Merge pull request #5 from cc-api/update

Add deployment guide for Azure TD

README.md

@@ -39,8 +39,7 @@ and quote (report).
 There are 2 options creating a confidential cluster.
 
 - Create a few confidential VMs (CVMs) and deploy Kubernetes within them. The CVMs can be on local hosts if you have supported hardware. The CVMs can also be applied from CSP.
-The document [single_node_gcp.md](./deployment/single_node_gcp.md) shows how to apply for a TD on Google Cloud TDX Preview and start a Kubernetes cluster in the single
-confidential node.
+The document [csp_cvm.md](./deployment/csp_cvm.md) shows how to apply for a TD on Google Cloud or Azure and start a Kubernetes cluster in the single confidential node.
 - Create [Confidential GKE node](https://cloud.google.com/blog/products/identity-security/announcing-general-availability-of-confidential-gke-nodes) on Google cloud.
 
 

deployment/single_node_gcp.md → deployment/csp_cvm.md

@@ -1,15 +1,18 @@
-# Deployment Guide on GCP CVM
+# Deployment Guide on CSP CVM
 
-This guide introduces how to create a Intel TDX confidential VM (TD) on [Google cloud](https://cloud.google.com/?hl=en). Furthermore, it demonstrates how to create a Kubernetes cluster on the single CVM.
+This guide introduces how to create a Intel TDX confidential VM (TD) on [Google cloud](https://cloud.google.com/?hl=en)
+and [Azure](https://portal.azure.com/#home). Furthermore, it demonstrates how to collect measurement and create a Kubernetes cluster on the single CVM.
 
-## Prerequisite
+## Create CVM on Google Cloud Platform
+
+### Prerequisite
 
 1. Make sure you have account on Google cloud. 
 2. Follow steps of [Before you begin](https://cloud.google.com/confidential-computing/confidential-vm/docs/create-a-confidential-vm-instance#before_you_begin) to prepare Google Cloud project, enable billing and install `gcloud CLI`.
 
 __NOTE: When running `gcloud init` to set default region and zone. Set default region to `us-central1`, set default zone to `us-central1-a`, or `us-central1-b`, or `us-central1-c` as they are [supported zone](https://cloud.google.com/confidential-computing/confidential-vm/docs/supported-configurations#supported-zones) for TDX.__
 
-## Create Google Cloud CVM
+### Create TD
 
 Google Cloud doesn't support to create TD via UI console right now. Below steps will help you create TD instances via REST API. Find more details in the [document](https://cloud.google.com/confidential-computing/confidential-vm/docs/create-a-confidential-vm-instance#create-instance).
 
@@ -76,23 +79,77 @@ Host td
 $ ssh td
 ```
 
+## Create CVM on Azure
+
+### Prerequisite
+
+1. Make sure you have account on Azure. 
+2. [Create a resource group](https://portal.azure.com/#create/Microsoft.ResourceGroup) or using an existing resource group.
+
+### Create TD
+
+Create TD via Azure portal following the [guide](https://learn.microsoft.com/en-us/azure/confidential-computing/quick-create-confidential-vm-portal).
+
+__NOTE:__
+
+- `Region`: choose a region amoung `West Europe`, `Central US`, `East US 2` and `North Europe` for Intel TDX. Please find more details at [DCesv5 and DCedsv5-series VMs](https://learn.microsoft.com/en-us/azure/virtual-machines/dcesv5-dcedsv5-series) and [ECesv5 and ECedsv5-series VMs](https://learn.microsoft.com/en-us/azure/virtual-machines/ecesv5-ecedsv5-series)._
+
+- `Authentication type`: You can choose either `SSH public key` or `Password`. If `SSH public key` is chosen, a private key will be downloaded later for SSH connectivity.
+
+- `Inbound port rules`: Set `Public inbound ports` to `None` or it will fail to review the request. The network settings can update later.
+
+
+### Connect TD
+
+After the TD is created successfully, click the VM name and go to its overview. Click `Connect` and `Request access` for your local machine IP. Then click `Check access` and make sure it's accessible. Please see below diagram.
+
+![](../docs/azure-connect.png)
+
+At this point, you should be able to ssh the TD using a ssh tool, such as `Putty`.
+
+
+If you are behind a proxy, click `Network settings`. Click `Create port rule` - `Inbound port rule`. 
+- Input your proxy external IP to the `Source IP addresses/CIDR ranges`.
+- Input your VM's private IP ad `Destination IP addresses/CIDR ranges`. 
+
+Please see other fields in below diagram.
+
+![](../docs/azure-rule.png)
+
+Add below section to `~/.ssh/config`.
+```
+$ vi ~/.ssh/config
+Host td
+    HostName <Replace with external IP of the TD>
+    User <ssh username>
+    Port 22
+    PreferredAuthentications publickey
+    IdentityFile <Replace with path of ssh private key>
+    ProxyCommand connect-proxy -S <Replace with your proxy>:1080 %h %p
+
+$ ssh td
+```
+
 ## Gather Measurement, Event log and Quote
 
-[CC Trusted API](https://github.com/cc-api/cc-trusted-api) and [VMSDK](https://github.com/cc-api/cc-trusted-vmsdk) supports to gather measurement, event logs for the TD via vTPM. Getting quote via vTPM will be supported later. 
+### Get measurement
+
+[CC Trusted API](https://github.com/cc-api/cc-trusted-api) and [VMSDK](https://github.com/cc-api/cc-trusted-vmsdk) supports to gather measurement, event logs for the TD via vTPM. 
 
 Please refer to the [steps](https://github.com/cc-api/cc-trusted-vmsdk) to check the measurement and event logs via vTPM.
 
-Please run below steps in the TD to get quote using Intel [ITA client](https://github.com/intel/trustauthority-client-for-go/tree/gcp-tdx-preview/tdx-cli).
+### Get Quote
 
- - Follow the [guide](https://cloud.google.com/confidential-computing/confidential-vm/docs/attestation#intel_tdx_on_ubuntu) to enable `tdx_guest` module. 
+VMSDK has not supported getting quote yet. Please run below steps in the TD to get quote using [Intel ITA client for GCP](https://github.com/intel/trustauthority-client-for-go/tree/gcp-tdx-preview/tdx-cli) or [Intel ITA client for Azure](https://github.com/intel/trustauthority-client-for-go/tree/azure-tdx-preview/tdx-cli).
 
- - Reboot the TD to make sure the module is loaded.
+#### GCP TD
 
- - Get quote via ITA client.
+1. Follow the [guide](https://cloud.google.com/confidential-computing/confidential-vm/docs/attestation#intel_tdx_on_ubuntu) to enable `tdx_guest` module. Reboot the TD to make sure the module is loaded.
+
+2. Get quote via ITA client.
 
   ```
   $ curl -L https://github.com/intel/trustauthority-client-for-go/releases/download/v1.2.1/trustauthority-cli-gcp-v1.2.1.tar.gz -o trustauthority-cli.tar.gz
-
   $ tar xvf trustauthority-cli.tar.gz
 
   $ sudo apt install build-essential
@@ -101,6 +158,17 @@ Please run below steps in the TD to get quote using Intel [ITA client](https://g
   $ sudo ./trustauthority-cli quote
   ```
 
+#### Azure TD
+
+1. Follow the [guide](https://cloud.google.com/confidential-computing/confidential-vm/docs/attestation#intel_tdx_on_ubuntu) to enable `tdx_guest` module. Reboot the TD to make sure the module is loaded.
+
+2. Get quote via ITA client. Find more details at [here](https://github.com/intel/trustauthority-client-for-go/blob/azure-tdx-preview/tdx-cli/README.md)
+
+  ```
+  $ sudo apt-get update
+  $ curl -sL https://raw.githubusercontent.com/intel/trustauthority-client-for-go/main/release/install-tdx-cli-azure.sh | sudo bash -
+  $ sudo trustauthority-cli quote
+  ```
 
 ## Install Kubernetes
 
@@ -122,5 +190,5 @@ Check node status with below command. You can see current node status is ready.
 ```
 $ kubectl get node
 NAME     STATUS   ROLES                  AGE   VERSION
-td-005   Ready    control-plane,master   4s    v1.29.4+k3s1
+td       Ready    control-plane,master   4s    v1.29.4+k3s1
 ```