1.0 Introduction
This article describes the steps to create collaborating groups in Fortanix Armor Identity and Access Management (IAM) for an Advanced Micro Devices (AMD) Secure Encrypted Virtualization (SEV) - Secure Nested Paging (SNP) application in Confidential Computing Manager (CCM) and to run the application on AMD SEV-SNP.
A Collaborating Group in Fortanix CCM represents a collaboration established between two Fortanix Armor IAM groups that belong to different Fortanix Armor accounts. Through this collaboration, the participating groups can securely share selected resources and work together on common workflows. 
This document explains the end-to-end collaboration process, including creating collaborating groups, sharing collaboration tokens, building shared workflows, approving workflows, and managing collaboration lifecycle events.

Figure 1: Collaborating groups and shared workflows
2.0 Collaborating Groups for AMD SEV Applications
A Fortanix Armor IAM collaborating group is created when groups from different Fortanix Armor accounts establish a collaboration. Through this collaboration, the groups can share resources and participate together in workflows.
In a collaborating setup:
One group acts as the consumer group and initiates the collaboration.
One group acts as the publisher group and participates by contributing permitted resources.
The collaboration is represented and managed through shared workflows, which enforce controlled interaction, approval sequencing, and access restrictions between participating groups.
This article describes collaboration between two Fortanix Armor IAM groups from different Fortanix Armor accounts using a workflow that includes an AMD SEV-SNP application. In this example, one group acts as the consumer group and another group acts as the publisher group.
NOTE
In AMD SEV-SNP shared workflows, only application sharing is supported. Shared datasets are not supported with workflows configured to use the shared AMD SEV-SNP application node type.
3.0 Create Consumer Group (Enterprise)
This section describes how to create a consumer group that participates in a workflow collaboration with a publisher group.
A Consumer Group is created by an enterprise that wants to run a proprietary model on-premises.
In this example, a consumer group is created in a Fortanix Armor account and initiates collaboration with a publisher group using a shared Fortanix CCM workflow. The consumer group adds an AMD SEV-SNP placeholder application to the workflow, enabling the publisher group to contribute the application to the shared workflow.
Perform the following steps to create a consumer group for workflow-based collaboration:
Log in to Fortanix Armor and create a new account, for example, DemoA, or log in to an existing account. For more information on how to log in and create a new Fortanix Armor account, refer to Getting Started with Fortanix Armor.
On the Available Solutions page, select Identity and Access Management.
In the IAM left navigation panel, click Groups, and then on the GROUPS tab, click ADD GROUP to create the consumer group.
In the Create group dialog box:
Name: Enter a group name. For example, DemoA-Group1.
Add description: Click this to add a description, if needed.
Labels: Add one or more Key-Value labels to the group.
Click CREATE GROUP to add a new consumer group.
Figure 2: Consumer group created
4.0 Create Publisher Group (Model Owner)
This section describes how to create a publisher group that participates in workflow collaboration with a consumer group.
A Publisher Group is established by the model owner to securely share their application (proprietary model) with enterprises without disclosing the model, model weights, or other configurations.
In this example, a publisher group is created in a different Fortanix Armor account and contributes the application to a shared workflow initiated by the consumer group.
NOTE
To collaborate with resources in the consumer group, you must create an additional group in a different Fortanix Armor account, as collaboration between groups within the same account is not supported.
Perform the following steps:
Create two new Fortanix Armor accounts, for example, DemoB and DemoC, or log in to an existing account. For more information on how to log in and create a new Fortanix Armor account, refer to Getting Started with Fortanix Armor.
Repeat Steps 2 to 5 in Section 3.0: Create Consumer Group in Fortanix Armor, to create the two new publisher groups, for example, DemoB-Group2 and DemoC-Group3.
4.1 Create Application
Perform the following steps to add an ACI application: 
From the Armor Solutions drop down menu on the top navigation bar, click Confidential Computing Manager to open the CCM user interface (UI).
In the CCM UI left navigation panel, click Applications, and then on the ACTIVE APPLICATIONS tab, click ADD APPLICATION to add a new application.
In the Add Application form, select AMD SEV-SNP, and then click NEXT to proceed to create an application.
NOTE
Ensure that you select the Consumer group created in Section 3.0: Create Consumer Group.
For more information on how to create an AMD SEV-SNP application, refer to Add Applications.
The application is added for approval and appears on the ACTIVE APPLICATIONS list.

Figure 3: App created
For more information on how to create an AMD SEV-SNP application image, refer to Create Application Build.
4.2 Create Application Configuration
Once the application build is created, create an application configuration to associate the image with a group and enable its participation in the workflow.
Perform the following steps to create an application configuration:
Go to the CONFIGURATION tab and then click ADD CONFIGURATION to add a new configuration. 
Figure 4: Add app configuration
In the Add Application Configuration form:
Select Add new configuration.
Configuration name: Enter a name for the configuration.
Group: Select the required group from the drop down menu to associate the configuration with that group. For example, DemoB-Group2.
Description (optional): Enter a description for the configuration.
Build: Select the application build for which the configuration will be created.
Ports: Keep this field empty.
Label Details: Add any meaningful key value pair to identify your application configuration.
Configuration items: Keep this field empty.
Click ADD CONFIGURATION to save the configuration.
5.0 Generate Collaboration Token
To initiate collaboration, a consumer group must authenticate itself to a publisher group. Without authentication, a publisher group could receive unsolicited or spam collaboration requests from another consumer group. To prevent this, the publisher group administrator generates a “collaboration token”, which serves as proof of identity for collaboration requests.
When a consumer group requests collaboration, it includes the collaboration token provided by the publisher group in the request. The publisher group then verifies the token and authenticates the consumer group before allowing the collaboration to proceed.
Perform the following steps to generate the collaboration token in Fortanix Armor IAM:
Go to the detailed view of DemoB-Group2 in the DemoB account.
Click COLLABORATE to generate a new collaboration token.
Figure 5: Collaborate
In the Collaborate dialog box, click GENERATE TOKEN to generate the token.
Once the token is generated, click COPY to copy the collaboration token.
You must share this collaboration token with the consumer group administrator to enable collaboration. The method used to share the collaboration token is outside the scope of this guide.
Click Show previous tokens to view the previously generated tokens.
6.0 Create Collaborating Group
This section explains the collaboration process between the consumer group and the publisher group using the collaboration token shared by the publisher group.
Perform the following steps to create a collaborating group for workflow collaboration:
Open the detailed view of the consumer group, for example, DemoA-Group1, in the DemoA account.
Click ACCEPT TOKEN.
Figure 6: Accept collaboration token
In the Accept token dialog box, paste the collaboration token shared by the publisher group in Section 5.0: Generate Collaboration Token.
Click PROCEED to initiate the collaboration request.
Navigate to Groups and select the COLLABORATION GROUPS tab.
On the CONSUMER tab, verify that the consumer group DemoA-Group1 appears associated with the publisher group DemoB-Group2.
Figure 7: Consumer group collaboration request
In the Status column, observe that the collaboration request is in Pending state.
NOTE
The publisher group must accept the collaboration request before collaboration can begin.
Go to the publisher group (DemoB-Group2) and navigate to the COLLABORATION GROUPS tab.
On the PUBLISHER tab, verify that DemoB-Group2 shows an association request from DemoA-Group1.
Click the overflow menu for the publisher group row and click Accept to approve the collaboration request.
Verify that the collaboration status updates to Accepted in the publisher group view.
Figure 8: Status accepted
Return to the consumer group account (DemoA) and confirm that the collaboration status for the consumer group (DemoA-Group1) also shows Accepted.
Figure 9: Status accepted
7.0 Create Shared Workflow
After creating the collaborating groups, the consumer group administrator initiates collaboration by creating a shared workflow.
In the shared workflow, the consumer group administrator creates placeholder nodes. Each placeholder node is assigned to a specific publisher group, and only administrators of that publisher group can populate the placeholder nodes assigned to them.
Perform the following steps as a consumer group administrator to create a shared workflow:
In the CCM UI left navigation panel, click the Workflows menu item in the DemoA account.
On the Workflows page, click ADD WORKFLOW to create a new workflow.
In the Add workflow form:
Name: Enter a name for the workflow.
Group: Select the consumer group (DemoA-Group1) for the shared workflow.
Click ADD WORKFLOW to create the shared workflow.
On the workflow canvas, add the application that belongs to the consumer group, DemoA-Group1 created in Section 3.1: Create Application in Fortanix CCM.
Click SAVE DRAFT to save the workflow.
Saving the workflow as a draft makes it available to the publisher group, allowing the administrator of the assigned publisher group to access the draft workflow in its respective account and populate the placeholder node assigned to it.
7.1 Fill the Placeholder Nodes with Actual Data
After the consumer group creates the shared workflow and assigns placeholder nodes, members of the publisher groups populate the placeholder nodes with their own resources.
Each publisher group can update only the placeholder node assigned to its group. Publisher group administrators cannot add, remove, or modify other nodes in the workflow.
Perform the following steps as a publisher group administrator:
Log in to the DemoB account and click the Workflows menu item in the CCM UI left navigation panel.
On the Workflows page, click the Draft menu item. The draft shared workflow created by the consumer group appears in the list.
Select the workflow and locate the placeholder node assigned to the publisher group DemoB-Group2.
Click the placeholder node to add the application.
In the APPLICATION form, select the AMD SEV-SNP application image that was automatically created in Section 4.1: Create Application.
Click SAVE DRAFT to save the updated shared workflow.
After the publisher group populates its assigned placeholder node, the shared workflow is complete and ready for approval.
7.2 Request Approval to Create Approved Workflow
After the publisher group fills its assigned placeholder nodes, the shared workflow is ready for approval.
The publisher group must review and approve the workflow before the consumer group can complete the approval process.
NOTE
The consumer group cannot approve the workflow until the publisher group approves it. This ensures that the publisher group explicitly consents to the sharing of data.
Perform the following steps to request and approve the shared workflow:
Log in to the DemoA account as a consumer group administrator.
In the CCM UI left navigation panel, click the Workflows menu item.
Click the Draft menu item and select the shared workflow for which you want to request approval.
Click SAVE AND REQUEST APPROVAL to send the approval request to all the publisher groups.
A confirmation dialog appears. Click REQUEST APPROVAL to submit the approval request to the publisher groups.
The workflow moves to the Pending state.
Go to the Pending tab to view workflows awaiting approval.
Log in to the DemoB account as a publisher group administrator. Navigate to the Workflows menu item and click the Pending menu item.
Select the shared workflow from the list and click VIEW REQUEST for the shared workflow.
In the APPROVAL REQUEST FOR CREATING WORKFLOW dialog box, click APPROVE.
After the publisher group approves the workflow, log in to the DemoA account as the consumer group administrator and approve the workflow to complete the approval process.
The workflow now appears in the Approved tab.
NOTE
After a shared workflow reaches the Approved state, it cannot be modified. To make changes, edit the workflow to create a new version using EDIT WORKFLOW. After approval, the new version replaces the previous one.
7.3 Run the Shared Workflow
Only the consumer group administrator, who owns the workflow, can run a shared workflow.
The members of the publisher groups cannot run the workflow.
Perform the following steps to run the workflow:
Click the workflow application and copy the Runtime configuration hash from the APPLICATION dialog box. This value is used for the APPCONFIG_ID parameter.
Extract the VM image files.
Modify the following launch_cvm.sh script, and add the APPCONFIG_ID value copied in Step 1.
NOTE
Ensure that the launch_cvm.sh script has all the required variables

    # before running - (IMAGE, KERNEL, BIOS, MANAGER_ENDPOINT, JOIN_TOKEN, ALT_NAMES_ARR,
    # CPU_TYPE and NUM_CPUS). If above parameters are not populated in the script then
    # this is standard template generated without any input parameters. In this case please
    # fill in these parameters and run the script.
    (
    set -x
    modprobe kvm
    modprobe vfio-pci
    # Model provider's artifacts locations and configurations - These are measured artifacts
    # .qcow2 file
    IMAGE="cvm-image-latest.qcow2"
    # .efi file
    KERNEL="cvm-image-latest.efi"
    # OVMF.fd file
    BIOS="OVMF.amdsev.fd"
    # NVIDIA IT's configuration
    # Other config parameters
    CPU_TYPE=EPYC-v4
    NUM_CPUS=2
    ALT_NAMES="fortanix.com"
    APPCONFIG_ID="9b3f89c28ba7be6fccde70e7a37b97ae73c7cccab955ebbee9261a3991bc0b62"
    #Hardware Settings
    NVIDIA_GPU=45:00.0
    MEM=16 #in GBs
    FWDPORT=9899
    doecho=true
    docc=true
    dogpu=true
    while getopts "nexp:" flag
    do
        case ${flag} in
            n) dogpu=false;;
            e) doecho=true;;
            x) docc=false;;
            p) FWDPORT=${OPTARG};;
        esac
    done
    NVIDIA_GPU=$(lspci -d 10de: | awk '/NVIDIA/{print $1}')
    NVIDIA_PASSTHROUGH=$(lspci -n -s $NVIDIA_GPU | awk -F: '{print $4}' | awk '{print $1}')
    if [ "$doecho" = true ]; then
        echo 10de $NVIDIA_PASSTHROUGH > /sys/bus/pci/drivers/vfio-pci/new_id
    fi
    if [ "$docc" = true ]; then
        USE_HCC=true
    fi
    if [ "$dogpu" = true ]; then
        USE_GPU=true
    fi
    qemu-system-x86_64 \
    -machine memory-encryption=sev0,vmport=off \
    -object memory-backend-memfd,id=ram1,size=16G,share=true,prealloc=false -machine memory-backend=ram1 \
    -object sev-snp-guest,id=sev0,cbitpos=51,reduced-phys-bits=1,kernel-hashes=on \
    -enable-kvm -nographic -no-reboot \
    -cpu ${CPU_TYPE} -machine q35 -smp ${NUM_CPUS},maxcpus=31 -m ${MEM}G,slots=2,maxmem=512G \
    -bios ${BIOS} \
    -drive file=${IMAGE},if=virtio,id=disk0,format=qcow2,readonly=on \
    -kernel ${KERNEL} \
    -device virtio-net-pci,disable-legacy=on,iommu_platform=true,netdev=vmnic,romfile= \
    -netdev user,id=vmnic,hostfwd=tcp::2223-:22,hostfwd=tcp::80-:8000 \
    -object iommufd,id=iommufd0 \
    -device pcie-root-port,id=pci.1,bus=pcie.0 \
    -device vfio-pci,host=${NVIDIA_GPU},bus=pci.1,iommufd=iommufd0,romfile= \
    -fw_cfg name=opt/ovmf/X-PciMmio64Mb,string=262144 \
    -fw_cfg name=opt/com.fortanix/app_cert_alt_names,string=${ALT_NAMES} \
    -fw_cfg name=opt/com.fortanix/appconfig_id,string=${APPCONFIG_ID} \
    -device vhost-vsock-pci,id=vhost-vsock-pci0,guest-cid=8
    )

Run the following command to launch the VM:

    sudo ./launch_cvm.sh

This will start the AMD SEV-SNP application and trigger the Fortanix Attestation Client.
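A pre-flight check for the edited launch_cvm.sh, added here as an example and not part of the Fortanix script or documentation: it reads the variable assignments as text without executing the script, confirms that the measured artifacts exist, and confirms that the SEV-SNP and appconfig_id QEMU options are still present. The function names, the list of required variables (those the script on this page actually assigns), and the 64-hex-character format of APPCONFIG_ID (inferred from the sample value) are assumptions.

```shell
#!/usr/bin/env bash
# Pre-flight check for launch_cvm.sh. The script is read as text, never executed.

# Print the value of the first NAME=value assignment for $1 in file $2,
# without surrounding double quotes or a trailing " # comment".
get_var() {
    sed -n "s/^[[:space:]]*$1=\(.*\)$/\1/p" "$2" | head -n 1 |
        sed -e 's/[[:space:]]\{1,\}#.*$//' -e 's/^"\(.*\)"$/\1/'
}

# $1 = path to launch_cvm.sh, $2 = directory with the extracted VM image files.
# Prints one line per problem; returns 0 only if nothing was found.
preflight() {
    local script=$1 dir=$2 rc=0 name val opt
    for name in IMAGE KERNEL BIOS CPU_TYPE NUM_CPUS ALT_NAMES APPCONFIG_ID; do
        val=$(get_var "$name" "$script")
        [ -n "$val" ] || { echo "MISSING $name"; rc=1; }
    done
    # Assumption: the hash is 64 lowercase hex characters, like the page's sample.
    val=$(get_var APPCONFIG_ID "$script")
    if [ -n "$val" ] && ! printf '%s\n' "$val" | grep -Eq '^[0-9a-f]{64}$'; then
        echo "BAD APPCONFIG_ID"; rc=1
    fi
    # Measured artifacts must exist where QEMU will open them.
    for name in IMAGE KERNEL BIOS; do
        val=$(get_var "$name" "$script")
        if [ -n "$val" ] && [ ! -f "$dir/$val" ]; then
            echo "NOT FOUND $name=$val"; rc=1
        fi
    done
    # The QEMU options that make this an SNP guest with a measured kernel,
    # and that pass the hash to the guest, must survive any local edits.
    for opt in 'memory-encryption=sev0' 'sev-snp-guest' 'kernel-hashes=on' \
               'opt/com.fortanix/appconfig_id,string=${APPCONFIG_ID}'; do
        grep -Fq -- "$opt" "$script" || { echo "QEMU OPTION GONE $opt"; rc=1; }
    done
    return "$rc"
}

# Constructed sample: a cut-down launch_cvm.sh plus empty artifact files in $1.
make_sample() {
    : > "$1/cvm-image-latest.qcow2"; : > "$1/cvm-image-latest.efi"; : > "$1/OVMF.amdsev.fd"
    cat > "$1/launch_cvm.sh" <<'EOF'
IMAGE="cvm-image-latest.qcow2"
KERNEL="cvm-image-latest.efi"
BIOS="OVMF.amdsev.fd"
CPU_TYPE=EPYC-v4
NUM_CPUS=2
ALT_NAMES="fortanix.com"
APPCONFIG_ID="9b3f89c28ba7be6fccde70e7a37b97ae73c7cccab955ebbee9261a3991bc0b62"
qemu-system-x86_64 -machine memory-encryption=sev0,vmport=off \
  -object sev-snp-guest,id=sev0,cbitpos=51,reduced-phys-bits=1,kernel-hashes=on \
  -fw_cfg name=opt/com.fortanix/appconfig_id,string=${APPCONFIG_ID}
EOF
}

# Usage: ./preflight.sh launch_cvm.sh [artifact-dir]
if [ "$#" -ge 1 ]; then preflight "$1" "${2:-.}"; fi
```

A value pasted with a stray space or newline fails the APPCONFIG_ID check here, before the VM is started.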
The Publisher (Model Owner) navigates to the application details view to confirm that:
The build is deployed in Fortanix CCM.
The audit log contains a successful REQUEST_APP_CERTIFICATE event, indicating that the application certificate was generated.
Figure 10: Audit logs for Publisher
The Consumer (Enterprise) navigates to the Tasks page to confirm that:

Figure 11: Audit logs for consumer
NOTE
The audit logs are available in the log tool configured by the Publisher and Consumer.
8.0 Manage Tokens
8.1 Revoke Token
A collaboration token can be revoked by a publisher group administrator.
Revoking a collaboration token does not affect existing active collaborations between the publisher group and consumer group that were established using that token. Any existing shared workflows continue to function as expected.

Figure 12: Revoke token
8.2 Revoke Status
Perform the following steps to revoke a collaboration between a consumer group and a publisher group:
Navigate to the COLLABORATION GROUPS page.
Locate the collaboration entry you want to revoke.
Click the overflow menu for the corresponding row and select Revoke from the drop down menu to revoke the collaboration.
You can revoke the collaboration from either the consumer group or the publisher group.
After you revoke the collaboration, the shared workflow cannot progress, and collaboration between the groups stops.

Figure 13: Revoke collaboration status