Amazon Plumbing Nitro Enclaves Support For Linux To Isolate Highly Sensitive Data

Written by Michael Larabel in Virtualization on 21 April 2020 at 04:41 PM EDT. 10 Comments
VIRTUALIZATION
Amazon is working on upstreaming support into the Linux kernel for AWS Nitro Enclaves for additional isolation around highly sensitive data within the EC2 cloud.

As explained on the AWS page, "AWS Nitro Enclaves enables customers to create isolated compute environments to further protect and securely process highly sensitive data such as personally identifiable information (PII), healthcare, financial, and intellectual property data within their Amazon EC2 instances. Nitro Enclaves uses the same Nitro Hypervisor technology that provides CPU and memory isolation for EC2 instances."

Amazon engineers are trying to get the Nitro Enclaves capabilities into the upstream Linux kernel so it's easier to support this EC2 feature by the many Linux distributions running in the Elastic Compute Cloud.

This feature for dealing with highly sensitive data spins up an enclave that runs alongside the VM that spawned it. Resources for that enclave are carved out of the memory and vCPUs allocated to the existing VM. Communication between the NWS Nitro Enclaves and VM are done using VirtIO-Vsock while the enclave does not have disk or network access itself.

The Nitro Enclaves kernel support introduces new kernel ioctls and logic for dealing with enclave creation and allocating of resources in a KVM-focused manner. Those wanting to learn more about the proposed Nitro Enclaves support for the upstream Linux kernel can do so via this patch series.
10 Comments
Related News
Linux Developers Consider Ending 32-bit KVM Host Virtualization Support`
QEMU 9.2 Released With VirtIO GPU Vulkan Support, AVX10 & Experimental Rust Support
Rust Hypervisor Firmware v0.5 Supports For More CPUs & Improves EFI Support
Linux 6.13 KVM Eliminates An "Awful Idea", Many x86_64 Improvements
Virtual CPUFreq Driver Coming With Linux 6.13 For Better Power/Performance Within VMs
IBM Power11 CPUs Launching In 2025 - Linux 6.13 Preps KVM Nested Guests For Power11
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week
OpenWrt Affected By Security Issue That Could Have Led To Compromised Build Artifacts
Linus Torvalds Comes Out Against "Completely Broken" x86_64 Feature Levels
Linux EFI Zboot Abandoning "Compression Library Museum", Focusing On Gzip & Zstd
How AMD Is Taking Standard C/C++ Code To Run Directly On GPUs
Ptyxis Becomes Ubuntu's Recommended Replacement To GNOME Terminal
COSMIC Alpha 4 Released For System76's Rust-Based Desktop
GNU Shepherd 1.0 Service Manager Released As "Solid Tool" Alternative To systemd
KDE Starts December By Landing A Number Of New Features