What Is Azure Attestation and How Does It Work

Azure Attestation is a service that helps you verify the integrity and authenticity of your Azure resources, such as virtual machines and storage accounts.

It works by using a trusted platform module (TPM) to create a unique identifier for each resource, which is then stored in a secure database.

This identifier, known as an attestation report, can be used to verify the resource's integrity and authenticity.

Azure Attestation is designed to provide an additional layer of security for your Azure resources, helping to prevent tampering and unauthorized access.

The Azure Attestation service provides four major families of functionality in its preview SDK.

One of the key features is SGX and TPM enclave attestation. This process validates evidence collected from a trusted execution environment to ensure it meets the Azure baseline and customer-defined policies.

Attestation Policy management is another significant feature, allowing customers to manage their attestation policies. This includes the management of certificates.

The service also supports MAA Attestation Token signing certificate discovery and validation. This feature is crucial for ensuring the integrity of the attestation process.

Azure Attestation runs in two separate modes: "Isolated" and "AAD". In "Isolated" mode, customers need to provide additional information beyond their authentication credentials to verify their authorization.

Each region supports a "shared" instance, which can be used to attest SGX enclaves against the Azure baseline. However, TPM attestation is not available in the shared instance.

Here are the four major families of functionality provided by the Azure Attestation service:

Microsoft invests more than $1 billion annually on cybersecurity research and development, demonstrating their commitment to security and compliance. This investment is a significant factor in the robust security features of Azure Attestation.

More than 3,500 security experts are employed by Microsoft, dedicated to data security and privacy. This team of experts is crucial in ensuring the security and compliance of Azure Attestation.

Azure Attestation services are available at no additional cost, making it an attractive option for organizations looking to enhance their security and compliance.

Here are the key features of Azure Attestation that contribute to its security and compliance:

Microsoft invests more than $1 billion annually on cybersecurity research and development. This significant investment is a testament to the company's commitment to creating secure and reliable products.

We employ more than 3,500 security experts who are dedicated to data security and privacy. These experts work tirelessly to ensure that Microsoft's products and services meet the highest standards of security.

Azure Attestation services are available at no additional cost. This means that customers can take advantage of comprehensive attestation services without incurring any extra expenses.

Here are some key benefits of Azure Attestation's built-in security and compliance features:

Data exchanges are a crucial aspect of security and compliance, and understanding how they work can help you navigate complex systems.

Attestation is a process where an Attester conveys its Evidence to a Verifier for Appraisal, and the Relying Party receives the Attestation Result from the Verifier. This process can be likened to real-life examples involving passports and background checks.

The Passport Model and Background-Check Model are two reference models used to describe the attestation process. In the Passport Model, citizens assume the role of Attesters, while passport-issuing agencies take on the role of Verifiers. The passport itself represents an Attestation Result.

Failures may occur if Evidence or Attestation Results do not meet the Appraisal Policies or if Verifiers are inaccessible. In the Background-Check Model, information flows through a few distinct stages: the Attester provides Evidence to the Relying Party, which then transmits this Evidence to the Verifier.

The Verifier evaluates the Evidence against its Appraisal Policy and produces an Attestation Result. This Attestation Result is then communicated back to the Relying Party. The Relying Party assesses the Attestation Result based on its specific Appraisal Policy.

The Relying Party does not process the Evidence itself; instead, it sits between the Attester and Relying Party. To optimize efficiency, the RFC recommends aligning the format of the Attestation Result with the pre-existing serialization format supported by the Relying Party.

Azure Attestation verifies the identity and security posture of a platform before you interact with it, producing an attestation token for claims-based applications.

This service supports attestation of trusted platform modules (TPMs) and trusted execution environments (TEEs) like Intel Software Guard Extensions (SGX) and virtualization-based security (VBS) enclaves.

Attestation of multiple platforms like TEEs and TPMs is supported, giving you flexibility in your security setup.

Custom attestation providers can be configured for fine-grained control and enforce user-defined policies, allowing you to tailor your security to your specific needs.

Default attestation providers simplify attestation without the need for additional configuration, making it easier to get started with Azure Attestation.

Azure Confidential VM (CVM) is based on AMD processors with SEV-SNP technology, offering VM OS disk encryption with platform-managed keys or customer-managed keys.

The CVM binds the disk encryption keys to the virtual machine's TPM, ensuring that the keys are secure and only accessible to authorized parties.

When a CVM boots up, the SNP report containing the guest VM firmware measurements is sent to Azure Attestation, which validates the measurements and issues an attestation token.

This attestation token is used to release keys from Managed-HSM or Azure Key Vault, which are then used to decrypt the vTPM state of the guest VM, unlock the OS disk, and start the CVM.

The attestation and key release process is performed automatically on each CVM boot, ensuring that the CVM boots up only upon successful attestation of the hardware.

Azure Confidential Containers is based on AMD processors with SEV-SNP technology, offering the ability to run groups of containers in an SEV-SNP protected trusted execution environment.

This trusted execution environment isolates the group of containers from the container management control plane and other running containers, providing an additional layer of security.

Business Continuity and Disaster Recovery (BCDR) support is a crucial aspect of Azure Attestation's security features. It ensures that your service remains available even in the face of significant availability issues or disaster events in a region.

Clusters deployed in two regions operate independently under normal circumstances. This means that if one region experiences a fault or outage, the other region can take over seamlessly.

Azure Attestation BCDR provides seamless failover, which means customers don't need to take any extra steps to recover. This is a significant advantage, as it minimizes downtime and ensures business continuity.

Here's what happens during a failover:

This means that customers can continue to work on data plane operations with the original URI corresponding to the primary region. This is a key benefit of Azure Attestation's BCDR support, as it allows customers to maintain business continuity even in the face of regional outages.

Azure Attestation operates within three distinct trust models: Shared, Azure AD (AAD) authorization, and Isolated. Each model defines the authorization model for attestation providers in terms of creating and updating appraisal policies.

In the Shared trust model, customers are not required to create an instance of the provider, but they can still perform attestation operations. However, they cannot update policy settings.

The AAD trust model requires customers to create an instance of the provider, and it uses Azure's Role-Based Access Control (RBAC) for authorization decisions related to policy management. Attestation policies can be cryptographically signed or remain unsigned under this model.

Isolated mode, on the other hand, also requires customers to create an instance of the provider and allows for more advanced attestation operations, including policy management and signed policies.

Here's a summary of the key differences between the three trust models:

Policy Management is crucial in Azure Attestation, ensuring that each attestation service instance has a policy applied to it which defines additional criteria.

Each policy is instanced on a per-attestation type basis, with the AttestationType parameter defining the type to retrieve. You can use the set_policy method to retrieve the attestation policy from the service.

Azure Attestation evaluates the platform evidence against your policies to ensure that the binaries running inside the platform haven’t been tampered with by external entities. If your attestation provider allows signed policies, Azure Attestation will use your signer certificates to validate the signed policies and authenticate the users.

Here are the two properties provided in the PolicyResult that can be used to verify that the service received the policy document:

In Azure, you can simplify attestation with a default provider that's easily accessible without configuration.

This default provider is available for all Azure Active Directory (Azure AD) users, making it a convenient option.

You can access a default provider in your Azure region for attestation services, eliminating the need for configuration.

This feature is a great time-saver, allowing you to quickly get started with attestation without any hassle.

Default providers are available for all Azure AD users, so you can take advantage of this feature regardless of your user type.

Policy management is a critical aspect of Azure Attestation, allowing you to define and enforce customized attestation policies.

Each attestation service instance has a policy applied to it, which defines additional criteria that the customer has defined. This policy is instanced on a per-attestation type basis, and the AttestationType parameter defines the type to retrieve.

You can retrieve the attestation policy from the service using the get_policy method, which is also known as the set_policy method. This method retrieves the attestation policy from the service.

Here's a summary of the policy management options:

You can also use the set_policy method to set a signing certificate and private key to validate that the caller is authorized to modify policy on the attestation instance. If the service instance is running in AAD mode, then the signing certificate and key are optional.

To get started with policy management, you'll need to have a few things in place. First and foremost, you'll need an Azure subscription. This will give you access to all the necessary tools and services to manage your policies effectively.

You can sign up for a free trial or use your Visual Studio Subscription benefits to create an account if you don't already have one. This will get you started with the Azure platform.

You'll also need an existing Azure Attestation Instance, or you can use the "shared provider" available in each Azure region. If you need to create an Azure Attestation service instance, you can use the Azure Portal or Azure CLI.

Here are the specific requirements in a concise list:

File hashes are a crucial aspect of policy management, ensuring the integrity and authenticity of files. They provide a digital fingerprint that can be used to verify the file's contents.

SHA256 hashes are widely used and considered secure, as seen in the example of the azure-security-attestation-1.0.0.zip file, which has a SHA256 hash of 0bf814db4225d418b3332f2226537142849c0a45a638a5da380fd3f7c241a2da.

The file azure_security_attestation-1.0.0-py2.py3-none-any.whl has a SHA256 hash of 9a1042cdc2f3fc20a2e006f3541b3b32666c284fb2427ddb900cf8e0e786dd3f.

Here are the hash algorithms and their corresponding hash digests for the two files:

These hash digests can be used to verify the integrity of the files, ensuring they have not been tampered with or corrupted during transmission.

The Azure Attestation client library for Python is a powerful tool that allows you to verify the trustworthiness of a platform and integrity of the binaries running inside it.

This library is specifically designed for the Microsoft Azure Attestation (MAA) service, which supports attestation of platforms backed by Trusted Platform Modules (TPMs) and Trusted Execution Environments (TEEs) like Intel Software Guard Extensions (SGX) enclaves and Virtualization-based Security (VBS) enclaves.

You can create a client instance at any uri endpoint with the library, which is a crucial step in using Azure Attestation.

The library has been thoroughly tested with Python versions 2.7, 3.6 to 3.9, ensuring that you can use it with your preferred version of Python.

To get started with the Azure Attestation client library, you'll need to install it from PyPI, which is a straightforward process that you can complete in just a few steps.

When you're working with Azure Attestation, you'll likely run into some issues that need troubleshooting. Most Attestation service operations will raise exceptions defined in Azure Core.

These exceptions are designed to be helpful, with specific error codes that can guide you towards a solution. Many of these errors are even recoverable, which is a relief.

To get the most out of Azure Attestation, it's essential to understand how to handle these exceptions. The attestation service APIs will throw a HttpResponseError on failure, so be prepared to catch and handle these errors.

For more in-depth troubleshooting information, you can check out the additional resources available for the MAA service.

Runtime and Init Data is a crucial aspect of the attestation process.

The Azure Attestation service validates the first 32 bytes of the report_data field in the SGX Quote/OE Report/OE Evidence against the SHA256 hash of the runtime_data provided by the caller to the attest API.

You can configure the SGX enclave being attested using InitTime data.

InitTime data is not supported on Azure DCsv2-Series virtual machines.

Troubleshooting can be a real challenge, especially when working with complex systems like the Attestation service. Most Attestation service operations will raise exceptions defined in Azure Core.

These exceptions are designed to be helpful, providing you with useful error codes that can aid in recovery. Many of these errors are recoverable, which means you can often fix the issue without too much hassle.

The attestation service APIs will throw a HttpResponseError on failure, giving you a clear indication of what went wrong. This error message can be a lifesaver when troubleshooting.

Additional troubleshooting information for the MAA service can be found in the provided link, so be sure to check it out if you're having trouble.

Azure Attestation offers a unified framework for attesting multiple environments such as TPMs, SGX enclaves, and VBS enclaves.

This comprehensive approach allows you to create custom attestation providers and configure policies to restrict token generation.

For instance, you can use Azure Attestation to protect data while it's in use with implementation in an SGX enclave or Confidential Virtual Machine based on AMD SEV-SNP.

This is particularly useful for applications that require high levels of security and confidentiality.

Azure Attestation is a highly available service, ensuring that your attestation needs are always met.

Here are some key use cases for Azure Attestation: