Linux 5.10 To Support Nitro Enclaves For Security-Critical Applications
The kernel support for Nitro Enclaves landed this week in char-misc-next ahead of the Linux 5.10 cycle kicking off next month.
Nitro Enclaves is a capability of Amazon AWS' EC2 cloud for protecting highly sensitive data. Nitro Enclaves provide additional isolation and security by punting the sensitive work/data off to an isolated virtual machine without persistent storage access and other reductions to possible attack surfaces while also providing cryptographic attestation for ensuring only trusted/authorized code is running.
Earlier this year Amazon Web Services engineers began the process of upstreaming Nitro Enclaves with the relevant kernel bits for supporting this security feature. Now for Linux 5.10 with the queued char-misc changes this support will land.
The new kernel documentation goes on to further describe Nitro Enclaves:
See the proposed documentation for more information on the kernel-side portion. There is also the aws.amazon.com page outlining Nitro Enclaves at a higher level.
The PCI device driver and other enclave code and exposing the new ioctl are all part of the queued patches. After going through ten rounds of patch review, the code appears all squared away and is exposed via the new NITRO_ENCLAVES Kconfig switch.
Nitro Enclaves is a capability of Amazon AWS' EC2 cloud for protecting highly sensitive data. Nitro Enclaves provide additional isolation and security by punting the sensitive work/data off to an isolated virtual machine without persistent storage access and other reductions to possible attack surfaces while also providing cryptographic attestation for ensuring only trusted/authorized code is running.
Earlier this year Amazon Web Services engineers began the process of upstreaming Nitro Enclaves with the relevant kernel bits for supporting this security feature. Now for Linux 5.10 with the queued char-misc changes this support will land.
The new kernel documentation goes on to further describe Nitro Enclaves:
For example, an application that processes sensitive data and runs in a VM, can be separated from other applications running in the same VM. This application then runs in a separate VM than the primary VM, namely an enclave.
An enclave runs alongside the VM that spawned it. This setup matches low latency applications needs. The resources that are allocated for the enclave, such as memory and CPUs, are carved out of the primary VM. Each enclave is mapped to a process running in the primary VM, that communicates with the NE driver via an ioctl interface.
See the proposed documentation for more information on the kernel-side portion. There is also the aws.amazon.com page outlining Nitro Enclaves at a higher level.
The PCI device driver and other enclave code and exposing the new ioctl are all part of the queued patches. After going through ten rounds of patch review, the code appears all squared away and is exposed via the new NITRO_ENCLAVES Kconfig switch.
2 Comments