Concepts
This section explains a few high-level concepts that are important to understand when working with Nitro Secure Enclaves.
Attestation and Key-Access Policies
Attestation enables Nitro Enclaves to authenticate themselves to client applications connecting to them, or to other services, including other enclaves. When connecting to services that support Nitro attestation, an enclave can present a signed attestation document that includes information about the software that is running inside the enclave. This information comes in the form of measurements, or hashes computed by the Nitro root-of-trust. This is similar in essence to how Trusted Platform Modules (TPMs) provide a measured boot sequence.
A client or an external service communicating with the enclave can then:
- Inspect the attestation document
- Verify that it was signed by a genuine Nitro Enclave
- Compare the measurements in the attestation document against known hashes of the software stack that the client expects to run in the enclave
The AWS Key Management Service (KMS) is one of the Nitro-aware services. It allows an administrator to generate a Customer Master Key (CMK) and attach policies to it that grant specific enclaves permission to decrypt data encrypted under this master key. Such policies authorize enclaves based on their attested measurements. KMS automatically compares the measurements from an attestation document against the hashes specified in the policy, and fulfills the request to decrypt data only if there is a valid match.
When set up correctly, using Nitro Enclaves with KMS guarantees that encrypted data can only be decrypted by an approved enclave. Applications that are not running in a Nitro Enclave would not be able to provide an attestation document that would be validated, and KMS would reject any requests to decrypt data using this CMK. Nitro Enclaves that are different from those that are approved would present an attestation document with different measurements. As such, they would not be able to decrypt data encrypted under this CMK.
Enclave Measurement
The enclave’s measurements are a set of hashes that uniquely identify the enclave’s content, the parent instance’s identifier, and optionally the certificate used to sign the enclave.
See this page for more information:
When building a Nitro Enclave Image File (EIF), the building tool outputs the measurements PCR0, PCR1, PCR2, and optionally PCR8 (if a certificate is used to sign the enclave).
The PCR3 and PCR4 measurements are automatically retrieved from the parent instance when the Nitro Enclave is created.
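The measurement comparison described under Attestation and Key-Access Policies can be sketched as follows. This is an added example, not AWS or vendor code: it assumes the attestation document's signature has already been verified and its PCRs decoded into a dict of index to bytes, and the policy shape, function names and sample digests are constructed for illustration.

```python
import hashlib
import hmac

PCR_LEN = 48  # Nitro PCR values are SHA-384 digests (48 bytes)

def parse_policy(policy):
    """Turn {"PCR0": "<hex>", ...} into {0: bytes, ...}, rejecting unusable entries."""
    expected = {}
    for name, hex_value in policy.items():
        if not (name.startswith("PCR") and name[3:].isdigit()):
            raise ValueError(f"bad PCR name: {name!r}")
        value = bytes.fromhex(hex_value)
        if len(value) != PCR_LEN:
            raise ValueError(f"{name}: need {PCR_LEN} bytes, got {len(value)}")
        if value == bytes(PCR_LEN):
            # All zeros is a register that was never extended; pinning it proves nothing.
            raise ValueError(f"{name}: all-zero value is not a measurement")
        expected[int(name[3:])] = value
    if not expected:
        raise ValueError("policy pins no measurements")
    return expected

def failed_pcrs(attested_pcrs, policy):
    """Return the PCR indexes that are missing or differ; [] means the enclave matches."""
    failed = []
    for index, want in parse_policy(policy).items():
        got = attested_pcrs.get(index)
        # A missing PCR fails closed; compare_digest avoids early-exit comparison.
        if not isinstance(got, bytes) or not hmac.compare_digest(got, want):
            failed.append(index)
    return sorted(failed)

def constructed(label):
    """Constructed stand-in for a real measurement (not a real enclave hash)."""
    return hashlib.sha384(label.encode()).digest()

# Constructed policy pinning PCR0 (a build-time measurement) and PCR8 (signing certificate).
POLICY = {"PCR0": constructed("approved image").hex(),
          "PCR8": constructed("signing cert").hex()}
APPROVED = {0: constructed("approved image"), 1: constructed("pcr1"),
            2: constructed("pcr2"), 8: constructed("signing cert")}
OTHER_IMAGE = {**APPROVED, 0: constructed("modified image")}

if __name__ == "__main__":
    print("approved enclave:", failed_pcrs(APPROVED, POLICY))
    print("different image: ", failed_pcrs(OTHER_IMAGE, POLICY))
```

An empty list is the only result that should release a secret; any listed index identifies which pinned measurement did not match.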