docs: update azure firmware with openhcl (#3473)

Co-authored-by: Thomas Tendyck <[email protected]>
edgelesssys · Nov 11, 2024 · 1c5fe3f · 1c5fe3f
1 parent 36024f2
commit 1c5fe3f
Show file tree

Hide file tree

Showing 22 changed files with 34 additions and 21 deletions.
diff --git a/docs/docs/overview/clouds.md b/docs/docs/overview/clouds.md
@@ -19,7 +19,7 @@ The following table summarizes the state of features for different infrastructur
 | **1. Custom images**              | Yes     | Yes       | Yes     | Yes          | Yes                  |
 | **2. SEV-SNP or TDX**             | Yes     | Yes       | Yes     | No           | Depends on kernel/HV |
 | **3. Raw guest attestation**      | Yes     | Yes       | Yes     | No           | Depends on kernel/HV |
-| **4. Reviewable firmware**        | Yes     | No        | No      | No           | Depends on kernel/HV |
+| **4. Reviewable firmware**        | Yes     | No*       | No      | No           | Depends on kernel/HV |
 | **5. Confidential measured boot** | No      | Yes       | No      | No           | Depends on kernel/HV |
 
 ## Amazon Web Services (AWS)
@@ -40,6 +40,8 @@ This firmware is signed by Azure.
 The signature is reflected in the attestation statements of CVMs.
 Thus, the Azure closed-source firmware becomes part of Constellation's trusted computing base (TCB).
 
+\* Recently, [Azure announced the open source paravisor OpenHCL](https://techcommunity.microsoft.com/blog/windowsosplatform/openhcl-the-new-open-source-paravisor/4273172). It's the foundation for fully open source and verifiable CVM firmware. Once Azure provides their CVM firmware with reproducible builds based on OpenHCL, (4) switches from *No* to *Yes*. Constellation will support OpenHCL based firmware on Azure in the future.
+
 ## Google Cloud Platform (GCP)
 
 The [CVMs Generally Available in GCP](https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview#technologies) are based on AMD SEV-ES or SEV-SNP.

diff --git a/docs/styles/config/vocabularies/edgeless/accept.txt b/docs/styles/config/vocabularies/edgeless/accept.txt
@@ -53,6 +53,7 @@ Mbps
 MicroK8s
 namespace
 Nginx
+paravisor
 PCR
 plaintext
 proxied

diff --git a/docs/versioned_docs/version-2.0/overview/clouds.md b/docs/versioned_docs/version-2.0/overview/clouds.md
@@ -24,7 +24,7 @@ The following table summarizes the state of features for different infrastructur
 
 With its [CVM offering](https://docs.microsoft.com/en-us/azure/confidential-computing/confidential-vm-overview), Azure provides the best foundations for Constellation. Regarding (3), Azure provides direct access to remote-attestation statements. However, regarding (4), the standard CVMs still include closed-source firmware running in VM Privilege Level (VMPL) 0. This firmware is signed by Azure. The signature is reflected in the remote-attestation statements of CVMs. Thus, the Azure closed-source firmware becomes part of Constellation's trusted computing base (TCB).
 
-Recently, Azure [announced](https://techcommunity.microsoft.com/t5/azure-confidential-computing/azure-confidential-vms-using-sev-snp-dcasv5-ecasv5-are-now/ba-p/3573747) the *limited preview* of CVMs with customizable firmware. With this CVM type, (4) switches from *No* to *Yes*. Constellation will support customizable firmware on Azure in the future.
+\* Recently, [Azure announced the open source paravisor OpenHCL](https://techcommunity.microsoft.com/blog/windowsosplatform/openhcl-the-new-open-source-paravisor/4273172). It's the foundation for fully open source and verifiable CVM firmware. Once Azure provides their CVM firmware with reproducible builds based on OpenHCL, (4) switches from *No* to *Yes*. Constellation will support OpenHCL based firmware on Azure in the future.
 
 ## Google Cloud Platform (GCP)
 

diff --git a/docs/versioned_docs/version-2.1/overview/clouds.md b/docs/versioned_docs/version-2.1/overview/clouds.md
@@ -24,7 +24,7 @@ The following table summarizes the state of features for different infrastructur
 
 With its [CVM offering](https://docs.microsoft.com/en-us/azure/confidential-computing/confidential-vm-overview), Azure provides the best foundations for Constellation. Regarding (3), Azure provides direct access to remote-attestation statements. However, regarding (4), the standard CVMs still include closed-source firmware running in VM Privilege Level (VMPL) 0. This firmware is signed by Azure. The signature is reflected in the remote-attestation statements of CVMs. Thus, the Azure closed-source firmware becomes part of Constellation's trusted computing base (TCB).
 
-Recently, Azure [announced](https://techcommunity.microsoft.com/t5/azure-confidential-computing/azure-confidential-vms-using-sev-snp-dcasv5-ecasv5-are-now/ba-p/3573747) the *limited preview* of CVMs with customizable firmware. With this CVM type, (4) switches from *No* to *Yes*. Constellation will support customizable firmware on Azure in the future.
+\* Recently, [Azure announced the open source paravisor OpenHCL](https://techcommunity.microsoft.com/blog/windowsosplatform/openhcl-the-new-open-source-paravisor/4273172). It's the foundation for fully open source and verifiable CVM firmware. Once Azure provides their CVM firmware with reproducible builds based on OpenHCL, (4) switches from *No* to *Yes*. Constellation will support OpenHCL based firmware on Azure in the future.
 
 ## Google Cloud Platform (GCP)
 

diff --git a/docs/versioned_docs/version-2.10/overview/clouds.md b/docs/versioned_docs/version-2.10/overview/clouds.md
@@ -31,7 +31,7 @@ This firmware is signed by Azure.
 The signature is reflected in the remote-attestation statements of CVMs.
 Thus, the Azure closed-source firmware becomes part of Constellation's trusted computing base (TCB).
 
-\* Recently, Azure [announced](https://techcommunity.microsoft.com/t5/azure-confidential-computing/azure-confidential-vms-using-sev-snp-dcasv5-ecasv5-are-now/ba-p/3573747) the *limited preview* of CVMs with customizable firmware. With this CVM type, (4) switches from *No* to *Yes*. Constellation will support customizable firmware on Azure in the future.
+\* Recently, [Azure announced the open source paravisor OpenHCL](https://techcommunity.microsoft.com/blog/windowsosplatform/openhcl-the-new-open-source-paravisor/4273172). It's the foundation for fully open source and verifiable CVM firmware. Once Azure provides their CVM firmware with reproducible builds based on OpenHCL, (4) switches from *No* to *Yes*. Constellation will support OpenHCL based firmware on Azure in the future.
 
 ## Google Cloud Platform (GCP)
 

diff --git a/docs/versioned_docs/version-2.11/overview/clouds.md b/docs/versioned_docs/version-2.11/overview/clouds.md
@@ -31,7 +31,7 @@ This firmware is signed by Azure.
 The signature is reflected in the remote-attestation statements of CVMs.
 Thus, the Azure closed-source firmware becomes part of Constellation's trusted computing base (TCB).
 
-\* Recently, Azure [announced](https://techcommunity.microsoft.com/t5/azure-confidential-computing/azure-confidential-vms-using-sev-snp-dcasv5-ecasv5-are-now/ba-p/3573747) the *limited preview* of CVMs with customizable firmware. With this CVM type, (4) switches from *No* to *Yes*. Constellation will support customizable firmware on Azure in the future.
+\* Recently, [Azure announced the open source paravisor OpenHCL](https://techcommunity.microsoft.com/blog/windowsosplatform/openhcl-the-new-open-source-paravisor/4273172). It's the foundation for fully open source and verifiable CVM firmware. Once Azure provides their CVM firmware with reproducible builds based on OpenHCL, (4) switches from *No* to *Yes*. Constellation will support OpenHCL based firmware on Azure in the future.
 
 ## Google Cloud Platform (GCP)
 

diff --git a/docs/versioned_docs/version-2.12/overview/clouds.md b/docs/versioned_docs/version-2.12/overview/clouds.md
@@ -31,7 +31,7 @@ This firmware is signed by Azure.
 The signature is reflected in the remote-attestation statements of CVMs.
 Thus, the Azure closed-source firmware becomes part of Constellation's trusted computing base (TCB).
 
-\* Recently, Azure [announced](https://techcommunity.microsoft.com/t5/azure-confidential-computing/azure-confidential-vms-using-sev-snp-dcasv5-ecasv5-are-now/ba-p/3573747) the *limited preview* of CVMs with customizable firmware. With this CVM type, (4) switches from *No* to *Yes*. Constellation will support customizable firmware on Azure in the future.
+\* Recently, [Azure announced the open source paravisor OpenHCL](https://techcommunity.microsoft.com/blog/windowsosplatform/openhcl-the-new-open-source-paravisor/4273172). It's the foundation for fully open source and verifiable CVM firmware. Once Azure provides their CVM firmware with reproducible builds based on OpenHCL, (4) switches from *No* to *Yes*. Constellation will support OpenHCL based firmware on Azure in the future.
 
 ## Google Cloud Platform (GCP)
 

diff --git a/docs/versioned_docs/version-2.13/overview/clouds.md b/docs/versioned_docs/version-2.13/overview/clouds.md
@@ -31,7 +31,7 @@ This firmware is signed by Azure.
 The signature is reflected in the remote-attestation statements of CVMs.
 Thus, the Azure closed-source firmware becomes part of Constellation's trusted computing base (TCB).
 
-\* Recently, Azure [announced](https://techcommunity.microsoft.com/t5/azure-confidential-computing/azure-confidential-vms-using-sev-snp-dcasv5-ecasv5-are-now/ba-p/3573747) the *limited preview* of CVMs with customizable firmware. With this CVM type, (4) switches from *No* to *Yes*. Constellation will support customizable firmware on Azure in the future.
+\* Recently, [Azure announced the open source paravisor OpenHCL](https://techcommunity.microsoft.com/blog/windowsosplatform/openhcl-the-new-open-source-paravisor/4273172). It's the foundation for fully open source and verifiable CVM firmware. Once Azure provides their CVM firmware with reproducible builds based on OpenHCL, (4) switches from *No* to *Yes*. Constellation will support OpenHCL based firmware on Azure in the future.
 
 ## Google Cloud Platform (GCP)
 

diff --git a/docs/versioned_docs/version-2.14/overview/clouds.md b/docs/versioned_docs/version-2.14/overview/clouds.md
@@ -31,7 +31,7 @@ This firmware is signed by Azure.
 The signature is reflected in the remote-attestation statements of CVMs.
 Thus, the Azure closed-source firmware becomes part of Constellation's trusted computing base (TCB).
 
-\* Recently, Azure [announced](https://techcommunity.microsoft.com/t5/azure-confidential-computing/azure-confidential-vms-using-sev-snp-dcasv5-ecasv5-are-now/ba-p/3573747) the *limited preview* of CVMs with customizable firmware. With this CVM type, (4) switches from *No* to *Yes*. Constellation will support customizable firmware on Azure in the future.
+\* Recently, [Azure announced the open source paravisor OpenHCL](https://techcommunity.microsoft.com/blog/windowsosplatform/openhcl-the-new-open-source-paravisor/4273172). It's the foundation for fully open source and verifiable CVM firmware. Once Azure provides their CVM firmware with reproducible builds based on OpenHCL, (4) switches from *No* to *Yes*. Constellation will support OpenHCL based firmware on Azure in the future.
 
 ## Google Cloud Platform (GCP)
 

diff --git a/docs/versioned_docs/version-2.15/overview/clouds.md b/docs/versioned_docs/version-2.15/overview/clouds.md
@@ -19,7 +19,7 @@ The following table summarizes the state of features for different infrastructur
 | **1. Custom images**              | Yes       | Yes     | Yes     | Yes                  |
 | **2. SEV-SNP or TDX**             | Yes       | Yes     | Yes     | Depends on kernel/HV |
 | **3. Raw guest attestation**      | Yes       | Yes     | Yes     | Depends on kernel/HV |
-| **4. Reviewable firmware**        | No        | No      | Yes     | Depends on kernel/HV |
+| **4. Reviewable firmware**        | No*       | No      | Yes     | Depends on kernel/HV |
 | **5. Confidential measured boot** | Yes       | No      | No      | Depends on kernel/HV |
 
 ## Microsoft Azure
@@ -32,6 +32,8 @@ This firmware is signed by Azure.
 The signature is reflected in the remote-attestation statements of CVMs.
 Thus, the Azure closed-source firmware becomes part of Constellation's trusted computing base (TCB).
 
+\* Recently, [Azure announced the open source paravisor OpenHCL](https://techcommunity.microsoft.com/blog/windowsosplatform/openhcl-the-new-open-source-paravisor/4273172). It's the foundation for fully open source and verifiable CVM firmware. Once Azure provides their CVM firmware with reproducible builds based on OpenHCL, (4) switches from *No* to *Yes*. Constellation will support OpenHCL based firmware on Azure in the future.
+
 ## Google Cloud Platform (GCP)
 
 The [CVMs Generally Available in GCP](https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview#amd_sev) are based on AMD SEV but don't have SNP features enabled.

diff --git a/docs/versioned_docs/version-2.16/overview/clouds.md b/docs/versioned_docs/version-2.16/overview/clouds.md
@@ -19,7 +19,7 @@ The following table summarizes the state of features for different infrastructur
 | **1. Custom images**              | Yes       | Yes     | Yes     | Yes          | Yes                  |
 | **2. SEV-SNP or TDX**             | Yes       | Yes     | Yes     | No           | Depends on kernel/HV |
 | **3. Raw guest attestation**      | Yes       | Yes     | Yes     | No           | Depends on kernel/HV |
-| **4. Reviewable firmware**        | No        | No      | Yes     | No           | Depends on kernel/HV |
+| **4. Reviewable firmware**        | No*       | No      | Yes     | No           | Depends on kernel/HV |
 | **5. Confidential measured boot** | Yes       | No      | No      | No           | Depends on kernel/HV |
 
 ## Microsoft Azure
@@ -32,6 +32,8 @@ This firmware is signed by Azure.
 The signature is reflected in the remote-attestation statements of CVMs.
 Thus, the Azure closed-source firmware becomes part of Constellation's trusted computing base (TCB).
 
+\* Recently, [Azure announced the open source paravisor OpenHCL](https://techcommunity.microsoft.com/blog/windowsosplatform/openhcl-the-new-open-source-paravisor/4273172). It's the foundation for fully open source and verifiable CVM firmware. Once Azure provides their CVM firmware with reproducible builds based on OpenHCL, (4) switches from *No* to *Yes*. Constellation will support OpenHCL based firmware on Azure in the future.
+
 ## Google Cloud Platform (GCP)
 
 The [CVMs Generally Available in GCP](https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview#amd_sev) are based on AMD SEV but don't have SNP features enabled.

diff --git a/docs/versioned_docs/version-2.17/overview/clouds.md b/docs/versioned_docs/version-2.17/overview/clouds.md
@@ -19,7 +19,7 @@ The following table summarizes the state of features for different infrastructur
 | **1. Custom images**              | Yes     | Yes       | Yes     | Yes          | Yes                  |
 | **2. SEV-SNP or TDX**             | Yes     | Yes       | Yes     | No           | Depends on kernel/HV |
 | **3. Raw guest attestation**      | Yes     | Yes       | Yes     | No           | Depends on kernel/HV |
-| **4. Reviewable firmware**        | Yes     | No        | No      | No           | Depends on kernel/HV |
+| **4. Reviewable firmware**        | Yes     | No*       | No      | No           | Depends on kernel/HV |
 | **5. Confidential measured boot** | No      | Yes       | No      | No           | Depends on kernel/HV |
 
 ## Amazon Web Services (AWS)
@@ -40,6 +40,8 @@ This firmware is signed by Azure.
 The signature is reflected in the attestation statements of CVMs.
 Thus, the Azure closed-source firmware becomes part of Constellation's trusted computing base (TCB).
 
+\* Recently, [Azure announced the open source paravisor OpenHCL](https://techcommunity.microsoft.com/blog/windowsosplatform/openhcl-the-new-open-source-paravisor/4273172). It's the foundation for fully open source and verifiable CVM firmware. Once Azure provides their CVM firmware with reproducible builds based on OpenHCL, (4) switches from *No* to *Yes*. Constellation will support OpenHCL based firmware on Azure in the future.
+
 ## Google Cloud Platform (GCP)
 
 The [CVMs Generally Available in GCP](https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview#technologies) are based on AMD SEV-ES or SEV-SNP.

diff --git a/docs/versioned_docs/version-2.18/overview/clouds.md b/docs/versioned_docs/version-2.18/overview/clouds.md
@@ -19,7 +19,7 @@ The following table summarizes the state of features for different infrastructur
 | **1. Custom images**              | Yes     | Yes       | Yes     | Yes          | Yes                  |
 | **2. SEV-SNP or TDX**             | Yes     | Yes       | Yes     | No           | Depends on kernel/HV |
 | **3. Raw guest attestation**      | Yes     | Yes       | Yes     | No           | Depends on kernel/HV |
-| **4. Reviewable firmware**        | Yes     | No        | No      | No           | Depends on kernel/HV |
+| **4. Reviewable firmware**        | Yes     | No*       | No      | No           | Depends on kernel/HV |
 | **5. Confidential measured boot** | No      | Yes       | No      | No           | Depends on kernel/HV |
 
 ## Amazon Web Services (AWS)
@@ -40,6 +40,8 @@ This firmware is signed by Azure.
 The signature is reflected in the attestation statements of CVMs.
 Thus, the Azure closed-source firmware becomes part of Constellation's trusted computing base (TCB).
 
+\* Recently, [Azure announced the open source paravisor OpenHCL](https://techcommunity.microsoft.com/blog/windowsosplatform/openhcl-the-new-open-source-paravisor/4273172). It's the foundation for fully open source and verifiable CVM firmware. Once Azure provides their CVM firmware with reproducible builds based on OpenHCL, (4) switches from *No* to *Yes*. Constellation will support OpenHCL based firmware on Azure in the future.
+
 ## Google Cloud Platform (GCP)
 
 The [CVMs Generally Available in GCP](https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview#technologies) are based on AMD SEV-ES or SEV-SNP.

diff --git a/docs/versioned_docs/version-2.19/overview/clouds.md b/docs/versioned_docs/version-2.19/overview/clouds.md
@@ -19,7 +19,7 @@ The following table summarizes the state of features for different infrastructur
 | **1. Custom images**              | Yes     | Yes       | Yes     | Yes          | Yes                  |
 | **2. SEV-SNP or TDX**             | Yes     | Yes       | Yes     | No           | Depends on kernel/HV |
 | **3. Raw guest attestation**      | Yes     | Yes       | Yes     | No           | Depends on kernel/HV |
-| **4. Reviewable firmware**        | Yes     | No        | No      | No           | Depends on kernel/HV |
+| **4. Reviewable firmware**        | Yes     | No*       | No      | No           | Depends on kernel/HV |
 | **5. Confidential measured boot** | No      | Yes       | No      | No           | Depends on kernel/HV |
 
 ## Amazon Web Services (AWS)
@@ -40,6 +40,8 @@ This firmware is signed by Azure.
 The signature is reflected in the attestation statements of CVMs.
 Thus, the Azure closed-source firmware becomes part of Constellation's trusted computing base (TCB).
 
+\* Recently, [Azure announced the open source paravisor OpenHCL](https://techcommunity.microsoft.com/blog/windowsosplatform/openhcl-the-new-open-source-paravisor/4273172). It's the foundation for fully open source and verifiable CVM firmware. Once Azure provides their CVM firmware with reproducible builds based on OpenHCL, (4) switches from *No* to *Yes*. Constellation will support OpenHCL based firmware on Azure in the future.
+
 ## Google Cloud Platform (GCP)
 
 The [CVMs Generally Available in GCP](https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview#technologies) are based on AMD SEV-ES or SEV-SNP.

diff --git a/docs/versioned_docs/version-2.2/overview/clouds.md b/docs/versioned_docs/version-2.2/overview/clouds.md
@@ -24,7 +24,7 @@ The following table summarizes the state of features for different infrastructur
 
 With its [CVM offering](https://docs.microsoft.com/en-us/azure/confidential-computing/confidential-vm-overview), Azure provides the best foundations for Constellation. Regarding (3), Azure provides direct access to remote-attestation statements. However, regarding (4), the standard CVMs still include closed-source firmware running in VM Privilege Level (VMPL) 0. This firmware is signed by Azure. The signature is reflected in the remote-attestation statements of CVMs. Thus, the Azure closed-source firmware becomes part of Constellation's trusted computing base (TCB).
 
-Recently, Azure [announced](https://techcommunity.microsoft.com/t5/azure-confidential-computing/azure-confidential-vms-using-sev-snp-dcasv5-ecasv5-are-now/ba-p/3573747) the *limited preview* of CVMs with customizable firmware. With this CVM type, (4) switches from *No* to *Yes*. Constellation will support customizable firmware on Azure in the future.
+\* Recently, [Azure announced the open source paravisor OpenHCL](https://techcommunity.microsoft.com/blog/windowsosplatform/openhcl-the-new-open-source-paravisor/4273172). It's the foundation for fully open source and verifiable CVM firmware. Once Azure provides their CVM firmware with reproducible builds based on OpenHCL, (4) switches from *No* to *Yes*. Constellation will support OpenHCL based firmware on Azure in the future.
 
 ## Google Cloud Platform (GCP)