Document Details

Skr Flow Confidential Vm Sev Snp
Home / Scan 2 / Skr Flow Confidential Vm Sev Snp
This page contains Windows bias

About This Page

This page is part of the Azure documentation. It contains code examples and configuration instructions for working with Azure services.
GitHub View on GitHub 📚 View on Microsoft Learn

Bias Analysis

Bias Types:
⚠️ powershell_heavy
⚠️ windows_first
⚠️ windows_tools
⚠️ missing_linux_example
Summary:
The documentation demonstrates a moderate Windows bias. While it provides both Linux and Windows instructions for the guest attestation client, the primary scripting example for performing the key release operation is a PowerShell script, which is more natural for Windows users. The script includes some Linux handling, but it is written in PowerShell, which is not a default or common shell on most Linux distributions. Additionally, references to tools like PowerShell cmdlets (e.g., Get-AzSubscription, Get-AzADUser) and .NET classes for certificate handling are prominent, and there are no equivalent Bash or Python examples for Linux users. The documentation often mentions Windows tools or patterns first or exclusively, and Linux alternatives are sometimes only referenced in passing or as an afterthought.
Recommendations:
  • Provide a full Bash (or Python) script example for performing the key release operation on Linux, including obtaining the attestation token, fetching the managed identity token, and making the HTTP request to Key Vault.
  • When referencing how to obtain object IDs or tenant IDs, include both PowerShell and Azure CLI commands, and present them in parallel or with equal prominence.
  • For certificate validation and JWT decoding, provide Linux-native alternatives (e.g., using OpenSSL, jq, or Python scripts) alongside PowerShell/.NET examples.
  • Ensure that all code samples and instructions are available for both Windows and Linux, and avoid assuming PowerShell is available on Linux unless explicitly stated and installation instructions are provided.
  • Where possible, present Linux and Windows instructions in parallel tabs or sections, rather than listing Windows first or exclusively.
GitHub Create pull request

Scan History

Date Scan ID Status Bias Status
2025-08-17 00:01 #83 in_progress ✅ Clean
2025-07-13 21:37 #48 completed ✅ Clean
2025-07-09 13:09 #3 cancelled ✅ Clean
2025-07-08 04:23 #2 cancelled ❌ Biased

Flagged Code Snippets

#Requires -Version 7 #Requires -RunAsAdministrator #Requires -PSEdition Core <# .SYNOPSIS Perform Secure Key Release operation in Azure Key Vault, provided this script is running inside an Azure Confidential Virtual Machine. .DESCRIPTION Perform Secure Key Release operation in Azure Key Vault, provided this script is running inside an Azure Confidential Virtual Machine. The release key operation is applicable to all key types. The target key must be marked exportable. This operation requires the keys/release permission. .PARAMETER -AttestationTenant Provide the attestation instance base URI, for example https://mytenant.attest.azure.net. .PARAMETER -VaultBaseUrl Provide the vault name, for example https://myvault.vault.azure.net. .PARAMETER -KeyName Provide the name of the key to get. .PARAMETER -KeyName Provide the version parameter to retrieve a specific version of a key. .INPUTS None. .OUTPUTS System.Management.Automation.PSObject .EXAMPLE PS C:\> .\Invoke-SecureKeyRelease.ps1 -AttestationTenant "https://sharedweu.weu.attest.azure.net" -VaultBaseUrl "https://mykeyvault.vault.azure.net/" -KeyName "mykey" -KeyVersion "e473cd4c66224d16870bbe2eb4c58078" #> param ( [Parameter(Mandatory = $true)] [string] $AttestationTenant, [Parameter(Mandatory = $true)] [string] $VaultBaseUrl, [Parameter(Mandatory = $true)] [string] $KeyName, [Parameter(Mandatory = $false)] [string] $KeyVersion ) # Check if AttestationClient* exists. $fileExists = Test-Path -Path "AttestationClient*" if (!$fileExists) { throw "AttestationClient binary not found. Please download it from 'https://github.com/Azure/confidential-computing-cvm-guest-attestation'." } $cmd = $null if ($isLinux) { $cmd = "sudo ./AttestationClient -a $attestationTenant -o token" } elseif ($isWindows) { $cmd = "./AttestationClientApp.exe -a $attestationTenant -o token" } $attestedPlatformReportJwt = Invoke-Expression -Command $cmd if (!$attestedPlatformReportJwt.StartsWith("eyJ")) { throw "AttestationClient failed to get an attested platform report." } ## Get access token from IMDS for Key Vault $imdsUrl = 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://vault.azure.net' $kvTokenResponse = Invoke-WebRequest -Uri $imdsUrl -Headers @{Metadata = "true" } if ($kvTokenResponse.StatusCode -ne 200) { throw "Unable to get access token. Ensure Azure Managed Identity is enabled." } $kvAccessToken = ($kvTokenResponse.Content | ConvertFrom-Json).access_token # Perform release key operation if ([string]::IsNullOrEmpty($keyVersion)) { $kvReleaseKeyUrl = "{0}/keys/{1}/release?api-version=7.3" -f $vaultBaseUrl, $keyName } else { $kvReleaseKeyUrl = "{0}/keys/{1}/{2}/release?api-version=7.3" -f $vaultBaseUrl, $keyName, $keyVersion } $kvReleaseKeyHeaders = @{ Authorization = "Bearer $kvAccessToken" 'Content-Type' = 'application/json' } $kvReleaseKeyBody = @{ target = $attestedPlatformReportJwt } $kvReleaseKeyResponse = Invoke-WebRequest -Method POST -Uri $kvReleaseKeyUrl -Headers $kvReleaseKeyHeaders -Body ($kvReleaseKeyBody | ConvertTo-Json) if ($kvReleaseKeyResponse.StatusCode -ne 200) { Write-Error -Message "Unable to perform release key operation." Write-Error -Message $kvReleaseKeyResponse.Content } else { $kvReleaseKeyResponse.Content | ConvertFrom-Json }
@description('Required. Specifies the Azure location where the key vault should be created.') param location string = resourceGroup().location @description('Specifies the Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Get it by using Get-AzSubscription cmdlet.') param tenantId string = subscription().tenantId resource keyVault 'Microsoft.KeyVault/vaults@2021-11-01-preview' = { name: 'mykeyvault' location: location properties: { tenantId: tenantId sku: { name: 'premium' family: 'A' } } }
@description('Required. Specifies the object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. Get it by using Get-AzADUser or Get-AzADServicePrincipal cmdlets.') param objectId string resource keyVaultCvmAccessPolicy 'Microsoft.KeyVault/vaults/accessPolicies@2022-07-01' = { parent: keyVault name: 'add' properties: { accessPolicies: [ { objectId: objectId tenantId: tenantId permissions: { keys: [ 'release' ] } } ] } }
$certBase64 = "MIIIfDCCBmSgA..XQ==" $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]([System.Convert]::FromBase64String($certBase64)) $cert | Format-List * # NotAfter : 9/18/2023 6:14:06 PM # NotBefore : 9/23/2022 6:14:06 PM # ... # Issuer : CN=Microsoft Azure TLS Issuing CA 06, O=Microsoft Corporation, C=US # Subject : CN=vault.azure.net, O=Microsoft Corporation, L=Redmond, S=WA, C=US