From the gVisor documentation:
The Gofer is a standard host process which is started with each container and communicates with the Sentry via the 9P protocol over a socket or shared memory channel. The Sentry process is started in a restricted seccomp container without access to file system resources. The Gofer mediates all access to these resources, providing an additional level of isolation.
However, when we talk about Nitro Enclaves, enclaves are fully isolated virtual machines, hardened, and highly constrained. This makes me believe that the operations that gVisor might be trying to do would be outside the scope of what is available via Nitro Enclaves. The CPU and memory of an enclave are completely isolated, and hence the resources that the Gofer might be requesting access to would keep getting denied by the enclave.
How do I do the same for Nitro Enclave?
This is something that you might want to check from gVisor's end, to see whether that would even be possible with the restrictions that Nitro Enclaves come with, as we cannot say what the application might be trying to do at the OS level. Hope that helps.
https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave.html