diff --git a/modules/ROOT/pages/provisioning-azure.adoc b/modules/ROOT/pages/provisioning-azure.adoc
index 06f7757b..68be67e7 100644
--- a/modules/ROOT/pages/provisioning-azure.adoc
+++ b/modules/ROOT/pages/provisioning-azure.adoc
@@ -83,3 +83,104 @@ az vm create -n "${az_vm_name}" -g "${az_resource_group}" --image "${az_image_na
 ----
 ssh core@
 ----
+
+== Launching a Confidential VM instance
+
+Note: For an overview about confidential VMs on Azure see https://learn.microsoft.com/en-us/azure/confidential-computing/confidential-vm-overview[confidential VM overview].
+
+To launch a confidential VM, we need to build image that supports confidential VMs using https://learn.microsoft.com/en-us/azure/virtual-machines/azure-compute-gallery[Azure Compute Gallery].
+
+. Example create gallery image that supports confidence
+[source, bash]
+----
+gallery_name="mygallery"
+gallery_image_definition="mygallery-def"
+gallery_image_version="1.0.0"
+
+# Create an image gallery
+az sig create --resource-group "${az_resource_group}" --gallery-name "${gallery_name}"
+
+# Create a gallery image definition
+az sig image-definition create \
+ --resource-group "${az_resource_group}" \
+ --gallery-name "${gallery_name}" \
+ --gallery-image-definition "${gallery_image_definition}" \
+ --publisher azure \
+ --offer example \
+ --sku standard \
+ --features SecurityType=ConfidentialVmSupported \
+ --os-type Linux \
+ --hyper-v-generation V2
+
+# get the source VHD URI of OS disk
+os_vhd_storage_account=$(az storage account list -g ${az_resource_group} | jq -r .[].id)
+
+# Create a new image version
+az sig image-version create \
+ --resource-group "${az_resource_group}" \
+ --gallery-name "${gallery_name}" \
+ --gallery-image-definition "${gallery_image_definition}" \
+ --gallery-image-version "${gallery_image_version}" \
+ --os-vhd-storage-account "${os_vhd_storage_account}" \
+ --os-vhd-uri https://${az_storage_account}.blob.core.windows.net/${az_container}/${az_image_blob}
+
+gallery_image_id=$(az sig image-version show --gallery-image-definition "${gallery_image_definition}" --gallery-image-version "${gallery_image_version}" --gallery-name "${gallery_name}" --resource-group $az_resource_group | jq -r .id)
+----
+
+To launch a confidential FCOS instance specify the confidential compute type, and a related https://learn.microsoft.com/en-us/azure/confidential-computing/virtual-machine-options[machine type] that supports confidential compute.
+
+From the command-line, use `--security-type ConfidentialVM` and `--size`.
+
+. Example launching a Confidential VM instance
+[source, bash]
+----
+vm_name="my-fcos-cvm"
+ignition_path="./config.ign"
+
+# Specify the size that supports confidence
+vm_size="Standard_DC2as_v5"
+
+# Create VM using generated Gallery image
+az vm create \
+ --name "${vm_name}" \
+ --resource-group $az_resource_group \
+ --size "${vm_size}" \
+ --image "${gallery_image_id}" \
+ --admin-username core \
+ --generate-ssh-keys \
+ --custom-data "$(cat ${ignition_path})" \
+ --enable-vtpm true \
+ --public-ip-sku Standard \
+ --security-type ConfidentialVM \
+ --os-disk-security-encryption-type VMGuestStateOnly \
+ --enable-secure-boot true
+----
+
+Note: We pass parameter `--enable-secure-boot true` to enable the secure boot, to disable secure boot should update the value to `false`.
+
+. Example Confidential VM Boot Verification
+[source, bash]
+----
+ssh core@
+# Confirm the VM is using `AMD SEV-SNP` confidential type
+sudo systemd-detect-virt --cvm
+sev-snp
+
+# Confirm the VM is using `Intel TDX` confidential type
+sudo systemd-detect-virt --cvm
+tdx
+----
+
+Note: Another way to confirm is looking at "Group B" and see that it ends with 2 (`HV_ISOLATION_TYPE_SNP`), or ends with 3 (`HV_ISOLATION_TYPE_TDX`).
+
+. Example Confidential VM Boot Verification by checking "Isolation Config"
+[source, bash]
+----
+# `AMD SEV-SNP` confidential type
+dmesg | grep "Hyper-V: Isolation Config"
+[ 0.000000] Hyper-V: Isolation Config: Group A 0x1, Group B 0xba2
+
+# `Intel TDX` confidential type
+dmesg | grep "Hyper-V: Isolation Config"
+[ 0.000000] Hyper-V: Isolation Config: Group A 0x1, Group B 0xbe3
+----
\ No newline at end of file
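Review bot: The storage-account lookup in the image-version step, `os_vhd_storage_account=$(az storage account list -g ${az_resource_group} | jq -r .[].id)`, returns the ID of every storage account in the resource group, so with more than one account the variable holds several newline-separated IDs and `az sig image-version create` gets a wrong or unparsable `--os-vhd-storage-account`. Since the `--os-vhd-uri` argument two lines later already names the account as `${az_storage_account}`, look that one up directly: `os_vhd_storage_account=$(az storage account show -g "${az_resource_group}" -n "${az_storage_account}" --query id -o tsv)`. The unquoted `$az_resource_group` (in the `az sig image-version show` and `az vm create` commands) and `${ignition_path}` should be quoted like the surrounding arguments. In the boot-verification steps, `systemd-detect-virt --cvm` and the `Hyper-V: Isolation Config` line only report the isolation type the guest observes and say nothing about whether secure boot was actually enabled, so a sentence stating that these checks are self-reporting and are not a substitute for verifying the launch state through the vTPM the listing enables with `--enable-vtpm true` would help readers who need stronger evidence.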