A Confidential Space image is a minimal, single-purpose OS that's run on a Confidential VM. It's designed to run a single workload only once, without persistent storage. That workload is layered on top of the Confidential Space image using Docker.
Confidential Space images are built on the existing security enhancements of Container-Optimized OS, and add the following benefits:
Encrypted disk partitions with integrity protection
Authenticated, encrypted network connections
Various boot measurements
Disabled remote access and cloud-specific tooling
Types of images
Confidential Space images are available in two variants: production and debug.
The debug version is considered insecure, and is used for testing your workload on non-production data. It differs from the production image in the following ways:
SSH is enabled.
The operator has root access to the VM that runs the workload.
The VM running the debug image doesn't stop after the workload is complete.
You can set which image is used when you deploy the workload.
Confidential Space image lifecycle
When you create a Confidential VM using a Confidential Space image, the latest version of the image is used. If you always delete your Confidential VM when your workload is done and create a new one each time you run the workload, then you can be sure the image is up to date.
However, long-running workloads or running a workload on a VM created in the past opens you up to the risk of using an outdated Confidential Space image, which might introduce security vulnerabilities.
To mitigate this, a data collaborator can use support attributes to check if a production Confidential Space image version running on a VM is recent, and deny it access to their data if it doesn't pass.
There are three support attributes:
LATEST: This is the latest version of the image, and is supported and monitored for vulnerabilities. TheLATESTimage is alsoSTABLEandUSABLE.STABLE: This version of the image is supported and monitored for vulnerabilities. ASTABLEimage is alsoUSABLE.USABLE: An image with only this attribute is out of support. Use it at your own risk.
Image versions
You can view the latest Confidential Space images with the following gcloud
command:
gcloud compute images list \
--project=confidential-space-images \
--no-standard-images
The following flags can change the returned images in the results:
Add the
--show-deprecatedflag to show older images.Add
--filter="family~'confidential-space$'"flag to show production images.Add
--filter="family~'confidential-space-debug$'"flag to show debug images.
The following tables detail the available Confidential Space image versions and their support attributes.
Production images
The following table contains Confidential Space image production versions.
| Image name | Container-Optimized OS version |
Released |
|---|---|---|
LATEST image |
||
| confidential-space-240200 | cos-dev-113-18146-0-0 | 2024-02-28 |
STABLE images |
||
| confidential-space-231201 | cos-dev-113-18059-0-0 | 2023-12-14 |
| confidential-space-231200 | cos-dev-113-18054-0-0 | 2023-12-05 |
| confidential-space-231001 | cos-dev-113-17965-0-0 | 2023-11-03 |
| confidential-space-230901 | cos-dev-113-17877-0-0 | 2023-10-02 |
| confidential-space-230600 | cos-dev-109-17637-0-0 | 2023-06-09 |
| confidential-space-2302-0 | cos-dev-105-17234-0-0 | 2023-03-02 |
| confidential-space-2212-0 | cos-dev-105-17234-0-0 | 2022-12-01 |
Debug images
The following table contains Confidential Space image debug versions.
| Image name | Container-Optimized OS version |
Released |
|---|---|---|
| confidential-space-debug-240200 | cos-dev-113-18146-0-0 | 2024-02-28 |
| confidential-space-debug-231201 | cos-dev-113-18059-0-0 | 2023-12-14 |
| confidential-space-debug-231200 | cos-dev-113-18054-0-0 | 2023-12-05 |
| confidential-space-debug-231001 | cos-dev-113-17965-0-0 | 2023-11-03 |
| confidential-space-debug-230901 | cos-dev-113-17877-0-0 | 2023-10-02 |
| confidential-space-debug-230600 | cos-dev-109-17637-0-0 | 2023-06-09 |
| confidential-space-debug-2302-0 | cos-dev-105-17234-0-0 | 2023-03-02 |
| confidential-space-debug-2212-0 | cos-dev-105-17234-0-0 | 2022-12-01 |