[https://nvbugs/5922880][fix] Enable HMAC authentication in VisualGen ZMQ IPC channels by yibinl-nvidia · Pull Request #12680 · NVIDIA/TensorRT-LLM

yibinl-nvidia · 2026-04-02T03:45:51Z

Summary by CodeRabbit

Release Notes

Security
- Enhanced inter-process communication with HMAC encryption for visual generation tasks, protecting data in transit between workers and executors.
- Implemented per-client secure key generation for encrypted communication channels.

Description

Test Coverage

PR Checklist

Please review the following before submitting your PR:

PR description clearly explains what and why. If using CodeRabbit's summary, please make sure it makes sense.
PR Follows TRT-LLM CODING GUIDELINES to the best of your knowledge.
Test cases are provided for new code paths (see test instructions)
Any new dependencies have been scanned for license and vulnerabilities
CODEOWNERS updated if ownership changes
Documentation updated as needed
Update tava architecture diagram if there is a significant design change in PR.
The reviewers assigned automatically/manually are appropriate for the PR.
Please check this after reviewing the above items as appropriate for this PR.

GitHub Bot Help

To see a list of available CI bot commands, please comment /bot help.

coderabbitai · 2026-04-02T03:51:40Z

📝 Walkthrough

Walkthrough

These changes add HMAC encryption support to the diffusion executor's inter-process communication. The client generates random HMAC keys and passes them to worker processes, which then configure ZeroMQ IPC channels to use authenticated encryption.

Changes

Cohort / File(s)	Summary
HMAC Encryption for Diffusion IPC `tensorrt_llm/_torch/visual_gen/executor.py`, `tensorrt_llm/llmapi/visual_gen.py`	Adds optional `req_hmac_key` and `resp_hmac_key` parameters to executor initialization; client generates 32-byte HMAC keys via `os.urandom()` and passes them to worker processes; ZeroMQ queues reconfigured to enable HMAC encryption for request and response channels instead of operating without encryption.

Sequence Diagram

sequenceDiagram
    participant Client as DiffusionRemoteClient
    participant Worker as Worker Process
    participant ZMQ as ZeroMQ IPC
    
    Client->>Client: Generate req_hmac_key (32 bytes)
    Client->>Client: Generate resp_hmac_key (32 bytes)
    Client->>Worker: Spawn mp.Process with HMAC keys in kwargs
    Worker->>Worker: DiffusionExecutor.__init__(req_hmac_key, resp_hmac_key)
    Worker->>ZMQ: Configure request queue with req_hmac_key + use_hmac_encryption=True
    Worker->>ZMQ: Configure response queue with resp_hmac_key + use_hmac_encryption=True
    Client->>ZMQ: Send encrypted request message
    ZMQ->>Worker: Receive and decrypt request
    Worker->>ZMQ: Send encrypted response message
    ZMQ->>Client: Receive and decrypt response

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 60.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Description check	⚠️ Warning	The PR description is largely empty, containing only the template placeholder text with no actual implementation details, justification, test coverage information, or checklist completion beyond a single checked checkbox.	Fill in the Description section explaining the issue and solution, list relevant test cases under Test Coverage, and provide details on how the implementation follows coding guidelines.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title is specific and clearly summarizes the main change: enabling HMAC authentication in VisualGen ZMQ IPC channels.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

Create PR with unit tests

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

yibinl-nvidia · 2026-04-03T03:43:03Z

/bot run

Signed-off-by: Yibin Li <[email protected]>

yibinl-nvidia · 2026-04-03T18:36:14Z

/bot run

tensorrt-cicd · 2026-04-03T18:42:09Z

PR_Github #41723 [ run ] triggered by Bot. Commit: 007688d Link to invocation

tensorrt-cicd · 2026-04-03T22:33:26Z

PR_Github #41723 [ run ] completed with state SUCCESS. Commit: 007688d
/LLM/main/L0_MergeRequest_PR pipeline #32625 completed with status: 'FAILURE'

CI Report

⚠️ Action Required:

Please check the failed tests and fix your PR
If you cannot view the failures, ask the CI triggerer to share details
Once fixed, request an NVIDIA team member to trigger CI again

Link to invocation

yibinl-nvidia · 2026-04-03T22:52:02Z

/bot run

tensorrt-cicd · 2026-04-03T22:57:29Z

PR_Github #41753 [ run ] triggered by Bot. Commit: 007688d Link to invocation

tensorrt-cicd · 2026-04-04T02:59:56Z

PR_Github #41753 [ run ] completed with state SUCCESS. Commit: 007688d
/LLM/main/L0_MergeRequest_PR pipeline #32653 completed with status: 'SUCCESS'

CI Report

Link to invocation

yibinl-nvidia · 2026-04-07T16:07:13Z

@hchings pipeline has passed, could you please review this PR? Thank you!

hchings

LGTM.

yibinl-nvidia · 2026-04-07T20:37:53Z

@zhenhuaw-me could you help to review this as @chang-l is OOO? Thanks!

zhenhuaw-me

LGTM. Thanks!

… ZMQ IPC channels (NVIDIA#12680) Signed-off-by: Yibin Li <[email protected]>

yibinl-nvidia requested review from a team as code owners April 2, 2026 03:45

yibinl-nvidia requested a review from hchings April 2, 2026 03:45

github-actions Bot assigned yibinl-nvidia Apr 2, 2026

yibinl-nvidia changed the title ~~[https://nvbugs/5922880][fix]: Enable HMAC authentication in VisualGen ZMQ IPC channels~~ [https://nvbugs/5922880][fix] Enable HMAC authentication in VisualGen ZMQ IPC channels Apr 3, 2026

yibinl-nvidia added 2 commits April 3, 2026 14:48

fix: enable HMAC authentication in VisualGen ZMQ IPC channels

3f1eeca

Signed-off-by: Yibin Li <[email protected]>

pre-commit

007688d

Signed-off-by: Yibin Li <[email protected]>

yibinl-nvidia force-pushed the fix/visualgen-zmq-hmac-5922880 branch from dd8ed8d to 007688d Compare April 3, 2026 14:53

hchings approved these changes Apr 7, 2026

View reviewed changes

hchings enabled auto-merge (squash) April 7, 2026 20:04

yibinl-nvidia requested a review from zhenhuaw-me April 7, 2026 20:38

zhenhuaw-me approved these changes Apr 8, 2026

View reviewed changes

hchings merged commit 1431153 into NVIDIA:main Apr 8, 2026
5 checks passed

suyoggupta pushed a commit to nv-auto-deploy/TensorRT-LLM that referenced this pull request Apr 8, 2026

[https://nvbugs/5922880][fix] Enable HMAC authentication in VisualGen…

c4d9577

… ZMQ IPC channels (NVIDIA#12680) Signed-off-by: Yibin Li <[email protected]>

Conversation

yibinl-nvidia commented Apr 2, 2026 • edited by coderabbitai Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary by CodeRabbit

Release Notes

Description

Test Coverage

PR Checklist

GitHub Bot Help

Uh oh!

coderabbitai Bot commented Apr 2, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Walkthrough

Changes

Sequence Diagram

Estimated code review effort

❌ Failed checks (2 warnings)

Uh oh!

yibinl-nvidia commented Apr 3, 2026

Uh oh!

yibinl-nvidia commented Apr 3, 2026

Uh oh!

tensorrt-cicd commented Apr 3, 2026

Uh oh!

tensorrt-cicd commented Apr 3, 2026

Uh oh!

yibinl-nvidia commented Apr 3, 2026

Uh oh!

tensorrt-cicd commented Apr 3, 2026

Uh oh!

tensorrt-cicd commented Apr 4, 2026

Uh oh!

yibinl-nvidia commented Apr 7, 2026

Uh oh!

hchings left a comment

Choose a reason for hiding this comment

Uh oh!

yibinl-nvidia commented Apr 7, 2026

Uh oh!

zhenhuaw-me left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

yibinl-nvidia commented Apr 2, 2026 •

edited by coderabbitai Bot

Loading

coderabbitai Bot commented Apr 2, 2026 •

edited

Loading