Update virtual-machines-overview.md #127823
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Fixed a typo in the Azure disk encryption section (it's no longer "new" in my opinion). Fixed the wording for Confidential computing to be more technicall accurate
Contributor
|
@AlecFernandez : Thanks for your contribution! The author(s) and reviewer(s) have been notified to review your proposed change. |
Contributor
|
Learn Build status updates of commit 93dd317: ✅ Validation status: passed
For more details, please refer to the build report. |
Contributor
There was a problem hiding this comment.
Pull Request Overview
This PR updates the virtual machines security documentation to remove outdated language and improve technical accuracy. The changes focus on the Azure Disk Encryption and Confidential Computing sections.
- Removed "new" descriptor from Azure Disk Encryption capability description
- Revised Confidential Computing section for better technical accuracy regarding data protection and TEE behavior
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| ## Confidential Computing | ||
|
|
||
| While confidential computing is not technically part of virtual machine security, the topic of virtual machine security belongs to the higher-level subject of "compute" security. Confidential computing belongs within the category of "compute" security. | ||
| Confidential computing ensures that when data is protected against tampering and exfiltration even when it is resident in memory for processing. The data in memory is protected inside a Trusted Execution Environment https://en.wikipedia.org/wiki/Trusted_execution_environment (TEE - also known as an enclave), an example of which is shown in the figure below. |
There was a problem hiding this comment.
Missing 'is' after 'data' - should read 'when data is protected' for grammatical correctness.
Suggested change
| Confidential computing ensures that when data is protected against tampering and exfiltration even when it is resident in memory for processing. The data in memory is protected inside a Trusted Execution Environment https://en.wikipedia.org/wiki/Trusted_execution_environment (TEE - also known as an enclave), an example of which is shown in the figure below. | |
| Confidential computing ensures that data is protected against tampering and exfiltration, even when it is resident in memory for processing. The data in memory is protected inside a Trusted Execution Environment https://en.wikipedia.org/wiki/Trusted_execution_environment (TEE - also known as an enclave), an example of which is shown in the figure below. |
| ## Confidential Computing | ||
|
|
||
| While confidential computing is not technically part of virtual machine security, the topic of virtual machine security belongs to the higher-level subject of "compute" security. Confidential computing belongs within the category of "compute" security. | ||
| Confidential computing ensures that when data is protected against tampering and exfiltration even when it is resident in memory for processing. The data in memory is protected inside a Trusted Execution Environment https://en.wikipedia.org/wiki/Trusted_execution_environment (TEE - also known as an enclave), an example of which is shown in the figure below. |
There was a problem hiding this comment.
The Wikipedia URL should be formatted as a proper markdown link for consistency with other links in the document, e.g., [Trusted Execution Environment](https://en.wikipedia.org/wiki/Trusted_execution_environment).
Suggested change
| Confidential computing ensures that when data is protected against tampering and exfiltration even when it is resident in memory for processing. The data in memory is protected inside a Trusted Execution Environment https://en.wikipedia.org/wiki/Trusted_execution_environment (TEE - also known as an enclave), an example of which is shown in the figure below. | |
| Confidential computing ensures that when data is protected against tampering and exfiltration even when it is resident in memory for processing. The data in memory is protected inside a [Trusted Execution Environment](https://en.wikipedia.org/wiki/Trusted_execution_environment) (TEE - also known as an enclave), an example of which is shown in the figure below. |
| Confidential computing ensures that when data is "in the clear," which is required for efficient processing, the data is protected inside a Trusted Execution Environment https://en.wikipedia.org/wiki/Trusted_execution_environment (TEE - also known as an enclave), an example of which is shown in the figure below. | ||
|
|
||
| TEEs ensure there is no way to view data or the operations inside from the outside, even with a debugger. They even ensure that only authorized code is permitted to access data. If the code is altered or tampered, the operations are denied and the environment disabled. The TEE enforces these protections throughout the execution of code within it. | ||
| TEEs help to ensure there is no way to view data or alter the operations inside a TEE from the outside, even by an Azure operator with a debugger. They even ensure that only authorized code is permitted to access data. If the code is altered, the operations can be detected and denied and the environment disabled. The TEE enforces these protections throughout the execution of code within it. |
There was a problem hiding this comment.
Grammatical issue: 'denied and the environment disabled' should be 'denied and the environment can be disabled' or 'denied, and the environment is disabled' for parallel structure with 'detected'.
Suggested change
| TEEs help to ensure there is no way to view data or alter the operations inside a TEE from the outside, even by an Azure operator with a debugger. They even ensure that only authorized code is permitted to access data. If the code is altered, the operations can be detected and denied and the environment disabled. The TEE enforces these protections throughout the execution of code within it. | |
| TEEs help to ensure there is no way to view data or alter the operations inside a TEE from the outside, even by an Azure operator with a debugger. They even ensure that only authorized code is permitted to access data. If the code is altered, the operations can be detected and denied, and the environment can be disabled. The TEE enforces these protections throughout the execution of code within it. |
Contributor
|
Can you review the proposed changes? IMPORTANT: When the changes are ready for publication, adding a #label:"aq-pr-triaged" |
prmerger-automator
bot
added
the
aq-pr-triaged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixed a typo in the Azure disk encryption section (it's no longer "new" in my opinion).
Fixed the wording for Confidential computing to be more technicall accurate