Using your own Linux image


This topic lists the requirements and recommendations for using a custom Linux image to create a Confidential VM instance. It is an addendum to the standard process for using custom images with Compute Engine instances.

Considerations

Consider the following requirements and recommendations when preparing a custom image for creating a Confidential VM.

AMD Secure Encrypted Virtualization (SEV)-related Linux kernel patches

We recommend using kernel version 5.4 or later with the following options enabled:

  • CONFIG_AMD_MEM_ENCRYPT
  • CONFIG_NET_VENDOR_GOOGLE
  • CONFIG_PCI_MSI
  • CONFIG_GVE
  • CONFIG_SWIOTLB

If you need to use earlier kernel versions, you may need to do additional work to install device drivers.
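One way to check an image's kernel against the list above before importing it. This is an added example, not part of the original documentation. The function names and the sample config are constructed for illustration, and it assumes a plain-text kernel build config such as the /boot/config-<release> file many distributions ship.

```shell
#!/bin/sh
# Kernel options taken from the list above.
REQUIRED_OPTS="CONFIG_AMD_MEM_ENCRYPT CONFIG_NET_VENDOR_GOOGLE CONFIG_PCI_MSI CONFIG_GVE CONFIG_SWIOTLB"

# kernel_at_least_5_4 RELEASE: 0 if RELEASE (e.g. 5.10.0-28-cloud-amd64) is >= 5.4, 2 if unparsable.
kernel_at_least_5_4() {
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%[!0-9]*}
    case "$1" in *.*) ;; *) return 2 ;; esac
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    [ -n "$minor" ] || return 2
    [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 4 ]; }
}

# missing_sev_opts CONFIG_FILE: print each required option that is not built in (=y) or a module (=m).
missing_sev_opts() {
    for opt in $REQUIRED_OPTS; do
        grep -Eq "^${opt}=(y|m)\$" "$1" || echo "$opt"
    done
}

# audit_image_kernel CONFIG_FILE RELEASE: 0 only if the version and all options check out.
audit_image_kernel() {
    rc=0
    if ! kernel_at_least_5_4 "$2"; then
        echo "WARN: kernel $2 is older than 5.4 or could not be parsed"; rc=1
    fi
    missing=$(missing_sev_opts "$1")
    if [ -n "$missing" ]; then
        echo "WARN: not enabled: $(echo $missing)"; rc=1
    fi
    return $rc
}

# Constructed sample config (not from a real image): gVNIC driver disabled, SWIOTLB line absent.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
CONFIG_AMD_MEM_ENCRYPT=y
CONFIG_NET_VENDOR_GOOGLE=y
CONFIG_PCI_MSI=y
# CONFIG_GVE is not set
EOF
if audit_image_kernel "$SAMPLE" "5.10.0-28-cloud-amd64"; then
    echo "kernel config matches the recommendations"
else
    echo "image kernel needs changes before use with Confidential VM"
fi
rm -f "$SAMPLE"
```

On a running build host, pass the config file for the kernel that will be installed in the image and the matching release string, not necessarily those of the host itself.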

Compute Engine virtual network interface (gVNIC) device driver

Use version 1.01 or later. For additional instructions, see Creating instances that use the Compute Engine virtual network interface.

NVM Express (NVMe) interface

The NVMe interface must be available during boot on the guest OS for both persistent disks (PDs) and attached SSDs. The kernel and initramfs image (if used) must include the NVMe driver module in order to mount the root directory.

Timeout errors

If you encounter timeout errors for I/O operations submitted to NVMe devices, try increasing the timeout parameter.

SEV_CAPABLE tag

Confidential VM instance creation requires that the image has the SEV_CAPABLE guest OS feature tag.

Learn how to enable guest operating system features on a custom image.

Getting support

If you need help setting up your own image with Confidential VM, you can use one of the support options.

What's next

  • Learn more about using operating system images to create boot disks for Compute Engine instances.