
Sync updates from vinfnet/main #30

Merged: vinfnet merged 41 commits into Azure-Samples:main from vinfnet:main on Jun 26, 2026

Conversation

@vinfnet (Contributor) commented Jun 26, 2026

Sync latest confidential-computing updates from vinfnet/main into Azure-Samples/main.

This PR brings over recent CVM validation, attestation, workflow, and documentation improvements that are already validated in the fork.

vinfnet and others added 30 commits June 4, 2026 17:51
Add visual-attestation-demo-v2 (ACI, no SKR) and azure-voting-app (AKS SEV-SNP)

- Add -WelcomeSecret parameter to Build-SealedArtifacts.ps1 for encrypting user-supplied secrets into sealed bundle
- Secrets are encrypted using AES-256-GCM with the bundle DEK (Data Encryption Key)
- Stored as JSON envelope in welcome.txt within sealed-data.enc
- Runtime fallback: derive release_policy_sha256 from AKV key metadata when env var unavailable
- App decryption: decode_welcome_secret() in app.py uses AESGCM to decrypt after attestation
- UI: New 'Secret payload decrypted after attestation' section shows encrypted form, key, policy hash, and plaintext
- Deploy script: Fix Azure CLI response-consumption error using New-AzResourceGroupDeployment fallback
- Comprehensive README section documents:
  * How -WelcomeSecret works (build → encrypt → seal → attest → decrypt)
  * Cryptographic chain and protection layers (AES-256-GCM + RSA-HSM + SKR + CCE binding)
  * Real-world examples: API credentials, feature flags, DB secrets, compliance markers
  * CLI examples for interactive and non-interactive usage
- Template: Add RELEASE_POLICY_SHA256 to container environment
- All changes ensure plaintext never leaves TEE; disclosure only post-attestation
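The build-encrypt-seal-attest-decrypt chain the commit above describes, as an added example (not the project's Build-SealedArtifacts.ps1 or app.py): the operator's secret is encrypted with the 32-byte bundle DEK under AES-256-GCM, stored as a JSON envelope, and only decrypted once the attestation gate has passed. It uses the `cryptography` package's AESGCM, which the commit says app.py also uses. The envelope field names, the use of the release policy hash as GCM associated data, the `attested` flag standing in for the real attestation/SKR result, and the demo key and policy hash are all assumptions of this example.

```python
import base64
import hashlib
import json
import os

from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Constructed demo values (not real keys or a real policy): a 32-byte bundle
# DEK and the SHA-256 of a stand-in release policy document.
DEMO_DEK = hashlib.sha256(b"constructed demo bundle DEK").digest()
DEMO_POLICY_SHA256 = hashlib.sha256(b"constructed demo release policy").hexdigest()


def seal_welcome_secret(dek: bytes, plaintext: str, release_policy_sha256: str) -> str:
    """Build-time side: encrypt the operator's secret with the bundle DEK under
    AES-256-GCM and return the JSON envelope to store in welcome.txt. Binding
    the policy hash as AAD (an assumption of this example) means the ciphertext
    cannot be replayed under a different release policy."""
    if len(dek) != 32:
        raise ValueError("AES-256-GCM needs a 32-byte DEK")
    nonce = os.urandom(12)  # 96-bit nonce; must never repeat for the same DEK
    aad = release_policy_sha256.encode()
    ciphertext = AESGCM(dek).encrypt(nonce, plaintext.encode(), aad)  # 16-byte tag appended
    envelope = {
        "alg": "A256GCM",
        "nonce_b64": base64.b64encode(nonce).decode(),
        "ciphertext_b64": base64.b64encode(ciphertext).decode(),
        "release_policy_sha256": release_policy_sha256,
    }
    return json.dumps(envelope)


def decode_welcome_secret(envelope_json: str, dek: bytes, attested: bool,
                          expected_policy_sha256: str) -> str:
    """Runtime side: release the plaintext only after the attestation gate has
    passed. `attested` stands in for the real attestation/SKR outcome."""
    if not attested:
        raise PermissionError("attestation has not succeeded; secret stays sealed")
    env = json.loads(envelope_json)
    if env.get("alg") != "A256GCM":
        raise ValueError("unexpected envelope algorithm")
    if env.get("release_policy_sha256") != expected_policy_sha256:
        raise ValueError("envelope is bound to a different release policy")
    nonce = base64.b64decode(env["nonce_b64"])
    ciphertext = base64.b64decode(env["ciphertext_b64"])
    aad = env["release_policy_sha256"].encode()
    # AESGCM.decrypt raises cryptography.exceptions.InvalidTag if the ciphertext,
    # nonce or AAD was modified, so a tampered envelope never yields plaintext.
    return AESGCM(dek).decrypt(nonce, ciphertext, aad).decode()


def tamper_is_detected(envelope_json: str, dek: bytes, policy_sha256: str) -> bool:
    """Flip one bit of the ciphertext and confirm decryption is refused."""
    env = json.loads(envelope_json)
    raw = bytearray(base64.b64decode(env["ciphertext_b64"]))
    raw[0] ^= 0x01
    env["ciphertext_b64"] = base64.b64encode(bytes(raw)).decode()
    try:
        decode_welcome_secret(json.dumps(env), dek, True, policy_sha256)
    except Exception:
        return True
    return False


if __name__ == "__main__":
    env = seal_welcome_secret(DEMO_DEK, "db-password=constructed-demo-value", DEMO_POLICY_SHA256)
    print(env)
    print(decode_welcome_secret(env, DEMO_DEK, True, DEMO_POLICY_SHA256))
    print("tamper detected:", tamper_is_detected(env, DEMO_DEK, DEMO_POLICY_SHA256))
```

The gate is deliberately checked before the envelope is even parsed, so a failed or skipped attestation never touches the ciphertext, and the policy-hash comparison rejects an envelope sealed for a different release policy before any key material is used.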

…alidation

- Document SHA-256 checksum verification gate (mandatory before deploy)
- Explain what .sig cosign signatures are (audit trail, not enforced)
- Clarify cryptographic bindings vs signature-based validation
- Add protection layers table showing defense-in-depth
- Document MANIFEST.json as artifact inventory and source of truth
- Help operators understand what gets checked and why
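The checksum gate and the "signatures are an audit trail, not enforced" distinction, as an added example (not the project's scripts): every artifact listed in MANIFEST.json is hashed and compared to its recorded SHA-256, and any mismatch or missing file blocks deployment, while a `.sig` beside an artifact is only inventoried. The manifest layout (`{"artifacts": [{"name", "sha256"}]}`), the file names, and the sample bundle contents are assumptions of this example.

```python
import hashlib
import hmac
import json
import os
import tempfile

MANIFEST_NAME = "MANIFEST.json"  # assumed layout: {"artifacts": [{"name": ..., "sha256": ...}]}


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def verify_manifest(artifact_dir: str):
    """Return (ok, findings). ok is False on any missing artifact or digest
    mismatch; a .sig beside an artifact is inventoried for the audit trail but
    never changes the result."""
    with open(os.path.join(artifact_dir, MANIFEST_NAME), "rb") as f:
        manifest = json.load(f)
    findings, ok, listed = [], True, set()
    for entry in manifest["artifacts"]:
        name, expected = entry["name"], entry["sha256"].lower()
        listed.add(name)
        path = os.path.join(artifact_dir, name)
        if not os.path.isfile(path):
            findings.append(f"MISSING  {name}")
            ok = False
            continue
        actual = sha256_file(path)
        if hmac.compare_digest(actual, expected):
            findings.append(f"OK       {name}")
        else:
            findings.append(f"MISMATCH {name} expected={expected[:12]}... actual={actual[:12]}...")
            ok = False
        sig_state = "present" if os.path.isfile(path + ".sig") else "absent"
        findings.append(f"SIG      {name}.sig {sig_state} (audit only, not enforced)")
    # Files the manifest does not know about are reported but, in this
    # example, do not block the deploy; the manifest is the source of truth.
    for fname in sorted(os.listdir(artifact_dir)):
        if fname != MANIFEST_NAME and not fname.endswith(".sig") and fname not in listed:
            findings.append(f"UNLISTED {fname}")
    return ok, findings


def make_demo_bundle() -> str:
    """Constructed sample bundle: two artifacts, one signature, and a manifest."""
    d = tempfile.mkdtemp(prefix="sealed-demo-")
    files = {"sealed-data.enc": b"constructed ciphertext bytes", "bundle.json": b'{"demo": true}'}
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    with open(os.path.join(d, "sealed-data.enc.sig"), "wb") as f:
        f.write(b"constructed signature placeholder")
    manifest = {"artifacts": [{"name": n, "sha256": hashlib.sha256(b).hexdigest()}
                              for n, b in files.items()]}
    with open(os.path.join(d, MANIFEST_NAME), "w") as f:
        json.dump(manifest, f, indent=2)
    return d


def corrupt_artifact(artifact_dir: str, name: str) -> None:
    """Append one byte so the digest no longer matches the manifest."""
    with open(os.path.join(artifact_dir, name), "ab") as f:
        f.write(b"\x00")


if __name__ == "__main__":
    bundle = make_demo_bundle()
    for label in ("clean", "after corruption"):
        ok, findings = verify_manifest(bundle)
        print(f"[{label}]\n" + "\n".join(findings))
        print("DEPLOY ALLOWED" if ok else "DEPLOY BLOCKED")
        corrupt_artifact(bundle, "sealed-data.enc")
```

Note that a present `.sig` does not make a mismatched artifact pass and an absent one does not fail a matching artifact; only the digest comparison decides, which is exactly the split between cryptographic binding and signature-based validation the commit documents.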

- Change -Prefix parameter default from 'sgall' to 'sealaci' in Build-SealedArtifacts.ps1
- Update help text to reflect new default
- Update README quick-start example to show sealaci default
- Allows operators to use ./Build-SealedArtifacts.ps1 -Build without specifying prefix
- Users can still override with -Prefix if needed for custom naming

- Add CSS classes for visual distinction of three key sections:
  * .section-sealed (blue): core sealed data metadata
  * .section-files (amber): decrypted files list with size/hash
  * .section-secret (green): secret payload post-attestation
- Apply distinct left border colors and padding for better visual hierarchy
- Include dark mode support with appropriate color schemes
- Update README to document the UI improvements and section purposes
- Improves clarity and readability of attestation results and decrypted data

… installation guidance

- Add Test-OptionalTools function that checks for cosign, syft, trivy availability
- Display prominent warning with installation links if any are missing
- Offer user choice to continue with placeholders or abort
- Include installation instructions for Chocolatey, scoop, Homebrew, and direct downloads
- Call check at start of Invoke-Build before any artifact generation
- Provides operators clear path to generate real signatures, SBOMs, and scan reports

Sealed container updates: WelcomeSecret flow, UI clarity, docs, and deploy fixes

- Add Test-PrerequisitesInstalled() function to validate PowerShell 7.0+, required Az modules
- Function checks for optional tools (Azure CLI, git) and provides installation guidance
- Displays status with green checkmarks for installed prereqs, exits with error guidance if missing

- Add Prerequisites section to README covering environment, permissions, regional requirements, authentication
- Add Quickstart section with side-by-side Intel TDX and AMD SEV-SNP examples
- Include copy-paste ready commands for common scenarios (basic, Windows, larger VMs, production-grade, advanced, smoketest)
- Specify recommended regions and SKU families for each isolation type
- Position Quickstart before detailed Examples section for easy discoverability

- Change prod-tdx to prodtdx in TDX production example
- Change prod-snp to prodsnp in SEV-SNP production example
- Simplifies and standardizes example basename values

- Add retry + fallback URL logic for attest-win.zip download inside Windows CVM
- Query GitHub release API for browser_download_url fallback
- Validate downloaded archive exists and is non-empty before extract
- Detect download/attest errors in run-command output and fail instead of printing false success

- Add retry loop for attest-lin.zip download
- Add GitHub API fallback browser_download_url discovery
- Validate non-empty zip and require unzip tool
- Add Linux error signatures to outer attestation failure detection

- harden Windows and Linux in-VM attestation downloads with retries
- use curl/native fallback patterns that tolerate transient NAT warm-up
- verify NAT gateway attachment and fall back to Azure CLI when Az.Network does not persist association
- fail fast on VM deployment errors instead of continuing into attestation
- validated AMD SEV-SNP and Intel TDX attestation end-to-end

- wait for newly created VM to reach running state before proceeding
- retry transient ResourceNotFound errors from Invoke-AzVMRunCommand
- reduce false failures during early TDX/SEV provisioning windows
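The download hardening described across the commits above (retry, release-API fallback for `browser_download_url`, reject an empty or non-zip archive, and scan the run-command output for error signatures rather than trusting a printed success banner), as an added example that is not the project's in-VM scripts. It is simulated offline with constructed fetchers and a constructed run-command transcript; the error-signature list, the zip magic check, and the example URLs are assumptions, while `assets[].browser_download_url` is the field name GitHub's release API uses.

```python
import json
import time

# Assumed set of signatures meaning the in-VM script failed even when the
# outer run-command reports exit code 0 and the script printed a banner.
ERROR_SIGNATURES = (
    "curl: (",
    "could not resolve host",
    "unzip: cannot find",
    "attestation failed",
)


def pick_release_asset_url(release_api_json: str, asset_name: str) -> str:
    """Fallback discovery: read browser_download_url for a named asset out of
    a GitHub 'get release' response. The sample response below is constructed."""
    release = json.loads(release_api_json)
    for asset in release.get("assets", []):
        if asset.get("name") == asset_name:
            return asset["browser_download_url"]
    raise LookupError(f"asset {asset_name!r} not in release")


def download_with_fallback(sources, attempts=3, backoff_seconds=0.0, sleep=time.sleep):
    """sources: ordered (label, fetch) pairs; fetch() returns archive bytes or
    raises. Each source is retried `attempts` times, an empty or non-zip result
    counts as a failure, and only after every source fails do we raise."""
    errors = []
    for label, fetch in sources:
        for n in range(1, attempts + 1):
            try:
                data = fetch()
                if not data:
                    raise ValueError("downloaded archive is empty")
                if data[:2] != b"PK":  # zip local-file-header magic (assumed check)
                    raise ValueError("downloaded file is not a zip archive")
                return {"source": label, "attempt": n, "size": len(data)}
            except Exception as exc:  # transient NAT warm-up, 404 on primary, ...
                errors.append(f"{label} attempt {n}: {exc}")
                sleep(backoff_seconds * n)
    raise RuntimeError("all download sources failed: " + "; ".join(errors))


def run_command_succeeded(stdout: str, stderr: str, exit_code: int):
    """Return (ok, hits): ok only if the exit code is 0 AND no error signature
    appears in the captured output, so a script that logged a failure and then
    printed a success banner is not reported as success."""
    text = (stdout + "\n" + stderr).lower()
    hits = [sig for sig in ERROR_SIGNATURES if sig in text]
    return exit_code == 0 and not hits, hits


def make_flaky_fetcher(fail_first: int, payload: bytes):
    """Constructed fetcher that raises `fail_first` times, then returns payload."""
    calls = {"n": 0}

    def fetch():
        calls["n"] += 1
        if calls["n"] <= fail_first:
            raise ConnectionError("simulated transient failure")
        return payload

    return fetch


# Constructed sample inputs (not real releases or real VM output).
SAMPLE_RELEASE_JSON = json.dumps({"tag_name": "v0.0.0", "assets": [
    {"name": "attest-lin.zip", "browser_download_url": "https://example.invalid/attest-lin.zip"},
    {"name": "attest-win.zip", "browser_download_url": "https://example.invalid/attest-win.zip"},
]})
SAMPLE_FALSE_SUCCESS_OUTPUT = (
    "Downloading attest-lin.zip\n"
    "curl: (6) Could not resolve host: example.invalid\n"
    "unzip: cannot find or open attest-lin.zip\n"
    "Attestation complete\n"  # banner a naive script prints unconditionally
)

if __name__ == "__main__":
    print(pick_release_asset_url(SAMPLE_RELEASE_JSON, "attest-lin.zip"))
    primary = make_flaky_fetcher(fail_first=5, payload=b"PK\x03\x04demo")
    fallback = make_flaky_fetcher(fail_first=1, payload=b"PK\x03\x04demo")
    print(download_with_fallback([("primary", primary), ("fallback", fallback)]))
    print(run_command_succeeded(SAMPLE_FALSE_SUCCESS_OUTPUT, "", 0))
```

The second half is the important one for the "fail instead of printing false success" commits: `run_command_succeeded` treats a clean exit code as necessary but not sufficient, and returns the matched signatures so the outer deploy script can surface what actually went wrong inside the VM.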

- add-validation-to-commit.ps1: Appends CVM validation results to commit messages
- post-validation-comment.ps1: Runs 4-way validation and posts results as GitHub PR comment
- post-push.ps1: Git post-push hook to trigger validation comment posting after push
- Install-PreCommitHook.ps1: Updated to install pre-commit, pre-push, and post-push hooks with unified setup

These scripts enable:
- Automatic validation after push (posts results to GitHub PR)
- Manual commit message annotation with validation status
- One-command hook installation for teammates via ./scripts/Install-PreCommitHook.ps1

- post validation results to PR comments from pre-push hook
- remove commit-message validation annotation flow
- remove unsupported post-push hook wiring
- keep GitHub Actions checks to secret scan + syntax/parameter validation only
- disable cloud CVM matrix CI until service principal is available
@vinfnet vinfnet merged commit 0761079 into Azure-Samples:main Jun 26, 2026
5 checks passed