| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 24 Jun 2020 17:39:39 +0300
From: "Paraschiv, Andra-Irina" <andraprs@...zon.com>
To: Stefan Hajnoczi <stefanha@...hat.com>
CC: <linux-kernel@...r.kernel.org>,
Anthony Liguori <aliguori@...zon.com>,
Benjamin Herrenschmidt <benh@...nel.crashing.org>,
Colm MacCarthaigh <colmmacc@...zon.com>,
Bjoern Doebel <doebel@...zon.de>,
David Woodhouse <dwmw@...zon.co.uk>,
Frank van der Linden <fllinden@...zon.com>,
"Alexander Graf" <graf@...zon.de>,
Greg KH <gregkh@...uxfoundation.org>,
Martin Pohlack <mpohlack@...zon.de>,
Matt Wilson <msw@...zon.com>,
Paolo Bonzini <pbonzini@...hat.com>,
Balbir Singh <sblbir@...zon.com>,
Stefano Garzarella <sgarzare@...hat.com>,
Stewart Smith <trawets@...zon.com>,
Uwe Dannowski <uwed@...zon.de>, <kvm@...r.kernel.org>,
<ne-devel-upstream@...zon.com>
Subject: Re: [PATCH v4 17/18] nitro_enclaves: Add overview documentation
On 23/06/2020 11:59, Stefan Hajnoczi wrote:
> On Mon, Jun 22, 2020 at 11:03:28PM +0300, Andra Paraschiv wrote:
>> +The kernel bzImage, the kernel command line, the ramdisk(s) are part of the
>> +Enclave Image Format (EIF); plus an EIF header including metadata such as magic
>> +number, eif version, image size and CRC.
>> +
>> +Hash values are computed for the entire enclave image (EIF), the kernel and
>> +ramdisk(s). That's used, for example, to check that the enclave image that is
>> +loaded in the enclave VM is the one that was intended to be run.
>> +
>> +These crypto measurements are included in a signed attestation document
>> +generated by the Nitro Hypervisor and further used to prove the identity of the
>> +enclave; KMS is an example of service that NE is integrated with and that checks
>> +the attestation doc.
>> +
>> +The enclave image (EIF) is loaded in the enclave memory at offset 8 MiB. The
>> +init process in the enclave connects to the vsock CID of the primary VM and a
>> +predefined port - 9000 - to send a heartbeat value - 0xb7. This mechanism is
>> +used to check in the primary VM that the enclave has booted.
>> +
>> +If the enclave VM crashes or gracefully exits, an interrupt event is received by
>> +the NE driver. This event is sent further to the user space enclave process
>> +running in the primary VM via a poll notification mechanism. Then the user space
>> +enclave process can exit.
>> +
>> +[1] https://aws.amazon.com/ec2/nitro/nitro-enclaves/
>> +[2] https://www.kernel.org/doc/Documentation/vm/hugetlbpage.txt
>> +[3] https://lwn.net/Articles/807108/
>> +[4] https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
>> +[5] https://man7.org/linux/man-pages/man7/vsock.7.html
> Is the EIF specification and the attestation protocol available?
For now, they are not publicly available. Once the refs are available
(e.g. AWS documentation, GitHub documentation), I'll include them in the
kernel documentation as well.
As a note here, the NE project is currently in preview
(https://aws.amazon.com/ec2/nitro/nitro-enclaves/) and part of the
documentation / codebase will be publicly available when NE is generally
available (GA). This will be in addition to the ones already publicly
available, like the NE kernel driver.
Let me know if I can help with any particular questions / clarifications.
Thanks,
Andra
Amazon Development Center (Romania) S.R.L. registered office: 27A Sf. Lazar Street, UBC5, floor 2, Iasi, Iasi County, 700045, Romania. Registered in Romania. Registration number J22/2621/2005.
Powered by blists - more mailing lists