Confidential VM attestation

Attestation is the process of increasing confidence that a Confidential VM instance is legitimate and operating in an expected state. It's a vital tool in validating that your workload is running in a trusted execution environment (TEE).

Attestation reports are the evidence that your VM is running in a TEE. They are generated by the Confidential VM instance, and depending on the Confidential Computing technology used are signed either by a software-based vTPM, or a dedicated, hardware-based Trusted Security Module (TSM). Attestation reports contain measurements related to bootloader activity, hardware configuration, firmware configuration, and other boot-time logged events that help to validate the Confidential VM instance's state and identity.

The type of attestation report you can request depends on the Confidential Computing technology your Confidential VM instance is using.

Signing source Type Report coverage Confidential Computing technology
SEV SEV-SNP Intel TDX
Google-managed vTPM Software-based vTPM Boot loader activity, kernel integrity
AMD Secure Processor Hardware-based TSM Hardware and firmware environment
Intel TDX module Hardware-based TSM Hardware and firmware environment

Request an attestation report

You can request attestation reports from the Google-managed vTPM, AMD's Secure Processor, and Intel's TDX module with the following tools:

  • Go-TPM

  • Go-TPM tools (version 0.4.4 or later is required for AMD SEV-SNP and Intel TDX support)

The GceNonHostInfo event in the vTPM attestation event log shows what Confidential Computing technology is in use. Go-TPM tools can request an attestation report from the AMD Secure Processor if AMD SEV-SNP is used, or from the Intel TDX module if Intel TDX is used.

For hardware attestation reports only, you can send a cryptographic challenge to the TSM with the following tools:

  • For AMD SEV-SNP, use SEV Guest. Version Chip Endorsement Key (VCEK) certificates are cached on the VM instead of requested directly from AMD's key distribution system (KDS).

  • For Intel TDX, use TDX Guest.

Intel TDX on Ubuntu

For Ubuntu images on kernel 1016 and newer, the tdx_guest module is in the linux-modules-extra package.

To install the linux-modules-extra package, run the following command:

sudo apt-get install linux-modules-extra-gcp

If you encounter problems while installing linux-modules-extra-gcp, you can update the kernel by running the following command:

sudo apt-get upgrade

You must reboot or manually load the module for the changes to take effect. To manually load the module, run the following command:

sudo modprobe tdx_guest

Verify attestation reports with Google Cloud Attestation

If your trust model allows it, instead of writing and running an attestation verifier yourself, you can use Google Cloud Attestation. This involves using Go-TPM tools to retrieve an attestation quote from a Confidential VM instance's vTPM, and sending it to Google Cloud Attestation for verification. If the quote passes verification, Google Cloud Attestation returns a token containing VM information that you can then compare against your own policy to confirm whether or not the VM should be trusted.

Google Cloud Attestation can only be used with AMD SEV Confidential VM instances.

For an end-to-end example of working with Google Cloud Attestation, see the vTPM Remote Attestation on Confidential Virtual Machine codelab.