What is locked down inside this container?
+-
+
- No interactive access. The CCE policy denies
exec_in_container,exec_external, signals, stdio access, runtime logging, and stack dumping.az container execwill fail.
+ - Read-only root filesystem. The only writable mount is an in-memory tmpfs at
/run/sealed.
+ - Signed image, pinned digest, single layer. The CCE policy is bound to one immutable image digest; the SKR release policy is in turn bound to the SHA-256 of the CCE policy via the SEV-SNP
HOST_DATAfield.
+ - Sealed data bundle. Application data ships encrypted inside the image (
artifacts/sealed-data.enc); the AES-256-GCM key is only released by Azure Key Vault after MAA verifies this container is running on genuine AMD SEV-SNP hardware with the expected CCE policy.
+ - Non-root. Runs as
sealed:sealed(uid 10001) withno_new_privileges.
+
Hardware attestation
+Generate a fresh AMD SEV-SNP report against /dev/sev-guest, post it to MAA, and inspect the returned JWT.
+ + +
+ +Sealed data status
+Metadata only — the unsealed bytes never leave the tmpfs.
++ + +
+ +