How to use Azure Attestation Service?

Nitish 61 Reputation points
2022-02-01T23:39:20.507+00:00

Here are the more specific questions about using Microsoft Azure Attestation Service that I would like clarified.

  1. Is there any documentation with examples of Attestation Policy and Attestation policy signer certificates for Confidential VMs based on AMD SEV-SNP?
  2. Can I use the default attestation policy when performing attestation of a Confidential VM (AMD SEV-SNP)?
  3. If I need to create a custom policy, what is the correct type of Attestation for a Confidential VM based on AMD SEV-SNP? (TPM?) And is there documentation available on the proper syntax for writing a custom Attestation policy for a confidential VM (SEV-SNP)?
  4. In this document, https://learn.microsoft.com/en-us/azure/confidential-computing/confidential-vm-overview#attestation-and-tpm
    how can the VM send an attestation request to Azure Attestation Service to properly boot up?
  5. During the confidential VM boot up on Azure, does the platform attestation happen automatically, or is there a need for us/the VM owner to validate any certificates/keys?
  6. How do I request an attestation report from a running Confidential VM after it boots up, using the Azure Portal?

Thank you.


Accepted answer
  1. srbhatta-MSFT 8,551 Reputation points Microsoft Employee
    2022-02-02T19:08:28.457+00:00

    Hi @Nitish ,

    Thank you for reaching out to Microsoft QnA Platform. Happy to answer your question. I checked internally and here are the responses to your queries.

    1. Is there any documentation with examples of Attestation Policy and Attestation policy signer certificates for Confidential VMs based on AMD SEV-SNP?
      -Not currently. However, documentation describing attestation flows and policies will be made available when the product reaches General Availability.
    2. Can I use the default attestation policy when performing attestation of a Confidential VM (AMD SEV-SNP)?
      -Attestation for Confidential VMs (based on AMD SEV-SNP) will be exposed to all customers in General Availability. At that point, customers will be able to use a default attestation policy, or their own.
    3. If I need to create a custom policy, what is the correct type of Attestation for a Confidential VM based on AMD SEV-SNP? (TPM?) And is there documentation available on the proper syntax for writing a custom Attestation policy for a confidential VM (SEV-SNP)?
      -Documentation describing attestation policies will be made available when the product reaches General Availability. Creating a custom policy will be optional and, in most cases, unnecessary.
    4. In this document, https://learn.microsoft.com/en-us/azure/confidential-computing/confidential-vm-overview#attestation-and-tpm, how can the VM send an attestation request to Azure Attestation Service to properly boot up?
      -During Confidential VM boot, the cloud operating system on the hosting server collects an attestation report signed by the AMD processor and sends it to the Microsoft Azure Attestation service for validation. This validation, signed by the attestation service, is then passed to the key vault service, which validates its authenticity (i.e. that it was created by the Microsoft Azure Attestation service) and uses it to release the key that is necessary for the Confidential VM to decrypt and boot on the hosting server.
    5. During the confidential VM boot up on Azure, does the platform attestation happen automatically, or is there a need for us/the VM owner to validate any certificates/keys?
      -Platform attestation occurs automatically as part of the boot flow, using a default policy that is maintained by Azure. Customers do not need to validate any keys or certificates. Once in General Availability, Azure will expose the same functionality to customers, who can optionally decide to attest their confidential VMs once they have booted.
    6. How do I request an attestation report from a running Confidential VM after it boots up, using the Azure Portal?
      -This will be documented when the product is in General Availability. In a nutshell, we will be providing an open-source library which collects the report from within the VM. Customers can integrate this library into new or existing security workflows.

    I hope this answers your queries.

    Please don't forget to "Accept as Answer" and "Upvote" if you think my response was helpful, so that it can help others in the community looking for help on similar queries.
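The step in answer 4 where the signed validation is handed to the key vault, which checks that it really came from the attestation service and only then releases the disk key, is a relying-party check of a signed token. The Go program below is an added example, not code from the question, the answer, or Microsoft: a stand-in "attestation service" signs claims as an RS256 JWS, and the relying party verifies the signature against a pinned issuer public key, then checks issuer, validity window and policy result, and releases the key only if every check holds. The locally generated RSA key, the issuer URL https://attest.example/, and the claim names tee and compliance with their values are assumptions for this example; they are not Azure Attestation's actual claim set, and a real relying party would fetch the service's signing keys from its published metadata endpoint over TLS rather than generate them itself.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is a minimal stand-in for an attestation token payload. The claim
// names tee and compliance are assumptions for this example, not real claims.
type Claims struct {
	Iss        string `json:"iss"`
	Nbf        int64  `json:"nbf"`
	Exp        int64  `json:"exp"`
	TEE        string `json:"tee"`
	Compliance string `json:"compliance"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// issueToken plays the attestation service: it signs the claims as an RS256 JWS.
func issueToken(priv *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256"})
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// verifyToken plays the relying party (the role the key vault has in the boot
// flow): the signature is checked against a pinned issuer key before any claim
// is trusted, then issuer and validity window, then the policy result.
func verifyToken(pub *rsa.PublicKey, token, wantIss string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	// Pin the algorithm: rejects "none" and key-type confusion before any crypto runs.
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unexpected alg")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature does not verify against the pinned issuer key")
	}
	body, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(body, &c); err != nil {
		return nil, err
	}
	if c.Iss != wantIss {
		return nil, fmt.Errorf("unexpected issuer %q", c.Iss)
	}
	if t := now.Unix(); t < c.Nbf || t >= c.Exp {
		return nil, errors.New("token outside its validity window")
	}
	if c.TEE != "sevsnpvm" || c.Compliance != "azure-compliant-cvm" {
		return nil, fmt.Errorf("policy not satisfied: tee=%q compliance=%q", c.TEE, c.Compliance)
	}
	return &c, nil
}

// releaseKey is the guarded step: the key is returned only for a token that verifies.
func releaseKey(pub *rsa.PublicKey, token, wantIss string, key []byte, now time.Time) ([]byte, error) {
	if _, err := verifyToken(pub, token, wantIss, now); err != nil {
		return nil, err
	}
	return key, nil
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // stands in for the service's signing key
	if err != nil {
		panic(err)
	}
	now := time.Now()
	tok, _ := issueToken(priv, Claims{Iss: "https://attest.example/", Nbf: now.Unix() - 60,
		Exp: now.Unix() + 600, TEE: "sevsnpvm", Compliance: "azure-compliant-cvm"})
	_, err = releaseKey(&priv.PublicKey, tok, "https://attest.example/", []byte("disk-key"), now)
	fmt.Println("fresh token releases key:", err == nil)
	_, err = releaseKey(&priv.PublicKey, tok, "https://attest.example/", []byte("disk-key"), now.Add(time.Hour))
	fmt.Println("expired token rejected:", err)
}
```

The order of checks is the point: the signature is verified against a key the relying party already trusts before any claim in the payload is read, and the algorithm is pinned so a forged header cannot downgrade the check. Only after issuer, time window and the policy result pass does the key leave the vault.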

