Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Confidential Compute CLI Change Request - VM OS Disk / Disk Encryption Set Create #22200

Closed
AjKundnani opened this issue Apr 27, 2022 · 17 comments
Assignees
Labels
Auto-Assign Auto assign by bot Compute az vm/vmss/image/disk/snapshot feature-request

Comments

@AjKundnani
Copy link

AjKundnani commented Apr 27, 2022

Is your feature request related to a problem? Please describe

No, feature request to add new parameter and add values into existing parameters for following commands to support Confidential VM - Planned GA by end of June CY22:

Feature is to support customers with:

  • creating Disk Encryption Set which will support Confidential VM Creation using customer encryption keys.
  • creating managed OS Disk for Confidential VM with flexibility to choose between Platform keys and customer-managed keys.

Describe the solution you'd like

Existing Parameter

az disk create

Customer to use az disk create command with parameter --security-type to set Security Type. For confidential VM Additional accepted security type should be ConfidentialVM_DiskEncryptedWithCustomerKey, ConfidentialVM_VMGuestStateOnlyEncryptedWithPlatformKey, ConfidentialVM_DiskEncryptedWithPlatformKey

Post change, following values will be accepted:

SecurityType
TrustedLaunch
ConfidentialVM_VMGuestStateOnlyEncryptedWithPlatformKey
ConfidentialVM_DiskEncryptedWithPlatformKey
ConfidentialVM_DiskEncryptedWithCustomerKey

az disk-encryption-set create

Customer to use az disk-encryption-set create command with parameter --encryption-type to set Encryption type. For confidential VM, additional accepted encryption type should be ConfidentialVmEncryptedWithCustomerKey

Post change, following values will be accepted:

EncryptionType
EncryptionAtRestWithPlatformKey
EncryptionAtRestWithCustomerKey
EncryptionAtRestWithPlatformAndCustomerKeys
ConfidentialVmEncryptedWithCustomerKey

New Parameter

--secure-vm-disk-encryption-set (az disk create)

New Parameter --secure-vm-disk-encryption-set for command az disk create:

  • Allows customer to provide ARM ID for Disk Encryption Set created with ConfidentialVmEncryptedWithCustomerKey encryption type. This will allow customer to use Customer Managed Key (CMK) encryption.
  • Mandatory and required only when --security-type is set to ConfidentialVM_DiskEncryptedWithCustomerKey

End to End Usage

Scenario 1 - Managed OS Disk Create

  1. Store Disk Encryption Set ID in variable:

    diskEncryptionSetId=$(az disk-encryption-set show -n $diskEncryptionSetName -g $rgName --query [id] -o tsv)

  2. Create Virtual Machine Disk with ConfidentialVM_DiskEncryptedWithCustomerKey Security Type

    az disk create --name $diskName -g $rgName \
        --hyper-v-generation V2 --os-type Windows \
        --security-type ConfidentialVM_DiskEncryptedWithCustomerKey \
        --secure-vm-disk-encryption-set $diskEncryptionSetId \
        --image-reference "MicrosoftWindowsServer:WindowsServer:2019-datacenter-gensecond:latest"
    

Scenario 2 - Disk Encryption Set Create

  1. Create New key vault with premium SKU

    KeyVault="myKeyVault"
    az keyvault create --name $KeyVault --resource-group $rgName --location $region --sku Premium --enable-purge-protection 
    
  2. Create RSA-HSM Key with key release policy

    $KeyName = <name of key>
    $KeySize = 3072
    az keyvault key create --vault-name $KeyVault --name $KeyName --ops wrapKey unwrapkey --kty RSA-HSM --size $KeySize --exportable true --policy "@.\skr-policy.json"
    
  3. Query Key-vault key required for Disk Encryption Set

    keyUrl=$(az keyvault key show -n $keyName --vault-name $keyVaultName --query [key.kid] -o tsv)

  4. Create Disk Encryption Set

    az disk-encryption-set create -n $diskEncryptionSetName \
        -g $rgName -l $location \
        --key-url $keyUrl --encryption-type "ConfidentialVmEncryptedWithCustomerKey"
    
  5. Assign Access to Disk Encryption Set

    desIdentity=$(az disk-encryption-set show -n $diskEncryptionSetName -g $rgName --query [identity.principalId] -o tsv)
    
    az keyvault set-policy -n $KeyVault \
    -g $rgName \
    --object-id $desIdentity \
    --key-permissions wrapkey unwrapkey get
    

Describe alternatives you've considered

Not Applicable, new product feature request.

Additional context

Related to #22199

Request for Confidential VM - Planned GA by end of June CY22

Additional Checks

  • User provides value for --hyper-v-generation as V2 when --security-type parameter is used. If not, help message to be printed - SecurityType value for parameter --security-type is supported with --hyper-v-generation set to v2., where SecurityType value will be replaced by value passed for parameter --security-type.
  • When parameter --security-type is used, supported create options for disk are FromImage, Import, ImportSecure, UploadPreparedSecure. Empty is not supported.
  • ARM URI of Disk Encryption Set ID provided for new parameter --secure-vm-disk-encryption-set should have encryption type set to ConfidentialVmEncryptedWithCustomerKey.

Contacts

Role Contact
Main developer contacts (emails + github aliases) Abhishek Verma (AZURE) [email protected], Anshul Solanki [email protected]
PM contact (email + github alias) Ajay Kundnani [email protected]
Other people who should attend a design review (email) Run Cai [email protected], Deepak J V [email protected]
@ghost ghost added the Compute az vm/vmss/image/disk/snapshot label Apr 27, 2022
@ghost ghost added this to the Backlog milestone Apr 27, 2022
@ghost ghost assigned zhoxing-ms Apr 27, 2022
@ghost ghost added Auto-Assign Auto assign by bot KeyVault az keyvault labels Apr 27, 2022
@ghost ghost assigned evelyn-ys Apr 27, 2022
@yonzhan
Copy link
Collaborator

yonzhan commented Apr 27, 2022

Compute

@yonzhan yonzhan added feature-request and removed KeyVault az keyvault labels Apr 27, 2022
@AjKundnani
Copy link
Author

@zhoxing-ms - Updated Disk encryption set scenario with key vault key creation commands as well.

@cxznmhdcxz
Copy link
Member

Hi @AjKundnani , after supporting the arguments in CLI, I could create a DES with ConfidentialVmEncryptedWithCustomerKey as described in Scenario 2. Then I tried Scenario 1 with the DES just created, and returned this error:

{
  "error": {
    "code": "InvalidParameter",
    "message": "SecurityType 'ConfidentialVM_DiskEncryptedWithCustomerKey' is not supported by given image.",
    "target": "securityProfile.securityType"
  }
}

So could you please provide an image that would support ConfidentialVM_DiskEncryptedWithCustomerKey?

@AjKundnani
Copy link
Author

@cxznmhdcxz - if you can try with image 2019-datacenter-cvm or 2022-datacenter-cvm under offer windows-cvm

@zhoxing-ms
Copy link
Contributor

Mandatory and required only when --security-type is set to ConfidentialVM_DiskEncryptedWithCustomerKey.
Allows customer to provide ARM ID for Disk Encryption Set created with ConfidentialVmEncryptedWithCustomerKey encryption type. This will allow customer to use Customer Managed Key (CMK) encryption.
ARM URI of Disk Encryption Set ID provided for new parameter --securevm-disk-encryption-set should have encryption type set to ConfidentialVmEncryptedWithCustomerKey.

@AjKundnani These sentences mean that the --securevm-disk-encryption-set must be passed in when parameter --security-type is ConfidentialVM_DiskEncryptedWithCustomerKey, and --securevm-disk-encryption-set can only be passed in when parameter --security-type is ConfidentialVM_DiskEncryptedWithCustomerKey, right?

@AjKundnani
Copy link
Author

Mandatory and required only when --security-type is set to ConfidentialVM_DiskEncryptedWithCustomerKey.
Allows customer to provide ARM ID for Disk Encryption Set created with ConfidentialVmEncryptedWithCustomerKey encryption type. This will allow customer to use Customer Managed Key (CMK) encryption.
ARM URI of Disk Encryption Set ID provided for new parameter --securevm-disk-encryption-set should have encryption type set to ConfidentialVmEncryptedWithCustomerKey.

@AjKundnani These sentences mean that the --securevm-disk-encryption-set must be passed in when parameter --security-type is ConfidentialVM_DiskEncryptedWithCustomerKey, and --securevm-disk-encryption-set can only be passed in when parameter --security-type is ConfidentialVM_DiskEncryptedWithCustomerKey, right?

@zhoxing-ms - Right, --sercurevm-disk-encryption-set only required when --security-type is set to ConfidentialVM_DiskEncryptedWithCustomerKey else its not needed.

@AjKundnani
Copy link
Author

Updated request to reflect --secure-vm-disk-encryption-set as parameter name.

@zhoxing-ms
Copy link
Contributor

--security-type should be ConfidentialVM_* ONLY if --hyper-v-generation is set to V2

@AjKundnani When --hyper-v-generation is V2, --security-type can only be ConfidentialVM_* or other values can also be supported?

@AjKundnani
Copy link
Author

--security-type should be ConfidentialVM_* ONLY if --hyper-v-generation is set to V2

@AjKundnani When --hyper-v-generation is V2, --security-type can only be ConfidentialVM_* or other values can also be supported?

@zhoxing-ms - I've simplified the statement in request, any value of --security-type parameter needs --hyper-v-generation set to V2

@zhoxing-ms
Copy link
Contributor

zhoxing-ms commented Jun 28, 2022

--hyper-v-generation is set to V2 when --security-type parameter is used.
any value of --security-type parameter needs --hyper-v-generation set to V2

@AjKundnani Do you mean that when the user passes in the --security-type parameter, CLI needs to set --hyper-v-generation to V2?

I think a better solution may be to verify that users must input --hyper-v-generation as V2 when using --security-type.
Otherwise, users may be confused because the --hyper-v-generation parameters they passed in will be modified by CLI without their knowledge.

In addition, please note that since the --hyper-v-generation and --security-type parameters are pre-existing parameters, no matter which solution we use above, it will lead to breaking change!

@AjKundnani
Copy link
Author

AjKundnani commented Jun 28, 2022

--hyper-v-generation is set to V2 when --security-type parameter is used.
any value of --security-type parameter needs --hyper-v-generation set to V2

@AjKundnani Do you mean that when the user passes in the --security-type parameter, CLI needs to set --hyper-v-generation to V2?

I think a better solution may be to verify that users must input --hyper-v-generation as V2 when using --security-type. Otherwise, users may be confused because the --hyper-v-generation parameters they passed in will be modified by CLI without their knowledge.

In addition, please note that since the --hyper-v-generation and --security-type parameters are pre-existing parameters, no matter which solution we use above, it will lead to breaking change!
@zhoxing-ms :

  1. --hyper-v-generation is user input, if we can validate that user has input V2 as value along with --security-type, that should help.
  2. No change to existing parameter of --hyper-v-generation, only adding values to enum for parameter --security-type.
  3. In present release, if --security-type of TrustedLaunch is passed without --hyper-v-generation set to V2, it should generate error, we need to map same to additional enum values requested for parameter --security-type

@zhoxing-ms
Copy link
Contributor

zhoxing-ms commented Jun 28, 2022

@AjKundnani In current official CLI, if users pass in the --security-type parameter but do not pass in --hyper-v-generation parameter or specify the --hyper-v-generation parameter as V1, will the REST service raise an error at present?
If so, there is no breaking change. Otherwise, it will block this usage so as to cause breaking change

@AjKundnani
Copy link
Author

AjKundnani commented Jun 28, 2022

@AjKundnani In current official CLI, if users pass in the --security-type parameter but do not pass in --hyper-v-generation parameter or specify the --hyper-v-generation parameter as V1, will the REST service raise an error at present? If so, there is no breaking change. Otherwise, it will block this usage so as to cause breaking change

@zhoxing-ms : Below is the current behavior for --security-type TrustedLaunch, if we can retain same behavior for new values please:

  1. It checks for CreateOption if image reference is not passed, Error (BadRequest) Security Type 'TrustedLaunch' is not supported for CreateOption 'Empty'. Supported create options are FromImage, Import, ImportSecure, UploadPreparedSecure.
  2. After adding image reference, it checks for size, if less than 128GB, it throws error (ResizeDiskError) The disk/snapshot resource with id https://md-txp1chwkmhw1.z20.blob.storage.azure.net/ghgfvpxvrqx4/abcd cannot be resized down. Reducing disk/snapshot size is not supported in Azure to prevent data loss. If you do need to reduce the size of the disk, please create new snapshot/disks with the appropriate size. More information is available at https://aka.ms/AzureDisksFAQ.
  3. After passing image reference and size 128GB, without specifying parameter --hyper-v-generation, the disk is created with --hyper-v-generation set to V2
  4. Adding parameter --hyper-v-generation with value V2, same result as step 3 above.
  5. Adding parameter --hyper-v-generation with value V1, it creates the disk with Hyper-V generation v1, this shouldnt occur but to avoid breaking change, please do not add this check at present, if we can add a help message stating Security Type value for parameter --security-type is supported with --hyper-v-generation V2. (where Security type value can be replaced with value end user passed), and during next breaking change release we can add this check, if that will be ok?

@zhoxing-ms
Copy link
Contributor

@AjKundnani Out of curiosity, I would like to ask why we need to limit the parameter --hyper-v-generation to V2 even the --hyper-v-generation V1 and --security-type can be used at the same time to create a disk successfully?

@zhoxing-ms
Copy link
Contributor

zhoxing-ms commented Jun 28, 2022

@AjKundnani In order to avoid breaking change, I suggest that we can state this limitation in the help message first. And when users use the --security-type parameter, if they do not use the --hyper-v-generation parameter or they specify the --hyper-v-generation parameter as V1, CLI will only print a warning log to prompt them that they should specify the --hyper-v-generation parameter as V2 when using the --security-type parameter
As for adding verification, we can wait for the next breaking change window (Ignite Event), and then you can submit a new feature request to remind us to add verification for --hyper-v-generation parameter
What do you think of this solution?

@AjKundnani
Copy link
Author

@AjKundnani In order to avoid breaking change, I suggest that we can state this limitation in the help message first. And when users use the --security-type parameter, if they do not use the --hyper-v-generation parameter or they specify the --hyper-v-generation parameter as V1, CLI will only print a warning log to prompt them that they should specify the --hyper-v-generation parameter as V2 when using the --security-type parameter As for adding verification, we can wait for the next breaking change window (Ignite Event), and then you can submit a new feature request to remind us to add verification for --hyper-v-generation parameter What do you think of this solution?

  • In case user does not specifies --hyper-v-generation parameter, as it is auto-setting itself to V2 in current release, we can skip the warning log.
  • In case user specifies value V1 for --hyper-v-generation parameter, if CLI can print warning log, that'll be good, prompt should be non-interactive.
  • Yes, will submit new request to add verification in sprint close to Ignite event.

@zhoxing-ms
Copy link
Contributor

  • In case user does not specifies --hyper-v-generation parameter, as it is auto-setting itself to V2 in current release, we can skip the warning log.

@AjKundnani Please note that the default value of the --hyper-v-generation parameter is set to V1 in the CLI. code link
Are you sure that the V2 disk will be created if users do not specify --hyper-v-generation parameter? If so, could you please you provide me with the debug log?

  • In case user specifies value V1 for --hyper-v-generation parameter, if CLI can print warning log, that'll be good, prompt should be non-interactive.

Yes, the warning log is non-interactive and will not block users' automation scenarios.

  • Yes, will submit new request to add verification in sprint close to Ignite event.

OK, thanks much for your active help!

@yonzhan yonzhan closed this as completed Jul 1, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Auto-Assign Auto assign by bot Compute az vm/vmss/image/disk/snapshot feature-request
Projects
None yet
Development

No branches or pull requests

5 participants