tidy-up

Author: vinfnet

articles/confidential-computing/TOC.yml

@@ -31,9 +31,9 @@
   expanded: true
   items:
   - name: Multi-party and cleanroom collaboration
-    href: multi-party-data.md #multi-party-collaboration # new #p1
-  - name: It's the future #maybe change link to a page that references the below, and explains why it's the future
-    href: https://azure.microsoft.com/blog/key-foundations-for-protecting-your-data-with-azure-confidential-computing/ # New, house-view.. why is it the future - x-links to a lot of MarkRus material tying it back to strategic direction/vision
+    href: multi-party-data.md 
+  - name: It's the future 
+    href: https://azure.microsoft.com/blog/key-foundations-for-protecting-your-data-with-azure-confidential-computing/
   - name: Confidential AI
     href: confidential-ai.md
 - name: How do I get it? # HOW?
@@ -154,10 +154,6 @@
   - name: Confidential services
     expanded: true
     items:
-    - name: SQL Always Encrypted with secure enclaves # x-link to SQL docs #done
-      href: /sql/relational-databases/security/encryption/configure-always-encrypted-enclaves
-    - name: SQL on confidential virtual machines #done
-      href: /azure/azure-sql/virtual-machines/windows/sql-vm-create-confidential-vm-how-to
     - name: Confidential VMs for Azure Databricks
       href: https://techcommunity.microsoft.com/t5/azure-confidential-computing/confidential-vm-option-for-azure-databricks-preview/ba-p/3827982#:~:text=Azure%20Databricks%20now%20supports%20using%20Confidential%20computing%20VM,Azure%20Databricks%20workload%20securely%20%26%20confidentially%20on%20Azure
     - name: Confidential VMs for Azure Data Explorer (preview) #done
@@ -166,6 +162,10 @@
       href: /azure/virtual-desktop/whats-new#confidential-virtual-machines-and-trusted-launch-virtual-machines-are-now-generally-available-in-azure-virtual-desktop
     - name: Azure confidential ledger #done
       href: /azure/confidential-ledger/overview
+    - name: SQL on confidential virtual machines #done
+      href: /azure/azure-sql/virtual-machines/windows/sql-vm-create-confidential-vm-how-to
+    - name: SQL Always Encrypted with secure enclaves # x-link to SQL docs #done
+      href: /sql/relational-databases/security/encryption/configure-always-encrypted-enclaves
   - name: Partner Solutions
     items:
     - name: Overview

articles/confidential-computing/trusted-compute-base.md

@@ -22,24 +22,24 @@ The following diagram shows what is "in" and what is "outside' of the trusted co
 
 ## Hardware Root of Trust
 
-The root of trust is the hardware that is trusted to attest (validate) that the customer workload is using confidential computing through the generation of cryptographic proofs.
+The root of trust is the hardware that is trusted to attest (validate) that the customer workload is using confidential computing through the generation and validation of cryptographic proofs provided by hardware vendors.
 
 ## Confidential Computing Workload (TCB)
 
 The customer workload, encapsulated inside a Trusted Execution Environment (TEE) includes the parts of the solution that are fully under control and trusted by the customer. The confidential computing workload is opaque to everything outside of the TCB using encryption.
 
 ## Host OS, Hypervisor, BIOS, Device drivers
 
-These elements have no visibility of the workload inside the TCB because it encrypted. Host OS, BIOS etc. are under the control of the cloud provider and inaccessible by the customer.
+These elements have no visibility of the workload inside the TCB because it encrypted. Host OS, BIOS etc. are under the control of the cloud provider and inaccessible by the customer and conversely they can only see the customer workload in encrypted form.
 
 ## Mapping TCB to different Trusted Execution Environments (TEE)
 
 Depending on the Confidential Computing technology in-use, the TCB can vary to cater to different customer demands for confidentiality and ease of adoption.
 
-Intel SGX, for example offers the most granular TCB definition down to individual code functions but requires applications to be written using specific APIs to use confidential capabilities. 
-
 Confidential Virtual Machines (CVM) using the AMD SEV-SNP (and, in future Intel TDX) technologies can run an entire virtual machine inside the TEE to support lift & shift scenarios of existing workloads, in this case, the guest OS is also inside the TCB.
 
+Intel SGX, for example offers the most granular TCB definition down to individual code functions but requires applications to be developed using specific SDKs to use confidential capabilities. 
+
 :::image type="content" source="./media/trusted-compute-base/app-enclave-vs-virtual-machine.jpg " alt-text="Diagram showing the Trusted Compute Base (TCB) concept mapped to Intel SGX and AMD SEV-SNP Trusted Execution Environments":::
 
 

articles/confidential-computing/trusted-execution-environment.md

@@ -19,20 +19,20 @@ Code executing inside the TEE is processed in the clear but is only visible in e
 
 :::image type="content" source="./media/trusted-compute-base/app-enclave-vs-virtual-machine.jpg " alt-text="Image showing the Trusted Compute Base (TCB) concept mapped to Intel SGX and AMD SEV-SNP Trusted Execution Environments":::
 
-Azure confidential computing has two offerings: one for enclave-based workloads and one for lift and shift workloads.
+Azure confidential computing has two offerings: one for lift and shift workloads and enclave-based workloads for custom developed applications.
 
-The enclave-based offering uses [Intel Software Guard Extensions (SGX)](virtual-machine-solutions-sgx.md) to create a protected memory region called Encrypted Protected Cache (EPC) within a VM. This allows customers to run sensitive workloads with strong data protection and privacy guarantees. Azure Confidential computing launched the first enclave-based offering in 2020. 
+The lift and shift offering uses [AMD SEV-SNP (GA)](virtual-machine-options.md) or [Intel TDX (preview)](tdx-confidential-vm-overview.md) to encrypt the entire memory of a VM. This allows customers to migrate their existing workloads to Azure confidential computing without any code changes or performance degradation and supports both virtual machine and container workloads.
 
-The lift and shift offering uses [AMD SEV-SNP (GA)](virtual-machine-options.md) or [Intel TDX (preview)](tdx-confidential-vm-overview.md) to encrypt the entire memory of a VM. This allows customers to migrate their existing workloads to Azure confidential Compute without any code changes or performance degradation.
+The enclave-based offering provides CPU features that allows customer code to use [Intel Software Guard Extensions (SGX)](virtual-machine-solutions-sgx.md) to create a protected memory region called Encrypted Protected Cache (EPC) within a VM. This allows customers to run sensitive workloads with strong data protection and privacy guarantees. Azure Confidential computing launched the first enclave-based offering in 2020. Customer applications need to be specifically developed to take advantage of this data protection model.
 
-Many of these underlying technologies are used to deliver [confidential IaaS and PaaS services](overview-azure-products.md) in the Azure platform making it simple for customers to adopt confidential computing in their solutions.
+Both of these underlying technologies are used to deliver [confidential IaaS and PaaS services](overview-azure-products.md) in the Azure platform making it simple for customers to adopt confidential computing in their solutions.
 
 New GPU designs also support a TEE capability and can be securely combined with CPU TEE solutions such as confidential virtual machines, such as the [NVIDIA offering currently in preview](https://azure.microsoft.com/blog/azure-confidential-computing-with-nvidia-gpus-for-trustworthy-ai/) to deliver trustworthy AI.
 
 Technical details on how the TEE is implemented across different Azure hardware is available as follows:
 
 AMD SEV-SNP Confidential Virtual Machines (https://www.amd.com/en/developer/sev.html) <p>
-Intel SGX enabled Virtual Machines (https://www.intel.com/content/www/us/en/architecture-and-technology/software-guard-extensions.html)<p>
 Intel TDX Virtual Machines (https://www.intel.com/content/www/us/en/developer/articles/technical/intel-trust-domain-extensions.html)<p>
 NVIDIA Hardware (https://www.nvidia.com/en-gb/data-center/h100/)<p>
+Intel SGX enabled Virtual Machines (https://www.intel.com/content/www/us/en/architecture-and-technology/software-guard-extensions.html)<p>