Integrating with Intel® Tiber™ Trust Services and Intel TDX for Confidential Computing
Caution
This feature is a technical preview for evaluation in non-production environments. Details and functionality are subject to change.
Confidential Computing is a cloud computing technology that can isolate and protect data on Confidential Virtual Machines (CVMs), or Trusted Domains (TDs), while it is being processed by the application, to protect it from a broad range of software attacks. Confidential computing ensures that all data operations are executed within a Trusted Execution Environment.
Confidential Computing provisioning requires Intel® Tiber™ Trust Services (ITTS), to attest the CVMs, or TDs, and create a Trusted Execution Environment around them. ITTS is a verifier in a remote attestation application architecture. In Remote Attestation procedures, one peer (the "Attester"), produces cryptographic information about itself ("Evidence") to enable a remote peer (the "Relying Party") to decide whether or not to consider that Attester a trustworthy peer. In this case, CipherTrust Manager is the Relying Party.
CTE-U and CipherTrust Manager manage the attestation process to provision confidential computing on VMs running on CTE-U agents to provide End-To-End Data Protection. The role for CTE-U in this confidential computing model is to gather the evidence and provide that to CipherTrust Manager to have it attested for by ITTS. If attestation fails, CTE-U does not prevent access to the encrypted data that it guards.
Requirements & Specifications
System | Description |
---|---|
Attestation Authority | Intel® Tiber™ Trust Services (ITTS) |
Agent Requirements Minimum versions listed. Subsequent versions also valid. |
|
CipherTrust Manager Minimum Version | 2.18 |
CTE-U Minimum Version | 10.4.0 |
Prerequisites
-
Install CipherTrust Manager v2.18, or a subsequent version, on a virtual or physical system.
-
Obtain a valid account for Microsoft Azure.
-
Obtain an Intel® Tiber™ Trust Services account.
-
Install and configure Microsoft Authenticator on your mobile phone.
Note
For the purposes of this documentation, we have documented use of Microsoft Authenticator as the Multi-Factor Authentication (MFA) program. You can use any MFA application with the portal. See How to Add Additional Authentication Methods to set up and use an alternative MFA provider.
Provision a TDX machine from Microsoft Azure
TDX is the remote attestation service.
-
Login to the Azure Portal.
-
Open Microsoft Authenticator to obtain an authorization code.
-
Enter that Microsoft Authenticator code in the dialog on the Azure Portal page.
-
From the home page of the Azure portal, click Create Resource.
-
Click Virtual Machine > Create and follow the on-screen instructions to create a VM.
Field Name Value Security Type Confidential virtual machine OS Image Ubuntu Server 22.04 LTS (Confidential VM) -x64 Gen 2 VM architecture x64 Size Standard DC4eds_v5 or larger Note
Secure boot is enabled by default. You can disable it once
confidential VM security type
is selected. A link appears for configuring the security features. Toggle the option forEnable secure boot
to disable it. -
Click Review & Create.
Validate TDX machine
-
List the contents for
/dev/tpm
, type:Result
-
Verify that Intel TDX is activated, type:
Result
-
Verify that the TPM (Trusted Platform Module) is valid, type:
Result
Reference Information
Install the Trusted Platform Module tools on your Agent VM
-
Download the Trusted Platform Module (TPM) tools, type:
-
Install the Trusted Platform Module (TPM) tools on the CTE-U agent, type:
Creating Keys and Policies in the Intel Portal
-
Open Microsoft Authenticator on your mobile phone. The login requests an authentication code from Microsoft Authenticator to access the site.
-
Login to the Intel Portal.
-
Create an Attestation API key. You can associate it with either a simple policy, or one with an MRTD (Measurement of Trust Domain) value.
-
In the navigation bar on the left, click Manage Policies.
-
Click Add a Policy. Follow the on-screen instructions for creating a policy.
Field Name Value Attestation Type TDX Attestation Policy Type Appraisal policy with an MRTD value. Simple Policy
-
To find the TDX MRTD value, on the CTE-U agent, type:
-
To find the TDX MRSEAM value, on the CTE-U agent, type:
-
Add the policy that you created in the previous step to your API key.
-
-
Create an Admin API Key.
-
In the navigation bar on the left, click Admin API Keys.
-
Select the View icon (
) for the API key that you want to copy.
-
Select the Copy icon (
). The API key is copied to your system memory.
-
Alternatively, to create a new API key, click Delete/Regenerate API Key.
-
Use the API key with the Trust Services CTL CLI utility to manage admins and users.
-
Reference Information
To learn how to create an Intel Trust Services policy, consult the following Intel documentation:
CipherTrust Manager Requirements
Create an Attestation Authority Connection
Provisioning Confidential Computing on CTE-U clients requires one admin connection (connection with administrator privileges) and one non-admin connection (connection without administrator privileges). The admin connection is necessary to retrieve the policies from the Attestation Authority. CipherTrust Manager uses the connection details to communicate with ITTS for agent attestation when a request is received from the agent.
To create the Attestation Authority connections:
-
Log on to CipherTrust Manager.
-
In the left nav-bar, click Access Management > Connections.
-
Select + Add Connection.
-
In the Select Connection Type, click More.
-
From the Select Connection dropdown, select Attestation Authority and click Next.
-
In the General Info section, enter the Name and Description for the connection and click Next.
-
In Configure Connection, create an Admin User Connection by selecting from the following options. Choose European or US for your URLs based on which URL is valid for your account:
Field Name Value Description URL for API method https://api.trustauthority.intel.com
URL for connecting to the Attestation Authority. Base European URL https://portal.eu.trustauthority.intel.com
Base URL for the Attestation Authority. Base U.S. URL https://portal.trustauthority.intel.com
Base URL for the Attestation Authority. API Key Provide either the Admin API key or the Attestation API key created in ITTS to establish the connection with the Attestation Authority. Base API European URL https://api.eu.trustauthority.intel.com
Base URL for API connection. Base API U.S. URL https://api.trustauthority.intel.com
Base URL for API connection. -
Select Admin User to create a connection with administrator privileges. Click Next.
-
In Add Products section, select the CTE-U checkbox.
-
Click Add Connection.
-
Repeat these steps to create the Attestation connection. Do not select Admin User in step 8.
Note
In CipherTrust Manager, select Access Management > Connections, click the ellipsis (...) to View, Edit, or Delete the connections..
Create a Global Client Profile
Create a Client Profile to associate with the Attestation Authority connection.
-
In the CipherTrust Manager dashboard, click Access Management > Client Profiles > Add Client Profile.
-
Enter Profile Name and Description.
-
Select CA Type: Local or External.
-
Select the respective Local or External CA in Select <CA Type> CA.
-
Enter the Certificate Duration (in days) for which the CA certificate remains active.
-
Expand the CONFIDENTIAL COMPUTING section and add the following details:
Field Name Value Description Attestation Authority Identifier Intel Trust Authority (ITTS) Attestation Type TDX Attestation Attestation Connection Select a non-admin connection Admin Connection Select an admin connection Note: Admin and non-admin type connections should belong to the same Attestion Authority. Policy Type Appraisal policy These policies are fetched from the Attestation Authority server. You can select appraisal policies. Policy Names <policy_names>
Select one or more policies from the drop-down menu. Cloud Provider Azure -
Click Add/Update Client Profile.
Create a Registration Token
Create a registration token on the CipherTrust Manager. You must have administrator privileges to create registration tokens.
-
Log on to the CipherTrust Manager GUI as administrator.
-
In the left pane, click Access Management > Registration Tokens.
-
On the right, click Add Registration Token. The Create New Registration Token wizard displays.
-
Click Begin to start token creation. The Configure Token screen displays.
-
(Optional) Specify a Name Prefix for the client name. This prefix is used to construct names for clients whose names are not specified during registration with the CipherTrust Manager using this token.
-
If the name prefix is specified as
ks_client
, client names will be constructed asks_client#
; for example,ks_client1
,ks_client2
,ks_client3
, and so on. However, if a client's name is specified during registration, this name prefix is not used for that client. -
If the name prefix is not specified, the CipherTrust Manager will construct a random name for clients.
-
-
Set the Token lifetime. You must include a time unit with it such as:
Token Lifetime Span Value 10 m 10 minutes 10 h 10 hours 10 d 10 days unlimited Never expires -
Specify Client Capacity. This is the maximum number of clients that can be registered using this registration token. The default capacity is
100
clients. -
Select Add Profile and add the client profile that you just created.
-
Click Create Token. The Create Token screen displays the generated registration token in ASCII and Base64 encoding. CipherTrust Manager accepts the registration token in ASCII format only.
-
Click Copy next to the token to save the copied token. Use this token when registering and migrating clients.
Install and Register CTE-U with a Confidential Computing Azure VM
Install CTE-U
-
Log on to the host where you will install the CTE UserSpace Agent as
root
. You cannot install the CTE-U Agent withoutroot
access. -
Copy or mount the installation file to the host system.
-
Install CTE UserSpace, type
Example
Caution
CTE-U does not support customer paths for Ubuntu installation. You must use the default path.
Register CTE-U
-
The install script installs the CTE-U Agent software, and any missing dependencies, in either
/opt/vormetric
or your custom installation directory (excluding Ubuntu), and then prompts you to register the CTE UserSpace Agent with a key manager by running/opt/vormetric/DataSecurityExpert/agent/vmd/bin/register_host
. -
Enter Y to continue with the registration process. The install script prompts you to enter the host name or IP address of the CipherTrust Manager with which you want to register CTE-U.
-
Enter the client host name when prompted.
-
Enter the CipherTrust Manager registration token, profile name, host group and host description. If you omit the profile name, CipherTrust Manager associates the default client profile with this client.
-
CTE-U finishes the installation and registration process.
Reference Information
Validate Confidential Computing on the CTE-U Agent for Attestation
-
Verify that your CTE-U agent is capable of confidential computing, type:
Result if validation succeeds
Result if validation fails
In the UI, CipherTrust Manager displays the term warning in the status column and displays a banner message indicating that the Agent failed attestation.
-
If using a policy with an MRTD value, validate that the MRTD value in the policy and on the Agent are the same, type:
It should be the same value as the MRTD value on this file:
Confidential Computing Policies
There are no special CTE-U policies for Confidential Computing. Create standard and LDT policies as usual.
Confidential Computing GuardPoints
There are no special GuardPoints for Confidential Computing. Create GuardPoints as usual.