
Commit b3d8703

tylerfanellislp
authored and committed
nitro: Don't listen on enclave vsock for console
Since the nitro enclave CID is returned to the caller, the caller can be responsible for setting up the vsock to read enclave console output. Signed-off-by: Tyler Fanelli <[email protected]>
1 parent 0d91b43 commit b3d8703

2 files changed

+2
-99
lines changed


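--- a/src/libkrun/src/lib.rs
+++ b/src/libkrun/src/lib.rs
@@ -12,8 +12,6 @@ use std::fs::File;
 #[cfg(target_os = "linux")]
 use std::os::fd::AsRawFd;
 use std::os::fd::{FromRawFd, RawFd};
-#[cfg(feature = "nitro")]
-use std::os::unix::net::UnixStream;
 use std::path::PathBuf;
 use std::slice;
 use std::sync::atomic::{AtomicI32, Ordering};
@@ -325,31 +323,10 @@ impl TryFrom<ContextConfig> for NitroEnclave {
             return Err(-libc::EINVAL);
         };
 
-        let Some(port_map) = ctx.unix_ipc_port_map else {
-            error!("enclave vsock not configured");
-            return Err(-libc::EINVAL);
-        };
-
-        if port_map.len() > 1 {
-            error!("too many nitro vsocks detected (max 1)");
-            return Err(-libc::EINVAL);
-        }
-
-        let ipc_stream = {
-            let mut vec = Vec::from_iter(port_map.values());
-            let Some((path, _)) = vec.pop() else {
-                error!("enclave vsock path not found");
-                return Err(-libc::EINVAL);
-            };
-
-            UnixStream::connect(path).unwrap()
-        };
-
         Ok(Self {
             image,
             mem_size_mib,
             vcpus,
-            ipc_stream,
             start_flags: ctx.nitro_start_flags,
         })
     }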

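--- a/src/nitro/src/enclaves.rs
+++ b/src/nitro/src/enclaves.rs
@@ -5,33 +5,19 @@ use nitro_enclaves::{
     launch::{ImageType, Launcher, MemoryInfo, PollTimeout, StartFlags},
     Device,
 };
-use nix::{
-    poll::{poll, PollFd, PollFlags},
-    sys::{
-        socket::{connect, socket, AddressFamily, SockFlag, SockType, VsockAddr as NixVsockAddr},
-        time::{TimeVal, TimeValLike},
-    },
-    unistd::read,
-};
+use nix::poll::{poll, PollFd, PollFlags};
 use std::{
     fs::File,
     io::{Read, Write},
-    os::{
-        fd::{AsRawFd, RawFd},
-        unix::net::UnixStream,
-    },
+    os::fd::AsRawFd,
 };
 use vsock::{VsockAddr, VsockListener};
 
 type Result<T> = std::result::Result<T, NitroError>;
 
 const ENCLAVE_READY_VSOCK_PORT: u32 = 9000;
-const CID_TO_CONSOLE_PORT_OFFSET: u32 = 10000;
 
 const VMADDR_CID_PARENT: u32 = 3;
-const VMADDR_CID_HYPERVISOR: u32 = 0;
-
-const SO_VM_SOCKETS_CONNECT_TIMEOUT: i32 = 6;
 
 const HEART_BEAT: u8 = 0xb7;
 
@@ -43,8 +29,6 @@ pub struct NitroEnclave {
     pub mem_size_mib: usize,
     /// Number of vCPUs.
     pub vcpus: u8,
-    /// Path of vsock for initial enclave communication.
-    pub ipc_stream: UnixStream,
     /// Enclave start flags.
     pub start_flags: StartFlags,
 }
@@ -78,45 +62,8 @@ impl NitroEnclave {
 
         enclave_check(listener, poll_timeout.into(), cid)?;
 
-        self.listen(VMADDR_CID_HYPERVISOR, cid + CID_TO_CONSOLE_PORT_OFFSET)?;
-
         Ok(cid)
     }
-
-    fn listen(&mut self, cid: u32, port: u32) -> Result<()> {
-        let socket_fd = socket(
-            AddressFamily::Vsock,
-            SockType::Stream,
-            SockFlag::empty(),
-            None,
-        )
-        .map_err(|_| NitroError::VsockCreate)?;
-
-        let sockaddr = NixVsockAddr::new(cid, port);
-
-        vsock_timeout(socket_fd)?;
-
-        connect(socket_fd, &sockaddr).map_err(|_| NitroError::VsockConnect)?;
-
-        let mut buf = [0u8; 512];
-        loop {
-            // Read debug output from vsock.
-            if let Ok(sz) = read(socket_fd, &mut buf) {
-                // If there is enclave debug output read, write it to the IPC socket.
-                if sz > 0 {
-                    self.ipc_stream
-                        .write_all(&buf[..sz])
-                        .map_err(NitroError::IpcWrite)?;
-
-                    continue;
-                }
-            }
-
-            break;
-        }
-
-        Ok(())
-    }
 }
 
 fn enclave_check(listener: VsockListener, poll_timeout_ms: libc::c_int, cid: u32) -> Result<()> {
@@ -148,24 +95,3 @@ fn enclave_check(listener: VsockListener, poll_timeout_ms: libc::c_int, cid: u32
 
     Ok(())
 }
-
-fn vsock_timeout(socket_fd: RawFd) -> Result<()> {
-    // Set the timeout to 20 seconds.
-    let timeval = TimeVal::milliseconds(20000);
-
-    let ret = unsafe {
-        libc::setsockopt(
-            socket_fd,
-            libc::AF_VSOCK,
-            SO_VM_SOCKETS_CONNECT_TIMEOUT,
-            &timeval as *const _ as *const libc::c_void,
-            size_of::<TimeVal>() as u32,
-        )
-    };
-
-    if ret != 0 {
-        return Err(NitroError::VsockSetTimeout);
-    }
-
-    Ok(())
-}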
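Review bot: The method that now returns `Ok(cid)` straight after `enclave_check` has silently changed contract — it no longer relays the enclave console — but nothing on the new side documents that, and its signature and doc comment sit outside the hunk, so the caller who is now "responsible" for the console has to rediscover the convention that left with the deleted `VMADDR_CID_HYPERVISOR`, `CID_TO_CONSOLE_PORT_OFFSET` and `SO_VM_SOCKETS_CONNECT_TIMEOUT` constants. I would add to that method's doc comment: `/// Returns the enclave CID once the enclave has signalled ready. Console output is no longer relayed here; a caller that wants it must connect over vsock itself (the previous implementation used CID 0, port cid + 10000, with a 20 s connect timeout).` If that port convention is meant to be shared across consumers, keeping `CID_TO_CONSOLE_PORT_OFFSET` as a `pub const` instead of deleting it would stop each caller from hard-coding 10000. Separately, `io::{Read, Write}` is kept in the `use std::{...}` block while the only `write_all` in view was removed with `listen`; unless `Write` is still used elsewhere in the file it is now an unused import and will warn under `-D warnings`.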
