Updated on 2024-07-19 GMT+08:00

What Is QingTian Enclave?

  • QingTian Enclave instances are isolated virtual machines (VMs) built on the QingTian architecture. The instance that owns a QingTian Enclave instance is called its parent instance. A QingTian Enclave instance is a fully independent VM with no persistent storage, no interactive access, and no external networking. It communicates with its parent instance only over a secure local channel, a vsock (virtio socket). Even the root user of the parent instance cannot access or SSH into a QingTian Enclave instance.
  • The QingTian Hypervisor isolates the vCPUs and memory of QingTian Enclave instances from the parent instance, providing an isolated execution environment with a greatly reduced attack surface. This lets you move sensitive data and the applications that process it into a QingTian Enclave instance and so raise the security of your services.
  • QingTian Enclave also supports attestation, which lets a relying party verify the identity of a QingTian Enclave instance. Huawei Cloud Key Management Service (KMS) has built-in support for this attestation, so that KMS APIs for sensitive data processing can be restricted to applications running in specific, attested QingTian Enclave instances.

Constraints

QingTian Enclave instances have the following constraints.

Parent instance (primary VM)

  1. At least two vCPUs and 512 MiB of memory are required.
  2. Only Linux is supported.

QingTian Enclave instances (secondary VMs)

  1. Bare Metal Servers (BMSs) do not support QingTian Enclave.
  2. Only Linux is supported.
  3. To launch a QingTian Enclave instance, its memory must be at least 128 MiB and at least four times the size of the QingTian Enclave Image File (EIF).
  4. If 2 MiB hugepages are configured in the launch configuration file, the maximum memory allowed is 512 MiB.
  5. If 1 GiB hugepages are configured in the launch configuration file, the maximum memory allowed is 256 GiB.
  6. All vCPUs and memory allocated to a QingTian Enclave instance must come from the same NUMA node.
  7. The number of vCPUs must be even and cannot exceed the number of vCPUs per NUMA node on the parent instance minus 2. The total number of vCPUs cannot exceed 62.
  8. An application that runs inside a QingTian Enclave instance must be packaged together with its OS (kernel, ramdisk, and init) into a QingTian Enclave Image File (EIF).

For details about isolating vCPUs and memory, see Resource Isolation.

The relationship between QingTian Enclave instances and their parent instance is as follows:

  1. A maximum of two QingTian Enclave instances can be created from one parent instance.
  2. QingTian Enclave instances cannot share a physical core with their parent instance.
  3. QingTian Enclave instances run only while the parent instance is running. If the parent instance is stopped or terminated, its QingTian Enclave instances are stopped or terminated with it.
  4. The resources (vCPUs and memory) of a QingTian Enclave instance are taken from the parent instance. The memory must be a contiguous physical range aligned to 2 MiB or 1 GiB, matching the configured hugepage size.

You also need to note the following:

  1. Only C7t ECSs can serve as parent instances for QingTian Enclave.
  2. QingTian Enclave is available in the following regions: CN North-Beijing4, CN East-Shanghai1, and CN South-Guangzhou.
  3. Services running inside a QingTian Enclave instance are not restarted automatically: if one exits unexpectedly, you must start it again yourself.
  4. By default, a QingTian Enclave instance is launched with 1 GiB hugepages, 1 GiB of memory, and 2 vCPUs.
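The sizing rules above are easy to get wrong when writing a launch configuration by hand (an odd vCPU count, a memory size that is not a whole number of hugepages, or memory that is too small for the EIF all cause the launch to fail). The following pre-flight checker is an added example written for this page; it is not Huawei Cloud code and it does not call any QingTian tooling. It encodes the documented limits so that a request can be rejected locally before anything is submitted. The `EnclaveRequest` and `ParentState` types, the hypothetical `vcpus_per_numa_node` and `running_enclaves` figures the caller supplies, and the interpretation of "aligned" as "a whole number of hugepages" are assumptions of the example.

```python
"""Pre-flight check of a QingTian Enclave launch request (added example).

Not Huawei Cloud code: this only encodes the vCPU/memory constraints listed
on the documentation page. The parent-instance figures (vCPUs per NUMA node,
number of enclaves already running) are assumed to be supplied by the caller.
"""
from dataclasses import dataclass
from typing import List

MIN_MEMORY_MIB = 128                       # absolute floor for enclave memory
EIF_MEMORY_FACTOR = 4                      # memory must be >= 4 x EIF size
MAX_MEMORY_MIB = {2: 512, 1024: 256 * 1024}  # ceiling keyed by hugepage size (MiB)
MAX_ENCLAVE_VCPUS = 62                     # hard cap on enclave vCPUs
PARENT_RESERVED_VCPUS = 2                  # parent keeps 2 vCPUs on the NUMA node
MAX_ENCLAVES_PER_PARENT = 2                # at most two enclaves per parent


@dataclass
class EnclaveRequest:
    vcpus: int
    memory_mib: int
    eif_size_mib: int
    hugepage_mib: int = 1024  # documented default: 1 GiB hugepages


@dataclass
class ParentState:
    vcpus_per_numa_node: int  # assumption: caller reads this from the parent's topology
    running_enclaves: int = 0


def check_enclave_request(req: EnclaveRequest, parent: ParentState) -> List[str]:
    """Return a list of violated constraints; an empty list means the request is launchable.

    The same-NUMA-node rule cannot be checked here because it depends on which
    physical pages and cores the hypervisor picks, so it is left to launch time.
    """
    problems: List[str] = []

    if req.hugepage_mib not in MAX_MEMORY_MIB:
        problems.append(f"hugepage size {req.hugepage_mib} MiB is not 2 MiB or 1 GiB")
        return problems  # the remaining memory checks need a valid hugepage size

    # Memory: absolute floor, EIF-relative floor, hugepage-dependent ceiling.
    if req.memory_mib < MIN_MEMORY_MIB:
        problems.append(f"memory {req.memory_mib} MiB is below the {MIN_MEMORY_MIB} MiB minimum")
    needed = EIF_MEMORY_FACTOR * req.eif_size_mib
    if req.memory_mib < needed:
        problems.append(f"memory {req.memory_mib} MiB is below 4 x EIF size ({needed} MiB)")
    ceiling = MAX_MEMORY_MIB[req.hugepage_mib]
    if req.memory_mib > ceiling:
        problems.append(f"memory {req.memory_mib} MiB exceeds the {ceiling} MiB limit "
                        f"for {req.hugepage_mib} MiB hugepages")
    # Assumption: a contiguous range aligned to the hugepage size means the
    # request must be a whole number of hugepages.
    if req.memory_mib % req.hugepage_mib != 0:
        problems.append(f"memory {req.memory_mib} MiB is not a multiple of the "
                        f"{req.hugepage_mib} MiB hugepage size")

    # vCPUs: even, leave PARENT_RESERVED_VCPUS on the NUMA node, hard cap of 62.
    if req.vcpus < 2 or req.vcpus % 2 != 0:
        problems.append(f"vCPU count {req.vcpus} must be an even number of at least 2")
    available = parent.vcpus_per_numa_node - PARENT_RESERVED_VCPUS
    if req.vcpus > available:
        problems.append(f"vCPU count {req.vcpus} exceeds the {available} vCPUs available "
                        f"on one NUMA node after reserving {PARENT_RESERVED_VCPUS} for the parent")
    if req.vcpus > MAX_ENCLAVE_VCPUS:
        problems.append(f"vCPU count {req.vcpus} exceeds the hard limit of {MAX_ENCLAVE_VCPUS}")

    if parent.running_enclaves >= MAX_ENCLAVES_PER_PARENT:
        problems.append(f"parent already runs {parent.running_enclaves} enclaves "
                        f"(limit {MAX_ENCLAVES_PER_PARENT})")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: the documented default sizing on a 16-vCPU NUMA node,
    # and a deliberately bad request that trips several rules at once.
    parent = ParentState(vcpus_per_numa_node=16)
    print(check_enclave_request(EnclaveRequest(vcpus=2, memory_mib=1024, eif_size_mib=100), parent))
    bad = EnclaveRequest(vcpus=3, memory_mib=300, eif_size_mib=100, hugepage_mib=2)
    for line in check_enclave_request(bad, ParentState(vcpus_per_numa_node=4, running_enclaves=2)):
        print("-", line)
```

Run it as a script to see the default configuration pass and the bad request fail with one line per violated rule; in a deployment pipeline, call `check_enclave_request` and refuse to submit the launch while the returned list is non-empty.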

Billing

QingTian Enclave is free during the open beta test (OBT). You only need to pay for the ECSs you purchase.

Related Services

QingTian Enclave integrates with the following Huawei Cloud services:

  1. KMS

    Key Management Service (KMS) is a core service of Huawei Cloud Data Encryption Workshop (DEW). KMS is a highly available cloud service that helps you create, store, manage, and audit keys. KMS uses Hardware Security Modules (HSMs) to protect keys and integrates with multiple Huawei Cloud services. You can also build your own encryption applications on top of KMS.

  2. IAM

    Identity and Access Management (IAM) provides permissions management so that you can securely control access to your Huawei Cloud services and resources.