
[Feature]: Replace pull default SKR policy from github with MAA Service Discovery API and Policy template #24601

Open
praenubilus opened this issue Apr 10, 2024 · 1 comment · May be fixed by #24807
feature-request This issue requires a new behavior in the product in order be resolved. Tracking We will track status and follow internally

Comments

@praenubilus

praenubilus commented Apr 10, 2024

Description of the new feature

Today the default CVM SKR policy is pulled from a public GitHub repo:
https://raw.githubusercontent.com/Azure/confidential-computing-cvm/main/cvm_deployment/key/skr-policy.json
This will hit performance issues as the default policy file expands, and it also raises security concerns.

We have decided to replace the current implementation with the MAA Service Discovery API to get the regional default provider and fill it into the template as follows:

{
    "anyOf": [
        {
            "allOf": [
                {
                    "claim": "x-ms-compliance-status",
                    "equals": "azure-compliant-cvm"
                }
            ],
            "authority": "{regional-maa-endpoint}"
        }
    ],
    "version": "1.0.0"
}

The service discovery API from MAA:

GET https://management.azure.com/subscriptions/{your_subscription}/providers/Microsoft.Attestation/Locations/{your_location}/defaultProvider?api-version=2020-10-01

Here is a reference application in Azure PowerShell for getting the default provider by location.

This REST API is a call to ARM, so all that's required is an Azure subscription and an identity (e.g., user, service principal, MSI identity, etc.) with RBAC permissions to access that subscription's resources.

The current implementation in the repo:

private const string DefaultCVMPolicyUrl = "https://raw.githubusercontent.com/Azure/confidential-computing-cvm/main/cvm_deployment/key/skr-policy.json";

Proposed implementation details (optional)

For Mooncake, Fairfax, USNAT and USSec the API part
/subscriptions/{your_subscription}/providers/Microsoft.Attestation/Locations/{your_location}/defaultProvider?api-version=2020-10-01
remains the same. But the ARM endpoint https://management.azure.com/ will be different (see below).
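The discovery-then-template flow proposed above, as an added example that is not code from the issue or from the azure-powershell repo. It takes the ARM host as a parameter (since sovereign clouds use a different one), reads the regional MAA endpoint from the defaultProvider response (assumed to be carried as properties.attestUri; this field name is not stated in the issue), refuses a non-https authority, and fills the SKR template. The ARM response is constructed sample data, not a real capture.

```python
import json
from urllib.parse import urlparse

# Discovery path from the issue; the ARM host varies per cloud, so it is a parameter.
DISCOVERY_PATH = ("/subscriptions/{subscription}/providers/Microsoft.Attestation"
                  "/Locations/{location}/defaultProvider?api-version=2020-10-01")


def build_discovery_url(arm_endpoint: str, subscription: str, location: str) -> str:
    """Compose the MAA service-discovery URL for the given ARM endpoint."""
    return arm_endpoint.rstrip("/") + DISCOVERY_PATH.format(
        subscription=subscription, location=location)


def regional_authority(arm_response: dict) -> str:
    """Extract the regional MAA endpoint from a defaultProvider response.

    Assumption: the provider resource exposes it as properties.attestUri.
    Anything that is not an https URL is rejected so the policy never ends
    up trusting a plaintext or malformed authority."""
    uri = arm_response.get("properties", {}).get("attestUri")
    if not uri:
        raise ValueError("defaultProvider response has no properties.attestUri")
    parsed = urlparse(uri)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"unexpected authority URL: {uri!r}")
    return uri


def render_skr_policy(authority: str) -> dict:
    """Fill the SKR policy template from the issue with the discovered authority."""
    return {
        "anyOf": [{
            "allOf": [{"claim": "x-ms-compliance-status",
                       "equals": "azure-compliant-cvm"}],
            "authority": authority,
        }],
        "version": "1.0.0",
    }


# Constructed sample response in the shape of an ARM attestation provider resource.
SAMPLE_RESPONSE = {
    "id": "/providers/Microsoft.Attestation/locations/eastus/defaultProvider",
    "location": "eastus",
    "properties": {"attestUri": "https://shared-example.eus.attest.azure.net",
                   "status": "Ready"},
}

if __name__ == "__main__":
    print(build_discovery_url("https://management.azure.com/",
                              "00000000-0000-0000-0000-000000000000", "eastus"))
    print(json.dumps(render_skr_policy(regional_authority(SAMPLE_RESPONSE)), indent=4))
```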

@praenubilus praenubilus added feature-request This issue requires a new behavior in the product in order be resolved. needs-triage This is a new issue that needs to be triaged to the appropriate team. labels Apr 10, 2024
@microsoft-github-policy-service microsoft-github-policy-service bot removed the needs-triage This is a new issue that needs to be triaged to the appropriate team. label Apr 10, 2024
@BethanyZhou BethanyZhou added the Tracking We will track status and follow internally label Apr 22, 2024
@BethanyZhou BethanyZhou self-assigned this Apr 22, 2024
@BethanyZhou
Contributor

Adding announcement for this change: #24674
