* [Qemu Nitro Enclave] NSM virtio attestation response is always of size 0x3000
From: Vikrant Garg @ 2025-02-13 10:01 UTC
To: qemu-devel; +Cc: Dorjoy Chowdhury, graf

Hello All,

I am using QEMU for emulating Nitro Enclave images. In my enclave image, I have an attestation service implemented in Rust. This application fetches attestations using an IOCTL command. I have noticed that the response from the NSM virtio device is always of length 0x3000 (i.e. maximum NSM response size). Instead, it should be the actual size of the response bytes. The same is also happening with the attestation service implemented in Python. On the other hand, the same Rust attestation service is working with AWS Nitro Enclaves. It looks like an NSM emulation issue.

I would like to confirm if this is the expected behaviour and need help on further debugging.

Regards,
Vikrant

* Re: [Qemu Nitro Enclave] NSM virtio attestation response is always of size 0x3000
From: Alexander Graf @ 2025-02-13 10:30 UTC
To: Vikrant Garg, qemu-devel; +Cc: Dorjoy Chowdhury

Hi Vikrant,

On 13.02.25 11:01, Vikrant Garg wrote:
> Hello All,
>
> I am using the QEMU for emulating nitro enclave images. In my enclave
> image, I have an attestation service implemented in Rust. This
> application fetches attestations using IOCTL command. I have noticed
> that response from the nsm virtio device is always of length 0x3000
> (i.e. maximum NSM response size). Instead, it should be the actual
> size of response bytes. Same case is also happening with the
> attestation service implemented in python. On the other hand, the same
> Rust attestation service is working with AWS nitro enclaves. It looks
> like an NSM emulation issue.
>
> I would like to confirm if this is the expected behaviour and need
> help on further debugging.

Thanks a lot for the report! Does this happen with all commands or only the Attest command? The NSM emulation code attempts to trim the response size to the actual payload, but there may well be a bug in that logic.

I do have a hunch on what the problem may be. Can you please quickly try the patch below?

Thanks!

Alex

index 098e1aeac6..b22aa74e34 100644 --- a/hw/virtio/virtio-nsm.c +++ b/hw/virtio/virtio-nsm.c @@ -1596,7 +1596,7 @@ static void handle_input(VirtIODevice *vdev, VirtQueue *vq) g_free(req.iov_base); g_free(res.iov_base); virtqueue_push(vq, out_elem, 0); - virtqueue_push(vq, in_elem, in_elem->in_sg->iov_len); + virtqueue_push(vq, in_elem, sz); virtio_notify(vdev, vq); return;
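
Review bot: The new argument `sz` in `virtqueue_push(vq, in_elem, sz);` is not defined anywhere in the visible hunk, so the patch should state (in the commit message or a short comment) that on this path `sz` is the number of response bytes actually written into the in buffers. The old argument, `in_elem->in_sg->iov_len`, is the capacity of the first in-buffer segment rather than a payload length, which matches the constant 0x3000 the reporter saw. The used length is what the guest treats as valid response data, so `sz` also needs to be bounded by that capacity. Because `res.iov_base` is freed two lines earlier, `sz` has to be a plain length captured before the free, not anything read back from the response buffer. A formal submission would also need a commit message and Signed-off-by, which this test patch does not carry.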

* Re: [Qemu Nitro Enclave] NSM virtio attestation response is always of size 0x3000
From: Vikrant Garg @ 2025-02-13 10:46 UTC
To: Alexander Graf; +Cc: qemu-devel, Dorjoy Chowdhury

Thanks a lot, Alex. You got the right fix. This is working for me. Expected length of response is being returned now.

Vikrant

On Thu, Feb 13, 2025 at 4:00 PM Alexander Graf <graf@amazon.com> wrote:

> Hi Vikrant,
>
> On 13.02.25 11:01, Vikrant Garg wrote:
>
> > Hello All,
> >
> > I am using the QEMU for emulating nitro enclave images. In my enclave
> > image, I have an attestation service implemented in Rust. This
> > application fetches attestations using IOCTL command. I have noticed
> > that response from the nsm virtio device is always of length 0x3000
> > (i.e. maximum NSM response size). Instead, it should be the actual
> > size of response bytes. Same case is also happening with the
> > attestation service implemented in python. On the other hand, the same
> > Rust attestation service is working with AWS nitro enclaves. It looks
> > like an NSM emulation issue.
> >
> > I would like to confirm if this is the expected behaviour and need
> > help on further debugging.
>
>
> Thanks a lot for the report! Does this happen with all commands or only
> the Attest command? The NSM emulation code attempts to trim the response
> size to the actual payload, but there may well be a bug in that logic.
>
> I do have a hunch on what the problem may be. Can you please quickly try
> the patch below?
>
>
> Thanks!
>
> Alex
>
>
> index 098e1aeac6..b22aa74e34 100644 > --- a/hw/virtio/virtio-nsm.c > +++ b/hw/virtio/virtio-nsm.c 
> @@ -1596,7 +1596,7 @@ static void handle_input(VirtIODevice *vdev, > VirtQueue *vq) > g_free(req.iov_base); > g_free(res.iov_base); > virtqueue_push(vq, out_elem, 0); > - virtqueue_push(vq, in_elem, in_elem->in_sg->iov_len); > + virtqueue_push(vq, in_elem, sz); > virtio_notify(vdev, vq); > return;