Skip to content
This repository was archived by the owner on Mar 24, 2026. It is now read-only.

Add Azure support to DataPlane Libraries#11

Open
Brandr0id wants to merge 1 commit into
privacysandbox:mainfrom
Brandr0id:azure_support_dataplane_shared
Open

Add Azure support to DataPlane Libraries#11
Brandr0id wants to merge 1 commit into
privacysandbox:mainfrom
Brandr0id:azure_support_dataplane_shared

Conversation

@Brandr0id

Copy link
Copy Markdown

Co-authored-by: Dominic Ayre dominicayre@microsoft.com
Co-authored-by: Joe Powell joepowell@microsoft.com
Co-authored-by: Kapil Vaswani kapilv@microsoft.com
Co-authored-by: Ken Gordon Ken.Gordon@microsoft.com
Co-authored-by: Mahati Chamarthy mahati.chamarthy@microsoft.com
Co-authored-by: Ronny Bjones ronny.bjones@microsoft.com

This is an updated version of #1 with a complete/functioning Azure data plane support to enable B&A, KV, or KMS service usage/hosting in the Azure Cloud.


New feature: Add Azure support

This pull request introduces support for Azure KMS and attestation services.

  • azure_kms_client_provider_utils.cc: Added utility functions for key management, including key generation, wrapping, unwrapping, and PEM conversion.
  • azure_kms_client_provider.cc: Implemented the Azure KMS client provider with methods for decryption and session token handling.
  • fake_report.cc: Added a fake attestation report for testing purposes.

Co-authored-by: Dominic Ayre <dominicayre@microsoft.com>
Co-authored-by: Joe Powell <joepowell@microsoft.com>
Co-authored-by: Kapil Vaswani <kapilv@microsoft.com>
Co-authored-by: Ken Gordon <Ken.Gordon@microsoft.com>
Co-authored-by: Mahati Chamarthy <mahati.chamarthy@microsoft.com>
Co-authored-by: Ronny Bjones <ronny.bjones@microsoft.com>

----
New feature: Add Azure support

This pull request introduces support for Azure KMS and attestation services.
- `azure_kms_client_provider_utils.cc`: Added utility functions for key management, including key generation, wrapping, unwrapping, and PEM conversion.
- `azure_kms_client_provider.cc`: Implemented the Azure KMS client provider with methods for decryption and session token handling.
- `fake_report.cc`: Added a fake attestation report for testing purposes.
@Brandr0id Brandr0id requested a review from a team as a code owner November 18, 2024 22:50
@Brandr0id

Copy link
Copy Markdown
Author

@chatterjee-priyanka the original PR for adding data-plane support for Azure (PR: #1) has been active for ~11mo+ with no comments, feedback, or other action. It's our understanding that regardless of KMS implementation the underlying core attestation for the host OS in the cloud environment and communication (CPIO) aspects shared in the dataplane code which B&A and KV services leverage would largely be required to deploy container images in Azure.

This PR updates the original PR with the latest code from our Azure R&D and security teams to ensure meaningful attestation and reports when operating on Azure Confidential Compute instances. While we understand some aspects might need to slightly adjust depending on a KMS deployment the bulk of this code would still be useful and helps integrate core Azure primitives/concepts from the teams directly familiar with them and their security concerns. This will also unblock integrations in the B&A/KV services to allow building and sustainable development with Azure in mind similar to GCP and AWS.

Can you please help review/merge this code or provide meaningful feedback as to the challenges or limitations regarding supporting Azure in the dataplane library given a fully functional/complete implementation. We are happy to iterate quickly and address code review feedback to help land this.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant