Hi Payton,

On 05.11.24 18:31, Payton Garland wrote:

Hello all,

I have been watching the Nitro Enclave Emulation patch <https://patchwork.kernel.org/project/qemu-devel/cover/20241008211727.49088-1-dorjoychy...@gmail.com/>. This would be a huge win for developer experience in Nitro Enclave development.


Thank you for confirming! I also agree that it can dramatically simplify local development, debugging and CI loops. Kudos to Dorjoy for getting it all assembled :).


I ran into some hardware issues and am curious if there are any known workarounds. I was messaging with @Dorjoy Chowdhury <mailto:dorjoychy...@gmail.com> on this issue and they suggested this group may have some ideas / definitive answers.

*Goal*: emulate AWS Nitro Enclaves locally running on macOS with Apple silicon

*Attempt*: built vhost-device-vsock <https://github.com/rust-vmm/vhost-device/tree/main/vhost-device-vsock> and qemu <https://gitlab.com/dorjoy03/qemu/-/commit/fe4ddb4e5b99136c948e687b8b18a505decc57bf> (on @Dorjoy Chowdhury <mailto:dorjoychy...@gmail.com>'s branch) in an alpine Docker image and attempted to run both with this script <https://gist.github.com/payton/4ec0a08e618888adafb4b9a888513d91>

*Problem*: enclave emulation requires KVM support per the latest documentation <https://gitlab.com/dorjoy03/qemu/-/commit/fe4ddb4e5b99136c948e687b8b18a505decc57bf>, which is specific to Linux, so even running Docker with privileged access does not help because there is no KVM on macOS

*Question*: is there a known way to get Nitro Enclave emulation working on macOS with Apple silicon? One option that comes to mind is Apple's hypervisor framework, but it's unclear to me if that can be a viable replacement for enclave emulation.


The new Nitro Enclave emulation support that Dorjoy built implements an x86 Enclave. If you want to run a virtual machine with very fast performance through Hypervisor.Framework, you would need to run an ARM Enclave. QEMU does not have emulation support for ARM Enclaves yet.

However, you can run the x86 Enclave using x86-on-ARM instruction emulation. To do that, follow the documentation you linked above, but remove the "--enable-kvm" parameters. The VM will be a bit slower, but still usable.


Thanks!

Alex




Amazon Web Services Development Center Germany GmbH
Krausenstr. 38
10117 Berlin
Geschaeftsfuehrung: Christian Schlaeger, Jonathan Weiss
Eingetragen am Amtsgericht Charlottenburg unter HRB 257764 B
Sitz: Berlin
Ust-ID: DE 365 538 597
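The fallback Alex describes above (drop "--enable-kvm" and let QEMU emulate x86 with TCG) as an added example; this is not code from the thread, from Dorjoy's branch or from the vhost-device project. One caveat a practitioner hits in practice: "-cpu host" is only valid with a hardware accelerator, so when KVM is removed the CPU model has to change too. The helper below picks the accelerator arguments based on whether a usable KVM device exists, so the same script works on a Linux host with /dev/kvm and on an Apple silicon Mac (or an unprivileged container) without it. The "nitro-enclave" machine type, the vsock= / id= properties and the "-chardev socket" wiring are assumed to match the documentation linked in the thread; the EIF path, socket path and memory size are illustrative placeholders.

```shell
#!/bin/sh
# Added example (not part of the original thread): select QEMU accelerator
# flags for the x86 nitro-enclave machine depending on KVM availability.
# Assumption: the nitro-enclave machine properties below follow the docs in
# Dorjoy's branch; paths and sizes are placeholders.

# Print the accelerator arguments. The KVM device path is a parameter so the
# no-KVM case (macOS, unprivileged Docker) can be exercised without root.
accel_args() {
    kvm_dev="${1:-/dev/kvm}"
    if [ -c "$kvm_dev" ] && [ -r "$kvm_dev" ] && [ -w "$kvm_dev" ]; then
        # Hardware virtualization: pass the host CPU model through.
        echo "--enable-kvm -cpu host"
    else
        # TCG instruction emulation (e.g. x86-on-ARM). "-cpu host" requires
        # an accelerator, so use the generic "max" TCG model instead.
        echo "-accel tcg -cpu max"
    fi
}

# Assemble the full QEMU command line as one string. Arguments:
#   $1 KVM device path, $2 EIF image, $3 vhost-user vsock socket path.
build_qemu_cmd() {
    kvm_dev="$1"
    eif="$2"
    vsock_sock="${3:-/tmp/vhost4.socket}"
    printf '%s %s %s %s %s %s\n' \
        "qemu-system-x86_64 -M nitro-enclave,vsock=c,id=enclave0" \
        "-kernel $eif -m 4G -nographic" \
        "$(accel_args "$kvm_dev")" \
        "-chardev socket,id=c,path=$vsock_sock" \
        "" ""
}

# Returns 0 if the command line relies on KVM, 1 otherwise.
uses_kvm() {
    case "$1" in
        *--enable-kvm*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: build_qemu_cmd /dev/kvm hello-world.eif /tmp/vhost4.socket
# On a Mac or in an unprivileged container /dev/kvm is absent and the
# resulting command uses "-accel tcg -cpu max" instead of "--enable-kvm".
```

Start vhost-device-vsock first (as in the linked documentation) so the socket passed via -chardev exists before QEMU connects to it; the accelerator choice does not affect the vsock side.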
