--- title: "Azure Confidential VM Attestation - Linux" slug: "azure-cvm-attestation-guide-linux" updated: 2026-05-25T09:36:16Z published: 2026-05-25T09:36:16Z --- > ## Documentation Index > Fetch the complete documentation index at: https://support.fortanix.com/llms.txt > Use this file to discover all available pages before exploring further. # Azure Confidential VM Attestation - Linux ## 1.0 Introduction This article describes the procedure for completing the attestation workflow for an Azure Confidential Virtual Machine (CVM) using Fortanix Confidential Computing Manager (CCM) in **Linux**-based environments. After configuring the application and image in Fortanix CCM and registering the required Platform Configuration Register (PCR) values, the Azure CVM must run the Fortanix Attestation Client for Linux to establish trust and register itself as an approved compute instance. ## 2.0 Prerequisites Before proceeding, ensure the following: - Ensure to download the Fortanix Azure CVM Attestation Client binary from [*here*](https://fortanix.zendesk.com/hc/en-us/articles/46157910024084-Fortanix-CCM-Attestation-Client-Linux). - The Azure CVM has been deployed and is accessible. - A Fortanix CCM application and its associated image have been created and approved. - PCR values collected from the Azure CVM environment have been mapped to the image in Fortanix CCM. *For more information on creating Azure VMs and performing PCR extraction, refer to*[*Azure Confidential VM Setup - Linux*](/v1/docs/azure-confidential-vm-setup-linux)*.* - Network access exists between the Azure CVM and Fortanix CCM endpoint. - You have access to the following configuration values: - Fortanix CCM tenant URL - Join token > [!NOTE] > NOTE > > Attestation cannot proceed if the application image has not been approved in Fortanix CCM. ## 3.0 Configure Execution Permissions Before configuring permissions, run the following command to make the `azure-cvm-attestation-client` file executable: ```bash chmod +x ./ccm_attestation_client_azure_cvm_linux ``` The attestation client can run either as root or as a restricted user, depending on system configuration. **Option 1: Run as root** No additional configuration is required. **Option 2: Run as non-root** Run the following command to verify whether TPM devices are readable by non-root users: ```bash stat -c%G /dev/tpmrm0 ``` If the output indicates the resource belongs to the `tss` group, run the following command to add the current user to this group: ```bash sudo usermod -aG tss $USER ``` > [!NOTE] > NOTE > > Log in again to apply the updated group membership. ## 4.0 Configure Environment Variables The Fortanix Attestation Client uses the following environment variables: > [!NOTE] > NOTE > > The `JOIN_TOKEN` is mandatory. Without it, the node will not register with Fortanix CCM. | Environment Variable | Default Value | Description | | --- | --- | --- | | `RUST_LOG` | `ERROR` | Set to `DEBUG` to enable verbose logging. | | `RUST_BACKTRACE` | `0` | Set to `1` to enable panic backtraces. | | `MANAGER_ENDPOINT` | https://ccm.fortanix.com | Fortanix CCM service endpoint for attestation requests. | | `JOIN_TOKEN` | `unset` | Must be set to the join token generated in Fortanix CCM. | Example configuration: ```bash export RUST_LOG=debug export MANAGER_ENDPOINT=https://ccm. fortanix.com export JOIN_TOKEN=cccccbrenhlrinntnlhubfuulnbfnnchrltbvcchbelc ``` ## 5.0 Generate Join Token from Fortanix CCM Perform the following steps to generate a Join Token from Fortanix CCM and register the node. 1. Log in to [https://ccm.fortanix.com](https://ccm.fortanix.com/). 2. Click the **Infrastructure**→ **Compute Nodes** menu item, and then click **+ ADD NODE**. ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Screenshot (3638)(3).png) **Figure 1: Enroll Compute Node** 3. In the**ENROLL COMPUTE NODE** window, a Join Token will be generated in the text box for "**Get a join token to register a compute node**". This Join Token is used by the compute node to authenticate itself. ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Screenshot (3639)(1).png) **Figure 2: Join token generated** 4. Click **COPY**to copy the Join Token. ## 6.0 Run the Attestation Client Run the following command to execute the attestation client: ```bash sudo -E ./ccm_attestation_client_azure_cvm_linux ``` > [!NOTE] > NOTE > > You can also set the environment variables and run the attestation client through a script. Example script: `test.sh` ```bash export RUST_LOG=debug export MANAGER_ENDPOINT=https://ccm.fortanix.com   export JOIN_TOKEN= sudo -E ./ccm_attestation_client_azure_cvm_linux ``` Run the script using the following command: ```bash bash test.sh ``` The above script sets the environment variables. The attestation process begins automatically. During this time, the client collects platform evidence, verifies signatures, and submits measurements to Fortanix CCM. The process may take several minutes, depending on the compute environment and network conditions. ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/CVM Linux- 5.png) **Figure 3: Evidence and certificate are fetched** > [!NOTE] > NOTE > > Running the attestation client multiple times for the same build generates a new certificate each time. This allows users to obtain new certificates when previous ones expire. ## 7.0 Verify Attestation Status in Fortanix CCM After the attestation client has completed execution, verify the attestation result in Fortanix CCM by confirming that the attestation certificate is available for download. Perform the following steps to download the certificate: 1. Log in to Fortanix CCM. 2. Navigate to **Applications** → **CVM Application** → **IMAGES** tab. 3. Click the overflow menu ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Screenshot (2558)(1).png) next to the image entry and select **VIEW CERTIFICATE**. ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/CVM Linux- 7.png) **Figure 4: View certificates** 4. Download the certificate and verify its validity. ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/CVM Linux- 8.png) **Figure 5: Download the certificate** Attestation is considered successful when the attestation certificate appears and is available for download. This confirms that the hardware measurements match the PCR values configured for the image.