nitro: Add API to configure enclave start flags

tylerfanelli · tylerfanelli · commit 5f4dfb7da502 · 2025-06-06T11:30:39.000-04:00
Signed-off-by: Tyler Fanelli &lt;tfanelli@redhat.com&gt;
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/examples/nitro.c b/examples/nitro.c
@@ -154,6 +154,13 @@ int main(int argc, char *const argv[])
 
     }
 
+    // Configure the nitro enclave to run in debug mode.
+    if (err = krun_nitro_set_start_flags(ctx_id, KRUN_NITRO_START_FLAG_DEBUG)) {
+        errno = -err;
+        perror("Error configuring nitro enclave start flags");
+        return -1;
+    }
+
     // Create and initialize UNIX IPC socket for reading enclave output.
     sock_fd = socket(AF_UNIX, SOCK_STREAM, 0);
     if (sock_fd < 0) {
diff --git a/include/libkrun.h b/include/libkrun.h
@@ -636,6 +636,16 @@ int32_t krun_split_irqchip(uint32_t ctx_id, bool enable);
 int32_t krun_nitro_set_image(uint32_t ctx_id, const char *image_path,
                              uint32_t image_type);
 
+#define KRUN_NITRO_START_FLAG_DEBUG (1 << 0)
+/**
+ * Configure a Nitro Enclave's start flags.
+ *
+ * Arguments:
+ *  "ctx_id" - the configuration context ID.
+ *  "start_flags" - Start flags.
+ */
+int32_t krun_nitro_set_start_flags(uint32_t ctx_id, uint64_t start_flags);
+
 /**
  * Starts and enters the microVM with the configured parameters. The VMM will attempt to take over
  * stdin/stdout to manage them on behalf of the process running inside the isolated environment,
diff --git a/src/libkrun/Cargo.toml b/src/libkrun/Cargo.toml
@@ -14,7 +14,7 @@ efi = [ "blk", "net" ]
 gpu = []
 snd = []
 virgl_resource_map2 = []
-nitro = [ "dep:nitro" ]
+nitro = [ "dep:nitro", "dep:nitro-enclaves" ]
 
 [dependencies]
 crossbeam-channel = ">=0.5.15"
@@ -36,6 +36,7 @@ hvf = { path = "../hvf" }
 kvm-bindings = { version = ">=0.11", features = ["fam-wrappers"] }
 kvm-ioctls = ">=0.21"
 nitro = { path = "../nitro", optional = true }
+nitro-enclaves = { version = "0.2.0", optional = true }
 vm-memory = ">=0.13"
 
 [lib]
diff --git a/src/libkrun/src/lib.rs b/src/libkrun/src/lib.rs
@@ -56,6 +56,9 @@ use vmm::vmm_config::vsock::VsockDeviceConfig;
 #[cfg(feature = "nitro")]
 use nitro::NitroEnclave;
 
+#[cfg(feature = "nitro")]
+use nitro_enclaves::launch::StartFlags;
+
 // Value returned on success. We use libc's errors otherwise.
 const KRUN_SUCCESS: i32 = 0;
 // Maximum number of arguments/environment variables we allow
@@ -159,6 +162,8 @@ struct ContextConfig {
     vmm_gid: Option<libc::gid_t>,
     #[cfg(feature = "nitro")]
     nitro_image_path: Option<PathBuf>,
+    #[cfg(feature = "nitro")]
+    nitro_start_flags: StartFlags,
 }
 
 impl ContextConfig {
@@ -308,6 +313,11 @@ impl ContextConfig {
     fn set_nitro_image(&mut self, image_path: PathBuf) {
         self.nitro_image_path = Some(image_path);
     }
+
+    #[cfg(feature = "nitro")]
+    fn set_nitro_start_flags(&mut self, start_flags: StartFlags) {
+        self.nitro_start_flags = start_flags;
+    }
 }
 
 #[cfg(feature = "nitro")]
@@ -362,6 +372,7 @@ impl TryFrom<ContextConfig> for NitroEnclave {
             mem_size_mib,
             vcpus,
             ipc_stream,
+            start_flags: ctx.nitro_start_flags,
         })
     }
 }
@@ -1493,6 +1504,30 @@ pub unsafe extern "C" fn krun_nitro_set_image(ctx_id: u32, c_image_filepath: *co
     KRUN_SUCCESS
 }
 
+#[cfg(feature = "nitro")]
+#[allow(clippy::missing_safety_doc)]
+#[no_mangle]
+pub unsafe extern "C" fn krun_nitro_set_start_flags(ctx_id: u32, start_flags: u64) -> i32 {
+    let mut flags = StartFlags::empty();
+
+    // Only debug mode is supported at the moment. To avoid doing conversion and
+    // checking if the "start_flags" argument is valid, set the flags to debug mode
+    // if the "start_flags" argument is greater than zero.
+    if start_flags > 0 {
+        flags |= StartFlags::DEBUG;
+    }
+
+    match CTX_MAP.lock().unwrap().entry(ctx_id) {
+        Entry::Occupied(mut ctx_cfg) => {
+            let cfg = ctx_cfg.get_mut();
+            cfg.set_nitro_start_flags(flags);
+        }
+        Entry::Vacant(_) => return -libc::ENOENT,
+    }
+
+    KRUN_SUCCESS
+}
+
 #[no_mangle]
 #[allow(unreachable_code)]
 pub extern "C" fn krun_start_enter(ctx_id: u32) -> i32 {
diff --git a/src/nitro/src/lib.rs b/src/nitro/src/lib.rs
@@ -38,7 +38,6 @@ const SO_VM_SOCKETS_CONNECT_TIMEOUT: i32 = 6;
 const HEART_BEAT: u8 = 0xb7;
 
 /// Nitro Enclave data.
-#[derive(Debug)]
 pub struct NitroEnclave {
     /// Enclave image.
     pub image: File,
@@ -48,6 +47,8 @@ pub struct NitroEnclave {
     pub vcpus: u8,
     /// Path of vsock for initial enclave communication.
     pub ipc_stream: UnixStream,
+    /// Enclave start flags.
+    pub start_flags: StartFlags,
 }
 
 impl NitroEnclave {
@@ -68,7 +69,7 @@ impl NitroEnclave {
         let listener = VsockListener::bind(&sockaddr).map_err(NitroError::HeartbeatBind)?;
 
         let cid = launcher
-            .start(StartFlags::DEBUG, None)
+            .start(self.start_flags, None)
             .map_err(NitroError::VmStart)?;
 
         // Safe to unwrap.
