articles/confidential-computing/overview-azure-products.md
+2-2Lines changed: 2 additions & 2 deletions
Original file line number
Diff line number
Diff line change
@@ -19,7 +19,7 @@ Azure provides the broadest support for hardened technologies such as [AMD SEV-S
19
19
20
20
- Confidential VMs that use AMD SEV-SNP. [DCasv5](/azure/virtual-machines/dcasv5-dcadsv5-series) and [ECasv5](/azure/virtual-machines/ecasv5-ecadsv5-series) enable rehosting of existing workloads and help to protect data from cloud operators with VM-level confidentiality. [DCasv6 and ECasv6](https://techcommunity.microsoft.com/blog/azureconfidentialcomputingblog/preview-new-dcasv6-and-ecasv6-confidential-vms-based-on-4th-generation-amd-epyc%E2%84%A2/4303752) confidential VMs based on fourth-generation AMD EPYC processors are currently in gated preview and offer enhanced performance.
21
21
- Confidential VMs that use Intel TDX. [DCesv5](/azure/virtual-machines/dcasv5-dcadsv5-series) and [ECesv5](/azure/virtual-machines/ecasv5-ecadsv5-series) enable rehosting of existing workloads and help to protect data from cloud operators with VM-level confidentiality.
22
-
- Confidential VMs with graphics processing units (GPUs). [NCCadsH100v5](/azure/virtual-machines/sizes/gpu-accelerated/nccadsh100v5-series) confidential VMs come with a GPU and help to ensure data security and privacy while boosting AI and machine learning tasks. These confidential VMs use linked CPU and GPU TEEs to [protect sensitive data in the CPU and a GPU to accelerate computations](https://techcommunity.microsoft.com/blog/azureconfidentialcomputingblog/general-availability-azure-confidential-vms-with-nvidia-h100-tensor-core-gpus/4242644). They're ideal for organizations that need to protect data from cloud operators and use high-performance computing.
22
+
- Confidential VMs with graphics processing units (GPUs). [NCCadsH100v5](/azure/virtual-machines/sizes/gpu-accelerated/nccadsh100v5-series) confidential VMs come with a GPU and help to ensure data security and privacy while boosting AI and machine learning tasks. These confidential VMs use linked CPU and GPU Trusted Execution Environments (TEEs) to [protect sensitive data in the CPU and a GPU to accelerate computations](https://techcommunity.microsoft.com/blog/azureconfidentialcomputingblog/general-availability-azure-confidential-vms-with-nvidia-h100-tensor-core-gpus/4242644). They're ideal for organizations that need to protect data from cloud operators and use high-performance computing.
23
23
- VMs with application enclaves that use Intel SGX. [DCsv2](/azure/virtual-machines/dcv2-series), [DCsv3, and DCdsv3](/azure/virtual-machines/dcv3-series) enable organizations to create hardware enclaves. These secure enclaves help to protect VMs from cloud operators and an organization's own VM admins.
24
24
-[Confidential VM Azure Kubernetes Service (AKS) worker nodes](/azure/confidential-computing/confidential-node-pool-aks) that allow rehosting of containers to AKS clusters. Worker nodes based on AMD SEV-SNP hardware help to protect data from cloud operators with worker-node level confidentiality and provide the configuration flexibility of AKS.
25
25
-[Confidential containers on Azure Container Instances](/azure/container-instances/container-instances-confidential-overview) that allow rehosting of containers to the serverless container instances that run on AMD SEV-SNP hardware. Confidential containers support container-level integrity and attestation via [confidential computing enforcement (CCE) policies](/azure/container-instances/container-instances-confidential-overview#confidential-computing-enforcement-policies). These policies prescribe the components that are allowed to run within the container group. The container runtime enforces the policy. This policy helps to protect data from the cloud operator and internal threat actors with container-level confidentiality.
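Review bot: In the Intel TDX bullet at line 21 (unchanged context), the DCesv5 and ECesv5 links point to /azure/virtual-machines/dcasv5-dcadsv5-series and /azure/virtual-machines/ecasv5-ecadsv5-series, the same targets as the AMD DCasv5 and ECasv5 links in the bullet above it. Since this pass already edits the neighboring GPU bullet, consider pointing those two links at the Intel series pages. The TEE expansion added at line 22 is fine, provided this is the first use of the acronym in the article.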
@@ -35,7 +35,7 @@ Azure offers various platform as a service (PaaS), software as a service (SaaS),
35
35
-[Azure Databricks](https://www.databricks.com/blog/announcing-general-availability-azure-databricks-support-azure-confidential-computing-acc) helps you bring more security and increased confidentiality to your Databricks lakehouse by using confidential VMs.
36
36
-[Azure Virtual Desktop](../virtual-desktop/deploy-azure-virtual-desktop.md?tabs=portal) ensures that a user's virtual desktop is encrypted in memory, protected in use, and backed by hardware root of trust.
37
37
-[Azure Key Vault Managed HSM](/azure/key-vault/managed-hsm/) is fully managed and highly available. Use this single-tenant, standards-compliant cloud service to safeguard cryptographic keys for your cloud applications by using FIPS 140-2 Level 3 validated hardware security modules (HSMs).
38
-
-[Azure Attestation](/azure/attestation/overview) is a remote attestation service for validating the trustworthiness of multiple Trusted Execution Environments (TEEs) and verifying the integrity of the binaries that run inside the TEEs.
38
+
-[Azure Attestation](/azure/attestation/overview) is a remote attestation service for validating the trustworthiness of multiple TEEs and verifying the integrity of the binaries that run inside the TEEs.
39
39
-[Azure confidential ledger](/azure/confidential-ledger/overview) is a tamper-proof register for storing sensitive data for record keeping and auditing or for data transparency in multiparty scenarios. It offers Write-Once-Read-Many guarantees, which make data nonerasable and nonmodifiable. The service is built on the Microsoft Research [Confidential Consortium Framework](https://www.microsoft.com/research/project/confidential-consortium-framework/).
40
40
-[Always Encrypted with secure enclaves in Azure SQL](/sql/relational-databases/security/encryption/always-encrypted-enclaves). The confidentiality of sensitive data is protected from malware and high-privileged unauthorized users by running SQL queries directly inside a TEE.
title: Secret and key management in Azure confidential computing
3
-
description: Understanding how confidential computing handles secrets and keys
2
+
title: Secret and Key Management in Azure Confidential Computing
3
+
description: This article helps you to understand how confidential computing handles secrets and keys.
4
4
author: vinfnet
5
5
ms.author: sgallagher
6
6
ms.service: azure
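Review bot: The new title at line 2 reads "Secret and Key Management in Azure Confidential Computing" with singular "Secret", but the H1 changed in the next hunk is "Secrets and key management". Suggest "Secrets and Key Management in Azure Confidential Computing" so the title and the heading agree.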
@@ -9,16 +9,16 @@ ms.date: 06/09/2023
9
9
ms.custom: template-concept
10
10
ms.subservice: confidential-computing
11
11
---
12
-
# Secrets and Key Management
12
+
# Secrets and key management
13
13
14
-
Confidential computing provides advanced capabilities for protecting secrets and keys whilst they are in-use to enhance the security posture of an application.
14
+
Confidential computing provides advanced capabilities for protecting secrets and keys while they're in use to enhance the security posture of an application.
15
15
16
-
Confidential computingenabled services use keys managed by the [hardware root of trust](trusted-compute-base.md#hardware-root-of-trust) to inform [Attestation](attestation.md) services and encrypt and decrypt data inside the Trusted Execution Environment ([TEE](trusted-execution-environment.md)).
16
+
Confidential computing-enabled services use keys managed by the [hardware root of trust](trusted-compute-base.md#hardware-root-of-trust) to inform [attestation](attestation.md) services and encrypt and decrypt data inside the Trusted Execution Environment ([TEE](trusted-execution-environment.md)).
17
17
18
-
This is a key part of protection for Confidential virtual machines (CVM) and many other services built upon CVMs like [confidential node pools on AKS](confidential-node-pool-aks.md) or data services that support confidential SKUs like Azure Data Explorer.
18
+
Keys are an important part of protection for confidential virtual machines (CVMs) and many other services built on CVMs like [confidential node pools on Azure Kubernetes Service](confidential-node-pool-aks.md) or data services that support confidential products like Azure Data Explorer.
19
19
20
-
For example, systems can be configured so that keys are only released once code has proven (via Attestation) that it is executing inside a TEE - this is known as [Secure Key Release (SKR)](concept-skr-attestation.md) - this powerful feature is useful for applications that need to read encrypted data from Azure blob storage into a TEE where it can be securely decrypted and processed in the clear.
20
+
For example, you can configure systems so that keys are released only after the code proves (via attestation) that it's executing inside a TEE. This behavior is known as [secure key release](concept-skr-attestation.md). This powerful feature is useful for applications that need to read encrypted data from Azure Blob Storage into a TEE where it can be securely decrypted and processed in the clear.
21
21
22
-
CVMs rely on virtual Trusted Platform Modules (vTPM) you can read more about this in [Virtual TPMs in Azure](virtual-tpms-in-azure-confidential-vm.md)
22
+
CVMs rely on virtual Trusted Platform Modules (vTPMs). You can read more about this technology in [Virtual TPMs in Azure](virtual-tpms-in-azure-confidential-vm.md).
23
23
24
-
The [Azure Managed HSM](/azure/key-vault/managed-hsm/overview) offering is [built on Confidential Computing technologies](/azure/key-vault/managed-hsm/managed-hsm-technical-details) and can be used to enhance access control of secrets & keys for an application.
24
+
The [Azure Key Vault Managed HSM](/azure/key-vault/managed-hsm/overview) offering is [built on confidential computing technologies](/azure/key-vault/managed-hsm/managed-hsm-technical-details). You can use it to enhance access control of the secrets and keys for an application.
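Review bot: At new line 18, "This is a key part of protection" became "Keys are an important part of protection", which changes the subject: the original "This" pointed back to the preceding sentence about hardware-rooted keys informing attestation and encrypting data inside the TEE, with "key" used as an adjective. Suggest keeping that referent, for example "This capability is a key part of protection for confidential virtual machines (CVMs) ...". The same line replaces "confidential SKUs" with "confidential products", which is not the same thing as a service SKU and is worth confirming. The ms.date shown in the hunk header is still 06/09/2023 although the body text changes.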
title: Trusted compute base (TCB) in Azure confidential computing
3
-
description: Understanding what the TCB is and what it includes
2
+
title: Trusted Computing Base (TCB) in Azure Confidential Computing
3
+
description: This article helps you to understand what the TCB is and what it includes.
4
4
author: vinfnet
5
5
ms.author: sgallagher
6
6
ms.service: azure
@@ -9,39 +9,34 @@ ms.date: 06/09/2023
9
9
ms.custom: template-concept
10
10
ms.subservice: confidential-computing
11
11
---
12
-
# Trusted Compute Base
12
+
# Trusted Computing Base
13
13
14
-
The Trusted Computing Base (TCB) refers to all of a system's hardware, firmware, and software components that provide a secure environment. The components inside the TCB are considered "critical." If one component inside the TCB is compromised, the entire system's security may be jeopardized. A lower TCB means higher security. There's less risk of exposure to various vulnerabilities, malware, attacks, and malicious people.
14
+
Trusted Computing Base (TCB) refers to all of a system's hardware, firmware, and software components that provide a secure environment. The components inside the TCB are considered critical. If one component inside the TCB is compromised, the entire system's security might be jeopardized. A lower TCB means higher security. There's less risk of exposure to various vulnerabilities, malware, attacks, and malicious people.
15
15
16
+
The following diagram shows what's "inside" and "outside" of the TCB. The workload and data that the customer operator manages is inside the TCB. The elements managed by the cloud provider (Azure) are outside of the TCB.
16
17
17
-
The following diagram shows what is "in" and what is "outside' of the trustedcomputebase. The workload and data that the customer operator manages is inside the TCB, and the elements managed by the cloud provider (Microsoft Azure) are outside.
18
+
:::image type="content" source="./media/trusted-compute-base/azure-confidential-computing-zero-trust-architecture.jpg" alt-text="Diagram that shows the Trusted Computing Base concept.":::
18
19
20
+
## Hardware root of trust
19
21
20
-
:::image type="content" source="./media/trusted-compute-base/azure-confidential-computing-zero-trust-architecture.jpg" alt-text="Diagram showing the Trusted Compute Base (TCB) concept.":::
22
+
The root of trust is the hardware that's trusted to attest (validate) that the customer workload is using confidentialcomputing. Hardware vendors generate and validate the cryptographic proofs.
21
23
24
+
## Confidential computing workload
22
25
23
-
## Hardware Root of Trust
26
+
The customer workload, encapsulated inside a Trusted Execution Environment (TEE), includes the parts of the solution that are fully under control and trusted by the customer. The confidential computing workload is opaque to everything outside of the TCB by using encryption.
24
27
25
-
The root of trust is the hardware that is trusted to attest (validate) that the customer workload is using confidential computing through the generation and validation of cryptographic proofs provided by hardware vendors.
28
+
## Host OS, hypervisor, BIOS, and device drivers
26
29
27
-
## Confidential Computing Workload (TCB)
30
+
These elements have no visibility of the workload inside the TCB because it's encrypted. The host OS, BIOS, hypervisor, and device drivers are under the control of the cloud provider and inaccessible by the customer. Conversely, they can see the customer workload only in encrypted form.
28
31
29
-
The customer workload, encapsulated inside a Trusted Execution Environment (TEE) includes the parts of the solution that are fully under control and trusted by the customer. The confidential computing workload is opaque to everything outside of the TCB using encryption.
32
+
## Mapping TCB to different TEEs
30
33
31
-
## Host OS, Hypervisor, BIOS, Device drivers
34
+
Depending on the confidential computing technology in use, the TCB can vary to meet different customer demands for confidentiality and ease of adoption.
32
35
33
-
These elements have no visibility of the workload inside the TCB because it encrypted. Host OS, BIOS etc. are under the control of the cloud provider and inaccessible by the customer and conversely they can only see the customer workload in encrypted form.
36
+
Confidential virtual machines (CVMs) that use the AMD SEV-SNP (and, in future, Intel Trust Domain Extensions) technologies can run an entire VM inside the TEE to support rehosting scenarios of existing workloads. In this case, the guest OS is also inside the TCB.
34
37
35
-
## Mapping TCB to different Trusted Execution Environments (TEE)
36
-
37
-
Depending on the Confidential Computing technology in-use, the TCB can vary to cater to different customer demands for confidentiality and ease of adoption.
38
-
39
-
Confidential Virtual Machines (CVM) using the AMD SEV-SNP (and, in future Intel TDX) technologies can run an entire virtual machine inside the TEE to support lift & shift scenarios of existing workloads, in this case, the guest OS is also inside the TCB.
40
-
41
-
Container compute offerings are built upon Confidential Virtual Machines and offer a variety of TCB scenarios from whole AKS nodes to individual containers when using Azure Container Instances (ACI).
42
-
43
-
Intel SGX can offer the most granular TCB definition down to individual code functions but requires applications to be developed using specific SDKs to use confidential capabilities.
44
-
45
-
:::image type="content" source="./media/trusted-compute-base/app-enclave-vs-virtual-machine.jpg " alt-text="Diagram showing the Trusted Compute Base (TCB) concept mapped to Intel SGX and AMD SEV-SNP Trusted Execution Environments":::
38
+
Container compute offerings are built on CVMs. They offer various TCB scenarios from whole Azure Kubernetes Service nodes to individual containers when Azure Container Instances are used.
46
39
40
+
Intel Software Guard Extensions (SGX) can offer the most granular TCB definition down to individual code functions, but it requires applications to be developed by using specific SDKs to use confidential capabilities.
47
41
42
+
:::image type="content" source="./media/trusted-compute-base/app-enclave-vs-virtual-machine.jpg " alt-text="Diagram that shows the TCB concept mapped to Intel SGX and AMD SEV-SNP Trusted Execution Environments.":::
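Review bot: At new line 22, splitting the root-of-trust sentence changed its meaning: the old text said the hardware attests "through the generation and validation of cryptographic proofs provided by hardware vendors", while the new second sentence says "Hardware vendors generate and validate the cryptographic proofs", which makes the vendors the party that validates. Suggest wording that keeps the hardware as the source of the proofs. If the missing space in "confidentialcomputing" on that line is in the source, fix it too. At new line 37, "(and, in future, Intel Trust Domain Extensions)" conflicts with overview-azure-products.md in this same commit, which lists Intel TDX confidential VMs (DCesv5, ECesv5) as an existing offering. At new line 16, "The workload and data that the customer operator manages is inside the TCB" should use "are".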
articles/confidential-computing/trusted-execution-environment.md
+3-3Lines changed: 3 additions & 3 deletions
@@ -1,6 +1,6 @@
1
1
---
2
2
title: Trusted Execution Environment (TEE)
3
-
description: Understanding what the TEE is and what it includes.
3
+
description: This article helps you to understand what the TEE is and what it includes.
4
4
author: vinfnet
5
5
ms.author: sgallagher
6
6
ms.service: azure
@@ -17,7 +17,7 @@ When you use a Trusted Execution Environment (TEE), you protect your code and da
17
17
18
18
A Trusted Execution Environment is a segregated area of memory and CPU that's protected from the rest of the CPU by using encryption. Any code outside that environment can't read or tamper with the data in the TEE. Authorized code can manipulate the data inside the TEE.
19
19
20
-
Code that executes inside the TEE is processed in the clear, but it's visible in encrypted form only when anything outside tries to access it. This protection is managed by the platform security processor embedded inside the CPU die.
20
+
Code that executes inside the TEE is processed in the clear, but it's visible in encrypted form only when anything outside tries to access it. The platform security processor embedded inside the CPU die manages this protection.
21
21
22
22
:::image type="content" source="./media/trusted-compute-base/app-enclave-vs-virtual-machine.jpg " alt-text="Diagram that shows the trusted compute base concept mapped to Intel SGX and AMD SEV-SNP Trusted Execution Environments.":::
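Review bot: In the context line at line 22, the image alt-text still says "trusted compute base concept", while this commit standardizes on "Trusted Computing Base" and updates the alt-text for the same image in trusted-compute-base.md to "TCB concept". Suggest updating it here as well. At new line 20, the carried-over clause "it's visible in encrypted form only when anything outside tries to access it" is hard to parse; something like "anything outside the TEE can see it only in encrypted form" would state the guarantee more directly.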
The enclave-based offering provides CPU features that allow customer code to use [Intel Software Guard Extensions (SGX)](virtual-machine-solutions-sgx.md) to create a protected memory region called Encrypted Protected Cache within a VM. Customers can run sensitive workloads with strong data protection and privacy guarantees. Azure confidential computing introduced the first enclave-based offering in 2020. Customer applications need to be specifically developed to take advantage of this data protection model.
29
29
30
-
Both of these underlying technologies are used to deliver [confidential infrastructure as a service (IaaS) and platform as a service (PaaS)](overview-azure-products.md) cloud computing models in the Azure platform. making it simple for customers to adopt confidential computing in their solutions.
30
+
Both of these underlying technologies are used to deliver [confidential infrastructure as a service (IaaS) and platform as a service (PaaS)](overview-azure-products.md) cloud computing models in the Azure platform, which makes it simple for customers to adopt confidential computing in their solutions.
31
31
32
32
New graphics processing unit (GPU) designs also support a TEE capability. You can securely combine GPUs with CPU TEE solutions like confidential VMs, such as the [NVIDIA offering currently in preview](https://azure.microsoft.com/blog/azure-confidential-computing-with-nvidia-gpus-for-trustworthy-ai/), to deliver trustworthy AI.
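Review bot: The unchanged SGX paragraph just above line 29 calls the protected memory region "Encrypted Protected Cache"; Intel's name for the SGX EPC is Enclave Page Cache, so this is worth correcting while the file is open. At line 32, "NVIDIA offering currently in preview" is out of step with overview-azure-products.md in this commit, whose NCCadsH100v5 bullet links to a general-availability announcement. The comma splice fix at line 30 looks good.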
articles/confidential-computing/use-cases-scenarios.md
+1-1Lines changed: 1 addition & 1 deletion
@@ -123,7 +123,7 @@ The attestation service returns cryptographically signed details from the hardwa
123
123
124
124
Even though the security level provided by Azure is quickly becoming one of the top drivers for cloud computing adoption, customers trust their providers to different extents. Customers ask for:
125
125
126
-
- Minimal hardware, software, and operational trusted computing bases (TCBs) for sensitive workloads.
126
+
- Minimal hardware, software, and operational Trusted Computing Bases (TCBs) for sensitive workloads.
127
127
- Technical enforcement rather than only business policies and processes.
128
128
- Transparency about the guarantees, residual risks, and mitigations that they get.