Attestation Configuration

Attestation configuration options are available through the anjuna-policy-manager-server CLI, which comes bundled with the Anjuna Policy Manager installer.

Azure SEV-SNP Trusted ID Key Digests

When an Anjuna Confidential Container based on AMD’s SEV-SNP technology is launched on Azure, the Hypervisor leverages the SEV-SNP Platform Security Processor (PSP) firmware to securely configure and launch a Confidential VM.

As part of the launch process, the Hypervisor assigns a unique, signed ID block to the VM. The private key used to sign this ID block is held only by Azure. The ID_KEY_DIGEST is the SHA-384 hash of the corresponding public key and is reported in the Attestation Report so that downstream verifiers can check the VM's integrity. The PSP firmware validates the ID block signature before finalizing the VM launch.

The Anjuna Policy Manager uses this ID_KEY_DIGEST data to verify whether an Attestation Report was created by a trusted Confidential VM in Azure. The Anjuna Policy Manager internal configuration maintains a list of ID_KEY_DIGEST values that are known at the time of the release of a specific version of the Anjuna Policy Manager. When a new ID_KEY_DIGEST value is shared by Azure, Anjuna will include it in the next release of the Anjuna Policy Manager.

To account for future key rotations from Azure and to ensure 24/7 operations for Anjuna Confidential Containers, the list of ID Key Digests trusted by the Anjuna Policy Manager can be extended without the need to upgrade the Anjuna Policy Manager to a newer version.

The Anjuna Support team will preemptively notify customers about upcoming Azure ID Key rotations and any new ID_KEY_DIGEST values.

Use the following command to add a new ID_KEY_DIGEST value to an existing Anjuna Policy Manager. Every digest in this list is accepted as proof that a VM was launched with an Azure-signed ID block, so only add values received through the Anjuna Support notification described above:

anjuna-policy-manager-server write "auth/apm/config" azcvm-trusted-id-key-digests="<value>"

where <value> is the SHA-384 digest (96 hexadecimal characters) of the new public key, e.g.:

0356215882a825279a85b300b0b742931d113bf7e32dde2e50ffde7ec743ca491ecdd7f336dc28a6e0b2bb57af7a44a3

The command also accepts multiple values by repeating the option, one per value:

anjuna-policy-manager-server write "auth/apm/config" \
  azcvm-trusted-id-key-digests="<value 1>" \
  azcvm-trusted-id-key-digests="<value 2>"
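The following Python is an added example, not Anjuna's code, that models the check this section describes: the digest of a public key is compared against the release-time list of trusted ID_KEY_DIGEST values plus any values written through the CLI. It assumes three things not stated on the page: that the attestation report has already been parsed into a dict with an `id_key_digest` field, that the public key bytes passed in are already serialised in the layout the SEV-SNP firmware hashes, and that values written via `azcvm-trusted-id-key-digests` extend rather than replace the release list. The key bytes and the report are constructed sample input.

```python
import hashlib
import re
import shlex
from typing import Iterable

# Constructed baseline: the digests a given Policy Manager release ships with.
# The single entry is the example value quoted on this page.
RELEASE_TRUSTED_DIGESTS = frozenset({
    "0356215882a825279a85b300b0b742931d113bf7e32dde2e50ffde7ec743ca491ecdd7f336dc28a6e0b2bb57af7a44a3",
})

# SHA-384 produces 48 bytes, i.e. 96 hex characters.
SHA384_HEX = re.compile(r"^[0-9a-f]{96}$")


def id_key_digest(public_key_bytes: bytes) -> str:
    """Return the SHA-384 of a public key as lower-case hex.

    Assumption: the caller passes the key already serialised in the byte
    layout the SEV-SNP firmware hashes; this example does not define that
    layout and only demonstrates the digest-and-compare step.
    """
    return hashlib.sha384(public_key_bytes).hexdigest()


def validate_digest(value: str) -> str:
    """Normalise a digest string and reject anything that is not SHA-384 hex."""
    v = value.strip().lower()
    if not SHA384_HEX.fullmatch(v):
        raise ValueError(f"not a SHA-384 hex digest: {value!r}")
    return v


def trusted_digests(extra: Iterable[str] = ()) -> frozenset:
    """Release list plus digests written via the CLI (assumed to extend it)."""
    return RELEASE_TRUSTED_DIGESTS | frozenset(validate_digest(d) for d in extra)


def report_is_trusted(report: dict, extra: Iterable[str] = ()) -> bool:
    """Accept a report only if its ID_KEY_DIGEST matches a trusted digest.

    `report` is a constructed dict standing in for the parsed attestation
    report; only the ID_KEY_DIGEST field is consulted here.
    """
    try:
        digest = validate_digest(report["id_key_digest"])
    except (KeyError, ValueError):
        return False
    return digest in trusted_digests(extra)


def build_write_command(new_digests: Iterable[str]) -> str:
    """Render the write command from this page for one or more digests."""
    args = ["anjuna-policy-manager-server", "write", "auth/apm/config"]
    args += [f"azcvm-trusted-id-key-digests={validate_digest(d)}" for d in new_digests]
    return " ".join(shlex.quote(a) for a in args)


if __name__ == "__main__":
    # Constructed key bytes standing in for a newly rotated Azure ID key.
    rotated_key = bytes(range(97))
    new_digest = id_key_digest(rotated_key)
    report = {"id_key_digest": new_digest}
    print("before config update:", report_is_trusted(report))                # False
    print("after config update: ", report_is_trusted(report, [new_digest]))  # True
    print(build_write_command([new_digest]))
```

The validation step matters in practice: a value that is not exactly 96 hex characters can never match a real digest, so rejecting it at write time surfaces a copy-and-paste error immediately instead of as a failed attestation after the rotation.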