+
+    EXPECT_EQ(session.Id(), sessionId_);
+    // We can't directly test private members, but the constructor should work
+    SUCCEED();
+}
+
+TEST_F(MigrationSessionTest, ConstructorWithEmptyValues)
+{
+    MigrationSession session(MigrationSession::Role::Initiator, "", "", "", "", 0);
+
+    EXPECT_EQ(session.Id(), "");
+    // Should handle empty values gracefully
+    SUCCEED();
+}
+
+TEST_F(MigrationSessionTest, SessionManagerCreateAndGetSession)
+{
+    SessionManager &manager = SessionManager::GetInstance();
+
+    // Create a session
+    MigrationSession *session =
+        manager.CreateSession(MigrationSession::Role::Initiator, sessionId_, domainName_, destUri_, localUri_, flags_);
+
+    ASSERT_NE(session, nullptr);
+    EXPECT_EQ(session->Id(), sessionId_);
+
+    // Get the same session
+    MigrationSession *retrievedSession = manager.GetSession(sessionId_);
+    EXPECT_EQ(retrievedSession, session);
+
+    // Clean up
+    manager.RemoveSession(sessionId_);
+}
+
+TEST_F(MigrationSessionTest, SessionManagerCreateDuplicateSession)
+{
+    SessionManager &manager = SessionManager::GetInstance();
+
+    // Create first session
+    MigrationSession *firstSession =
+        manager.CreateSession(MigrationSession::Role::Initiator, sessionId_, domainName_, destUri_, localUri_, flags_);
+
+    // Create second session with same ID (should return existing one)
+    MigrationSession *secondSession = manager.CreateSession(MigrationSession::Role::Responder, sessionId_,
+                                                            "other-domain", "other-uri", "other-uri", 1);
+
+    EXPECT_EQ(firstSession, secondSession);
+    EXPECT_EQ(secondSession->Id(), sessionId_);
+
+    // Clean up
+    manager.RemoveSession(sessionId_);
+}
+
+TEST_F(MigrationSessionTest, SessionManagerGetNonExistentSession)
+{
+    SessionManager &manager = SessionManager::GetInstance();
+
+    // Try to get non-existent session
+    MigrationSession *session = manager.GetSession("non-existent-session");
+    EXPECT_EQ(session, nullptr);
+}
+
+TEST_F(MigrationSessionTest, SessionManagerRemoveNonExistentSession)
+{
+    SessionManager &manager = SessionManager::GetInstance();
+
+    // Try to remove non-existent session (should not crash)
+    manager.RemoveSession("non-existent-session");
+    SUCCEED();
+}
+
+TEST_F(MigrationSessionTest, SessionManagerMultipleSessions)
+{
+    SessionManager &manager = SessionManager::GetInstance();
+
+    std::vector<std::string> sessionIds = {"session-1", "session-2", "session-3", "session-4", "session-5"};
+
+    // Create multiple sessions
+    for (const auto &id : sessionIds) {
+        MigrationSession *session =
+            manager.CreateSession(MigrationSession::Role::Initiator, id, domainName_, destUri_, localUri_, flags_);
+        ASSERT_NE(session, nullptr);
+        EXPECT_EQ(session->Id(), id);
+    }
+
+    // Verify all sessions exist
+    for (const auto &id : sessionIds) {
+        MigrationSession *session = manager.GetSession(id);
+        EXPECT_NE(session, nullptr);
+        EXPECT_EQ(session->Id(), id);
+    }
+
+    // Remove all sessions
+    for (const auto &id : sessionIds) {
+        manager.RemoveSession(id);
+    }
+
+    // Verify all sessions are removed
+    for (const auto &id : sessionIds) {
+        MigrationSession *session = manager.GetSession(id);
+        EXPECT_EQ(session, nullptr);
+    }
+}
+
+TEST_F(MigrationSessionTest, InitiatorStartWithoutRpcClient)
+{
+    MigrationSession session(MigrationSession::Role::Initiator, sessionId_, domainName_, destUri_, localUri_, flags_);
+
+    // Try to start without setting RPC client
+    MigrateSessionRc result = session.Start();
+
+    // Should fail because no RPC client is set
+    EXPECT_EQ(result, MigrateSessionRc::ERROR);
+}
+
+TEST_F(MigrationSessionTest, ResponderStart)
+{
+    MigrationSession session(MigrationSession::Role::Responder, sessionId_, domainName_, destUri_, localUri_, flags_);
+
+    // Try to start a responder session
+    MigrateSessionRc result = session.Start();
+
+    // Should fail because responders can't start migration
+    EXPECT_EQ(result, MigrateSessionRc::ERROR);
+}
+
+// TODO: Fix this test when RpcClient methods are made virtual or we have proper dependency injection
+// TEST_F(MigrationSessionTest, SetRpcClient)
+// {
+//     MigrationSession session(MigrationSession::Role::Initiator, sessionId_, domainName_, destUri_, localUri_,
+//     flags_);
+//
+//     // Create mock RPC client
+//     auto mockClient = std::make_unique<MockRpcClient>();
+//
+//     // Set mock client (this should work without crashing)
+//     session.SetRpcClient(std::move(mockClient));
+//
+//     SUCCEED();
+// }
+
+TEST_F(MigrationSessionTest, ResponderOnMigrateRequestReceived)
+{
+    MigrationSession session(MigrationSession::Role::Responder, sessionId_, domainName_, destUri_, localUri_, flags_);
+
+    // Responder should handle migrate request
+    MigrateSessionRc result = session.OnMigrateRequestReceived();
+
+    // Should succeed for responders
+    EXPECT_EQ(result, MigrateSessionRc::OK);
+}
+
+TEST_F(MigrationSessionTest, InitiatorOnMigrateRequestReceived)
+{
+    MigrationSession session(MigrationSession::Role::Initiator, sessionId_, domainName_, destUri_, localUri_, flags_);
+
+    // Initiator should not handle migrate request
+    MigrateSessionRc result = session.OnMigrateRequestReceived();
+    (void)result; // Suppress unused variable warning
+
+    // Might return error or handle gracefully depending on implementation
+    SUCCEED();
+}
+
+TEST_F(MigrationSessionTest, OnExchangeKeyRequestReceived)
+{
+    MigrationSession session(MigrationSession::Role::Responder, sessionId_, domainName_, destUri_, localUri_, flags_);
+
+    // Create test request and response
+    protos::EXchangePkAndReportRequest request;
+    protos::EXchangePkAndReportReply response;
+
+    request.set_domainname(domainName_);
+    request.set_uuid(sessionId_);
+    request.set_cert("test-cert");
+    request.set_publickey("test-key");
+    // Note: hostReport and vmReport are TrustReportNew messages, not strings
+    // For test purposes, we'll leave them unset
+
+    // Handle exchange key request
+    MigrateSessionRc result = session.OnExchangeKeyRequestReceived(&request, &response);
+    (void)result; // Suppress unused variable warning
+
+    // Should handle the request (result depends on implementation details)
+    SUCCEED();
+}
+
+TEST_F(MigrationSessionTest, OnStartMigrationRequestReceived)
+{
+    MigrationSession session(MigrationSession::Role::Responder, sessionId_, domainName_, destUri_, localUri_, flags_);
+
+    // Handle start migration request
+    MigrateSessionRc result = session.OnStartMigrationRequestReceived();
+    (void)result; // Suppress unused variable warning
+
+    // Should handle the request (result depends on implementation details)
+    SUCCEED();
+}
+
+TEST_F(MigrationSessionTest, OnTransferDataRequestReceived)
+{
+    MigrationSession session(MigrationSession::Role::Responder, sessionId_, domainName_, destUri_, localUri_, flags_);
+
+    // Create test request
+    protos::VRsourceInfoRequest request;
+
+    request.set_uuid(sessionId_);
+    request.set_data("test-vr-data");
+
+    // Handle transfer data request
+    MigrateSessionRc result = session.OnTransferDataRequestReceived(&request);
+    (void)result; // Suppress unused variable warning
+
+    // Should handle the request (result depends on implementation details)
+    SUCCEED();
+}
+
+TEST_F(MigrationSessionTest, OnFinishedRequestReceived)
+{
+    MigrationSession session(MigrationSession::Role::Responder, sessionId_, domainName_, destUri_, localUri_, flags_);
+
+    // Handle finished request with success
+    MigrateSessionRc successResult = session.OnFinishedRequestReceived(true);
+    (void)successResult; // Suppress unused variable warning
+
+    // Handle finished request with failure
+    MigrateSessionRc failureResult = session.OnFinishedRequestReceived(false);
+    (void)failureResult; // Suppress unused variable warning
+
+    // Should handle both cases
+    SUCCEED();
+}
+
+TEST_F(MigrationSessionTest, OnTimeoutAndOnFail)
+{
+    MigrationSession session(MigrationSession::Role::Initiator, sessionId_, domainName_, destUri_, localUri_, flags_);
+
+    // Test timeout handling
+    session.OnTimeout(MigrationSession::State::Init);
+
+    // Test fail handling
+    session.OnFail();
+
+    // Should handle both without crashing
+    SUCCEED();
+}
+
+TEST_F(MigrationSessionTest, Cleanup)
+{
+    MigrationSession session(MigrationSession::Role::Initiator, sessionId_, domainName_, destUri_, localUri_, flags_);
+
+    // Test cleanup
+    session.Cleanup();
+
+    // Should handle cleanup without crashing
+    SUCCEED();
+}
+
+TEST_F(MigrationSessionTest, DifferentRolesAndStates)
+{
+    // Test different roles
+    MigrationSession initiator(MigrationSession::Role::Initiator, sessionId_ + "-init", domainName_, destUri_,
+                               localUri_, flags_);
+    MigrationSession responder(MigrationSession::Role::Responder, sessionId_ + "-resp", domainName_, destUri_,
+                               localUri_, flags_);
+
+    EXPECT_EQ(initiator.Id(), sessionId_ + "-init");
+    EXPECT_EQ(responder.Id(), sessionId_ + "-resp");
+
+    // Both should be constructed successfully
+    SUCCEED();
+}
+
+TEST_F(MigrationSessionTest, SessionManagerThreadSafety)
+{
+    SessionManager &manager = SessionManager::GetInstance();
+
+    // Test multiple thread operations (basic thread safety test)
+    std::vector<std::thread> threads;
+    std::vector<std::string> sessionIds;
+
+    // Create sessions from multiple threads
+    for (int i = 0; i < 5; i++) {
+        std::string id = "thread-session-" + std::to_string(i);
+        sessionIds.push_back(id);
+
+        threads.emplace_back([&manager, id, this]() {
+            MigrationSession *session =
+                manager.CreateSession(MigrationSession::Role::Initiator, id, domainName_, destUri_, localUri_, flags_);
+            EXPECT_NE(session, nullptr);
+        });
+    }
+
+    // Wait for all threads to complete
+    for (auto &thread : threads) {
+        thread.join();
+    }
+
+    // Verify all sessions were created
+    for (const auto &id : sessionIds) {
+        MigrationSession *session = manager.GetSession(id);
+        EXPECT_NE(session, nullptr);
+    }
+
+    // Clean up
+    for (const auto &id : sessionIds) {
+        manager.RemoveSession(id);
+    }
+}
+
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/link/proto/migrate.proto b/virtrust/src/virtrust/link/proto/migrate.proto
new file mode 100644
index 0000000000000000000000000000000000000000..9b83b452a3159b7d2783b88701b60330f7e4ecb2
--- /dev/null
+++ b/virtrust/src/virtrust/link/proto/migrate.proto
@@ -0,0 +1,160 @@
+syntax = "proto3";
+
+package virtrust.protos;
+
+// The greeting service definition.
+service MigrationService {
+  // 1: 准备迁移
+  rpc PrepareMigration (PrepareMigRequest) returns (PrepareMigReply) {}
+
+  // 2: 交换公钥
+  rpc ExchangePkAndReport(EXchangePkAndReportRequest) returns(EXchangePkAndReportReply) {}
+
+
+  //3: 开始迁移
+  rpc StartMigration(StartMigRequest) returns(StartMigReply) {}
+
+
+  // 4：迁移虚机密码资源
+  rpc  SendVRsourceData(VRsourceInfoRequest) returns(VRsourceInfoReply) {}
+
+  //5: 通知迁移结果
+  rpc  NotifyVRMigrateResult(MigrateResultRequest) returns (MigrateResultReply) {}
+
+  // 6: 迁移请求
+  rpc DomainMigrate(DomainMigraterRequest) returns (DomainMigraterReply) {}
+
+}
+
+message DomainMigraterRequest {
+    string domainName = 1;
+    string uuid = 2;
+    string destUri = 3;
+    string localUri = 4;
+    uint32 flags = 5;
+}
+
+message DomainMigraterReply {
+    uint32 result = 1;
+}
+
+message PrepareMigRequest {
+     string domainName = 1;
+     string uuid = 2;
+     string destUri = 3;
+     string localUri = 4;
+     uint32 flags = 5;
+}
+
+message PrepareMigReply {
+     uint32 result = 1;
+}
+
+message EXchangePkAndReportRequest {
+    string domainName = 1;
+    string uuid = 2;
+    string cert = 3;
+    bytes publicKey = 4;  //公钥
+    TrustReportNew hostReport = 5; // struct
+    TrustReportNew vmReport = 6; // struct
+}
+
+message EXchangePkAndReportReply{
+    uint32 result = 1;
+    string domainName = 2;
+    string uuid = 3;
+    string cert = 4;
+    bytes publicKey = 5;  //公钥
+    TrustReportNew hostReport = 6; // struct
+    TrustReportNew vmReport = 7; // struct
+}
+
+message StartMigRequest {
+     string domainName = 1;
+     string uuid = 2;
+}
+
+message StartMigReply {
+     uint32 result = 1;
+}
+
+message VRsourceInfoRequest{
+   bytes data = 1;
+   string uuid = 2;
+}
+
+message  VRsourceInfoReply{
+  uint32 result = 1;
+}
+
+message MigrateResultRequest {
+  uint32 result = 1;
+  string domainName = 2;
+  string uuid = 3;
+}
+
+message MigrateResultReply {
+  uint32 result = 1;
+}
+
+// Trust report structures for migration
+message GlobalControlPolicy {
+  uint32 be_size = 1;
+  uint32 be_boot_measure_on = 2;
+  uint32 be_program_measure_on = 3;
+  uint32 be_dynamic_measure_on = 4;
+  uint32 be_boot_control = 5;
+  uint32 be_program_control = 6;
+  uint32 be_tsb_flag1 = 7;
+  uint32 be_tsb_flag2 = 8;
+  uint32 be_tsb_flag3 = 9;
+  uint32 be_program_measure_mode = 10;
+  uint32 be_program_use_cache = 11;
+  uint32 be_dmeasure_use_cache = 12;
+  uint32 be_dmeasure_max_busy_delay = 13;
+  uint32 be_process_dmeasure_ref_mode = 14;
+  uint32 be_process_dmeasure_match_mode = 15;
+  uint32 be_process_measure_match_mode = 16;
+  uint32 be_process_dmeasure_lib_mode = 17;
+  uint32 be_process_verify_lib_mode = 18;
+  uint32 be_process_dmeasure_sub_process_mode = 19;
+  uint32 be_process_dmeasure_old_process_mode = 20;
+  uint32 be_process_dmeasure_interval = 21;
+}
+
+message TrustReportContentNew {
+  uint64 be_host_report_time = 1;
+  uint64 be_host_startup_time = 2;
+  bytes host_id = 3; // MAX_HOST_ID_SIZE (32 bytes)
+  bytes tpcm_id = 4; // MAX_TPCM_ID_SIZE (32 bytes)
+  GlobalControlPolicy global_control_policy = 5;
+  uint32 be_eval = 6;
+  uint32 be_host_ip = 7;
+  uint32 be_illegal_program_load = 8;
+  uint32 be_illegal_lib_load = 9;
+  uint32 be_illegal_kernel_module_load = 10;
+  uint32 be_illegal_file_access = 11;
+  uint32 be_illegal_device_access = 12;
+  uint32 be_illegal_network_inreq = 13;
+  uint32 be_illegal_network_outreq = 14;
+  uint32 be_process_code_measure_fail = 15;
+  uint32 be_process_data_measure_fail = 16;
+  uint32 be_notify_fail = 17;
+  uint32 be_boot_measure_result = 18;
+  uint32 be_boot_times = 19;
+  uint32 be_tpcm_time = 20;
+  uint32 be_tpcm_report_time = 21;
+  uint32 be_log_number = 22;
+  bytes log_hash = 23; // DEFAULT_HASH_SIZE (32 bytes)
+  bytes bios_pcr = 24; // DEFAULT_PCR_SIZE (32 bytes)
+  bytes boot_loader_pcr = 25; // DEFAULT_PCR_SIZE (32 bytes)
+  bytes kernel_pcr = 26; // DEFAULT_PCR_SIZE (32 bytes)
+  bytes tsb_pcr = 27; // DEFAULT_PCR_SIZE (32 bytes)
+  bytes boot_pcr = 28; // DEFAULT_PCR_SIZE (32 bytes)
+  uint64 be_nonce = 29;
+}
+
+message TrustReportNew {
+  TrustReportContentNew content = 1;
+  bytes append_data = 2; // MAX_TRUST_REPORT_APPENDDATA (50KB)
+}
diff --git a/virtrust/src/virtrust/link/proto/proto_tools.h b/virtrust/src/virtrust/link/proto/proto_tools.h
new file mode 100644
index 0000000000000000000000000000000000000000..a9827e840147090362efe682c89cc548c4387f41
--- /dev/null
+++ b/virtrust/src/virtrust/link/proto/proto_tools.h
@@ -0,0 +1,193 @@
+#pragma once
+
+#include <algorithm>
+#include <cstring>
+
+#include "virtrust/link/proto/migrate.pb.h"
+
+namespace virtrust {
+static void ReportToProto(const trust_report_new &report, protos::TrustReportNew *protoReport)
+{
+    // 转换 content
+    auto *content = protoReport->mutable_content();
+    content->set_be_host_report_time(report.content.be_host_report_time);
+    content->set_be_host_startup_time(report.content.be_host_startup_time);
+
+    // Convert byte arrays to strings, only copying actual data length (ignoring null padding)
+    size_t host_id_len = strnlen(reinterpret_cast<const char *>(report.content.host_id), MAX_HOST_ID_SIZE);
+    content->set_host_id(reinterpret_cast<const char *>(report.content.host_id), host_id_len);
+
+    size_t tpcm_id_len = strnlen(reinterpret_cast<const char *>(report.content.tpcm_id), MAX_TPCM_ID_SIZE);
+    content->set_tpcm_id(reinterpret_cast<const char *>(report.content.tpcm_id), tpcm_id_len);
+
+    // 转换 global_control_policy
+    auto *policy = content->mutable_global_control_policy();
+    policy->set_be_size(report.content.global_control_policy.be_size);
+    policy->set_be_boot_measure_on(report.content.global_control_policy.be_boot_measure_on);
+    policy->set_be_program_measure_on(report.content.global_control_policy.be_program_measure_on);
+    policy->set_be_dynamic_measure_on(report.content.global_control_policy.be_dynamic_measure_on);
+    policy->set_be_boot_control(report.content.global_control_policy.be_boot_control);
+    policy->set_be_program_control(report.content.global_control_policy.be_program_control);
+    policy->set_be_tsb_flag1(report.content.global_control_policy.be_tsb_flag1);
+    policy->set_be_tsb_flag2(report.content.global_control_policy.be_tsb_flag2);
+    policy->set_be_tsb_flag3(report.content.global_control_policy.be_tsb_flag3);
+    policy->set_be_program_measure_mode(report.content.global_control_policy.be_program_measure_mode);
+    policy->set_be_program_use_cache(report.content.global_control_policy.be_program_use_cache);
+    policy->set_be_dmeasure_use_cache(report.content.global_control_policy.be_dmeasure_use_cache);
+    policy->set_be_dmeasure_max_busy_delay(report.content.global_control_policy.be_dmeasure_max_busy_delay);
+    policy->set_be_process_dmeasure_ref_mode(report.content.global_control_policy.be_process_dmeasure_ref_mode);
+    policy->set_be_process_dmeasure_match_mode(report.content.global_control_policy.be_process_dmeasure_match_mode);
+    policy->set_be_process_measure_match_mode(report.content.global_control_policy.be_process_measure_match_mode);
+    policy->set_be_process_dmeasure_lib_mode(report.content.global_control_policy.be_process_dmeasure_lib_mode);
+    policy->set_be_process_verify_lib_mode(report.content.global_control_policy.be_process_verify_lib_mode);
+    policy->set_be_process_dmeasure_sub_process_mode(
+        report.content.global_control_policy.be_process_dmeasure_sub_process_mode);
+    policy->set_be_process_dmeasure_old_process_mode(
+        report.content.global_control_policy.be_process_dmeasure_old_process_mode);
+    policy->set_be_process_dmeasure_interval(report.content.global_control_policy.be_process_dmeasure_interval);
+
+    // 转换其他字段
+    content->set_be_eval(report.content.be_eval);
+    content->set_be_host_ip(report.content.be_host_ip);
+    content->set_be_illegal_program_load(report.content.be_illegal_program_load);
+    content->set_be_illegal_lib_load(report.content.be_illegal_lib_load);
+    content->set_be_illegal_kernel_module_load(report.content.be_illegal_kernel_module_load);
+    content->set_be_illegal_file_access(report.content.be_illegal_file_access);
+    content->set_be_illegal_device_access(report.content.be_illegal_device_access);
+    content->set_be_illegal_network_inreq(report.content.be_illegal_network_inreq);
+    content->set_be_illegal_network_outreq(report.content.be_illegal_network_outreq);
+    content->set_be_process_code_measure_fail(report.content.be_process_code_measure_fail);
+    content->set_be_process_data_measure_fail(report.content.be_process_data_measure_fail);
+    content->set_be_notify_fail(report.content.be_notify_fail);
+    content->set_be_boot_measure_result(report.content.be_boot_measure_result);
+    content->set_be_boot_times(report.content.be_boot_times);
+    content->set_be_tpcm_time(report.content.be_tpcm_time);
+    content->set_be_tpcm_report_time(report.content.be_tpcm_report_time);
+    content->set_be_log_number(report.content.be_log_number);
+
+    // Convert PCR and hash byte arrays, only copying actual data length
+    size_t log_hash_len = strnlen(reinterpret_cast<const char *>(report.content.log_hash), DEFAULT_HASH_SIZE);
+    content->set_log_hash(reinterpret_cast<const char *>(report.content.log_hash), log_hash_len);
+
+    size_t bios_pcr_len = strnlen(reinterpret_cast<const char *>(report.content.bios_pcr), DEFAULT_PCR_SIZE);
+    content->set_bios_pcr(reinterpret_cast<const char *>(report.content.bios_pcr), bios_pcr_len);
+
+    size_t boot_loader_pcr_len =
+        strnlen(reinterpret_cast<const char *>(report.content.boot_loader_pcr), DEFAULT_PCR_SIZE);
+    content->set_boot_loader_pcr(reinterpret_cast<const char *>(report.content.boot_loader_pcr), boot_loader_pcr_len);
+
+    size_t kernel_pcr_len = strnlen(reinterpret_cast<const char *>(report.content.kernel_pcr), DEFAULT_PCR_SIZE);
+    content->set_kernel_pcr(reinterpret_cast<const char *>(report.content.kernel_pcr), kernel_pcr_len);
+
+    size_t tsb_pcr_len = strnlen(reinterpret_cast<const char *>(report.content.tsb_pcr), DEFAULT_PCR_SIZE);
+    content->set_tsb_pcr(reinterpret_cast<const char *>(report.content.tsb_pcr), tsb_pcr_len);
+
+    size_t boot_pcr_len = strnlen(reinterpret_cast<const char *>(report.content.boot_pcr), DEFAULT_PCR_SIZE);
+    content->set_boot_pcr(reinterpret_cast<const char *>(report.content.boot_pcr), boot_pcr_len);
+
+    content->set_be_nonce(report.content.be_nonce);
+
+    // 转换 append_data
+    size_t append_data_len = strnlen(reinterpret_cast<const char *>(report.append_data), MAX_TRUST_REPORT_APPENDDATA);
+    protoReport->set_append_data(reinterpret_cast<const char *>(report.append_data), append_data_len);
+}
+
+static trust_report_new ReportFromProto(const protos::TrustReportNew &protoReport)
+{
+    trust_report_new report;
+    memset(&report, 0, sizeof(report));
+
+    const auto &content = protoReport.content();
+
+    // 转换基本字段
+    report.content.be_host_report_time = content.be_host_report_time();
+    report.content.be_host_startup_time = content.be_host_startup_time();
+
+    // 转换字节数组
+    const std::string &host_id = content.host_id();
+    size_t host_id_len = std::min(host_id.size(), static_cast<size_t>(MAX_HOST_ID_SIZE));
+    memcpy(report.content.host_id, host_id.data(), host_id_len);
+
+    const std::string &tpcm_id = content.tpcm_id();
+    size_t tpcm_id_len = std::min(tpcm_id.size(), static_cast<size_t>(MAX_TPCM_ID_SIZE));
+    memcpy(report.content.tpcm_id, tpcm_id.data(), tpcm_id_len);
+
+    // 转换 global_control_policy
+    const auto &policy = content.global_control_policy();
+    report.content.global_control_policy.be_size = policy.be_size();
+    report.content.global_control_policy.be_boot_measure_on = policy.be_boot_measure_on();
+    report.content.global_control_policy.be_program_measure_on = policy.be_program_measure_on();
+    report.content.global_control_policy.be_dynamic_measure_on = policy.be_dynamic_measure_on();
+    report.content.global_control_policy.be_boot_control = policy.be_boot_control();
+    report.content.global_control_policy.be_program_control = policy.be_program_control();
+    report.content.global_control_policy.be_tsb_flag1 = policy.be_tsb_flag1();
+    report.content.global_control_policy.be_tsb_flag2 = policy.be_tsb_flag2();
+    report.content.global_control_policy.be_tsb_flag3 = policy.be_tsb_flag3();
+    report.content.global_control_policy.be_program_measure_mode = policy.be_program_measure_mode();
+    report.content.global_control_policy.be_program_use_cache = policy.be_program_use_cache();
+    report.content.global_control_policy.be_dmeasure_use_cache = policy.be_dmeasure_use_cache();
+    report.content.global_control_policy.be_dmeasure_max_busy_delay = policy.be_dmeasure_max_busy_delay();
+    report.content.global_control_policy.be_process_dmeasure_ref_mode = policy.be_process_dmeasure_ref_mode();
+    report.content.global_control_policy.be_process_dmeasure_match_mode = policy.be_process_dmeasure_match_mode();
+    report.content.global_control_policy.be_process_measure_match_mode = policy.be_process_measure_match_mode();
+    report.content.global_control_policy.be_process_dmeasure_lib_mode = policy.be_process_dmeasure_lib_mode();
+    report.content.global_control_policy.be_process_verify_lib_mode = policy.be_process_verify_lib_mode();
+    report.content.global_control_policy.be_process_dmeasure_sub_process_mode =
+        policy.be_process_dmeasure_sub_process_mode();
+    report.content.global_control_policy.be_process_dmeasure_old_process_mode =
+        policy.be_process_dmeasure_old_process_mode();
+    report.content.global_control_policy.be_process_dmeasure_interval = policy.be_process_dmeasure_interval();
+
+    // 转换其他字段
+    report.content.be_eval = content.be_eval();
+    report.content.be_host_ip = content.be_host_ip();
+    report.content.be_illegal_program_load = content.be_illegal_program_load();
+    report.content.be_illegal_lib_load = content.be_illegal_lib_load();
+    report.content.be_illegal_kernel_module_load = content.be_illegal_kernel_module_load();
+    report.content.be_illegal_file_access = content.be_illegal_file_access();
+    report.content.be_illegal_device_access = content.be_illegal_device_access();
+    report.content.be_illegal_network_inreq = content.be_illegal_network_inreq();
+    report.content.be_illegal_network_outreq = content.be_illegal_network_outreq();
+    report.content.be_process_code_measure_fail = content.be_process_code_measure_fail();
+    report.content.be_process_data_measure_fail = content.be_process_data_measure_fail();
+    report.content.be_notify_fail = content.be_notify_fail();
+    report.content.be_boot_measure_result = content.be_boot_measure_result();
+    report.content.be_boot_times = content.be_boot_times();
+    report.content.be_tpcm_time = content.be_tpcm_time();
+    report.content.be_tpcm_report_time = content.be_tpcm_report_time();
+    report.content.be_log_number = content.be_log_number();
+
+    const std::string &log_hash = content.log_hash();
+    size_t log_hash_len = std::min(log_hash.size(), static_cast<size_t>(DEFAULT_HASH_SIZE));
+    memcpy(report.content.log_hash, log_hash.data(), log_hash_len);
+
+    const std::string &bios_pcr = content.bios_pcr();
+    size_t bios_pcr_len = std::min(bios_pcr.size(), static_cast<size_t>(DEFAULT_PCR_SIZE));
+    memcpy(report.content.bios_pcr, bios_pcr.data(), bios_pcr_len);
+
+    const std::string &boot_loader_pcr = content.boot_loader_pcr();
+    size_t boot_loader_pcr_len = std::min(boot_loader_pcr.size(), static_cast<size_t>(DEFAULT_PCR_SIZE));
+    memcpy(report.content.boot_loader_pcr, boot_loader_pcr.data(), boot_loader_pcr_len);
+
+    const std::string &kernel_pcr = content.kernel_pcr();
+    size_t kernel_pcr_len = std::min(kernel_pcr.size(), static_cast<size_t>(DEFAULT_PCR_SIZE));
+    memcpy(report.content.kernel_pcr, kernel_pcr.data(), kernel_pcr_len);
+
+    const std::string &tsb_pcr = content.tsb_pcr();
+    size_t tsb_pcr_len = std::min(tsb_pcr.size(), static_cast<size_t>(DEFAULT_PCR_SIZE));
+    memcpy(report.content.tsb_pcr, tsb_pcr.data(), tsb_pcr_len);
+
+    const std::string &boot_pcr = content.boot_pcr();
+    size_t boot_pcr_len = std::min(boot_pcr.size(), static_cast<size_t>(DEFAULT_PCR_SIZE));
+    memcpy(report.content.boot_pcr, boot_pcr.data(), boot_pcr_len);
+
+    report.content.be_nonce = content.be_nonce();
+
+    // 转换 append_data
+    const std::string &append_data = protoReport.append_data();
+    size_t append_data_len = std::min(append_data.size(), static_cast<size_t>(MAX_TRUST_REPORT_APPENDDATA));
+    memcpy(report.append_data, append_data.data(), append_data_len);
+
+    return report;
+}
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/link/proto_tools_test.cpp b/virtrust/src/virtrust/link/proto_tools_test.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..8f1825bda41e40a1889084bd37b6c08cd3512687
--- /dev/null
+++ b/virtrust/src/virtrust/link/proto_tools_test.cpp
@@ -0,0 +1,341 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#include <cstring>
+#include <string>
+
+#include "gtest/gtest.h"
+#include "tsb_agent/tsb_agent.h"
+
+#include "virtrust/link/proto/proto_tools.h"
+
+#include "virtrust/link/proto/migrate.pb.h"
+
+namespace virtrust {
+
+class ProtoToolsTest : public ::testing::Test {
+protected:
+    void SetUp() override
+    {
+        // Initialize a test trust report
+        memset(&testReport_, 0, sizeof(testReport_));
+
+        // Set basic fields
+        testReport_.content.be_host_report_time = 1234567890L;
+        testReport_.content.be_host_startup_time = 1234567880L;
+        testReport_.content.be_eval = 100;
+        testReport_.content.be_host_ip = 0x01020304; // 4.3.2.1
+        testReport_.content.be_illegal_program_load = 0;
+        testReport_.content.be_illegal_lib_load = 0;
+        testReport_.content.be_illegal_kernel_module_load = 0;
+        testReport_.content.be_illegal_file_access = 0;
+        testReport_.content.be_illegal_device_access = 0;
+        testReport_.content.be_illegal_network_inreq = 0;
+        testReport_.content.be_illegal_network_outreq = 0;
+        testReport_.content.be_process_code_measure_fail = 0;
+        testReport_.content.be_process_data_measure_fail = 0;
+        testReport_.content.be_notify_fail = 0;
+        testReport_.content.be_boot_measure_result = 1;
+        testReport_.content.be_boot_times = 5;
+        testReport_.content.be_tpcm_time = 1234567891L;
+        testReport_.content.be_tpcm_report_time = 1234567892L;
+        testReport_.content.be_log_number = 100;
+        testReport_.content.be_nonce = 12345;
+
+        // Set global control policy
+        testReport_.content.global_control_policy.be_size = 1024;
+        testReport_.content.global_control_policy.be_boot_measure_on = 1;
+        testReport_.content.global_control_policy.be_program_measure_on = 1;
+        testReport_.content.global_control_policy.be_dynamic_measure_on = 0;
+        testReport_.content.global_control_policy.be_boot_control = 1;
+        testReport_.content.global_control_policy.be_program_control = 1;
+        testReport_.content.global_control_policy.be_tsb_flag1 = 1;
+        testReport_.content.global_control_policy.be_tsb_flag2 = 0;
+        testReport_.content.global_control_policy.be_tsb_flag3 = 1;
+        testReport_.content.global_control_policy.be_program_measure_mode = 2;
+        testReport_.content.global_control_policy.be_program_use_cache = 1;
+        testReport_.content.global_control_policy.be_dmeasure_use_cache = 0;
+        testReport_.content.global_control_policy.be_dmeasure_max_busy_delay = 100;
+        testReport_.content.global_control_policy.be_process_dmeasure_ref_mode = 1;
+        testReport_.content.global_control_policy.be_process_dmeasure_match_mode = 2;
+        testReport_.content.global_control_policy.be_process_measure_match_mode = 3;
+        testReport_.content.global_control_policy.be_process_dmeasure_lib_mode = 1;
+        testReport_.content.global_control_policy.be_process_verify_lib_mode = 2;
+        testReport_.content.global_control_policy.be_process_dmeasure_sub_process_mode = 1;
+        testReport_.content.global_control_policy.be_process_dmeasure_old_process_mode = 0;
+        testReport_.content.global_control_policy.be_process_dmeasure_interval = 60;
+
+        // Set byte arrays with test data
+        const char *hostId = "test_host_id_12345";
+        const char *tpcmId = "test_tpcm_id_67890";
+        const char *logHash = "test_log_hash_abcdef1234567890";
+        const char *biosPcr = "test_bios_pcr_1234567890abcdef";
+        const char *bootLoaderPcr = "test_boot_loader_pcr_1234567890abcdef";
+        const char *kernelPcr = "test_kernel_pcr_1234567890abcdef";
+        const char *tsbPcr = "test_tsb_pcr_1234567890abcdef";
+        const char *bootPcr = "test_boot_pcr_1234567890abcdef";
+        const char *appendData = "test_append_data_for_trust_report_12345";
+
+        size_t hostIdLen = std::min(strlen(hostId), static_cast<size_t>(MAX_HOST_ID_SIZE));
+        size_t tpcmIdLen = std::min(strlen(tpcmId), static_cast<size_t>(MAX_TPCM_ID_SIZE));
+        size_t logHashLen = std::min(strlen(logHash), static_cast<size_t>(DEFAULT_HASH_SIZE));
+        size_t biosPcrLen = std::min(strlen(biosPcr), static_cast<size_t>(DEFAULT_PCR_SIZE));
+        size_t bootLoaderPcrLen = std::min(strlen(bootLoaderPcr), static_cast<size_t>(DEFAULT_PCR_SIZE));
+        size_t kernelPcrLen = std::min(strlen(kernelPcr), static_cast<size_t>(DEFAULT_PCR_SIZE));
+        size_t tsbPcrLen = std::min(strlen(tsbPcr), static_cast<size_t>(DEFAULT_PCR_SIZE));
+        size_t bootPcrLen = std::min(strlen(bootPcr), static_cast<size_t>(DEFAULT_PCR_SIZE));
+        size_t appendDataLen = std::min(strlen(appendData), static_cast<size_t>(MAX_TRUST_REPORT_APPENDDATA));
+
+        memcpy(testReport_.content.host_id, hostId, hostIdLen);
+        memcpy(testReport_.content.tpcm_id, tpcmId, tpcmIdLen);
+        memcpy(testReport_.content.log_hash, logHash, logHashLen);
+        memcpy(testReport_.content.bios_pcr, biosPcr, biosPcrLen);
+        memcpy(testReport_.content.boot_loader_pcr, bootLoaderPcr, bootLoaderPcrLen);
+        memcpy(testReport_.content.kernel_pcr, kernelPcr, kernelPcrLen);
+        memcpy(testReport_.content.tsb_pcr, tsbPcr, tsbPcrLen);
+        memcpy(testReport_.content.boot_pcr, bootPcr, bootPcrLen);
+        memcpy(testReport_.append_data, appendData, appendDataLen);
+    }
+
+    trust_report_new testReport_;
+};
+
+TEST_F(ProtoToolsTest, ReportToProtoBasicFields)
+{
+    protos::TrustReportNew protoReport;
+    ReportToProto(testReport_, &protoReport);
+
+    // Verify basic fields
+    EXPECT_EQ(protoReport.content().be_host_report_time(), testReport_.content.be_host_report_time);
+    EXPECT_EQ(protoReport.content().be_host_startup_time(), testReport_.content.be_host_startup_time);
+    EXPECT_EQ(protoReport.content().be_eval(), testReport_.content.be_eval);
+    EXPECT_EQ(protoReport.content().be_host_ip(), testReport_.content.be_host_ip);
+    EXPECT_EQ(protoReport.content().be_illegal_program_load(), testReport_.content.be_illegal_program_load);
+    EXPECT_EQ(protoReport.content().be_illegal_lib_load(), testReport_.content.be_illegal_lib_load);
+    EXPECT_EQ(protoReport.content().be_boot_measure_result(), testReport_.content.be_boot_measure_result);
+    EXPECT_EQ(protoReport.content().be_boot_times(), testReport_.content.be_boot_times);
+    EXPECT_EQ(protoReport.content().be_tpcm_time(), testReport_.content.be_tpcm_time);
+    EXPECT_EQ(protoReport.content().be_tpcm_report_time(), testReport_.content.be_tpcm_report_time);
+    EXPECT_EQ(protoReport.content().be_log_number(), testReport_.content.be_log_number);
+    EXPECT_EQ(protoReport.content().be_nonce(), testReport_.content.be_nonce);
+}
+
+TEST_F(ProtoToolsTest, ReportToProtoGlobalControlPolicy)
+{
+    protos::TrustReportNew protoReport;
+    ReportToProto(testReport_, &protoReport);
+
+    const auto &policy = protoReport.content().global_control_policy();
+    EXPECT_EQ(policy.be_size(), testReport_.content.global_control_policy.be_size);
+    EXPECT_EQ(policy.be_boot_measure_on(), testReport_.content.global_control_policy.be_boot_measure_on);
+    EXPECT_EQ(policy.be_program_measure_on(), testReport_.content.global_control_policy.be_program_measure_on);
+    EXPECT_EQ(policy.be_dynamic_measure_on(), testReport_.content.global_control_policy.be_dynamic_measure_on);
+    EXPECT_EQ(policy.be_boot_control(), testReport_.content.global_control_policy.be_boot_control);
+    EXPECT_EQ(policy.be_program_control(), testReport_.content.global_control_policy.be_program_control);
+    EXPECT_EQ(policy.be_tsb_flag1(), testReport_.content.global_control_policy.be_tsb_flag1);
+    EXPECT_EQ(policy.be_tsb_flag2(), testReport_.content.global_control_policy.be_tsb_flag2);
+    EXPECT_EQ(policy.be_tsb_flag3(), testReport_.content.global_control_policy.be_tsb_flag3);
+    EXPECT_EQ(policy.be_program_measure_mode(), testReport_.content.global_control_policy.be_program_measure_mode);
+    EXPECT_EQ(policy.be_program_use_cache(), testReport_.content.global_control_policy.be_program_use_cache);
+    EXPECT_EQ(policy.be_dmeasure_use_cache(), testReport_.content.global_control_policy.be_dmeasure_use_cache);
+    EXPECT_EQ(policy.be_dmeasure_max_busy_delay(),
+              testReport_.content.global_control_policy.be_dmeasure_max_busy_delay);
+    EXPECT_EQ(policy.be_process_dmeasure_ref_mode(),
+              testReport_.content.global_control_policy.be_process_dmeasure_ref_mode);
+    EXPECT_EQ(policy.be_process_dmeasure_match_mode(),
+              testReport_.content.global_control_policy.be_process_dmeasure_match_mode);
+    EXPECT_EQ(policy.be_process_measure_match_mode(),
+              testReport_.content.global_control_policy.be_process_measure_match_mode);
+    EXPECT_EQ(policy.be_process_dmeasure_lib_mode(),
+              testReport_.content.global_control_policy.be_process_dmeasure_lib_mode);
+    EXPECT_EQ(policy.be_process_verify_lib_mode(),
+              testReport_.content.global_control_policy.be_process_verify_lib_mode);
+    EXPECT_EQ(policy.be_process_dmeasure_sub_process_mode(),
+              testReport_.content.global_control_policy.be_process_dmeasure_sub_process_mode);
+    EXPECT_EQ(policy.be_process_dmeasure_old_process_mode(),
+              testReport_.content.global_control_policy.be_process_dmeasure_old_process_mode);
+    EXPECT_EQ(policy.be_process_dmeasure_interval(),
+              testReport_.content.global_control_policy.be_process_dmeasure_interval);
+}
+
+TEST_F(ProtoToolsTest, ReportToProtoByteArrays)
+{
+    protos::TrustReportNew protoReport;
+    ReportToProto(testReport_, &protoReport);
+
+    // Verify byte arrays
+    EXPECT_EQ(protoReport.content().host_id(),
+              std::string(reinterpret_cast<const char *>(testReport_.content.host_id),
+                          strnlen(reinterpret_cast<const char *>(testReport_.content.host_id), MAX_HOST_ID_SIZE)));
+    EXPECT_EQ(protoReport.content().tpcm_id(),
+              std::string(reinterpret_cast<const char *>(testReport_.content.tpcm_id),
+                          strnlen(reinterpret_cast<const char *>(testReport_.content.tpcm_id), MAX_TPCM_ID_SIZE)));
+    EXPECT_EQ(protoReport.content().log_hash(),
+              std::string(reinterpret_cast<const char *>(testReport_.content.log_hash),
+                          strnlen(reinterpret_cast<const char *>(testReport_.content.log_hash), DEFAULT_HASH_SIZE)));
+    EXPECT_EQ(protoReport.content().bios_pcr(),
+              std::string(reinterpret_cast<const char *>(testReport_.content.bios_pcr),
+                          strnlen(reinterpret_cast<const char *>(testReport_.content.bios_pcr), DEFAULT_PCR_SIZE)));
+    EXPECT_EQ(
+        protoReport.content().boot_loader_pcr(),
+        std::string(reinterpret_cast<const char *>(testReport_.content.boot_loader_pcr),
+                    strnlen(reinterpret_cast<const char *>(testReport_.content.boot_loader_pcr), DEFAULT_PCR_SIZE)));
+    EXPECT_EQ(protoReport.content().kernel_pcr(),
+              std::string(reinterpret_cast<const char *>(testReport_.content.kernel_pcr),
+                          strnlen(reinterpret_cast<const char *>(testReport_.content.kernel_pcr), DEFAULT_PCR_SIZE)));
+    EXPECT_EQ(protoReport.content().tsb_pcr(),
+              std::string(reinterpret_cast<const char *>(testReport_.content.tsb_pcr),
+                          strnlen(reinterpret_cast<const char *>(testReport_.content.tsb_pcr), DEFAULT_PCR_SIZE)));
+    EXPECT_EQ(protoReport.content().boot_pcr(),
+              std::string(reinterpret_cast<const char *>(testReport_.content.boot_pcr),
+                          strnlen(reinterpret_cast<const char *>(testReport_.content.boot_pcr), DEFAULT_PCR_SIZE)));
+    EXPECT_EQ(protoReport.append_data(), std::string(reinterpret_cast<const char *>(testReport_.append_data),
+                                                     strnlen(reinterpret_cast<const char *>(testReport_.append_data),
+                                                             MAX_TRUST_REPORT_APPENDDATA)));
+}
+
+TEST_F(ProtoToolsTest, ReportFromProtoBasicFields)
+{
+    protos::TrustReportNew protoReport;
+    ReportToProto(testReport_, &protoReport);
+
+    trust_report_new convertedReport = ReportFromProto(protoReport);
+
+    // Verify basic fields
+    EXPECT_EQ(convertedReport.content.be_host_report_time, testReport_.content.be_host_report_time);
+    EXPECT_EQ(convertedReport.content.be_host_startup_time, testReport_.content.be_host_startup_time);
+    EXPECT_EQ(convertedReport.content.be_eval, testReport_.content.be_eval);
+    EXPECT_EQ(convertedReport.content.be_host_ip, testReport_.content.be_host_ip);
+    EXPECT_EQ(convertedReport.content.be_illegal_program_load, testReport_.content.be_illegal_program_load);
+    EXPECT_EQ(convertedReport.content.be_illegal_lib_load, testReport_.content.be_illegal_lib_load);
+    EXPECT_EQ(convertedReport.content.be_boot_measure_result, testReport_.content.be_boot_measure_result);
+    EXPECT_EQ(convertedReport.content.be_boot_times, testReport_.content.be_boot_times);
+    EXPECT_EQ(convertedReport.content.be_tpcm_time, testReport_.content.be_tpcm_time);
+    EXPECT_EQ(convertedReport.content.be_tpcm_report_time, testReport_.content.be_tpcm_report_time);
+    EXPECT_EQ(convertedReport.content.be_log_number, testReport_.content.be_log_number);
+    EXPECT_EQ(convertedReport.content.be_nonce, testReport_.content.be_nonce);
+}
+
+TEST_F(ProtoToolsTest, ReportFromProtoGlobalControlPolicy)
+{
+    protos::TrustReportNew protoReport;
+    ReportToProto(testReport_, &protoReport);
+
+    trust_report_new convertedReport = ReportFromProto(protoReport);
+
+    const auto &policy = protoReport.content().global_control_policy();
+    EXPECT_EQ(convertedReport.content.global_control_policy.be_size, policy.be_size());
+    EXPECT_EQ(convertedReport.content.global_control_policy.be_boot_measure_on, policy.be_boot_measure_on());
+    EXPECT_EQ(convertedReport.content.global_control_policy.be_program_measure_on, policy.be_program_measure_on());
+    EXPECT_EQ(convertedReport.content.global_control_policy.be_dynamic_measure_on, policy.be_dynamic_measure_on());
+    EXPECT_EQ(convertedReport.content.global_control_policy.be_boot_control, policy.be_boot_control());
+    EXPECT_EQ(convertedReport.content.global_control_policy.be_program_control, policy.be_program_control());
+    EXPECT_EQ(convertedReport.content.global_control_policy.be_tsb_flag1, policy.be_tsb_flag1());
+    EXPECT_EQ(convertedReport.content.global_control_policy.be_tsb_flag2, policy.be_tsb_flag2());
+    EXPECT_EQ(convertedReport.content.global_control_policy.be_tsb_flag3, policy.be_tsb_flag3());
+    EXPECT_EQ(convertedReport.content.global_control_policy.be_program_measure_mode, policy.be_program_measure_mode());
+    EXPECT_EQ(convertedReport.content.global_control_policy.be_program_use_cache, policy.be_program_use_cache());
+    EXPECT_EQ(convertedReport.content.global_control_policy.be_dmeasure_use_cache, policy.be_dmeasure_use_cache());
+    EXPECT_EQ(convertedReport.content.global_control_policy.be_dmeasure_max_busy_delay,
+              policy.be_dmeasure_max_busy_delay());
+    EXPECT_EQ(convertedReport.content.global_control_policy.be_process_dmeasure_ref_mode,
+              policy.be_process_dmeasure_ref_mode());
+    EXPECT_EQ(convertedReport.content.global_control_policy.be_process_dmeasure_match_mode,
+              policy.be_process_dmeasure_match_mode());
+    EXPECT_EQ(convertedReport.content.global_control_policy.be_process_measure_match_mode,
+              policy.be_process_measure_match_mode());
+    EXPECT_EQ(convertedReport.content.global_control_policy.be_process_dmeasure_lib_mode,
+              policy.be_process_dmeasure_lib_mode());
+    EXPECT_EQ(convertedReport.content.global_control_policy.be_process_verify_lib_mode,
+              policy.be_process_verify_lib_mode());
+    EXPECT_EQ(convertedReport.content.global_control_policy.be_process_dmeasure_sub_process_mode,
+              policy.be_process_dmeasure_sub_process_mode());
+    EXPECT_EQ(convertedReport.content.global_control_policy.be_process_dmeasure_old_process_mode,
+              policy.be_process_dmeasure_old_process_mode());
+    EXPECT_EQ(convertedReport.content.global_control_policy.be_process_dmeasure_interval,
+              policy.be_process_dmeasure_interval());
+}
+
+TEST_F(ProtoToolsTest, ReportFromProtoByteArrays)
+{
+    protos::TrustReportNew protoReport;
+    ReportToProto(testReport_, &protoReport);
+
+    trust_report_new convertedReport = ReportFromProto(protoReport);
+
+    // Verify byte arrays
+    EXPECT_EQ(memcmp(convertedReport.content.host_id, testReport_.content.host_id, MAX_HOST_ID_SIZE), 0);
+    EXPECT_EQ(memcmp(convertedReport.content.tpcm_id, testReport_.content.tpcm_id, MAX_TPCM_ID_SIZE), 0);
+    EXPECT_EQ(memcmp(convertedReport.content.log_hash, testReport_.content.log_hash, DEFAULT_HASH_SIZE), 0);
+    EXPECT_EQ(memcmp(convertedReport.content.bios_pcr, testReport_.content.bios_pcr, DEFAULT_PCR_SIZE), 0);
+    EXPECT_EQ(memcmp(convertedReport.content.boot_loader_pcr, testReport_.content.boot_loader_pcr, DEFAULT_PCR_SIZE),
+              0);
+    EXPECT_EQ(memcmp(convertedReport.content.kernel_pcr, testReport_.content.kernel_pcr, DEFAULT_PCR_SIZE), 0);
+    EXPECT_EQ(memcmp(convertedReport.content.tsb_pcr, testReport_.content.tsb_pcr, DEFAULT_PCR_SIZE), 0);
+    EXPECT_EQ(memcmp(convertedReport.content.boot_pcr, testReport_.content.boot_pcr, DEFAULT_PCR_SIZE), 0);
+    EXPECT_EQ(memcmp(convertedReport.append_data, testReport_.append_data, MAX_TRUST_REPORT_APPENDDATA), 0);
+}
+
+TEST_F(ProtoToolsTest, RoundTripConversion)
+{
+    // Convert to proto and back to verify data integrity
+    protos::TrustReportNew protoReport;
+    ReportToProto(testReport_, &protoReport);
+
+    trust_report_new convertedReport = ReportFromProto(protoReport);
+
+    // Verify all basic fields match
+    EXPECT_EQ(convertedReport.content.be_host_report_time, testReport_.content.be_host_report_time);
+    EXPECT_EQ(convertedReport.content.be_host_startup_time, testReport_.content.be_host_startup_time);
+    EXPECT_EQ(convertedReport.content.be_eval, testReport_.content.be_eval);
+    EXPECT_EQ(convertedReport.content.be_host_ip, testReport_.content.be_host_ip);
+    EXPECT_EQ(convertedReport.content.be_boot_measure_result, testReport_.content.be_boot_measure_result);
+    EXPECT_EQ(convertedReport.content.be_boot_times, testReport_.content.be_boot_times);
+    EXPECT_EQ(convertedReport.content.be_tpcm_time, testReport_.content.be_tpcm_time);
+    EXPECT_EQ(convertedReport.content.be_tpcm_report_time, testReport_.content.be_tpcm_report_time);
+    EXPECT_EQ(convertedReport.content.be_log_number, testReport_.content.be_log_number);
+    EXPECT_EQ(convertedReport.content.be_nonce, testReport_.content.be_nonce);
+
+    // Verify byte arrays match
+    EXPECT_EQ(memcmp(convertedReport.content.host_id, testReport_.content.host_id, MAX_HOST_ID_SIZE), 0);
+    EXPECT_EQ(memcmp(convertedReport.content.tpcm_id, testReport_.content.tpcm_id, MAX_TPCM_ID_SIZE), 0);
+    EXPECT_EQ(memcmp(convertedReport.content.log_hash, testReport_.content.log_hash, DEFAULT_HASH_SIZE), 0);
+    EXPECT_EQ(memcmp(convertedReport.append_data, testReport_.append_data, MAX_TRUST_REPORT_APPENDDATA), 0);
+}
+
+TEST_F(ProtoToolsTest, EmptyReportConversion)
+{
+    trust_report_new emptyReport;
+    memset(&emptyReport, 0, sizeof(emptyReport));
+
+    protos::TrustReportNew protoReport;
+    ReportToProto(emptyReport, &protoReport);
+
+    trust_report_new convertedReport = ReportFromProto(protoReport);
+
+    // Verify all fields are zero
+    EXPECT_EQ(convertedReport.content.be_host_report_time, 0u);
+    EXPECT_EQ(convertedReport.content.be_host_startup_time, 0u);
+    EXPECT_EQ(convertedReport.content.be_eval, 0u);
+    EXPECT_EQ(convertedReport.content.be_host_ip, 0u);
+    EXPECT_EQ(convertedReport.content.be_boot_measure_result, 0u);
+    EXPECT_EQ(convertedReport.content.be_boot_times, 0u);
+    EXPECT_EQ(convertedReport.content.be_tpcm_time, 0u);
+    EXPECT_EQ(convertedReport.content.be_tpcm_report_time, 0u);
+    EXPECT_EQ(convertedReport.content.be_log_number, 0u);
+    EXPECT_EQ(convertedReport.content.be_nonce, 0u);
+
+    // Verify byte arrays are empty
+    for (int i = 0; i < MAX_HOST_ID_SIZE; i++) {
+        EXPECT_EQ(convertedReport.content.host_id[i], 0);
+    }
+    for (int i = 0; i < MAX_TPCM_ID_SIZE; i++) {
+        EXPECT_EQ(convertedReport.content.tpcm_id[i], 0);
+    }
+    for (int i = 0; i < DEFAULT_HASH_SIZE; i++) {
+        EXPECT_EQ(convertedReport.content.log_hash[i], 0);
+    }
+}
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/utils/CMakeLists.txt b/virtrust/src/virtrust/utils/CMakeLists.txt
new file mode 100644
index 0000000000000000000000000000000000000000..8742aec569bfc6407e00336736c2aa0bc8f4f920
--- /dev/null
+++ b/virtrust/src/virtrust/utils/CMakeLists.txt
@@ -0,0 +1,18 @@
+# Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+
+set(VIRTRUST_SOURCE_FILES
+    ${VIRTRUST_SOURCE_FILES}
+    ${CMAKE_CURRENT_LIST_DIR}/file_io.cpp
+    ${CMAKE_CURRENT_LIST_DIR}/virt_xml_parser.cpp
+    ${CMAKE_CURRENT_LIST_DIR}/migrate_helper.cpp
+    ${CMAKE_CURRENT_LIST_DIR}/foreign_mounter.cpp)
+
+add_virtrust_test_if(file_io_test ${BUILD_TEST})
+add_virtrust_sh_test_if(virt_xml_parser_test ${BUILD_TEST})
+add_virtrust_sh_test_if(foreign_mounter_test ${BUILD_TEST})
+add_virtrust_test_if(migrate_helper_test ${BUILD_TEST})
+# add_virtrust_test_if(async_timer_test ${BUILD_TEST})
+
+set(VIRTRUST_SOURCE_FILES
+    ${VIRTRUST_SOURCE_FILES}
+    PARENT_SCOPE)
diff --git a/virtrust/src/virtrust/utils/async_timer.h b/virtrust/src/virtrust/utils/async_timer.h
new file mode 100644
index 0000000000000000000000000000000000000000..579fbfb37ae2cbef22bba845e30e5ab966aa43e4
--- /dev/null
+++ b/virtrust/src/virtrust/utils/async_timer.h
@@ -0,0 +1,56 @@
+#pragma once
+
+#include <atomic>
+#include <chrono>
+#include <functional>
+#include <thread>
+
+namespace virtrust {
+class AsyncTimer {
+public:
+    AsyncTimer() = default;
+
+    ~AsyncTimer()
+    {
+        Cancel();
+    }
+
+    // 启动一个异步计时器，timeout后执行callback
+    void Start(std::chrono::microseconds timeout, std::function<void()> callback)
+    {
+        Cancel(); // 先取消可能存在的旧线程
+
+        canceled_.store(false);
+        worker_ = std::thread([=]() {
+            auto deadline = std::chrono::steady_clock::now() + timeout;
+            while (!canceled_.load()) {
+                if (std::chrono::steady_clock::now() >= deadline)
+                    break;
+                std::this_thread::sleep_for(std::chrono::milliseconds(50));
+            }
+            if (!canceled_.load()) {
+                callback();
+            }
+        });
+    }
+
+    // 取消定时器
+    void Cancel()
+    {
+        canceled_.store(true);
+        if (worker_.joinable()) {
+            if (std::this_thread::get_id() == worker_.get_id()) {
+                // 通常调用Cancel的现成!=worker_，除非callback中调用Cancel造成死锁
+                worker_.detach();
+            } else {
+                worker_.join();
+            }
+        }
+    }
+
+private:
+    std::thread worker_;
+    std::atomic<bool> canceled_{true};
+};
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/utils/async_timer_test.cpp b/virtrust/src/virtrust/utils/async_timer_test.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..e93f45abf5b0c33f33ccf263f3334ade55b0cdfb
--- /dev/null
+++ b/virtrust/src/virtrust/utils/async_timer_test.cpp
@@ -0,0 +1,317 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#include <atomic>
+#include <chrono>
+#include <thread>
+
+#include "gtest/gtest.h"
+
+#include "virtrust/utils/async_timer.h"
+
+namespace virtrust {
+
+class AsyncTimerTest : public ::testing::Test {
+protected:
+    void SetUp() override
+    {
+        // Reset counters for each test
+        callback_count_ = 0;
+        callback_value_ = 0;
+    }
+
+    void TearDown() override
+    {
+        // Give timers time to clean up
+        std::this_thread::sleep_for(std::chrono::milliseconds(10));
+    }
+
+    // Test helper functions
+    void IncrementCallback()
+    {
+        callback_count_++;
+    }
+
+    void SetValueCallback(int value)
+    {
+        callback_value_ = value;
+    }
+
+    static std::atomic<int> callback_count_;
+    static std::atomic<int> callback_value_;
+};
+
+std::atomic<int> AsyncTimerTest::callback_count_{0};
+std::atomic<int> AsyncTimerTest::callback_value_{0};
+
+TEST_F(AsyncTimerTest, Constructor)
+{
+    AsyncTimer timer;
+
+    // Timer should be constructed successfully
+    SUCCEED();
+}
+
+TEST_F(AsyncTimerTest, Destructor)
+{
+    {
+        AsyncTimer timer;
+        // Timer goes out of scope here
+    }
+
+    // Destructor should be called without issues
+    SUCCEED();
+}
+
+TEST_F(AsyncTimerTest, StartWithShortTimeout)
+{
+    AsyncTimer timer;
+
+    // Start timer with 100ms timeout
+    timer.Start(std::chrono::milliseconds(100), [this]() { IncrementCallback(); });
+
+    // Wait for callback to be called
+    std::this_thread::sleep_for(std::chrono::milliseconds(150));
+
+    EXPECT_EQ(callback_count_.load(), 1);
+}
+
+TEST_F(AsyncTimerTest, StartWithMicrosecondTimeout)
+{
+    AsyncTimer timer;
+
+    // Start timer with 5000 microseconds (5ms)
+    timer.Start(std::chrono::microseconds(5000), [this]() { IncrementCallback(); });
+
+    // Wait for callback to be called
+    std::this_thread::sleep_for(std::chrono::milliseconds(10));
+
+    EXPECT_EQ(callback_count_.load(), 1);
+}
+
+TEST_F(AsyncTimerTest, StartWithZeroTimeout)
+{
+    AsyncTimer timer;
+
+    // Start timer with zero timeout (should trigger quickly)
+    timer.Start(std::chrono::microseconds(0), [this]() { IncrementCallback(); });
+
+    // Wait a very short time
+    std::this_thread::sleep_for(std::chrono::milliseconds(1));
+
+    EXPECT_EQ(callback_count_.load(), 1);
+}
+
+TEST_F(AsyncTimerTest, CancelBeforeTimeout)
+{
+    AsyncTimer timer;
+
+    // Start timer with 200ms timeout
+    timer.Start(std::chrono::milliseconds(200), [this]() { IncrementCallback(); });
+
+    // Cancel after 50ms
+    std::this_thread::sleep_for(std::chrono::milliseconds(50));
+    timer.Cancel();
+
+    // Wait for additional time to ensure callback wasn't called
+    std::this_thread::sleep_for(std::chrono::milliseconds(100));
+
+    EXPECT_EQ(callback_count_.load(), 0);
+}
+
+TEST_F(AsyncTimerTest, CancelImmediatelyAfterStart)
+{
+    AsyncTimer timer;
+
+    // Start timer and immediately cancel
+    timer.Start(std::chrono::milliseconds(100), [this]() { IncrementCallback(); });
+    timer.Cancel();
+
+    // Wait for additional time
+    std::this_thread::sleep_for(std::chrono::milliseconds(150));
+
+    EXPECT_EQ(callback_count_.load(), 0);
+}
+
+TEST_F(AsyncTimerTest, MultipleStartsShouldCancelPrevious)
+{
+    AsyncTimer timer;
+
+    // Start first timer
+    timer.Start(std::chrono::milliseconds(200), [this]() { callback_value_ = 1; });
+
+    // Start second timer immediately
+    timer.Start(std::chrono::milliseconds(100), [this]() { callback_value_ = 2; });
+
+    // Wait for the second timer to trigger
+    std::this_thread::sleep_for(std::chrono::milliseconds(150));
+
+    EXPECT_EQ(callback_value_.load(), 2);
+
+    // Wait longer to ensure first timer doesn't trigger
+    std::this_thread::sleep_for(std::chrono::milliseconds(100));
+
+    EXPECT_EQ(callback_value_.load(), 2); // Should still be 2, not 1
+}
+
+TEST_F(AsyncTimerTest, CancelMultipleTimes)
+{
+    AsyncTimer timer;
+
+    // Start timer
+    timer.Start(std::chrono::milliseconds(100), [this]() { IncrementCallback(); });
+
+    // Cancel multiple times (should not cause issues)
+    timer.Cancel();
+    timer.Cancel();
+    timer.Cancel();
+
+    // Wait to ensure callback wasn't called
+    std::this_thread::sleep_for(std::chrono::milliseconds(150));
+
+    EXPECT_EQ(callback_count_.load(), 0);
+}
+
+TEST_F(AsyncTimerTest, CancelWithoutStart)
+{
+    AsyncTimer timer;
+
+    // Cancel without starting timer (should not cause issues)
+    timer.Cancel();
+
+    SUCCEED();
+}
+
+TEST_F(AsyncTimerTest, RapidStartStopCycles)
+{
+    AsyncTimer timer;
+
+    // Perform multiple rapid start/stop cycles
+    for (int i = 0; i < 10; i++) {
+        timer.Start(std::chrono::milliseconds(50), [this]() { IncrementCallback(); });
+
+        // Cancel immediately
+        timer.Cancel();
+
+        // Brief pause
+        std::this_thread::sleep_for(std::chrono::milliseconds(1));
+    }
+
+    EXPECT_EQ(callback_count_.load(), 0);
+}
+
+TEST_F(AsyncTimerTest, LongTimeout)
+{
+    AsyncTimer timer;
+
+    // Start timer with longer timeout
+    timer.Start(std::chrono::milliseconds(500), [this]() { IncrementCallback(); });
+
+    // Check that callback hasn't been called yet
+    std::this_thread::sleep_for(std::chrono::milliseconds(100));
+    EXPECT_EQ(callback_count_.load(), 0);
+
+    // Wait for callback
+    std::this_thread::sleep_for(std::chrono::milliseconds(500));
+    EXPECT_EQ(callback_count_.load(), 1);
+}
+
+TEST_F(AsyncTimerTest, MultipleTimersConcurrent)
+{
+    AsyncTimer timer1, timer2, timer3;
+
+    // Start multiple timers with different delays
+    timer1.Start(std::chrono::milliseconds(50), [this]() { callback_value_ += 1; });
+
+    timer2.Start(std::chrono::milliseconds(100), [this]() { callback_value_ += 10; });
+
+    timer3.Start(std::chrono::milliseconds(150), [this]() { callback_value_ += 100; });
+
+    // Wait for all timers to complete
+    std::this_thread::sleep_for(std::chrono::milliseconds(200));
+
+    EXPECT_EQ(callback_value_.load(), 111); // 1 + 10 + 100
+}
+
+TEST_F(AsyncTimerTest, TimerScopeAndDestruction)
+{
+    std::atomic<int> destruction_count{0};
+
+    {
+        AsyncTimer timer;
+
+        // Start timer that might outlive the timer object
+        timer.Start(std::chrono::milliseconds(50), [&destruction_count]() { destruction_count++; });
+
+        // Timer goes out of scope here, destructor should be called
+    }
+
+    // Wait a bit to see if callback is called
+    // Note: This behavior depends on destructor implementation
+    std::this_thread::sleep_for(std::chrono::milliseconds(100));
+
+    // The callback may or may not be called depending on destructor behavior
+    // This test mainly ensures destructor doesn't crash
+    SUCCEED();
+}
+
+TEST_F(AsyncTimerTest, CallbackExceptionHandling)
+{
+    AsyncTimer timer;
+
+    // Start timer with callback that throws
+    timer.Start(std::chrono::milliseconds(50), []() { throw std::runtime_error("Test exception"); });
+
+    // Wait for timer to complete
+    // Should not crash the test
+    std::this_thread::sleep_for(std::chrono::milliseconds(100));
+
+    SUCCEED();
+}
+
+TEST_F(AsyncTimerTest, CallbackComplexOperations)
+{
+    AsyncTimer timer;
+    std::vector<int> results;
+
+    // Start timer with complex callback
+    timer.Start(std::chrono::milliseconds(50), [&results]() {
+        for (int i = 0; i < 10; i++) {
+            results.push_back(i * i);
+        }
+    });
+
+    // Wait for callback to complete
+    std::this_thread::sleep_for(std::chrono::milliseconds(100));
+
+    EXPECT_EQ(results.size(), 10u);
+    EXPECT_EQ(results[0], 0);
+    EXPECT_EQ(results[9], 81);
+}
+
+TEST_F(AsyncTimerTest, PrecisionTest)
+{
+    AsyncTimer timer;
+    auto start_time = std::chrono::steady_clock::now();
+    bool callback_called = false;
+
+    // Start timer with 10ms timeout
+    timer.Start(std::chrono::milliseconds(10), [&callback_called]() { callback_called = true; });
+
+    // Wait for callback
+    while (!callback_called) {
+        std::this_thread::sleep_for(std::chrono::milliseconds(1));
+    }
+
+    auto end_time = std::chrono::steady_clock::now();
+    auto duration = std::chrono::duration_cast<std::chrono::milliseconds>(end_time - start_time);
+
+    // Should be approximately 10ms (with some tolerance for scheduling)
+    EXPECT_GE(duration.count(), 8);  // At least 8ms
+    EXPECT_LE(duration.count(), 50); // At most 50ms (allowing for scheduling delays)
+
+    EXPECT_TRUE(callback_called);
+}
+
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/utils/enum_check.h b/virtrust/src/virtrust/utils/enum_check.h
new file mode 100644
index 0000000000000000000000000000000000000000..5a981f5c9091b43d34ca1ebbef48d6dc031028ac
--- /dev/null
+++ b/virtrust/src/virtrust/utils/enum_check.h
@@ -0,0 +1,32 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#pragma once
+
+namespace virtrust {
+
+// Define templates for enum range check
+
+template <typename EnumType, EnumType... Values> class EnumCheck {};
+
+template <typename EnumType> class EnumCheck<EnumType> {
+public:
+    template <typename IntType> static bool constexpr IsValue(IntType)
+    {
+        return false;
+    }
+};
+
+template <typename EnumType, EnumType V, EnumType... Next>
+class EnumCheck<EnumType, V, Next...> : private EnumCheck<EnumType, Next...> {
+    using Super = EnumCheck<EnumType, Next...>;
+
+public:
+    template <typename IntType> static bool constexpr IsValue(IntType v)
+    {
+        return v == static_cast<IntType>(V) || Super::IsValue(v);
+    }
+};
+
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/utils/file_io.cpp b/virtrust/src/virtrust/utils/file_io.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..f107cee0876fc006e3efc69a213a90f775a49e06
--- /dev/null
+++ b/virtrust/src/virtrust/utils/file_io.cpp
@@ -0,0 +1,244 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#include "virtrust/utils/file_io.h"
+
+#include <cerrno>
+#include <cstring>
+#include <exception>
+#include <filesystem>
+#include <iostream>
+#include <string>
+#include <utility>
+
+#include "spdlog/fmt/fmt.h"
+#include "spdlog/spdlog.h"
+
+#include "virtrust/base/exception.h"
+#include "virtrust/base/logger.h"
+
+namespace virtrust {
+#define FILE_IO_THROW(msg_prefix)                                                                                  \
+    VIRTRUST_ENFORCE(false, fmt::format("|{}|END|||error on file {}, failure {}", msg_prefix, fileName_, e.what(), \
+                                        std::strerror(errno), errno))
+
+FileInputStream::FileInputStream(std::string fileName) : fileName_(std::move(fileName)), fileLen_(0)
+{
+#ifndef __arm64__
+    in_.exceptions(std::ifstream::badbit | std::ifstream::failbit);
+#endif
+    try {
+        in_.open(fileName_, std::ios::binary | std::ios::ate);
+    } catch (const std::ifstream::failure &e) {
+        FILE_IO_THROW("Open for read");
+    }
+    fileLen_ = Tellg();
+    Seekg(0);
+}
+
+bool FileInputStream::operator!() const
+{
+    return !static_cast<bool>(in_);
+}
+
+FileInputStream::operator bool() const
+{
+    return static_cast<bool>(in_);
+}
+
+bool FileInputStream::Eof() const
+{
+    return in_.eof();
+}
+
+FileInputStream &FileInputStream::GetLine(std::string *ret, char delim)
+{
+    try {
+        std::getline(in_, *ret, delim);
+    } catch (const std::ifstream::failure &e) {
+        if (!in_.eof() || in_.bad()) {
+            FILE_IO_THROW("GetLine");
+        }
+    }
+
+    return *this;
+}
+
+FileInputStream &FileInputStream::Read(void *buf, size_t length)
+{
+    try {
+        in_.read(static_cast<char *>(buf), length);
+    } catch (const std::ifstream::failure &e) {
+        FILE_IO_THROW("Read");
+    }
+    return *this;
+}
+
+FileInputStream &FileInputStream::Seekg(size_t pos)
+{
+    try {
+        // clear EOF/FAIL bit
+        in_.clear();
+        in_.seekg(pos);
+    } catch (const std::ifstream::failure &e) {
+        FILE_IO_THROW("Seekg");
+    }
+    return *this;
+}
+
+size_t FileInputStream::Tellg()
+{
+    size_t ret = 0;
+    try {
+        auto backup = in_.rdstate();
+        in_.clear();
+        // tellg fail if eofbit is set.
+        ret = in_.tellg();
+        in_.clear(backup);
+    } catch (const std::ifstream::failure &e) {
+        if (in_.bad()) {
+            FILE_IO_THROW("Tellg");
+        }
+    }
+    return ret;
+}
+
+void FileInputStream::TransferTo(std::ostringstream &oss)
+{
+    try {
+        // clear EOF/FAIL bit
+        in_.clear();
+        in_.seekg(0);
+        oss << in_.rdbuf();
+    } catch (const std::ifstream::failure &e) {
+        FILE_IO_THROW("TransferTo");
+    }
+}
+
+std::string FileInputStream::ReadAll()
+{
+    try {
+        std::ostringstream oss;
+        TransferTo(oss);
+        return oss.str();
+    } catch (const std::ifstream::failure &e) {
+        FILE_IO_THROW("ReadAll");
+    }
+    return "";
+}
+
+size_t FileInputStream::GetLength() const
+{
+    return fileLen_;
+}
+
+const std::string &FileInputStream::GetName() const
+{
+    return fileName_;
+}
+
+void FileInputStream::Close()
+{
+    try {
+        in_.close();
+    } catch (const std::ifstream::failure &e) {
+        FILE_IO_THROW("Close");
+    }
+    fileLen_ = 0;
+}
+
+std::unique_ptr<FileInputStream> FileInputStream::Spawn()
+{
+    auto ret = std::make_unique<FileInputStream>(fileName_);
+    ret->Seekg(Tellg());
+    return ret;
+}
+
+FileOutputStream::FileOutputStream(std::string fileName, bool trunc, bool exitFailInDestructor)
+    : fileName_(std::move(fileName)), exitFailInDestructor_(exitFailInDestructor)
+{
+    std::filesystem::path fp(fileName_);
+    // empty if relative path to pwd.
+    if (!fp.parent_path().empty() && !std::filesystem::exists(fp.parent_path())) {
+        VIRTRUST_ENFORCE(std::filesystem::create_directories(fp.parent_path()), "Failed to create dir ({})",
+                         fp.parent_path().string());
+    }
+    out_.exceptions(std::ofstream::badbit | std::ofstream::failbit);
+    try {
+        out_.open(fileName_, std::ios::binary | (trunc ? std::ios::trunc : std::ios::app));
+    } catch (const std::ofstream::failure &e) {
+        FILE_IO_THROW("Open for write");
+    }
+}
+
+FileOutputStream::~FileOutputStream()
+{
+    try {
+        Close();
+    } catch (const std::exception &e) {
+        SPDLOG_ERROR("IO error in destructor: < {} >", e.what());
+        if (exitFailInDestructor_) {
+            _exit(-1);
+        }
+    }
+}
+
+void FileOutputStream::Write(const void *buf, size_t length)
+{
+    try {
+        out_.write(static_cast<const char *>(buf), length);
+    } catch (const std::ofstream::failure &e) {
+        FILE_IO_THROW("Write");
+    }
+}
+
+void FileOutputStream::Write(std::string_view buf)
+{
+    try {
+        out_.write(buf.data(), buf.size());
+    } catch (const std::ofstream::failure &e) {
+        FILE_IO_THROW("Write");
+    }
+}
+
+const std::string &FileOutputStream::GetName() const
+{
+    return fileName_;
+}
+
+size_t FileOutputStream::Tellp()
+{
+    size_t ret = 0;
+    try {
+        ret = out_.tellp();
+    } catch (const std::ofstream::failure &e) {
+        FILE_IO_THROW("Tellp");
+    }
+    return ret;
+}
+
+void FileOutputStream::Flush()
+{
+    try {
+        if (out_.is_open() && out_.good()) {
+            out_.flush();
+        }
+    } catch (const std::ofstream::failure &e) {
+        FILE_IO_THROW("Flush");
+    }
+}
+
+void FileOutputStream::Close()
+{
+    try {
+        if (out_.is_open() && out_.good()) {
+            Flush();
+            out_.close();
+        }
+    } catch (const std::ofstream::failure &e) {
+        FILE_IO_THROW("Close");
+    }
+}
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/utils/file_io.h b/virtrust/src/virtrust/utils/file_io.h
new file mode 100644
index 0000000000000000000000000000000000000000..6a83f1ef2bfd9543e5bc52e1106212a022ff6c6f
--- /dev/null
+++ b/virtrust/src/virtrust/utils/file_io.h
@@ -0,0 +1,83 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#pragma once
+
+#include <fstream>
+#include <memory>
+#include <string>
+
+namespace virtrust {
+class FileInputStream {
+public:
+    explicit FileInputStream(std::string fileName);
+
+    ~FileInputStream() = default;
+
+    bool operator!() const;
+
+    explicit operator bool() const;
+
+    bool Eof() const;
+
+    FileInputStream &GetLine(std::string *ret, char delim);
+
+    FileInputStream &Read(void *buf, size_t length);
+
+    FileInputStream &Seekg(size_t pos);
+
+    size_t Tellg();
+
+    void TransferTo(std::ostringstream &oss);
+
+    std::string ReadAll();
+
+    size_t GetLength() const;
+
+    const std::string &GetName() const;
+
+    void Close();
+
+    static bool IsStreaming()
+    {
+        return false;
+    }
+
+    std::unique_ptr<FileInputStream> Spawn();
+
+private:
+    const std::string fileName_;
+    std::ifstream in_;
+    size_t fileLen_;
+};
+
+class FileOutputStream {
+public:
+    explicit FileOutputStream(std::string fileName, bool trunc = true, bool exitFailInDestructor = true);
+
+    ~FileOutputStream();
+
+    void Write(const void *buf, size_t length);
+    void Write(std::string_view buf);
+
+    const std::string &GetName() const;
+
+    size_t Tellp();
+
+    void Close();
+
+    void Flush();
+
+    static bool IsStreaming()
+    {
+        return false;
+    }
+
+private:
+    const std::string fileName_;
+    const bool exitFailInDestructor_;
+    std::ofstream out_;
+};
+
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/utils/file_io_test.cpp b/virtrust/src/virtrust/utils/file_io_test.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..8238bb8fd87419217fe7b5a499e5e543b63b18fc
--- /dev/null
+++ b/virtrust/src/virtrust/utils/file_io_test.cpp
@@ -0,0 +1,302 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+ */
+
+#include <filesystem>
+#include <fstream>
+#include <sstream>
+
+#include "gtest/gtest.h"
+
+#include "virtrust/base/logger.h"
+#include "virtrust/utils/file_io.h"
+
+namespace virtrust {
+
+namespace {
+constexpr size_t MAX_BYTES_LENGTH = 64;
+constexpr std::string_view TEST_FILE_CONTENT = "this is a test file.\n";
+constexpr std::string_view TEST_FILE_CONTENT_LONG = "this is a test file.\nwith multiple lines\nand more content.\n";
+
+std::string GetTestFilePath()
+{
+    // Get the project root path (Which is the directory)
+    auto filePath = std::filesystem::path(__FILE__).parent_path();
+    return (filePath / ".." / ".." / ".." / "test" / "data" / "test.txt").lexically_normal().string();
+}
+
+std::string GetTempFilePath(const std::string &suffix = "")
+{
+    // Get the project root path (Which is the directory)
+    auto filePath = std::filesystem::path(__FILE__).parent_path();
+    return (filePath / ".." / ".." / ".." / "test" / "data" / ("temp_file" + suffix + ".txt"))
+        .lexically_normal()
+        .string();
+}
+
+} // namespace
+
+TEST(FileIO, Works)
+{
+    std::string path(GetTestFilePath());
+    FileInputStream fis = FileInputStream(path);
+    std::string content = fis.ReadAll();
+    ASSERT_EQ(content, TEST_FILE_CONTENT);
+}
+
+TEST(FileIO, ReadAll)
+{
+    std::string path(GetTestFilePath());
+    FileInputStream fis = FileInputStream(path);
+    std::string content = fis.ReadAll();
+    ASSERT_EQ(content, TEST_FILE_CONTENT);
+}
+
+TEST(FileIO, GetLength)
+{
+    std::string path(GetTestFilePath());
+    FileInputStream fis = FileInputStream(path);
+    size_t length = fis.GetLength();
+    ASSERT_EQ(length, TEST_FILE_CONTENT.length());
+}
+
+TEST(FileIO, GetName)
+{
+    std::string path(GetTestFilePath());
+    FileInputStream fis = FileInputStream(path);
+    const std::string &name = fis.GetName();
+    ASSERT_EQ(name, path);
+}
+
+TEST(FileIO, Eof)
+{
+    std::string path(GetTestFilePath());
+    FileInputStream fis = FileInputStream(path);
+
+    // Initially not at EOF
+    ASSERT_FALSE(fis.Eof());
+
+    // Read all content
+    // NOTE EOF/FAIL bit get cleared inside this function
+    std::string content = fis.ReadAll();
+    EXPECT_FALSE(content.empty());
+}
+
+TEST(FileIO, SeekgAndTellg)
+{
+    std::string path(GetTestFilePath());
+    FileInputStream fis = FileInputStream(path);
+
+    // Get initial position
+    size_t initialPos = fis.Tellg();
+    ASSERT_EQ(initialPos, static_cast<size_t>(0));
+
+    // Read part of the file
+    std::string content;
+    fis.GetLine(&content, '\n');
+
+    // Get current position
+    size_t currentPos = fis.Tellg();
+    ASSERT_GT(currentPos, initialPos);
+
+    // Seek back to beginning
+    fis.Seekg(0);
+    size_t newPos = fis.Tellg();
+    ASSERT_EQ(newPos, static_cast<size_t>(0));
+}
+
+TEST(FileIO, TransferTo)
+{
+    std::string path(GetTestFilePath());
+    FileInputStream fis = FileInputStream(path);
+
+    std::ostringstream oss;
+    fis.TransferTo(oss);
+
+    ASSERT_EQ(oss.str(), TEST_FILE_CONTENT);
+}
+
+TEST(FileIO, GetLine)
+{
+    std::string path(GetTestFilePath());
+    FileInputStream fis = FileInputStream(path);
+
+    std::string line;
+    fis.GetLine(&line, '\n');
+
+    ASSERT_EQ(line, "this is a test file.");
+}
+
+TEST(FileIO, Spawn)
+{
+    std::string path(GetTestFilePath());
+    FileInputStream fis = FileInputStream(path);
+
+    // Save current position
+    size_t originalPos = fis.Tellg();
+
+    // Spawn a new stream from current position
+    auto spawnedStream = fis.Spawn();
+
+    // Both streams should be at same position
+    ASSERT_EQ(spawnedStream->Tellg(), originalPos);
+
+    // Original stream should still work
+    std::string line;
+    fis.GetLine(&line, '\n');
+    EXPECT_EQ(line, "this is a test file.");
+}
+
+TEST(FileIO, FileStreamOperators)
+{
+    std::string path(GetTestFilePath());
+    FileInputStream fis = FileInputStream(path);
+
+    // Test boolean conversion operators
+    ASSERT_TRUE(static_cast<bool>(fis));
+    ASSERT_FALSE(!fis);
+
+    // Test with invalid file (should throw)
+    try {
+        FileInputStream invalidFis("nonexistent_file.txt");
+        FAIL() << "Should have thrown exception";
+    } catch (...) {
+        // Excepted
+    }
+}
+
+TEST(FileIO, FileInputStreamRead)
+{
+    std::string path(GetTestFilePath());
+    FileInputStream fis = FileInputStream(path);
+    size_t length = TEST_FILE_CONTENT.size();
+    // Test Read method with buffer
+    char buffer[MAX_BYTES_LENGTH];
+    fis.Read(buffer, length);
+
+    std::string content(buffer, length);
+    ASSERT_EQ(content, TEST_FILE_CONTENT);
+    fis.Close();
+}
+
+TEST(FileIO, FileOutputStreamConstructAndDestroy)
+{
+    std::string tempPath = GetTempFilePath("_construct");
+
+    // Test construction with trunc=true (default)
+    {
+        FileOutputStream fos(tempPath, true);
+        ASSERT_EQ(fos.GetName(), tempPath);
+    }
+
+    // Verify file was created
+    std::ifstream testFile(tempPath);
+    ASSERT_TRUE(testFile.good());
+    testFile.close();
+
+    // Test construction with trunc=false (append mode)
+    {
+        FileOutputStream fos(tempPath, false);
+        ASSERT_EQ(fos.GetName(), tempPath);
+    }
+
+    // Clean up
+    std::filesystem::remove(tempPath);
+}
+
+TEST(FileIO, FileOutputStreamWrite)
+{
+    std::string tempPath = GetTempFilePath("_write");
+
+    {
+        FileOutputStream fos(tempPath);
+
+        // Test Write with buffer
+        const char *testData = "Hello World!";
+        fos.Write(testData, strlen(testData));
+
+        // Test Write with string_view
+        std::string_view testStr = "Test string";
+        fos.Write(testStr);
+
+        // Test Write with string
+        std::string testStr2 = "Another test";
+        fos.Write(testStr2.data(), testStr2.size());
+    }
+
+    // Verify content was written
+    std::ifstream testFile(tempPath);
+    std::ostringstream oss;
+    oss << testFile.rdbuf();
+    std::string content = oss.str();
+
+    ASSERT_NE(content.find("Hello World!"), std::string::npos);
+    ASSERT_NE(content.find("Test string"), std::string::npos);
+    ASSERT_NE(content.find("Another test"), std::string::npos);
+
+    testFile.close();
+    std::filesystem::remove(tempPath);
+}
+
+TEST(FileIO, FileOutputStreamTellpAndFlush)
+{
+    std::string tempPath = GetTempFilePath("_tellp");
+
+    {
+        FileOutputStream fos(tempPath);
+
+        // Initial position should be 0
+        size_t initialPos = fos.Tellp();
+        ASSERT_EQ(initialPos, static_cast<size_t>(0));
+
+        // Write some data
+        const char *testData = "Test data";
+        fos.Write(testData, strlen(testData));
+
+        // Position should be advanced
+        size_t afterWritePos = fos.Tellp();
+        ASSERT_EQ(afterWritePos, strlen(testData));
+
+        // Test flush
+        fos.Flush();
+    }
+
+    // Verify content was written
+    std::ifstream testFile(tempPath);
+    std::ostringstream oss;
+    oss << testFile.rdbuf();
+    std::string content = oss.str();
+
+    ASSERT_EQ(content, "Test data");
+
+    testFile.close();
+    std::filesystem::remove(tempPath);
+}
+
+TEST(FileIO, FileOutputStreamClose)
+{
+    std::string tempPath = GetTempFilePath("_close");
+
+    {
+        FileOutputStream fos(tempPath);
+        const char *testData = "Test data";
+        fos.Write(testData, strlen(testData));
+    }
+
+    // File should be closed and accessible
+    std::ifstream testFile(tempPath);
+    ASSERT_TRUE(testFile.good());
+
+    std::string content((std::istreambuf_iterator<char>(testFile)), std::istreambuf_iterator<char>());
+
+    ASSERT_EQ(content, "Test data");
+
+    testFile.close();
+    std::filesystem::remove(tempPath);
+}
+
+TEST(FileIO, FileOutputStreamIsStreaming)
+{
+    ASSERT_FALSE(FileOutputStream::IsStreaming());
+}
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/utils/foreign_mounter.cpp b/virtrust/src/virtrust/utils/foreign_mounter.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..c9ba75d39f2d78c259c7a2fbe30094db462d6132
--- /dev/null
+++ b/virtrust/src/virtrust/utils/foreign_mounter.cpp
@@ -0,0 +1,371 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#include "virtrust/utils/foreign_mounter.h"
+
+#include <cstring>
+#include <string>
+#include <string_view>
+
+#include "spdlog/fmt/fmt.h"
+
+#include "virtrust/base/logger.h"
+#include "virtrust/base/str_utils.h"
+#include "virtrust/crypto/sm3.h"
+#include "virtrust/dllib/common.h"
+
+namespace virtrust {
+
+namespace {
+constexpr std::string_view DEFAULT_SHIM_EFI_REGEX_PATH = "/boot/efi/EFI/{}/shimaa64.efi";
+constexpr std::string_view DEFAULT_GRUB_EFI_REGEX_PATH = "/boot/efi/EFI/{}/grubaa64.efi";
+constexpr std::string_view DEFAULT_GRUB_CFG_REGEX_PATH = "/boot/efi/EFI/{}/grub.cfg";
+constexpr std::string_view DEFAULT_BOOT_PATH = "/boot";
+constexpr std::string_view DEFAULT_INITRD_PREFIX = "initrd";
+constexpr std::string_view DEFAULT_LINUZ_PREFIX = "linux";
+constexpr char PATH_SEPARATOR = '/';
+constexpr std::string_view BACKEND_VALUE = "direct";
+
+inline ForeignMounterRc ParseRc(DllibRc rc)
+{
+    switch (rc) {
+        case DllibRc::OK:
+            return ForeignMounterRc::OK;
+        default:
+            return ForeignMounterRc::ERROR;
+    }
+}
+
+std::string LinuxDistroToString(LinuxDistro distro)
+{
+    switch (distro) {
+        case LinuxDistro::OPENEULER:
+            return "openEuler";
+        case LinuxDistro::CENTOS:
+            return "centos";
+        case LinuxDistro::UBUNTU:
+            return "ubuntu";
+        case LinuxDistro::DEBIAN:
+            return "debian";
+        case LinuxDistro::FEDORA:
+            return "fedora";
+        default:
+            return "unknown";
+    }
+}
+
+size_t CountStrings(char **strs)
+{
+    size_t c = 0;
+    if (strs != nullptr) {
+        while (strs[c] != nullptr) {
+            c++;
+        }
+    }
+    return c;
+}
+
+void GuestfsFreeStringList(char **strs)
+{
+    if (strs == nullptr) {
+        return;
+    }
+    for (size_t i = 0; strs[i] != nullptr; ++i) {
+        free(strs[i]);
+    }
+    free(strs);
+}
+} // namespace
+
+VerifyConfig::VerifyConfig(const std::string &guestName, const std::string &diskPath, const std::string &loaderPath,
+                           const LinuxDistro distro)
+    : guestName_(guestName), diskPath_(diskPath), loaderPath_(loaderPath), linuxDistro_(distro)
+{}
+
+std::string VerifyConfig::GetGuestName()
+{
+    return guestName_;
+}
+
+std::string VerifyConfig::GetDiskPath()
+{
+    return diskPath_;
+}
+
+std::string VerifyConfig::GetLoaderPath()
+{
+    return loaderPath_;
+}
+
+std::string VerifyConfig::GetShimPath()
+{
+    if (shimPath_.empty()) {
+        shimPath_ = fmt::format(DEFAULT_SHIM_EFI_REGEX_PATH, LinuxDistroToString(linuxDistro_));
+    }
+    return shimPath_;
+}
+
+std::string VerifyConfig::GetGrubPath()
+{
+    if (grubPath_.empty()) {
+        grubPath_ = fmt::format(DEFAULT_GRUB_EFI_REGEX_PATH, LinuxDistroToString(linuxDistro_));
+    }
+    return grubPath_;
+}
+
+std::string VerifyConfig::GetGrubCfgPath()
+{
+    if (grubCfgPath_.empty()) {
+        grubCfgPath_ = fmt::format(DEFAULT_GRUB_CFG_REGEX_PATH, LinuxDistroToString(linuxDistro_));
+    }
+    return grubCfgPath_;
+}
+
+std::string VerifyConfig::GetInitrdPath()
+{
+    return initrdPath_;
+}
+
+std::string VerifyConfig::GetLinuzPath()
+{
+    return linuzPath_;
+}
+
+void VerifyConfig::ParseGrubCfgContent(const std::string &content)
+{
+    std::istringstream iss(content);
+    std::string line;
+    bool findInitrd = false;
+    bool findLinuz = false;
+    while (std::getline(iss, line)) {
+        line = StrTrimWhitespace(line);
+        if (line.empty()) {
+            continue;
+        }
+        // find line which starts with "initrd" or "linux"
+        if (StrStartsWith(line, DEFAULT_INITRD_PREFIX)) {
+            initrdPath_ = ParseGrubCfgLine(line);
+            if (initrdPath_.empty()) {
+                VIRTRUST_LOG_ERROR("|ParseGrubCfgContent|END|||Get initrd path from grub.cfg failed.");
+                return;
+            }
+            findInitrd = true;
+        } else if (StrStartsWith(line, DEFAULT_LINUZ_PREFIX)) {
+            linuzPath_ = ParseGrubCfgLine(line);
+            if (linuzPath_.empty()) {
+                VIRTRUST_LOG_ERROR("|ParseGrubCfgContent|END|||Get linuz path from grub.cfg failed.");
+                return;
+            }
+            findLinuz = true;
+        }
+        // found all
+        if (findInitrd && findLinuz) {
+            return;
+        }
+    }
+}
+
+std::string VerifyConfig::ParseGrubCfgLine(const std::string &line)
+{
+    constexpr int lineSplitLimit = 2;
+
+    auto parts = StrSplit(line);
+    // if there are fewer than two substrings
+    if (parts.size() < lineSplitLimit) {
+        return "";
+    }
+    // the second substring is file name or path
+    std::string filename = parts[1];
+
+    // NOTE by cjm. We should check if the path is absolute
+    // prefix already exists
+    if (StrStartsWith(filename, DEFAULT_BOOT_PATH)) {
+        return filename;
+    }
+    // add prefix
+    return fmt::format("{}/{}", DEFAULT_BOOT_PATH, StrTrim(filename, PATH_SEPARATOR));
+}
+
+ForeignMounterRc ForeignMounter::TryInit()
+{
+    if (libguestfs_.CheckOk() != DllibRc::OK) {
+        return ParseRc(libguestfs_.Reload());
+    }
+
+    if (handle_ == nullptr) {
+        handle_ = libguestfs_.guestfs_create();
+    }
+
+    if (handle_ == nullptr) {
+        VIRTRUST_LOG_ERROR("|TryInit|END|returnF||Failed to create the guestfs handle.");
+        return ForeignMounterRc::ERROR;
+    }
+    return ForeignMounterRc::OK;
+}
+
+ForeignMounterRc ForeignMounter::Mount(std::string_view imgPath, size_t osIndex)
+{
+    // Check whether our dllib has been successfully loaded
+    if (!CheckOk()) {
+        return ForeignMounterRc::ERROR;
+    }
+
+    auto res = libguestfs_.guestfs_set_backend(handle_, BACKEND_VALUE.data());
+    if (res == -1) {
+        VIRTRUST_LOG_ERROR("|Mount|END|returnF||Guestfs set backend failed.");
+        return ForeignMounterRc::ERROR;
+    }
+
+    struct guestfs_add_drive_opts_argv optargs = {
+        .bitmask = GUESTFS_ADD_DRIVE_OPTS_FORMAT_BITMASK | GUESTFS_ADD_DRIVE_OPTS_CACHEMODE_BITMASK,
+        .format = "qcow2",
+        .cachemode = "unsafe" // quick but unsafe
+    };
+    // Load qcow2 format image from imgPath
+    // see: https://gitee.com/openeuler/qemu/issues/IADWBA
+    res = libguestfs_.guestfs_add_drive_opts_argv(handle_, imgPath.data(), optargs);
+    if (res == -1) {
+        VIRTRUST_LOG_ERROR("|Mount|END|returnF||Guestfs adds drive opts failed.");
+        return ForeignMounterRc::ERROR;
+    }
+
+    res = libguestfs_.guestfs_launch(handle_);
+    if (res == -1) {
+        VIRTRUST_LOG_ERROR("|Mount|END|returnF||Guestfs launch failed.");
+        return ForeignMounterRc::ERROR;
+    }
+
+    char **roots = libguestfs_.guestfs_inspect_os(handle_);
+    if (roots == nullptr) {
+        VIRTRUST_LOG_ERROR("|Mount|END|returnF||No operating system found in image.");
+        return ForeignMounterRc::ERROR;
+    }
+
+    size_t osCnt = CountStrings(roots);
+    if (osIndex >= osCnt) {
+        VIRTRUST_LOG_ERROR("|Mount|END|returnF||There are {} os in image, index out of range: {}.", osCnt, osIndex);
+        return ForeignMounterRc::ERROR;
+    }
+
+    char *root = roots[osIndex];
+    ForeignMounterRc rc = MountFilesystems(root);
+    GuestfsFreeStringList(roots);
+
+    if (rc == ForeignMounterRc::OK) {
+        isMount_ = true;
+    }
+    return rc;
+}
+
+ForeignMounterRc ForeignMounter::MountFilesystems(const std::string &root)
+{
+    // collect mountpoints and devices
+    char **mountpoints = libguestfs_.guestfs_inspect_get_mountpoints(handle_, root.c_str());
+    if (mountpoints == nullptr) {
+        VIRTRUST_LOG_ERROR("|MountFilesystems|END|returnF||Get mountpoints failed.");
+        return ForeignMounterRc::ERROR;
+    }
+    std::vector<MounterInfo> mps;
+    constexpr int stepLen = 2;
+    for (int i = 0; mountpoints[i] != nullptr && mountpoints[i + 1] != nullptr; i += stepLen) {
+        mps.push_back(MounterInfo{mountpoints[i], mountpoints[i + 1], StrCountChar(mountpoints[i], PATH_SEPARATOR)});
+    }
+
+    // sort by directory level in ascending
+    std::sort(mps.begin(), mps.end(), [](auto &a, auto &b) {
+        return a.dirLevel != b.dirLevel ? a.dirLevel < b.dirLevel : a.mpt.size() < b.mpt.size();
+    });
+
+    // mount all file system
+    for (auto &mp : mps) {
+        auto &mountpoint = mp.mpt;
+        auto &device = mp.device;
+        // mount device to mountpoint
+        int ret = libguestfs_.guestfs_mount_ro(handle_, device.c_str(), mountpoint.c_str());
+        if (ret == -1) {
+            VIRTRUST_LOG_ERROR("|MountFilesystems|END|returnF||Mount {} to {} failed.", device, mountpoint);
+            return ForeignMounterRc::ERROR;
+        }
+    }
+
+    GuestfsFreeStringList(mountpoints);
+    return ForeignMounterRc::OK;
+}
+
+ForeignMounterRc ForeignMounter::ReadFile(std::string_view filePath, std::string &fileContent)
+{
+    if (!isMount_) {
+        VIRTRUST_LOG_ERROR("|ReadFile|END|||The image has not been loaded.");
+        return ForeignMounterRc::ERROR;
+    }
+
+    // check file whether exist in image
+    int exists = libguestfs_.guestfs_exists(handle_, filePath.data());
+    if (exists != 1) {
+        VIRTRUST_LOG_WARN("|ReadFile|END||file path is: {}|File not exist in image.", filePath);
+        return ForeignMounterRc::FILE_NOT_EXIST;
+    }
+
+    // check whether is a file
+    int isFile = libguestfs_.guestfs_is_file(handle_, filePath.data());
+    if (isFile != 1) {
+        VIRTRUST_LOG_ERROR("|ReadFile|END|||file path is: {}|It is not a file.", filePath);
+        return ForeignMounterRc::ERROR;
+    }
+
+    // read content
+    size_t size;
+    char *content = libguestfs_.guestfs_read_file(handle_, filePath.data(), &size);
+    if (content == nullptr) {
+        VIRTRUST_LOG_ERROR("|ReadFile|END|||file path is: {}|Read this file failed.", filePath);
+        return ForeignMounterRc::ERROR;
+    }
+
+    fileContent = std::string(content, size);
+    free(content);
+    return ForeignMounterRc::OK;
+}
+
+ForeignMounterRc ForeignMounter::DoSm3OnVmFile(std::string_view filePath, std::vector<uint8_t> &sm3Data)
+{
+    std::string fileContent;
+    ForeignMounterRc rc = ReadFile(filePath, fileContent);
+    if (rc == ForeignMounterRc::FILE_NOT_EXIST) {
+        return rc;
+    }
+
+    if (rc != ForeignMounterRc::OK) {
+        VIRTRUST_LOG_ERROR("|DoSm3OnVmFile|END|returnF||Read file failed: {}.", filePath);
+        return ForeignMounterRc::ERROR;
+    }
+    if (virtrust::DoSm3(fileContent, sm3Data) != Sm3Rc::OK) {
+        return ForeignMounterRc::ERROR;
+    }
+    return ForeignMounterRc::OK;
+}
+
+ForeignMounterRc ForeignMounter::Unmount() noexcept
+{
+    if (handle_ == nullptr) {
+        return ForeignMounterRc::OK;
+    }
+    isMount_ = false;
+    if (libguestfs_.guestfs_umount_all(handle_) == -1) {
+        VIRTRUST_LOG_ERROR("|Unmount|END|||Guestfs umount all failed.");
+        return ForeignMounterRc::ERROR;
+    }
+    return ForeignMounterRc::OK;
+}
+
+ForeignMounterRc ForeignMounter::EnableStrErrTrace()
+{
+    return libguestfs_.guestfs_set_trace(handle_, 1) == 0 ? ForeignMounterRc::OK : ForeignMounterRc::ERROR;
+}
+
+ForeignMounterRc ForeignMounter::DisableStrErrTrace()
+{
+    return libguestfs_.guestfs_set_trace(handle_, 0) == 0 ? ForeignMounterRc::OK : ForeignMounterRc::ERROR;
+}
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/utils/foreign_mounter.h b/virtrust/src/virtrust/utils/foreign_mounter.h
new file mode 100644
index 0000000000000000000000000000000000000000..c4da9cbb6f050bc6269b26706f9821cd3ce9440a
--- /dev/null
+++ b/virtrust/src/virtrust/utils/foreign_mounter.h
@@ -0,0 +1,123 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#pragma once
+
+#include <string>
+#include <string_view>
+
+#include "virtrust/base/logger.h"
+#include "virtrust/dllib/libguestfs.h"
+
+namespace virtrust {
+
+enum class LinuxDistro { OPENEULER, CENTOS, UBUNTU, DEBIAN, FEDORA };
+
+class VerifyConfig {
+public:
+    VerifyConfig() = default;
+
+    VerifyConfig(const std::string &guestName, const std::string &diskPath, const std::string &loaderPath,
+                 LinuxDistro distro = LinuxDistro::OPENEULER);
+
+    std::string GetGuestName();
+    std::string GetDiskPath();
+    std::string GetLoaderPath();
+    std::string GetShimPath();
+    std::string GetGrubPath();
+    std::string GetGrubCfgPath();
+    std::string GetInitrdPath();
+    std::string GetLinuzPath();
+
+    void ParseGrubCfgContent(const std::string &content);
+
+private:
+    std::string guestName_;
+    std::string diskPath_;
+    std::string loaderPath_;
+    std::string shimPath_;
+    std::string grubPath_;
+    std::string grubCfgPath_;
+    std::string initrdPath_;
+    std::string linuzPath_;
+    LinuxDistro linuxDistro_;
+
+    std::string ParseGrubCfgLine(const std::string &line);
+};
+
+enum class ForeignMounterRc : uint32_t {
+    OK = 0,
+    ERROR = 1,
+    FILE_NOT_EXIST = 2,
+};
+
+struct MounterInfo {
+    std::string mpt;    // mount point
+    std::string device; // mount device
+    size_t dirLevel;
+};
+
+class ForeignMounter {
+public:
+    ForeignMounter()
+    {
+        // try to init handle, discarding the return process
+        TryInit();
+    };
+
+    ~ForeignMounter() noexcept
+    {
+        Unmount();
+        if (handle_ != nullptr) {
+            libguestfs_.guestfs_close(handle_);
+            handle_ = nullptr;
+        }
+    };
+
+    ForeignMounter(const ForeignMounter &) = delete;
+    ForeignMounter &operator=(const ForeignMounter &) = delete;
+    ForeignMounter(ForeignMounter &&) = delete;
+    ForeignMounter &operator=(ForeignMounter &&) = delete;
+
+    // low-level api, try to initialize handle
+    ForeignMounterRc TryInit();
+
+    // Mount virtual machine img path to filesystem
+    ForeignMounterRc Mount(std::string_view imgPath, size_t osIndex = 0);
+
+    // Read file content to string
+    ForeignMounterRc ReadFile(std::string_view filePath, std::string &content);
+
+    // Get file sm3
+    ForeignMounterRc DoSm3OnVmFile(std::string_view filePath, std::vector<uint8_t> &sm3Data);
+
+    // Unmount
+    ForeignMounterRc Unmount() noexcept;
+
+    // Check if everything is okay
+    bool CheckOk()
+    {
+        return handle_ != nullptr && libguestfs_.CheckOk() == DllibRc::OK;
+    }
+
+    bool CheckMount() const
+    {
+        return isMount_;
+    }
+
+    // Enable trace from libguestfs
+    ForeignMounterRc EnableStrErrTrace();
+
+    // Disable trace from libguestfs
+    ForeignMounterRc DisableStrErrTrace();
+
+private:
+    bool isMount_ = false;
+    guestfs_h *handle_ = nullptr;
+    Libguestfs &libguestfs_ = Libguestfs::GetInstance();
+
+    ForeignMounterRc MountFilesystems(const std::string &root);
+};
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/utils/foreign_mounter_test.cpp b/virtrust/src/virtrust/utils/foreign_mounter_test.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..b11968caa10eec1cf032078de9eef49a3aa9e1e6
--- /dev/null
+++ b/virtrust/src/virtrust/utils/foreign_mounter_test.cpp
@@ -0,0 +1,78 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+ */
+
+#include <filesystem>
+#include <fstream>
+
+#include "gtest/gtest.h"
+
+#include "virtrust/utils/file_io.h"
+#include "virtrust/utils/foreign_mounter.h"
+
+namespace virtrust::test {
+
+namespace {
+constexpr std::string_view IMAGE_PATH = "/data/openEuler-24.03-LTS-SP1-aarch64.gcow2";
+constexpr std::string_view VM_FILE_PATH = "/root/vnTestFile.txt";
+constexpr std::string_view VM_FILE_CONTENT = "This is a file in VM.\n";
+} // namespace
+
+namespace {
+constexpr std::string_view TEST_INITRD_PATH = "/boot/initramfs-5.10.0-60.18.0.50.oe1.x86_64.img";
+constexpr std::string_view TEST_LINUZ_PATH = "/boot/vmlinuz-5.10.0-60.18.0.50.oe1.x86_64";
+std::string GetTestFilePath()
+{
+    auto filePath = std::filesystem::path(__FILE__);
+    return (filePath / ".." / ".." / ".." / ".." / "test" / "data" / "grub.cfg").lexically_normal().string();
+}
+} // namespace
+
+TEST(VerifyConfig, Works)
+{
+    std::string filePath(GetTestFilePath());
+    FileInputStream fis(filePath);
+
+    VerifyConfig config;
+    config.ParseGrubCfgContent(fis.ReadAll());
+
+    EXPECT_EQ(config.GetInitrdPath(), TEST_INITRD_PATH);
+
+    EXPECT_EQ(config.GetLinuzPath(), TEST_LINUZ_PATH);
+}
+
+TEST(DISABLED_ForeignMounterTest, Works)
+{
+    auto mounter = ForeignMounter();
+    EXPECT_TRUE(mounter.CheckOk());
+
+    ForeignMounterRc rc;
+
+    rc = mounter.EnableStrErrTrace();
+    EXPECT_EQ(rc, ForeignMounterRc::OK);
+
+    rc = mounter.DisableStrErrTrace();
+    EXPECT_EQ(rc, ForeignMounterRc::OK);
+}
+
+TEST(DISABLED_ForeignMounterTest, Mount)
+{
+    auto mounter = ForeignMounter();
+    EXPECT_TRUE(mounter.CheckOk());
+
+    ForeignMounterRc rc;
+
+    rc = mounter.TryInit();
+    EXPECT_EQ(rc, ForeignMounterRc::OK);
+
+    rc = mounter.Mount(IMAGE_PATH);
+    EXPECT_EQ(rc, ForeignMounterRc::OK);
+
+    std::string content;
+    mounter.ReadFile(VM_FILE_PATH, content);
+    EXPECT_EQ(content, VM_FILE_CONTENT);
+
+    rc = mounter.Unmount();
+    EXPECT_EQ(rc, ForeignMounterRc::OK);
+}
+} // namespace virtrust::test
\ No newline at end of file
diff --git a/virtrust/src/virtrust/utils/migrate_helper.cpp b/virtrust/src/virtrust/utils/migrate_helper.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..61d241bd4e886960b7897a46606895c202adb5da
--- /dev/null
+++ b/virtrust/src/virtrust/utils/migrate_helper.cpp
@@ -0,0 +1,7 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#include "virtrust/utils/migrate_helper.h"
+
+namespace virtrust {} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/utils/migrate_helper.h b/virtrust/src/virtrust/utils/migrate_helper.h
new file mode 100644
index 0000000000000000000000000000000000000000..52faf356327717ddb44f95f87013988cdc367936
--- /dev/null
+++ b/virtrust/src/virtrust/utils/migrate_helper.h
@@ -0,0 +1,46 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#pragma once
+
+#include <string>
+#include <utility>
+
+#include "virtrust/api/context.h"
+
+namespace virtrust {
+
+class MigrateHelper {
+public:
+    explicit MigrateHelper() = default;
+    ~MigrateHelper() = default;
+
+    explicit MigrateHelper(std::string destUri) : destUri_(std::move(destUri))
+    {}
+
+    void SetDstUri(const std::string &destUri)
+    {
+        destUri_ = destUri;
+    }
+
+    std::string GetDstUri()
+    {
+        return destUri_;
+    }
+
+    // step 1: get report that the hardware is okay
+    void GetReport();
+
+    // step 2: get the private shared key pair
+    void GetKey();
+
+    // step 3: key exchange to get a shared key
+    void ExchangeKey();
+
+private:
+    ConnCtx conn_;
+    std::string destUri_;
+};
+
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/utils/migrate_helper_test.cpp b/virtrust/src/virtrust/utils/migrate_helper_test.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..0a0e8c353ec4eaa11d996965e5530ec9e32645c9
--- /dev/null
+++ b/virtrust/src/virtrust/utils/migrate_helper_test.cpp
@@ -0,0 +1,191 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+ */
+
+#include <filesystem>
+#include <string>
+
+#include "gtest/gtest.h"
+
+#include "virtrust/base/logger.h"
+#include "virtrust/utils/file_io.h"
+#include "virtrust/utils/foreign_mounter.h"
+#include "virtrust/utils/migrate_helper.h"
+#include "virtrust/utils/virt_xml_parser.h"
+
+namespace virtrust {
+
+namespace {
+std::string GetTestFilePath()
+{
+    // Get the project root path (which is the directory)
+    auto filePath = std::filesystem::path(__FILE__);
+    return (filePath / ".." / ".." / ".." / ".." / "test" / "data" / "test.txt").lexically_normal().string();
+}
+
+const std::string TEST_XML_CONTENT = R"(<?xml version='1.0' encoding="UTF-8"?>
+<domain type='kvm'>
+  <name>test-domain</name>
+  <memory unit='KiB'>1048576</memory>
+  <vcpu placement='static'>2</vcpu>
+  <os>
+    <type arch='x86_64'>hvm</type>
+  </os>
+</domain>)";
+
+} // namespace
+
+TEST(UtilsTest, FileIoWorks)
+{
+    std::string path(GetTestFilePath());
+    FileInputStream fis = FileInputStream(path);
+    std::string connent = fis.ReadAll();
+    EXPECT_FALSE(connent.empty());
+}
+
+TEST(UtilsTest, FileIoReadALL)
+{
+    std::string path(GetTestFilePath());
+    FileInputStream fis = FileInputStream(path);
+    std::string connent = fis.ReadAll();
+    EXPECT_FALSE(connent.empty());
+}
+
+TEST(UtilsTest, FileIoGetLength)
+{
+    std::string path(GetTestFilePath());
+    FileInputStream fis = FileInputStream(path);
+    size_t length = fis.GetLength();
+    EXPECT_GT(length, static_cast<size_t>(0));
+}
+
+TEST(UtilsTest, FileIoGetName)
+{
+    std::string path(GetTestFilePath());
+    FileInputStream fis = FileInputStream(path);
+    const std::string &name = fis.GetName();
+    EXPECT_EQ(name, path);
+}
+
+TEST(UtilsTest, FileIoEof)
+{
+    std::string path(GetTestFilePath());
+    FileInputStream fis = FileInputStream(path);
+
+    // Initially not at EOF
+    EXPECT_FALSE(fis.Eof());
+
+    // Read all content
+    std::string content = fis.ReadAll();
+    EXPECT_FALSE(content.empty());
+}
+
+TEST(UtilsTest, FileIoSeekgAndTellg)
+{
+    std::string path(GetTestFilePath());
+    FileInputStream fis = FileInputStream(path);
+
+    // Get initial position
+    size_t initialPos = fis.Tellg();
+    EXPECT_EQ(initialPos, static_cast<size_t>(0));
+
+    // Read part of the file
+    std::string content;
+    fis.GetLine(&content, '\n');
+
+    // Get current position
+    size_t currentPos = fis.Tellg();
+    EXPECT_GT(currentPos, initialPos);
+
+    // Seek back to beginning
+    fis.Seekg(0);
+    size_t newPos = fis.Tellg();
+    EXPECT_EQ(newPos, static_cast<size_t>(0));
+}
+
+TEST(UtilsTest, FileIoTransferTo)
+{
+    std::string path(GetTestFilePath());
+    FileInputStream fis = FileInputStream(path);
+
+    std::ostringstream oss;
+    fis.TransferTo(oss);
+
+    EXPECT_FALSE(oss.str().empty());
+}
+
+TEST(UtilsTest, FileIoGetLine)
+{
+    std::string path(GetTestFilePath());
+    FileInputStream fis = FileInputStream(path);
+
+    std::string line;
+    fis.GetLine(&line, '\n');
+
+    EXPECT_FALSE(line.empty());
+}
+
+TEST(UtilsTest, FileIoGetSpawn)
+{
+    std::string path(GetTestFilePath());
+    FileInputStream fis = FileInputStream(path);
+
+    // Save current position
+    size_t originalPos = fis.Tellg();
+
+    // Spawn a new stream from current position
+    auto spawnedStream = fis.Spawn();
+
+    // Both streams should be at same position
+    ASSERT_EQ(spawnedStream->Tellg(), originalPos);
+
+    // Original stream should still work
+    std::string line;
+    fis.GetLine(&line, '\n');
+    EXPECT_FALSE(line.empty());
+}
+
+TEST(UtilsTest, FileIoFileStreamOperators)
+{
+    std::string path(GetTestFilePath());
+    FileInputStream fis = FileInputStream(path);
+
+    // Test boolean conversion operators
+    EXPECT_TRUE(static_cast<bool>(fis));
+    EXPECT_FALSE(!fis);
+
+    // Test with invalid file (should not throw in constructor but fail on usage)
+    try {
+        FileInputStream invalidFis("nonexistent_file.txt");
+        // Just test that construction didn't crash, but subsequent operations should fail
+    } catch (...) {
+        // Excepted
+    }
+}
+
+TEST(UtilsTest, ForeignMounter)
+{
+    // This is a placeholder test - the actual implementation might depend on
+    // system-specific mount points which are not available in test environment
+    // We mainly test taht the class can be instantiated and basic operations work
+
+    // Test defaulf construstor - wrap in try-catch to handle missing libraries
+    try {
+        ForeignMounter mounter;
+        EXPECT_TRUE(true); // Basic check taht it compiles and can be constructed
+    } catch (...) {
+        // Expected when libguestfs library is not available
+        EXPECT_TRUE(true); // Test passes if we can handle the missing library gracefully
+    }
+}
+
+TEST(UtilsTest, MigrateHelper)
+{
+    // This is a placeholder test - the actual implementation might depend on
+    // complex migration operations that are hard to test without proper environment
+
+    // Test defaulf construstor
+    MigrateHelper helper;
+    EXPECT_TRUE(true); // Basic check taht it compiles and can be constructed
+}
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/utils/smart_deleter.h b/virtrust/src/virtrust/utils/smart_deleter.h
new file mode 100644
index 0000000000000000000000000000000000000000..145e365c19532eeba647dec3f76971c40981cbaf
--- /dev/null
+++ b/virtrust/src/virtrust/utils/smart_deleter.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#pragma once
+
+namespace virtrust {
+
+template <class T> class SmartDeleter {
+public:
+    SmartDeleter()
+    {
+        core_ = nullptr;
+    }
+
+    explicit SmartDeleter(T *ptr)
+    {
+        core_ = ptr;
+    }
+
+    T *Get() const
+    {
+        return core_;
+    }
+
+protected:
+    T *core_ = nullptr;
+};
+
+#define VIRTRUST_MAKE_DESTRUCTOR(NAME, DELETER) \
+    ~NAME()                                     \
+    {                                           \
+        if (this->core_ != nullptr) {           \
+            DELETER(this->core_);               \
+            this->core_ = nullptr;              \
+        }                                       \
+    }
+
+#define CONCAT_IMPL(x, y) x##y
+#define CONCAT(x, y) CONCAT_IMPL(x, y)
+
+#define VIRTRUST_MAKE_SMART(T, DELETER)                                 \
+    class CONCAT(Smart, T) : public SmartDeleter<T> {                   \
+    public:                                                             \
+        using SmartDeleter<T>::SmartDeleter;                            \
+        CONCAT(Smart, T)(const CONCAT(Smart, T) &) = delete;            \
+        CONCAT(Smart, T) &operator=(const CONCAT(Smart, T) &) = delete; \
+        VIRTRUST_MAKE_DESTRUCTOR(CONCAT(Smart, T), DELETER)             \
+    }
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/utils/virt_xml_parser.cpp b/virtrust/src/virtrust/utils/virt_xml_parser.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..2f39e442b684f2e3d5c014a0d584fe359483ff4f
--- /dev/null
+++ b/virtrust/src/virtrust/utils/virt_xml_parser.cpp
@@ -0,0 +1,173 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#include "virtrust/utils/virt_xml_parser.h"
+
+#include <filesystem>
+
+namespace virtrust {
+
+namespace {
+constexpr std::string_view VIRT_XML_DISK_PATH = "/domain/devices/disk/source";
+const xmlChar VIRT_XML_FILE_PROP[] = "file";
+constexpr std::string_view VIRT_XML_LOADER_PATH = "/domain/os/loader";
+constexpr std::string_view VIRT_XML_NAME_PATH = "/domain/name";
+constexpr std::string_view PATH_SEPARATOR = "/";
+} // namespace
+
+void VirtXmlParser::SearchCurrLevel(std::vector<xmlNodePtr> &currLevel, std::vector<xmlNodePtr> &nextLevel,
+                                    const std::string &nodeName)
+{
+    for (xmlNodePtr parent : currLevel) {
+        for (xmlNodePtr node = parent->children; node != nullptr; node = node->next) {
+            bool pathMatch = node->type == XML_ELEMENT_NODE && nodeName == MakeString(node->name);
+            if (pathMatch) {
+                nextLevel.push_back(node);
+            }
+        }
+    }
+}
+
+std::vector<xmlNodePtr> VirtXmlParser::FindNodesByPath(std::string_view absPath)
+{
+    std::vector<xmlNodePtr> ret;
+    auto root = libxml2_.xmlDocGetRootElement(doc_);
+    if (root == nullptr) {
+        VIRTRUST_LOG_ERROR("|FindNodesByPath|END|||Get xml root node failed.");
+        return ret;
+    }
+    if (absPath.empty()) {
+        VIRTRUST_LOG_ERROR("|FindNodesByPath|END|||Input path is empty.");
+        return ret;
+    }
+    if (absPath[0] != '/') {
+        VIRTRUST_LOG_ERROR("|FindNodesByPath|END||file path: {}|It's not a absolutely path.", absPath);
+        return ret;
+    }
+
+    std::vector<std::string> parts = StrSplit(StrTrim(std::string(absPath), PATH_SEPARATOR[0]), PATH_SEPARATOR);
+
+    std::vector<xmlNodePtr> currLevel = {root};
+    if (parts[0] != MakeString(root->name)) {
+        VIRTRUST_LOG_ERROR("|FindNodesByPath|END||file path: {}|The name of root "
+                           "node in xml file is wrong.",
+                           absPath);
+        return ret;
+    }
+
+    for (size_t i = 1; i < parts.size(); ++i) {
+        const auto &nodeName = parts[i];
+        std::vector<xmlNodePtr> nextLevel;
+        SearchCurrLevel(currLevel, nextLevel, nodeName);
+        if (nextLevel.empty()) { // No matchs found
+            return ret;
+        }
+        currLevel = std::move(nextLevel);
+    }
+    return currLevel;
+}
+
+bool VirtXmlParser::LoadFile(std::string_view filename)
+{
+    if (filename.empty()) {
+        VIRTRUST_LOG_ERROR("|LoadFile|END|returnF||File name is empty.");
+        return false;
+    }
+
+    if (!std::filesystem::exists(filename) || !std::filesystem::is_regular_file(filename)) {
+        VIRTRUST_LOG_ERROR("|LoadFile|END|returnF||The file does not exist: {}.", filename);
+        return false;
+    }
+
+    // the reamining document tree if the file was wellformed, nullptr otherwise
+    if (doc_ != nullptr) {
+        VIRTRUST_LOG_WARN("|LoadFile|END|||Already load file, will load new one.");
+        libxml2_.xmlFreeDoc(doc_);
+        doc_ = nullptr;
+    }
+    doc_ = libxml2_.xmlParseFile(filename.data());
+    return doc_ != nullptr;
+}
+
+std::string VirtXmlParser::GetDiskPath()
+{
+    auto nodes = FindNodesByPath(VIRT_XML_DISK_PATH);
+    if (nodes.empty()) {
+        VIRTRUST_LOG_ERROR("|GetDiskPath|END||node path: {}|Get disk path from xml failed.", VIRT_XML_DISK_PATH);
+        return "";
+    }
+
+    if (nodes.size() != 1) {
+        VIRTRUST_LOG_ERROR("|GetDiskPath|END|||The node of disk path in xml is not only.");
+        return "";
+    }
+
+    xmlNodePtr node = nodes[0];
+    xmlChar *diskPath = libxml2_.xmlGetProp(node, VIRT_XML_FILE_PROP);
+    if (diskPath == nullptr) {
+        VIRTRUST_LOG_ERROR("|GetDiskPath|END||node path: {}|Target node does not "
+                           "have property: {}.",
+                           VIRT_XML_DISK_PATH, reinterpret_cast<const char *>(VIRT_XML_FILE_PROP));
+        return "";
+    }
+
+    std::string ret = MakeString(diskPath);
+    free(diskPath);
+    return ret;
+}
+
+std::string VirtXmlParser::GetLoaderPath()
+{
+    auto nodes = FindNodesByPath(VIRT_XML_LOADER_PATH);
+    if (nodes.empty()) {
+        VIRTRUST_LOG_ERROR("|GetLoaderPath|END|||Get loader path from xml failed: {}.", VIRT_XML_LOADER_PATH);
+        return "";
+    }
+
+    if (nodes.size() != 1) {
+        VIRTRUST_LOG_ERROR("|GetLoaderPath|END|||The node of loader path in xml is not only.");
+        return "";
+    }
+
+    xmlNodePtr node = nodes[0];
+    if (node->children == nullptr || node->children->content == nullptr) {
+        VIRTRUST_LOG_ERROR("|GetLoaderPath|END||node path: {}|Target node does not "
+                           "have any child nodes.",
+                           VIRT_XML_LOADER_PATH);
+        return "";
+    }
+    return MakeString(node->children->content);
+}
+
+std::string VirtXmlParser::GetVmName()
+{
+    auto nodes = FindNodesByPath(VIRT_XML_NAME_PATH);
+    if (nodes.empty()) {
+        VIRTRUST_LOG_ERROR("|GetVmName|END|||Get VM name from xml failed.");
+        return "";
+    }
+
+    if (nodes.size() != 1) {
+        VIRTRUST_LOG_ERROR("|GetVmName|END|||The node of VM name in xml is not only.");
+        return "";
+    }
+
+    xmlNodePtr node = nodes[0];
+    if (node->children == nullptr || node->children->content == nullptr) {
+        VIRTRUST_LOG_ERROR("|GetVmName|END||node path: {}|Target node does not "
+                           "have any child nodes.",
+                           VIRT_XML_NAME_PATH);
+        return "";
+    }
+    return MakeString(node->children->content);
+}
+
+VerifyConfig VirtXmlParser::Parse(const std::string &filePath)
+{
+    LoadFile(filePath);
+    VerifyConfig config(GetVmName(), GetDiskPath(), GetLoaderPath());
+    return config;
+}
+
+} // namespace virtrust
diff --git a/virtrust/src/virtrust/utils/virt_xml_parser.h b/virtrust/src/virtrust/utils/virt_xml_parser.h
new file mode 100644
index 0000000000000000000000000000000000000000..ccdc6b8eb4a674a884d17d2fb6543df13392384f
--- /dev/null
+++ b/virtrust/src/virtrust/utils/virt_xml_parser.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2025. All rights reserved.
+ */
+
+#pragma once
+
+#include <string>
+
+#include "virtrust/base/logger.h"
+#include "virtrust/dllib/libxml2.h"
+#include "virtrust/utils/foreign_mounter.h"
+
+namespace virtrust {
+
+using NodeConditionMatchFunc = std::function<bool(const xmlNodePtr)>;
+
+class VirtXmlParser {
+public:
+    VirtXmlParser() = default;
+
+    ~VirtXmlParser()
+    {
+        if (doc_ != nullptr) {
+            libxml2_.xmlFreeDoc(doc_);
+        }
+    }
+
+    std::vector<xmlNodePtr> FindNodesByPath(std::string_view absPath);
+
+    // Load the VM xml file, the function reloads the file each time it is called.
+    bool LoadFile(std::string_view filename);
+
+    std::string GetVmName();
+
+    std::string GetDiskPath();
+
+    std::string GetLoaderPath();
+
+    VerifyConfig Parse(const std::string &filePath);
+
+private:
+    Libxml2 &libxml2_ = Libxml2::GetInstance();
+    xmlDocPtr doc_ = nullptr;
+
+    void SearchCurrLevel(std::vector<xmlNodePtr> &currLevel, std::vector<xmlNodePtr> &nextLevel,
+                         const std::string &nodeName);
+};
+
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/src/virtrust/utils/virt_xml_parser_test.cpp b/virtrust/src/virtrust/utils/virt_xml_parser_test.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..fb2ac9db96977d8af43c12c51701b639b7c15820
--- /dev/null
+++ b/virtrust/src/virtrust/utils/virt_xml_parser_test.cpp
@@ -0,0 +1,76 @@
+/*
+ * Copyright (C) Huawei Technologies Co., Ltd. 2025-2025.All rights reserved.
+ */
+
+#include <filesystem>
+#include <fstream>
+
+#include "gtest/gtest.h"
+
+#include "virtrust/utils/virt_xml_parser.h"
+
+namespace virtrust {
+
+namespace {
+std::string GetTestXml()
+{
+    auto filePath = std::filesystem::path(__FILE__);
+    return (filePath / ".." / ".." / ".." / ".." / "test" / "data" / "test.xml").lexically_normal().string();
+}
+
+constexpr std::string_view TEST_GUEST_NAME = "open-euler-vm";
+constexpr std::string_view TEST_DISK_PATH = "/data/images/openEuler-24.03-LTS-SP1-x86_64.qcow2";
+constexpr std::string_view TEST_LOADER_PATH = "";
+constexpr std::string_view TEST_SHIM_PATH = "/boot/efi/EFI/openEuler/shimaa64.efi";
+constexpr std::string_view TEST_GRUB_PATH = "/boot/efi/EFI/openEuler/grubaa64.efi";
+constexpr std::string_view TEST_GRUB_CFG_PATH = "/boot/efi/EFI/openEuler/grub.cfg";
+} // namespace
+
+TEST(VirtXmlParserTest, ParseTest)
+{
+    auto parse = VirtXmlParser();
+    auto config = parse.Parse(GetTestXml());
+
+    EXPECT_EQ(config.GetGuestName(), TEST_GUEST_NAME);
+    EXPECT_EQ(config.GetDiskPath(), TEST_DISK_PATH);
+    EXPECT_EQ(config.GetLoaderPath(), TEST_LOADER_PATH);
+    EXPECT_EQ(config.GetShimPath(), TEST_SHIM_PATH);
+    EXPECT_EQ(config.GetGrubPath(), TEST_GRUB_PATH);
+    EXPECT_EQ(config.GetGrubCfgPath(), TEST_GRUB_CFG_PATH);
+}
+
+TEST(VirtXmlParserTest, LoadFileTest)
+{
+    // Test valid file loading
+    auto parse = VirtXmlParser();
+    EXPECT_TRUE(parse.LoadFile(GetTestXml()));
+
+    // Test invalid file path
+    EXPECT_FALSE(parse.LoadFile("/non/existent/file.xml"));
+
+    // Test empty file name
+    EXPECT_FALSE(parse.LoadFile(""));
+}
+
+TEST(VirtXmlParserTest, FindNodesByPathTest)
+{
+    auto parse = VirtXmlParser();
+    EXPECT_TRUE(parse.LoadFile(GetTestXml()));
+
+    // Test valid file path
+    auto nodes = parse.FindNodesByPath("/domain/name");
+    EXPECT_EQ(nodes.size(), 1UL);
+
+    // Test invalid file path
+    auto emptyNodes = parse.FindNodesByPath("/domain/nonexistent");
+    EXPECT_TRUE(emptyNodes.empty());
+
+    // Test empty path
+    auto emptyPathNodes = parse.FindNodesByPath("");
+    EXPECT_TRUE(emptyPathNodes.empty());
+
+    // Test non-absolute path
+    auto nonAbsNodes = parse.FindNodesByPath("domain/name");
+    EXPECT_TRUE(nonAbsNodes.empty());
+}
+} // namespace virtrust
\ No newline at end of file
diff --git a/virtrust/test/CMakeLists.txt b/virtrust/test/CMakeLists.txt
new file mode 100644
index 0000000000000000000000000000000000000000..d24c58019d836da0abf63f59dc41642d77a9678c
--- /dev/null
+++ b/virtrust/test/CMakeLists.txt
@@ -0,0 +1,74 @@
+# Copyright (c)
+
+find_program(OPENSSL_EXECUTABLE openssl)
+
+if(OPENSSL_EXECUTABLE)
+  message(STATUS "Openssl executable found at: ${OPENSSL_EXECUTABLE}")
+  message(
+    STATUS "Generate test certificates at: ${CMAKE_CURRENT_LIST_DIR}/cert")
+
+  # create ca sk and root cert
+  execute_process(
+    COMMAND
+      ${OPENSSL_EXECUTABLE} req -x509 -newkey rsa:2048 -nodes -keyout sk.pem
+      -out cert.pem -days 365 -subj
+      "/C=US/ST=State/L=City/O=Organization/OU=Unit/CN=example.com" -nodes
+    WORKING_DIRECTORY ${CMAKE_CURRENT_LIST_DIR}/ca
+    OUTPUT_QUIET)
+
+  # -----------------
+  # server
+  # -----------------
+
+  # create server's sk
+  execute_process(
+    COMMAND ${OPENSSL_EXECUTABLE} genrsa -out sk.pem 2048
+    WORKING_DIRECTORY ${CMAKE_CURRENT_LIST_DIR}/server
+    OUTPUT_QUIET)
+
+  # create csr for server
+  execute_process(
+    COMMAND ${OPENSSL_EXECUTABLE} req -new -key sk.pem -out server.csr -subj
+            "/C=US/ST=State/L=City/O=Organization/OU=Unit/CN=example.com"
+    WORKING_DIRECTORY ${CMAKE_CURRENT_LIST_DIR}/server
+    OUTPUT_QUIET)
+
+  # Make CA sign server's csr
+  execute_process(
+    COMMAND ${OPENSSL_EXECUTABLE} x509 -req -in server.csr -CA ../ca/cert.pem
+            -CAkey ../ca/sk.pem -CAcreateserial -out cert.pem -days 365 -sha256
+    WORKING_DIRECTORY ${CMAKE_CURRENT_LIST_DIR}/server
+    OUTPUT_QUIET)
+
+  # ------------
+  # client
+  # -----------
+
+  # create client's sk
+  execute_process(
+    COMMAND ${OPENSSL_EXECUTABLE} genrsa -out sk.pem 2048
+    WORKING_DIRECTORY ${CMAKE_CURRENT_LIST_DIR}/client
+    OUTPUT_QUIET)
+
+  # create csr for client
+  execute_process(
+    COMMAND ${OPENSSL_EXECUTABLE} req -new -key sk.pem -out client.csr -subj
+            "/C=US/ST=State/L=City/O=Organization/OU=Unit/CN=example.com"
+    WORKING_DIRECTORY ${CMAKE_CURRENT_LIST_DIR}/client
+    OUTPUT_QUIET)
+
+  # Make CA sign client's csr
+  execute_process(
+    COMMAND ${OPENSSL_EXECUTABLE} x509 -req -in client.csr -CA ../ca/cert.pem
+            -CAkey ../ca/sk.pem -CAcreateserial -out cert.pem -days 365 -sha256
+    WORKING_DIRECTORY ${CMAKE_CURRENT_LIST_DIR}/client
+    OUTPUT_QUIET)
+
+  message(
+    STATUS
+      "Generated test certificates generated at: ${CMAKE_CURRENT_LIST_DIR}/cert"
+  )
+else()
+  message(
+    WARNING "Openssl executable not found. Test certificates not generated.")
+endif()
diff --git a/virtrust/test/ca/.keep b/virtrust/test/ca/.keep
new file mode 100644
index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
diff --git a/virtrust/test/client/.keep b/virtrust/test/client/.keep
new file mode 100644
index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
diff --git a/virtrust/test/data/config.json b/virtrust/test/data/config.json
new file mode 100644
index 0000000000000000000000000000000000000000..9d6b3298bfd335a53168f4c4771069c33f238a4c
--- /dev/null
+++ b/virtrust/test/data/config.json
@@ -0,0 +1,7 @@
+{
+    "caPath": "ca-cert.pem",
+    "certPath": "server-cert.pem",
+    "skPath": "server-sk.pem",
+    "ip": "127.0.0.1",
+    "udsPath": "/tmp/grpc.sock"
+}
\ No newline at end of file
diff --git a/virtrust/test/data/grub.cfg b/virtrust/test/data/grub.cfg
new file mode 100644
index 0000000000000000000000000000000000000000..35cf85a90fa88994f14b0f0c700f1b6c16dd6854
--- /dev/null
+++ b/virtrust/test/data/grub.cfg
@@ -0,0 +1,9 @@
+# GRUB configuration file for testing
+set default="0"
+set timeout=5
+
+menuentry "openEuler" {
+    set root=(hd0,1)
+    linux /boot/vmlinuz-5.10.0-60.18.0.50.oe1.x86_64 root=/dev/mapper/root ro
+    initrd /boot/initramfs-5.10.0-60.18.0.50.oe1.x86_64.img
+}
\ No newline at end of file
diff --git a/virtrust/test/data/test.txt b/virtrust/test/data/test.txt
new file mode 100644
index 0000000000000000000000000000000000000000..4876a51f78f57e8d79ee278d59c1527a58184379
--- /dev/null
+++ b/virtrust/test/data/test.txt
@@ -0,0 +1 @@
+this is a test file.
diff --git a/virtrust/test/data/test.xml b/virtrust/test/data/test.xml
new file mode 100644
index 0000000000000000000000000000000000000000..e902066a84589025432985ffccefa23b30c46010
--- /dev/null
+++ b/virtrust/test/data/test.xml
@@ -0,0 +1,84 @@
+<!--
+WARNING: THIS IS AN AUTO-GENERATED FILE. DO NOT EDIT IT DIRECTLY.
+OVERWRITTEN AND LOST. Changs to this xml configuration should be made using:
+  virsh edit open-euler-vm
+or other application using the libvirt API.
+-->
+<domain type='qemu'>
+  <name>open-euler-vm</name>
+  <uuid>496eef9e-003f-46b8-a81d-178753825fa7</uuid>
+  <memory unit='KiB'>4194304</memory>
+  <currentMemory unit='KiB'>4194304</currentMemory>
+  <vcpu placement='static'>4</vcpu>
+  <os>
+    <type arch='x86_64' machine='pc-i440fx-8.2'>hvm</type>
+    <boot dev='hd'/>
+  </os>
+  <features>
+    <acpi/>
+    <apic/>
+  </features>
+  <cpu mode='custom' match='exact' check='none'>
+    <model fallback='forbid'>qemu64</model>
+  </cpu>
+  <clock offset='utc'>
+    <timer name='rtc' tickpolicy='catchup'/>
+    <timer name='pit' tickpolicy='delay'/>
+    <timer name='hpet' present='no'/>
+  </clock>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>destroy</on_crash>
+  <pm>
+    <suspend-to-mem enabled='no'/>
+    <suspend-to-disk enabled='no'/>
+  </pm>
+  <devices>
+    <emulator>/usr/libexec/qemu-kvm</emulator>
+    <disk type='file' device='disk'>
+      <driver name='qemu' type='qcow2'/>
+      <source file='/data/images/openEuler-24.03-LTS-SP1-x86_64.qcow2'/>
+      <target dev='hda' bus='ide'/>
+      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
+    </disk>
+    <controller type='usb' index='0' model='ich9-ehci1'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x7'/>
+    </controller>
+    <controller type='usb' index='0' model='ich9-uhci1'>
+      <master startport='0'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0' multifunction='on'/>
+    </controller>
+    <controller type='usb' index='0' model='ich9-uhci2'>
+      <master startport='2'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x1'/>
+    </controller>
+    <controller type='usb' index='0' model='ich9-uhci3'>
+      <master startport='4'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x2'/>
+    </controller>
+    <controller type='pci' index='0' model='pci-root'/>
+    <controller type='ide' index='0'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
+    </controller>
+    <interface type='network'>
+      <mac address='52:54:00:cd:6c:d2'/>
+      <source network='default'/>
+      <model type='e1000'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
+    </interface>
+    <serial type='pty'>
+      <target type='isa-serial' port='0'>
+        <model name='isa-serial'/>
+      </target>
+    </serial>
+    <console type='pty'>
+      <target type='serial' port='0'/>
+    </console>
+    <input type='mouse' bus='ps2'/>
+    <input type='keyboard' bus='ps2'/>
+    <audio id='1' type='none'/>
+    <memballoon model='virtio'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
+    </memballoon>
+  </devices>
+</domain>
\ No newline at end of file
diff --git a/virtrust/test/server/.keep b/virtrust/test/server/.keep
new file mode 100644
index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391