Revert "Launch Katana asynchronously via VM control channel"

kariy · kariy · commit 03f289136699 · 2026-02-26T11:27:51.000-06:00
This reverts commit a2bc333.
diff --git a/misc/AMDSEV/README.md b/misc/AMDSEV/README.md
@@ -40,7 +40,7 @@ If `--katana` is not provided, `build.sh` prompts for confirmation (`y/N`) befor
 | `build-kernel.sh` | Downloads and extracts Ubuntu kernel (`vmlinuz`) |
 | `build-initrd.sh` | Creates minimal initrd with busybox, SEV-SNP modules, and katana |
 | `build-config` | Pinned versions and checksums for reproducible builds |
-| `start-vm.sh` | Starts a TEE VM with SEV-SNP and launches Katana asynchronously |
+| `start-vm.sh` | Starts a TEE VM with SEV-SNP enabled using QEMU |
 
 ## SNP Tools
 
@@ -93,11 +93,8 @@ qemu-system-x86_64 \
     # Initial ramdisk containing katana (measured when kernel-hashes=on)
     -initrd output/qemu/initrd.img \
     # Kernel command line (measured when kernel-hashes=on)
-    -append "console=ttyS0" \
-    # Katana control channel (used to start Katana asynchronously after boot)
-    -device virtio-serial-pci,id=virtio-serial0 \
-    -chardev socket,id=katanactl,path=/tmp/katana-control.sock,server=on,wait=off \
-    -device virtserialport,chardev=katanactl,name=org.katana.control.0 \
+    # katana.args passes arguments to katana via init script
+    -append "console=ttyS0 katana.args=--http.addr,0.0.0.0,--http.port,5050,--tee.provider,sev-snp" \
     ..
 ```
 
@@ -111,16 +108,11 @@ sudo ./misc/AMDSEV/start-vm.sh
 
 # Or specify a custom boot components directory
 sudo ./misc/AMDSEV/start-vm.sh /path/to/boot-components
-
-# Or customize Katana runtime flags (comma-separated)
-sudo ./misc/AMDSEV/start-vm.sh --katana-args "--http.addr,0.0.0.0,--http.port,5050,--tee.provider,sev-snp,--dev"
 ```
 
 The script:
 - Starts QEMU with SEV-SNP confidential computing enabled
 - Uses direct kernel boot with kernel-hashes=on for attestation
-- Keeps kernel cmdline stable (`console=ttyS0`) for deterministic measurement
-- Starts Katana asynchronously via virtio-serial control channel
 - Forwards RPC port 5050 to host port 15051
 - Outputs serial log to a temp file and follows it
 
@@ -137,7 +129,7 @@ cargo build -p snp-tools
     --ovmf output/qemu/OVMF.fd \
     --kernel output/qemu/vmlinuz \
     --initrd output/qemu/initrd.img \
-    --append "console=ttyS0" \
+    --append "console=ttyS0 katana.args=--http.addr,0.0.0.0,--http.port,5050,--tee.provider,sev-snp" \
     --vcpus 1 \
     --cpu epyc-v4 \
     --vmm qemu \
diff --git a/misc/AMDSEV/build-initrd.sh b/misc/AMDSEV/build-initrd.sh
@@ -293,9 +293,6 @@ log() { echo "[init] $*"; }
 KATANA_PID=""
 KATANA_DB_DIR="/mnt/data/katana-db"
 SHUTTING_DOWN=0
-KATANA_EXIT_CODE="never"
-CONTROL_PORT_NAME="org.katana.control.0"
-CONTROL_PORT_LINK="/dev/virtio-ports/org.katana.control.0"
 
 fatal_boot() {
     log "ERROR: $*"
@@ -306,90 +303,6 @@ fatal_boot() {
     done
 }
 
-refresh_katana_state() {
-    if [ -n "$KATANA_PID" ] && ! kill -0 "$KATANA_PID" 2>/dev/null; then
-        if wait "$KATANA_PID"; then
-            KATANA_EXIT_CODE=0
-        else
-            KATANA_EXIT_CODE=$?
-        fi
-        log "Katana exited with code $KATANA_EXIT_CODE"
-        KATANA_PID=""
-    fi
-}
-
-respond_control() {
-    printf '%s\n' "$1" >&3 2>/dev/null || true
-}
-
-resolve_control_port() {
-    mkdir -p /dev/virtio-ports
-    for name_file in /sys/class/virtio-ports/*/name; do
-        [ -f "$name_file" ] || continue
-
-        PORT_NAME_VALUE="$(cat "$name_file" 2>/dev/null || true)"
-        if [ "$PORT_NAME_VALUE" != "$CONTROL_PORT_NAME" ]; then
-            continue
-        fi
-
-        PORT_DIR="${name_file%/name}"
-        PORT_DEV="/dev/${PORT_DIR##*/}"
-        if [ -e "$PORT_DEV" ]; then
-            ln -sf "$PORT_DEV" "$CONTROL_PORT_LINK"
-            echo "$CONTROL_PORT_LINK"
-            return 0
-        fi
-    done
-    return 1
-}
-
-handle_control_command() {
-    RAW_CMD="$1"
-    CMD="${RAW_CMD%% *}"
-    CMD_PAYLOAD=""
-    if [ "$CMD" != "$RAW_CMD" ]; then
-        CMD_PAYLOAD="${RAW_CMD#* }"
-    fi
-
-    case "$CMD" in
-        start)
-            refresh_katana_state
-            if [ -n "$KATANA_PID" ] && kill -0 "$KATANA_PID" 2>/dev/null; then
-                respond_control "err already-running pid=$KATANA_PID"
-                return 0
-            fi
-
-            KATANA_ARGS=""
-            if [ -n "$CMD_PAYLOAD" ]; then
-                KATANA_ARGS="$(echo "$CMD_PAYLOAD" | tr ',' ' ')"
-            fi
-
-            log "Starting katana asynchronously..."
-            # shellcheck disable=SC2086
-            /bin/katana --db-dir="$KATANA_DB_DIR" $KATANA_ARGS &
-            KATANA_PID=$!
-            KATANA_EXIT_CODE="running"
-            respond_control "ok started pid=$KATANA_PID"
-            ;;
-
-        status)
-            refresh_katana_state
-            if [ -n "$KATANA_PID" ] && kill -0 "$KATANA_PID" 2>/dev/null; then
-                respond_control "running pid=$KATANA_PID"
-            else
-                respond_control "stopped exit=$KATANA_EXIT_CODE"
-            fi
-            ;;
-
-        "")
-            ;;
-
-        *)
-            respond_control "err unknown-command"
-            ;;
-    esac
-}
-
 shutdown_handler() {
     if [ "$SHUTTING_DOWN" -eq 1 ]; then
         return 0
@@ -491,6 +404,15 @@ else
     log "WARNING: eth0 interface not found; skipping static network setup"
 fi
 
+# Parse katana args from cmdline
+CMDLINE="$(cat /proc/cmdline 2>/dev/null || true)"
+KATANA_ARGS=""
+for tok in $CMDLINE; do
+    case "$tok" in
+        katana.args=*) KATANA_ARGS="$(echo "${tok#katana.args=}" | tr ',' ' ')" ;;
+    esac
+done
+
 # Require persistent storage at /dev/sda
 if [ ! -b /dev/sda ]; then
     fatal_boot "required storage device /dev/sda not found"
@@ -504,30 +426,22 @@ fi
 mkdir -p "$KATANA_DB_DIR"
 log "Storage mounted at /mnt/data"
 
-# Start async control loop for Katana startup/status commands.
-log "Waiting for control channel ($CONTROL_PORT_NAME)..."
-CONTROL_PORT=""
-while [ -z "$CONTROL_PORT" ]; do
-    CONTROL_PORT="$(resolve_control_port || true)"
-    [ -n "$CONTROL_PORT" ] || sleep 1
-done
-log "Control channel ready: $CONTROL_PORT"
-
-while true; do
-    refresh_katana_state
+log "Starting katana..."
+# shellcheck disable=SC2086
+/bin/katana --db-dir="$KATANA_DB_DIR" $KATANA_ARGS &
+KATANA_PID=$!
+log "Katana started with PID $KATANA_PID"
 
-    if ! exec 3<>"$CONTROL_PORT"; then
-        log "WARNING: failed to open control channel, retrying..."
-        sleep 1
-        continue
-    fi
-
-    while IFS= read -r CONTROL_CMD <&3; do
-        handle_control_command "$CONTROL_CMD"
-    done
+if wait "$KATANA_PID"; then
+    EXIT_CODE=0
+else
+    EXIT_CODE=$?
+fi
+log "Katana exited with code $EXIT_CODE"
 
-    exec 3>&- 3<&-
-    sleep 1
+# PID 1 must stay alive unless explicitly powered off.
+while true; do
+    sleep 60
 done
 INIT_EOF
 
diff --git a/misc/AMDSEV/start-vm.sh b/misc/AMDSEV/start-vm.sh
