Attesting a Buckypaper VM

This tutorial walks through attesting a confidential VM with Nitride: creating a template and a namespace, registering the workload, booting the VM with the attestation client, and receiving the attestation result on a webhook.

Create a template

The first step is to create a template for the VM. See the "Create a Buckypaper VMs template" tutorial for how to do this; the template id it produces is needed when registering the workload below.

Create a namespace

The second step is to create a namespace. An attestation can only be registered inside a namespace. See the documentation for how to create and use namespaces.

Register new workload

POST http://localhost:8200/v1/auth/ratls/attestation/create

The request goes to the Nitride base URL with a Vault token. For more detailed information on creating attestations, refer to the documentation.

Body

Name        Type     Description
template    string   Id of the template created in step 1, e.g. f05d8808-547a-4e9a-9843-07c3f55b7e67
namespace   string   Namespace created in step 2, e.g. education
webhook     string   URL that will receive the attestation result by HTTP POST, e.g. http://localhost:3000/webhook

Headers

Name            Value
X-Vault-Token   A Vault token authorized to call this endpoint

Response

{
    "request_id": "0bde6eee-f55b-e9a5-e1ba-7a382c6a0d50",
    "lease_id": "",
    "renewable": false,
    "lease_duration": 0,
    "data": {
        "instance": "77255d88-754c-42a3-954f-58fb86bf48a5"
    },
    "wrap_info": null,
    "warnings": null,
    "auth": null
}

The value of data.instance identifies this registration; the VM presents it as ENCLAIVE_INSTANCE in the next step.

Create a VM

Next, create an Azure VM of the DC2as_v5 size family running the Ubuntu 20_04-lts-cvm image, which supports confidential VMs (AMD SEV-SNP).

Pass the cloud-init configuration below when creating the VM. It exports the variables listed in the table, downloads the enclaivelet client from Nitride and runs it.

ENV                 Description                                                          Value
ENCLAIVE_PROTOCOL   Attestation technology the VM uses                                   sev-snp
ENCLAIVE_SOURCE     The provider name that was specified during measurement creation     azure
ENCLAIVE_INSTANCE   The "instance" field returned when the attestation was created       77255d88-754c-42a3-954f-58fb86bf48a5
ENCLAIVE_RESOURCE   Virtual machine name                                                 azure-vm
ENCLAIVE_NITRIDE    Nitride URL                                                          http://localhost:8200
ENCLAIVE_KEYSTORE   Vault URL                                                            http://localhost:8200

The localhost URLs above only work if Nitride and Vault run on the VM itself. In any other setup, set ENCLAIVE_NITRIDE and ENCLAIVE_KEYSTORE to addresses the VM can reach over the network.

#cloud-config
runcmd:
  - |
    set -eu

    export ENCLAIVE_PROTOCOL=sev-snp
    export ENCLAIVE_SOURCE=azure
    export ENCLAIVE_INSTANCE=77255d88-754c-42a3-954f-58fb86bf48a5
    export ENCLAIVE_RESOURCE=azure-vm
    export ENCLAIVE_NITRIDE=http://localhost:8200
    export ENCLAIVE_KEYSTORE=http://localhost:8200

    # Pick whichever downloader is installed. curl -f turns an HTTP error into a
    # failure here instead of saving the error page and executing it below.
    if [ -x "$(command -v curl)" ]; then
      COMMAND="curl -fsS -o"
    elif [ -x "$(command -v wget)" ]; then
      COMMAND="wget -q -O"
    else
      echo "Not installed: curl|wget"
      exit 1
    fi

    # Fetch the attestation client from Nitride and run it; it reads the ENCLAIVE_* variables.
    $COMMAND client "$ENCLAIVE_NITRIDE/static/enclaivelet"

    chmod +x client
    ./client

Once the client has run, the result of the attestation is sent by HTTP POST to the webhook you specified when creating the attestation, so the endpoint must accept POST and be reachable from Nitride. Below is an example of what is sent to the webhook.

{
  "Success": true,
  "Message": "success",
  "Instance": "77255d88-754c-42a3-954f-58fb86bf48a5",
  "Resource": "azure-vm",
  "Quote": "eyJWZXJzaWlE9PSJ9fQ=="
}
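The registration call and a webhook receiver for the flow above, as an added example that is not part of this page or the Nitride code base. It assumes only what the tutorial shows: the create endpoint with its body and X-Vault-Token header, and the webhook payload with the fields Success, Message, Instance, Resource and Quote. The function names, the pending-instance table and the sample report are this example's own; the Quote in the sample is a constructed stand-in, not a real SEV-SNP report.

```python
"""Added example (not enclaive's code): register a workload with Nitride and
receive its attestation result on a webhook.  Assumes the endpoint and payload
shapes shown in the tutorial; everything else is this example's own design."""
import base64
import json
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

NITRIDE_URL = "http://localhost:8200"  # from the tutorial; use an address the VM can reach


def register_workload(token, template, namespace, webhook, nitride=NITRIDE_URL):
    """POST .../v1/auth/ratls/attestation/create; returns data.instance (needs a live Nitride)."""
    body = json.dumps({"template": template, "namespace": namespace, "webhook": webhook}).encode()
    req = urllib.request.Request(
        f"{nitride}/v1/auth/ratls/attestation/create", data=body, method="POST",
        headers={"X-Vault-Token": token, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["data"]["instance"]


class AttestationResults:
    """Tracks instances we registered and accepts at most one report per instance.

    The webhook is a plain, unsigned HTTP POST, so the receiver must not trust
    "Success": true on its own: only instances it registered are accepted, each
    exactly once, and the decoded Quote is kept for verification or storage.
    """

    def __init__(self):
        self.pending = {}  # instance id -> expected ENCLAIVE_RESOURCE name
        self.reports = {}  # instance id -> decoded quote bytes

    def expect(self, instance, resource):
        self.pending[instance] = resource

    def accept(self, raw_body):
        """Validate one webhook body; returns (accepted, reason)."""
        try:
            msg = json.loads(raw_body)
        except ValueError:
            return False, "body is not JSON"
        if not isinstance(msg, dict):
            return False, "body is not a JSON object"
        for key in ("Success", "Message", "Instance", "Resource", "Quote"):
            if key not in msg:
                return False, f"missing field {key}"
        instance = msg["Instance"]
        if instance not in self.pending:
            return False, "unknown or already reported instance"
        if msg["Resource"] != self.pending[instance]:
            return False, "resource name does not match registration"
        if msg["Success"] is not True:
            del self.pending[instance]  # a failed attestation is final for this instance id
            return False, f"attestation failed: {msg['Message']}"
        try:
            quote = base64.b64decode(msg["Quote"], validate=True)
        except (ValueError, TypeError):
            return False, "Quote is not valid base64"
        del self.pending[instance]
        self.reports[instance] = quote
        return True, "accepted"


def make_handler(results):
    """http.server handler that feeds every POST body to results.accept()."""
    class WebhookHandler(BaseHTTPRequestHandler):
        def do_POST(self):
            length = int(self.headers.get("Content-Length", 0))
            ok, reason = results.accept(self.rfile.read(length))
            self.send_response(200 if ok else 400)
            self.end_headers()
            self.wfile.write(reason.encode())
    return WebhookHandler


def serve(results, port=3000):
    """Blocking listener for the webhook URL used in the tutorial (any path is accepted)."""
    HTTPServer(("0.0.0.0", port), make_handler(results)).serve_forever()


# Constructed sample in the shape shown above; the quote is a stand-in, not a real report.
INSTANCE = "77255d88-754c-42a3-954f-58fb86bf48a5"
SAMPLE_QUOTE = b'{"Version": 2}'
SAMPLE_REPORT = json.dumps({
    "Success": True, "Message": "success", "Instance": INSTANCE,
    "Resource": "azure-vm", "Quote": base64.b64encode(SAMPLE_QUOTE).decode(),
}).encode()


def demo():
    """First delivery is accepted, a replay of the same report is rejected."""
    results = AttestationResults()
    results.expect(INSTANCE, "azure-vm")
    first = results.accept(SAMPLE_REPORT)
    replay = results.accept(SAMPLE_REPORT)
    return first, replay, results.reports.get(INSTANCE)


if __name__ == "__main__":
    print(demo())
```

In a real deployment, call register_workload with the template id and namespace from steps 1 and 2, pass the returned instance to results.expect before the VM boots, and run serve on the host named in the webhook URL. What the receiver gets is still only Nitride's verdict plus the quote; anything that hands out secrets on the strength of this callback should verify or at least persist the quote rather than act on Success alone.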
