AWS Nitro Cryptographic Attestation

Applications running in Nitro Enclaves can request a Signed Attestation Document from the Nitro Hypervisor, which includes a set of measurements that uniquely describe an enclave and the environment it is running in.

An authorized user can attach a policy to a specific KMS Customer Master Key (CMK) and restrict the usage of that CMK to authorized Nitro Enclaves. This mechanism guarantees that encryption/decryption operations are allowed only from Nitro Enclaves and makes sensitive data inaccessible to any entity but the approved applications running in Nitro Enclaves.

Using the measurements provided in the Attestation Document (after verifying that it was signed by a valid Nitro Enclave), KMS evaluates the policy attached to the CMK to authorize operations using the CMK. If the conditions specified in the policy do not match the measurements from the provided Attestation Document, KMS rejects the operation.

The following table describes the measurements (or PCRxx value) included in the Attestation Document:

PCR	Hash of	Description
PCR0	Enclave image file	A contiguous measure of the contents of the image file, without the section data.
PCR1	Linux kernel and bootstrap	A contiguous measurement of the kernel and boot ramfs data.
PCR2	Application	A contiguous, in-order measurement of the user applications, without the boot ramfs .
PCR3	IAM role assigned to the parent instance	A contiguous measurement of the IAM role assigned to the parent instance. Ensures that the attestation process succeeds only when the parent instance has the correct IAM role.
PCR4	Instance ID of the parent instance	A contiguous measurement of the ID of the parent instance. Ensures that the process succeeds only when the parent instance has a specific instance ID.
PCR8	Enclave image file signing certificate	A measure of the signing certificate specified for the enclave image file. Ensures that the attestation process succeeds only when the enclave was booted from an enclave image file signed by a specific certificate.

PCR

Hash of

Description

PCR0

Enclave image file

A contiguous measure of the contents of the image file, without the section data.

PCR1

Linux kernel and bootstrap

A contiguous measurement of the kernel and boot ramfs data.

PCR2

Application

A contiguous, in-order measurement of the user applications, without the boot ramfs .

PCR3

IAM role assigned to the parent instance

A contiguous measurement of the IAM role assigned to the parent instance. Ensures that the attestation process succeeds only when the parent instance has the correct IAM role.

PCR4

Instance ID of the parent instance

A contiguous measurement of the ID of the parent instance. Ensures that the process succeeds only when the parent instance has a specific instance ID.

PCR8

Enclave image file signing certificate

A measure of the signing certificate specified for the enclave image file. Ensures that the attestation process succeeds only when the enclave was booted from an enclave image file signed by a specific certificate.

A policy using any combinations of the PCRxx values above can be created to exactly describe the enclaves that are allowed to perform operations on a specific CMK object.