Code360 powered by Coding Ninjas X Naukri.com. Code360 powered by Coding Ninjas X Naukri.com
Last Updated: Mar 27, 2024

Advance Concepts of Confidential VM

Leveraging ChatGPT - GenAI as a Microsoft Data Expert
Speaker
Prerita Agarwal
Data Specialist @
23 Jul, 2024 @ 01:30 PM

Introduction

Confidential Computing is the use of hardware-based Trusted Execution Environments to safeguard(TEE) data in use. TEEs are safe and isolated environments that protect programs and data from unwanted access or change while they are in operation. The Confidential Computing Consortium defines this security standard.

A Confidential VM is a Compute Engine VM that ensures your data and applications remain secret and secured while in use. You may utilize a Confidential VM as part of your security strategy to prevent sensitive data or workloads from being exposed during processing.

Let us understand some advanced concepts of these Confidential VMs in depth.

Enforcing organization policy constraints

You may verify that all VM resources produced across your organization are Confidential VM instances by implementing the following Confidential Computing organization policy constraint.

Before you Start

You must have a role with the necessary rights to alter organizational policy constraints. To establish or amend organizational policies, you must have at least the Organization Policy Administrator role.

Enable the constraint

  1. Click the project selector menu at the top of the Google Cloud console. Select the organization to which you wish to apply the constraint in the project selector.
  2. Open Organization policies: Click the Navigation menu, then IAM & Admin, and finally Organization Policies.
  3. In the list of organizational policies, choose Restrict Non-Confidential Computing. (It's probably best to start by filtering the list by policy name.)Click Editon the Policy Details page for Restrict Non-Confidential Computing.
     
  1. Select Customize under Applies to.
  2. Under Policy enforcement, select whether to integrate your new policy setting with that of a parent organization (Merge with parent) or to replace the current policy setting while ignoring the parent (Replace).
  3. Then, under Policy values, choose Custom, and under Policy type, select Deny. This option guarantees that all new VM instances produced in this organization are Confidential VM instances.
  4. Add the supported API service names you wish to apply this policy on to the Custom values field. The policy description includes a list of supported services. For instance, type compute.googleapis.com to make this policy applicable to the creation of new virtual machine instances. Click New policy value to insert more than one API service.
  5. By selecting Set recommendation, you may optionally add a recommendation remark to this policy in the console. When you've finished, click Save.

If you've done everything correctly, the Policy details screen for Restrict Non-Confidential Computing should look like this. Under Denied, take note of the service API name.

 

You have indicated that all new VM instances shall be Confidential VM instances by denying the "Restrict Non-Confidential Computing" organization policy.

Disable the constraint

  1. Click the project selector menu at the top of the Google Cloud console. Select the organization to which you wish to apply the constraint in the project selector.
  2. Open Organization policies: Click the Navigation menu, then IAM & Admin, and finally Organization Policies.
  3. In the list of organizational policies, choose Restrict Non-Confidential Computing. (It's probably best to start by filtering the list by policy name.)
  4. Click Editon the Policy Details page for Restrict Non-Confidential Computing.
  5. Select Allow all under Policy values, then click Save.
Get the tech career you deserve, faster!
Connect with our expert counsellors to understand how to hack your way to success
User rating 4.7/5
1:1 doubt support
95% placement record
Akash Pal
Senior Software Engineer
326% Hike After Job Bootcamp
Himanshu Gusain
Programmer Analyst
32 LPA After Job Bootcamp
After Job
Bootcamp

Using your own Linux image

This section describes the prerequisites and recommendations for creating a Confidential VM instance using a custom Linux image. It extends the regular procedure for using custom pictures with Compute Engine instances.

Considerations

When developing a custom image for establishing a Confidential VM, keep the following prerequisites and recommendations in mind.

AMD Secure Encrypted Virtualization (SEV)-related Linux kernel patches

It is advised that you use kernel version 5.4 or later and enable the following parameters.

  • CONFIG_AMD_MEM_ENCRYPT
  • CONFIG_NET_VENDOR_GOOGLE
  • CONFIG_PCI_MSI
  • CONFIG_GVE
  • CONFIG_SWIOTLB

Compute Engine virtual network interface (gVNIC) device driver

Version 1.01 or later is required.

NVM Express (NVMe) interface

For both persistent disks (PDs) and attached SSDs, the NVMe interface must be available during guest OS boot. To mount the root directory, the kernel and initramfs image (if used) must have the NVMe driver module.

Timeout errors

If you are getting timeout errors when performing I/O operations on NVMe devices, consider raising the timeout parameter.

SEV_CAPABLE tag

The image must include the SEV CAPABLE guest OS feature tag in order to create a confidential VM instance.

Validating instances using Cloud Monitoring

Integrity monitoring

Integrity monitoring is a Shielded VM and Confidential VM capability that assists you in understanding and making choices about the condition of your VM instances.

Enable integrity monitoring

In new Confidential VM instances, integrity monitoring is enabled by default.

View integrity reports

In Cloud Monitoring, you may see integrity reports and trigger alerts for integrity failures. Cloud Logging allows you to examine the specifics of integrity monitoring data.

View launch attestation report events

Confidential VM creates a one-of-a-kind sort of integrity validation event known as a launch attestation report event. A launch attestation report event is created as part of the integrity validation events for an AMD Secure Encrypted Virtualization (SEV)-based Confidential VM every time it boots.

To access the launch attestation report event from the integrity report, follow these steps:

  1. Navigate to the VM instances page in the Google Cloud console.
  2. To view the VM instance details page, choose the Confidential VM instance name.
  3. Click Cloud Logging under Logs.
  4. The integrity report is filled with integrity validation events when logging begins.
    The image below depicts a typical integrity report:
     

 

Search for the string sevLaunchAttestationReportEvent.

About launch attestation report events

The events in the launch attestation report confirm whether a VM is an AMD SEV-based Confidential VM. A launch attestation report event includes the following details:

  • integrityEvaluationPassed: The outcome of a Virtual Machine Monitor integrity check on the measurement produced by AMD SEV.
  • sevPolicy: This VM has the AMD SEV policy bits set; policy bits are set upon Confidential VM launch to enforce constraints such as whether debug mode is enabled.

The screenshot below depicts a typical launch attestation report event:

 

Related security technologies

You may also use Secure Boot and Measured Boot, both of which use Shielded VM.

Secure Boot

By checking the digital signature of all boot components and terminating the boot process if signature verification fails, Secure Boot helps ensure that the Confidential VM instance's system only runs authentic software. Firmware authenticated and confirmed by Google's Certificate Authority serves as the foundation for Secure Boot, which verifies your VM's identity and confirms that it is part of the project and region you choose.

By default, Secure Boot is disabled.

Measured Boot

Measured Boot is enabled by a Confidential VM's Virtual Trusted Platform Module (vTPM) and helps protect the Confidential VM against unauthorized alterations. Measured Boot checks the bootloader, kernel, and boot drivers of a Confidential VM instance for integrity.

PCR[0] (a platform control register) is modified with SEV value during Measured Boot of a Confidential VM instance.

In new Confidential VM instances, Measured Boot is enabled by default.

Viewing supported images

This section explains how to see and list the operating system images supported by Confidential VM.

List supported images

To make public images more discoverable, Confidential VM supports them with the SEV_CAPABLE guest OS feature tag.

The SEV_CAPABLE guest OS feature tag may be used to filter Confidential VM-supported images.

Shielded Container Optimized OS (COS)

gcloud compute images list --filter="guestOsFeatures[].type:(SEV_CAPABLE)" \
  --project cos-cloud \
  --no-standard-images;

Ubuntu Linux

gcloud compute images list --filter="guestOsFeatures[].type:(SEV_CAPABLE)" \
  --project ubuntu-os-cloud \
  --no-standard-images;

View image details

To display information on a specific image, use the zones describe subcommand, as shown here, changing the IMAGE_NAME placeholder with the image's name and the IMAGE_PROJECT_NAME placeholder with the image's project name:

gcloud compute images describe IMAGE_NAME \
  --project IMAGE_PROJECT_NAME;

Frequently Asked Questions

What are organizational policies?

An organizational policy is a set of constraints. As the organization policy administrator, you establish an organization policy and apply it to organizations, folders, and projects to impose limits on that resource and its children.

What is GCP policy?

A policy is a grouping of bindings. A binding is a contract that ties one or more participants or principals to a single duty. User accounts, service accounts, Google groups, and domains are all examples of principals (such as G Suite). A role is a specified set of permissions; each role can be either an IAM preset role or a bespoke role generated by the user.

Which images can be installed in the GCP VM?

You can utilize one of the following picture types: Google, open source communities, and third-party suppliers produce and manage public photos. All Google Cloud projects have access to these pictures by default and may use them to generate instances. Custom pictures are only available for your Cloud project.

Conclusion

In this article, we have extensively discussed some advanced concepts of Confidential VM and confidential computing. Our discussion mainly focused on enforcing organization policies, validating instances using cloud monitoring, and viewing supported images.

We hope this blog has helped you enhance your Google cloud knowledge. To learn more about Google cloud concepts, refer to our articles on All about GCP Certifications: Google Cloud Platform | Coding Ninjas Blog.  

Also read - AMD vs Intel

Refer to our guided paths on the Coding Ninjas Studio platform to learn more about DSA, DBMS, Competitive Programming, Python, Java, JavaScript, etc. 

Refer to the links problemstop 100 SQL problemsresources, and mock tests to enhance your knowledge.

For placement preparations, visit interview experiences and interview bundle.

Do upvote our blog to help other ninjas grow. Happy Coding!
An image that displays a thankyou message from coding ninjas.

Topics covered
1.
Introduction
2.
Enforcing organization policy constraints
2.1.
Before you Start
2.2.
Enable the constraint
2.3.
Disable the constraint
3.
Using your own Linux image
3.1.
Considerations
3.1.1.
AMD Secure Encrypted Virtualization (SEV)-related Linux kernel patches
3.1.2.
Compute Engine virtual network interface (gVNIC) device driver
3.1.3.
NVM Express (NVMe) interface
3.1.4.
SEV_CAPABLE tag
4.
Validating instances using Cloud Monitoring
4.1.
Integrity monitoring
4.1.1.
Enable integrity monitoring
4.1.2.
View integrity reports
4.1.3.
View launch attestation report events
4.1.4.
About launch attestation report events
4.2.
Related security technologies
4.2.1.
Secure Boot
4.2.2.
Measured Boot
5.
Viewing supported images
5.1.
List supported images
5.1.1.
Shielded Container Optimized OS (COS)
5.1.2.
Ubuntu Linux
5.2.
View image details
6.
Frequently Asked Questions
6.1.
What are organizational policies?
6.2.
What is GCP policy?
6.3.
Which images can be installed in the GCP VM?
7.
Conclusion