Modern kernels

[roshanr95]

Are there plans to provide images based on modern kernels? E.g. 6.1 (or 5.15) Amazon Linux mainlines, there quite a lot of useful features in the newer kernels.

[meerd]

Hi @roshanr95,

This is on our radar. The NSM driver is already going upstream for Linux 6.8. Although there is no certain date, we will provide newer configurations for the newer kernel versions.

[cottand]

Hi @meerd - I am trying to boot a Nitro enclave with a 6.8 kernel blob (and its kernel config). The enclave hangs at boot, suggesting it does not even get to initialising the console. Is there anything in Amazon Linux kernels (as opposed to mainline) that is specific to the enclave and is required to boot?

[roshanr95]

@cottand you want these enabled on x64, haven't managed to make it work on arm64 yet

CONFIG_VIRTIO_MMIO
CONFIG_VIRTIO_MENU
CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES
CONFIG_NET
CONFIG_VSOCKETS
CONFIG_VIRTIO_VSOCKETS

[cottand]

Thanks @roshanr95 , that helped!

For reference, we have open-sourced a Nitro CLI alternative that allows using modern kernels without having to wait for this repo to provide a new image or a new init binary

see https://github.com/monzo/aws-nitro-util . We have successfully booted a 6.8 Kernel compiled from source in an enclave.

[roshanr95]

ayo @cottand, that repo's amazing 😍

[foersleo]

We have restructured how we build the binary blobs and are now also offering kernels based on upstream LTS v6.6 series. We plan to improve on the regularity of our kernel updates.

What is still missing at the moment is a new release of the aws-nitro-enclaves-cli to package these newly build binaries.

[roshanr95]

Trying it out, nix support is great! I assume it's reproducible as well?

[roshanr95]

@foersleo does it need a different cmdline as well? compared to the existing nitro-cli?

[foersleo]

Hi @roshanr95, I have run the newer kernels without changes to the cmdline. So, I do not think there is a vital part missing.

Do you run into any problems with the newer kernels with the existing cmdline files?

[roshanr95]

Yes, was facing issues, but it turned out to not be the kernel. It was linuxkit actually, I guess nitro-cli needs to be updated to work with newer versions. Switched to the old linuxkit and everything works now.

[foersleo]

Yes, you are right. Through all of this I have not had too close of an eye on getting all of this out into a cli release.

We have had updated the linuxkit binary shipped with the CLI in the source tree a while ago (aws/aws-nitro-enclaves-cli@04f48e0) with the necessary adjustments to work with the new linuxkit.

The new CLI with that linuxkit included was just released today as v1.3.2, although it will be a bit longer until it is available as an rpm through the Amazon Linux package repositories.

A release of the CLI including the new kernel binaries is still pending some additional testing and preparation, and unfortunately I can not share a firm timeline for that yet.

Sorry, for the confusion.

So, to summarize:

• You can use the latest release 1.3.2 of aws-nitro-enclaves-cli today if you are fine building it from source.
• That release does include the new linuxkit binary alongside the adjustments needed to make the new linuxkit work.
• That release does not include the new binaries of kernel, nsm.ko (Neither init, however the only change not included is it being build reproducibly)

I hope this helps. Let me know how we can assist more.

[roshanr95]

Perfect, thanks!