Vsocks in Node.js
abhigupta768 opened this issue · 9 comments
Hey, I am trying to make a Node.js application support Nitro Enclaves. But I cannot find a way to implement vsock in Node.js. Can you point me to something?
Also, can you let me know if Unix IPC Sockets would work?
Hi @abhigupta768. Looks like Node.js doesn't support it. I found that the net library only implements the AF_INET and AF_UNIX SOCK_STREAM BSD socket API, while UDP/Datagram implements AF_INET SOCK_DGRAM, and neither of them suits the AF_VSOCK SOCK_STREAM API required for communication with Nitro Enclaves.
In this case you could try some relay software, which could forward vsock traffic to some other suitable for you endpoint, e.g https://github.com/stefano-garzarella/socat-vsock.
Thanks for getting back. I am thinking of the following solution:
- Have a Python script with an AF_VSOCK implementation in the parent.
- Have a Python script with an AF_VSOCK implementation in the enclave.
- Have the Node.js code in the parent start the Python script in the parent as a child process, which in turn passes the data on to the enclave over the vsock.
- Have the Python script in the enclave receive the data and start a child process to run the Node.js code in the enclave, which processes the data and returns it to the Python script.
- Have the Python script in the enclave send the processed data back to the Python script child process in the parent via the vsock, which in turn returns it to the Node.js code.
Can you please let me know if this would work? And also if there are any security issues around the same?
Thanks!
Yes, Python can use vsock, as you can see from the example, and then it's up to you how to arrange the communication further.
Sounds good, thanks!
@abhigupta768 Did you ever get it working?
Hey, nope. I ended up using Evervault (https://evervault.com/). They provide Node.js support for AWS Nitro Enclaves.
Very interesting. Thanks. Do you know if they support e.g. Mysql/MariaDB as external services?
Umm, I am not very sure. They do intercept network requests inside the enclave, then relay them to the parent, which can then interact with whitelisted IPs. So I am guessing that using a managed service like RDS with the appropriate permissions should work. I am not entirely sure, though.