[PATCH v1 00/15] Add support for Nitro Enclaves

From: Andra Paraschiv
Date: Tue Apr 21 2020 - 14:42:25 EST


Nitro Enclaves (NE) is a new Amazon Elastic Compute Cloud (EC2) capability
that allows customers to carve out isolated compute environments within EC2
instances [1].

For example, an application that processes highly sensitive data and
runs in a VM, can be separated from other applications running in the same VM.
This application then runs in a separate VM than the primary VM, namely an
enclave.

An enclave runs alongside the VM that spawned it. This setup matches low latency
applications needs. The resources that are allocated for the enclave, such as
memory and CPU, are carved out of the primary VM. Each enclave is mapped to a
process running in the primary VM, that communicates with the NE driver via an
ioctl interface.

An enclave communicates with the primary VM via a local communication channel,
using virtio-vsock [2]. An enclave does not have a disk or a network device
attached.

The following patch series covers the NE driver for enclave lifetime management.
It provides an ioctl interface to the user space and includes a PCI device
driver that is the means of communication with the hypervisor running on the
host where the primary VM and the enclave are launched.

The proposed solution is following the KVM model and uses the KVM API to be able
to create and set resources for enclaves. An additional ioctl command, besides
the ones provided by KVM, is used to start an enclave and setup the addressing
for the communication channel and an enclave unique id.

Thank you.

Andra

[1] https://aws.amazon.com/ec2/nitro/nitro-enclaves/
[2] http://man7.org/linux/man-pages/man7/vsock.7.html

---

Patch Series Changelog

The patch series is built on top of v5.7-rc2.

v1

* The current patch series.

---

Andra Paraschiv (15):
nitro_enclaves: Add ioctl interface definition
nitro_enclaves: Define the PCI device interface
nitro_enclaves: Define enclave info for internal bookkeeping
nitro_enclaves: Init PCI device driver
nitro_enclaves: Handle PCI device command requests
nitro_enclaves: Handle out-of-band PCI device events
nitro_enclaves: Init misc device providing the ioctl interface
nitro_enclaves: Add logic for enclave vm creation
nitro_enclaves: Add logic for enclave vcpu creation
nitro_enclaves: Add logic for enclave memory region set
nitro_enclaves: Add logic for enclave start
nitro_enclaves: Add logic for enclave termination
nitro_enclaves: Add Kconfig for the Nitro Enclaves driver
nitro_enclaves: Add Makefile for the Nitro Enclaves driver
MAINTAINERS: Add entry for the Nitro Enclaves driver

MAINTAINERS | 11 +
drivers/virt/Kconfig | 2 +
drivers/virt/Makefile | 2 +
drivers/virt/amazon/Kconfig | 28 +
drivers/virt/amazon/Makefile | 19 +
drivers/virt/amazon/nitro_enclaves/Makefile | 23 +
.../virt/amazon/nitro_enclaves/ne_misc_dev.c | 1039 +++++++++++++++++
.../virt/amazon/nitro_enclaves/ne_misc_dev.h | 120 ++
.../virt/amazon/nitro_enclaves/ne_pci_dev.c | 675 +++++++++++
.../virt/amazon/nitro_enclaves/ne_pci_dev.h | 266 +++++
include/linux/nitro_enclaves.h | 23 +
include/uapi/linux/nitro_enclaves.h | 52 +
12 files changed, 2260 insertions(+)
create mode 100644 drivers/virt/amazon/Kconfig
create mode 100644 drivers/virt/amazon/Makefile
create mode 100644 drivers/virt/amazon/nitro_enclaves/Makefile
create mode 100644 drivers/virt/amazon/nitro_enclaves/ne_misc_dev.c
create mode 100644 drivers/virt/amazon/nitro_enclaves/ne_misc_dev.h
create mode 100644 drivers/virt/amazon/nitro_enclaves/ne_pci_dev.c
create mode 100644 drivers/virt/amazon/nitro_enclaves/ne_pci_dev.h
create mode 100644 include/linux/nitro_enclaves.h
create mode 100644 include/uapi/linux/nitro_enclaves.h

--
2.20.1 (Apple Git-117)




Amazon Development Center (Romania) S.R.L. registered office: 27A Sf. Lazar Street, UBC5, floor 2, Iasi, Iasi County, 700045, Romania. Registered in Romania. Registration number J22/2621/2005.