
AWS Nitro Enclaves - louis-paul
https://aws.amazon.com/ec2/nitro/nitro-enclaves/
======
ngneer
How does it compare to SGX?

~~~
wahern
I don't work at AWS but anything Nitro-qualified likely refers to their
integrated hypervisor system that relies on a software hypervisor that works
in tandem with various FPGA-based hardware controllers to provide boot chain
and device attestation, and device binding (e.g. ephemeral storage keys never
leave the block device FPGA controller). In this case Nitro "enclaves"
presumably encompass a public API to bring up EC2 instances that are attested
using the same internal PKI that Nitro-based EC2 systems use for their control
plane.

From a side-channel perspective it's likely better than SGX as I presume EC2
already uses more resilient core affinity (e.g. no hyperthreaded core sharing
across instances) and other mitigations, many of which aren't even possible
with SGX.

OTOH, their PKI system and other implementation details are likely much more
complicated than Intel's SGX system (which also utilizes an online,
centralized authority), with many more avenues of attack. There are just many
more moving parts with EC2. But it's difficult to say as it's all proprietary.

TL;DR: From a general data confidentiality perspective, EC2 is likely better.
Against a nation-state-level attacker looking to subvert attestation, I'd lean
Intel.

~~~
amscanne
> From a side-channel perspective it's likely better than SGX as I presume EC2
> already uses more resilient core affinity (e.g. no hyperthreaded core
> sharing across instances) and other mitigations, many of which aren't even
> possible with SGX.

A primary point of SGX is confidentiality: the host OS can’t map and read
enclave pages because the contents are encrypted and the hardware will
generate an exception on any attempt. In other words, your data is
confidential from even the infrastructure operator.

None of this confidentiality applies here, so it's mostly irrelevant whether
the side channels are better mitigated. The host OS can dump data whenever it
wants. The better protections against side channels are pure speculation, ...
and it's nonsense to say that Nitro is uniquely capable of core isolation.
This would work equally well for limiting side channels for SGX; disabling
hyperthreading is literally Intel's recommendation AFAIK.

Of course, those side channels would still be exploitable by the host. But in
this case, Amazon wouldn’t even need the side channels, since the door is wide
open. This system appears to be providing only integrity measurements, a
locked down data plane, and standard hypervisor isolation.

I’ve got nothing against this product (and I have mixed feelings about SGX)
but the conclusion that EC2 is better for “general data confidentiality” is a
weird assertion. Maybe you could make an argument that it makes integrity
better, easier, etc. but not confidentiality.
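
Both posts above turn on the same operational question: are sibling hardware threads disabled, or at least never split between two tenants? The script below is an added example written for this thread, not code from AWS, Intel or either commenter. It parses the Linux kernel's cpulist format from sysfs (`/sys/devices/system/cpu/smt/control` and each cpu's `topology/thread_siblings_list`, both real kernel interfaces) and reports whether SMT is active and whether two cpusets straddle a physical core. The topology values embedded at the bottom are constructed sample data so it runs offline; the "tenant" cpusets are hypothetical.

```python
"""Check SMT (hyperthreading) state and cross-cpuset sibling sharing on Linux.

Added example for the Nitro vs SGX side-channel discussion; not code from
the thread, AWS or Intel. Sysfs paths are the kernel's real interfaces; the
SAMPLE_TOPOLOGY below is constructed.
"""
import os
from typing import Dict, Iterable, List, Optional, Tuple

SMT_CONTROL = "/sys/devices/system/cpu/smt/control"
SIBLINGS_PATH = "/sys/devices/system/cpu/cpu{n}/topology/thread_siblings_list"


def parse_cpu_list(text: str) -> List[int]:
    """Parse the kernel cpulist format, e.g. "0-3,8,10-11" -> [0,1,2,3,8,10,11]."""
    cpus: List[int] = []
    for part in text.strip().split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            cpus.extend(range(int(lo), int(hi) + 1))
        else:
            cpus.append(int(part))
    return sorted(set(cpus))


def smt_siblings(topology: Dict[int, str]) -> Dict[int, List[int]]:
    """Map cpu -> all cpus on the same physical core (input is cpu -> siblings text)."""
    return {cpu: parse_cpu_list(text) for cpu, text in topology.items()}


def smt_active(topology: Dict[int, str], smt_control: Optional[str] = None) -> bool:
    """True if any physical core still exposes more than one hardware thread.

    smt_control is the content of /sys/devices/system/cpu/smt/control when the
    kernel provides it ("on", "off", "forceoff", "notsupported", "notimplemented").
    A definitive value wins; otherwise fall back to inspecting the topology.
    """
    if smt_control is not None:
        state = smt_control.strip()
        if state in ("off", "forceoff", "notsupported"):
            return False
        if state == "on":
            return True
    return any(len(sibs) > 1 for sibs in smt_siblings(topology).values())


def siblings_shared_across(topology: Dict[int, str],
                           cpuset_a: Iterable[int],
                           cpuset_b: Iterable[int]) -> List[Tuple[int, int]]:
    """Return (cpu_in_a, sibling_in_b) pairs: physical cores straddling two cpusets.

    An empty list means no core is shared between the two (hypothetical) tenants,
    which is the "no hyperthreaded core sharing across instances" property.
    """
    sib = smt_siblings(topology)
    set_b = set(cpuset_b)
    shared: List[Tuple[int, int]] = []
    for cpu in sorted(set(cpuset_a)):
        for s in sib.get(cpu, []):
            if s != cpu and s in set_b:
                shared.append((cpu, s))
    return shared


def read_host_topology() -> Dict[int, str]:
    """Read cpu -> thread_siblings_list from sysfs for every online-numbered cpu."""
    topology: Dict[int, str] = {}
    n = 0
    while os.path.exists(SIBLINGS_PATH.format(n=n)):
        with open(SIBLINGS_PATH.format(n=n)) as f:
            topology[n] = f.read()
        n += 1
    return topology


def read_smt_control() -> Optional[str]:
    """Content of smt/control, or None on kernels/hosts that lack it."""
    if not os.path.exists(SMT_CONTROL):
        return None
    with open(SMT_CONTROL) as f:
        return f.read()


# Constructed sample: a 4-core/8-thread host where cpu N and cpu N+4 share a core.
SAMPLE_TOPOLOGY = {0: "0,4", 1: "1,5", 2: "2,6", 3: "3,7",
                   4: "0,4", 5: "1,5", 6: "2,6", 7: "3,7"}

if __name__ == "__main__":
    topo = read_host_topology() or SAMPLE_TOPOLOGY
    print("SMT active:", smt_active(topo, read_smt_control()))
    # Hypothetical tenant pinning: bad split (siblings cross tenants) vs good split.
    print("bad split shares:", siblings_shared_across(topo, {0, 1}, {4, 5}))
    print("good split shares:", siblings_shared_across(topo, {0, 4}, {1, 5}))
```

On a host that exposes sysfs the script inspects the real topology; elsewhere it falls back to the constructed sample. The useful property to enforce is not just "SMT off" but "no sibling pair crosses a trust boundary": the second check catches a scheduler or cpuset layout that leaves SMT on yet still keeps both threads of every core inside one tenant.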

~~~
wahern
> A primary point of SGX is confidentiality: the host OS can’t map and read
> enclave pages because the contents are encrypted and the hardware will
> generate an exception on any attempt. In other words, your data is
> confidential from even the infrastructure operator.

You're still trusting Intel to truthfully verify attestation. Intel could lie
about this. Ultimately you're trusting the vendor implementing the environment
and providing the attestations to behave as they claim, independent of the
technical characteristics of the environment.

But in terms of the technical characteristics, it seems far easier to mitigate
side channels in an environment like EC2 than SGX. And that's what I based my
opinion on.

