Documentation/virt/ne_overview.rst

1 .. SPDX-License-Identifier: GPL-2.0
11 that allows customers to carve out isolated compute environments within EC2
24 carved out of the primary VM. Each enclave is mapped to a process running in the
29 1. An enclave abstraction process - a user space process running in the primary
30 VM guest that uses the provided ioctl interface of the NE driver to spawn an
33 There is a NE emulated PCI device exposed to the primary VM. The driver for this
34 new PCI device is included in the NE driver.
36 The ioctl logic is mapped to PCI device commands e.g. the NE_START_ENCLAVE ioctl
37 maps to an enclave start PCI command. The PCI device commands are then
42 2. The enclave itself - a VM running on the same host as the primary VM that
46 The memory regions carved out of the primary VM and given to an enclave need to
49 user space [2][3][7]. The memory size for an enclave needs to be at least
50 64 MiB. The enclave memory and CPUs need to be from the same NUMA node.
52 An enclave runs on dedicated cores. CPU 0 and its CPU siblings need to remain
53 available for the primary VM. A CPU pool has to be set for NE purposes by an
54 user with admin capability. See the cpu list section from the kernel
55 documentation [4] for how a CPU pool format looks.
58 using virtio-vsock [5]. The primary VM has virtio-pci vsock emulated device,
59 while the enclave VM has a virtio-mmio vsock emulated device. The vsock device
60 uses eventfd for signaling. The enclave VM sees the usual interfaces - local
61 APIC and IOAPIC - to get interrupts from virtio-vsock device. The virtio-mmio
64 The application that runs in the enclave needs to be packaged in an enclave
74 ramdisk(s). That's used, for example, to check that the enclave image that is
75 loaded in the enclave VM is the one that was intended to be run.
78 generated by the Nitro Hypervisor and further used to prove the identity of the
83 init process in the enclave connects to the vsock CID of the primary VM and a
84 predefined port - 9000 - to send a heartbeat value - 0xb7. This mechanism is
85 used to check in the primary VM that the enclave has booted. The CID of the
89 the NE driver. This event is sent further to the user space enclave process
93 [1] https://aws.amazon.com/ec2/nitro/nitro-enclaves/
94 [2] https://www.kernel.org/doc/html/latest/admin-guide/mm/hugetlbpage.html
96 [4] https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
97 [5] https://man7.org/linux/man-pages/man7/vsock.7.html