Hacker News new | ask | show | jobs
by rhodey 237 days ago
Amazon Nitro Enclaves not effected

IMO Amazon is the obvious choice for TEE because they make billions selling isolated compute

If you built a product on Intel or AMD and need to pivot do take a look at AWS Nitro Enclaves

I built up a small stack for Nitro: https://lock.host/ has all the links

MIT everything, dev-first focus

AWS will tell you to use AWS KMS to manage enclave keys

AWS KMS is ok if you are ok with AWS root account being able to get to keys

If you want to lock your TEE keys so even root cannot access I have something i the works for this

Write to: hello@lock.host if you want to discuss
2 comments
7e 237 days ago
Nitro Enclaves also require you to trust Amazon. No thanks, I'll take the hardware based solution.
link
beeflet 237 days ago
why wouldn't it be effected?
link
rhodey 237 days ago
Because AWS does not sell the Nitro TEE hardware

And so there is no case where you find a Nitro TEE online and the owner is not AWS

And it is practically impossible to break into AWS and perform this attack

The trust model of TEE is always: you trust the manufacturer

Intel and AMD broke this because now they say: you also trust where the TEE is installed

AWS = you trust the manufacturer = full story

link