aws / aws-nitro-enclaves-cli

Licence: other
Tooling for Nitro Enclave Management

Nitro Enclaves Command Line Interface (Nitro CLI)

This repository contains a collection of tools and commands used for managing the lifecycle of enclaves. The Nitro CLI needs to be installed on the parent instance, and it can be used to start, manage, and terminate enclaves.

Prerequisites

  1. A working Docker setup; follow https://docs.docker.com/install/overview/ for details on how to install Docker on your host, including how to run it as a non-root user.
  2. Install gcc, make, git, llvm-dev, libclang-dev, clang.

Driver information

The Nitro Enclaves kernel driver is available in the upstream Linux kernel starting with the v5.10 kernel for x86_64 and starting with the v5.16 kernel for arm64. The codebase from the 'drivers/virt/nitro_enclaves' directory in this GitHub repository is similar to the one merged into the upstream Linux kernel.

The Nitro Enclaves kernel driver is currently available in the following distro kernels:

  • x86_64

    • Amazon Linux 2 v4.14 kernel starting with kernel-4.14.198-152.320.amzn2.x86_64
    • Amazon Linux 2 v5.4 kernel starting with kernel-5.4.68-34.125.amzn2.x86_64
    • Amazon Linux 2 v5.10+ kernel (e.g. kernel-5.10.29-27.128.amzn2.x86_64)
    • Amazon Linux 2022 v5.10+ kernel (e.g. kernel-5.10.75-82.359.amzn2022.x86_64)
    • CentOS Stream v4.18+ kernel starting with kernel-4.18.0-257.el8.x86_64
    • Fedora v5.10+ kernel (e.g. kernel-5.10.12-200.fc33.x86_64)
    • openSUSE Tumbleweed v5.10+ kernel (e.g. kernel-default-5.10.1-1.1.x86_64)
    • Red Hat Enterprise Linux v4.18+ kernel starting with kernel-4.18.0-305.el8.x86_64
    • Ubuntu v5.4 kernel starting with linux-aws 5.4.0-1030-aws x86_64
    • Ubuntu v5.8 kernel starting with linux-aws 5.8.0-1017-aws x86_64
    • Ubuntu v5.11+ kernel (e.g. linux-aws 5.11.0-1006-aws x86_64)
  • aarch64

    • Amazon Linux 2 v4.14 kernel starting with kernel-4.14.252-195.483.amzn2.aarch64
    • Amazon Linux 2 v5.4 kernel starting with kernel-5.4.156-83.273.amzn2.aarch64
    • Amazon Linux 2 v5.10+ kernel starting with kernel-5.10.75-79.358.amzn2.aarch64
    • Amazon Linux 2022 v5.10+ kernel starting with kernel-5.10.75-82.359.amzn2022.aarch64
    • CentOS Stream v4.18 kernel starting with kernel-4.18.0-358.el8.aarch64
    • CentOS Stream v5.14+ kernel starting with kernel-5.14.0-24.el9.aarch64
    • Fedora v5.16+ kernel (e.g. kernel-5.16.5-200.fc35.aarch64)
    • Ubuntu v5.4 kernel starting with linux-aws 5.4.0-1064-aws aarch64
    • Ubuntu v5.13+ kernel starting with linux-aws 5.13.0-1012-aws aarch64

The following packages need to be installed or updated to have the Nitro Enclaves kernel driver available in the mentioned distros:

  • Amazon Linux 2 - "kernel" (amzn2-core) for the v4.14 kernel, "kernel" (amzn2extra-kernel-5.4) for the v5.4 kernel, "kernel" (amzn2extra-kernel-5.10) for the v5.10 kernel
  • CentOS Stream - "kernel" for the v4.18+ kernel
  • Fedora - "kernel" for the v5.10+ kernel
  • openSUSE Tumbleweed - "kernel-default" for the v5.10+ kernel
  • Red Hat Enterprise Linux - "kernel" for the v4.18+ kernel
  • Ubuntu - "linux-aws" and "linux-modules-extra-aws" for the v5.4, v5.8 and v5.11+ kernels

An out-of-tree driver build can be done using the Makefile in the 'drivers/virt/nitro_enclaves' directory.

How to install (GitHub sources):

  1. Clone the repository.
  2. Set NITRO_CLI_INSTALL_DIR to the desired location; by default everything will be installed in build/install.
  3. Run 'make nitro-cli && make vsock-proxy && make install'.
  4. [Rerun after reboot] Source the script ${NITRO_CLI_INSTALL_DIR}/etc/profile.d/nitro-cli-env.sh.
  5. [Rerun after reboot] Preallocate resources for the enclave(s). For example, to configure 2 vCPUs and 256 MiB for enclave use: nitro-cli-config -i -m 256 -t 2
  6. [Optional] You could add ${NITRO_CLI_INSTALL_DIR}/etc/profile.d/nitro-cli-env.sh in your local shell configuration.
  7. You are now ready to go.

Distro-specific steps for installing the Nitro CLI from GitHub sources can be found in the docs directory.

How to use Nitro Enclaves CLI

The user guide for the Nitro Enclaves CLI can be found at https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave-cli.html.

Ensure that your EC2 instance was created with enclave support enabled and that your system (and container if applicable) has read/write access to /dev/nitro_enclaves.

Ensure that your Linux system (and container if applicable) has Linux hugepages available.

The AWS Nitro Enclaves CLI package is currently available for:

Enclave disk size

The enclaves do not have access to a physical disk, just a RAM filesystem. The disk space can be configured by changing the enclave's memory size or by using kernel command line arguments.

The init.c file holds the default configuration for each volume. The example below shows the default options for /tmp.

{ OpMount, .mount = { "tmpfs", "/tmp", "tmpfs", MS_NODEV | MS_NOSUID | MS_NOEXEC } },

To modify the memory allocated to this volume, another parameter is needed:

{ OpMount, .mount = { "tmpfs", "/tmp", "tmpfs", MS_NODEV | MS_NOSUID | MS_NOEXEC, "size=100%" } },

Note that the size parameter specifies only an upper bound on the volume's size, not a reserved allocation. After modifying the configuration, the file needs to be recompiled using 'make init' and the result moved to /usr/share/nitro_enclaves/blobs/init.
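As an added example (not code from init.c or from the project), the C below models the shape of such a mount entry, checks that a RAM volume keeps the nodev/nosuid/noexec hardening flags shown above, and resolves the tmpfs size option to a byte cap for a given enclave memory. The struct layout, the 256 MiB enclave memory figure and the "relaxed" counterexample entry are assumptions made for the example.

```c
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>

/* Assumed shape of an OpMount entry; the real layout in init.c may differ. */
struct mount_entry {
    const char *source;
    const char *target;
    const char *fstype;
    unsigned long flags;   /* MS_* bits handed to mount(2) */
    const char *data;      /* filesystem options such as "size=100%", or NULL */
};

/* The two /tmp configurations from the text: default, and with an explicit cap. */
static const struct mount_entry tmp_default =
    { "tmpfs", "/tmp", "tmpfs", MS_NODEV | MS_NOSUID | MS_NOEXEC, NULL };
static const struct mount_entry tmp_sized =
    { "tmpfs", "/tmp", "tmpfs", MS_NODEV | MS_NOSUID | MS_NOEXEC, "size=100%" };
/* Constructed counterexample: hardening flags dropped, size given with a suffix. */
static const struct mount_entry tmp_relaxed =
    { "tmpfs", "/tmp", "tmpfs", MS_NODEV, "mode=1777,size=64m" };

/* A RAM volume should keep all three hardening flags; returns 1 if it does. */
int volume_is_hardened(const struct mount_entry *e)
{
    const unsigned long want = MS_NODEV | MS_NOSUID | MS_NOEXEC;
    return (e->flags & want) == want;
}

/* Resolve the tmpfs "size=" option to a byte cap for an enclave that was given
 * enclave_mib of memory. tmpfs accepts a percentage of RAM or a number with an
 * optional k/m/g suffix; with no size option the kernel defaults to 50% of RAM. */
unsigned long long tmpfs_cap_bytes(const struct mount_entry *e, unsigned long enclave_mib)
{
    unsigned long long ram = (unsigned long long)enclave_mib << 20;
    const char *opt = e->data ? strstr(e->data, "size=") : NULL;
    if (!opt)
        return ram / 2;
    char *end;
    unsigned long long val = strtoull(opt + 5, &end, 10);
    switch (*end) {
    case '%': return ram * val / 100;
    case 'k': case 'K': return val << 10;
    case 'm': case 'M': return val << 20;
    case 'g': case 'G': return val << 30;
    default:  return val;   /* plain byte count */
    }
}
```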

License

This library is licensed under the Apache 2.0 License.

Source-code components

The components of the Nitro Enclaves CLI are organized as follows (all paths are relative to the Nitro Enclaves CLI's root directory):

  • 'blobs': Binary blobs providing pre-compiled components needed for the building of enclave images:

    • 'blobs/aarch64/Image': Kernel image
    • 'blobs/aarch64/Image.config': Kernel config
    • 'blobs/aarch64/cmdline': Kernel boot command line
    • 'blobs/aarch64/init': Init process executable
    • 'blobs/aarch64/linuxkit': LinuxKit-based user-space environment
    • 'blobs/aarch64/nsm.ko': The driver which enables the Nitro Secure Module (NSM) component inside the enclave
    • 'blobs/x86_64/bzImage': Kernel image
    • 'blobs/x86_64/bzImage.config': Kernel config
    • 'blobs/x86_64/cmdline': Kernel boot command line
    • 'blobs/x86_64/init': Init process executable
    • 'blobs/x86_64/linuxkit': LinuxKit-based user-space environment
    • 'blobs/x86_64/nsm.ko': The driver which enables the Nitro Secure Module (NSM) component inside the enclave
    • The enclave kernel is based on the v4.14 Amazon Linux kernel - https://github.com/amazonlinux/linux/tree/amazon-4.14.y/master
    • The source code for the init process and the NSM kernel driver can be found in the following GitHub repository - https://github.com/aws/aws-nitro-enclaves-sdk-bootstrap
  • 'build': An automatically-generated directory which stores the build output for various components (the CLI, the command executer etc.)

  • 'bootstrap': Various useful scripts for CLI environment configuration, namely:

    • 'allocator.yaml': Configuration file for enclave memory and CPUs reservation
    • 'env.sh': A script which inserts the pre-built Nitro Enclaves kernel module, adds the CLI binary directory to $PATH and sets the blobs directory
    • 'nitro-cli-config': A script which can build, configure and install the Nitro Enclaves kernel module, as well as configure the memory and CPUs available for enclave launches (depending on the operation, root privileges may be required)
    • 'nitro-enclaves-allocator': Configuration script for enclave memory and CPUs reservation
    • 'nitro-enclaves-allocator.service': Configuration service for enclave memory and CPUs reservation
  • 'docs': Useful documentation

  • 'drivers': The source code of the kernel modules used by the CLI in order to control enclave behavior, containing:

    • 'drivers/virt/nitro_enclaves': The Nitro Enclaves driver used by the Nitro CLI
  • 'eif_defs': The definition of the enclave image format (EIF) file

  • 'eif_loader': The source code for the EIF loader, a module which ensures that an enclave has booted successfully

  • 'eif_utils': Utilities for the EIF files, focused mostly on building EIFs

  • 'enclave_build': A tool which builds EIF files starting from a Docker image and pre-existing binary blobs (such as those from 'blobs')

  • 'examples': Basic examples of enclaves. One example is the hello world enclave.

  • 'include': The header files exposed by the Nitro Enclaves kernel module used by the Nitro CLI

  • 'samples': A collection of CLI-related sample applications. One sample is the command executer - an application that enables a parent instance to issue commands to an enclave (such as transferring a file, executing an application on the enclave etc.)

  • 'src': The Nitro CLI implementation, divided into 3 components:

    • The implementation of the background enclave process: 'src/enclave_proc'
    • The implementation of the CLI, which takes user commands and communicates with enclave processes: 'src/*.rs'
    • A common module used by both the CLI and the enclave process: 'src/common'
  • 'tests': Various unit and integration tests for the CLI

  • 'tools': Various useful configuration files used for CLI and EIF builds

  • 'vsock_proxy': The implementation of the vsock-to-TCP proxy application, which is used to allow an enclave to communicate with an external service through the parent instance

  • 'ci_entrypoint.sh': The script which launches the CLI continuous integration tests

  • 'run_tests.sh': The continuous integration test suite for the CLI across all supported platforms

Security issue notifications

If you discover a potential security issue in nitro-cli, we ask that you notify AWS Security via our vulnerability reporting page. Please do not create a public GitHub issue.