Updated on 2025-01-02 GMT+08:00

General Questions

What Is QingTian Enclave?

QingTian Enclave provides an isolated and highly-constrained environment where you can deploy your security-sensitive applications to reduce the attack surface area.

What Are the Advantages of QingTian Enclave?

QingTian Enclave allows you to create isolated compute environments from general ECSs to process your highly sensitive data.

QingTian Enclave instances are completely independent VMs and have no persistent storage, interactive access, or external networking. They communicate with your ECSs through a secure local channel.

When Should I Use QingTian Enclave?

When you process security-sensitive data and want the data to be isolated from users, applications, or third-party libraries, you can use QingTian Enclave to provide an independent, isolated environment for your data processing.

You can develop and run various applications in QingTian Enclave, such as personal privacy information processing, proprietary code and algorithm operation, and multi-party computation.

How Do I Get Started with QingTian Enclave?

You can refer to Getting Started with QingTian Enclave to start your journey with QingTian Enclave.

What Is vCPU and Memory Isolation?

vCPU and memory isolation prevents users, applications, and third-party libraries on the parent instance from directly accessing the vCPUs and memory of QingTian Enclave instances. You can use the QingTian CLI (qt CLI) to boot a QingTian Enclave instance with isolated vCPUs and memory. For details, see QingTian CLI (qt CLI).

How Are the vCPUs and Memory of QingTian Enclave Instances Isolated from Their Parent Instance?

QingTian Enclave uses verified vCPU-based isolation technology, combined with the unique design of the QingTian architecture and a root of trust based on the Huawei-developed iNIC. The QingTian Hypervisor, designed and developed by Huawei Cloud, divides the physical resources of a server into partitions and discards the functions that other virtualization technologies carry but that are unnecessary here. QingTian Enclave extends the isolation capabilities of the QingTian Hypervisor to protect the vCPUs and memory allocated to QingTian Enclave instances and isolate them from those of the parent instance, creating isolated execution environments.

Which Instance Types Support QingTian Enclave?

Currently, C7t ECSs support the QingTian Enclave feature.

What Is an Attestation Document?

An attestation document is used to verify the trustworthiness measurements of a QingTian Enclave instance. It is generated by the QingTian Hypervisor and includes the Platform Configuration Register (PCR) list, the QingTian Public Key Infrastructure (PKI) certificate chain, the cryptographic algorithm declaration, and user-defined data from the QingTian Enclave application.

The attestation document is signed by the Huawei Cloud QingTian Attestation PKI. Huawei Cloud Key Management Service (KMS) has built-in attestation support for QingTian Enclave instances. You can use the Huawei Cloud KMS APIs included in the QingTian Enclave SDK to perform KMS operations, such as decryption, random number generation, and encryption, inside QingTian Enclave instances based on the attestation document. KMS ingests attestation documents from QingTian Enclave instances and validates the measurements in them against those specified in the IAM policies to determine whether the QingTian Enclave instances can access KMS APIs.

What Is the Root of Trust of QingTian Enclave's Attestation Document and How Can I Verify It?

The attestation document is signed by the Huawei Cloud QingTian Attestation PKI. You can download the QingTian Enclave's root certificate at https://qingtian-enclave.obs.myhuaweicloud.com/huawei_qingtian-enclaves_root-G1.zip. For details about how to verify the document signature, see Document Signature Verification.

How Is QingTian Enclave Billed?

Currently, QingTian Enclave is free, and you only need to pay for the ECSs you purchase.

Why Does the Isolation Command (systemctl start qt-enclave-env) Fail?

During system runtime, memory fragmentation is inevitable. As a result, contiguous huge pages may not be obtainable when the isolation service runs.

In this case, run systemctl status qt-enclave-env to check whether the error log contains an allocating hugepages error.

If it does, the number of contiguous huge pages available from the system is less than the expected number ($wanted_mem_num).

You can use either of the following solutions to handle this issue:

  • Solution 1:
    1. Check the maximum number of contiguous 1 GiB huge pages ($free_mem_num) available from the system.

      cat /sys/devices/system/node/node0/hugepages/hugepages-1048576kB/free_hugepages

    2. Modify the /etc/qingtian/enclave/qt-enclave-env.conf configuration file to ensure that the value of memory_mib is less than $free_mem_num multiplied by 1024 (each huge page in this pool is 1048576 kB, that is, 1 GiB, so the budget is expressed in MiB).

      vim /etc/qingtian/enclave/qt-enclave-env.conf

      To prevent memory fragmentation caused by repeated executions of the isolation command, you are advised to execute the resource isolation command immediately after the system is started.

  • Solution 2:
    1. Modify the /etc/default/grub file.

      vim /etc/default/grub

      Add default_hugepagesz=1G hugepagesz=1G hugepages=$wanted_mem_num to the GRUB_CMDLINE_LINUX kernel command-line parameter in that file.

    2. Apply the modification.

      grub2-mkconfig -o /boot/efi/EFI/hce/grub.cfg

    3. Restart the VM and check the number of available huge pages again.

      reboot
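As an added example that is not part of this page or of the qt CLI, the following POSIX shell function performs the check from Solution 1 before the isolation service is started: it reads the free 1 GiB huge pages on node0 and the memory_mib value, and reports whether the condition from step 2 holds, printing the number of huge pages to reserve via GRUB (Solution 2) when it does not. It assumes the configuration file expresses the setting as a memory_mib = <number> line; both paths default to the ones named on this page and can be overridden, which is how the constructed test inputs are supplied.

```shell
#!/bin/sh
# Added example, not Huawei Cloud code. Checks whether memory_mib in
# qt-enclave-env.conf fits into the free 1 GiB huge pages on node0, which is
# the condition the page gives for "allocating hugepages error".
# Assumption: the conf file holds a line of the form "memory_mib = 4096"
# (spaces around "=" optional); lines starting with "#" are ignored.

# Usage: check_enclave_hugepages [free_hugepages_file] [conf_file]
# Returns 0 when memory_mib fits, 1 when it does not or a value cannot be read.
check_enclave_hugepages() {
    free_file="${1:-/sys/devices/system/node/node0/hugepages/hugepages-1048576kB/free_hugepages}"
    conf_file="${2:-/etc/qingtian/enclave/qt-enclave-env.conf}"

    # $free_mem_num from the page: free contiguous 1 GiB huge pages on node0
    free_mem_num=$(cat "$free_file" 2>/dev/null | tr -d '[:space:]')
    # memory_mib: first uncommented "memory_mib = N" line in the conf file
    memory_mib=$(sed -n 's/^[[:space:]]*memory_mib[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' \
        "$conf_file" 2>/dev/null | head -n 1)

    case "$free_mem_num" in
        ''|*[!0-9]*) echo "cannot read free 1G huge pages from $free_file" >&2; return 1 ;;
    esac
    case "$memory_mib" in
        ''|*[!0-9]*) echo "memory_mib not found in $conf_file" >&2; return 1 ;;
    esac

    # Each page in the hugepages-1048576kB pool is 1 GiB = 1024 MiB, so the
    # page's rule is: memory_mib must be less than free_mem_num * 1024.
    max_mib=$((free_mem_num * 1024))
    if [ "$memory_mib" -lt "$max_mib" ]; then
        echo "ok: memory_mib=$memory_mib fits in $free_mem_num free 1G huge pages ($max_mib MiB)"
        return 0
    fi
    # Number of 1 GiB pages needed, i.e. the hugepages=$wanted_mem_num value
    # for GRUB_CMDLINE_LINUX in Solution 2 (rounded up).
    wanted_mem_num=$(( (memory_mib + 1023) / 1024 ))
    echo "insufficient: memory_mib=$memory_mib is not below $max_mib MiB ($free_mem_num free 1G huge pages)" >&2
    echo "lower memory_mib in $conf_file, or add hugepages=$wanted_mem_num to GRUB_CMDLINE_LINUX and reboot" >&2
    return 1
}
```

Run it right after boot, before systemctl start qt-enclave-env, because fragmentation accumulates while the system runs.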