Azure Confidential Computing - Max Fang's Notes

# Azure Confidential Computing Links: [[Azure]] ## See also ### - [[Azure SGX]] - Dev notes and resources ## General - Instance types: - DCsv2-series - DCsv3 and DCdsv3-series (in public preview) - Portal: [portal.azure.com](https://portal.azure.com/) ## [Docs](https://docs.microsoft.com/en-us/azure/confidential-computing/) - [Build with SGX enclaves](https://docs.microsoft.com/en-us/azure/confidential-computing/confidential-computing-enclaves) - [Application enclave development](https://docs.microsoft.com/en-us/azure/confidential-computing/application-development) - [Quickstart: Create Intel SGX VM in the Azure portal](https://docs.microsoft.com/en-us/azure/confidential-computing/quick-create-portal) - [Open Source Solutions to Build Enclave Applications](https://docs.microsoft.com/en-us/azure/confidential-computing/enclave-development-oss#oe-sdk) - The Open Enclave (OE) Software Development Kit (SDK) - EGo Software Development Kit - Intel SGX Software Development Kit - Confidential Consortium Framework (CCF) - *The Confidential Consortium Framework (CCF) is an example of a distributed blockchain framework. The CCF is built on top of Azure confidential computing. Spearheaded by Microsoft Research, this framework uses the power of trusted execution environments (TEEs) to create a network of remote enclaves for attestation. Nodes can run on top of Azure Intel SGX virtual machines and take advantage of the enclave infrastructure. Through attestation protocols, users of the blockchain can verify the integrity of one CCF node, and effective verify the entire network.* ## [Attestation Docs](https://docs.microsoft.com/en-us/azure/attestation/overview) - [Basic Concepts](https://docs.microsoft.com/en-us/azure/attestation/basic-concepts) - [How to author an attestation policy](https://docs.microsoft.com/en-us/azure/attestation/author-sign-policy) - [Quickstart: Set up Azure Attestation with Azure PowerShell](https://docs.microsoft.com/en-us/azure/attestation/quickstart-powershell) - [Quickstart: Set up Azure Attestation with Azure CLI](https://docs.microsoft.com/en-us/azure/attestation/quickstart-azure-cli) - [Code samples](https://docs.microsoft.com/en-us/samples/browse/?expanded=azure&terms=attestation) - [Go remote attestation sample using Microsoft Azure Attestation](https://github.com/edgelesssys/ego/tree/master/samples/azure_attestation) (uses [[EGo]]) - (GitHub repo) [Azure Data Center Attestation Primitives (DCAP) Client](https://github.com/microsoft/Azure-DCAP-Client) - This library serves as a quoting data provider plugin for the Intel SGX Data Center Attestation Primitives (DCAP). Specifically, the Intel DCAP library will search out and load provider plugins, such as the Azure DCAP Client. This provider plugin is then used to fetch certain data files, such as platform certificates, TCB structures, and revocation lists. - The Azure DCAP Client fetches artifacts from an Azure-internal caching service. The purpose of this cache is to ensure that all Azure hosts always have the correct data available and local within the Azure cloud. - The data serviced by the Azure cache are all Intel-originating, and are rooted to Intel CAs. The cache serves simply to ensure that there are no external dependencies on Intel for workloads running on Azure infrastructure. ## [Main page](https://azure.microsoft.com/en-us/solutions/confidential-compute/) ### Used by [[Signal]], [[MobileCoin]] ![[Screen Shot 2022-03-21 at 11.14.58 PM.png]] ## [Azure Attestation Overview](https://docs.microsoft.com/en-us/azure/attestation/overview) ### Azure supports attestation for: - SGX enclaves - Open Enclave - Trusted Platform Modules (TPM) - Azure Confidential VMs based on [[AMD SEV]] (!!) ### SGX enclave attestation [Intel® Software Guard Extensions](https://www.intel.com/content/www/us/en/architecture-and-technology/software-guard-extensions.html) (SGX) refers to hardware-grade isolation, which is supported on certain Intel CPUs models. SGX enables code to run in sanitized compartments known as SGX enclaves. Access and memory permissions are then managed by hardware to ensure a minimal attack surface with proper isolation. Client applications can be designed to take advantage of SGX enclaves by delegating security-sensitive tasks to take place inside those enclaves. Such applications can then make use of Azure Attestation to routinely establish trust in the enclave and its ability to access sensitive data. Intel® Xeon® Scalable processors only support [ECDSA-based attestation solutions](https://software.intel.com/content/www/us/en/develop/topics/software-guard-extensions/attestation-services.html#Elliptic%20Curve%20Digital%20Signature%20Algorithm%20(ECDSA)%20Attestation) for remotely attesting SGX enclaves. Utilizing ECDSA based attestation model, Azure Attestation supports validation of Intel® Xeon® E3 processors and Intel® Xeon® Scalable processor-based server platforms. ### Open Enclave attestation [Open Enclave](https://openenclave.io/sdk/) (OE) is a collection of libraries targeted at creating a single unified enclaving abstraction for developers to build TEE-based applications. It offers a universal secure app model that minimizes platform specificities. Microsoft views it as an essential stepping-stone toward democratizing hardware-based enclave technologies such as SGX and increasing their uptake on Azure. OE standardizes specific requirements for verification of an enclave evidence. This qualifies OE as a highly fitting attestation consumer of Azure Attestation. ### TPM attestation [Trusted Platform Modules (TPM)](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/trusted-platform-module-overview) based attestation is critical to provide proof of a platforms’ state. TPM acts as the root of trust and the security coprocessor to provide cryptographic validity to the measurements(evidence). Devices with a TPM, can rely on attestation to prove that boot integrity is not compromised along with using the claims to detect feature states enablement’s during boot. Client applications can be designed to take advantage of TPM attestation by delegating security-sensitive tasks to only take place after a platform has been validated to be secure. Such applications can then make use of Azure Attestation to routinely establish trust in the platform and its ability to access sensitive data. ### Azure Confidential VM attestation Azure [Confidential VM](https://docs.microsoft.com/en-us/azure/confidential-computing/confidential-vm-overview) (CVM) is based on [AMD processors with SEV-SNP technology](https://docs.microsoft.com/en-us/azure/confidential-computing/virtual-machine-solutions-amd) and aims to improve VM security posture by removing trust in host, hypervisor and Cloud Service Provider (CSP). To achieve this, CVM offers VM OS disk encryption option with platform-managed keys and binds the disk encryption keys to the virtual machine's TPM. When a CVM boots up, SNP report containing the guest VM firmware measurements will be sent to Azure Attestation. The service validates the measurements and issues an attestation token that is used to release keys from [Managed-HSM](https://docs.microsoft.com/en-us/azure/key-vault/managed-hsm/overview) or [Azure Key Vault](https://docs.microsoft.com/en-us/azure/key-vault/general/basic-concepts). These keys are used to decrypt the vTPM state of the guest VM, unlock the OS disk and start the CVM. The attestation and key release process is performed automatically on each CVM boot, and the process ensures the CVM boots up only upon successful attestation of the hardware. ### Azure Attestation can run in a TEE Azure Attestation is critical to Confidential Computing scenarios, as it performs the following actions: - Verifies if the enclave evidence is valid. - Evaluates the enclave evidence against a customer-defined policy. - Manages and stores tenant-specific policies. - Generates and signs a token that is used by relying parties to interact with the enclave. Azure Attestation is built to run in two types of environments: - Azure Attestation running in an SGX enabled TEE. - Azure Attestation running in a non-TEE. Azure Attestation customers have expressed a requirement for Microsoft to be operationally out of trusted computing base (TCB). This is to prevent Microsoft entities such as VM admins, host admins, and Microsoft developers from modifying attestation requests, policies, and Azure Attestation-issued tokens. Azure Attestation is also built to run in TEE, where features of Azure Attestation like quote validation, token generation, and token signing are moved into an SGX enclave. ### Why use Azure Attestation Azure Attestation is the preferred choice for attesting TEEs as it offers the following benefits: - Unified framework for attesting multiple environments such as TPMs, SGX enclaves and VBS enclaves - Allows creation of custom attestation providers and configuration of policies to restrict token generation - Offers [regional shared providers](https://docs.microsoft.com/en-us/azure/attestation/basic-concepts#regional-shared-provider) which can attest with no configuration from users - Protects its data while-in use with implementation in an SGX enclave - Highly available service