{"id":18303112,"url":"https://github.com/monzo/aws-nitro-util","last_synced_at":"2025-04-05T14:31:51.428Z","repository":{"id":243895072,"uuid":"756923656","full_name":"monzo/aws-nitro-util","owner":"monzo","description":"Utilities to reproducibly build images for AWS Nitro Enclaves","archived":false,"fork":false,"pushed_at":"2024-09-26T12:29:46.000Z","size":1105,"stargazers_count":29,"open_issues_count":0,"forks_count":4,"subscribers_count":12,"default_branch":"master","last_synced_at":"2025-03-21T06:33:22.904Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Nix","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/monzo.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-02-13T15:16:01.000Z","updated_at":"2025-03-10T08:57:26.000Z","dependencies_parsed_at":"2024-08-29T09:56:48.129Z","dependency_job_id":"251ee167-08c5-442b-9176-ec8059c76016","html_url":"https://github.com/monzo/aws-nitro-util","commit_stats":null,"previous_names":["monzo/aws-nitro-util"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/monzo%2Faws-nitro-util","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/monzo%2Faws-nitro-util/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/monzo%2Faws-nitro-util/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/monzo%2Faws-nitro-util/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/monzo
","download_url":"https://codeload.github.com/monzo/aws-nitro-util/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247352661,"owners_count":20925309,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-05T15:24:12.727Z","updated_at":"2025-04-05T14:31:46.299Z","avatar_url":"https://github.com/monzo.png","language":"Nix","funding_links":[],"categories":[],"sub_categories":[],"readme":"# AWS Nitro utilities\n\nThis repo contains a Nix flake with some helpers to reproducibly build AWS Nitro Enclave image files.\n\nYou can think of it as an alternative to `nitro-cli build-enclave` for building EIFs. The idea is to:\n- have a more secure EIF-building process, by having the tool that builds them also be bit-by-bit reproducible, thus reducing the surface for supply-chain attacks as well as removing some implicit trust in AWS.\n- remove the dependency on containers completely, while still allowing their use\n- give users complete control over their enclave images, providing additional options like BYOK (Bring Your Own Kernel)\n- easily build EIFs on systems other than Amazon Linux, including M1+ Macs (e.g., it's possible to build an x86_64 Linux EIF on an ARM Mac)\n\n\u003e We wrote [a blog post](https://monzo.com/blog/securing-our-software-supply-chain-better-with-reproducible-builds-for)\n\u003e about our motivation for building this tooling at Monzo. 
We recommend you read it if you use AWS Nitro Enclaves\n\u003e and you are wondering why you might want to use it.\n\u003e We also recommend [this other excellent blog post](https://blog.trailofbits.com/2024/02/16/a-few-notes-on-aws-nitro-enclaves-images-and-attestation) to learn more about the EIF Nitro image format in general.\n\n\nThe tradeoffs between using this repo and AWS' `nitro-cli` are:\n\n| Feature                      | `nitro-cli build-enclave`                                                                                                                                                                                                             | monzo/aws-nitro-util                                                                                |\n|------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------|\n| EIF userspace input          | Docker container                                                                                                                                                                                                                      | plain files, including nix packages and unpacked OCI images                                         |\n| EIF bootstrap input          | pre-compiled kernel binary provided by AWS                                                                                                                                                                                            | use pre-compiled kernel by AWS or bring your own kernel (see [example](./examples/README.md))       |\n| dependencies                 | Docker, linuxkit fork, 
[aws/aws-nitro-enclaves-image-format](https://github.com/aws/aws-nitro-enclaves-image-format/)                                                                                                                 | Nix, [aws/aws-nitro-enclaves-image-format](https://github.com/aws/aws-nitro-enclaves-image-format/) |\n| Source-reproducible          | no, uses pre-compiled blobs provided by AWS                                                                                                                                                                                           | yes, can be built entirely from source                                                              |\n| Bit-by-bit reproducible EIFs | no, EIFs are timestamped                                                                                                                                                                                                              | yes, building the same EIF will result in the same SHA256                                           |\n| cross-architecture EIFs      | yes, if you provide a container for the right architecture                                                                                                                                                                            | yes, if you provide binaries for the right architecture                                             |\n| OS*                          | [Amazon Linux](https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave-cli-install.html) unless you [compile `nitro-cli` from source](https://github.com/aws/aws-nitro-enclaves-cli/tree/main/docs) for other Linux. No MacOS. | any Linux or MacOS with a Nix installation                                                          |\n\n(*): OS for building EIFs. 
Note that \n- to make EIFs on a Mac, you have to be able to cross-compile the userspace binaries from Darwin to Linux\n- even if you make an EIF on a Mac, it can still only run on Linux.\n\n## Examples\n\nYou can find examples in [`examples/`](./examples/README.md).\n\nNote that you need to install [Nix](https://nixos.org/) and [enable flakes](https://nixos.wiki/wiki/Flakes) to use this repo.\n\n## Design\n\nmonzo/aws-nitro-util consists of a CLI compiled from [aws/aws-nitro-enclaves-image-format](https://github.com/aws/aws-nitro-enclaves-image-format/) (which allows building an EIF from a specific file structure) and of Nix utilities to reproducibly build AWS' tooling, the EIF, and its dependencies.\n\nA typical EIF build would look like the following:\n\n```mermaid\n%%{init: {\"flowchart\": {\"htmlLabels\": false}} }%%\n\ngraph TD\n\tstyle yourRepo stroke:#C802E5\n\tstyle yourRepo stroke-width:4\n\n\tstyle initBin stroke:#018E01\n\tstyle initBin stroke-width:4\n\n\tstyle nsm stroke:#9B6201\n\tstyle nsm stroke-width:4\n\n\tstyle kernel stroke:#9B6201\n\tstyle kernel stroke-width:4\n\n\n\n\tsubgraph The internet\n\t\teifFormatRepo(\"📦 github repo \\n aws/ \\n aws-nitro-enclaves-\\nimage-format\")\n\t\tnitroCliRepo(\"📦 github repo \\n aws/ \\n aws-nitro-enclaves-\\n cli\")\n\t\tbootstrapRepo(\"📦 github repo \\n aws/ \\n aws-nitro-enclaves-\\nsdk-bootstrap\")\n\t\tyourRepo(\"your source code \\n or OCI image\")\n\tend\n\tinitBin(\"init \\n compiled init.c \\n (or bring your own)\")\n\teifCli(\"📦 eif_build CLI \\n\")\n\tnsm(\"nsm.ko \\n compiled Nitro \\n kernel module \\n (or bring your own)\")\n\n    subgraph PCR1\n        kernel(\"Kernel binary \\n (or bring your own)\")\n        sysInit(\"system-initramfs \\n (app-agnostic) \\n PCR1\")\n\tend\n    userInit(\"user-initramfs \\n (app-specific)\\n PCR2\")\n\t\n\trootfs(\"rootfs \\n folder containing \\n filesystem \\n (eg, compiled main.go)\")\n\n\tdoEif((\"package \\n EIF...\"))\n\tdoSysInit((\"package sys \\n 
initramfs...\"))\n\tdoUserInit((\"package user \\n initramfs...\"))\n\t\n\tyourRepo --\u003e|compile \\n from source|main(\"main \\n compiled \\n binary\")\n\tmain --\u003e rootfs\n\tbootstrapRepo --\u003e|compile \\nfrom source|initBin\n\n\tnitroCliRepo -.-\u003e|has under blobs/|nsm\n\tnitroCliRepo -.-\u003e|has under blobs/|kernel\n\n\trootfs --\u003e doUserInit\n\tdoUserInit==\u003e userInit\n\n\tinitBin ---\u003edoSysInit\n\tnsm--\u003edoSysInit\n\tdoSysInit ==\u003e sysInit\n\n\teifFormatRepo ---\u003e |compile \\n from source|eifCli\n\teifCli --\u003edoEif\n\tkernel --\u003edoEif\n\tsysInit ==\u003edoEif\n\tuserInit ==\u003edoEif\n\n\n\tdoEif --\u003eeif(\"image.eif \\n enclave image\")\n\tdoEif --\u003epcr(\"pcr.json \\n PCR signatures\")\n```\n\n- Pink outline: your build input (what will run on the enclave after it boots)\n- Green outline: by AWS, compiled from source\n- Brown outline: by AWS, downloaded trusted binary (that you can choose to replace with your own)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmonzo%2Faws-nitro-util","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmonzo%2Faws-nitro-util","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmonzo%2Faws-nitro-util/lists"}