From: Alexander Graf <graf@amazon.com>
To: <qemu-devel@nongnu.org>
Cc: <qemu-arm@nongnu.org>, Peter Maydell <peter.maydell@linaro.org>,
"Thomas Huth" <thuth@redhat.com>, <alex.bennee@linaro.org>,
<philmd@linaro.org>, <berrange@redhat.com>,
<marcandre.lureau@redhat.com>, Cornelia Huck <cohuck@redhat.com>,
<mst@redhat.com>, Dorjoy Chowdhury <dorjoychy111@gmail.com>,
Pierrick Bouvier <pierrick.bouvier@linaro.org>,
Paolo Bonzini <pbonzini@redhat.com>,
Tyler Fanelli <tfanelli@redhat.com>, <mknaust@amazon.com>,
<nh-open-source@amazon.com>
Subject: [PATCH 00/10] Native Nitro Enclaves support
Date: Wed, 18 Feb 2026 01:51:40 +0000
Message-ID: <20260218015151.4052-1-graf@amazon.com>
We have had emulated Nitro Enclaves support in QEMU since 2024, but to launch
a native Nitro Enclave, you could only use the AWS nitro-cli tooling.
To simplify tooling and allow users to leverage the most convenient Swiss
army knife of virtualization known to mankind (QEMU!), add native support
to launch a Nitro Enclave from within QEMU.
A Nitro Enclave is a Confidential Computing Virtual Machine spawned by
the Nitro Hypervisor which has a very basic machine model, with
virtio-vsock as the only real I/O between parent and enclave. This means
the number of interactions between QEMU and the VM is limited, but for
debugging, experimentation and non-conventional use cases, it can be handy
to spawn a Nitro Enclave directly in a more fully featured virtualization
stack.
Example invocation:
$ qemu-system-x86_64 -nographic -accel nitro,debug-mode=on -M nitro -kernel test.eif -smp 2
QEMU 10.2.50 monitor - type 'help' for more information
(qemu) [ 0.000000] Linux version 4.14.256-209.484.amzn2.x86_64 (mockbuild@ip-10-0-50-84) (gcc version 7.3.1 20180712 (Red Hat 7.3.1-13) (GCC)) #1 SMP Tue Jan 11 21:47:36 UTC 2022
[ 0.000000] Command line: reboot=k panic=30 pci=off nomodules console=ttyS0 i8042.noaux i8042.nomux i8042.nopnp i8042.dumbkbd random.trust_cpu=on virtio_mmio.device=4K@0xd0000000:5 virtio_mmio.device=4K@0xd0001000:6
[ 0.000000] x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating point registers'
[ 0.000000] x86/fpu: Supporting XSAVE feature 0x002: 'SSE registers'
[ 0.000000] x86/fpu: Supporting XSAVE feature 0x004: 'AVX registers'
This patch set supports x86_64 as well as aarch64 Nitro Enclaves.
Virtio-vsock communication with the Enclave is handled directly through the
parent's virtio-vsock device.
Alex
Alexander Graf (10):
scripts/update-linux-headers: Add Nitro Enclaves header
linux-headers: Add nitro_enclaves.h
accel: Add Nitro Enclaves accelerator
hw/nitro/nitro-serial-vsock: Nitro Enclaves vsock console
hw/nitro: Introduce Nitro Enclave Heartbeat device
target/arm/cpu64: Allow -host for nitro
hw/nitro: Add nitro machine
hw/core/eif: Move definitions to header
hw/nitro: Enable direct kernel boot
docs: Add Nitro Enclaves documentation
MAINTAINERS | 12 +
accel/Kconfig | 3 +
accel/meson.build | 1 +
accel/nitro/meson.build | 3 +
accel/nitro/nitro-accel.c | 334 ++++++++++++++++
accel/nitro/trace-events | 6 +
accel/nitro/trace.h | 2 +
accel/stubs/meson.build | 1 +
accel/stubs/nitro-stub.c | 11 +
docs/system/confidential-guest-support.rst | 1 +
docs/system/index.rst | 1 +
docs/system/nitro.rst | 114 ++++++
hw/Kconfig | 1 +
hw/core/eif.c | 38 --
hw/core/eif.h | 41 ++
hw/meson.build | 1 +
hw/nitro/Kconfig | 14 +
hw/nitro/heartbeat.c | 118 ++++++
hw/nitro/machine.c | 297 +++++++++++++++
hw/nitro/meson.build | 3 +
hw/nitro/serial-vsock.c | 155 ++++++++
hw/nitro/trace-events | 8 +
hw/nitro/trace.h | 1 +
include/hw/nitro/heartbeat.h | 25 ++
include/hw/nitro/machine.h | 20 +
include/hw/nitro/serial-vsock.h | 26 ++
.../standard-headers/linux/nitro_enclaves.h | 359 ++++++++++++++++++
include/system/hw_accel.h | 1 +
include/system/nitro-accel.h | 25 ++
meson.build | 12 +
meson_options.txt | 2 +
qemu-options.hx | 8 +-
scripts/meson-buildoptions.sh | 3 +
scripts/update-linux-headers.sh | 1 +
target/arm/cpu64.c | 8 +
35 files changed, 1614 insertions(+), 42 deletions(-)
create mode 100644 accel/nitro/meson.build
create mode 100644 accel/nitro/nitro-accel.c
create mode 100644 accel/nitro/trace-events
create mode 100644 accel/nitro/trace.h
create mode 100644 accel/stubs/nitro-stub.c
create mode 100644 docs/system/nitro.rst
create mode 100644 hw/nitro/Kconfig
create mode 100644 hw/nitro/heartbeat.c
create mode 100644 hw/nitro/machine.c
create mode 100644 hw/nitro/meson.build
create mode 100644 hw/nitro/serial-vsock.c
create mode 100644 hw/nitro/trace-events
create mode 100644 hw/nitro/trace.h
create mode 100644 include/hw/nitro/heartbeat.h
create mode 100644 include/hw/nitro/machine.h
create mode 100644 include/hw/nitro/serial-vsock.h
create mode 100644 include/standard-headers/linux/nitro_enclaves.h
create mode 100644 include/system/nitro-accel.h
--
2.47.1
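As an added illustration, not part of the patch series or of the mail above: the enclave kernel command line quoted in the boot log places the two virtio-mmio devices (vsock and heartbeat) with `virtio_mmio.device=<size>@<base>:<irq>[:<id>]` entries. The parser below extracts those placements and checks that the MMIO windows do not overlap and that no IRQ line is shared; the sample command line is copied from the log above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the "Command line:" entry from the boot log quoted above.
SAMPLE_CMDLINE = (
    "reboot=k panic=30 pci=off nomodules console=ttyS0 i8042.noaux i8042.nomux "
    "i8042.nopnp i8042.dumbkbd random.trust_cpu=on "
    "virtio_mmio.device=4K@0xd0000000:5 virtio_mmio.device=4K@0xd0001000:6"
)

# Size/base suffixes accepted by the kernel's memparse(): K, M, G.
_UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}
_DEV_RE = re.compile(r"^(\d+)([KMG]?)@(0x[0-9a-fA-F]+|\d+):(\d+)(?::(\d+))?$")


@dataclass(frozen=True)
class MmioDevice:
    base: int
    size: int
    irq: int
    dev_id: Optional[int]


def parse_virtio_mmio(cmdline: str) -> List[MmioDevice]:
    """Return every virtio_mmio.device=<size>@<base>:<irq>[:<id>] entry, in order."""
    devices = []
    for token in cmdline.split():
        if not token.startswith("virtio_mmio.device="):
            continue
        m = _DEV_RE.match(token.split("=", 1)[1])
        if m is None:
            raise ValueError(f"malformed virtio_mmio.device entry: {token}")
        size = int(m.group(1)) * _UNITS[m.group(2)]
        base = int(m.group(3), 0)  # base 0: accepts 0x-prefixed hex or plain decimal
        dev_id = int(m.group(5)) if m.group(5) else None
        devices.append(MmioDevice(base, size, int(m.group(4)), dev_id))
    return devices


def check_layout(devices: List[MmioDevice]) -> List[str]:
    """Report overlapping MMIO windows or IRQ lines shared between devices."""
    problems = []
    seen_irq = {}
    for i, d in enumerate(devices):
        if d.irq in seen_irq:
            problems.append(f"irq {d.irq} shared by devices {seen_irq[d.irq]} and {i}")
        seen_irq.setdefault(d.irq, i)
        for j, o in enumerate(devices[:i]):
            if d.base < o.base + o.size and o.base < d.base + d.size:
                problems.append(f"devices {j} and {i} overlap in MMIO space")
    return problems
```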