Online / 5 & 6 February 2022


Process-based abstractions for VM-based environments

Inaugural secure enclave platforms operate at the single user process level (e.g. SGX), meaning a single address space with potentially multiple threads, with a standard OS outside the enclave responsible for resource management and scheduling. More recent platforms (AMD SEV, Intel TDX, AWS Nitro Enclaves) operate at the VM level. This provides significant new capabilities for multi-process abstractions such as mmap and fork, which will be beneficial for enclavizing legacy software.

However, taking a VM image and running it in an enclave is not great from a TCB minimization standpoint. For platforms where there's currently no alternative (AMD, AWS), how can we build--with a minimal TCB--an abstraction that's similar to single-process enclaves? Of course you can “just run Linux” with a single process but this again is clearly suboptimal. We'll explore the solution space in this interactive session.


Marta Rybczynska
Photo of Vasily A. Sartakov Vasily A. Sartakov
Photo of Mike Bursell Mike Bursell
Photo of Jo Van Bulck Jo Van Bulck
Photo of Jethro G. Beekman Jethro G. Beekman
Photo of Hugo Lefeuvre Hugo Lefeuvre