Commit ae56704

Merge pull request #223862 from mssindhurid/main
custom baseline changes
2 parents 663d7d9 + d1fdf24 commit ae56704

3 files changed: +5 -35 lines changed

articles/attestation/basic-concepts.md

Lines changed: 0 additions & 28 deletions
@@ -26,34 +26,6 @@ Below are some basic concepts related to Microsoft Azure Attestation.
2626

2727
Attestation provider belongs to Azure resource provider named Microsoft.Attestation. The resource provider is a service endpoint that provides Azure Attestation REST contract and is deployed using [Azure Resource Manager](../azure-resource-manager/management/overview.md). Each attestation provider honors a specific, discoverable policy. Attestation providers get created with a default policy for each attestation type (note that VBS enclave has no default policy). See [examples of an attestation policy](policy-examples.md) for more details on the default policy for SGX.
2828

29-
### Regional shared provider
30-
31-
Azure Attestation provides a regional shared provider in every available region. Customers can choose to use the regional shared provider for attestation, or create their own providers with custom policies. The shared providers are accessible by any Azure AD user and the policy associated with it cannot be altered.
32-
33-
| Region | Attest Uri |
34-
|--|--|
35-
| East US | `https://sharedeus.eus.attest.azure.net` |
36-
| West US | `https://sharedwus.wus.attest.azure.net` |
37-
| UK South | `https://shareduks.uks.attest.azure.net` |
38-
| UK West| `https://sharedukw.ukw.attest.azure.net ` |
39-
| Canada East | `https://sharedcae.cae.attest.azure.net` |
40-
| Canada Central | `https://sharedcac.cac.attest.azure.net` |
41-
| North Europe | `https://sharedneu.neu.attest.azure.net` |
42-
| West Europe| `https://sharedweu.weu.attest.azure.net` |
43-
| US East 2 | `https://sharedeus2.eus2.attest.azure.net` |
44-
| Central US | `https://sharedcus.cus.attest.azure.net` |
45-
| North Central US | `https://sharedncus.ncus.attest.azure.net` |
46-
| South Central US | `https://sharedscus.scus.attest.azure.net` |
47-
| Australia East | `https://sharedeau.eau.attest.azure.net` |
48-
| Australia SouthEast | `https://sharedsau.sau.attest.azure.net` |
49-
| South East Asia | `https://sharedsasia.sasia.attest.azure.net` |
50-
| Japan East | `https://sharedjpe.jpe.attest.azure.net` |
51-
| Switzerland North | `https://sharedswn.swn.attest.azure.net` |
52-
| US Gov Virginia | `https://sharedugv.ugv.attest.azure.us` |
53-
| US Gov Arizona | `https://shareduga.uga.attest.azure.us` |
54-
| Central US EUAP | `https://sharedcuse.cuse.attest.azure.net` |
55-
| East US2 EUAP | `https://sharedeus2e.eus2e.attest.azure.net` |
56-
5729
## Attestation request
5830

5931
Attestation request is a serialized JSON object sent by client application to attestation provider.
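Review bot: Deleting the entire "### Regional shared provider" heading, its paragraph and the region/URI table also deletes the `#regional-shared-provider` anchor. The overview.md hunk in this same commit removes the one link to that anchor that is visible here, but the rest of the docs set should be searched for other links to it and for references to the `shared*.attest.azure.net` URIs before merge, otherwise those pages are left with dead links. The removed paragraph was also the only place stating that the shared providers "are accessible by any Azure AD user and the policy associated with it cannot be altered"; if those endpoints stay in service, a one-line statement that they still exist but are no longer the documented path would help readers who have already hard-coded one of these URIs, and the commit message ("custom baseline changes") does not describe this removal at all.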

articles/attestation/custom-tcb-baseline-enforcement.md

Lines changed: 5 additions & 6 deletions
@@ -13,19 +13,19 @@ ms.author: mbaldwin
1313

1414
# Custom TCB baseline enforcement for SGX attestation
1515

16-
Microsoft Azure Attestation is a unified solution for attesting different types of Trusted Execution Environments (TEEs) such as [Intel® Software Guard Extensions](https://www.intel.com/content/www/us/en/architecture-and-technology/software-guard-extensions.html) (SGX) enclaves. While attesting SGX enclaves, Azure Attestation validates the evidence against Azure default Trusted Computing Base (TCB) baseline. The default TCB baseline is provided by an Azure service named [Trusted Hardware Identity Management](../security/fundamentals/trusted-hardware-identity-management.md) (THIM) and includes collateral fetched from Intel like certificate revocation lists (CRLs), Intel certificates, Trusted Computing Base (TCB) information and Quoting Enclave identity (QEID). The default TCB baseline from THIM lags the latest baseline offered by Intel and is expected to remain at tcbEvaluationDataNumber 10.
16+
Microsoft Azure Attestation is a unified solution for attesting different types of Trusted Execution Environments (TEEs) such as [Intel® Software Guard Extensions](https://www.intel.com/content/www/us/en/architecture-and-technology/software-guard-extensions.html) (SGX) enclaves. While attesting SGX enclaves, Azure Attestation validates the evidence against Azure default Trusted Computing Base (TCB) baseline. The default TCB baseline is provided by an Azure service named [Trusted Hardware Identity Management](/azure/security/fundamentals/trusted-hardware-identity-management) (THIM) and includes collateral fetched from Intel like certificate revocation lists (CRLs), Intel certificates, Trusted Computing Base (TCB) information and Quoting Enclave identity (QEID). The default TCB baseline from THIM might lag the latest baseline offered by Intel. This is to prevent any attestation failure scenarios for ACC customers who require more time for patching platform software (PSW) updates.
1717

18-
The custom TCB baseline enforcement feature in Azure Attestation will enable you to perform SGX attestation against a desired TCB baseline, as opposed to the Azure default TCB baseline which is applied across [Azure Confidential Computing](../confidential-computing/index.yml) (ACC) fleet today.
18+
The custom TCB baseline enforcement feature in Azure Attestation will empower you to perform SGX attestation against a desired TCB baseline. It is always recommended for [Azure Confidential Computing](/azure/confidential-computing/overview) (ACC) SGX customers to install the latest PSW version supported by Intel and configure their SGX attestation policy with the latest TCB baseline supported by Azure.
1919

2020
## Why use custom TCB baseline enforcement feature?
2121

2222
We recommend Azure Attestation users to use the custom TCB baseline enforcement feature for performing SGX attestation. The feature will be helpful in the following scenarios:
2323

24-
**To perform SGX attestation against newer TCB offered by Intel**Security conscious customers can perform timely roll out of platform software (PSW) updates as recommended by Intel and use the custom baseline enforcement feature to perform their SGX attestation against the newer TCB versions supported by Intel
24+
**To perform SGX attestation against a newer TCB offered by Intel**Customers can perform timely roll out of platform software (PSW) updates as recommended by Intel and use the custom baseline enforcement feature to perform their SGX attestation against the newer TCB versions supported by Intel
2525

2626
**To perform platform software (PSW) updates at your own cadence** – Customers who prefer to update PSW at their own cadence, can use custom baseline enforcement feature to perform SGX attestation against the older TCB baseline, until the PSW updates are rolled out
2727

28-
## Default TCB baseline used by Azure Attestation when no custom TCB baseline is configured by users
28+
## Default TCB baseline currently referred by Azure Attestation when no custom TCB baseline is configured by users
2929

3030
```
3131
TCB identifier: “azuredefault”
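Review bot: The rewritten bullet "**To perform SGX attestation against a newer TCB offered by Intel**Customers can perform timely roll out ..." still lacks the " – " separator after the bold run that the sibling bullet "**To perform platform software (PSW) updates at your own cadence** – Customers who prefer ..." uses, so the bold heading and "Customers" render fused; since the line is being rewritten anyway, this is the place to fix it. Two smaller points in the same hunk: the new heading "Default TCB baseline currently referred by Azure Attestation ..." should read "referred to by" (or keep the old wording "used by"), and the THIM and ACC links switch from relative repo paths (`../security/fundamentals/...md`) to absolute site paths (`/azure/security/fundamentals/...`), which is fine if intentional but should be checked against the repo's link convention so the build's link validation still covers them. Replacing the concrete "expected to remain at tcbEvaluationDataNumber 10" with "might lag the latest baseline offered by Intel" is reasonable if that number is not stable, but the paragraph then gives readers no way to learn the current default; a pointer to the "Default TCB baseline" section below, which still lists the `azuredefault` identifier, would close that gap.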
@@ -109,8 +109,7 @@ c:[type=="x-ms-attestation-type"] => issue(type="tee", value=c.value);
109109
```
110110

111111
## Key considerations:
112-
- It is always recommended to install the latest PSW version supported by Intel and configure attestation policy with the latest TCB identifier available in Azure
113112
- If the PSW version of ACC node is lower than the minimum PSW version of the TCB baseline configured in SGX attestation policy, attestation scenarios will fail
114113
- If the PSW version of ACC node is greater than or equal to the minimum PSW version of the TCB baseline configured in SGX attestation policy, attestation scenarios will pass
115114
- For customers who do not configure a custom TCB baseline in attestation policy, attestation will be performed against the Azure default TCB baseline
116-
- For customers using an attestation policy without configurationrules section, attestation will be performed against the Azure default TCB baseline
115+
- For customers using an attestation policy without configurationrules section, attestation will be performed against the Azure default TCB baseline
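Review bot: The removed and added versions of "- For customers using an attestation policy without configurationrules section, attestation will be performed against the Azure default TCB baseline" are textually identical in this view, so the change is presumably whitespace or line-ending only; please confirm that is intended rather than an accidental edit. While touching this line, `configurationrules` names a section of the attestation policy and reads better in code formatting, and "without configurationrules section" needs an article ("without a `configurationrules` section"). Dropping the "It is always recommended to install the latest PSW version ..." bullet here is consistent with the first hunk, which moves that guidance into the introduction.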

articles/attestation/overview.md

Lines changed: 0 additions & 1 deletion
@@ -71,7 +71,6 @@ Azure Attestation is the preferred choice for attesting TEEs as it offers the fo
7171

7272
- Unified framework for attesting multiple environments such as TPMs, SGX enclaves and VBS enclaves
7373
- Allows creation of custom attestation providers and configuration of policies to restrict token generation
74-
- Offers [regional shared providers](basic-concepts.md#regional-shared-provider) which can attest with no configuration from users
7574
- Protects its data while-in use with implementation in an SGX enclave
7675
- Highly available service
7776

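Review bot: Removing the "Offers [regional shared providers](basic-concepts.md#regional-shared-provider) which can attest with no configuration from users" bullet keeps overview.md consistent with the section deleted from basic-concepts.md, so no dead anchor remains between these two files. It does mean the overview no longer mentions any zero-configuration attestation option; if the shared providers are being retired, a short note to that effect (here or in basic-concepts.md) would help existing users, and the commit message "custom baseline changes" should say that two of the three files actually remove shared-provider documentation.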