Nitro Enclaves (NE) is a new Amazon Elastic Compute Cloud (EC2) capability that allows customers to carve out isolated compute environments within EC2 instances [1]. For example, an application that processes highly sensitive data and runs in a VM, can be separated from other applications running in the same VM. This application then runs in a separate VM than the primary VM, namely an enclave. An enclave runs alongside the VM that spawned it. This setup matches low latency applications needs. The resources that are allocated for the enclave, such as memory and CPU, are carved out of the primary VM. Each enclave is mapped to a process running in the primary VM, that communicates with the NE driver via an ioctl interface. An enclave communicates with the primary VM via a local communication channel, using virtio-vsock [2]. An enclave does not have a disk or a network device attached. The following patch series covers the NE driver for enclave lifetime management. It provides an ioctl interface to the user space and includes a PCI device driver that is the means of communication with the hypervisor running on the host where the primary VM and the enclave are launched. The proposed solution is following the KVM model and uses the KVM API to be able to create and set resources for enclaves. An additional ioctl command, besides the ones provided by KVM, is used to start an enclave and setup the addressing for the communication channel and an enclave unique id. Thank you. Andra [1] https://aws.amazon.com/ec2/nitro/nitro-enclaves/ [2] http://man7.org/linux/man-pages/man7/vsock.7.html --- Patch Series Changelog The patch series is built on top of v5.7-rc2. v1 * The current patch series. --- Andra Paraschiv (15): nitro_enclaves: Add ioctl interface definition nitro_enclaves: Define the PCI device interface nitro_enclaves: Define enclave info for internal bookkeeping nitro_enclaves: Init PCI device driver nitro_enclaves: Handle PCI device command requests nitro_enclaves: Handle out-of-band PCI device events nitro_enclaves: Init misc device providing the ioctl interface nitro_enclaves: Add logic for enclave vm creation nitro_enclaves: Add logic for enclave vcpu creation nitro_enclaves: Add logic for enclave memory region set nitro_enclaves: Add logic for enclave start nitro_enclaves: Add logic for enclave termination nitro_enclaves: Add Kconfig for the Nitro Enclaves driver nitro_enclaves: Add Makefile for the Nitro Enclaves driver MAINTAINERS: Add entry for the Nitro Enclaves driver MAINTAINERS | 11 + drivers/virt/Kconfig | 2 + drivers/virt/Makefile | 2 + drivers/virt/amazon/Kconfig | 28 + drivers/virt/amazon/Makefile | 19 + drivers/virt/amazon/nitro_enclaves/Makefile | 23 + .../virt/amazon/nitro_enclaves/ne_misc_dev.c | 1039 +++++++++++++++++ .../virt/amazon/nitro_enclaves/ne_misc_dev.h | 120 ++ .../virt/amazon/nitro_enclaves/ne_pci_dev.c | 675 +++++++++++ .../virt/amazon/nitro_enclaves/ne_pci_dev.h | 266 +++++ include/linux/nitro_enclaves.h | 23 + include/uapi/linux/nitro_enclaves.h | 52 + 12 files changed, 2260 insertions(+) create mode 100644 drivers/virt/amazon/Kconfig create mode 100644 drivers/virt/amazon/Makefile create mode 100644 drivers/virt/amazon/nitro_enclaves/Makefile create mode 100644 drivers/virt/amazon/nitro_enclaves/ne_misc_dev.c create mode 100644 drivers/virt/amazon/nitro_enclaves/ne_misc_dev.h create mode 100644 drivers/virt/amazon/nitro_enclaves/ne_pci_dev.c create mode 100644 drivers/virt/amazon/nitro_enclaves/ne_pci_dev.h create mode 100644 include/linux/nitro_enclaves.h create mode 100644 include/uapi/linux/nitro_enclaves.h -- 2.20.1 (Apple Git-117) Amazon Development Center (Romania) S.R.L. registered office: 27A Sf. Lazar Street, UBC5, floor 2, Iasi, Iasi County, 700045, Romania. Registered in Romania. Registration number J22/2621/2005.
