From b7fd6a2e3a1e30dba77fa46ddb74c4763f38e6f0 Mon Sep 17 00:00:00 2001 From: Moritz Eckert Date: Mon, 22 Jan 2024 15:53:14 +0100 Subject: [PATCH] Apply suggestions from code review Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> --- docs/docs/getting-started/marketplaces.md | 3 ++- docs/docs/overview/clouds.md | 4 ++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/docs/docs/getting-started/marketplaces.md b/docs/docs/getting-started/marketplaces.md index 8e730ce1f..62fcff5b6 100644 --- a/docs/docs/getting-started/marketplaces.md +++ b/docs/docs/getting-started/marketplaces.md @@ -6,7 +6,8 @@ This document explains how to run Constellation with the dynamically billed clou ## Azure -On Azure, Constellation has a private marketplace plan. Please [contact us](https://www.edgeless.systems/enterprise-support/) directly to gain access. +On Azure, Constellation has a private marketplace plan. Please [contact us](https://www.edgeless.systems/enterprise-support/) to gain access. + To use a marketplace image, you need to accept the marketplace image's terms once for your subscription with the [Azure CLI](https://learn.microsoft.com/en-us/cli/azure/vm/image/terms?view=azure-cli-latest): ```bash diff --git a/docs/docs/overview/clouds.md b/docs/docs/overview/clouds.md index c01491297..8cc42a990 100644 --- a/docs/docs/overview/clouds.md +++ b/docs/docs/overview/clouds.md @@ -5,7 +5,7 @@ What works on which cloud? Currently, Confidential VMs (CVMs) are available in v For Constellation, the ideal environment provides the following: 1. Ability to run arbitrary software and images inside CVMs -2. CVMs based on AMD SEV-SNP (available in EPYC CPUs since the Milan generation) or, Intel TDX (available in Xeon CPUs since the Sapphire Rapids generation) +2. CVMs based on AMD SEV-SNP (available in EPYC CPUs since the Milan generation) or Intel TDX (available in Xeon CPUs since the Sapphire Rapids generation) 3. Ability for CVM guests to obtain raw hardware attestation statements 4. Reviewable, open-source firmware inside CVMs 5. Capability of the firmware to attest the integrity of the code it passes control to, e.g., with an embedded virtual TPM (vTPM) @@ -27,7 +27,7 @@ The following table summarizes the state of features for different infrastructur With its [CVM offering](https://docs.microsoft.com/en-us/azure/confidential-computing/confidential-vm-overview), Azure provides the best foundations for Constellation. Regarding (3), Azure provides direct access to remote-attestation statements. The firmware runs in an isolated domain inside the CVM and exposes a vTPM (5), but it's closed source (4). -On SEV-SNP Azure leverages VM Privilege Level (VMPL) isolation for the separation of firmware and the rest of the VM, on TDX they leverage TD partitioning. +On SEV-SNP, Azure uses VM Privilege Level (VMPL) isolation for the separation of firmware and the rest of the VM; on TDX, they use TD partitioning. This firmware is signed by Azure. The signature is reflected in the remote-attestation statements of CVMs. Thus, the Azure closed-source firmware becomes part of Constellation's trusted computing base (TCB).