AWS Nitro Enclaves User Guide

Copyright © Amazon Web Services, Inc. and/or its affiliates. All rights reserved. Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by Amazon.

Table of Contents

What is Nitro Enclaves?   1
  Learn more   1
  Requirements   2
  Considerations   2
  Pricing   2
  Related services   2
Nitro Enclaves concepts   4
  Enclave   4
  Enclave ID   4
  Parent instance   4
  Enclave image file   4
  AWS Nitro Enclaves CLI   5
  AWS Nitro Enclaves SDK   5
  Cryptographic attestation   5
  Attestation document   5
  Platform configuration registers   5
  KMS proxy   5
  Vsock socket   6
Getting started: Hello enclave   7
  Step 1: Prepare the enclave-enabled parent instance   7
  Step 2: Build the enclave image file   8
  Step 3: Run the enclave   9
  Step 4: Validate the enclave   9
  Step 5: Terminate the enclave   10
Using enclaves   11
  Enclaves workflow   11
    Involved parties   11
    Data and environment preparation   11
    Attestation and data decryption   12
  Building an enclave image file   12
  Creating an enclave   14
    Launch the parent instance   14
    Create the enclave   15
Cryptographic attestation   16
  Integration with AWS KMS   16
  Where to get an enclave's measurements   16
    PCR0, PCR1, and PCR2   17
    PCR3   18
    PCR4   18
    PCR8   18
  How to get an enclave's attestation document   19
  Using cryptographic attestation with AWS KMS   20
    Secret data preparation   11
    KMS key preparation   20
  Getting started with cryptographic attestation: KMS Tool tutorial   21
Nitro Enclaves application development   23
  Nitro Enclaves Developer AMI   23
  Nitro Enclaves SDK   23
  Application development on Linux   23
    Getting started with the vsock: Vsock tutorial   23
  Application development on Windows   25
    Considerations for Windows instances   26
    Nitro Enclaves for Windows release notes   26
    Subscribe to notifications of new versions   27
    Working with the vsock socket in Windows   28
Verifying the root of trust   33
  Attestation in the Nitro Enclaves world   33
  The attestation document   33
    Attestation document specification   33
  Attestation document validation   34
    COSE and CBOR   35
    Semantical validity   35
    Certificate validity   36
    Certificate chain validity   36
Security   37
  Shared responsibility   37
  Amazon EC2 security
