General availability of Trusted Launch support for DCsv3/DCdsv3 VMs
Published Jul 28 2022 08:00 AM 5,049 Views

Inside The Emerging Enterprise Security Revolution

With organizations deploying infrastructure of increasing complexity in the cloud to meet data-management obligations, demand is growing for solutions that provide comprehensive defense against sophisticated cyber-attacks and social engineering exploits. Conventional encryption strategies provide protection for data while stored on disk or in transit over the network but ignore data in use while being processed in a CPU or GPU. 

 

Trusted Execution Environment (TEE) enclaves present an exciting opportunity to rethink existing approaches to security and data integrity for something that’s far simpler and safer. Integrating a TEE enclave ad-hoc, while technically feasible, it is sub-optimal for most enterprises. With all new hardware-based security paradigm is now just a few clicks away in Azure with DCsv3 virtual machines providing support for Intel® SGX.

 

DCsv3 VMs which are now generally available has six times the CPU cores of the previous generation and 12 times the memory. They also feature 1500 times the Enclave Page Cache (EPC) memory as compared to the previous generation which, together allows you to leverage the power of Intel® SGX technology on workloads that are much larger.

 

Trusted Launch

Cloud infrastructure running critical applications constantly encounter advanced and persistent security threats. An attempt to defend against these threats begin with a system to verify the integrity of infrastructure components. Concerted effort in this direction has resulted in a range of new security measures that together form the basis of “trusted launch”, encompassing Secure Boot and virtual trusted platform module (vTPM).

 

Trusted Launch support for DC series

Today, we are announcing Trusted Launch support for DCsv3/DCdsv3 VMs. Customers can now select “Trusted Launch” as the security type, to enable secure boot and vTPM.

TL.png
 

Create DCsv3 virtual machine with Trusted Launch

There are different ways to create DCsv3 virtual machine with “Trusted Launch” feature auto enabled on Azure.

 

Using the Azure az CLI:

 

The Azure az CLI is a command line tool that allows you to use same commands on all supported platforms: Windows, Linux, or Mac. The following example shows how to use the az command to create a DCsv3 virtual machine with “Trusted Launch” auto enabled.

 

az group create \
	--name "acc-secureboot-rg" \
	--location eastus2
az vm create \
	--resource-group acc-secureboot-rg \
	--name acc-secureboot-vm \
	--image Canonical:0001-com-ubuntu-server-focal:20_04-lts-gen2:latest \
	--public-ip-sku Standard \
	--admin-username accadmin \
	--generate-ssh-keys \
	--security-type TrustedLaunch \
	--enable-secure-boot $true \
	--enable-vtpm $true \
	--size Standard_DC1s_v3

 

 
Using the Azure Portal

If you prefer using a graphical user interface, the same provisioning can be done directly on the Azure portal.  This method supports custom templates for added flexibility in deployment. 

 

After logging into Microsoft Azure portal, click “Azure virtual machine”

 

SCN-3.png

 

 

Choose “Trusted launch virtual machines” for the security type parameter. 

 

SCN-2.png

 

Select “Configure Security features” and then enable Secure Boot and vTPM. 

Finally, click “create”.

 

Custom Template

Custom templates are JSON files that define the resources you need to deploy for your solution using the Azure Portal GUI. To understand the concepts associated with deploying and managing your Azure solutions with custom templates, see template deployment overview

 

Configure the securityProfile section under the VM Deployment section as follows:

 

"securityProfile": {
    "uefiSettings": {
        "secureBootEnabled": "true",
        "vTPMEnabled": "true"
    },
   "securityType": "TrustedLaunch"
}

 

 

Wrap Up:

Once a virtual machine is created using one of the above methods, you can verify whether secure boot is enabled using any of the following methods.

 
Azure portal:

SCN-1.png

 
Using the mokutil command within the VM you created.

 

ssh accadmin@public-ipaddress
sudo su -
mokutil --sb-state

 

 

The output should show “SecureBoot enabled.” Please note that you should use the same values you used during VM creation for “accadmin” and “public-ipaddress” on the mokutil command.

 
Windows

Connect to the VM using remote desktop and then run msinfo32.exe. In the right pane, check that the Secure Boot State is ON.

 

Resources:

1 Comment
Co-Authors
Version history
Last update:
‎Jul 29 2022 04:15 PM
Updated by: