AWS Nitro Enclaves (aws.amazon.com)
5 points by eniz 1423 days ago
2 comments

Excerpt:

> Enclaves are fully isolated virtual machines, hardened, and highly constrained. They have no persistent storage, no interactive access, and no external networking. Communication between your instance and your enclave is done using a secure local channel. Even a root user or an admin user on the instance will not be able to access or SSH into the enclave.

> Nitro Enclaves uses the proven isolation of the Nitro Hypervisor to further isolate the CPU and memory of the enclave from users, applications, and libraries on the parent instance. These features help isolate the enclave and your software, and significantly reduce the attack surface area.

So it sounds like one virtual machine attached to another virtual machine via something like a point-to-point NIC. At that point, why not just have that program on its own VM? If the answer is "because I don't want other programs on that VM to get access to it", my response is that you simply don't have any other programs running on the machine; you can list the program as the init process, for example.

That's effectively just what they're doing here.

Interesting - no extra cost to use the feature.