Linux 5.10 To Support Nitro Enclaves For Security-Critical Applications

Written by Michael Larabel in Linux Security on 24 September 2020 at 01:42 PM EDT. 2 Comments
The kernel support for Nitro Enclaves landed this week in char-misc-next ahead of the Linux 5.10 cycle kicking off next month.

Nitro Enclaves is a capability of Amazon AWS' EC2 cloud for protecting highly sensitive data. Nitro Enclaves provide additional isolation and security by moving the sensitive work and data into a separate, isolated virtual machine that has no persistent storage access and a reduced attack surface in other respects, while also providing cryptographic attestation so that only trusted, authorized code is running inside the enclave.

Earlier this year, Amazon Web Services engineers began upstreaming the kernel bits needed to support Nitro Enclaves. With those changes now queued in char-misc, the support will land in Linux 5.10.

The new kernel documentation goes on to further describe Nitro Enclaves:
For example, an application that processes sensitive data and runs in a VM can be separated from other applications running in the same VM. This application then runs in a separate VM from the primary VM, namely an enclave.

An enclave runs alongside the VM that spawned it. This setup matches low-latency applications' needs. The resources that are allocated for the enclave, such as memory and CPUs, are carved out of the primary VM. Each enclave is mapped to a process running in the primary VM that communicates with the NE driver via an ioctl interface.

See the proposed documentation for more information on the kernel-side portion. There is also the aws.amazon.com page outlining Nitro Enclaves at a higher level.

The PCI device driver, the rest of the enclave code, and the new ioctl interface it exposes are all part of the queued patches. After ten rounds of patch review, the code appears all squared away and is gated behind the new NITRO_ENCLAVES Kconfig switch.