Rd 1013 enclave

README.md

@@ -4,35 +4,32 @@
 maintain Confidential VM instances.
 Tower integrates with a long list of Cloud Service Providers (CSPs), private and bare-metal infrastructure to provide 
 governance of the resources defining your Trusted Execution Environment (TEE).
-It implements Infrastructure-as-Code (IaC) and SecDevOps methodologies to provide integrity and state of the art security
-to your workloads runtime.
+
+It implements Infrastructure-as-Code (IaC) and SecDevOps best-practices to provide integrity and state of the art security to your workloads runtime.
 
 ## 🌟 Features
 - 🤹 **Confidential VM Orchestration**: Deploy confidential VMs on AMD SEV-SNP and Intel TDX platforms.
+- 🔬 **Hardware & Environment Verification**: Integrate with [CanaryBit Inspector](https://www.canarybit.eu/confidential-cloud-inspector/) to support Remote Attestation of deployed confidential VMs. (* Requires a CanaryBit account)
 - 🛠 **Extensible Configuration**: Configure your confidential VM using available configuration options or write your own.
 - ⚖️ **No lock-in**: Support for multiple hardware platforms and virtualisation software.
-- 🔬 **Attestation verification support**: Integrates with [Inspector](https://www.canarybit.eu/confidential-cloud-inspector/) 
-to support remote attestation of deployed confidential VMs. Contact hi@canarybit.eu to learn more about CanaryBit's solution for remote attestation of confidential VMs.
 
 ## 🧩 Integrations
 - **Galaxy server**: Support for the [Galaxy project](https://github.com/galaxyproject) for data-intensive computation.
-- **Write your own**: Simple to crate new integrations using the [cloud-init-generator](https://github.com/canarybit/tower/tree/main/extensions/cloud-init-generator)
-
+- **Write your own**: Simple to create new integrations with custom `cloud-init` configurations.
+  
 ## 🛠️ How It Works
 1. **Clone** the repository to get the configurations.
 2. **Configure** the cloud-init script fine-tune your target setup.
 3. **Run** the Terraform scripts for your target Cloud Service Provider.  
 4. **Need help?** Check the examples to help you get started.
 
-
 ## 🧱 Requirements
 - [Terraform](https://developer.hashicorp.com/terraform) or [OpenTofu](https://opentofu.org/docs/intro/install/) installed;
-- Credentials to access your favourite Cloud Service Provider;
-- An SSH key to access Confidential VM instances.
+- Credentials to access your target Cloud Service Provider;
+- A SSH RSA keypair to access Confidential VM instances.
 
 ## 📖 Documentation
-For setup instructions, API references, and usage examples, see the documentation:
-🔗 [Documentation Link](https://docs.confidentialcloud.io/tower/)
+For setup instructions, API references, and usage examples, read the [technical documentation](https://docs.confidentialcloud.io/tower/).
 
 ## 🏀 Use Cases
 - 🤖 **Confidential AI**: Train models in a secure environment to protect intellectual property at all times.
@@ -44,23 +41,32 @@ For setup instructions, API references, and usage examples, see the documentatio
 ## 💪 Contributing
 Contributions are welcome! Please check the [CONTRIBUTING.md](CONTRIBUTING.md) for details on how to get started.
 
-## 📑 License
-Tower is licensed under the **Apache-2.0 License**. See the [LICENSE](LICENSE) file for more details.
-The Standard version contains the Terraform/OpenTofu configurations for deploying Confidential VMs in **Public Clouds**.
-Currently Tower supports the following platforms and public cloud providers:
+## 🎟️ Licences
+
+Tower is a Freemium service: basic features are free for Public Cloud setups while additional features, such as Remote Attestation and On-prem support, are offered via a paid subscription.
+
+### 🔰 Standard
+The [Apache-2.0 License](LICENSE) *free* version contains the Terraform/OpenTofu configurations for deploying Confidential VMs in **Public Clouds**.
 
-| Cloud Platform  | AMD SEV-SNP | Intel TDX |
-|-----------------| ------- |------- |
-| [AWS](/aws)     | yes    | upcoming    |
-| [Azure](/azure) | yes    | upcoming    |
-| [GCP](/gcp)     | yes    | yes    |
+Currently, Tower supports the following platforms and public cloud providers:
+
+| Cloud Platform          | AMD SEV-SNP | Intel TDX   |
+|-------------------------| ----------- |------------ |
+| [AWS](/modules/aws)     | yes         | upcoming    |
+| [Azure](/modules/azure) | yes         | upcoming    |
+| [GCP](/modules/gcp)     | yes         | yes         |
 
 ### 💎 Premium
 The Premium version contains the Terraform configurations for deploying Confidential VMs **on-premise** and for **bare-metal** setups.
-Currently Tower supports the following virtualisation plaftorms:
+
+Currently, Tower supports the following virtualisation plaftorms:
 
 - [Libvirt/Qemu/KVM](https://libvirt.org/)
 - [Proxmox](https://www.proxmox.com/)
 - [VMware vSphere 9.0](https://www.vmware.com/products/cloud-infrastructure/vsphere)
 
-Reach out to [hi@canarybit.eu](mailto:hi@canarybit.eu) if you want to use Tower to deploy confidential VMs in on-prem deployments (that requires the Premium version).
+
+## 🎟️ Contacts
+Reach us out at [hi@canarybit.eu](mailto:hi@canarybit.eu) for more information.
+
+/ The CanaryBit Team

commons/cloud-init.yml → cloud-init/default.yml

@@ -1,11 +1,11 @@
 #cloud-config
 users:
   - default
-  - name: <USERNAME>
+  - name: ${USERNAME}
     sudo: false
     shell: /bin/bash
     ssh_authorized_keys:
-      - <YOUR_SSH_RSA_KEY>
+      - ${SSH_PUBKEY}
 
 timezone: UTC
 locale: "en_US.UTF-8"

cloud-init/remote-attestation.yml

@@ -0,0 +1,65 @@
+#cloud-config
+users:
+  - default
+  - name: ${USERNAME}
+    groups: [canarybit]
+    sudo: false
+    shell: /bin/bash
+    ssh_authorized_keys:
+      - ${SSH_PUBKEY}
+
+timezone: UTC
+locale: "en_US.UTF-8"
+
+package_update: true
+package_upgrade: true
+package_reboot_if_required: true
+packages:
+  - libtss2-dev
+  - jq
+
+write_files:
+  - path: /etc/environment
+    append: true
+    content: |
+      CB_TOKENS=${CB_TOKENS}
+      CBCLIENT_LOG_LEVEL=info
+      CBCLIENT_INSPECTOR_URL=${CBINSPECTOR_URL}
+      CBCLIENT_ENVIRONMENTS=${CC_ENVIRONMENTS}
+
+  - path: /etc/udev/rules.d/61-canarybit-udev.rules
+    owner: root:root
+    content: |
+      # Custom udev rules for CanaryBit attestation client
+      # SNP on non-Hyper-V guest
+      # Preserves OWNER="root", gives the group "canarybit" ownership and read access
+      KERNEL=="sev-guest",MODE="0640",GROUP="canarybit"
+      # SNP on Hyper-V guest
+      # Preserves OWNER="tss" and MODE="0660", gives the group "canarybit" ownership and read/write access
+      KERNEL=="tpmrm0",MODE="0660",GROUP="canarybit"
+
+  - path: /home/${USERNAME}/signing-key.pem
+    owner: ${USERNAME}:${USERNAME}
+    defer: true
+    permissions: '0600'
+    content: | 
+      ${SIGNING_KEY}
+
+  - path: /home/${USERNAME}/launch-cbclient.sh
+    owner: ${USERNAME}:${USERNAME}
+    defer: true
+    permissions: '0755'
+    content: |
+      #!/bin/bash
+      #############################
+      # FETCH & RUN THE CBCLIENT
+      #############################
+      curl -fsSL https://canarybit-public-binaries.s3.eu-west-1.amazonaws.com/cb-cli/${CBCLI_V}/cb-x86_64-unknown-linux-gnu -o cb; chmod +x cb
+      ./cb download cbclient ${CBCLIENT_V}/cbclient; chmod +x cbclient
+      ./cbclient attestation --token $(./cb login inspector) --key signing-key.pem 2> cbclient-logs.txt
+
+runcmd:
+  - udevadm trigger
+  - su -c '/home/${USERNAME}/launch-cbclient.sh' - ${USERNAME}
+
+final_message: "==========   TOWER SETUP COMPLETED IN $UPTIME secs    =========="

examples/single.tf

@@ -0,0 +1,67 @@
+terraform {
+  required_version = ">= 1.0"
+  required_providers {
+    // Use only the required provider
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.5"
+    }
+    azurerm = {
+      source = "hashicorp/azurerm"
+      version = ">= 4.0.1"
+    }
+    google = {
+      source = "hashicorp/google"
+      version = "~> 6.8.0"
+    }
+  }
+}
+
+// Use only the required provider
+provider "aws" {}
+provider "azurerm" {
+  features { } 
+}
+provider "gcp" {}
+
+// =====================
+//  Tower Arguments
+// =====================
+
+variable "cb_login" {
+  description = "Enter your CanaryBit Authentication token."
+  type = string
+}
+
+// =====================
+//  Confidential VM (CVM)
+// =====================
+module "confidential-vm" {
+  source = "canarybit/tower/canarybit/<SUB_MODULE>" // <SUB_MODULE>: aws, azure, gcp
+  cb_auth = var.cb_login
+
+  // Azure deployments only, remove otherwise!
+  az_resource_group_name = "<RESOURCE_GROUP_NAME>" 
+
+  // Confidential VM
+  cvm_name = "demo-cvm"
+  cvm_ssh_enabled = true
+  cvm_ssh_pubkey = "~/.ssh/id_rsa.pub"
+
+  // Remote Attestation
+  remote_attestation = {
+    cc_environments = "snp"
+  }
+}
+
+// =====================
+//  Print CVM info
+// =====================
+output "cvm-info" {
+  value = module.confidential-vm.cvm-info
+}
+
+output "cvm_cloud_init" {
+  value = module.confidential-vm.cloud-init
+  sensitive = true
+}