This topic lists the requirements and recommendations for using a custom Linux image to create a Confidential VM instance. It is an addendum to the standard process for using custom images with Compute Engine instances.
Considerations
Consider the following requirements and recommendations when preparing a custom image for creating a Confidential VM.
AMD Secure Encrypted Virtualization (SEV)-related Linux kernel patches
Using kernel version 5.4 or later and enabling the following options is recommended:
- CONFIG_AMD_MEM_ENCRYPT
- CONFIG_NET_VENDOR_GOOGLE
- CONFIG_PCI_MSI
- CONFIG_GVE
- CONFIG_SWIOTLB
If you need to use earlier kernel versions, you may need to do additional work to install device drivers.
Compute Engine virtual network interface (gVNIC) device driver
Use version 1.01 or later. For additional instructions, see Creating instances that use the Compute Engine virtual network interface.
NVM Express (NVMe) interface
The NVMe interface must be available during boot on the guest OS for both persistent disks (PDs) and attached SSDs. The kernel and initramfs image (if used) must include the NVMe driver module in order to mount the root directory.
Timeout errors
If I/O operations submitted to NVMe devices are failing with timeout errors, you can try increasing the NVMe I/O timeout parameter.
SEV_CAPABLE tag
Confidential VM instance creation requires that the image has the SEV_CAPABLE guest OS feature tag.
Learn how to enable guest operating system features on a custom image.
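The checks above (kernel version, kernel options, NVMe in the initramfs, the NVMe timeout, and the SEV_CAPABLE tag) can be run against a candidate image before you upload it. The following preflight script is an added example, not code from the Google Cloud documentation; the lsinitramfs/lsinitrd tools, the nvme_core.io_timeout kernel parameter and the gcloud --guest-os-features flag are drawn from general knowledge rather than from this page, and the kernel config it reads is assumed to be in the usual /boot/config-<version> format.

```shell
#!/bin/sh
# Added example (not from the Google Cloud page): offline preflight checks for a
# custom Linux image intended for Confidential VM. Sample inputs are constructed.

# The options the page recommends enabling (=y or =m both satisfy the check).
REQUIRED_OPTIONS="CONFIG_AMD_MEM_ENCRYPT CONFIG_NET_VENDOR_GOOGLE CONFIG_PCI_MSI CONFIG_GVE CONFIG_SWIOTLB"

# kernel_at_least MIN VERSION: succeed when VERSION (e.g. 5.10.0-18-cloud-amd64)
# is at least MIN (e.g. 5.4); only major.minor are compared.
kernel_at_least() {
  min_major=${1%%.*}; min_rest=${1#*.}; min_minor=${min_rest%%.*}
  version=${2%%-*}                     # drop the distro suffix after "-"
  major=${version%%.*}
  case $version in *.*) rest=${version#*.}; minor=${rest%%.*} ;; *) minor=0 ;; esac
  [ "$major" -gt "$min_major" ] && return 0
  [ "$major" -eq "$min_major" ] && [ "$minor" -ge "$min_minor" ]
}

# missing_kernel_options CONFIG_FILE: print the required options that are not
# enabled in CONFIG_FILE (space-separated, empty if none); fail if any are missing.
missing_kernel_options() {
  missing=""
  for opt in $REQUIRED_OPTIONS; do
    grep -Eq "^${opt}=(y|m)\$" "$1" || missing="$missing $opt"
  done
  missing=${missing# }
  printf '%s\n' "$missing"
  [ -z "$missing" ]
}

# initramfs_has_nvme INITRD: succeed when the initramfs ships the NVMe driver module
# (needed to mount the root disk at boot unless NVMe is built into the kernel).
# Uses lsinitramfs (Debian/Ubuntu) or lsinitrd (dracut), whichever is installed.
initramfs_has_nvme() {
  if command -v lsinitramfs >/dev/null 2>&1; then lister=lsinitramfs
  elif command -v lsinitrd >/dev/null 2>&1; then lister=lsinitrd
  else echo "no initramfs listing tool found" >&2; return 2; fi
  "$lister" "$1" | grep -q 'nvme\.ko'
}

# cmdline_has_nvme_timeout CMDLINE: succeed when the kernel command line raises the
# NVMe I/O timeout via nvme_core.io_timeout (assumed parameter name, not from the page).
cmdline_has_nvme_timeout() {
  case " $1 " in *" nvme_core.io_timeout="*) return 0 ;; *) return 1 ;; esac
}

# sev_capable_image_command NAME DISK: the gcloud invocation that registers the image
# with the SEV_CAPABLE guest OS feature (flag names assumed, not from the page).
sev_capable_image_command() {
  printf 'gcloud compute images create %s --source-disk=%s --guest-os-features=SEV_CAPABLE\n' "$1" "$2"
}
```

Run it on the guest with, for example, `missing_kernel_options /boot/config-$(uname -r)` and `cmdline_has_nvme_timeout "$(cat /proc/cmdline)"`; a non-zero exit from any check marks something to fix before creating the image.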
Getting support
If you need help setting up your own image with Confidential VM, you can use one of the support options.
What's next
- Learn more about using operating system images to create boot disks for Compute Engine instances.