Peform vTPM attestation programatically on Azure

Question

Peform vTPM attestation programatically on Azure

Karthik Jayaraman 1

I am trying to invoke Attest APIs (https://learn.microsoft.com/en-us/rest/api/attestation/attestation/attest-tpm?tabs=HTTP) on a Azure VM with vTPM enabled.

I followed this article and have created the following:

Azure Attestation Service in my subscription
A new policy for TPM attestation
Client with Attestation Reader role
A Ubuntu 20.04.5 instance with vTPM enabled (secure-boot disabled)

With all the pre-requisites setup, I am wondering if its possible for me to call Attestation APIs and perform attestation on-demand using the Attestation client libraries ?

OR, if the attestation is performed only by Azure automatically (the article does not indicate this), is it possible to read and verify the attestation results auto-triggered by Azure ? My objective is to see if I can create a client driven way to attest / verify attestation.

vipullag-MSFT 26,492 Reputation points Moderator

2023-01-02T06:41:15.197+00:00

@Karthik Jayaraman

Firstly, apologies for the delay in responding here. I am checking with internal team on this. Will update here once I hear back.
Karthik Jayaraman 1 Reputation point

2023-01-02T19:11:53.163+00:00

@vipullag-MSFT Additional question:

We are not able to find the right scope to be assigned our client application that will let the client invoke POST to /attest/Tpm to do the attestation. The only scopes we see wrt attestation are the ones related to attestation provider.

Is it possible to programmatically (REST API / SDK / CLI) to do the TPM attestation on-demand from a Azure VM with vTPM enabled ?
vipullag-MSFT 26,492 Reputation points Moderator

2023-01-04T09:12:54.627+00:00

@Karthik Jayaraman

I guess you are mixing scenarios. The steps you are trying to take are for hardware TPM attestation, but your environment seems to be using a Trusted launch VM with a virtual TPM.

To perform vTPM attestation, the VM must be either a Trusted Launch VM, or Confidential VM. The library to do this can be found here. The library can be used vTPM in either Trusted Launch VM or Confidential VM.

Hope this helps.
Karthik Jayaraman 1 Reputation point

2023-01-04T10:39:32.03+00:00
@vipullag-MSFT I have a couple of follow up questions:

If I create a trusted launch VM / Confidential VM, will I be able to perform vTPM attestation via Rest APIs ? Can you point me to the documentation to do that ?

Will I be able to use Python libs to do this ? Also, will I be able to do it on-demand (and not only at the VM boot / startup).
Karthik Jayaraman 1 Reputation point

2023-01-05T15:19:34.1+00:00

Hi @vipullag-MSFT Thank you for the prompt response.

I will take a look at the related library. But, is there a REST API that we can use to do the vTPM attestation ? Also, can we use the library / REST API on-demand to perform attestation ?

1 answer

Your answer

vipullag-MSFT 26,492 Reputation points Moderator

2023-01-02T06:41:15.197+00:00

@Karthik Jayaraman

Firstly, apologies for the delay in responding here. I am checking with internal team on this. Will update here once I hear back.
Karthik Jayaraman 1 Reputation point

2023-01-02T19:11:53.163+00:00

@vipullag-MSFT Additional question:

We are not able to find the right scope to be assigned our client application that will let the client invoke POST to /attest/Tpm to do the attestation. The only scopes we see wrt attestation are the ones related to attestation provider.

Is it possible to programmatically (REST API / SDK / CLI) to do the TPM attestation on-demand from a Azure VM with vTPM enabled ?
vipullag-MSFT 26,492 Reputation points Moderator

2023-01-04T09:12:54.627+00:00

@Karthik Jayaraman

I guess you are mixing scenarios. The steps you are trying to take are for hardware TPM attestation, but your environment seems to be using a Trusted launch VM with a virtual TPM.

To perform vTPM attestation, the VM must be either a Trusted Launch VM, or Confidential VM. The library to do this can be found here. The library can be used vTPM in either Trusted Launch VM or Confidential VM.

Hope this helps.
Karthik Jayaraman 1 Reputation point

2023-01-04T10:39:32.03+00:00

@vipullag-MSFT I have a couple of follow up questions:

If I create a trusted launch VM / Confidential VM, will I be able to perform vTPM attestation via Rest APIs ? Can you point me to the documentation to do that ?

Will I be able to use Python libs to do this ? Also, will I be able to do it on-demand (and not only at the VM boot / startup).
Karthik Jayaraman 1 Reputation point

2023-01-05T15:19:34.1+00:00

Hi @vipullag-MSFT Thank you for the prompt response.

I will take a look at the related library. But, is there a REST API that we can use to do the vTPM attestation ? Also, can we use the library / REST API on-demand to perform attestation ?

Answer 1

vipullag-MSFT 26,492 Moderator

@karthik jayaraman Please check this Python web API/Rest Interface to this attestation library. You can as well implement the same to achieve the goal of rest attestation API/Rest Interface confidential-container-samples/cvm-python-app-remoteattest at main · Azure-Samples/confidential-container-samples (github.com). Its build as a container but can as well work with direct deployments.

Share via

Peform vTPM attestation programatically on Azure

1 answer

Your answer