lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <746fcd7d-5946-35ec-6471-8bf8dccdf400@amazon.com>
Date:   Wed, 24 Jun 2020 17:39:39 +0300
From:   "Paraschiv, Andra-Irina" <andraprs@...zon.com>
To:     Stefan Hajnoczi <stefanha@...hat.com>
CC:     <linux-kernel@...r.kernel.org>,
        Anthony Liguori <aliguori@...zon.com>,
        Benjamin Herrenschmidt <benh@...nel.crashing.org>,
        Colm MacCarthaigh <colmmacc@...zon.com>,
        Bjoern Doebel <doebel@...zon.de>,
        David Woodhouse <dwmw@...zon.co.uk>,
        Frank van der Linden <fllinden@...zon.com>,
        "Alexander Graf" <graf@...zon.de>,
        Greg KH <gregkh@...uxfoundation.org>,
        Martin Pohlack <mpohlack@...zon.de>,
        Matt Wilson <msw@...zon.com>,
        Paolo Bonzini <pbonzini@...hat.com>,
        Balbir Singh <sblbir@...zon.com>,
        Stefano Garzarella <sgarzare@...hat.com>,
        Stewart Smith <trawets@...zon.com>,
        Uwe Dannowski <uwed@...zon.de>, <kvm@...r.kernel.org>,
        <ne-devel-upstream@...zon.com>
Subject: Re: [PATCH v4 17/18] nitro_enclaves: Add overview documentation



On 23/06/2020 11:59, Stefan Hajnoczi wrote:
> On Mon, Jun 22, 2020 at 11:03:28PM +0300, Andra Paraschiv wrote:
>> +The kernel bzImage, the kernel command line, the ramdisk(s) are part of the
>> +Enclave Image Format (EIF); plus an EIF header including metadata such as magic
>> +number, eif version, image size and CRC.
>> +
>> +Hash values are computed for the entire enclave image (EIF), the kernel and
>> +ramdisk(s). That's used, for example, to check that the enclave image that is
>> +loaded in the enclave VM is the one that was intended to be run.
>> +
>> +These crypto measurements are included in a signed attestation document
>> +generated by the Nitro Hypervisor and further used to prove the identity of the
>> +enclave; KMS is an example of service that NE is integrated with and that checks
>> +the attestation doc.
>> +
>> +The enclave image (EIF) is loaded in the enclave memory at offset 8 MiB. The
>> +init process in the enclave connects to the vsock CID of the primary VM and a
>> +predefined port - 9000 - to send a heartbeat value - 0xb7. This mechanism is
>> +used to check in the primary VM that the enclave has booted.
>> +
>> +If the enclave VM crashes or gracefully exits, an interrupt event is received by
>> +the NE driver. This event is sent further to the user space enclave process
>> +running in the primary VM via a poll notification mechanism. Then the user space
>> +enclave process can exit.
>> +
>> +[1] https://aws.amazon.com/ec2/nitro/nitro-enclaves/
>> +[2] https://www.kernel.org/doc/Documentation/vm/hugetlbpage.txt
>> +[3] https://lwn.net/Articles/807108/
>> +[4] https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
>> +[5] https://man7.org/linux/man-pages/man7/vsock.7.html
> Is the EIF specification and the attestation protocol available?

For now, they are not publicly available. Once the refs are available 
(e.g. AWS documentation, GitHub documentation), I'll include them in the 
kernel documentation as well.

As a note here, the NE project is currently in preview 
(https://aws.amazon.com/ec2/nitro/nitro-enclaves/) and part of the 
documentation / codebase will be publicly available when NE is generally 
available (GA). This will be in addition to the ones already publicly 
available, like the NE kernel driver.

Let me know if I can help with any particular questions / clarifications.

Thanks,
Andra



Amazon Development Center (Romania) S.R.L. registered office: 27A Sf. Lazar Street, UBC5, floor 2, Iasi, Iasi County, 700045, Romania. Registered in Romania. Registration number J22/2621/2005.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ