anjuna-nitro-cli run-enclave

anjuna-nitro-cli run-enclave \
  --enclave-name <enclave-name> \
  --cpu-count <cpu-count> \
  --cpu-ids <cpu-ids> \
  --eif-path <eif-path> \
  --memory <memory> [OPTIONS...]

Launches a new enclave by specifying the following:

  • the name of the enclave

  • enclave image file (.eif) which contains the application that you want to run inside the enclave (created by the anjuna-nitro-cli build-enclave command),

  • an even number of vCPUs to allocate to the enclave,

  • the amount of memory to allocate to the enclave

Before calling run-enclave, you must start the anjuna-nitro-netd-parent agent, passing the same enclave name that you will use for the run-enclave command. It is important to run anjuna-nitro-netd-parent before starting the enclave, even if no ports need to be exposed.

After starting the AWS Nitro Enclave, the anjuna-nitro-cli run-enclave tool prints some information that describes the resources used by the enclave (number of vCPUs, amount of memory) and some of its attributes (enclave ID, flags, state).

You can start AWS Nitro Enclaves in debug mode, which differs from production enclaves in the following two ways:

  • debug enclaves produce some output that can be viewed by running the anjuna-nitro-cli console command,

  • debug enclaves will produce an attestation report where all the enclave measurements are set to a fixed value (00000…​0000).

debug enclaves should be used only for testing. In a typical deployment environment, you should use production enclaves and make sure that the AWS KMS policies use the correct enclave measurements.
Specifying the --enclave-name option is recommended in order to identify AWS Nitro Enclaves and related services, such as enclave networking, especially when multiple simultaneous enclaves run on the same host. Not specifying --enclave-name is only supported when running a single enclave per host.
Due to an AWS Nitro limitation, only up to four simultaneous enclaves are supported per host.

Enclave name

In cases where there are multiple enclaves running on the same host, the Anjuna Nitro Runtime needs an identifier to coordinate between the enclave and other running services such as the network proxy. This identifier is the “enclave name”, which is a user-provided string consisting of alphanumeric characters (a-z, A-Z, and 0-9), dash, underscore, and period, and not longer than 128 characters.

Options

Usage

anjuna-nitro-cli run-enclave \
  --enclave-name <enclave-name> \
  --cpu-count <cpu-count> \
  --cpu-ids <cpu-ids> \
  --eif-path <eif-path> \
  --memory <memory> [OPTIONS...]

--enclave-name

(Recommended) Custom name assigned to the enclave by the user, used to uniquely identify an enclave

Specifying the --enclave-name option is recommended in order to identify AWS Nitro Enclaves and related services, such as enclave networking, especially when multiple simultaneous enclaves run on the same host.

Not specifying --enclave-name is only supported when running a single enclave per host.

--attach-console

Attach the enclave console immediately after starting the enclave. (debug-mode only)

--auto-terminate

Automatically terminate the enclave resources when the enclave’s main process exits

--debug-mode

Starts enclave in debug-mode

This makes the console of the enclave available over vsock at CID: VMADDR_CID_HYPERVISOR (0), port: enclave_cid + 10000.

The stream can be accessed with the console sub-command.

--config

Config is used to read enclave settings from JSON file

--cpu-count

Number of CPUs (must be even due to hyper-threading)

--cpu-ids

List of cpu-ids that will be provided to the enclave

--eif-path

Path pointing to a prebuilt Enclave Image File

--enclave-cid

CID to be used for the newly started enclave

--encrypted-config

Path to a local encrypted enclave configuration file

--memory

Memory to allocate for the enclave in MiB

Global options

The following options are available for all commands.

Global options

-h, --help

Prints the help information for the command

-v, --version

Prints version information

Exit status

  • 0 on success

  • > 0 on error

Example

$ anjuna-nitro-cli run-enclave \
  --enclave-name nginx \
  --cpu-count 2 \
  --memory 512
  --eif-path nginx.eif
  --auto-terminate