Table of contents
1. Introduction
2. Enforcing organization policy constraints
  2.1. Before you Start
  2.2. Enable the constraint
  2.3. Disable the constraint
3. Using your own Linux image
  3.1. Considerations
    3.1.1. AMD Secure Encrypted Virtualization (SEV)-related Linux kernel patches
    3.1.2. Compute Engine virtual network interface (gVNIC) device driver
    3.1.3. NVM Express (NVMe) interface
    3.1.4. SEV_CAPABLE tag
4. Validating instances using Cloud Monitoring
  4.1. Integrity monitoring
    4.1.1. Enable integrity monitoring
    4.1.2. View integrity reports
    4.1.3. View launch attestation report events
    4.1.4. About launch attestation report events
  4.2. Related security technologies
    4.2.1. Secure Boot
    4.2.2. Measured Boot
5. Viewing supported images
  5.1. List supported images
    5.1.1. Shielded Container Optimized OS (COS)
    5.1.2. Ubuntu Linux
  5.2. View image details
6. Frequently Asked Questions
  6.1. What are organizational policies?
  6.2. What is GCP policy?
  6.3. Which images can be installed in the GCP VM?
7. Conclusion
Last Updated: Mar 27, 2024

Advanced Concepts of Confidential VM

Author Sanjana Yadav

Introduction

Confidential Computing is the use of hardware-based Trusted Execution Environments (TEEs) to safeguard data in use. TEEs are secure, isolated environments that protect programs and data from unauthorized access or modification while they are in use. The Confidential Computing Consortium defines this security standard.

A Confidential VM is a Compute Engine VM that ensures your data and applications remain secret and secured while in use. You may utilize a Confidential VM as part of your security strategy to prevent sensitive data or workloads from being exposed during processing.

Let us understand some advanced concepts of these Confidential VMs in depth.

Enforcing organization policy constraints

You can ensure that all VM resources created across your organization are Confidential VM instances by enforcing the following Confidential Computing organization policy constraint.

Before you Start

You must have a role with the necessary rights to alter organizational policy constraints. To establish or amend organizational policies, you must have at least the Organization Policy Administrator role.

Enable the constraint

  1. Click the project selector menu at the top of the Google Cloud console. Select the organization to which you wish to apply the constraint in the project selector.
  2. Open Organization policies: Click the Navigation menu, then IAM & Admin, and finally Organization Policies.
  3. In the list of organizational policies, choose Restrict Non-Confidential Computing. (It's probably best to start by filtering the list by policy name.)
  4. Click Edit on the Policy Details page for Restrict Non-Confidential Computing.
  5. Select Customize under Applies to.
  6. Under Policy enforcement, select whether to integrate your new policy setting with that of a parent organization (Merge with parent) or to replace the current policy setting while ignoring the parent (Replace).
  7. Then, under Policy values, choose Custom, and under Policy type, select Deny. This option guarantees that all new VM instances created in this organization are Confidential VM instances.
  8. In the Custom values field, add the supported API service names to which you want this policy to apply. The policy description includes a list of supported services. For instance, type compute.googleapis.com to make this policy applicable to the creation of new virtual machine instances. Click New policy value to add more than one API service.
  9. By selecting Set recommendation, you may optionally add a recommendation remark to this policy in the console. When you've finished, click Save.

If you've done everything correctly, the Policy details screen for Restrict Non-Confidential Computing should look like this. Under Denied, take note of the service API name.

 

By setting a Deny value on the "Restrict Non-Confidential Computing" organization policy, you have specified that all new VM instances must be Confidential VM instances.

Disable the constraint

  1. Click the project selector menu at the top of the Google Cloud console. Select the organization to which you wish to apply the constraint in the project selector.
  2. Open Organization policies: Click the Navigation menu, then IAM & Admin, and finally Organization Policies.
  3. In the list of organizational policies, choose Restrict Non-Confidential Computing. (It's probably best to start by filtering the list by policy name.)
  4. Click Edit on the Policy Details page for Restrict Non-Confidential Computing.
  5. Select Allow all under Policy values, then click Save.
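
To confirm from an exported policy which of the two states above is in effect, the following added example (not part of the original article) classifies a policy object for one API service. It assumes the policy was exported as JSON in the Organization Policy v1 shape (listPolicy with deniedValues, allValues and inheritFromParent); the function name and the sample policies are constructed for illustration.

```python
import json

# Constraint ID behind the console entry "Restrict Non-Confidential Computing".
CONSTRAINT = "constraints/compute.restrictNonConfidentialComputing"

def confidential_vm_enforcement(policy, service="compute.googleapis.com"):
    """Classify one exported policy for one API service.

    Returns "enforced", "not-enforced", or "inherited" (a parent decides).
    """
    if policy.get("constraint") != CONSTRAINT:
        raise ValueError(f"unexpected constraint: {policy.get('constraint')!r}")
    if "restoreDefault" in policy:
        return "not-enforced"       # reset to the constraint's default
    rules = policy.get("listPolicy")
    if not rules:
        return "inherited"          # nothing set at this level
    if rules.get("allValues") == "DENY" or service in rules.get("deniedValues", []):
        return "enforced"           # Policy type "Deny" covers this service
    if rules.get("allValues") == "ALLOW":
        return "not-enforced"       # console choice "Allow all"
    if rules.get("inheritFromParent"):
        return "inherited"          # "Merge with parent": check the parent too
    return "not-enforced"           # "Replace" without a deny for this service

# Constructed sample exports; example-service.googleapis.com is a placeholder.
SAMPLES = {
    "deny-compute": '{"listPolicy": {"deniedValues": ["compute.googleapis.com"]}}',
    "allow-all": '{"listPolicy": {"allValues": "ALLOW"}}',
    "merge-other": '{"listPolicy": {"inheritFromParent": true, '
                   '"deniedValues": ["example-service.googleapis.com"]}}',
    "replace-other": '{"listPolicy": {"deniedValues": ["example-service.googleapis.com"]}}',
}

def audit(samples=SAMPLES):
    """Return {sample name: verdict} for the constructed exports above."""
    verdicts = {}
    for name, text in samples.items():
        policy = dict(json.loads(text), constraint=CONSTRAINT)
        verdicts[name] = confidential_vm_enforcement(policy)
    return verdicts

if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name}: {verdict}")
```

An "inherited" verdict means the answer depends on the parent resource's policy, so the same check has to be repeated one level up.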

Using your own Linux image

This section describes the prerequisites and recommendations for creating a Confidential VM instance using a custom Linux image. It extends the regular procedure for using custom images with Compute Engine instances.

Considerations

When building a custom image for creating a Confidential VM, keep the following prerequisites and recommendations in mind.

AMD Secure Encrypted Virtualization (SEV)-related Linux kernel patches

It is recommended that you use kernel version 5.4 or later and enable the following kernel configuration options.

  • CONFIG_AMD_MEM_ENCRYPT
  • CONFIG_NET_VENDOR_GOOGLE
  • CONFIG_PCI_MSI
  • CONFIG_GVE
  • CONFIG_SWIOTLB
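
A pre-flight check for a custom image can read the kernel release and the kernel config file and compare them against the list above. The following is an added example, not part of the original article; the function names, release strings and config excerpts are constructed, and it assumes the usual kernel config syntax (CONFIG_X=y, CONFIG_X=m, "# CONFIG_X is not set").

```python
import re

# Options and minimum version as listed in this section.
REQUIRED = ("CONFIG_AMD_MEM_ENCRYPT", "CONFIG_NET_VENDOR_GOOGLE",
            "CONFIG_PCI_MSI", "CONFIG_GVE", "CONFIG_SWIOTLB")
MIN_KERNEL = (5, 4)

def parse_kconfig(text):
    """Map each option to 'y', 'm', 'n' or its literal value."""
    state = {}
    for raw in text.splitlines():
        line = raw.strip()
        unset = re.fullmatch(r"# (CONFIG_\w+) is not set", line)
        if unset:
            state[unset.group(1)] = "n"
            continue
        assigned = re.fullmatch(r"(CONFIG_\w+)=(.*)", line)
        if assigned:
            state[assigned.group(1)] = assigned.group(2)
    return state

def check_image_kernel(release, config_text):
    """Return {'kernel_ok', 'missing', 'as_module'} for one image."""
    ver = re.match(r"(\d+)\.(\d+)", release)
    kernel_ok = bool(ver) and (int(ver.group(1)), int(ver.group(2))) >= MIN_KERNEL
    state = parse_kconfig(config_text)
    # An option absent from the file is treated the same as "is not set".
    missing = [o for o in REQUIRED if state.get(o, "n") not in ("y", "m")]
    as_module = [o for o in REQUIRED if state.get(o) == "m"]
    return {"kernel_ok": kernel_ok, "missing": missing, "as_module": as_module}

# Constructed inputs: release strings (uname -r style) and config excerpts.
GOOD_CONFIG = """\
CONFIG_AMD_MEM_ENCRYPT=y
CONFIG_NET_VENDOR_GOOGLE=y
CONFIG_PCI_MSI=y
CONFIG_GVE=m
CONFIG_SWIOTLB=y
"""
BAD_CONFIG = """\
# CONFIG_AMD_MEM_ENCRYPT is not set
CONFIG_NET_VENDOR_GOOGLE=y
CONFIG_PCI_MSI=y
CONFIG_SWIOTLB=y
"""

if __name__ == "__main__":
    print(check_image_kernel("5.15.0-1030-gcp", GOOD_CONFIG))
    print(check_image_kernel("4.19.0-21-cloud-amd64", BAD_CONFIG))
```

Options reported under as_module are enabled but built as loadable modules, so the module files must ship in the image.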

Compute Engine virtual network interface (gVNIC) device driver

Version 1.01 or later is required.

NVM Express (NVMe) interface

For both persistent disks (PDs) and attached SSDs, the NVMe interface must be available during guest OS boot. To mount the root directory, the kernel and initramfs image (if used) must have the NVMe driver module.

Timeout errors

If you are getting timeout errors when performing I/O operations on NVMe devices, consider raising the timeout parameter.

SEV_CAPABLE tag

The image must include the SEV_CAPABLE guest OS feature tag in order to create a Confidential VM instance.

Validating instances using Cloud Monitoring

Integrity monitoring

Integrity monitoring is a Shielded VM and Confidential VM capability that helps you understand and make decisions about the state of your VM instances.

Enable integrity monitoring

In new Confidential VM instances, integrity monitoring is enabled by default.

View integrity reports

In Cloud Monitoring, you may see integrity reports and trigger alerts for integrity failures. Cloud Logging allows you to examine the specifics of integrity monitoring data.

View launch attestation report events

Confidential VM generates a unique type of integrity validation event known as a launch attestation report event. A launch attestation report event is created as part of the integrity validation events for an AMD Secure Encrypted Virtualization (SEV)-based Confidential VM every time it boots.

To access the launch attestation report event from the integrity report, follow these steps:

  1. Navigate to the VM instances page in the Google Cloud console.
  2. To view the VM instance details page, choose the Confidential VM instance name.
  3. Click Cloud Logging under Logs.
  4. When logging begins, the integrity report is populated with integrity validation events.
     (Image: a typical integrity report.)
  5. Search for the string sevLaunchAttestationReportEvent.

About launch attestation report events

The events in the launch attestation report confirm whether a VM is an AMD SEV-based Confidential VM. A launch attestation report event includes the following details:

  • integrityEvaluationPassed: The outcome of a Virtual Machine Monitor integrity check on the measurement produced by AMD SEV.
  • sevPolicy: The AMD SEV policy bits set for this VM. Policy bits are set at Confidential VM launch to enforce constraints such as whether debug mode is enabled.
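
The two fields listed above can be checked automatically across exported log entries. The following is an added example, not part of the original article: it assumes entries exported from Cloud Logging as one JSON object per line, with the event under jsonPayload and the VM under resource.labels.instance_id, and it assumes the debug bit is exposed as sevPolicy.debugEnabled. The function name and all sample entries are constructed.

```python
import json

def triage_launch_attestation(log_lines, expected_instances):
    """Return {instance_id: verdict} based on each VM's latest launch event."""
    latest = {}
    for line in log_lines:
        entry = json.loads(line)
        event = entry.get("jsonPayload", {}).get("sevLaunchAttestationReportEvent")
        if event is None:
            continue  # some other integrity validation event
        inst = entry["resource"]["labels"]["instance_id"]
        ts = entry["timestamp"]  # same-format UTC strings sort chronologically
        if inst not in latest or ts > latest[inst][0]:
            latest[inst] = (ts, event)
    verdicts = {}
    for inst in expected_instances:
        if inst not in latest:
            verdicts[inst] = "no-launch-attestation-event"
            continue
        event = latest[inst][1]
        if event.get("integrityEvaluationPassed") is not True:
            verdicts[inst] = "integrity-check-failed"
        elif event.get("sevPolicy", {}).get("debugEnabled"):
            verdicts[inst] = "debug-mode-allowed"
        else:
            verdicts[inst] = "ok"
    return verdicts

def _entry(inst, ts, payload):
    """Build one constructed log line for the sample data below."""
    return json.dumps({"timestamp": ts, "jsonPayload": payload,
                       "resource": {"labels": {"instance_id": inst}}})

def _sev(passed, debug):
    return {"sevLaunchAttestationReportEvent": {
        "integrityEvaluationPassed": passed, "sevPolicy": {"debugEnabled": debug}}}

# Constructed sample log: instance IDs and timestamps are made up.
SAMPLE_LOG = [
    _entry("1001", "2024-03-01T10:00:00Z", _sev(False, False)),
    _entry("1001", "2024-03-02T10:00:00Z", _sev(True, False)),
    _entry("1002", "2024-03-02T11:00:00Z", _sev(True, True)),
    _entry("1003", "2024-03-02T12:00:00Z", {"earlyBootReportEvent": {}}),
    _entry("1004", "2024-03-02T13:00:00Z", _sev(False, False)),
]

if __name__ == "__main__":
    print(triage_launch_attestation(SAMPLE_LOG, ["1001", "1002", "1003", "1004"]))
```

A VM that booted without producing a launch attestation report event is reported separately, since the event is expected on every boot of an SEV-based Confidential VM.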

The screenshot below depicts a typical launch attestation report event:

 

Related security technologies

You may also use Secure Boot and Measured Boot, both of which are provided by Shielded VM.

Secure Boot

By checking the digital signature of all boot components and halting the boot process if signature verification fails, Secure Boot helps ensure that the Confidential VM instance only runs authentic software. Firmware signed and verified by Google's Certificate Authority serves as the foundation for Secure Boot, which verifies your VM's identity and confirms that it is part of the project and region you choose.

By default, Secure Boot is disabled.

Measured Boot

Measured Boot is enabled by a Confidential VM's Virtual Trusted Platform Module (vTPM) and helps protect the Confidential VM against unauthorized alterations. Measured Boot checks the bootloader, kernel, and boot drivers of a Confidential VM instance for integrity.

During Measured Boot of a Confidential VM instance, PCR[0] (a Platform Configuration Register) is extended with an SEV value.

In new Confidential VM instances, Measured Boot is enabled by default.

Viewing supported images

This section explains how to see and list the operating system images supported by Confidential VM.

List supported images

Public images that support Confidential VM carry the SEV_CAPABLE guest OS feature tag, which makes them easier to discover.

The SEV_CAPABLE guest OS feature tag may be used to filter Confidential VM-supported images.

Shielded Container Optimized OS (COS)

gcloud compute images list --filter="guestOsFeatures[].type:(SEV_CAPABLE)" \
  --project cos-cloud \
  --no-standard-images;

Ubuntu Linux

gcloud compute images list --filter="guestOsFeatures[].type:(SEV_CAPABLE)" \
  --project ubuntu-os-cloud \
  --no-standard-images;

View image details

To display information on a specific image, use the images describe subcommand, as shown here, replacing the IMAGE_NAME placeholder with the image's name and the IMAGE_PROJECT_NAME placeholder with the image's project name:

gcloud compute images describe IMAGE_NAME \
  --project IMAGE_PROJECT_NAME;

Frequently Asked Questions

What are organizational policies?

An organizational policy is a set of constraints. As the organization policy administrator, you establish an organization policy and apply it to organizations, folders, and projects to impose limits on that resource and its children.

What is GCP policy?

A policy is a collection of bindings. A binding ties one or more members, or principals, to a single role. User accounts, service accounts, Google groups, and domains (such as G Suite) are all examples of principals. A role is a named set of permissions; each role can be either an IAM predefined role or a custom role created by the user.

Which images can be installed in the GCP VM?

You can use one of the following image types: Public images are produced and maintained by Google, open source communities, and third-party vendors. All Google Cloud projects have access to these images by default and may use them to create instances. Custom images are only available to your Cloud project.

Conclusion

In this article, we have extensively discussed some advanced concepts of Confidential VM and confidential computing. Our discussion mainly focused on enforcing organization policies, validating instances using cloud monitoring, and viewing supported images.
