articles/attestation/policy-version-1-0.md
3 additions & 8 deletions
@@ -19,8 +19,6 @@ This article introduces the workings of the attestation service and the policy e
19
19
20
20
The minimum version of the policy supported by the service is version 1.0.
21
21
22
-
:::image type="content" source="./media/maa-policy-version-10.png" alt-text="A diagram showing Azure attestation using policy version 1.0":::
23
-
24
22
The attestation service flow is as follows:
25
23
- The platform sends the attestation evidence in the attest call to the attestation service.
26
24
- The attestation service parses the evidence and creates a list of claims that is then used in the attestation evaluation. These claims are logically categorized as incoming claims sets.
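Review bot: deleting the `:::image type="content" source="./media/maa-policy-version-10.png" ...:::` directive leaves the file's later line "The policy has three segments, as seen above:" pointing at a diagram that no longer exists; that sentence should be reworded in the same commit (for example to "The policy has three segments:"), and the now-unreferenced media file should be removed too unless another article still uses it.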
@@ -30,12 +28,9 @@ For Policy version 1.0:
30
28
31
29
The policy has three segments, as seen above:
32
30
33
-
**version**: The version is the version number of the grammar that is followed.
34
-
version=1.0
35
-
36
-
**authorizationrules**: A collection of claim rules that will be checked first, to determine if attestation should proceed to issuancerules. This section should be used to filter out calls that don’t require the issuancerules to be applied. No claims can be issued from this section to the response token. These rules can be used to fail attestation.
37
-
38
-
**issuancerules**: A collection of claim rules that will be evaluated to add information to the attestation result as defined in the policy. The claim rules apply in the order they are defined and are also optional. A collection of claim rules that will be evaluated to add information to the attestation result as defined in the policy. The claim rules apply in the order they are defined and are also optional. These rules can be used to add to the outgoing claim set and the response token, these rules cannot be used to fail attestation.
31
+
-**version**: The version is the version number of the grammar that is followed.
32
+
-**authorizationrules**: A collection of claim rules that will be checked first, to determine if attestation should proceed to issuancerules. This section should be used to filter out calls that don’t require the issuancerules to be applied. No claims can be issued from this section to the response token. These rules can be used to fail attestation.
33
+
-**issuancerules**: A collection of claim rules that will be evaluated to add information to the attestation result as defined in the policy. The claim rules apply in the order they are defined and are also optional. A collection of claim rules that will be evaluated to add information to the attestation result as defined in the policy. The claim rules apply in the order they are defined and are also optional. These rules can be used to add to the outgoing claim set and the response token, these rules cannot be used to fail attestation.
39
34
40
35
List of claims supported by policy version 1.0 as part of the incoming claims.
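Review bot: the added lines `-**version**:`, `-**authorizationrules**:` and `-**issuancerules**:` have no space after the hyphen, so Markdown will not render them as a bulleted list but as one run-on paragraph with literal dashes; use `- **version**:` and keep a blank line before the first item. The rewrite also drops the `version=1.0` line, the only concrete syntax the section showed for the version segment, so that example should be kept (for instance as a fenced snippet under the bullet). Since the issuancerules text is being rewritten anyway, this is the place to remove the sentence pair that appears twice ("A collection of claim rules that will be evaluated ... are also optional.") and to fix the comma splice before "these rules cannot be used to fail attestation".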
articles/attestation/policy-version-1-1.md
4 additions & 7 deletions
@@ -17,8 +17,6 @@ This article introduces the workings of the attestation service and the policy e
17
17
18
18
## Policy version 1.1
19
19
20
-
:::image type="content" source="./media/maa-policy-version-11.png" alt-text="A diagram showing Azure attestation using policy version 1.1":::
21
-
22
20
The attestation flow is as follows:
23
21
- The platform sends the attestation evidence in the attest call to the attestation service.
24
22
- The attestation service parses the evidence and creates a list of claims that is then used during rule evaluation. The claims are logically categorized as incoming claims sets.
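Review bot: removing the `:::image ... source="./media/maa-policy-version-11.png" ...:::` directive leaves the later context line "The policy has four segments, as seen above:" referring to a diagram that is gone; reword that sentence in the same commit and drop the orphaned media file if nothing else references it.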
@@ -28,11 +26,10 @@ The attestation flow is as follows:
28
26
For Policy version 1.1:
29
27
The policy has four segments, as seen above:
30
28
31
-
**version**: The version is the version number of the grammar that is followed.
32
-
version=1.1
33
-
**configurationrules**: During policy evaluation, sometimes it may be required to control the behavior of the policy engine itself. This is where configuration rules can be used to indicate to the policy evaluation engine how to handle some claims in the evaluation.
34
-
**authorizationrules**: A collection of claim rules that will be checked first, to determine if attestation should proceed to issuancerules. This section should be used to filter out calls that don’t require the issuancerules to be applied. No claims can be issued from this section to the response token. These rules can be used to fail attestation.
35
-
**issuancerules**: A collection of claim rules that will be evaluated to add information to the attestation result as defined in the policy. The claim rules apply in the defined order and are also optional. These rules can also be used to add to the outgoing claim set and the response token, however these rules cannot be used to fail attestation.
29
+
-**version**: The version is the version number of the grammar that is followed.
30
+
-**configurationrules**: During policy evaluation, sometimes it may be required to control the behavior of the policy engine itself. This is where configuration rules can be used to indicate to the policy evaluation engine how to handle some claims in the evaluation.
31
+
-**authorizationrules**: A collection of claim rules that will be checked first, to determine if attestation should proceed to issuancerules. This section should be used to filter out calls that don’t require the issuancerules to be applied. No claims can be issued from this section to the response token. These rules can be used to fail attestation.
32
+
-**issuancerules**: A collection of claim rules that will be evaluated to add information to the attestation result as defined in the policy. The claim rules apply in the defined order and are also optional. These rules can also be used to add to the outgoing claim set and the response token, however these rules cannot be used to fail attestation.
36
33
37
34
The following **configurationrules** are available to the policy author.
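Review bot: the added `-**version**:`, `-**configurationrules**:`, `-**authorizationrules**:` and `-**issuancerules**:` lines lack the space after the hyphen that Markdown needs to recognise a list item, so they will render as a single paragraph with literal dashes; change them to `- **version**:` etc. and precede the first item with a blank line. The `version=1.1` sample line is deleted without replacement, removing the only concrete syntax shown for the version segment, so keep it as a snippet under the bullet. The unchanged context line "The policy has four segments, as seen above:" still refers to the diagram removed earlier in this commit, and the issuancerules sentence "...and the response token, however these rules cannot be used to fail attestation" needs a semicolon or full stop before "however".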
articles/attestation/policy-version-1-2.md
4 additions & 6 deletions
@@ -17,19 +17,17 @@ This article introduces the workings of the attestation service and the policy e
17
17
18
18
## Policy Version 1.2
19
19
20
-
:::image type="content" source="./media/maa-policy-version-12.png" alt-text="A diagram showing Azure attestation using policy version 1.2":::
21
-
22
20
The attestation flow is as follows:
23
21
- The platform sends the attestation evidence in the attest call to the attestation service.
24
22
- The attestation service parses the evidence and creates a list of claims that is then used in the attestation evaluation. The evidence is also parsed and maintained as a JSON format, which is used to provide a broader set of measurements to the policy writer. These claims are logically categorized as incoming claims sets.
25
23
- The attestation policy uploaded by the owner of the attestation service instance is then used to evaluate and issue claims to the response. The policy writer can now use JmesPath based queries to search in the evidence to create their own claims and subsequent claim rules. During the evaluation, configuration rules can also be used to indicate to the policy evaluation engine how to handle certain claims.
26
24
27
25
Policy version 1.2 has four segments:
28
26
29
-
**version:** The version is the version number of the grammar.
30
-
**configurationrules:** During policy evaluation, sometimes it may be required to control the behavior of the policy engine itself. Configuration rules can be used to indicate to the policy evaluation engine how to handle some claims in the evaluation.
31
-
**authorizationrules:** A collection of claim rules that will be checked first, to determine if attestation should continue to issuancerules. This section should be used to filter out calls that don’t require the issuancerules to be applied. No claims can be issued from this section to the response token. These rules can be used to fail attestation.
32
-
**issuancerules:** A collection of claim rules that will be evaluated to add information to the attestation result as defined in the policy. The claim rules apply in the order they're defined and are also optional. A collection of claim rules that will be evaluated to add information to the attestation result as defined in the policy. The claim rules apply in the order they are defined and are also optional. These rules can be used to add to the outgoing claim set and the response token, these rules can't be used to fail attestation.
27
+
-**version:** The version is the version number of the grammar.
28
+
-**configurationrules:** During policy evaluation, sometimes it may be required to control the behavior of the policy engine itself. Configuration rules can be used to indicate to the policy evaluation engine how to handle some claims in the evaluation.
29
+
-**authorizationrules:** A collection of claim rules that will be checked first, to determine if attestation should continue to issuancerules. This section should be used to filter out calls that don’t require the issuancerules to be applied. No claims can be issued from this section to the response token. These rules can be used to fail attestation.
30
+
-**issuancerules:** A collection of claim rules that will be evaluated to add information to the attestation result as defined in the policy. The claim rules apply in the order they're defined and are also optional. A collection of claim rules that will be evaluated to add information to the attestation result as defined in the policy. The claim rules apply in the order they are defined and are also optional. These rules can be used to add to the outgoing claim set and the response token, these rules can't be used to fail attestation.
33
31
34
32
The following **configurationrules** are available to the policy author.
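Review bot: the new `-**version:**`, `-**configurationrules:**`, `-**authorizationrules:**` and `-**issuancerules:**` lines have no space between the hyphen and the bold text, so Markdown will not render them as bullets; write `- **version:**` and put a blank line before the first item. The `-**issuancerules:**` line also keeps the sentence pair that appears twice (once as "the order they're defined", once as "the order they are defined") plus the comma splice before "these rules can't be used to fail attestation"; trim it while the line is being rewritten. Unlike the 1.0 and 1.1 articles, the context line "Policy version 1.2 has four segments:" does not say "as seen above", so removing the `maa-policy-version-12.png` directive leaves no dangling reference here, but the media file should still be deleted if nothing else uses it.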
articles/attestation/tpm-attestation-concepts.md
2 additions & 4 deletions
@@ -1,5 +1,5 @@
1
1
---
2
-
title: TPM Attestation overview
2
+
title: Azure Attestation TPM attestation overview
3
3
description: TPM Attestation overview
4
4
services: attestation
5
5
author: prsriva
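Review bot: the `title:` field is changed to "Azure Attestation TPM attestation overview" but the `description:` line in the same front matter still reads "TPM Attestation overview", so the page metadata is now inconsistent; update the description (and the `ms.custom:` value below, which carries the same old wording) in the same commit.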
@@ -10,7 +10,7 @@ ms.author: prsriva
10
10
ms.custom: TPM Attestation overview complete
11
11
---
12
12
13
-
# Trusted Platform Module(TPM) Attestation
13
+
# Trusted Platform Module(TPM) Attestation
14
14
15
15
Devices with a TPM, can rely on attestation to prove that boot integrity isn't compromised along with using the measured boot to detect early boot feature states. A growing number of device types, bootloaders and boot stack attacks require an attestation solution to evolve accordingly. An attested state of a device is driven by the attestation policy used to verify the contents on the platform evidence. This document provides an overview of TPM attestation and capabilities supported by MAA.
16
16
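Review bot: the removed and added heading lines both read `# Trusted Platform Module(TPM) Attestation`, so the change is invisible in the rendered diff and must be whitespace, a BOM or a line-ending difference; either state that in the commit message or revert it if it was accidental. While this line is being touched, add the missing space in "Module (TPM)".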
@@ -38,8 +38,6 @@ Validate the measurements made during the boot using the Azure Attestation servi
38
38
- Relying parties can perform an attestation against the Azure Attestation service, which can be used to validate measurements made during the boot process.
39
39
- A relying party can then rely on the attestation statement to gate access to resources or other actions.
Conceptually, TPM attestation can be visualized as above, where the relying party applies Azure Attestation service to verify the platform(s) integrity and any violation of promises, providing the confidence to run workloads or provide access to resources.
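Review bot: the hunk header `@@ -38,8 +38,6 @@` says two lines are deleted, but this rendering shows only the context lines 38 and 39 and then the sentence "Conceptually, TPM attestation can be visualized as above, ...", so the deleted lines themselves are not visible here; given that the other files in this commit remove their diagram directives, confirm that "as above" still refers to something on the page and reword it if the figure is gone.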