Attestation in Confidential containers on Azure Container Instances

Attestation is an essential part of confidential computing and appears in the definition by the Confidential Computing Consortium “Confidential Computing is the protection of data in use by performing computation in a hardware-based, attested Trusted Execution Environment."

According to the Remote ATtestation procedureS (RATS) Architecture In remote attestation, “one peer (the "Attester") produces believable information about itself ("Evidence") to enable a remote peer (the "Relying Party") to decide whether to consider that Attester a trustworthy peer. Remote attestation procedures are facilitated by an additional vital party (the "Verifier").” In simpler terms, attestation is a way of proving that a computer system is trustworthy.

In Confidential Containers on ACI you can use an attestation token to verify that the container group

  • Is running on confidential computing hardware. In this case AMD SEV-SNP.
  • Is running on an Azure compliant utility VM.
  • Is enforcing the expected confidential computing enforcement (CCE) policy that was generated using tooling.

Full attestation

Expanding upon this concept of attestation. Full attestation captures all the components that are part of the Trusted Execution Environment that is remotely verifiable. To achieve full attestation, in Confidential Containers, we have introduced the notion of a CCE policy, which defines a set of rules, which is enforced in the utility VM. The security policy is encoded in the attestation report as an SHA-256 digest stored in the HostData attribute, as provided to the AMD SEV-SNP hardware by the host operating system during the VM boot-up. This means that the security policy enforced by the utility VM is immutable throughout the lifetime of the utility VM.

The exhaustive list of attributes that are part of the SEV-SNP attestation can be found here.

Some important fields to consider in an attestation token returned by Microsoft Azure Attestation ( MAA )

Claim Sample value Description
x-ms-attestation-type sevsnpvm String value that describes the attestation type. For example, in this scenario sevsnp hardware
x-ms-compliance-status azure-compliant-uvm Compliance status of the utility VM that runs the container group.
x-ms-sevsnpvm-hostdata 670fff86714a650a49b58fadc1e90fedae0eb32dd51e34931c1e7a1839c08f6f Hash of the CCE policy that was generated using tooling during deployment.
x-ms-sevsnpvm-is-debuggable false Flag to indicate whether the underlying hardware is running in debug mode

Sample attestation token generated by MAA

{
  "header": {
    "alg": "RS256",
    "jku": "https://sharedeus2.eus2.test.attest.azure.net/certs",
    "kid": "3bdCYJabzfhISFtb3J8yuEESZwufV7hhh08N3ZflAuE=",
    "typ": "JWT"
  },
  "payload": {
    "exp": 1680259997,
    "iat": 1680231197,
    "iss": "https://sharedeus2.eus2.test.attest.azure.net",
    "jti": "d288fef5880b1501ea70be1b9366840fd56f74e666a23224d6de113133cbd8d5",
    "nbf": 1680231197,
    "nonce": "3413764049005270139",
    "x-ms-attestation-type": "sevsnpvm",
    "x-ms-compliance-status": "azure-compliant-uvm",
    "x-ms-policy-hash": "9NY0VnTQ-IiBriBplVUpFbczcDaEBUwsiFYAzHu_gco",
    "x-ms-runtime": {
      "keys": [
        {
          "e": "AQAB",
          "key_ops": [
            "encrypt"
          ],
          "kid": "Nvhfuq2cCIOAB8XR4Xi9Pr0NP_9CeMzWQGtW_HALz_w",
          "kty": "RSA",
          "n": "v965SRmyp8zbG5eNFuDCmmiSeaHpujG2bC_keLSuzvDMLO1WyrUJveaa5bzMoO0pA46pXkmbqHisozVzpiNDLCo6d3z4TrGMeFPf2APIMu-RSrzN56qvHVyIr5caWfHWk-FMRDwAefyNYRHkdYYkgmFK44hhUdtlCAKEv5UQpFZjvh4iI9jVBdGYMyBaKQLhjI5WIh-QG6Za5sSuOCFMnmuyuvN5DflpLFz595Ss-EoBIY-Nil6lCtvcGgR-IbjUYHAOs5ajamTzgeO8kx3VCE9HcyKmyUZsiyiF6IDRp2Bpy3NHTjIz7tmkpTHx7tHnRtlfE2FUv0B6i_QYl_ZA5Q"
        }
      ]
    },
    "x-ms-sevsnpvm-authorkeydigest": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
    "x-ms-sevsnpvm-bootloader-svn": 3,
    "x-ms-sevsnpvm-familyId": "01000000000000000000000000000000",
    "x-ms-sevsnpvm-guestsvn": 2,
    "x-ms-sevsnpvm-hostdata": "670fff86714a650a49b58fadc1e90fedae0eb32dd51e34931c1e7a1839c08f6f",
    "x-ms-sevsnpvm-idkeydigest": "cf7e12541981e6cafd150b5236785f4364850e2c4963825f9ab1d8091040aea0964bb9a8835f966bdc174d9ad53b4582",
    "x-ms-sevsnpvm-imageId": "02000000000000000000000000000000",
    "x-ms-sevsnpvm-is-debuggable": false,
    "x-ms-sevsnpvm-launchmeasurement": "a1e1a4b64e8de5c664ceee069010441f74cf039065b5b847e82b9d1a7629aaf33d5591c6b18cee48a4dde481aa88d0fb",
    "x-ms-sevsnpvm-microcode-svn": 115,
    "x-ms-sevsnpvm-migration-allowed": false,
    "x-ms-sevsnpvm-reportdata": "7ab000a323b3c873f5b81bbe584e7c1a26bcf40dc27e00f8e0d144b1ed2d14f10000000000000000000000000000000000000000000000000000000000000000",
    "x-ms-sevsnpvm-reportid": "a489c8578fb2f54d895fc8d000a85b2ff4855c015e4fb7216495c4dba4598345",
    "x-ms-sevsnpvm-smt-allowed": true,
    "x-ms-sevsnpvm-snpfw-svn": 8,
    "x-ms-sevsnpvm-tee-svn": 0,
    "x-ms-sevsnpvm-uvm-endorsement": {
      "x-ms-sevsnpvm-guestsvn": "100",
      "x-ms-sevsnpvm-launchmeasurement": "a1e1a4b64e8de5c664ceee069010441f74cf039065b5b847e82b9d1a7629aaf33d5591c6b18cee48a4dde481aa88d0fb"
    },
    "x-ms-sevsnpvm-vmpl": 0,
    "x-ms-ver": "1.0"
  }
}

Generating an attestation token

We have open-sourced sidecar container implementations that provide an easy rest interface to get a raw SNP (Secure Nested Paging) report produced by the hardware or a MAA token. The sidecar is available at this repository and can be deployed with your container group.

Next steps