Comment by rhodey
4 months ago
Amazon Nitro Enclaves not effected
IMO Amazon is the obvious choice for TEE because they make billions selling isolated compute
If you built a product on Intel or AMD and need to pivot do take a look at AWS Nitro Enclaves
I built up a small stack for Nitro: https://lock.host/ has all the links
MIT everything, dev-first focus
AWS will tell you to use AWS KMS to manage enclave keys
AWS KMS is ok if you are ok with AWS root account being able to get to keys
If you want to lock your TEE keys so even root cannot access I have something i the works for this
Write to: hello@lock.host if you want to discuss
Nitro Enclaves also require you to trust Amazon. No thanks, I'll take the hardware based solution.
why wouldn't it be effected?
Because AWS does not sell the Nitro TEE hardware
And so there is no case where you find a Nitro TEE online and the owner is not AWS
And it is practically impossible to break into AWS and perform this attack
The trust model of TEE is always: you trust the manufacturer
Intel and AMD broke this because now they say: you also trust where the TEE is installed
AWS = you trust the manufacturer = full story