Online / 5 & 6 February 2022


Developing for the AWS Nitro Enclave Platform

A new Enclave Development Platform (EDP) Target

Intel, AMD, ARM, all have launched their own TEE. Amazon can be added to that list with AWS Nitro, but unlike the others it is not a hardware manufacturer. Instead, it chooses to provides its own abstractions over the platform used. This leads to some interesting characteristics. The Enclave Development Platform (EDP) is a TEE platform SDK developed by Fortanix. EDP already targeted the Intel SGX platform. Recently we also support the AWS Nitro platform. In this talk we discuss the AWS Nitro platform in detail and interesting design decisions we made for the EDP platform.

In the AWS Nitro architecture, the hypervisor plays a key role. Hardware resources (processor cores and memory) are split off of a parent VM and can be repurposed to run the Nitro enclave. This enclave can be viewed as a separate VM with only processor cores and memory. A hard disk drive is not present, nor can it directly access an Ethernet network. All communication needs to take place over VSOCK to the parent VM. An attestation report can be provided by the hypervisor to ensure that the enclave has been build correctly. The Enclave Development Platform (EDP) provides a way to easily build Rust applications on top of TEEs. It should be as easy for developers to target TEEs any other modern operating system. Next to Intel SGX, the Nitro platform has been added recently. To target the Nitro platform, EDP reimplements parts of the Rust standard library. It takes care of starting a runner process in the parent VM, forwarding network packets to/from the enclave and providing attestation evidence.


Photo of Raoul Strackx Raoul Strackx