Commit 0b06744

committed
docs(amdsev): clarify control socket channel
1 parent ac64705 commit 0b06744

File tree

1 file changed

+28
-24
lines changed

misc/AMDSEV/README.md

Lines changed: 28 additions & 24 deletions
Original file line number | Diff line number | Diff line change
@@ -101,6 +101,34 @@ qemu-system-x86_64 \
101101
..
102102
```
103103

104+
### Start Katana via Control Channel
105+
106+
In the QEMU example above, this line defines the host-side control channel endpoint:
107+
108+
```sh
109+
-chardev socket,id=katanactl,path=/tmp/katana-control.sock,server=on,wait=off
110+
```
111+
112+
The `path=/tmp/katana-control.sock` value is the Unix socket file on the host.
113+
That socket is connected to the guest virtio-serial port:
114+
115+
```sh
116+
-device virtserialport,chardev=katanactl,name=org.katana.control.0
117+
```
118+
119+
So writes to that Unix socket become control commands inside the VM (`start`, `status`).
120+
121+
Example:
122+
123+
```sh
124+
# Start Katana with comma-separated CLI args
125+
printf 'start --http.addr,0.0.0.0,--http.port,5050,--tee.provider,sev-snp\n' \
126+
| socat - UNIX-CONNECT:/tmp/katana-control.sock
127+
128+
# Check launcher status
129+
printf 'status\n' | socat - UNIX-CONNECT:/tmp/katana-control.sock
130+
```
131+
104132
## Running the VM
105133

106134
The `start-vm.sh` script provides an easy way to launch a TEE VM with SEV-SNP enabled:
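Review bot: the new example hardcodes `path=/tmp/katana-control.sock`, but the section it replaces (second hunk) tells readers that `start-vm.sh` prints its own per-instance socket path (`/tmp/katana-tee-vm-control.12345.sock` in the old example), so anyone who booted with the script and copies `socat - UNIX-CONNECT:/tmp/katana-control.sock` will connect to a socket that does not exist. Suggest stating that this path belongs to the hand-written QEMU command above and keeping the `CONTROL_SOCKET=...` form for the script case. Since the text says writes to that socket become `start` and `status` commands inside the VM, and `start` carries arbitrary CLI arguments, one more sentence on who can connect would help: with `server=on` QEMU creates the socket file, so its owner and mode (and the shared `/tmp` location) decide which host users can launch Katana with arguments of their choosing.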
@@ -124,30 +152,6 @@ The script:
124152
- Forwards RPC port 5050 to host port 15051
125153
- Outputs serial log to a temp file and follows it
126154

127-
### Start Katana via Control Channel
128-
129-
To start Katana manually over the control channel:
130-
131-
```sh
132-
# 1) Boot VM without auto-starting Katana
133-
sudo ./misc/AMDSEV/start-vm.sh --no-start
134-
135-
# 2) Use the control socket printed by start-vm.sh (example path below)
136-
CONTROL_SOCKET=/tmp/katana-tee-vm-control.12345.sock
137-
138-
# 3) Start Katana with comma-separated CLI args
139-
printf 'start --http.addr,0.0.0.0,--http.port,5050,--tee.provider,sev-snp\n' \
140-
| socat - UNIX-CONNECT:"$CONTROL_SOCKET"
141-
142-
# 4) Check launcher status
143-
printf 'status\n' | socat - UNIX-CONNECT:"$CONTROL_SOCKET"
144-
```
145-
146-
Control responses:
147-
- `ok started pid=...` means Katana was launched.
148-
- `running pid=...` means Katana is still running.
149-
- `stopped exit=...` means Katana is not running.
150-
151155
### Launch Measurement Verification
152156

153157
To verify a TEE VM's integrity, compute the expected launch measurement using `snp-digest`:
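Review bot: this removal drops the `--no-start` boot step and the "Control responses" list (`ok started pid=...`, `running pid=...`, `stopped exit=...`), and neither reappears in the new section added at line 104, so the README no longer says how to boot without auto-starting Katana or what a successful `start` or `status` reply looks like. Suggest carrying both over into the new "Start Katana via Control Channel" section, for example keeping `sudo ./misc/AMDSEV/start-vm.sh --no-start` as the first step and placing the three response lines after the `status` example.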
