8 no persistent storage and no external networking. The enclave VMs are based
9 on Firecracker microvm with a vhost-vsock device for communication with the
11 for cryptographic attestation. The parent instance VM always has CID 3 while
12 the enclave VM gets a dynamic CID. Enclaves use an EIF (`Enclave Image Format`_)
13 file which contains the necessary kernel, cmdline and ramdisk(s) to boot.
18 which can be difficult for debugging due to its roots in security. The vsock
20 can do the userspace emulation, like `vhost-device-vsock`_ from the rust-vmm crate,
21 must be run alongside nitro-enclave for the vsock communication to work.
31 Using the nitro-enclave machine type
37 It supports the following machine-specific options:
39 - nitro-enclave.vsock=string (required) (Id of the chardev from '-chardev' option that vhost-user-v…
49 The forward-cid option below with value 1 forwards all connections from the enclave
50 VM to the host machine and the forward-listen (port numbers separated by '+') is used
51 for forwarding connections from the host machine to the enclave VM::
56 __ https://github.com/rust-vmm/vhost-device/tree/main/vhost-device-vsock#using-the-vsock-backend
58 Now run the necessary applications on the host machine so that the nitro-enclave VM
59 applications' vsock communication works. For example, the nitro-enclave VM's init
60 process connects to CID 3 and sends a single byte hello heartbeat (0xB7) to let the
62 an AF_VSOCK server on the host machine that listens on port 9000 and sends the heartbeat
63 back after it receives the heartbeat, for the enclave VM to boot successfully. You should run all
64 the applications on the host machine that would typically be running in the parent EC2
65 VM for successful communication with the enclave VM.
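The heartbeat exchange described above, written out as an added example (this is not code from QEMU or from the vhost-device-vsock project). It assumes the host has AF_VSOCK support (on Linux, the ``vsock_loopback`` module when connections are forwarded to CID 1 as in the vhost-device-vsock setup above) and that the enclave's init process behaves exactly as documented: one connection, one byte, ``0xB7``. The ``handle_heartbeat`` and ``serve_heartbeat`` names are this example's own; the server rejects anything that is not exactly the single heartbeat byte so that an unexpected or malformed peer is never recorded as a booted enclave.

```python
import socket
from typing import List, Optional

HEARTBEAT = 0xB7        # single-byte hello sent by the enclave VM's init process
HEARTBEAT_PORT = 9000   # port the init process connects to on the parent (CID 3)


def handle_heartbeat(payload: bytes) -> Optional[bytes]:
    """Return the reply to send, or None if the payload is not a valid heartbeat.

    The init process sends exactly one byte, so an empty read, a different
    value, or extra trailing bytes are all rejected rather than echoed.
    """
    if payload == bytes([HEARTBEAT]):
        return payload
    return None


def serve_heartbeat(port: int = HEARTBEAT_PORT,
                    max_connections: Optional[int] = None) -> List[int]:
    """Listen on AF_VSOCK and echo valid heartbeats back to the enclave.

    Returns the peer CIDs that completed a valid heartbeat. max_connections
    bounds the accept loop so the function can return (None runs forever).
    This helper is an assumption of the example, not part of QEMU.
    """
    booted: List[int] = []
    with socket.socket(socket.AF_VSOCK, socket.SOCK_STREAM) as srv:
        # VMADDR_CID_ANY accepts connections whichever CID the forwarder uses.
        srv.bind((socket.VMADDR_CID_ANY, port))
        srv.listen()
        while max_connections is None or len(booted) < max_connections:
            conn, (peer_cid, peer_port) = srv.accept()
            with conn:
                # Read at most one extra byte so a trailing payload is detected.
                data = conn.recv(2)
                reply = handle_heartbeat(data)
                if reply is None:
                    # Not the documented hello: drop the peer without replying.
                    print(f"rejected peer cid={peer_cid} port={peer_port} data={data!r}")
                    continue
                conn.sendall(reply)
                booted.append(peer_cid)
    return booted


if __name__ == "__main__":
    # Serve a single enclave boot, then exit (constructed usage for the example).
    print("booted enclave CIDs:", serve_heartbeat(max_connections=1))
```

Start this before launching the nitro-enclave VM; with forward-cid=1 the enclave's connection to CID 3 arrives here, the single ``0xB7`` byte is echoed, and the enclave continues booting. Any connection that does not carry exactly that byte is logged and closed without a reply.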
67 Then run the nitro-enclave VM using the following command where ``hello.eif`` is
74 In this example, the nitro-enclave VM has CID 4. If there are applications that
75 connect to the enclave VM, run them on the host machine after the enclave VM starts.
76 You need to modify the applications to connect to CID 1 (instead of the enclave
77 VM's CID) and use the forward-listen (e.g., 9001+9002) option of vhost-device-vsock
78 to forward the ports they connect to.