This document describes how to enable and disable the Shielded VM options on a VM instance. To see which images support Shielded VM features, see OS image security features.
Overview
On a Shielded VM instance, Compute Engine enables the virtual Trusted Platform Module (vTPM) and integrity monitoring options by default. If you disable the vTPM, Compute Engine disables integrity monitoring because integrity monitoring relies on data gathered by Measured Boot.
Compute Engine does not enable Secure Boot by default because unsigned drivers and other low-level software might not be compatible. Secure Boot helps ensure that the system only runs authentic software by verifying the signature of all boot components and stopping the boot process if signature verification fails. This helps prevent forms of kernel malware, such as rootkits or bootkits, from persisting across VM reboots. Google recommends enabling Secure Boot if you can ensure that it doesn't prevent a representative test VM from booting and if it is appropriate for your workload.
Limitations
Even though Compute Engine VM instances support Secure Boot, an image loaded on a Compute Engine VM might not. Notably, although most Linux distributions support Secure Boot on recent x86 images, it isn't always supported by default on ARM64. Many Linux images are configured to refuse to load unsigned builds of out-of-tree kernel modules when Secure Boot is enabled. This most commonly affects GPU drivers, but also sometimes affects security monitoring tools that require kernel modules.
Permissions required for this task
To perform this task, you must have the following permissions:
- compute.instances.updateShieldedInstanceConfig on the VM instance
Modifying Shielded VM options on a VM instance
Use the following procedure to modify Shielded VM options:
Console
In the Google Cloud console, go to the VM instances page.
Click the instance name to open the VM instance details page.
Click Stop.
After the instance stops, click Edit.
In the Shielded VM section, modify the Shielded VM options:
Toggle Turn on Secure Boot to enable Secure Boot. Compute Engine does not enable Secure Boot by default because unsigned drivers and other low-level software might not be compatible. If possible, Google recommends enabling Secure Boot.
Toggle Turn on vTPM to disable the virtual trusted platform module (vTPM). By default, Compute Engine enables the Virtual Trusted Platform Module (vTPM).
Toggle Turn on Integrity Monitoring to disable integrity monitoring. By default, Compute Engine enables integrity monitoring.
Click Save.
Click Start to start the instance.
gcloud
Stop the instance:
gcloud compute instances stop VM_NAME
Replace VM_NAME with the name of the VM to stop.
Update the Shielded VM options:
gcloud compute instances update VM_NAME \
    [--[no-]shielded-secure-boot] \
    [--[no-]shielded-vtpm] \
    [--[no-]shielded-integrity-monitoring]
Replace VM_NAME with the name of the VM on which to update the Shielded VM options.
shielded-secure-boot: Compute Engine does not enable Secure Boot by default because unsigned drivers and other low-level software might not be compatible. If possible, Google recommends enabling Secure Boot.
- Enable Secure Boot by using the --shielded-secure-boot flag (recommended).
- Disable Secure Boot by using the --no-shielded-secure-boot flag.
shielded-vtpm: the virtual Trusted Platform Module (vTPM) is enabled by default.
- Enable by using the --shielded-vtpm flag (default).
- Disable by using the --no-shielded-vtpm flag.
shielded-integrity-monitoring: integrity monitoring is enabled by default.
- Enable by using the --shielded-integrity-monitoring flag (default).
- Disable by using the --no-shielded-integrity-monitoring flag.
Start the instance:
gcloud compute instances start VM_NAME
Replace VM_NAME with the name of the VM to start.
API
Stop the instance:
POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances/VM_NAME/stop
Replace the following:
- PROJECT_ID: the project containing the VM to stop
- ZONE: the zone containing the VM to stop
- VM_NAME: the VM to stop
Use instances.updateShieldedInstanceConfig to enable or disable Shielded VM options on the instance:
PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances/VM_NAME/updateShieldedInstanceConfig
{
  "enableSecureBoot": {true|false},
  "enableVtpm": {true|false},
  "enableIntegrityMonitoring": {true|false}
}
Replace the following:
- PROJECT_ID: the project containing the VM on which to enable or disable Shielded VM options
- ZONE: the zone containing the VM on which to enable or disable Shielded VM options
- VM_NAME: the VM on which to enable or disable Shielded VM options
- enableSecureBoot: Compute Engine does not enable Secure Boot by default because unsigned drivers and other low-level software might not be compatible. If possible, Google recommends enabling Secure Boot.
- enableVtpm: Compute Engine enables the virtual Trusted Platform Module (vTPM) by default.
- enableIntegrityMonitoring: Compute Engine enables integrity monitoring by default.
Start the instance:
POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances/VM_NAME/start
Replace the following:
- PROJECT_ID: the project containing the VM to start
- ZONE: the zone containing the VM to start
- VM_NAME: the VM to start
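The gcloud and API procedures above change one instance at a time. The following script is an added example, not code from the Compute Engine documentation, that turns the same three settings into a fleet-wide check: it reads the JSON that `gcloud compute instances list --format=json` exports (each instance carries a shieldedInstanceConfig object with the enableSecureBoot, enableVtpm and enableIntegrityMonitoring fields used on this page), reports every instance that drifts from a desired posture, and emits the stop / update / start command sequence from the gcloud section together with the equivalent updateShieldedInstanceConfig PATCH from the API section. It never calls gcloud or the API itself. The desired posture, the project and zone names, and the four sample instances are all constructed for the example; the `--zone` flag is assumed to be the standard zonal flag of the gcloud instance commands. Two behaviours from this page are encoded: a request that leaves integrity monitoring on while turning the vTPM off is rejected, because integrity monitoring depends on Measured Boot data from the vTPM, and any instance about to have Secure Boot switched on gets the Limitations caveat about unsigned kernel modules attached to its plan entry.

```python
# Added example: Shielded VM posture audit and remediation plan.
# Assumes the Instance resource shape returned by `gcloud compute instances list --format=json`;
# sample data, project and zone names below are constructed, not taken from any real project.
import json

# Desired posture for the fleet (assumption for this example): every option on.
DESIRED = {"enableSecureBoot": True, "enableVtpm": True, "enableIntegrityMonitoring": True}

# gcloud flag for each API field; True emits --flag, False emits --no-flag.
FLAG_FOR_FIELD = {
    "enableSecureBoot": "shielded-secure-boot",
    "enableVtpm": "shielded-vtpm",
    "enableIntegrityMonitoring": "shielded-integrity-monitoring",
}

# Constructed sample of `gcloud compute instances list --format=json` output.
# "no-shielded" carries no shieldedInstanceConfig at all and is treated as all off.
ZONE_PREFIX = "https://www.googleapis.com/compute/v1/projects/example-project/zones/"
SAMPLE_INSTANCES_JSON = json.dumps([
    {"name": "web-1", "zone": ZONE_PREFIX + "us-central1-a",
     "shieldedInstanceConfig": {"enableSecureBoot": True, "enableVtpm": True, "enableIntegrityMonitoring": True}},
    {"name": "gpu-worker", "zone": ZONE_PREFIX + "us-central1-b",
     "shieldedInstanceConfig": {"enableSecureBoot": False, "enableVtpm": True, "enableIntegrityMonitoring": True}},
    {"name": "legacy-db", "zone": ZONE_PREFIX + "europe-west1-c",
     "shieldedInstanceConfig": {"enableSecureBoot": False, "enableVtpm": False, "enableIntegrityMonitoring": False}},
    {"name": "no-shielded", "zone": ZONE_PREFIX + "europe-west1-c"},
])


def validate_config(cfg):
    """Reject a combination the platform will not keep: integrity monitoring relies on
    Measured Boot data from the vTPM, so it cannot stay enabled while the vTPM is off."""
    if cfg.get("enableIntegrityMonitoring") and not cfg.get("enableVtpm"):
        raise ValueError("enableIntegrityMonitoring requires enableVtpm")
    return cfg


def zone_name(instance):
    """The zone field is a resource URL; the zone name is its last path segment."""
    return instance["zone"].rsplit("/", 1)[-1]


def find_drift(instances_json, desired=DESIRED):
    """Map each drifting instance name to {field: current value} for the fields that
    differ from the desired posture. A missing shieldedInstanceConfig counts as all off."""
    drift = {}
    for inst in json.loads(instances_json):
        current = inst.get("shieldedInstanceConfig", {})
        diffs = {field: current.get(field, False)
                 for field, want in desired.items() if current.get(field, False) != want}
        if diffs:
            drift[inst["name"]] = diffs
    return drift


def gcloud_update_command(name, zone, cfg):
    """Build the documented `gcloud compute instances update` invocation, emitting
    --shielded-* or --no-shielded-* for every field present in cfg."""
    validate_config(cfg)
    flags = [f"--{'' if cfg[field] else 'no-'}{flag}"
             for field, flag in FLAG_FOR_FIELD.items() if field in cfg]
    return f"gcloud compute instances update {name} --zone={zone} " + " ".join(flags)


def patch_request(project, zone, name, cfg):
    """Build the updateShieldedInstanceConfig call as (method, url, json body)."""
    validate_config(cfg)
    url = (f"https://compute.googleapis.com/compute/v1/projects/{project}"
           f"/zones/{zone}/instances/{name}/updateShieldedInstanceConfig")
    return "PATCH", url, json.dumps(cfg, sort_keys=True)


def remediation_plan(instances_json, project, desired=DESIRED):
    """One entry per drifting instance: the stop/update/start sequence from the page,
    the REST equivalent, and a caveat whenever Secure Boot is about to be switched on."""
    plan, drift = [], find_drift(instances_json, desired)
    for inst in json.loads(instances_json):
        name = inst["name"]
        if name not in drift:
            continue
        zone = zone_name(inst)
        entry = {"name": name, "zone": zone, "drift": drift[name], "caveat": None,
                 "stop": f"gcloud compute instances stop {name} --zone={zone}",
                 "update": gcloud_update_command(name, zone, desired),
                 "start": f"gcloud compute instances start {name} --zone={zone}",
                 "patch": patch_request(project, zone, name, desired)}
        if "enableSecureBoot" in drift[name] and desired["enableSecureBoot"]:
            # Limitations section: unsigned out-of-tree modules (often GPU drivers) stop loading.
            entry["caveat"] = ("enabling Secure Boot: confirm a representative test VM boots "
                               "and that required kernel modules are signed")
        plan.append(entry)
    return plan


if __name__ == "__main__":
    for step in remediation_plan(SAMPLE_INSTANCES_JSON, "example-project"):
        print(f"{step['name']} ({step['zone']}): drift {step['drift']}")
        print("  " + "\n  ".join(step[k] for k in ("stop", "update", "start")))
        print("  %s %s %s" % step["patch"])
        if step["caveat"]:
            print("  caveat: " + step["caveat"])
```

Pipe real inventory in by replacing SAMPLE_INSTANCES_JSON with the output of `gcloud compute instances list --format=json`; the plan is printed for review rather than executed, which keeps the stop step, and therefore the downtime, an explicit human decision per instance.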
What's next
- Read more about the security features offered by Shielded VM.
- Learn more about monitoring integrity on a Shielded VM instance.