feat(vm-samples): Intel TDX support, Confidential OS disk encryption docs, JWT decode fix #28
Merged
…JWT decode fix

BuildRandomCVM.ps1:
- Auto-detect AMD SEV-SNP vs Intel TDX from VM SKU; pick matching cvm-attestation-tools config
- Run latest attest-lin/attest-win release inside the VM and decode the MAA JWT (jq on Linux, ConvertFrom-Json on Windows)
- Pre-flight checks: reject Intel SGX SKUs; verify SKU availability and vCPU quota in target region before creating any resources
- Windows: relax $ErrorActionPreference for attest.exe (writes INFO to stderr), widen Out-String, anchor JWT regex to 'eyJ' so interleaved Python log lines don't corrupt the token
- 10x60s retry loop around Invoke-AzVMRunCommand to absorb post-provision 409 Conflict

Docs:
- vm-samples/README.md: new 'What is Confidential OS disk encryption with CMK?' section, pre-flight checks, TDX examples, manual cross-platform attest snippets, aka.ms/accdocs links
- README.md: refreshed VM Samples entry to call out TDX + Confidential OS disk encryption + new attestation flow; linked TDX What's New row to vm-samples/README.md
- WindowsAttest.ps1: deprecation banner pointing at Azure/cvm-attestation-tools

Validated end-to-end with smoketest deploys (Ubuntu + Windows TDX in westeurope, SNP in northeurope/westeurope).
Summary

Updates `BuildRandomCVM.ps1` and supporting docs to support Intel TDX alongside AMD SEV-SNP, run the modern Azure/cvm-attestation-tools `attest` flow inside the freshly deployed CVM, and decode the returned MAA JWT cross-platform.

Changes

`BuildRandomCVM.ps1`
- Auto-detect AMD SEV-SNP (`DCa*`/`ECa*`) vs Intel TDX (`DCe*`/`ECe*`) from the VM SKU and pick the matching `config_snp.json`/`config_tdx.json`.
- Run the latest `attest-lin.zip`/`attest-win.zip` release inside the VM via `Invoke-AzVMRunCommand` and decode the MAA JWT (header + payload + key claims) using `jq` on Linux and built-in `ConvertFrom-Json` on Windows.
- Windows: relax `$ErrorActionPreference` around `attest.exe` (it writes INFO logs to stderr), widen `Out-String` to 16384 cols, and anchor the JWT regex to `eyJ` so interleaved Python log lines can't corrupt the captured token.
- 10x60s retry loop around `Invoke-AzVMRunCommand` to absorb the transient 409 Conflict the run-command extension can return immediately after VM provisioning (especially on TDX).

Docs
- `vm-samples/README.md`: new "What is Confidential OS disk encryption with CMK?" section with comparison table, pre-flight checks subsection, Intel TDX examples, manual cross-platform attest snippets, and aka.ms/accdocs links throughout.
- `README.md`: refreshed VM Samples entry to call out TDX + Confidential OS disk encryption + new attestation flow; linked the TDX What's New row to `/vm-samples/README.md`.
- `WindowsAttest.ps1`: deprecation banner pointing at Azure/cvm-attestation-tools.

Validation

End-to-end smoketest deploys (deploy + in-VM attestation + JWT decode + auto-cleanup):
- `tdxvm` / `azure-compliant-cvm`
- `tdxvm` / `azure-compliant-cvm`
- `sevsnpvm` / `azure-compliant-cvm`
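The `eyJ`-anchored token capture and built-in `ConvertFrom-Json` decode described above, as an added example that is not code from this PR or from cvm-attestation-tools. The token, its `kid`, and the INFO lines around it are constructed for the demo; the MAA claim names `x-ms-attestation-type` and `x-ms-compliance-status` are real, their values here are sample data.

```powershell
# Added example (not from the PR): pull the MAA JWT out of mixed run-command
# output and decode its header and payload with built-in cmdlets only.

function ConvertTo-Base64Url([string]$Text) {
    # Used only to build the constructed sample token below.
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function ConvertFrom-Base64Url([string]$Text) {
    # JWT segments are unpadded base64url; restore padding before FromBase64String.
    $b64 = $Text.Replace('-', '+').Replace('_', '/')
    $b64 += '=' * ((4 - $b64.Length % 4) % 4)
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
}

function Get-MaaJwtFromOutput([string]$Output) {
    # Anchor on 'eyJ' (base64url of '{"') and require exactly three base64url
    # segments, so log lines printed around the token are never captured as part of it.
    $m = [regex]::Match($Output, 'eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+')
    if (-not $m.Success) { throw 'No JWT found in run-command output' }
    $m.Value
}

function Get-DecodedJwt([string]$Jwt) {
    $parts = $Jwt.Split('.')
    # Decoding only displays the claims; it does not verify the signature against the MAA JWKS.
    [pscustomobject]@{
        Header  = ConvertFrom-Base64Url $parts[0] | ConvertFrom-Json
        Payload = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    }
}

# Constructed sample token: claim values and kid are invented, the signature is a dummy.
$token = (ConvertTo-Base64Url '{"alg":"RS256","typ":"JWT","kid":"demo-kid"}') + '.' +
         (ConvertTo-Base64Url '{"x-ms-attestation-type":"tdxvm","x-ms-compliance-status":"azure-compliant-cvm"}') + '.' +
         'dummysignature'

# Constructed run-command transcript: INFO lines interleaved with the token, as
# they appear when attest's stdout and stderr are combined by Invoke-AzVMRunCommand.
$runCommandOutput = @"
2024-01-01 12:00:00 INFO Fetching attestation report...
$token
2024-01-01 12:00:01 INFO Attestation complete
"@

$decoded = Get-DecodedJwt (Get-MaaJwtFromOutput $runCommandOutput)
$decoded.Header  | ConvertTo-Json -Compress
$decoded.Payload | ConvertTo-Json -Compress
if ($decoded.Payload.'x-ms-compliance-status' -ne 'azure-compliant-cvm') { throw 'VM did not report as compliant' }
```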