feat(enclave,proxy): adopt length prefix for vsock connection

[hyperfinitism]

Summary

This PR introduces a length-prefix framing protocol for vsock communication between the proxy and enclave. Each message is now prefixed with a 4-byte big-endian length field, ensuring that both sides read the exact number of bytes for each message.

Additionally, the vsock buffer size is now unified between proxy and enclave, and can be configured via CLI arguments.

Background (Issue)

When running the full setup flow on a freshly created parent VM for the first time (setup → build enclave/proxy/client → run enclave → run proxy → run client), a JSON parsing error occurs during the key exchange request:

session_id=fUwTZ31ouneVRMoj-cfvmA
Error: EOF while parsing a string at line 1 column 4096
make: *** [Makefile:69: run-client] Error 1

Subsequent runs (either re-running the client or rebuilding from scratch) do not reproduce this error.

Root Cause Analysis

The vsock stream is asynchronous. The proxy's single read() call was returning whatever data was available in the buffer at the time, without waiting for the complete response. On the first run, attestation document generation may be slower (likely due to NSM initialization overhead), causing the response to be split across multiple network chunks. The proxy read only the first chunk (~4096 bytes) and returned it to the client, resulting in truncated JSON.

Note that a similar issue has been observed in Humane-RAFW-MAA, where the initial SGX quote generation takes longer and causes cpp-httplib to time out (exceed the default timeout period = 5 sec).

What's Changed

• Update proxy/src/main.rs
  • Add --vsock-buffer-size CLI argument (default: 8192)
  • max_body_size is now derived as vsock_buffer_size - 4 (accounting for the length prefix)
  • Request transmission now includes 4-byte big-endian length prefix
  • Response reading uses read_exact() to read the length prefix, then reads the exact payload size
  • Add validation to reject responses larger than max_body_size
• Update enclave/src/main.rs
  • Add --vsock-buffer-size CLI argument (default: 8192)
  • Request reading uses length-prefix protocol: reads 4-byte length, then reads exact payload
  • Add validation to reject requests larger than max_request_size
  • Handle UnexpectedEof gracefully for connection termination
  • Response writing uses length-prefix protocol
• Update client-config.json
  • Update PCRs to match the newly built enclave image

Testing

Tested on the environment described in README.md:

• Create a new parent VM
• First-run scenario that previously failed now completes successfully
• Subsequent runs continue to work as expected