Overview of the AWS Nitro Enclaves Nitro Secure Module and its API

Nitro Security Module and Cape

Nitro Secure Module and its API

The NSM is a powerful tool that allows developers and clients to customize the Nitro Secure Enclave system to fit the needs of problems they are solving. The Nitro Secure Module (NSM) provides some of the core functionality of the Nitro Enclave. The NSM API allows the client to set, query and lock PCRs, enabling precise control over the PCRs depending on the security guarantees built on top of the NSM. Note: by default the built-in PCRs are already locked and can only be queried. See here for more details of built-in PCRs. With the NSM API, the client can also get an attestation document and generate secure random values for use in cryptography.

AWS has open-sourced a Rust library that has a helpful interface for completing any API calls that the client might want to do. It is a quite simple library that I would recommend checking out if you would like to understand more about how the library interacts with the NSM device. The NSM is represented by a device on the VM at /dev/nsm. The API library communicates directly with this device using the system call ioctl. At Cape we mainly develop using Golang so we use this Go library for our NSM API communication. It provides all the same functionality as the AWS library in pure Go.

At Cape, we're currently using the NSM to request attestation documents and to generate random numbers for cryptography. When requesting attestation documents the client can optionally pass user data, a nonce and a public key. User data can be almost anything that you want the end user to be assured was generated or validated by the enclave. The nonce helps protect against replay attacks. The public key is added to another field in the attestation document confirming that it was generated by the enclave. This attestation document is sent back to the user so that the client can use the public key to encrypt their data before inputting it into Cape. You can find more information about the attestation document and how Cape uses it here. Random numbers can be used to generate nonces internal to the enclave which are used during encryption.

Check out the Getting Started Docs to try Cape for free. We'd love to hear what you think.

Share this post