Build Dependencies for SEV-SNP VM: az-dcap

[Camelron]

Hello,

I'm digging into the ansible scripts for installing dev dependencies and trying to refactor it for the OS image I am most familiar with (Mariner aka AzureLinux).

Regarding the az-dcap component, https://github.com/microsoft/CCF/blob/main/getting_started/setup_vm/app-dev.yml#L19, do we need this for the SEV-SNP platform? If not, is there an analogous component for SEV-based enclaves?

[achamayou]

Hi @Camelron,

az-dcap-client is used to fetch SGX collateral when running in Azure, there is no analogous dependency for SEV-SNP, CCF reaches out to the Azure endpoints directly or gets it from env vars where available (ACI).

It's also not necessary to verify SGX quotes on SGX because CCF bundles collateral with attestation, so even in a mixed network (during a migration), it shouldn't be needed.

[Camelron]

Ah, I didn't realize you responded so quickly. Thanks!

[Camelron]

If you don't mind some follow-up questions:

How are the integrity of the 'instances' in the network verified when running on SEV-SNP systems? Do they need to be brought up in confidential VMs?

[achamayou]

@Camelron integrity is verified through attestation at join time, and so we require that it captures the whole startup state (VM image, client code running, mounts if they exist etc), which Confidential Containers do. We don't support other ways to run on SEV-SNP at the moment, but if they provided equivalent attestation coverage, we would certainly be interested.

Your questions are very welcome, we would like to explore running on Mariner once we've transitioned fully to SEV-SNP, but as we still need to support SGX for now we try to keep as much commonality between targets and we are stuck with Ubuntu 20.04 as a result.