Commit 760e175

Merge pull request #300974 from PatAltimore/patricka-freshness2
Freshness review
2 parents 4d3382c + 8a364e5 commit 760e175

1 file changed: +19 -19 lines changed

articles/iot-edge/iot-edge-for-linux-on-windows-security.md

Lines changed: 19 additions & 19 deletions
@@ -3,7 +3,7 @@ title: Azure IoT Edge for Linux on Windows security
33
description: Overview of the Azure IoT Edge for Linux on Windows security framework and the different security premises that are enabled by default or optional.
44
author: PatAltimore
55
ms.author: patricka
6-
ms.date: 06/04/2024
6+
ms.date: 06/06/2025
77
ms.topic: concept-article
88
ms.service: azure-iot-edge
99
ms.custom: linux-related-content
@@ -14,25 +14,25 @@ services: iot-edge
1414

1515
[!INCLUDE [iot-edge-version-all-supported](includes/iot-edge-version-all-supported.md)]
1616

17-
Azure IoT Edge for Linux on Windows benefits from all the security offerings from running on a Windows Client/Server host and ensures all the extra components keep the same security premises. This article provides information about the different security premises that are enabled by default, and some of the optional premises the user may enable.
17+
Azure IoT Edge for Linux on Windows uses all the security features of a Windows client or server host and makes sure all extra components follow the same security principles. This article explains the different security principles that are enabled by default, and some optional principles you can enable.
1818

1919
## Virtual machine security
2020

21-
The IoT Edge for Linux (EFLOW) curated virtual machine is based on [Microsoft CBL-Mariner](https://github.com/microsoft/CBL-Mariner). CBL-Mariner is an internal Linux distribution for Microsoft's cloud infrastructure and edge products and services. CBL-Mariner is designed to provide a consistent platform for these devices and services and enhances Microsoft's ability to stay current on Linux updates. For more information, see [CBL-Mariner security](https://github.com/microsoft/CBL-Mariner/blob/1.0/SECURITY.md).
21+
The IoT Edge for Linux (EFLOW) curated virtual machine is based on [Microsoft CBL-Mariner](https://github.com/microsoft/CBL-Mariner). CBL-Mariner is an internal Linux distribution for Microsoft's cloud infrastructure, edge products, and services. CBL-Mariner provides a consistent platform for these devices and services, and it helps Microsoft stay current on Linux updates. For more information, see [CBL-Mariner security](https://github.com/microsoft/CBL-Mariner/blob/1.0/SECURITY.md).
2222

23-
The EFLOW virtual machine is built on a four-point comprehensive security platform:
23+
The EFLOW virtual machine uses a four-point comprehensive security platform:
2424
1. Servicing updates
2525
1. Read-only root filesystem
2626
1. Firewall lockdown
2727
1. DM-Verity
2828

2929
### Servicing updates
30-
When security vulnerabilities arise, CBL-Mariner makes the latest security patches and fixes available for being serviced through ELOW monthly updates. The virtual machine has no package manager, so it's not possible to manually download and install RPM packages. All updates to the virtual machine are installed using EFLOW A/B update mechanism. For more information on EFLOW updates, see [Update IoT Edge for Linux on Windows](./iot-edge-for-linux-on-windows-updates.md)
30+
When security vulnerabilities arise, CBL-Mariner provides the latest security patches and fixes through EFLOW monthly updates. The virtual machine doesn't have a package manager, so you can't manually download or install RPM packages. EFLOW installs all updates to the virtual machine using the A/B update mechanism. For more information on EFLOW updates, see [Update IoT Edge for Linux on Windows](./iot-edge-for-linux-on-windows-updates.md).
3131

3232
### Read-only root filesystem
33-
The EFLOW virtual machine is made up of two main partitions *rootfs*, and *data*. The rootFS-A or rootFS-B partitions are interchangeable and one of the two is mounted as a read-only filesystem at `/`, which means that no changes are allowed on files stored inside this partition. On the other hand, the *data* partition mounted under `/var` is readable and writeable, allowing the user to modify the content inside the partition. The data stored on this partition isn't manipulated by the update process and hence won't be modified across updates.
33+
The EFLOW virtual machine has two main partitions: *rootfs* and *data*. The rootFS-A or rootFS-B partitions are interchangeable, and one is mounted as a read-only filesystem at `/`, so you can't change files in this partition. The *data* partition, mounted under `/var`, is readable and writable, so you can change its content. The update process doesn't change the data stored in this partition, so it isn't modified across updates.
3434

35-
Because you may need write access to `/etc`, `/home`, `/root`, `/var` for specific use cases, write access for these directories is done by overlaying them onto our data partition specifically to the directory `/var/.eflow/overlays`. The end result of this is that users can write anything to the previous mentioned directories. For more information about overlays, see [*overlayfs*](https://docs.kernel.org/filesystems/overlayfs.html).
35+
Because you might need write access to `/etc`, `/home`, `/root`, and `/var` for specific use cases, EFLOW overlays these directories onto the data partition at `/var/.eflow/overlays` to provide write access. This setup lets you write to these directories. For more information about overlays, see [*overlayfs*](https://docs.kernel.org/filesystems/overlayfs.html).
3636

3737
[![EFLOW CR partition layout](./media/iot-edge-for-linux-on-windows-security/eflow-cr-partition-layout.png)](./media/iot-edge-for-linux-on-windows-security/eflow-cr-partition-layout.png#lightbox)
3838

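Review bot: the rewritten overlay paragraph (new line 35) still lists `/var` among the directories that are overlaid onto the data partition at `/var/.eflow/overlays`, while the preceding paragraph (new line 33) says the data partition itself is mounted under `/var`; either drop `/var` from that list or reword it to cover the subdirectories of `/var` that are overlaid, so the two paragraphs agree. Also, new line 33 introduces "two main partitions: *rootfs* and *data*" and then refers to rootFS-A and rootFS-B without saying they are the two copies of *rootfs*; a short phrase such as "the root filesystem exists as two interchangeable copies, rootFS-A and rootFS-B, and one is mounted read-only at `/`" would make the A/B relationship explicit for readers arriving from the Servicing updates section.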
@@ -45,14 +45,14 @@ Because you may need write access to `/etc`, `/home`, `/root`, `/var` for specif
4545
| BootB | 192 MB | Contains the bootloader for B partition |
4646
| RootFS B | 4 GB | One of two active/passive partitions holding the root file system |
4747
| Log | 1 GB or 6 GB | Logs specific partition mounted under /logs |
48-
| Data | 2 GB to 2 TB | Stateful partition for storing persistent data across updates. Expandable according to the deployment configuration |
48+
| Data | 2 GB to 2 TB | Stateful partition for storing persistent data across updates. Expandable according to the deployment configuration. |
4949

5050
>[!NOTE]
51-
>The partition layout represents the logical disk size and does not indicate the physical space the virtual machine will occupy on the host OS disk.
51+
>The partition layout represents the logical disk size and doesn't indicate the physical space the virtual machine uses on the host OS disk.
5252
5353
### Firewall
5454

55-
By default, the EFLOW virtual machine uses [*iptables*](https://git.netfilter.org/) utility for firewall configurations. *Iptables* is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. The default implementation only allows incoming traffic on port 22 (SSH service) and blocks the traffic otherwise. You can check the *iptables* configuration with the following steps:
55+
By default, the EFLOW virtual machine uses the [*iptables*](https://git.netfilter.org/) utility for firewall configurations. *Iptables* sets up, maintains, and inspects the tables of IP packet filter rules in the Linux kernel. The default implementation lets incoming traffic on port 22 (SSH service) and blocks other traffic. Check the *iptables* configuration with the following steps:
5656

5757
1. Open an elevated PowerShell session
5858
1. Connect to the EFLOW virtual machine
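Review bot: "lets incoming traffic on port 22" in the rewritten firewall paragraph (new line 55) is ungrammatical; "allows incoming traffic on port 22 (SSH service) and blocks all other traffic" keeps the active voice the freshness pass is aiming for. The same paragraph should also say which release the "port 22 open by default" statement applies to, because the "Secure host & virtual machine communication" section further down this file says that in EFLOW CR the SSH service runs over Hyper-V sockets rather than a TCP port; as written the two sections read as contradictory.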
@@ -68,27 +68,27 @@ By default, the EFLOW virtual machine uses [*iptables*](https://git.netfilter.or
6868
6969
### Verified boot
7070
71-
The EFLOW virtual machine supports **Verified boot** through the included *device-mapper-verity (dm-verity)* kernel feature, which provides transparent integrity checking of block devices. *dm-verity* helps prevent persistent rootkits that can hold onto root privileges and compromise devices. This feature assures the virtual machine base software image it's the same and it wasn't altered. The virtual machine uses the *dm-verity* feature to check specific block device, the underlying storage layer of the file system, and determine if it matches its expected configuration.
71+
The EFLOW virtual machine supports **Verified boot** through the included *device-mapper-verity (dm-verity)* kernel feature, which provides transparent integrity checking of block devices. *dm-verity* helps prevent persistent rootkits that can hold onto root privileges and compromise devices. This feature ensures the virtual machine base software image is the same and isn't altered. The virtual machine uses the *dm-verity* feature to check a specific block device, the underlying storage layer of the file system, and see if it matches its expected configuration.
7272
73-
By default, this feature is disabled in the virtual machine and can be turned on or off. For more information, see [dm-verity](https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/verity.html#).
73+
By default, this feature is disabled in the virtual machine, but you can turn it on or off. For more information, see [dm-verity](https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/verity.html#).
7474
7575
## Trusted platform module (TPM)
7676
[Trusted platform module (TPM)](/windows/security/information-protection/tpm/trusted-platform-module-top-node) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM.
7777
78-
The EFLOW virtual machine doesn't support vTPM. However, the user can enable/disable the TPM passthrough feature that allows the EFLOW virtual machine to use the Windows host OS TPM. This enables two main scenarios:
79-
* Use TPM technology for IoT Edge device provisioning using Device Provision Service (DPS). For more information, see [Create and provision an IoT Edge for Linux on Windows device at scale by using a TPM](./how-to-provision-devices-at-scale-linux-on-windows-tpm.md).
80-
* Read-only access to cryptographic keys stored inside the TPM. For more information, see [Set-EflowVmFeature to enable TPM passthrough](./reference-iot-edge-for-linux-on-windows-functions.md#set-eflowvmfeature).
78+
The EFLOW virtual machine doesn't support vTPM. However, you can enable or disable the TPM passthrough feature, which lets the EFLOW virtual machine use the Windows host OS TPM. This lets you do two main scenarios:
79+
* Use TPM technology for IoT Edge device provisioning with Device Provision Service (DPS). For more information, see [Create and provision an IoT Edge for Linux on Windows device at scale by using a TPM](./how-to-provision-devices-at-scale-linux-on-windows-tpm.md).
80+
* Read-only access to cryptographic keys stored in the TPM. For more information, see [Set-EflowVmFeature to enable TPM passthrough](./reference-iot-edge-for-linux-on-windows-functions.md#set-eflowvmfeature).
8181
8282
8383
## Secure host & virtual machine communication
84-
EFLOW provides multiple ways to interact with the virtual machine by exposing a rich PowerShell module implementation. For more information, see [PowerShell functions for IoT Edge for Linux on Windows](./reference-iot-edge-for-linux-on-windows-functions.md#set-eflowvmfeature). This module requires an elevated session to run, and it's signed using a Microsoft Corporation certificate.
84+
EFLOW lets you interact with the virtual machine using a PowerShell module. For more information, see [PowerShell functions for IoT Edge for Linux on Windows](./reference-iot-edge-for-linux-on-windows-functions.md#set-eflowvmfeature). This module needs an elevated session to run, and it's signed with a Microsoft Corporation certificate.
8585
86-
All communications between the Windows host operating system and the EFLOW virtual machine required by the PowerShell cmdlets are done using an SSH channel. By default, the virtual machine SSH service won't allow authentication via username and password, and it's limited to certificate authentication. The certificate is created during EFLOW deployment process, and is unique for each EFLOW installation. Furthermore, to prevent SSH brute force attacks, the virtual machine blocks an IP address if it attempts more than three connections per minute to SSH service.
86+
All communication between the Windows host operating system and the EFLOW virtual machine that PowerShell cmdlets need uses an SSH channel. By default, the virtual machine SSH service doesn't let you authenticate with a username and password, and only allows certificate authentication. The certificate is created during the EFLOW deployment process and is unique for each EFLOW installation. To help prevent SSH brute force attacks, the virtual machine blocks an IP address if it tries more than three connections per minute to the SSH service.
8787
88-
In the EFLOW Continuous Release (CR) version, we introduced a change in the transport channel used to establish the SSH connection. Originally, SSH service runs on TCP port 22, which can be accessed by all external devices in the same network using a TCP socket to that specific port. For security reasons, EFLOW CR runs the SSH service over Hyper-V sockets instead of normal TCP sockets. All communication over Hyper-V sockets runs between the Windows host OS and the EFLOW virtual machine, without using networking. This limits the access of the SSH service, restricting connections to only the Windows host OS. For more information, see [Hyper-V sockets](/virtualization/hyper-v-on-windows/user-guide/make-integration-service).
88+
In the EFLOW Continuous Release (CR) version, the transport channel for the SSH connection changes. Originally, the SSH service runs on TCP port 22, which any external device on the same network can access using a TCP socket. For security, EFLOW CR runs the SSH service over Hyper-V sockets instead of regular TCP sockets. All communication over Hyper-V sockets stays between the Windows host OS and the EFLOW virtual machine, without using networking. This setup limits SSH service access by restricting connections to only the Windows host OS. For more information, see [Hyper-V sockets](/virtualization/hyper-v-on-windows/user-guide/make-integration-service).
8989
9090
## Next steps
9191
9292
Read more about [Windows IoT security premises](/windows/iot/iot-enterprise/os-features/security)
9393
94-
Stay up-to-date with the latest [IoT Edge for Linux on Windows updates](./iot-edge-for-linux-on-windows-updates.md).
94+
Stay up to date with the latest [IoT Edge for Linux on Windows updates](./iot-edge-for-linux-on-windows-updates.md).
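Review bot: the "PowerShell functions for IoT Edge for Linux on Windows" link (new line 84) points at the `#set-eflowvmfeature` anchor, which is a single cmdlet rather than the module reference the sentence describes; unless that is intended, drop the fragment so the link lands at the top of the reference page (the same anchor is correct on new line 80, where the sentence is specifically about TPM passthrough). Minor wording: "This lets you do two main scenarios" (new line 78) reads awkwardly, and "This enables two main scenarios" from the original or "This supports two main scenarios" is cleaner; "ensures the virtual machine base software image is the same and isn't altered" (new line 71) would be more precise as "ensures the base software image is unchanged from the image that was deployed", which is what the dm-verity block-device check actually verifies.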