VComLink: Asynchronous Communication Between EVE-OS and Virtual Machines

Introduction

VComLink is a lightweight, efficient communication agent designed to enable asynchronous, secure, and streamlined communication between EVE-OS and its Virtual Machines (VMs) using the vsock protocol.

Designed with modularity and performance in mind, VComLink allows EVE-OS to expose a variety of services, such as Trusted Platform Module (TPM) access, attestation workflows, or custom management commands to guest VMs via well-defined channels. TPM communication is the first available channel, with additional channels under development.

Prerequisites

• This feature requires EVE-OS version 14.5.0-LTS or greater.  
• See Overview of the Trusted Platform Module (TPM) in EVE-OS for more information about TPM in general. 

Key Features

• Multi-Channel Architecture
  VComLink is designed to support multiple independent communication channels, each tailored to a specific service or function (for example, TPM, telemetry, and more).
  
  
• Asynchronous, Transaction-Based Communication
  Each request/response pair is handled independently, simplifying concurrency and improving reliability.
  
  
• Kernel-Based Host-VM Communication (vsock)
  VComLink uses HTTP over the virtio socket (vsock) interface (a kernel-mediated transport layer) for direct, secure communication between the host and guest.
  
  
• Secure and Lightweight
  Because communication occurs entirely within the host’s kernel space, VComLink avoids the overhead and exposure of traditional socket networking.

Communication Framework

VComLink operates as a multiplexed message broker over the vsock channel. Each message specifies a target channel, and VComLink routes the message to the appropriate service handler. Initial implementation supports a TPM Service channel, allowing VMs to invoke cryptographic functions securely on the EVE’s HW TPM.

vComLink TPM Service

VComLink provides a TPM service channel, allowing VMs to delegate security-sensitive operations to a TPM instance on the host. All communication is defined using Protocol Buffers (protobuf) for clarity and efficiency.

Example Use Cases

• Retrieving a TPM-stored public key
• Signing data with a hardware-backed key
• Performing remote attestation via credential activation
• Reading non-volatile TPM memory
• Certifying a TPM key for integrity validation

Getting Started

To get started with VComLink on EVE-OS, the service is already available by default to all virtual machines running on EVE-OS.

• The VComLink daemon runs natively on the EVE-OS host.
• It is automatically exposed to all VMs via the vsock interface (port 2000).
• Communication is fully managed by EVE-OS, with no network setup or extra configuration required.
  
  

How to Use it in Your Application

1. Review the Protobuf API Definitions
   Browse the VComLink .proto files to understand the structure of request/response messages. These define the communication contract for each supported channel (for example, TPM service). 
   
   
2. Choose Your Programming Language
   Generate protobuf client code in your preferred language (Go, Python, Rust, C++, etc.). You can find bindings for Go and Python in the EVE-OS repository. 
   
   
3. Write Your VM Application
   Implement your logic inside the VM, using the generated protobuf stubs to send messages over vsock to the VComLink service.

Example

The following Python example demonstrates how to interact with the VComLink TPM service over HTTP on vsock. It sends a TpmRequestGetPub message via HTTP POST request to /tpm/getpub endpoint to request the public part of a TPM key and then prints the response.

import socket
import struct
import messages_pb2
import http.client
import io


VSOCK_CID_HOST = 2
VSOCK_PORT = 2000


class VsockHTTPConnection(http.client.HTTPConnection):
   def connect(self):
       self.sock = socket.socket(socket.AF_VSOCK, socket.SOCK_STREAM)
       self.sock.connect((VSOCK_CID_HOST, VSOCK_PORT))


def main():
   # Create the protobuf request
   request_proto = messages_pb2.TpmRequestGetPub()
   request_proto.index = 0x81010001  # Example TPM index
   request_bytes = request_proto.SerializeToString()


   # Setup connection to vsock "host"
   conn = VsockHTTPConnection("vsock", VSOCK_PORT)
   conn.request("POST", "/tpm/getpub", body=request_bytes, headers={
       "Content-Type": "application/octet-stream"
   })


   # Get the HTTP response
   resp = conn.getresponse()
   if resp.status != 200:
       raise Exception(f"HTTP error: {resp.status} {resp.reason}")


   # Read and parse the response protobuf
   response_bytes = resp.read()
   response_proto = messages_pb2.TpmResponseGetPub()
   response_proto.ParseFromString(response_bytes)


   # Dump result
   print("TPM Public Key Retrieved:")
   print(f"- Public Key (hex): {response_proto.public.hex()}...")
   print(f"- Algorithm: {response_proto.algorithm}")
   print(f"- Attributes (bitmask): {response_proto.attributes:#010x}")


   conn.close()


if __name__ == "__main__":
   main()

Sample Output:

TPM Public Key Retrieved:
- Public Key (hex): 0001000b000300b200208371976... (truncated)
- Algorithm: 1
- Attributes (bitmask): 0x000300b2

Conclusion

VComLink is more than a TPM tool, it’s a flexible communication framework for EVE-VM services, VComLink’s architecture is designed to be extensible, with support for additional channels under development.

Next Steps

After using VComLink in your application, you might be interested in the following article: 

• Deploy an Edge Application Instance