GCP Secured
Published on

Shielded & Confidential VM’s

Shielded VM

Shielded VM’s are hardened VM’s with easily configured security features like a verification of the bootloader/kernel.

These measures protect the vm against remote attacks, privilege escalation & malicious insiders which might attack in the form of rootkits & bootkits.

How it works

During Measured Boot, a hash of each component (for example, the firmware, bootloader, or kernel) is created as the component is loaded, and that hash is then concatenated and rehashed with the hashes of any components that have already been loaded. This will ensure that each component hasn’t changed. Afterwards you can check in the logs for:

  • earlyBootReportEvent: Identifies whether the early boot sequence integrity check passed, and provides details on the PCR values from the baseline and the most recent boot sequence that were compared to make that determination.
  • lateBootReportEvent: Identifies whether the late boot sequence integrity check passed, and provides details on the PCR values from the baseline and the most recent boot sequence that were compared to make that determination.

How to use it

  • Create a new compute instace
  • Select an image that supports Shielded VM features.
Bootdisk
  • Turn on all shielded VM features
Shielded VM Options

Confidential VM

A confidential VM allows encryption in memory meaning that even when a workload is being executed your data is still encrypted.

How it works

Using new AMD chips memory is only encrypted & decrypted on the CPU Chip. It does this by creating 1 ephemeral key on the CPU generated by the hardware. The key is not extractable and changes on every boot.

This technique protects against accidental data leakage, malicious administrators, “curious” neighbours & cloud infrastructure bugs.

How to use it

The great thing about it is that you don’t need to change anything in the code.

  1. Create an instance
  2. Expand the CPU platform and GPU section
  3. Enable Confidential VM Service
Confidentuak VM settings

Limitations

  • Scalable up to 224 vCPUs & 896 GiB Ram
  • Beta feature, only available in zones with the new AMD N2D processors (haven’t found them in Europe-West1 on 12th of August 2020)
  • Might slow down workloads by 2%-6% by Google Benchmarks, recommended to do your own.