| 1 | +--- |
| 2 | +title: Custom TCB baseline enforcement for Azure Attestation users |
| 3 | +description: Custom TCB baseline enforcement for Azure Attestation users |
| 4 | +services: attestation |
| 5 | +author: msmbaldwin |
| 6 | +ms.service: attestation |
| 7 | +ms.topic: overview |
| 8 | +ms.date: 11/30/2022 |
| 9 | +ms.author: mbaldwin |
| 10 | + |
| 11 | + |
| 12 | +--- |
| 13 | + |
| 14 | +# Custom TCB baseline enforcement for SGX attestation |
| 15 | + |
| 16 | + |
| 17 | +Microsoft Azure Attestation is a unified solution for attesting different types of Trusted Execution Environments (TEEs) such as [Intel® Software Guard Extensions](https://www.intel.com/content/www/us/en/architecture-and-technology/software-guard-extensions.html) (SGX) enclaves. While attesting SGX enclaves, Azure Attestation validates the evidence against Azure default Trusted Computing Base (TCB) baseline. The default TCB baseline is provided by an Azure service named [Trusted Hardware Identity Management](/azure/security/fundamentals/trusted-hardware-identity-management) (THIM) and includes collateral fetched from Intel like certificate revocation lists (CRLs), Intel certificates, Trusted Computing Base (TCB) information and Quoting Enclave identity (QEID). The default TCB baseline from THIM lags the latest baseline offered by Intel and is expected to remain at tcbEvaluationDataNumber 10. |
| 18 | + |
| 19 | +The custom TCB baseline enforcement feature in Azure Attestation will enable you to perform SGX attestation against a desired TCB baseline, as opposed to the Azure default TCB baseline which is applied across [Azure Confidential Computing](/solutions/confidential-compute/) (ACC) fleet today. |
| 20 | + |
| 21 | +## Why use custom TCB baseline enforcement feature? |
| 22 | + |
| 23 | +We recommend Azure Attestation users to use the custom TCB baseline enforcement feature for performing SGX attestation. The feature will be helpful in the following scenarios: |
| 24 | + |
| 25 | +**To perform SGX attestation against newer TCB offered by Intel** – Security conscious customers can perform timely roll out of platform software (PSW) updates as recommended by Intel and use the custom baseline enforcement feature to perform their SGX attestation against the newer TCB versions supported by Intel |
| 26 | + |
| 27 | +**To perform platform software (PSW) updates at your own cadence** – Customers who prefer to update PSW at their own cadence, can use custom baseline enforcement feature to perform SGX attestation against the older TCB baseline, until the PSW updates are rolled out |
| 28 | + |
| 29 | +## Default TCB baseline used by Azure Attestation when no custom TCB baseline is configured by users |
| 30 | + |
| 31 | +``` |
| 32 | +TCB identifier: “azuredefault” |
| 33 | +TCB evaluation data number": "10" |
| 34 | +Tcb release date: "2020-11-11T00:00:00" |
| 35 | +Minimum PSW Linux version: "2.9" |
| 36 | +Minimum PSW Windows version: "2.7.101.2" |
| 37 | +``` |
| 38 | + |
| 39 | +## TCB baselines available in Azure which can be configured as custom TCB baseline |
| 40 | +``` |
| 41 | + TCB identifier: "11" |
| 42 | + TCB evaluation data number": "11" |
| 43 | + TCB release date: "2021-06-09T00:00:00" |
| 44 | + Minimum PSW Linux version: "2.13.3", |
| 45 | + Minimum PSW Windows version: "2.13.100.2" |
| 46 | +
|
| 47 | + TCB identifier: "10" |
| 48 | + TCB evaluation data number: "10" |
| 49 | + Tcb release date: "2020-11-11T00:00:00" |
| 50 | + Minimum PSW Linux version: "2.9", |
| 51 | + Minimum PSW Windows version: "2.7.101.2" |
| 52 | +``` |
| 53 | + |
| 54 | +## How to configure an attestation policy with custom TCB baseline using Azure portal experience |
| 55 | + |
| 56 | + |
| 57 | +## Key considerations: |
| 58 | +- It is always recommended to install the latest PSW version supported by Intel and configure attestation policy with the latest TCB identifier available in Azure |
| 59 | +- If the PSW version of ACC node is lower than the minimum PSW version of the TCB baseline configured in SGX attestation policy, attestation scenarios will fail |
| 60 | +- If the PSW version of ACC node is greater than or equal to the minimum PSW version of the TCB baseline configured in SGX attestation policy, attestation scenarios will pass |
| 61 | +- For customers who do not configure a custom TCB baseline in attestation policy, attestation will be performed against the Azure default TCB baseline |
| 62 | +- For customers using an attestation policy without configurationrules section, attestation will be performed against the Azure default TCB baseline |
| 63 | + |
| 64 | + |
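Review bot: The section headed at line 54, "How to configure an attestation policy with custom TCB baseline using Azure portal experience", has no body, yet line 62 tells readers that attestation falls back to the Azure default baseline when the policy has no configurationrules section, so the one thing a user needs from this page (what the configurationrules section looks like and where the TCB identifier values listed at lines 41-51 go) is missing; either add the portal steps and a sample policy showing that section, or drop the heading until the content exists. Line 60 is also too strong: it promises that attestation "will pass" once the node's PSW version meets the baseline minimum, but line 17 describes the baseline as also covering CRLs, Intel certificates and QE identity, so the sentence should claim only that the TCB baseline check passes, not the whole attestation. Smaller points: the two fenced blocks (lines 31-37 and 40-52) are inconsistent with each other, with a stray closing quote in "TCB evaluation data number":" at lines 33 and 42, "Tcb" versus "TCB" for the release date field, trailing commas after the Linux version only at lines 44 and 50, and curly quotes around “azuredefault” at line 32; normalize them to one key/value layout. Line 17 expands Trusted Computing Base (TCB) twice, line 19 links ACC to /solutions/confidential-compute/ while every other link uses an /azure/... path (check that it resolves on the docs site), line 57 carries a trailing colon in the heading unlike the other headings, and line 62 should read "without a configurationrules section".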