SYSTEM Cited by 2 sources

AWS Nitro

Definition

AWS Nitro is the family of dedicated hardware (offload cards + security chip) + lightweight hypervisor that underpins modern EC2. Nitro moves networking, storage, and (eventually) device-virtualization off the general-purpose Xen hypervisor onto dedicated hardware pipelines, freeing customer CPU and collapsing several layers of in-kernel queueing.

Why it exists (from the systems/aws-ebs lens)

Per Marc Olson's 2024 retrospective, a major motivation from the EBS side was queue reduction in the IO path. Under Xen, a single IO traversed: instance block device queue → Xen ring → dom0 kernel block device queue → EBS client network queue. Loopback isolation showed these layers interfering with each other — classic concepts/noisy-neighbor compounding. Nitro's hardware pipelines remove multiple of those layers.

Rollout narrated in the EBS post

1. First Nitro card — networking. VPC processing (software-defined network) moved out of the Xen dom0 kernel into a dedicated hardware pipeline. CPU cycles no longer stolen from customer instances to drive network traffic; Xen used its ability to pass a virtual PCI device directly to the instance.
2. Second Nitro card — EBS storage. Same playbook for block IO. Even without full passthrough, offloading interrupt-driven work cut hypervisor CPU time per IO and introduced dedicated interrupt processing. This card also handled EBS encrypted volumes at line rate with key material kept separate from the hypervisor — hardening encryption against hypervisor compromise.
3. Later — full device passthrough and the systems/aws-nitro-ssd custom SSDs extended the offload story all the way to the media.

Also the density substrate for Lambda

In the AWS Lambda PR/FAQ retrospective, Nitro and systems/firecracker are framed as the pair that converted Lambda from single-tenant EC2 (the launch isolation posture) to thousands of micro-VMs per bare-metal instance. Different entry point, same design family: move the general-purpose hypervisor out of the hot path; push the remaining isolation boundary into dedicated code/hardware.

Related

• systems/aws-ebs — primary storage customer of the second Nitro card.
• systems/firecracker — micro-VM monitor that lives on top of the Nitro substrate.
• systems/srd — transport protocol that Nitro hardware offloads for storage traffic.
• concepts/hardware-offload — the design principle that Nitro instantiates.

Seen in

• sources/2024-08-22-allthingsdistributed-continuous-reinvention-block-storage-at-aws — IO-path + EBS + encryption offload; second card as EBS's density unlock.
• sources/2024-11-15-allthingsdistributed-aws-lambda-prfaq-after-10-years — isolation path from single-tenant EC2 → Firecracker micro-VMs on Nitro.