# huawei-qingtian

**Repository Path**: HuaweiCloudDeveloper/huawei-qingtian

## Basic Information

- **Project Name**: huawei-qingtian
- **Description**: Qingtian Enclaves service is a feature of the Qingtian architecture in Huawei Cloud, which provides an isolated execution environment, named an enclave, inside a Huawei ECS instance.
- **Primary Language**: C
- **License**: Apache-2.0
- **Default Branch**: master
- **Homepage**: None
- **GVP Project**: No

## Statistics

- **Stars**: 7
- **Forks**: 9
- **Created**: 2022-12-01
- **Last Updated**: 2025-12-31

## Categories & Tags

**Categories**: cloud

**Tags**: None

## README

# Qingtian Enclaves

This repository presents the necessary components used to deliver the Qingtian Enclaves service to customers in Huawei Cloud.

Qingtian Enclaves service is a feature of the Qingtian architecture in Huawei Cloud, which provides an isolated execution environment, named an enclave, inside a Huawei ECS instance. Enclaves are isolated and highly constrained virtual machines without persistent storage, interactive access, or external networking. The only channel between an enclave and its parent instance is a secure local socket connection. The resources of the enclave, such as vCPUs and memory, are separated from its parent instance, and the Qingtian Hypervisor ensures that the parent instance has no permission to access these vCPUs and memory. No process, application, or user (even root or admin) of the parent instance can access the code and data inside the enclave. Thus you can protect your security-sensitive code and data using Qingtian Enclaves.

Qingtian Enclaves also provides attestation support, integrated with Huawei Key Management Service. It allows you to verify an enclave's identity and the code expected to run inside it. You can also customize the security policy for your specific IAM users according to the enclaves' PCRs.
## Requirements

There are some requirements while using Qingtian Enclaves:

- Parent instance requirements:
  - Linux operating system only
  - A Qingtian-based virtual machine with enclave support
  - Configured with more than `2 vCPUs`
  - At least `2 free vCPUs` and `512M free memory` left for launching an enclave
- Qingtian Enclaves requirements:
  - Linux operating system only
  - Configured with at least `128M memory` and not less than 4 times the size of the enclave eif image file
  - Supports `512M memory` if the `hugepage_size` is configured as `2M` and `256G memory` if the `hugepage_size` is configured as `1G`
  - Configured with an even number of `vCPUs`, fewer than `62`
  - All `memory` and `vCPUs` should come from one NUMA node in the parent instance, and the number of the enclave's `vCPUs` should be less than the number of `vCPUs` in that NUMA node `- 2`
- The relationship between Qingtian Enclaves and the parent instance:
  - Multiple Qingtian enclaves can be launched per parent instance
  - Qingtian enclaves cannot keep running while the parent instance is stopped or terminated
  - It is not allowed to launch an enclave and terminate it at the same time in one parent instance
  - The enclave should run on its dedicated `CPUs`; other `CPUs`, particularly `CPU0`, should be left to the parent instance
  - An enclave is not allowed to share a physical core with its parent instance when hyper-threading is in use

## Components information

This repository contains the following components:

- `enclave`: all components running inside the Qingtian enclave
  - `enclave/init`: the first application run when launching an enclave
  - `enclave/qtsm`: the tools used for connecting with the Qingtian Secure Module (QTSM) device to process attestation and PCR queries
  - `enclave/qtsm-sdk-c`: a set of `library` code helping users to develop their own Enclave Apps
- `qingtian-tool`: a command-line tool to manage the Qingtian Enclave's lifecycle
  - `qingtian-tool/qt-proxy`: a network proxy running in the parent instance
- `virtio-qtbox`: a virtual PCI device in the parent instance that allows the parent instance to allocate resources for its enclaves

You can find details about each component in its own `README.md`.

## License

This project is licensed under the Apache-2.0 License.

## Contribution

We are grateful to the community for discovering potential security issues and contributing bugfixes and improvements. Read CONTRIBUTION.md to learn how you can take part in improving the Qingtian Enclaves project.
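The resource rules from the Requirements section above, turned into a pre-flight check an operator can run before launching an enclave. This is an added example, not code from the repository or from `qingtian-tool`; the `EnclaveRequest` fields, the constructed sample sizes, and the reading of the `hugepage_size` figures as upper memory bounds are assumptions.

```python
from dataclasses import dataclass

MIB = 1024 ** 2
GIB = 1024 ** 3

# Assumed reading of the README: the memory an enclave may use is capped
# by the hugepage_size the parent is configured with.
MAX_MEMORY_BY_HUGEPAGE = {2 * MIB: 512 * MIB, 1 * GIB: 256 * GIB}

@dataclass
class EnclaveRequest:
    """Hypothetical launch parameters plus the parent-side facts needed to check them."""
    vcpus: int                      # vCPUs requested for the enclave
    memory_bytes: int               # memory requested for the enclave
    eif_size_bytes: int             # size of the enclave eif image file
    hugepage_size_bytes: int        # parent hugepage_size: 2M or 1G
    parent_vcpus: int               # vCPUs the parent instance still holds
    parent_free_memory_bytes: int   # memory the parent instance still has free
    numa_node_vcpus: int            # vCPUs of the NUMA node that will supply the enclave

def check_enclave_request(req: EnclaveRequest) -> list[str]:
    """Return every README requirement the request violates; an empty list means it passes."""
    problems = []
    if req.parent_vcpus <= 2:
        problems.append("parent instance must be configured with more than 2 vCPUs")
    if req.parent_vcpus - req.vcpus < 2:
        problems.append("parent instance must keep at least 2 free vCPUs")
    if req.parent_free_memory_bytes - req.memory_bytes < 512 * MIB:
        problems.append("parent instance must keep at least 512M free memory")
    if req.memory_bytes < 128 * MIB:
        problems.append("enclave memory must be at least 128M")
    if req.memory_bytes < 4 * req.eif_size_bytes:
        problems.append("enclave memory must be at least 4 times the eif image size")
    limit = MAX_MEMORY_BY_HUGEPAGE.get(req.hugepage_size_bytes)
    if limit is None:
        problems.append("hugepage_size must be 2M or 1G")
    elif req.memory_bytes > limit:
        problems.append(f"enclave memory exceeds the {limit // MIB}M supported for this hugepage_size")
    if req.vcpus % 2 != 0 or req.vcpus >= 62:
        problems.append("enclave vCPUs must be an even number less than 62")
    if req.vcpus >= req.numa_node_vcpus - 2:
        problems.append("enclave vCPUs must be less than the NUMA node's vCPUs minus 2")
    return problems

if __name__ == "__main__":
    # Constructed sample: a 2-vCPU, 512M enclave from a 100M eif on a 4-vCPU parent.
    sample = EnclaveRequest(2, 512 * MIB, 100 * MIB, 2 * MIB, 4, 2 * GIB, 8)
    print(check_enclave_request(sample) or "request satisfies the README requirements")
```

The hyper-threading rule (no shared physical core with the parent) needs the host's core topology and is not covered by this check.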