Modifying Shielded VM options

Use this topic to learn how to modify the Shielded VM options on a VM instance. To see which images support Shielded VM features, see OS image security features.

On a Shielded VM instance, Compute Engine enables the virtual Trusted Platform Module (vTPM) and integrity monitoring options by default. If you disable the vTPM, Compute Engine disables integrity monitoring because integrity monitoring relies on data gathered by Measured Boot.

Compute Engine does not enable Secure Boot by default because unsigned drivers and other low-level software might not be compatible. Secure Boot helps ensure that the system runs only authentic software by verifying the signature of all boot components and halting the boot process if signature verification fails. This helps prevent kernel-level malware, such as rootkits or bootkits, from persisting across VM reboots. Google recommends enabling Secure Boot where it is appropriate for your workloads, that is, where you can confirm on a representative test VM that enabling Secure Boot doesn't prevent it from booting.

Before you begin

Permissions required for this task

To perform this task, you must have the following permissions:

  • compute.instances.updateShieldedInstanceConfig on the VM

Modifying Shielded VM options on a VM instance

Use the following procedure to modify Shielded VM options:

Console

  1. In the Google Cloud Console, go to the VM instances page.

  2. Click the instance name to open the VM instance details page.

  3. Click Stop.

  4. After the instance stops, click Edit.

  5. In the Shielded VM section, modify the Shielded VM options:

    • Toggle Turn on Secure Boot to enable Secure Boot. Compute Engine does not enable Secure Boot by default because unsigned drivers and other low-level software might not be compatible. Even so, if possible, Google recommends enabling Secure Boot.

    • Toggle Turn on vTPM to disable the virtual trusted platform module (vTPM). By default, Compute Engine enables the Virtual Trusted Platform Module (vTPM).

    • Toggle Turn on Integrity Monitoring to disable integrity monitoring. By default, Compute Engine enables integrity monitoring.

  6. Click Save.

  7. Click Start to start the instance.

gcloud

  1. Stop the instance, replacing VM_NAME with the name of the VM to stop:

    gcloud compute instances stop VM_NAME
    
  2. Update the Shielded VM options:

    gcloud compute instances update VM_NAME [SECURE_BOOT] [SHIELDED_VTPM] [INTEGRITY_MONITORING]
    

    Replace the following:

    • VM_NAME: Name of the VM on which to update the Shielded VM options.
    • SECURE_BOOT: Compute Engine does not enable Secure Boot by default because some unsigned drivers and low-level software are not compatible. Even so, if possible, Google recommends enabling Secure Boot. Enable Secure Boot by using --shielded-secure-boot, and disable by using --no-shielded-secure-boot.
    • SHIELDED_VTPM: Enabled by default. Disable the virtual trusted platform module (vTPM) by using --no-shielded-vtpm, and enable by using --shielded-vtpm.
    • INTEGRITY_MONITORING: Enabled by default. Disable integrity monitoring by using --no-shielded-integrity-monitoring, and enable by using --shielded-integrity-monitoring.
  3. Start the instance, replacing VM_NAME with the name of the VM to start:

    gcloud compute instances start VM_NAME
    
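The three gcloud steps above, wrapped in a POSIX sh script as an added example (this is not code from the Google Cloud documentation page or a Google-provided tool). It assumes gcloud is installed and authenticated, that the caller holds compute.instances.updateShieldedInstanceConfig, and that the instance's current settings can be read back with `gcloud compute instances describe --format`; the VM name and zone are placeholders supplied by the caller. The script also applies the rule stated at the top of the page, that disabling the vTPM disables integrity monitoring, so the command it builds and the state it verifies are the same.

```shell
#!/bin/sh
# Added example, not code from the Google Cloud documentation page.
# Assumes gcloud is installed and authenticated. Set DRY_RUN=1 to print the
# gcloud commands instead of running them.

# Map an option name and a true/false value to the flag pair documented on the
# page (--shielded-X / --no-shielded-X). Option is one of: secure-boot, vtpm,
# integrity-monitoring.
shielded_flag() {
    case "$2" in
        true)  printf '%s' "--shielded-$1" ;;
        false) printf '%s' "--no-shielded-$1" ;;
        *)     echo "shielded_flag: expected true or false for $1, got '$2'" >&2
               return 1 ;;
    esac
}

# Apply the dependency stated on the page: integrity monitoring relies on
# Measured Boot data from the vTPM, so disabling the vTPM also disables
# integrity monitoring. Prints the effective "SECURE_BOOT VTPM INTEGRITY" triple.
effective_state() {
    if [ "$2" = false ]; then
        echo "$1 false false"
    else
        echo "$1 $2 $3"
    fi
}

# Build the full update command line.
# Usage: build_update_cmd VM ZONE SECURE_BOOT VTPM INTEGRITY_MONITORING
build_update_cmd() {
    vm=$1 zone=$2
    for v in "$3" "$4" "$5"; do
        case "$v" in
            true|false) ;;
            *) echo "build_update_cmd: values must be true or false, got '$v'" >&2
               return 1 ;;
        esac
    done
    # Replace the positional parameters with the effective triple.
    set -- $(effective_state "$3" "$4" "$5")
    printf 'gcloud compute instances update %s --zone=%s %s %s %s' \
        "$vm" "$zone" \
        "$(shielded_flag secure-boot "$1")" \
        "$(shielded_flag vtpm "$2")" \
        "$(shielded_flag integrity-monitoring "$3")"
}

# Run a command line, or just echo it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "+ $*"
    else
        eval "$*"
    fi
}

# Full procedure: stop, update, start, then read the three settings back so the
# script fails loudly if the instance did not end up in the requested state.
# Usage: set_shielded_options VM ZONE SECURE_BOOT VTPM INTEGRITY_MONITORING
set_shielded_options() {
    vm=$1 zone=$2
    update_cmd=$(build_update_cmd "$vm" "$zone" "$3" "$4" "$5") || return 1
    run "gcloud compute instances stop $vm --zone=$zone"
    run "$update_cmd"
    run "gcloud compute instances start $vm --zone=$zone"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        return 0
    fi
    expected=$(effective_state "$3" "$4" "$5")
    # gcloud prints the booleans as True/False separated by tabs; normalise
    # them to the lowercase space-separated form used by effective_state.
    actual=$(gcloud compute instances describe "$vm" --zone="$zone" \
        --format='value(shieldedInstanceConfig.enableSecureBoot,shieldedInstanceConfig.enableVtpm,shieldedInstanceConfig.enableIntegrityMonitoring)' \
        | tr 'A-Z\t' 'a-z ')
    if [ "$actual" = "$expected" ]; then
        echo "verified: $vm shieldedInstanceConfig = $actual"
    else
        echo "mismatch: requested '$expected' but $vm reports '$actual'" >&2
        return 1
    fi
}

# Example invocation; runs only when RUN_EXAMPLE=1 so the file can be sourced.
# VM_NAME and ZONE are placeholders for the caller's instance.
if [ "${RUN_EXAMPLE:-0}" = 1 ]; then
    set_shielded_options "${VM_NAME:-my-vm}" "${ZONE:-us-central1-a}" true true true
fi
```

Run it first with `DRY_RUN=1 RUN_EXAMPLE=1 sh shielded.sh` to see the exact commands, then without `DRY_RUN` against a representative test VM; the final `describe` check is what tells you whether Secure Boot actually stayed on after the instance came back up.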

API

  1. Stop the instance:

    POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances/VM_NAME/stop
    

    Replace the following:

    • PROJECT_ID: Project containing the VM to stop.
    • ZONE: Zone containing the VM to stop.
    • VM_NAME: VM to stop.
  2. Use instances.updateShieldedInstanceConfig to enable or disable Shielded VM options on the instance:

    PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances/VM_NAME/updateShieldedInstanceConfig

    {
      "enableSecureBoot": {true|false},
      "enableVtpm": {true|false},
      "enableIntegrityMonitoring": {true|false}
    }


    Replace the following:

    • PROJECT_ID: Project containing the VM to enable or disable Shielded VM options on.
    • ZONE: Zone containing the VM to enable or disable Shielded VM options on.
    • VM_NAME: VM to enable or disable Shielded VM options on.
    • enableSecureBoot: Compute Engine does not enable Secure Boot by default because unsigned drivers and other low-level software might not be compatible. If possible, Google recommends enabling Secure Boot.
    • enableVtpm: Compute Engine enables the Virtual Trusted Platform Module (vTPM) by default.
    • enableIntegrityMonitoring: Compute Engine enables integrity monitoring by default.
  3. Start the instance:

    POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances/VM_NAME/start
    

    Replace the following:

    • PROJECT_ID: Project containing the VM to start.
    • ZONE: Zone containing the VM to start.
    • VM_NAME: VM to start.

What's next