Skip to content

fix(vmcall_raw): chunk send to honor VMCALL buffer MTU#918

Merged
sgrams merged 1 commit into
mainfrom
fix_huge_cert_migtd_send
Jun 30, 2026
Merged

fix(vmcall_raw): chunk send to honor VMCALL buffer MTU#918
sgrams merged 1 commit into
mainfrom
fix_huge_cert_migtd_send

Conversation

@sgrams

@sgrams sgrams commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

A single TDG.VP.VMCALL<Service.MigTD.Send> can only carry up to the same MTU the receive side advertises (MAX_VMCALL_RAW_STREAM_MTU, 64KB). With policy_v2's peer-data blob now carrying the signed policy plus issuer chain (~180KB in practice), the rebinding pre-session body send fails with TdVmcallError::Other right after hello and the 8-byte data header succeed.

Chunk on the send path so any single VMCALL payload stays at MAX_VMCALL_RAW_STREAM_MTU - 12 bytes (room for the GHCI 1.5 status+length header prepended by vmcall_raw_transport_enqueue). Loop inside VmcallRaw::send and keep returning buf.len(); this keeps the AsyncWrite contract intact for callers that don't loop on partial writes (rustls SecureChannel, SpdmDeviceIo). The wire framing is unchanged — the peer's receive loop already reassembles multiple packets in VmcallRaw::recv.

Promote MAX_VMCALL_RAW_STREAM_MTU to pub(crate) and add explicit VMCALL_RAW_GHCI_HEADER_LEN / VMCALL_RAW_SEND_PAYLOAD_MTU consts so the overhead arithmetic is named at one site.

@sgrams sgrams requested a review from MichalTarnacki June 30, 2026 12:25
@sgrams sgrams self-assigned this Jun 30, 2026
@sgrams sgrams requested a review from jyao1 as a code owner June 30, 2026 12:25
A single TDG.VP.VMCALL<Service.MigTD.Send> can only carry up to the
same MTU the receive side advertises (MAX_VMCALL_RAW_STREAM_MTU,
64KB). With policy_v2's peer-data blob now carrying the signed policy
plus issuer chain (~180KB in practice), the rebinding pre-session
body send fails with TdVmcallError::Other right after hello and the
8-byte data header succeed.

Chunk on the send path so any single VMCALL payload stays at
MAX_VMCALL_RAW_STREAM_MTU - 12 bytes (room for the GHCI 1.5
status+length header prepended by vmcall_raw_transport_enqueue).
Loop inside VmcallRaw::send and keep returning buf.len(); this keeps
the AsyncWrite contract intact for callers that don't loop on partial
writes (rustls SecureChannel, SpdmDeviceIo). The wire framing is
unchanged — the peer's receive loop already reassembles multiple
packets in VmcallRaw::recv.

Promote MAX_VMCALL_RAW_STREAM_MTU to pub(crate) and add explicit
VMCALL_RAW_GHCI_HEADER_LEN / VMCALL_RAW_SEND_PAYLOAD_MTU consts so the
overhead arithmetic is named at one site.

Signed-off-by: Stanislaw Grams <stanislaw.grams@intel.com>
@sgrams sgrams force-pushed the fix_huge_cert_migtd_send branch from bd9b144 to f39f3f8 Compare June 30, 2026 12:59
@sgrams sgrams merged commit 11156b8 into main Jun 30, 2026
111 checks passed
@sgrams sgrams deleted the fix_huge_cert_migtd_send branch June 30, 2026 19:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants