CanaryBit Tower

Orchestrate Trusted Execution Environments (TEE).


CanaryBit Tower is a Confidential Computing resources orchestration service. It helps end-users to deploy secure processing environments and provides control over configuration drifts.

Requirements

Infrastructure Providers

Public Clouds

The below configurations are free to use under the Apache-2.0 licence.

  • Azure: Infrastructure as Code (IaC) configuration for Azure Confidential VMs (GitHub)
  • AWS: Infrastructure as Code (IaC) configuration for AWS Confidential VMs (GitHub)
  • GCP: Infrastructure as Code (IaC) configuration for GCP Confidential VMs (GitHub)

On-Premise

A Premium License is required for the following configurations.

  • VMware: Infrastructure as Code (IaC) configuration for VMware Confidential VMs (Contact us!)
  • Proxmox: Infrastructure as Code (IaC) configuration for Proxmox Confidential VMs (Contact us!)
  • OpenShift: Infrastructure as Code (IaC) configuration for OpenShift Confidential VMs/Nodes (Contact us!)
  • Libvirt/KVM: Infrastructure as Code (IaC) configuration for bare-metal Confidential VMs (Contact us!)

Deployment Configuration

Standard

The provided configuration performs the following steps on the selected infrastructure provider:

  1. deploy Confidential VMs and the virtual resources they require (e.g. networks);
  2. apply cloud security best practices (e.g. password login disabled);
  3. inject a cloud-init file at boot time so that the Confidential VM configuration is robust: a separate, non-root user is created (e.g. cbuser) and the OS and packages are updated:

    cloud-init.yml:

    #cloud-config
    users:
      - default
      - name: cbuser
        sudo: false
        shell: /bin/bash
        ssh_authorized_keys:
          - ssh-rsa <CBUSER_PUB_KEY>

    timezone: UTC
    locale: "en_US.UTF-8"

    package_update: true
    package_upgrade: true
    package_reboot_if_required: true


CanaryBit Attestation

The CanaryBit Attestation service can be added to the CanaryBit Tower configuration to verify the correctness of a Confidential VM once the resource has been correctly deployed on the preferred infrastructure provider.

In addition to the standard configuration, the cloud-init file will:

  1. create a Manifest file containing execution details such as:
    • the supported hardware environment to verify;
    • the custom policies;
  2. create the canarybit user group and assign it to the user (e.g. cbuser), limiting its root permissions;
  3. collect information about the current execution environment;
  4. download and run the CanaryBit Inspector client (cbclient), applying the custom Policies;
  5. return the final CanaryBit report upon a successful verification process. Logs and reports are also available to external logging and auditing services.

CanaryBit Tower comes with a cloud-init generator to ensure the right configuration is deployed.
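As an added example (not CanaryBit's own generator), the following Python builds the standard cloud-init configuration described above, optionally adds the attestation pieces (the canarybit group and a Manifest file), and lints an existing configuration for drift from the hardening baseline. The manifest path and its JSON layout, the `lock_passwd`/`ssh_pwauth` settings and the key allow-list are assumptions for this example.

```python
"""Generate and lint a CanaryBit-style cloud-init file (added example)."""
import json
import re

# Constructed allow-list of key types; rejects the <CBUSER_PUB_KEY> placeholder.
KEY_RE = re.compile(r"^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256) [A-Za-z0-9+/]+=*( \S+)?$")


def build_cloud_config(user: str, pub_key: str, attestation: bool = False) -> dict:
    """Standard hardening (separate no-sudo user, key-only login, updates)
    plus optional attestation additions (canarybit group, Manifest file)."""
    if not KEY_RE.match(pub_key):
        raise ValueError("refusing placeholder or malformed SSH public key")
    account = {"name": user, "sudo": False, "shell": "/bin/bash",
               "lock_passwd": True, "ssh_authorized_keys": [pub_key]}
    cfg = {"users": ["default", account], "timezone": "UTC",
           "locale": "en_US.UTF-8", "package_update": True,
           "package_upgrade": True, "package_reboot_if_required": True,
           "ssh_pwauth": False}
    if attestation:
        account["groups"] = "canarybit"
        cfg["groups"] = ["canarybit"]
        # Manifest path and content layout are assumptions, not CanaryBit's format.
        manifest = {"hardware_environment": "<TEE_PLATFORM>", "policies": ["<CUSTOM_POLICY>"]}
        cfg["write_files"] = [{"path": "/etc/canarybit/manifest.json",
                               "permissions": "0640", "content": json.dumps(manifest)}]
    return cfg


def render(cfg: dict) -> str:
    """cloud-init requires '#cloud-config' as the first line; JSON is valid
    YAML, so the output parses without PyYAML being installed here."""
    return "#cloud-config\n" + json.dumps(cfg, indent=2) + "\n"


def lint(cfg: dict) -> list:
    """Drift checks against the baseline; an empty list means compliant."""
    findings = []
    if cfg.get("ssh_pwauth") is not False:
        findings.append("ssh_pwauth must be false")
    for u in cfg.get("users", []):
        if u == "default":
            continue
        if u.get("sudo") not in (False, "false"):
            findings.append(f"{u['name']}: sudo must be false")
        if any("<" in k for k in u.get("ssh_authorized_keys", [])):
            findings.append(f"{u['name']}: placeholder key left in config")
    for k in ("package_update", "package_upgrade"):
        if cfg.get(k) is not True:
            findings.append(f"{k} must be true")
    return findings
```

Run `lint()` over a deployed instance's rendered user-data to catch a hand-edited sudo grant or a leftover placeholder key before the VM is attested.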