* [Qemu Nitro Enclave] NSM virtio attestation response is always of size 0x3000
@ 2025-02-13 10:01 Vikrant Garg
2025-02-13 10:30 ` Alexander Graf
0 siblings, 1 reply; 3+ messages in thread
From: Vikrant Garg @ 2025-02-13 10:01 UTC (permalink / raw)
To: qemu-devel; +Cc: Dorjoy Chowdhury, graf
[-- Attachment #1: Type: text/plain, Size: 693 bytes --]
Hello All,
I am using the QEMU for emulating nitro enclave images. In my enclave
image, I have an attestation service implemented in Rust. This application
fetches attestations using IOCTL command. I have noticed that response from
the nsm virtio device is always of length 0x3000 (i.e. maximum NSM response
size). Instead, it should be the actual size of response bytes. Same case
is also happening with the attestation service implemented in python. On
the other hand, the same Rust attestation service is working with AWS nitro
enclaves. It looks like an NSM emulation issue.
I would like to confirm if this is the expected behaviour and need help on
further debugging.
Regards,
Vikrant
[-- Attachment #2: Type: text/html, Size: 808 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [Qemu Nitro Enclave] NSM virtio attestation response is always of size 0x3000
2025-02-13 10:01 [Qemu Nitro Enclave] NSM virtio attestation response is always of size 0x3000 Vikrant Garg
@ 2025-02-13 10:30 ` Alexander Graf
2025-02-13 10:46 ` Vikrant Garg
0 siblings, 1 reply; 3+ messages in thread
From: Alexander Graf @ 2025-02-13 10:30 UTC (permalink / raw)
To: Vikrant Garg, qemu-devel; +Cc: Dorjoy Chowdhury
Hi Vikrant,
On 13.02.25 11:01, Vikrant Garg wrote:
> Hello All,
>
> I am using the QEMU for emulating nitro enclave images. In my enclave
> image, I have an attestation service implemented in Rust. This
> application fetches attestations using IOCTL command. I have noticed
> that response from the nsm virtio device is always of length 0x3000
> (i.e. maximum NSM response size). Instead, it should be the actual
> size of response bytes. Same case is also happening with the
> attestation service implemented in python. On the other hand, the same
> Rust attestation service is working with AWS nitro enclaves. It looks
> like an NSM emulation issue.
>
> I would like to confirm if this is the expected behaviour and need
> help on further debugging.
Thanks a lot for the report! Does this happen with all commands or only
the Attest command? The NSM emulation code attempts to trim the response
size to the actual payload, but there may well be a bug in that logic.
I do have a hunch on what the problem may be. Can you please quickly try
the patch below?
Thanks!
Alex
index 098e1aeac6..b22aa74e34 100644
--- a/hw/virtio/virtio-nsm.c
+++ b/hw/virtio/virtio-nsm.c
@@ -1596,7 +1596,7 @@ static void handle_input(VirtIODevice *vdev,
VirtQueue *vq)
g_free(req.iov_base);
g_free(res.iov_base);
virtqueue_push(vq, out_elem, 0);
- virtqueue_push(vq, in_elem, in_elem->in_sg->iov_len);
+ virtqueue_push(vq, in_elem, sz);
virtio_notify(vdev, vq);
return;
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [Qemu Nitro Enclave] NSM virtio attestation response is always of size 0x3000
2025-02-13 10:30 ` Alexander Graf
@ 2025-02-13 10:46 ` Vikrant Garg
0 siblings, 0 replies; 3+ messages in thread
From: Vikrant Garg @ 2025-02-13 10:46 UTC (permalink / raw)
To: Alexander Graf; +Cc: qemu-devel, Dorjoy Chowdhury
[-- Attachment #1: Type: text/plain, Size: 1838 bytes --]
Thanks a lot, Alex.
You got the right fix. This is working for me. Expected length of response
is being returned now.
Vikrant
On Thu, Feb 13, 2025 at 4:00 PM Alexander Graf <graf@amazon.com> wrote:
> Hi Vikrant,
>
> On 13.02.25 11:01, Vikrant Garg wrote:
>
> > Hello All,
> >
> > I am using the QEMU for emulating nitro enclave images. In my enclave
> > image, I have an attestation service implemented in Rust. This
> > application fetches attestations using IOCTL command. I have noticed
> > that response from the nsm virtio device is always of length 0x3000
> > (i.e. maximum NSM response size). Instead, it should be the actual
> > size of response bytes. Same case is also happening with the
> > attestation service implemented in python. On the other hand, the same
> > Rust attestation service is working with AWS nitro enclaves. It looks
> > like an NSM emulation issue.
> >
> > I would like to confirm if this is the expected behaviour and need
> > help on further debugging.
>
>
> Thanks a lot for the report! Does this happen with all commands or only
> the Attest command? The NSM emulation code attempts to trim the response
> size to the actual payload, but there may well be a bug in that logic.
>
> I do have a hunch on what the problem may be. Can you please quickly try
> the patch below?
>
>
> Thanks!
>
> Alex
>
>
> index 098e1aeac6..b22aa74e34 100644
> --- a/hw/virtio/virtio-nsm.c
> +++ b/hw/virtio/virtio-nsm.c
> @@ -1596,7 +1596,7 @@ static void handle_input(VirtIODevice *vdev,
> VirtQueue *vq)
> g_free(req.iov_base);
> g_free(res.iov_base);
> virtqueue_push(vq, out_elem, 0);
> - virtqueue_push(vq, in_elem, in_elem->in_sg->iov_len);
> + virtqueue_push(vq, in_elem, sz);
> virtio_notify(vdev, vq);
> return;
>
>
[-- Attachment #2: Type: text/html, Size: 2377 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2025-02-13 14:10 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-02-13 10:01 [Qemu Nitro Enclave] NSM virtio attestation response is always of size 0x3000 Vikrant Garg
2025-02-13 10:30 ` Alexander Graf
2025-02-13 10:46 ` Vikrant Garg
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).