Attestation is the process of increasing confidence that a Confidential VM instance is legitimate and operating in an expected state. It's a vital tool in validating that your workload is running in a trusted execution environment (TEE).
Attestation reports are the evidence that your VM is running in a TEE. They are generated by the Confidential VM instance, and depending on the Confidential Computing technology used are signed either by a software-based vTPM, or a dedicated, hardware-based Trusted Security Module (TSM). Attestation reports contain measurements related to bootloader activity, hardware configuration, firmware configuration, and other boot-time logged events that help to validate the Confidential VM instance's state and identity.
The type of attestation report you can request depends on the Confidential Computing technology your Confidential VM instance is using.
| Signing source | Type | Report coverage | Confidential Computing technology | ||
|---|---|---|---|---|---|
| SEV | SEV-SNP | Intel TDX | |||
| Google-managed vTPM | Software-based vTPM | Boot loader activity, kernel integrity | |||
| AMD Secure Processor | Hardware-based TSM | Hardware and firmware environment | |||
| Intel TDX module | Hardware-based TSM | Hardware and firmware environment | |||
Request an attestation report
You can request attestation reports from the Google-managed vTPM, AMD's Secure Processor, and Intel's TDX module with the following tools:
Go-TPM tools (version 0.4.4 or later is required for AMD SEV-SNP and Intel TDX support)
The GceNonHostInfo event in the vTPM attestation event log shows what
Confidential Computing technology is in use. Go-TPM tools can request an
attestation report from the AMD Secure Processor if AMD SEV-SNP is used, or from
the Intel TDX module if Intel TDX is used.
For hardware attestation reports only, you can send a cryptographic challenge to the TSM with the following tools:
For AMD SEV-SNP, use SEV Guest. Version Chip Endorsement Key (VCEK) certificates are cached on the VM instead of requested directly from AMD's key distribution system (KDS).
For Intel TDX, use TDX Guest.
Intel TDX on Ubuntu
For Ubuntu images on kernel 1016 and newer, the tdx_guest module is in the
linux-modules-extra package.
To install the linux-modules-extra package, run the following command:
sudo apt-get install linux-modules-extra-gcp
If you encounter problems while installing linux-modules-extra-gcp, you can
update the kernel by running the following command:
sudo apt-get upgrade
You must reboot or manually load the module for the changes to take effect. To manually load the module, run the following command:
sudo modprobe tdx_guest
Verify attestation reports with Google Cloud Attestation
If your trust model allows it, instead of writing and running an attestation verifier yourself, you can use Google Cloud Attestation. This involves using Go-TPM tools to retrieve an attestation quote from a Confidential VM instance's vTPM, and sending it to Google Cloud Attestation for verification. If the quote passes verification, Google Cloud Attestation returns a token containing VM information that you can then compare against your own policy to confirm whether or not the VM should be trusted.
Google Cloud Attestation can only be used with AMD SEV Confidential VM instances.
For an end-to-end example of working with Google Cloud Attestation, see the vTPM Remote Attestation on Confidential Virtual Machine codelab.