Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2024-10-01 01:36:09 -04:00
Code Issues Packages Projects Releases Wiki Activity

docs: update clouds and marketplaces

Browse Source 
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
This commit is contained in:
Moritz Eckert 2024-01-24 09:57:35 +01:00 committed by GitHub
parent ad5ff6e1bb
commit da26daeb49
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 56 additions and 44 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
dev-docs/workflows/marketplace-images.md
View File

@ -1,36 +0,0 @@
# Using Marketplace Images in Constellation
This document explains the steps a user needs to take to run Constellation with dynamic billing via the cloud marketplaces.
## AWS
Marketplace Images on AWS are not available yet.
## Azure
On Azure, to use a marketplace image, ensure that the subscription has accepted the agreement to use marketplace images:
```bash
az vm image terms accept --publisher edgelesssystems --offer constellation --plan constellation
```
Then, set the VMs to use the marketplace image in the `constellation-conf.yaml` file:
```bash
yq eval -i ".provider.azure.useMarketplaceImage = true" constellation-conf.yaml
```
And ensure that the cluster uses a release image (i.e. `.image=vX.Y.Z` in the `constellation-conf.yaml` file). Afterwards, proceed with the cluster creation as usual.
## GCP
On GCP, to use a marketplace image, ensure that the account is entitled to use marketplace images by Edgeless Systems
by accepting the terms through the [web portal](https://console.cloud.google.com/marketplace/vm/config/edgeless-systems-public/constellation).
Then, set the VMs to use the marketplace image in the `constellation-conf.yaml` file:
```bash
yq eval -i ".provider.gcp.useMarketplaceImage = true" constellation-conf.yaml
```
And ensure that the cluster uses a release image (i.e. `.image=vX.Y.Z` in the `constellation-conf.yaml` file). Afterwards, proceed with the cluster creation as usual.

39
docs/docs/getting-started/marketplaces.md Normal file
View File

@ -0,0 +1,39 @@
# Using Constellation via Cloud Marketplaces
Constellation is available through the Marketplaces of Azure and GCP. This allows you to create self-managed Constellation clusters that are billed on a pay-per-use basis (hourly, per vCPU) with your CSP account. You can still get direct support by Edgeless Systems. For more information, please [contact us](https://www.edgeless.systems/enterprise-support/).
This document explains how to run Constellation with the dynamically billed cloud marketplace images.
## Azure
On Azure, Constellation has a private marketplace plan. Please [contact us](https://www.edgeless.systems/enterprise-support/) to gain access.
To use a marketplace image, you need to accept the marketplace image's terms once for your subscription with the [Azure CLI](https://learn.microsoft.com/en-us/cli/azure/vm/image/terms?view=azure-cli-latest):
```bash
az vm image terms accept --publisher edgelesssystems --offer constellation --plan constellation
```
Then, enable the use of marketplace images in your Constellation `constellation-conf.yaml` [config file](../workflows/config.md):
```bash
yq eval -i ".provider.azure.useMarketplaceImage = true" constellation-conf.yaml
```
Ensure that the cluster uses an official release image version (i.e., `.image=vX.Y.Z` in the `constellation-conf.yaml` file).
From there, you can proceed with the [cluster creation](../workflows/create.md) as usual.
## GCP
On GCP, to use a marketplace image, ensure that the account is entitled to use marketplace images by Edgeless Systems by accepting the terms through the [web portal](https://console.cloud.google.com/marketplace/vm/config/edgeless-systems-public/constellation).
Then, enable the use of marketplace images in your Constellation `constellation-conf.yaml` [config file](../workflows/config.md):
```bash
yq eval -i ".provider.gcp.useMarketplaceImage = true" constellation-conf.yaml
```
Ensure that the cluster uses an official release image version (i.e., `.image=vX.Y.Z` in the `constellation-conf.yaml` file).
From there, you can proceed with the [cluster creation](../workflows/create.md) as usual.

20
docs/docs/overview/clouds.md
View File

@ -5,7 +5,7 @@ What works on which cloud? Currently, Confidential VMs (CVMs) are available in v
For Constellation, the ideal environment provides the following:
1. Ability to run arbitrary software and images inside CVMs
2. CVMs based on AMD SEV-SNP (available in EPYC CPUs since the Milan generation) or, in the future, Intel TDX (available in Xeon CPUs from the Sapphire Rapids generation onward)
2. CVMs based on AMD SEV-SNP (available in EPYC CPUs since the Milan generation) or Intel TDX (available in Xeon CPUs since the Sapphire Rapids generation)
3. Ability for CVM guests to obtain raw hardware attestation statements
4. Reviewable, open-source firmware inside CVMs
5. Capability of the firmware to attest the integrity of the code it passes control to, e.g., with an embedded virtual TPM (vTPM)
@ -19,27 +19,31 @@ The following table summarizes the state of features for different infrastructur
| **1. Custom images** | Yes | Yes | Yes | Yes |
| **2. SEV-SNP or TDX** | Yes | Yes | Yes | Depends on kernel/HV |
| **3. Raw guest attestation** | Yes | Yes | Yes | Depends on kernel/HV |
| **4. Reviewable firmware** | No* | No | Yes | Depends on kernel/HV |
| **4. Reviewable firmware** | No | No | Yes | Depends on kernel/HV |
| **5. Confidential measured boot** | Yes | No | No | Depends on kernel/HV |
## Microsoft Azure
With its [CVM offering](https://docs.microsoft.com/en-us/azure/confidential-computing/confidential-vm-overview), Azure provides the best foundations for Constellation.
Regarding (3), Azure provides direct access to remote-attestation statements.
The CVM firmware running in VM Privilege Level (VMPL) 0 provides a vTPM (5), but it's closed source (4).
The firmware runs in an isolated domain inside the CVM and exposes a vTPM (5), but it's closed source (4).
On SEV-SNP, Azure uses VM Privilege Level (VMPL) isolation for the separation of firmware and the rest of the VM; on TDX, they use TD partitioning.
This firmware is signed by Azure.
The signature is reflected in the remote-attestation statements of CVMs.
Thus, the Azure closed-source firmware becomes part of Constellation's trusted computing base (TCB).
\* Recently, Azure [announced](https://techcommunity.microsoft.com/t5/azure-confidential-computing/azure-confidential-vms-using-sev-snp-dcasv5-ecasv5-are-now/ba-p/3573747) the *limited preview* of CVMs with customizable firmware. With this CVM type, (4) switches from *No* to *Yes*. Constellation will support customizable firmware on Azure in the future.
## Google Cloud Platform (GCP)
The [CVMs Generally Available in GCP](https://cloud.google.com/compute/confidential-vm/docs/create-confidential-vm-instance) are based on AMD SEV but don't have SNP features enabled.
CVMs with SEV-SNP enabled are currently in [private preview](https://cloud.google.com/blog/products/identity-security/rsa-snp-vm-more-confidential). Regarding (3), with their SEV-SNP offering Google provides direct access to remote-attestation statements.
However, regarding (4), the CVMs still include closed-source firmware.
CVMs with SEV-SNP enabled are currently in [public preview](https://cloud.google.com/blog/products/identity-security/rsa-snp-vm-more-confidential). Regarding (3), with their SEV-SNP offering Google provides direct access to remote-attestation statements.
However, regarding (5), attestation is partially based on the [Shielded VM vTPM](https://cloud.google.com/compute/shielded-vm/docs/shielded-vm#vtpm) for [measured boot](../architecture/attestation.md#measured-boot), which is a vTPM managed by Google's hypervisor.
Hence, the hypervisor is currently part of Constellation's TCB.
Regarding (4), the CVMs still include closed-source firmware.
Intel and Google have [collaborated](https://cloud.google.com/blog/products/identity-security/rsa-google-intel-confidential-computing-more-secure) to enhance the security of TDX, and have recently [revealed](https://venturebeat.com/security/intel-launches-confidential-computing-solution-for-virtual-machines/) their plans to make TDX compatible with Google Cloud.
In the past, Intel and Google have [collaborated](https://cloud.google.com/blog/products/identity-security/rsa-google-intel-confidential-computing-more-secure) to enhance the security of TDX.
Recently, Google has announced a [private preview for TDX](https://cloud.google.com/blog/products/identity-security/confidential-vms-on-intel-cpus-your-datas-new-intelligent-defense?hl=en).
With TDX on Google, Constellation has a similar TCB and attestation flow as with the current SEV-SNP offering.
## Amazon Web Services (AWS)

5
docs/sidebars.js
View File

@ -96,6 +96,11 @@ const sidebars = {
label: 'First steps (local)',
id: 'getting-started/first-steps-local',
},
{
type: 'doc',
label: 'Cloud Marketplaces',
id: 'getting-started/marketplaces',
},
{
type: 'category',
label: 'Examples',