Comment by rhodey

4 months ago

Amazon Nitro Enclaves not effected

IMO Amazon is the obvious choice for TEE because they make billions selling isolated compute

If you built a product on Intel or AMD and need to pivot do take a look at AWS Nitro Enclaves

I built up a small stack for Nitro: https://lock.host/ has all the links

MIT everything, dev-first focus

AWS will tell you to use AWS KMS to manage enclave keys

AWS KMS is ok if you are ok with AWS root account being able to get to keys

If you want to lock your TEE keys so even root cannot access I have something i the works for this

Write to: hello@lock.host if you want to discuss

3 comments

rhodey

Reply
7e  4 months ago

Nitro Enclaves also require you to trust Amazon. No thanks, I'll take the hardware based solution.

beeflet  4 months ago

why wouldn't it be effected?

  • rhodey  4 months ago

    Because AWS does not sell the Nitro TEE hardware

    And so there is no case where you find a Nitro TEE online and the owner is not AWS

    And it is practically impossible to break into AWS and perform this attack

    The trust model of TEE is always: you trust the manufacturer

    Intel and AMD broke this because now they say: you also trust where the TEE is installed

    AWS = you trust the manufacturer = full story