1.0 Introduction
This article describes how to enroll a compute node using AWS Nitro on an Amazon Linux platform in Fortanix Confidential Computing Manager (CCM).
2.0 Configure the Environment
2.1 Create a Virtual Machine
Perform the following steps to create a new virtual machine (VM):
Log in to Amazon Web Services (AWS).
Navigate to EC2 → Instances → Launch Instances and enter the required name and tags for the VM.
Select the Amazon Linux 2023 AMI machine image.

Figure 1: Select AMI
Instance Type: Select an instance type that supports AWS Nitro Enclaves. The c5a.xlarge instance type is the minimum supported configuration. For more information, refer to the AWS Nitro Enclaves requirements documentation.
Figure 2: Add Instance Type
Key pair (login): Click Create a new Key pair. The key pair is used to securely connect to the VM.

Figure 3: Configure a Key Pair
Configure storage: Configure the required storage size. The default storage size is 8 GB. You can increase the storage size if required.

Figure 4: Configure Storage
Expand the Advanced Details section, and then select Enable under Nitro Enclave settings.

Figure 5: Configure Nitro Enclave
Configure the remaining parameters as required and then launch the instance.
2.2 Install the Nitro Driver and Utilities
To install the Nitro Enclaves CLI and related utilities, follow the instructions for Amazon Linux 2023 in the official AWS documentation.
NOTE
The number of vCPUs and the amount of memory allocated to Nitro Enclaves are defined in the allocator service configuration file located at:
/etc/nitro_enclaves/allocator.yaml
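The following added example (not part of the Fortanix or AWS documentation) reads the allocator file and checks that it reserves at least a given amount of memory and vCPUs before the node is enrolled. The keys memory_mib and cpu_count are those of the stock allocator.yaml; the MIN_MEM_MIB and MIN_CPUS variables and their default values are assumptions, not Fortanix requirements.

```shell
#!/bin/sh
# Added example: pre-enrollment check of the Nitro Enclaves allocator settings.
# Assumptions: the thresholds below are illustrative values only.

ALLOCATOR_FILE="${ALLOCATOR_FILE:-/etc/nitro_enclaves/allocator.yaml}"

# allocator_value FILE KEY
# Print the value of a top-level "KEY: value" line. Commented-out lines
# (such as the "# cpu_pool: ..." sample in the stock file) and trailing
# comments are ignored. Prints nothing if the key is not set.
allocator_value() {
    sed -n -E "s/^$2:[[:space:]]*([^#[:space:]]+).*$/\1/p" "$1" | tail -n 1
}

# check_allocation FILE MIN_MEM_MIB MIN_CPUS
# Returns 0 if the file reserves at least the requested resources,
# 1 if a value is too small, 2 if a value is missing or not a number.
check_allocation() {
    mem="$(allocator_value "$1" memory_mib)"
    cpu="$(allocator_value "$1" cpu_count)"
    case "$mem" in
        ''|*[!0-9]*) echo "memory_mib missing or not numeric" >&2; return 2 ;;
    esac
    case "$cpu" in
        ''|*[!0-9]*) echo "cpu_count missing or not numeric (cpu_pool in use?)" >&2; return 2 ;;
    esac
    if [ "$mem" -lt "$2" ]; then
        echo "memory_mib=$mem is below the required $2" >&2; return 1
    fi
    if [ "$cpu" -lt "$3" ]; then
        echo "cpu_count=$cpu is below the required $3" >&2; return 1
    fi
    echo "ok: memory_mib=$mem cpu_count=$cpu"
}

# On a real node, check the live file and confirm the allocator service
# has started with it. Skipped when the file is not present.
if [ -r "$ALLOCATOR_FILE" ]; then
    check_allocation "$ALLOCATOR_FILE" "${MIN_MEM_MIB:-1024}" "${MIN_CPUS:-2}" &&
        systemctl is-active nitro-enclaves-allocator.service
fi
```

After changing allocator.yaml, restart nitro-enclaves-allocator.service so that the new reservation takes effect.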
3.0 Enroll Node using AWS Nitro on Amazon Linux
3.1 Amazon Nitro Node Agent
Ensure that you download the Amazon Nitro Node Agent Installer from here.
Perform the following steps to enroll the Amazon Nitro Agent compute node:
Run the following commands to extract the contents of the Node-Agent-installer.tar.gz package and open the folder:
tar -zxvf Node-Agent-Installer.tar.gz
cd em-agent-installer
Open the INSTALLER_README.md file containing the steps to enroll the compute node in Fortanix CCM.

Figure 6: Readme.txt
Run the following command to execute the installer.sh script:
sudo bash installer.sh <join-token>
Where,
<join-token> is the token copied from Fortanix CCM. For more information, refer to Section 4.0: Generate a Join Token.
NOTE
For Fortanix CCM on-premises SGX deployments, update the EM_HOST_NAME setting in the /etc/em-agent/em-agent.conf file from ccm.fortanix.com to api.armor.onprem.fortanix.net, and then restart the em-agent using the following command:
sudo systemctl restart em-agent-nitro
4.0 Generate a Join Token
Perform the following steps to generate a join token in Fortanix CCM:
Log in to Fortanix Armor Platform. For more information, refer to Getting Started with Fortanix Armor.
Navigate to the Fortanix CCM user interface (UI). For more information, refer to Fortanix Armor Solutions.
In the CCM UI left navigation panel, click Infrastructure → COMPUTE NODES → AWS Nitro Enclaves, and then click ADD NODE.
Figure 7: Add node
In the Enroll Compute Node window, click COPY to copy the Join Token. This Join Token is used by the compute node to authenticate itself.
5.0 Validate the Enrolled Compute Node
After the compute node is successfully enrolled, it appears in the COMPUTE NODES overview table in Fortanix CCM.
Perform the following steps to debug the em-agent service:
Run the following command to view the logs:
journalctl -xe | grep em-agent
Run the following command to view the status of the em-agent service or check the system logs directly:
systemctl status em-agent-nitro