Confidential computing on AWS Nitro Enclave with Red Hat Enterprise Linux

Source: Red Hat Blog

Why run workloads in a confidential computing environment

In conventional environments, data in use can be exposed to threats such as privileged insiders, compromised hypervisors, or advanced malware capable of reading servers’ memory. Confidential computing solves this by placing workloads inside a hardware‑protected Trusted Execution Environment (TEE) that encrypts memory and strictly controls access, helping ensure that even cloud providers, system administrators, and system‑level software cannot view or modify data in use.

RHEL plays a key role by providing a hardened, enterprise‑grade operating system that’s fully compatible with modern confidential computing technologies. RHEL integrates with CPU‑level features such as AMD SEV‑SNP, Intel TDX, and IBM Secure Execution, to enable encrypted virtual machines and secure enclaves. RHEL abstracts much of the complexity involved in configuring these hardware protections, offering security profiles, attestation tooling, and lifecycle management that make confidential computing easier to deploy and operate in production.

By running workloads on RHEL within a confidential computing environment, organizations can maintain compliance with increasingly stricter regulatory requirements and achieve a high level of data assurance in hybrid or cloud‑hosted architecture. RHEL’s long support lifecycle, predictable updates, and security certifications help ensure that confidential computing deployments remain stable and secure over time. This combination of hardware‑level isolation with RHEL’s enterprise security capabilities provides a trusted foundation for processing the most sensitive workloads, from financial data to healthcare records to AI models.

Deploy workloads in an environment you trust

The purpose of this guide is to show how you can use confidential computing technology to deploy workloads in a TEE. The fundamental feature of confidential computing is the ability to prove that you are running in a secure environment. To achieve this objective, you must:

• Build a workload in such a way that you can prove its identity using cryptographic measurements.
• Deploy services that will verify the identity of the workload and the validity of the TEE it is running on.
• Deploy the workload itself in such a way that it cannot run if not executing in a suitably protected TEE.

Resources available to enclaved workloads on AWS EC2 supported instances

The operating system and container orchestration system don’t impose limits on the number of application enclaves you can run, but system resource constraints must be considered. Specifically, the vCPU and memory allocated to each enclave impact the total number of enclaves you can deploy on a single host.

For example, on an instance with 8 vCPUs and 32 GB of memory, the vCPU allocation is the limiting factor if multi‑threading is required. With 2 vCPUs reserved for the parent host, the remaining 6 vCPUs can support no more than three enclaves of 2 vCPUs and 8 GB of memory each. Additionally, on AWS Nitro Enclave, the absolute maximum number of enclaves per parent instance is four. For further details on system considerations for multi‑enclave deployment, refer to the official AWS documentation.

Implementing confidential computing on AWS Nitro Enclaves

In the following example, application code runs in a Podman container on AWS’s Nitro Enclave, which uses RHEL as its parent host. The example shows how to:

• Build and pack the application into the enclave.
• Communicate over Linux Virtual Socket (Vsock), a mechanism designed for efficient, isolated communication between a hypervisor and its guest VM.
• Verify the attestation certificate chain with OpenSSL.
• Verify the enclave measurements (PCR) against the values reported in the attestation document.

Preparing the EC2 instance

Start with an EC2 instance that supports AWS Nitro Enclaves (see the latest enabled parent instances in the AWS documentation). From the EC2 console:

1. Navigate to the instance’s Advanced Details.
2. Enable the Nitro Enclave option.
3. Select RHEL 9 as the operating system.

In this sample, a m5.2xlarge instance (8 vCPUs, 32 GB RAM) was used, with a 30 GB boot volume running RHEL 9.7.

After provisioning, enable Nitro Enclave support by adjusting the instance metadata settings and the enclave environment settings for memory and CPU allocation policies. See the AWS getting‑started guide for detailed instructions.

Install the Nitro Enclave CLI and SDK

For RHEL, build the CLI and SDK tools from the AWS Git repository. Pull the source code and follow the repository’s build instructions. Ensure at least 20 GB of instance storage is available for the build process.

After compilation, start the Nitro Enclave allocator service:

sudo systemctl start nitro-enclaves-allocator.service

Create an example server and client

The sample uses a simple Python application as the enclave server, communicating with a Python client on the parent host via Vsock.

Enclave server (server.py)

import socket

VSOCK_PORT = 5000
ANY_CID = socket.VMADDR_CID_ANY

def main():
    server = socket.socket(socket.AF_VSOCK, socket.SOCK_STREAM)
    server.bind((ANY_CID, VSOCK_PORT))
    server.listen(5)
    print(f"[Enclave] vsock server listening on port {VSOCK_PORT}...")
    while True