in src/common/commands_parser.rs [380:449]
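/// Parses and validates the optional `enclave-cid` command-line argument.
///
/// Returns `Ok(None)` when the argument was not supplied, `Ok(Some(cid))` when it
/// was supplied and passed validation, and an `InvalidArgument` failure otherwise.
///
/// A CID of 0 is accepted as the placeholder meaning "auto-generate a CID"; a
/// notice is printed to stderr in that case.
///
/// Rejected values:
/// - 1 and 2 (`VMADDR_CID_LOCAL`, `VMADDR_CID_HOST`) and `u32::MAX`
///   (`VMADDR_CID_ANY`, i.e. `-1U`): well-known vsock CIDs.
/// - `VMADDR_CID_PARENT`: the CID of the parent VM.
/// - anything above `u32::MAX`: 64-bit CIDs are not supported by the vsock device.
///
/// See <http://man7.org/linux/man-pages/man7/vsock.7.html>.
fn parse_enclave_cid(args: &ArgMatches) -> NitroCliResult<Option<u64>> {
    // The argument is optional; absence is not an error.
    let raw_cid = match args.get_one::<String>("enclave-cid") {
        Some(raw_cid) => raw_cid,
        None => return Ok(None),
    };

    let enclave_cid: u64 = raw_cid.parse().map_err(|_| {
        new_nitro_cli_failure!(
            "`enclave-cid` is not a number",
            NitroCliErrorEnum::InvalidArgument
        )
        .add_info(vec!["enclave-cid", raw_cid])
    })?;

    // 0 is not a usable CID (VMADDR_CID_HYPERVISOR); here it is the placeholder
    // that requests an auto-generated CID, so it is accepted but announced.
    if enclave_cid == 0 {
        eprintln!("The enclave CID will be auto-generated as the provided CID is 0");
    }

    // Do not use well-known CID values as the enclave CID:
    //   VMADDR_CID_ANY        = -1U (u32::MAX)
    //   VMADDR_CID_HYPERVISOR = 0   (handled above as the auto-generate placeholder)
    //   VMADDR_CID_LOCAL      = 1
    //   VMADDR_CID_HOST       = 2
    // Both reserved ranges share one rejection so the reason is stated once.
    let is_well_known = (enclave_cid > 0 && enclave_cid <= VMADDR_CID_HOST as u64)
        || enclave_cid == u32::MAX as u64;
    if is_well_known {
        return Err(new_nitro_cli_failure!(
            &format!(
                "CID {} is a well-known CID, not to be used for enclaves",
                enclave_cid
            ),
            NitroCliErrorEnum::InvalidArgument
        ));
    }

    // Do not use the CID of the parent VM as the enclave CID.
    if enclave_cid == VMADDR_CID_PARENT as u64 {
        return Err(new_nitro_cli_failure!(
            &format!(
                "CID {} is the CID of the parent VM, not to be used for enclaves",
                enclave_cid
            ),
            NitroCliErrorEnum::InvalidArgument
        ));
    }

    // 64-bit CIDs are not yet supported for the vsock device.
    if enclave_cid > u32::MAX as u64 {
        return Err(new_nitro_cli_failure!(
            &format!(
                "CID {} is higher than the maximum supported (u32 max) for a vsock device",
                enclave_cid
            ),
            NitroCliErrorEnum::InvalidArgument
        ));
    }

    Ok(Some(enclave_cid))
}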