Azure Confidential VM Setup - Linux

1.0 Introduction

This article describes the procedure for configuring a Fortanix Confidential Computing Manager (CCM) deployment to work with an Azure Confidential Virtual Machine (CVM) in Linux-based environment.

The setup includes creating a Linux CVM in the Azure portal and preparing the attestation configuration required to register and validate the workload in Fortanix CCM.

2.0 Prerequisites

Before you begin, ensure the following requirements are met:

• You have access to an active Azure subscription and permissions to create and manage Confidential Virtual Machines in the Azure portal.

• You have determined which PCR indexes (such as PCR0, PCR1, PCR7, and so on) your attestation policy should validate.

2.1 Azure CVM Requirements

Azure Confidential VMs provide hardware-based memory encryption and attestation. Your VM image must be compatible with Azure’s confidential computing requirements while also enforcing strong OS-level security.

• Hardware Requirements:

  • VM SKU: You must use an Azure Confidential Computing VM family that supports AMD SEV-SNP technology and includes an “a” in the VM size. Supported families include DCasv5, ECasv5 series, or NCCasv5.

  • Generation: Generation 2 VM images are mandatory.

  • Boot Architecture: The Azure CVMs must use Unified Extensible Firmware Interface (UEFI) boot. Legacy Basic Input/Output System (BIOS) boot is not supported.

• Security Features: The following features are hardware-enforced and must be validated for the Azure CVM:

  • Secure Boot is enabled.

  • Virtual Trusted Platform Module (vTPM) is enabled.

  Refer to the following Microsoft Azure documentation for instructions on enabling these features:

  • Create a confidential VM with the Azure CLI for Azure confidential computing

  • Create a custom image for Azure confidential VMs

• OS Requirements: The Fortanix Attestation Client supports Linux - Ubuntu 24.04 LTS.

2.2 Image Requirements

Ensure the Azure CVM image meets the following requirements:

• The operating system (OS) image must be immutable, with no package updates or runtime modifications.

• All interactive access must be disabled, including:

  • No SSH (do not install openssh-server)

  • Locked root account

  • Disable console logins (mask getty services)

• The image must contain only the components necessary to run the intended software.

• Minimal internet access: only signed and verified files must be downloaded during image build or runtime.

• A Unified Kernel Image (UKI) must be used to maintain a trusted, secure boot chain.

• Only the required packages and dependencies must be installed.

• The root filesystem (/) must be mounted as read-only.

• TPM tooling must be included for attestation and measurement collection.

• dm-verity must be enabled to verify filesystem integrity.

• Only signed and verified files must be downloaded and used during image creation and runtime.

• Mutual TLS (mTLS) must be used for authenticated and encryption communication.

• SELinux or AppArmor must be enabled to enforce mandatory access controls.

3.0 Fortanix Azure CVM Setup

This section describes the steps to deploy a Confidential Virtual Machine (CVM) in the Azure portal.

Perform the following steps:

1. Log in to the Azure portal using https://portal.azure.com/.

2. In the left navigation panel, select Virtual machines and click + Create.

3. From the Create drop down menu, select the Virtual machine option.

4. On the Basics tab, configure the required details:

   1. Subscription: Select the required Azure subscription.

      1. Resource group: Select an existing resource group or create a new one. For example, demo-vm_group.

   2. Instance details:

      1. Virtual machine name: Enter a unique name for your CVM instance in Azure.

      2. Region: Select a region that supports Confidential Computing workloads. Azure CVM options appear only in supported regions.

      3. Availability options: Select the availability configuration based on redundancy requirements. For example, no redundancy or availability zones.

      4. Zone options: Select Self-selected zone.

      5. Availability zone: Select the appropriate zone.

      6. Security type: Select Confidential virtual machines to enable a hardware-based trusted execution environment.

      7. Image: Select Ubuntu Server 24.04 LTS (Confidential VM) – x64 Gen2 to support Azure CVM deployment for Linux OS.

      8. VM architecture: Select x64 processor architecture .

      9. Run with Azure Spot discount (Optional): Enables reduced cost and non-production deployments. This is not recommended for workloads requiring guaranteed uptime.

      10. Size: Select the VM size as Standard_DC4as_v5 – 4 vCPUs, 16 GiB memory for Linux OS.

   3. Authentication account:

      1. Authentication type: Select SSH public key or Password-based authentication to access the VM.

      2. Username: Enter the administrator username used to access the VM.

      3. SSH public key source: Select Generate new key pair to create and store a new SSH key pair.

      4. SSH Key Type: Select the RSA SSH Format option for secure access.

      5. Key pair name: Enter a name for the generated SSH key pair.

   4. Inbound port rules:

      1. Public inbound ports: Select Allow selected ports to allow controlled public network access.

      2. Select inbound ports: Select SSH (22) to allow remote access to the VM.

         NOTE

         This will allow all IP addresses to access your virtual machine.

5. Click Review + create at the bottom of the screen.

   

6. Once validation completes successfully, click Create to create the Azure CVM.

7. After creating the VM, connect to it using SSH to generate the PCR values required for attestation.

4.0 Install Dependencies

The attestation client requires Trusted Platform Module (TPM) communication libraries and OpenSSL to read platform measurements and submit attestation evidence.

Run the following command to refresh the package lists:

sudo apt update && sudo apt upgrade

Run the following command to install all required dependencies on the VM created in the previous section:

sudo apt-get install -y tpm2-tools

4.1 Dependency Details

The following table lists the required system libraries and services needed for TPM access and secure attestation execution:

5.0 Determine PCR Values

After the Azure CVM is successfully deployed, retrieve the PCR values for the required indexes for attestation. Any single PCR value or a combination of multiple PCR values can be used when defining the image policy, depending on the security requirements.

Use one of the following methods to generate the PCR values for Linux OS:

Option 1: Generate PCR values using one of the following tools:

• systemd-measure

• systemd-pcrlock

Option 2: Run the following command to collect PCR values directly from the deployed Azure CVM:

sudo tpm2_pcrread sha256

Copy the required PCR values and use them during image configuration in Fortanix CCM.

Once the PCR values are available, create the image for the CVM application. For more information on creating an image for the Azure CVM application, refer to Create an Image.