Can you run multiple programs inside one AWS Nitro Enclave at the same time?

Question

The [AWS Nitro Enclave Concepts](https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave-concepts.html) states that "An enclave is a **virtual machine** with its own kernel, memory, and CPUs" and "An enclave image file (.eif) includes a **Linux operating system**, libraries, and enclave **applications** that will be booted into an enclave when it is launched".

So, if the Enclave is in fact a Linux VM, can we run multiple programs inside one Nitro Enclave instance at once (as opposed to creating separate Nitro Enclave instances for each program)? The documentation makes be believe this is possible, but I have not found an example illustrating how this would be done---the [closest example](https://github.com/aws/aws-nitro-enclaves-samples/tree/main/multiple-enclaves) creates multiple enclave instances.

And if you can run multiple programs in one Enclave instance, do they have the same safety guarantees that programs would normally have (e.g., memory safety between programs)?

Answer

It is possible to run multiple programs in an enclave. But the question to ask is, why would you want to do that if you want isolation between those multiple programs to begin with? Package each program into a separate enclave if you want that isolation between them, most importantly run only trusted pieces of software inside the enclave, this is not a sand boxing solution.

Answer

to answer your question, yes it IS possible to run multiple programs inside of a Nitro Enclave. You'll need to provide customization to navigate the VSOCK for networking/storage considerations. Ideally with a DIY approach you'd want to use separate enclaves for each component that you want to isolate - if you're looking to run a full container/application with multiple components, you might want to look into some third party solutions since DIY for OSS/large apps can be a heavy lift.

Can you run multiple programs inside one AWS Nitro Enclave at the same time?

相关内容