Announcing new Confidential Computing updates for even more hardware security options

Google Cloud is committed to ensuring that your data remains safe, secure, and firmly under your control. This begins with fortifying the very foundation of your compute infrastructure — your Compute Engine virtual machines (VMs) — with the power of Confidential Computing.

Confidential Computing protects data while it’s being used and processed with a hardware-based Trusted Execution Environment (TEE). TEEs are secure and isolated environments that prevent unauthorized access or modification of applications and data while they are in use. 

At Google, we have been early adopters and investors in Confidential Computing products and solutions. For more than four years, we’ve grown our Confidential Computing offerings and added new capabilities, and our customers have deployed these capabilities to enhance the security and confidentiality of their workloads in many innovative ways. Today, we’re announcing the general availability of several new Confidential Computing options and updates to the Google Cloud attestation service. 

1. Now generally available: Confidential VM with AMD SEV on C3D machine series 

We’re proud to announce that Confidential VMs are now generally available on the general purpose C3D machine series with AMD Secure Encrypted Virtualization (AMD SEV) technology. Confidential VMs with AMD SEV technology use hardware-based memory encryption to help ensure your data and applications can't be read or modified while in use. The C3D machine series are powered by the 4th generation AMD EPYC™ (Genoa) processor and designed to deliver optimal, reliable, and consistent performance with Google’s Titanium hardware.

Previously, Confidential VMs were only generally available on the general purpose N2D and C2D machine series. Expanding to the C3D machine series allows security-minded customers to use the latest general purpose hardware with improved performance and data confidentiality. Running on the latest hardware means better performance. You can read more about Confidential VMs on C3D machine series performance here.

Confidential VMs with AMD SEV on the C3D machines series are available in all regions and zones that have C3D machines. 

2. Now generally available: Confidential VM with Intel TDX on the C3 machine series

We’re proud to announce that Confidential VMs are now generally available on the general-purpose C3 machine series with Intel® Trust Domain Extensions (Intel® TDX) technology. Confidential VMs with Intel TDX technology use hardware-based memory encryption to help ensure your data and applications can't be read or modified while in use. 

Enabling confidential computing on a C3 VM requires no code changes. These hardened VMs offer remote attestation so you can verify your VM is running in a TEE with Intel Trust Authority or your own attestation service. The C3 machine series is powered by the 4th generation Intel Xeon Scalable processors (code-named Sapphire Rapids), DDR5 memory, and Google Titanium.

Built-in CPU acceleration with Intel AMX
All C3 VMs, including Confidential VM ones, have Intel® Advanced Matrix Extensions (Intel® AMX) on by default. Intel AMX is a new instruction set architecture (ISA) extension designed to accelerate artificial intelligence (AI) and machine learning (ML) workloads. AMX introduces new instructions that can be used to perform matrix multiplication and convolution operations, which are two of the most common operations in AI and ML. By combining Confidential VMs with Intel AMX, you can run AI/ML applications with an additional layer of security.

What our customers say about Confidential VMs with Intel TDX
“As more enterprises migrate their data and workloads to the cloud, there is an increasing demand to safeguard the privacy and integrity of data, especially sensitive workloads, intellectual property, AI models and information of value. This collaboration enables enterprises to protect and control their data at rest, in transit and in use with fully verifiable attestation. Our close collaboration with Google Cloud and Intel increases our customers' trust in their cloud migration,” said Todd Moore, vice president, Data Security Products, Thales.

“We are excited to announce our integration of Anjuna Seaglass with Google Cloud Confidential VMs on C3 machines leveraging Intel TDX technology. Confidential Computing has emerged as a crucial enabler for a range of cutting-edge use cases, including the trustworthy deployment of AI. The streamlined user experience of our joint solution, including full hardware attestation, is poised to ease customer adoption, as evidenced by the strong response we are experiencing from prospective customers,” Steve Van Lare, vice president, engineering, Anjuna Security.

“Utilizing Google Cloud's C3 VMs equipped with Intel TDX has empowered Edgeless Systems to further enhance our Constellation and Contrast solutions. We value our partnership with Google Cloud, acknowledging their dedication to expanding the confidential computing landscape. The inclusion of Intel TDX now offers our customers greater choice and flexibility, ensuring they have access to the latest in confidential computing hardware options,” said Moritz Eckert, chief architect, Edgeless Systems.

Confidential VM with Intel TDX on the C3 machine series is available in the following regions: asia-southeast1, us-central1, and europe-west4. If you require other regions, please work with your Google Cloud representative, or let us know. 

3. Now generally available: Confidential VM with AMD SEV-SNP on the N2D machine series

This past June, Confidential VMs became generally available with next level AMD Secure Encrypted Virtualization-Secure Nested Paging (AMD SEV-SNP) on the general purpose N2D machines series, giving customers data confidentiality, data integrity, and hardware-rooted attestation. Previously, Confidential VMs were only generally available with a confidential computing technology called AMD Secure Encrypted Virtualization (SEV), which gave users data confidentiality. 

All Confidential VMs help customers maintain control of their data in the public cloud, achieve cryptographic isolation in a multi-tenant environment, and add an additional layer of defense and data protection against cloud operators, admins, and insiders. However, Confidential VMs with AMD SEV-SNP have additional security features that help prevent malicious hypervisor-based attacks like data replay and memory remapping. 

Creating Confidential VMs with AMD SEV-SNP on the N2D machine series is easy and requires no code changes. Additionally, you receive the security benefits with minimal performance impact. To learn more about the performance of these VMs, check out this AMD performance brief. 

Confidential VMs with AMD SEV-SNP on the N2D machine series are available in following regions: asia-southeast1, us-central1, europe-west3, and europe-west4. If you require other regions, please work with your Google representative or let us know.

What our customers say about Confidential VMs with AMD SEV-SNP
“We’re thrilled to announce the integration of Google Confidential VMs into Enclaive’s multicloud platform for Confidential Compute. This milestone marks a significant leap forward in our commitment to providing our customers unparalleled security across cloud environments. By leveraging AMD SEV-SNP advanced memory encryption technology along with attested disk encryption, we ensure that in the Google Cloud data remains private and protected even during processing. This integration empowers businesses to trust Google Cloud with their most sensitive workloads, driving forward a new era of secure computing,” said Dr. Sebastian Gajek, CTO, Enclaive.

"By leveraging Google Cloud's Confidential VMs powered by AMD EPYC CPUs with SEV-SNP technology, encloud has achieved a breakthrough in secure gen AI deployment. This advanced infrastructure allows us to provide end-to-end encrypted AI processing, ensuring that our clients' sensitive data and AI models remain protected even during computation. This level of security is crucial for regulated industries adopting gen AI technologies, and Google Cloud offerings have been pivotal in making this possible," said Parth Shukla, CTO, Encloud.

4. Signed UEFI binaries for Confidential VMs with AMD SEV-SNP and Intel TDX

We're excited to announce a significant security enhancement to our Confidential VMs powered by AMD SEV-SNP and Intel TDX technologies: signed launch measurements (UEFI binary and initial state). UEFI is the firmware that controls the startup process of a computer, and by signing these binaries, we've added an extra layer of protection against unauthorized modifications or tampering. 

Signing the UEFI and allowing you to verify the signatures can help you gain more trust and transparency that the firmware running on your Confidential VMs is genuine and hasn't been compromised. By verifying the firmware's authenticity and integrity, you can be more confident that your attested devices are running in a secure and trusted environment. 

This is just one of many steps Google plans on taking to build a more verifiably trustworthy and secure system. To try it out yourself, see Verify Firmware.

5. Google Cloud attestation now supports Confidential VM with AMD SEV

If your trust model allows it, instead of writing and running an attestation verifier yourself, you can use the Google Cloud attestation service. To do so, use Go-TPM tools to retrieve an attestation quote from an AMD SEV Confidential VM instance's vTPM, and send it to the Google Cloud Attestation service for verification with the command ./go-tpm token. 

If the attestation quote passes verification, the Google Cloud Attestation returns a token containing VM information that you can then compare against your own policy to confirm whether or not the VM should be trusted. Currently,Google’s attestation service supports AMD SEV only.

To test it out, try the codelab today. To learn more about attestation for Confidential VMs, click here.

Confidential VM pricing

Confidential VM incurs additional costs on top of Compute Engine pricing. Confidential VM consists of flat rate per-vCPU and per-GB costs, which vary depending on whether a Confidential VM instance is on demand or preemptible, and which Confidential Computing technology (such as Intel TDX, AMD SEV, or AMD SEV-SNP) is used. 

For Confidential VM pricing, see here. For Compute Engine pricing, see here.

Getting started with Confidential VMs

Learn how to start protecting your data and workloads today by creating a Confidential VM.