We had emulated Nitro Enclaves support in QEMU since 2024, but to launch a native Nitro Enclave, you could only use the AWS nitro-cli tooling.
To simplify tooling and allow users to leverage the most convenient swiss army knife of virtualization known to mankind (QEMU!), add native support to launch a Nitro Enclave from within QEMU. A Nitro Enclave is a Confidential Computing Virtual Machine spawned by the Nitro Hypervisor which has a very basic machine model, with virtio-vsock as the only real I/O between parent and enclave. This means the amount of interactions between QEMU and the VM are limited, but for debugging, experimentation and non-conventional use cases, it can be handy to spawn a Nitro Enclave directly in a more fully featured virtualization stack. Example invocation: $ qemu-system-x86_64 -nographic -accel nitro,debug-mode=on -M nitro -kernel test.eif -smp 2 QEMU 10.2.50 monitor - type 'help' for more information (qemu) [ 0.000000] Linux version 4.14.256-209.484.amzn2.x86_64 (mockbuild@ip-10-0-50-84) (gcc version 7.3.1 20180712 (Red Hat 7.3.1-13) (GCC)) #1 SMP Tue Jan 11 21:47:36 UTC 2022 [ 0.000000] Command line: reboot=k panic=30 pci=off nomodules console=ttyS0 i8042.noaux i8042.nomux i8042.nopnp i8042.dumbkbd random.trust_cpu=on virtio_mmio.device=4K@0xd0000000:5 virtio_mmio.device=4K@0xd0001000:6 [ 0.000000] x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating point registers' [ 0.000000] x86/fpu: Supporting XSAVE feature 0x002: 'SSE registers' [ 0.000000] x86/fpu: Supporting XSAVE feature 0x004: 'AVX registers' This patch set supports x86_64 as well as aarch64 Nitro Enclaves. Virtio-vsock communication with the Enclave is handled directly through the parent's virtio-vsock device. Alex Alexander Graf (10): scripts/update-linux-headers: Add Nitro Enclaves header linux-headers: Add nitro_enclaves.h accel: Add Nitro Enclaves accelerator hw/nitro/nitro-serial-vsock: Nitro Enclaves vsock console hw/nitro: Introduce Nitro Enclave Heartbeat device target/arm/cpu64: Allow -host for nitro hw/nitro: Add nitro machine hw/core/eif: Move definitions to header hw/nitro: Enable direct kernel boot docs: Add Nitro Enclaves documentation MAINTAINERS | 12 + accel/Kconfig | 3 + accel/meson.build | 1 + accel/nitro/meson.build | 3 + accel/nitro/nitro-accel.c | 334 ++++++++++++++++ accel/nitro/trace-events | 6 + accel/nitro/trace.h | 2 + accel/stubs/meson.build | 1 + accel/stubs/nitro-stub.c | 11 + docs/system/confidential-guest-support.rst | 1 + docs/system/index.rst | 1 + docs/system/nitro.rst | 114 ++++++ hw/Kconfig | 1 + hw/core/eif.c | 38 -- hw/core/eif.h | 41 ++ hw/meson.build | 1 + hw/nitro/Kconfig | 14 + hw/nitro/heartbeat.c | 118 ++++++ hw/nitro/machine.c | 297 +++++++++++++++ hw/nitro/meson.build | 3 + hw/nitro/serial-vsock.c | 155 ++++++++ hw/nitro/trace-events | 8 + hw/nitro/trace.h | 1 + include/hw/nitro/heartbeat.h | 25 ++ include/hw/nitro/machine.h | 20 + include/hw/nitro/serial-vsock.h | 26 ++ .../standard-headers/linux/nitro_enclaves.h | 359 ++++++++++++++++++ include/system/hw_accel.h | 1 + include/system/nitro-accel.h | 25 ++ meson.build | 12 + meson_options.txt | 2 + qemu-options.hx | 8 +- scripts/meson-buildoptions.sh | 3 + scripts/update-linux-headers.sh | 1 + target/arm/cpu64.c | 8 + 35 files changed, 1614 insertions(+), 42 deletions(-) create mode 100644 accel/nitro/meson.build create mode 100644 accel/nitro/nitro-accel.c create mode 100644 accel/nitro/trace-events create mode 100644 accel/nitro/trace.h create mode 100644 accel/stubs/nitro-stub.c create mode 100644 docs/system/nitro.rst create mode 100644 hw/nitro/Kconfig create mode 100644 hw/nitro/heartbeat.c create mode 100644 hw/nitro/machine.c create mode 100644 hw/nitro/meson.build create mode 100644 hw/nitro/serial-vsock.c create mode 100644 hw/nitro/trace-events create mode 100644 hw/nitro/trace.h create mode 100644 include/hw/nitro/heartbeat.h create mode 100644 include/hw/nitro/machine.h create mode 100644 include/hw/nitro/serial-vsock.h create mode 100644 include/standard-headers/linux/nitro_enclaves.h create mode 100644 include/system/nitro-accel.h -- 2.47.1 Amazon Web Services Development Center Germany GmbH Tamara-Danz-Str. 13 10243 Berlin Geschaeftsfuehrung: Christof Hellmis, Andreas Stieger Eingetragen am Amtsgericht Charlottenburg unter HRB 257764 B Sitz: Berlin Ust-ID: DE 365 538 597
