azurecontainerstpm

Can Azure Containers use vTPM, Secure Boot and Attestation Mechanisms or is a VM necessary?


One of the benefits of containers is to reduce the overhead of creating a hypervisor and VM.

Azure supports a virtual Trusted Platform Module (vTPM) per https://learn.microsoft.com/en-us/azure/virtual-machines/generation-2.

One of the benefits of this feature is secure boot, trusted launch and attestation mechanisms per https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch-portal?tabs=portal%2Cportal2.

My question is, do users need to create a VM if they are just using containers? Can containers be used without a VM? Can those containers also have access to vTPM?


Solution

  • No, unfortunately.

    Use of a vTPM for measured / trusted boot and run time attestation on a virtual machine is possible due to the isolation it has from the host OS. When you watch the boot of a VM, you can see it has its own bootloader and runs separately from the host via a hypervisor. A container on the other hand is simply a process that is forked from an existing process running on the host OS. There is very little separation between the container and the host (which is why escapes are possible). This is why namespaces are required, to provide separation between the host and the container itself (e.g. without a user namespace, creating a user in a container would create the user on the host itself).
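The namespace point in the answer above can be checked directly on a Linux host. This is an added example, not part of the original answer: it compares the `/proc/<pid>/ns` links of two processes and reports which namespaces they share. The function names and the sample inode values are constructed for illustration.

```python
import os
import re

NS_LINK = re.compile(r"^([a-z_]+):\[(\d+)\]$")

# Constructed sample: readlink output of /proc/<pid>/ns/* for host PID 1 and
# for a process in a container started without a user namespace.
HOST_LINKS = ["cgroup:[4026531835]", "ipc:[4026531839]", "mnt:[4026531841]",
              "net:[4026531840]", "pid:[4026531836]", "time:[4026531834]",
              "user:[4026531837]", "uts:[4026531838]"]
CONTAINER_LINKS = ["cgroup:[4026532571]", "ipc:[4026532569]", "mnt:[4026532567]",
                   "net:[4026532572]", "pid:[4026532570]", "time:[4026531834]",
                   "user:[4026531837]", "uts:[4026532568]"]

def parse_ns_links(links):
    """Map namespace kind -> inode from strings such as 'user:[4026531837]'."""
    parsed = {}
    for link in links:
        match = NS_LINK.match(link.strip())
        if match:  # skip anything that is not a namespace link
            parsed[match.group(1)] = int(match.group(2))
    return parsed

def read_ns_links(pid):
    """Read the namespace links of a live process (Linux only)."""
    base = f"/proc/{pid}/ns"
    return [os.readlink(os.path.join(base, n)) for n in sorted(os.listdir(base))]

def audit(host_links, container_links):
    """Report which namespaces the container process shares with the host."""
    host, ctr = parse_ns_links(host_links), parse_ns_links(container_links)
    shared = sorted(k for k, inode in ctr.items() if host.get(k) == inode)
    return {"shared": shared,
            "isolated": sorted(set(ctr) - set(shared)),
            "user_ns_shared": "user" in shared}

if __name__ == "__main__":
    print("constructed sample:", audit(HOST_LINKS, CONTAINER_LINKS))
    try:  # live check: compare this process with PID 1 (needs root for /proc/1/ns)
        print("this process vs PID 1:", audit(read_ns_links(1), read_ns_links("self")))
    except OSError as err:
        print("live check skipped:", err)
```

To audit a real container, run it on the host as root and pass the container process's host PID to `read_ns_links` in place of `"self"`; inside a container, PID 1 is the container's own init, not the host's.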