[Docs] Update Azure Confidential Compute VM deployment description

vahldiek · Dmitrii Kuvaiskii · commit fcb8a6529a42 · 2020-09-30T23:18:01.000-07:00
diff --git a/Documentation/cloud-deployment.rst b/Documentation/cloud-deployment.rst
@@ -18,11 +18,7 @@ Azure confidential computing VMs
 generally available and provide access to VMs with Intel SGX enabled in `DCsv2
 VM instances
 <https://docs.microsoft.com/en-us/azure/virtual-machines/dcv2-series>`__. The
-description below uses a VM running Ubuntu 18.04 with a the preinstalled `Intel
-SGX DCAP driver
-<https://github.com/intel/SGXDataCenterAttestationPrimitives/tree/LD_1.22>`__
-(version ``LD_1.22``). To use a different Intel SGX driver, please follow the
-instructions to uninstall the driver.
+description below uses a VM running Ubuntu 18.04.
 
 Prerequisites
 ^^^^^^^^^^^^^
@@ -33,6 +29,10 @@ Update and install the required packages for Graphene::
    sudo apt install -y build-essential autoconf gawk bison python3-protobuf \
                        libprotobuf-c-dev protobuf-c-compiler libcurl4 python3
 
+Graphene requires the kernel to support FSGSBASE x86 instructions. Older Azure
+Confidential Compute VMs may not contain the required kernel patches and need to
+be updated.
+
 Building
 ^^^^^^^^
 
@@ -42,40 +42,20 @@ Building
        cd graphene
        git submodule update --init -- Pal/src/host/Linux-SGX/sgx-driver/
 
-#. Prepare the signing keys and Graphene kernel driver::
+#. Prepare the signing keys::
 
        openssl genrsa -3 -out enclave-key.pem 3072
        cp enclave-key.pem Pal/src/host/Linux-SGX/signer
-       cd Pal/src/host/Linux-SGX/sgx-driver
-       ISGX_DRIVER_PATH=/usr/src/linux-azure-headers-`uname -r`/arch/x86/ make
-       # WARNING: read "Security Implications" section before running this command
-       sudo insmod gsgx.ko
-       cd -
 
 #. Build Graphene::
 
-       ISGX_DRIVER_PATH=/usr/src/linux-azure-headers-`uname -r`/arch/x86/ make SGX=1
+       ISGX_DRIVER_PATH=/usr/src/linux-headers-`uname -r`/arch/x86/ make SGX=1
 
 #. Build and run :program:`helloworld`::
 
        cd LibOS/shim/test/native
        make SGX=1 sgx-tokens
-       SGX=1 ./pal_loader helloworld
-
-
-Security implications
-^^^^^^^^^^^^^^^^^^^^^
-
-Note that this guide assumes that you deploy Graphene on an untrusted cloud VM.
-One step in this guide significantly weakens the security of the cloud VM's
-Linux kernel: ``sudo insmod gsgx.ko`` introduces a local privilege escalation
-vulnerability. This kernel module enables the FSGSBASE processor feature
-without proper enabling in the host Linux kernel. Please refer to the
-documentation under ``Pal/src/host/Linux-SGX/sgx-driver`` for more information.
-
-This step is a temporary workaround and will not be required in the future
-(starting from Linux 5.9). Be aware that the current guide must not be used to
-set up production environments.
+       SGX=1 ../../../../Runtime/pal_loader helloworld
 
 Azure Kubernetes Services (AKS)
 -------------------------------
