(预览版)在现有虚拟机规模集上启用受信任启动

适用于:✔️ Linux VM ✔️ Windows VM ✔️ 虚拟机规模集统一

Azure 虚拟机规模集支持通过升级到“受信任启动”安全类型,在现有统一规模集 VM 上启用受信任的启动。

受信任启动会在 Azure 第 2 代虚拟机和规模集上启用基础计算安全性,帮助它们防范高级和持久性攻击技术,例如启动工具包和根工具包。 它通过组合规模集上的安全启动、vTPM 和启动完整性监视等基础结构技术来完成此目标。

限制

先决条件

在现有规模集统一上启用受信任启动

本部分介绍如何使用 ARM 模板在现有虚拟机规模集上启用受信任启动的步骤。

对现有 ARM 模板部署代码进行以下修改。 有关完整的模板,请参阅“快速入门受信任启动规模集 ARM 模板”。

重要

受信任的启动安全类型适用于规模集 apiVersion 2020-12-01 或更高版本。 确保在升级之前正确设置 API 版本。

  1. OS 映像:更新对 Gen2 受信任启动支持的 OS 映像的 OS 映像引用。 如果使用 Azure Compute Gallery OS 映像,请确保源 Gen2 映像具有 TrustedLaunchSupported 安全类型。

    "storageProfile": { 
            "osDisk": { 
                "createOption": "FromImage", 
                "caching": "ReadWrite" 
            }, 
            "imageReference": { 
                "publisher": "MicrosoftWindowsServer", 
                "offer": "WindowsServer", 
                "sku": "2022-datacenter-azure-edition", 
                "version": "latest" 
            } 
    }
    
  2. (可选)规模集大小:如果受信任启动安全配置不支持当前大小系列,请修改规模集大小。

        "sku": { 
            "name": "Standard_D2s_v3", 
            "tier": "Standard", 
            "capacity": "[parameters('instanceCount')]" 
        } 
    
  3. 安全配置文件:在 virtualMachineProfile 下添加 securityProfile 块以启用受信任启动安全配置。

    注意

    建议的设置:vTPMtruesecureBoot:如果操作系统上使用任何未签名的自定义驱动程序或内核,则应将 truesecureBoot 设置为 false

    "securityProfile": { 
        "securityType": "TrustedLaunch", 
        "uefiSettings": { 
          "secureBootEnabled": true, 
          "vTpmEnabled": true
        } 
    }
    
  4. (建议)来宾证明扩展:为规模集资源添加来宾证明 (GA) 扩展,从而为规模集启用启动完整性监视

    重要

    来宾证明扩展需要将 secureBoot vTPM 设置为 true

    { 
        "condition": "[and(parameters('vTPM'), parameters('secureBoot'))]", 
        "type": "Microsoft.Compute/virtualMachineScaleSets/extensions", 
        "apiVersion": "2022-03-01", 
        "name": "[format('{0}/{1}', parameters('vmssName'), GuestAttestation)]", 
        "location": "[parameters('location')]", 
        "properties": { 
          "publisher": "Microsoft.Azure.Security.WindowsAttestation", 
          "type": "GuestAttestation", 
          "typeHandlerVersion": "1.0", 
          "autoUpgradeMinorVersion": true, 
          "enableAutomaticUpgrade": true, 
          "settings": { 
            "AttestationConfig": { 
              "MaaSettings": { 
                "maaEndpoint": "[substring('emptystring', 0, 0)]", 
                "maaTenantName": "GuestAttestation" 
              } 
            } 
          } 
        }, 
        "dependsOn": [ 
          "[resourceId('Microsoft.Compute/virtualMachineScaleSets', parameters('vmssName'))]" 
        ] 
    } 
    

    扩展发布者的名称:

    OS 类型 扩展发布者名称
    Windows Microsoft.Azure.Security.WindowsAttestation
    Linux Microsoft.Azure.Security.LinuxAttestation
  5. 查看对模板所做的更改。

    展开以查看完整的 ARM 模板示例,该模板支持将现有规模集升级到受信任启动和回滚(如果需要)。
    {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {
        "vmSku": {
          "type": "string",
          "defaultValue": "Standard_D2s_v3",
          "metadata": {
            "description": "Size of VMs in the VM Scale Set."
          }
        },
        "sku": {
          "type": "string",
          "defaultValue": "2022-datacenter-azure-edition",
          "allowedValues": [
            "2022-datacenter-azure-edition"
          ],
          "metadata": {
            "description": "The Windows version for the VM. This will pick a fully patched image of this given Windows version."
          }
        },
        "vmssName": {
          "type": "string",
          "maxLength": 61,
          "metadata": {
            "description": "String used as a base for naming resources. Must be 3-61 characters in length and globally unique across Azure. A hash is prepended to this string for some resources, and resource-specific information is appended."
          }
        },
        "instanceCount": {
          "type": "int",
          "defaultValue": 2,
          "maxValue": 100,
          "minValue": 1,
          "metadata": {
            "description": "Number of VM instances (100 or less)."
          }
        },
        "adminUsername": {
          "type": "string",
          "metadata": {
            "description": "Admin username on all VMs."
          }
        },
        "adminPassword": {
          "type": "securestring",
          "metadata": {
            "description": "Admin password on all VMs."
          }
        },
        "location": {
          "type": "string",
          "defaultValue": "[resourceGroup().location]",
          "metadata": {
            "description": "Location for all resources."
          }
        },
        "publicIpName": {
          "type": "string",
          "defaultValue": "myPublicIP",
          "metadata": {
            "description": "Name for the Public IP used to access the virtual machine Scale set."
          }
        },
        "publicIPAllocationMethod": {
          "type": "string",
          "defaultValue": "Static",
          "allowedValues": [
            "Dynamic",
            "Static"
          ],
          "metadata": {
            "description": "Allocation method for the Public IP used to access the virtual machine set."
          }
        },
        "publicIpSku": {
          "type": "string",
          "defaultValue": "Standard",
          "allowedValues": [
            "Basic",
            "Standard"
          ],
          "metadata": {
            "description": "SKU for the Public IP used to access the virtual machine Scale set."
          }
        },
        "dnsLabelPrefix": {
          "type": "string",
          "defaultValue": "[toLower(format('{0}-{1}', parameters('vmssName'), uniqueString(resourceGroup().id)))]",
          "metadata": {
            "description": "Unique DNS Name for the Public IP used to access the virtual machine Scale set."
          }
        },
        "healthExtensionProtocol": {
          "type": "string",
          "defaultValue": "TCP",
          "allowedValues": [
            "TCP",
            "HTTP",
            "HTTPS"
          ]
        },
        "healthExtensionPort": {
          "type": "int",
          "defaultValue": 3389
        },
        "healthExtensionRequestPath": {
          "type": "string",
          "defaultValue": "/"
        },
        "overprovision": {
          "type": "bool",
          "defaultValue": false
        },
        "upgradePolicy": {
          "type": "string",
          "defaultValue": "Manual",
          "allowedValues": [
            "Manual",
            "Rolling",
            "Automatic"
          ]
        },
        "maxBatchInstancePercent": {
          "type": "int",
          "defaultValue": 20
        },
        "maxUnhealthyInstancePercent": {
          "type": "int",
          "defaultValue": 20
        },
        "maxUnhealthyUpgradedInstancePercent": {
          "type": "int",
          "defaultValue": 20
        },
        "pauseTimeBetweenBatches": {
          "type": "string",
          "defaultValue": "PT5S"
        },
        "securityType": {
          "type": "string",
          "defaultValue": "TrustedLaunch",
          "allowedValues": [
            "Standard",
            "TrustedLaunch"
          ],
          "metadata": {
            "description": "Security Type of the Virtual Machine."
          }
        },
        "encryptionAtHost": {
            "type": "bool",
            "defaultValue": false,
            "metadata": {
                "description": "This property can be used by user in the request to enable or disable the Host Encryption for the virtual machine or virtual machine Scale set. This will enable the encryption for all the disks including Resource/Temp disk at host itself. The default behavior is: The Encryption at host will be disabled unless this property is set to true for the resource."
            }
        }
      },
      "variables": {
        "namingInfix": "[toLower(substring(format('{0}{1}', parameters('vmssName'), uniqueString(resourceGroup().id)), 0, 9))]",
        "addressPrefix": "10.0.0.0/16",
        "subnetPrefix": "10.0.0.0/24",
        "virtualNetworkName": "[format('{0}vnet', variables('namingInfix'))]",
        "subnetName": "[format('{0}subnet', variables('namingInfix'))]",
        "loadBalancerName": "[format('{0}lb', variables('namingInfix'))]",
        "natPoolName": "[format('{0}natpool', variables('namingInfix'))]",
        "bePoolName": "[format('{0}bepool', variables('namingInfix'))]",
        "natStartPort": 50000,
        "natEndPort": 50119,
        "natBackendPort": 3389,
        "nicName": "[format('{0}nic', variables('namingInfix'))]",
        "ipConfigName": "[format('{0}ipconfig', variables('namingInfix'))]",
        "imageReference": {
          "2022-datacenter-azure-edition": {
            "publisher": "MicrosoftWindowsServer",
            "offer": "WindowsServer",
            "sku": "[parameters('sku')]",
            "version": "latest"
          }
        },
        "extensionName": "GuestAttestation",
        "extensionPublisher": "Microsoft.Azure.Security.WindowsAttestation",
        "extensionVersion": "1.0",
        "maaTenantName": "GuestAttestation",
        "maaEndpoint": "[substring('emptyString', 0, 0)]",
        "uefiSettingsJson": {
            "secureBootEnabled": true,
            "vTpmEnabled": true
        },
        "rollingUpgradeJson": {
          "maxBatchInstancePercent": "[parameters('maxBatchInstancePercent')]",
          "maxUnhealthyInstancePercent": "[parameters('maxUnhealthyInstancePercent')]",
          "maxUnhealthyUpgradedInstancePercent": "[parameters('maxUnhealthyUpgradedInstancePercent')]",
          "pauseTimeBetweenBatches": "[parameters('pauseTimeBetweenBatches')]"
        }
      },
      "resources": [
        {
          "type": "Microsoft.Network/virtualNetworks",
          "apiVersion": "2022-05-01",
          "name": "[variables('virtualNetworkName')]",
          "location": "[parameters('location')]",
          "properties": {
            "addressSpace": {
              "addressPrefixes": [
                "[variables('addressPrefix')]"
              ]
            },
            "subnets": [
              {
                "name": "[variables('subnetName')]",
                "properties": {
                  "addressPrefix": "[variables('subnetPrefix')]"
                }
              }
            ]
          }
        },
        {
          "type": "Microsoft.Network/publicIPAddresses",
          "apiVersion": "2022-05-01",
          "name": "[parameters('publicIpName')]",
          "location": "[parameters('location')]",
          "sku": {
            "name": "[parameters('publicIpSku')]"
          },
          "properties": {
            "publicIPAllocationMethod": "[parameters('publicIPAllocationMethod')]",
            "dnsSettings": {
              "domainNameLabel": "[parameters('dnsLabelPrefix')]"
            }
          }
        },
        {
          "type": "Microsoft.Network/loadBalancers",
          "apiVersion": "2022-05-01",
          "name": "[variables('loadBalancerName')]",
          "location": "[parameters('location')]",
          "sku": {
            "name": "[parameters('publicIpSku')]",
            "tier": "Regional"
          },
          "properties": {
            "frontendIPConfigurations": [
              {
                "name": "LoadBalancerFrontEnd",
                "properties": {
                  "publicIPAddress": {
                    "id": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('publicIpName'))]"
                  }
                }
              }
            ],
            "backendAddressPools": [
              {
                "name": "[variables('bePoolName')]"
              }
            ],
            "inboundNatPools": [
              {
                "name": "[variables('natPoolName')]",
                "properties": {
                  "frontendIPConfiguration": {
                    "id": "[resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', variables('loadBalancerName'), 'loadBalancerFrontEnd')]"
                  },
                  "protocol": "Tcp",
                  "frontendPortRangeStart": "[variables('natStartPort')]",
                  "frontendPortRangeEnd": "[variables('natEndPort')]",
                  "backendPort": "[variables('natBackendPort')]"
                }
              }
            ]
          },
          "dependsOn": [
            "[resourceId('Microsoft.Network/publicIPAddresses', parameters('publicIpName'))]"
          ]
        },
        {
          "type": "Microsoft.Compute/virtualMachineScaleSets",
          "apiVersion": "2022-03-01",
          "name": "[parameters('vmssName')]",
          "location": "[parameters('location')]",
          "sku": {
            "name": "[parameters('vmSku')]",
            "tier": "Standard",
            "capacity": "[parameters('instanceCount')]"
          },
          "properties": {
            "virtualMachineProfile": {
              "storageProfile": {
                "osDisk": {
                  "createOption": "FromImage",
                  "caching": "ReadWrite"
                },
                "imageReference": "[variables('imageReference')[parameters('sku')]]"
              },
              "osProfile": {
                "computerNamePrefix": "[variables('namingInfix')]",
                "adminUsername": "[parameters('adminUsername')]",
                "adminPassword": "[parameters('adminPassword')]"
              },
              "securityProfile": {
                  "encryptionAtHost": "[parameters('encryptionAtHost')]",
                  "securityType": "[parameters('securityType')]",
                  "uefiSettings": "[if(equals(parameters('securityType'), 'TrustedLaunch'), variables('uefiSettingsJson'), null())]"
                  
              },
              "networkProfile": {
                "networkInterfaceConfigurations": [
                  {
                    "name": "[variables('nicName')]",
                    "properties": {
                      "primary": true,
                      "ipConfigurations": [
                        {
                          "name": "[variables('ipConfigName')]",
                          "properties": {
                            "subnet": {
                              "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('virtualNetworkName'), variables('subnetName'))]"
                            },
                            "loadBalancerBackendAddressPools": [
                              {
                                "id": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', variables('loadBalancerName'), variables('bePoolName'))]"
                              }
                            ],
                            "loadBalancerInboundNatPools": [
                              {
                                "id": "[resourceId('Microsoft.Network/loadBalancers/inboundNatPools', variables('loadBalancerName'), variables('natPoolName'))]"
                              }
                            ]
                          }
                        }
                      ]
                    }
                  }
                ]
              },
              "extensionProfile": {
                "extensions": [
                  {
                    "name": "HealthExtension",
                    "properties": {
                      "publisher": "Microsoft.ManagedServices",
                      "type": "ApplicationHealthWindows",
                      "typeHandlerVersion": "1.0",
                      "autoUpgradeMinorVersion": false,
                      "settings": {
                        "protocol": "[parameters('healthExtensionProtocol')]",
                        "port": "[parameters('healthExtensionPort')]",
                        "requestPath": "[if(equals(parameters('healthExtensionProtocol'), 'TCP'), null(), parameters('healthExtensionRequestPath'))]"
                      }
                    }
                  }
                ]
              },
              "diagnosticsProfile": {
                "bootDiagnostics": {
                  "enabled": true
                }
              }
            },
            "orchestrationMode": "Uniform",
            "overprovision": "[parameters('overprovision')]",
            "upgradePolicy": {
              "mode": "[parameters('upgradePolicy')]",
              "rollingUpgradePolicy": "[if(equals(parameters('upgradePolicy'), 'Rolling'), variables('rollingUpgradeJson'), null())]",
              "automaticOSUpgradePolicy": {
                "enableAutomaticOSUpgrade": true
              }
            }
          },
          "dependsOn": [
            "[resourceId('Microsoft.Network/loadBalancers', variables('loadBalancerName'))]",
            "[resourceId('Microsoft.Network/virtualNetworks', variables('virtualNetworkName'))]"
          ]
        },
        {
          "condition": "[and(equals(parameters('securityType'), 'TrustedLaunch'), and(equals(variables('uefiSettingsJson').secureBootEnabled, true()), equals(variables('uefiSettingsJson').vTpmEnabled, true())))]",
          "type": "Microsoft.Compute/virtualMachineScaleSets/extensions",
          "apiVersion": "2022-03-01",
          "name": "[format('{0}/{1}', parameters('vmssName'), variables('extensionName'))]",
          "location": "[parameters('location')]",
          "properties": {
            "publisher": "[variables('extensionPublisher')]",
            "type": "[variables('extensionName')]",
            "typeHandlerVersion": "[variables('extensionVersion')]",
            "autoUpgradeMinorVersion": true,
            "enableAutomaticUpgrade": true,
            "settings": {
              "AttestationConfig": {
                "MaaSettings": {
                  "maaEndpoint": "[variables('maaEndpoint')]",
                  "maaTenantName": "[variables('maaTenantName')]"
                }
              }
            }
          },
          "dependsOn": [
            "[resourceId('Microsoft.Compute/virtualMachineScaleSets', parameters('vmssName'))]"
          ]
        }
      ]
    }
    
  6. 执行 ARM 模板部署。

    $resourceGroupName = "myResourceGroup"
    $parameterFile = "folderPathToFile\parameters.json"
    $templateFile = "folderPathToFile\template.json"
    
    New-AzResourceGroupDeployment `
        -ResourceGroupName $resourceGroupName `
        -TemplateFile $templateFile -TemplateParameterFile $parameterFile
    
  7. 验证部署是否成功。 使用 Azure 门户检查规模集统一的安全类型和 UEFI 设置。 查看“概述”页中的“安全类型”部分。

    规模集的受信任启动属性的屏幕截图。

  8. 如果规模集统一升级模式设置为 Manual,请手动更新 VM 实例。

    $resourceGroupName = "myResourceGroup"
    $vmssName = "VMScaleSet001"
    Update-AzVmssInstance -ResourceGroupName $resourceGroupName -VMScaleSetName $vmssName -InstanceId "0"
    

回滚

若要将“受信任启动”的更改回滚到以前的已知良好配置,需要将规模集的 securityType 设置为“标准”

若要将“受信任启动”的更改回滚到以前的已知良好配置,请将 securityProfile 设置为“标准”,如下所示。 (可选)还可以还原其他参数更改 - OS 映像、VM 大小,并重复在现有规模集上启用受信任启动所述的步骤 5-8

"securityProfile": {
    "securityType": "Standard",
    "uefiSettings": "[null()]"
}

后续步骤

(推荐)升级后启用启动完整性监视,以使用 Microsoft Defender for Cloud 监视 VM 的运行状况。

详细了解受信任启动并查看常见问题解答