articles/confidential-computing/confidential-vm-faq.yml
Lines changed: 23 additions & 22 deletions
@@ -19,12 +19,12 @@ sections:
19
19
- question: |
20
20
What are confidential VMs?
21
21
answer: |
22
-
Confidential VMs are IaaS VMs for tenants with especially high security and confidentiality requirements. Confidential VMs offer access to the following technologies and benefits:
23
-
- Encryption for "data in use”, including the processor state and the virtual machine’s memory. Keys are generated by the processor and never leave it.
24
-
- Host attestation to verify the full health and compliance of the server before initializing a confidential VM.
25
-
- Encryption of "data at rest." A Hardware Security Module (HSM) can be used to guard the keys, which the tenant exclusively owns.
22
+
Confidential VMs are an IaaS solution for tenants with high security and confidentiality requirements. Confidential VMs offer:
23
+
- Encryption for "data in use”, including the processor state and the virtual machine’s memory. The keys are generated by the processor and never leave it.
24
+
- Host attestation helps you verify the full health and compliance of the server before data processing begins.
25
+
- Hardware Security Module (HSM) can be attached to guard the keys of confidential VM disks, which the tenant exclusively owns.
26
26
- New UEFI boot architecture supporting the guest OS for enhanced security settings and capabilities.
27
-
- A dedicated virtual instance of a Trusted Platform Module (TPM). Certifies the health of the VM and provides hardened key management functions. Supports use cases such as BitLocker.
27
+
- A dedicated virtual Trusted Platform Module (TPM) certifies the health of the VM, provides hardened key management, and supports usecases such as BitLocker.
28
28
29
29
- question: |
30
30
Why should I use confidential VMs?
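Review bot: the new vTPM bullet introduces a typo, "usecases" should be "use cases". The rewritten HSM bullet also lost its article and its data-at-rest framing: the removed line read "Encryption of "data at rest." A Hardware Security Module (HSM) can be used to guard the keys", while the added line starts "Hardware Security Module (HSM) can be attached"; suggest "Encryption of data at rest. A Hardware Security Module (HSM) can be attached to guard the keys of confidential VM disks, which the tenant exclusively owns." so the list still names all three protected states. Finally, the "data in use" bullet keeps a straight opening quote and a curly closing quote; use matching straight quotes.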
@@ -34,21 +34,21 @@ sections:
34
34
Unlike other approaches and solutions, you don't have to adapt your existing workloads to fit the platform's technical needs.
35
35
36
36
- question: |
37
-
What are AMD SEV-SNP technologies and how do they relate to Azure confidential VMs?
37
+
What is AMD SEV-SNP, and how does it relate to Azure confidential VMs?
For example, memory encryption, unique CPU keys, encryption for the processor register state, strong integrity protection, firmware rollback prevention, side channel hardening, and restrictions on interrupt and exceptions behavior.
39
+
SEV-SNP stands for Secure Encrypted Virtualization-Secure Nested Paging. It a Trusted Execution Environment (TEE) technology provided by AMD and offers multiple protections:
40
+
For example, memory encryption, unique CPU keys, encryption for the processor register state, integrity protection, firmware rollback prevention, side channel hardening, and restrictions on interrupt and exceptions behavior.
41
41
Collectively, AMD SEV technologies harden guest protections to deny hypervisor and other host management code access to VM memory and state.
42
-
Confidential VMs combine AMD SEV-SNP with Azure technologies such as full-disk encryption and [Azure Key Vault Managed HSM](../key-vault/managed-hsm/overview.md).
42
+
Confidential VMs leverages AMD SEV-SNP with Azure technologies such as full-disk encryption and [Azure Key Vault Managed HSM](../key-vault/managed-hsm/overview.md).
43
43
You can encrypt data in use, in transit, and at rest with keys that you control.
44
-
With built-in [Azure Attestation](https://azure.microsoft.com/services/azure-attestation/) capabilities, you can independently establish trust in the security, health and underlying infrastructure of your confidential VMs.
44
+
With built-in [Azure Attestation](https://azure.microsoft.com/services/azure-attestation/) capabilities, you can independently establish trust in the security, health, and underlying infrastructure of your confidential VMs.
45
45
46
46
- question: |
47
-
What are Intel TDX technologies and how do they relate to Azure confidential VMs?
47
+
What is Intel TDX technologies and how do they relate to Azure confidential VMs?
Intel TDX uses hardware extensions for managing and encrypting memory and protects both the confidentiality and integrity of the TD CPU state.
51
-
Additionally, Intel TDX helps to harden the virtualized environment by denying the hypervisor, other host management code and administrators access to the VM memory and state.
49
+
Intel TDX stands for Intel Trust Domain Extensions (Intel TDX) It a Trusted Execution Environment (TEE) technology provided by Intel and offers multiple protections:
50
+
Intel TDX uses hardware extensions for managing and encrypting memory and protects both the confidentiality and integrity of the CPU state.
51
+
Additionally, Intel TDX helps to harden the virtualized environment by denying the hypervisor, other host management code, and administrators access to the VM memory and state.
52
52
Confidential VMs combine Intel TDX with Azure technologies such as full-disk encryption and [Azure Key Vault Managed HSM](../key-vault/managed-hsm/overview.md).
53
53
You can encrypt data in use, in transit, and at rest with keys that you control.
54
54
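Review bot: several grammar problems in the added lines. "It a Trusted Execution Environment (TEE) technology" in the SEV-SNP answer is missing "is"; "Confidential VMs leverages AMD SEV-SNP" pairs a plural subject with a singular verb, and the original "combine" also matches the unchanged TDX sentence further down; "What is Intel TDX technologies and how do they relate" mixes singular and plural, so mirror the SEV-SNP change: "What is Intel TDX, and how does it relate to Azure confidential VMs?"; and "Intel TDX stands for Intel Trust Domain Extensions (Intel TDX) It a Trusted Execution Environment" needs a period after the expansion, "is", and the redundant "(Intel TDX)" dropped. Both definitions end with "offers multiple protections:" but the colon is followed by a prose sentence beginning "For example," rather than a list; either turn the protections into bullets or end with a period. Also "interrupt and exceptions behavior" should be "interrupt and exception behavior", and the rewrite quietly downgrades "strong integrity protection" to "integrity protection"; keep the original wording unless the change is deliberate.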
@@ -57,8 +57,8 @@ sections:
57
57
answer: |
58
58
Azure VMs already offer industry leading security and protection against other tenants and malicious intruders.
59
59
Azure confidential VMs augment these protections by using hardware-based TEEs such as AMD SEV-SNP and Intel TDX to cryptographically isolate and protect your data confidentiality and integrity.
60
-
No host admins, nor services (including the Azure hypervisor) can directly view or modify the memory or CPU state of your VM.
61
-
Moreover, with full attestation capability, full OS disk encryption and hardware-protected virtual Trusted Platform Modules, confidential VM persistent state is protected such that neither your private keys, nor the contents of your memory are ever exposed to the hosting environment.
60
+
No host admins, or host services (including the Azure hypervisor) can directly view or modify the memory or CPU state of your confidential VM.
61
+
Moreover, with full attestation capability, full OS disk encryption, and hardware-protected virtual Trusted Platform Modules, the persistent state is protected such that your private keys, and the contents of your memory are not exposed to the hosting environment unencrypted.
62
62
63
63
- question: |
64
64
Are the virtual disks attached to confidential VMs automatically protected?
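Review bot: both rewritten sentences have stray commas. "No host admins, or host services (including the Azure hypervisor)" should drop the comma before "or", and "your private keys, and the contents of your memory are not exposed" should drop the comma before "and" (or restore the original "neither ... nor"). Replacing "never exposed" with "not exposed ... unencrypted" is a good precision fix; consider "are never exposed to the hosting environment in unencrypted form" so the qualifier does not read as an afterthought at the end of a long sentence.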
@@ -95,9 +95,10 @@ sections:
95
95
- question: |
96
96
Can I perform attestation for my Intel-based confidential VMs?
97
97
answer: |
98
-
Azure confidential VMs on Intel TDX have the option of including attestation as part of their boot phase. The process is opaque to the user and takes place in the cloud operating system with the Microsoft Azure Attestation and Azure Key Vault services.
99
-
Support for in-guest [attestation](guest-attestation-confidential-vms.md) will be available via the vTPM. You can use to validate the entire stack from the hardware platform to the guest application layer. The functionality exists on AMD SEV-SNP today and will be released for Intel TDX. Today, only in-guest platform attestation is available for Intel TDX. This allows you to verify that your VM is running on Intel TDX hardware. To access the feature, visit our [preview branch](https://github.com/Azure/confidential-computing-cvm-guest-attestation/tree/tdx-preview).
98
+
Azure confidential VMs using Intel TDX can be attested transparently as part of the boot flow to ensure the platform is compliant and up-to-date. The process is opaque to the user and takes place using Microsoft Azure Attestation and Azure Key Vault.
99
+
If you would like to go further to perform checks post-boot, in-guest platform attestation is available. This allows you to verify that your VM is running on genuine Intel TDX. To access the feature, visit our [preview branch](https://github.com/Azure/confidential-computing-cvm-guest-attestation/tree/tdx-preview).
100
100
Additionally, we support [Intel® Trust Authority](https://www.intel.com/content/www/us/en/security/trust-authority.html) for enterprises seeking operator independent attestation.
101
+
Support for full in-guest [attestation](guest-attestation-confidential-vms.md), similar to AMD SEV-SNP is coming soon. This allows organizations to go deeper, and validate further aspects, even down to the guest application layer.
101
102
102
103
- question: |
103
104
Do all OS images work with confidential VMs?
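Review bot: the rewritten first sentence says the VM "can be attested transparently" and then that "the process is opaque to the user"; pick one term, since the two read as contradictory. The added closing line "similar to AMD SEV-SNP is coming soon" needs a comma after "SEV-SNP", and "coming soon" will date the FAQ; the removed text at least named the mechanism (in-guest attestation via the vTPM), which is worth keeping. Also "running on genuine Intel TDX" should be "genuine Intel TDX hardware", as the removed line had it.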
@@ -131,12 +132,12 @@ sections:
131
132
No. After you've created a confidential VM, you can't deactivate or reactivate full-disk encryption. Create a new confidential VM instead.
132
133
133
134
- question: |
134
-
Can I control more aspects of the Trusted Computing Base to enforce operator independent key management, attestation and disk encryption?
135
+
Can I control more aspects of the Trusted Computing Base to enforce operator independent key management, attestation, and disk encryption?
135
136
answer: |
136
137
Developers seeking further "separation of duties" for TCB services from the cloud service provider should use security type "NonPersistedTPM".
137
138
- This experience is only available as part of the Intel TDX public preview. Organizations that use it, or provide services with it are in control of the TCB and the responsibilities that come along with it.
138
-
- This experience bypasses the native Azure services, allowing you to bring your own disk encryption, key management and attestation solution.
139
-
- Each VM still has a vTPM, which should be used to retrieve hardware evidence, however the vTPM state is not persisted through reboots, meaning this solution is excellent for ephemeral workloads and organizations wanting decoupling from the cloud service provider.
139
+
- This experience bypasses the native Azure services, allowing you to bring your own disk encryption, key management, and attestation solution.
140
+
- Each VM still has a vTPM, which should be used to retrieve hardware evidence, however the vTPM state isn't persisted through reboots, meaning this solution is excellent for ephemeral workloads and organizations wanting decoupling from the cloud service provider.
140
141
141
142
- question: |
142
143
Can I convert a non-confidential VM into a confidential VM?
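Review bot: the vTPM bullet keeps a comma splice: "which should be used to retrieve hardware evidence, however the vTPM state isn't persisted" needs a semicolon or a new sentence before "however". Since this mode has the tenant bring their own disk encryption and key management, the bullet would also help readers if it stated plainly that anything sealed to or stored in the vTPM does not survive a reboot, which is the reason the text recommends it for ephemeral workloads.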
@@ -148,7 +149,7 @@ sections:
148
149
answer: |
149
150
Yes, converting from one confidential VM to another confidential VM is allowed on both DCasv5/ECasv5 and DCesv5/ECesv5 in the regions that they share.
150
151
If you're using a Windows image, make sure you have all the most recent updates.
151
-
If you're using a Ubuntu Linux image, make sure you're using the Ubuntu 22.04 LTS confidential image with the minimum kernel version `6.2.0-1011-azure`.
152
+
If you're using an Ubuntu Linux image, make sure you're using the Ubuntu 22.04 LTS confidential image with the minimum kernel version `6.2.0-1011-azure`.
152
153
153
154
- question: |
154
155
Why can't I find DCasv5/ECasv5 or DCesv5/ECesv5 VMs in the Azure portal size selector?