Merge pull request #235266 from pkhandavilli/patch-1

v-regandowner · web-flow · commit 5ae0992f5c2a · 2023-04-20T18:00:33.000-04:00
Attestation concepts for confidential ACI
diff --git a/articles/container-instances/TOC.yml b/articles/container-instances/TOC.yml
@@ -77,6 +77,8 @@
     href: container-instances-virtual-network-concepts.md
   - name: Confidential container groups
     href: container-instances-confidential-overview.md
+  - name: Attestation in Confidential container 
+    href: confidential-containers-attestation-concepts.md 
 - name: How-to guides
   items:
   - name: Deploy
diff --git a/articles/container-instances/confidential-containers-attestation-concepts.md b/articles/container-instances/confidential-containers-attestation-concepts.md
@@ -0,0 +1,104 @@
+---
+title: Attestation in Confidential containers on Azure Containers Instances 
+description: full attestation of container groups in confidential containers on Azure Container Instances  
+ms.topic: conceptual
+ms.author: tomcassidy
+author: pkhandavilli
+ms.service: container-instances
+services: container-instances
+ms.date: 04/20/2023
+---
+
+# What is attestation?
+
+Attestation is an essential part of confidential computing and appears in the definition by the Confidential Computing Consortium “Confidential Computing is the protection of data in use by performing computation in a hardware-based, attested Trusted Execution Environment."
+
+According to the [Remote ATtestation procedureS (RATS) Architecture](https://www.ietf.org/rfc/rfc9334.html) In remote attestation, “one peer (the "Attester") produces believable information about itself ("Evidence") to enable a remote peer (the "Relying Party") to decide whether to consider that Attester a trustworthy peer. Remote attestation procedures are facilitated by an additional vital party (the "Verifier").” In simpler terms, attestation is a way of proving that a computer system is trustworthy. 
+
+In Confidential Containers on ACI you can use an attestation token to verify that the container group
+
+- Is running on confidential computing hardware. In this case AMD SEV-SNP.
+- Is running on an Azure compliant utility VM.
+- Is enforcing the expected confidential computing enforcement policy (cce) that was generated using [tooling](https://github.com/Azure/azure-cli-extensions/blob/main/src/confcom/azext_confcom/README.md).
+
+## Full attestation in confidential containers on Azure Container Instances 
+
+Expanding upon this concept of attestation. Full attestation captures all the components that are part of the Trusted Execution Environment that is remotely verifiable. To achieve full attestation, in Confidential Containers, we have introduced the notion of a cce policy, which defines a set of rules, which is enforced in the utility VM. The security policy is encoded in the attestation report as an SHA-256 digest stored in the HostData attribute, as provided to the PSP by the host operating system during the VM boot-up. This means that the security policy enforced by the utility VM is immutable throughout the lifetime of the utility VM.
+
+The exhaustive list of attributes that are part of the SEV-SNP attestation can be found [here](https://www.amd.com/system/files/TechDocs/SEV-SNP%20PSP%20API%20Specification.pdf).
+
+Some important fields to consider in an attestation token returned by [Microsoft Azure Attestation ( MAA )](../attestation/overview.md) 
+
+| Claim                     | Sample value                                                | Description |
+|---------------------------|-------------------------------------------------------------|-------------|
+| x-ms-attestation-type     | sevsnpvm                                                    | String value that describes the attestation type. For example, in this scenario sevsnp hardware |
+| x-ms-compliance-status    | azure-compliant-uvm                                         | Compliance status of the utility VM that runs the container group. |
+| x-ms-sevsnpvm-hostdata    | 670fff86714a650a49b58fadc1e90fedae0eb32dd51e34931c1e7a1839c08f6f | Hash of the cce policy that was generated during deployment. |
+| x-ms-sevsnpvm-is-debuggable | false                                                     | Flag to indicate whether the underlying hardware is running in debug mode |
+
+## Sample attestation token generated by MAA
+
+```json
+{
+  "header": {
+    "alg": "RS256",
+    "jku": "https://sharedeus2.eus2.test.attest.azure.net/certs",
+    "kid": "3bdCYJabzfhISFtb3J8yuEESZwufV7hhh08N3ZflAuE=",
+    "typ": "JWT"
+  },
+  "payload": {
+    "exp": 1680259997,
+    "iat": 1680231197,
+    "iss": "https://sharedeus2.eus2.test.attest.azure.net",
+    "jti": "d288fef5880b1501ea70be1b9366840fd56f74e666a23224d6de113133cbd8d5",
+    "nbf": 1680231197,
+    "nonce": "3413764049005270139",
+    "x-ms-attestation-type": "sevsnpvm",
+    "x-ms-compliance-status": "azure-compliant-uvm",
+    "x-ms-policy-hash": "9NY0VnTQ-IiBriBplVUpFbczcDaEBUwsiFYAzHu_gco",
+    "x-ms-runtime": {
+      "keys": [
+        {
+          "e": "AQAB",
+          "key_ops": [
+            "encrypt"
+          ],
+          "kid": "Nvhfuq2cCIOAB8XR4Xi9Pr0NP_9CeMzWQGtW_HALz_w",
+          "kty": "RSA",
+          "n": "v965SRmyp8zbG5eNFuDCmmiSeaHpujG2bC_keLSuzvDMLO1WyrUJveaa5bzMoO0pA46pXkmbqHisozVzpiNDLCo6d3z4TrGMeFPf2APIMu-RSrzN56qvHVyIr5caWfHWk-FMRDwAefyNYRHkdYYkgmFK44hhUdtlCAKEv5UQpFZjvh4iI9jVBdGYMyBaKQLhjI5WIh-QG6Za5sSuOCFMnmuyuvN5DflpLFz595Ss-EoBIY-Nil6lCtvcGgR-IbjUYHAOs5ajamTzgeO8kx3VCE9HcyKmyUZsiyiF6IDRp2Bpy3NHTjIz7tmkpTHx7tHnRtlfE2FUv0B6i_QYl_ZA5Q"
+        }
+      ]
+    },
+    "x-ms-sevsnpvm-authorkeydigest": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
+    "x-ms-sevsnpvm-bootloader-svn": 3,
+    "x-ms-sevsnpvm-familyId": "01000000000000000000000000000000",
+    "x-ms-sevsnpvm-guestsvn": 2,
+    "x-ms-sevsnpvm-hostdata": "670fff86714a650a49b58fadc1e90fedae0eb32dd51e34931c1e7a1839c08f6f",
+    "x-ms-sevsnpvm-idkeydigest": "cf7e12541981e6cafd150b5236785f4364850e2c4963825f9ab1d8091040aea0964bb9a8835f966bdc174d9ad53b4582",
+    "x-ms-sevsnpvm-imageId": "02000000000000000000000000000000",
+    "x-ms-sevsnpvm-is-debuggable": false,
+    "x-ms-sevsnpvm-launchmeasurement": "a1e1a4b64e8de5c664ceee069010441f74cf039065b5b847e82b9d1a7629aaf33d5591c6b18cee48a4dde481aa88d0fb",
+    "x-ms-sevsnpvm-microcode-svn": 115,
+    "x-ms-sevsnpvm-migration-allowed": false,
+    "x-ms-sevsnpvm-reportdata": "7ab000a323b3c873f5b81bbe584e7c1a26bcf40dc27e00f8e0d144b1ed2d14f10000000000000000000000000000000000000000000000000000000000000000",
+    "x-ms-sevsnpvm-reportid": "a489c8578fb2f54d895fc8d000a85b2ff4855c015e4fb7216495c4dba4598345",
+    "x-ms-sevsnpvm-smt-allowed": true,
+    "x-ms-sevsnpvm-snpfw-svn": 8,
+    "x-ms-sevsnpvm-tee-svn": 0,
+    "x-ms-sevsnpvm-uvm-endorsement": {
+      "x-ms-sevsnpvm-guestsvn": "100",
+      "x-ms-sevsnpvm-launchmeasurement": "a1e1a4b64e8de5c664ceee069010441f74cf039065b5b847e82b9d1a7629aaf33d5591c6b18cee48a4dde481aa88d0fb"
+    },
+    "x-ms-sevsnpvm-vmpl": 0,
+    "x-ms-ver": "1.0"
+  }
+}
+```
+## Generating an attestation token 
+
+We have open-sourced sidecar container implementations that provide an easy rest interface to get a raw SNP (Secure Nested Paging) report produced by the hardware or a MAA token. The sidecar is available at this [repository](https://github.com/microsoft/confidential-sidecar-containers) and can be deployed with your container group. 
+
+## Next steps
+
+- [Learn how to use attestation to release a secret to your container group](../confidential-computing/skr-flow-confidential-containers-azure-container-instance.md)
+- [Deploy a confidential container group with Azure Resource Manager](./container-instances-tutorial-deploy-confidential-containers-cce-arm.md)
