Attestation is the process of increasing confidence that a Confidential VM instance is legitimate and operating in an expected state. It's a vital tool in validating that your workload is running in a trusted execution environment (TEE).
CPU-based attestation
Attestation reports are the evidence that your VM is running in a TEE. They are generated by the Confidential VM instance, and depending on the Confidential Computing technology used are signed either by a software-based vTPM, or a dedicated, hardware-based Trusted Security Module (TSM). Attestation reports contain measurements related to bootloader activity, hardware configuration, firmware configuration, and other boot-time logged events that help to validate the Confidential VM instance's state and identity.
The type of attestation report you can request depends on the Confidential Computing technology your Confidential VM instance is using.
Signing source | Type | Report coverage | Confidential Computing technology | ||
---|---|---|---|---|---|
SEV | SEV-SNP | Intel TDX | |||
Google-managed vTPM | Software-based vTPM | Boot loader activity, kernel integrity | |||
AMD Secure Processor | Hardware-based TSM | Hardware and firmware environment | |||
Intel TDX module | Hardware-based TSM | Hardware and firmware environment |
Request an attestation report
You can request attestation reports from the Google-managed vTPM, AMD's Secure Processor, and Intel's TDX module with the following tools:
Go-TPM tools (version 0.4.4 or later is required for AMD SEV-SNP and Intel TDX support)
The GceNonHostInfo
event in the vTPM attestation event log shows what
Confidential Computing technology is in use. Go-TPM tools can request an
attestation report from the AMD Secure Processor if AMD SEV-SNP is used, or from
the Intel TDX module if Intel TDX is used.
For hardware attestation reports only, you can send a cryptographic challenge to the TSM with the following tools:
For AMD SEV-SNP, use SEV Guest. Version Chip Endorsement Key (VCEK) certificates are cached on the VM instead of requested directly from AMD's key distribution system (KDS).
For Intel TDX, use TDX Guest.
Intel TDX on Ubuntu
For Ubuntu images on kernel 1016 and newer, the tdx_guest
module is in the
linux-modules-extra
package.
To install the linux-modules-extra
package, run the following command:
sudo apt-get install linux-modules-extra-gcp
If you encounter problems while installing linux-modules-extra-gcp
, you can
update the kernel by running the following command:
sudo apt-get upgrade
You must reboot or manually load the module for the changes to take effect. To manually load the module, run the following command:
sudo modprobe tdx_guest
Verify attestation reports with Google Cloud Attestation
If your trust model allows it, instead of writing and running an attestation verifier yourself, you can use Google Cloud Attestation. This involves using Go-TPM tools to retrieve an attestation quote from a Confidential VM instance's vTPM, and sending it to Google Cloud Attestation for verification. If the quote passes verification, Google Cloud Attestation returns a token containing VM information that you can then compare against your own policy to confirm whether or not the VM should be trusted.
Google Cloud Attestation can only be used with AMD SEV Confidential VM instances.
For an end-to-end example of working with Google Cloud Attestation, see the vTPM Remote Attestation on Confidential Virtual Machine codelab.
GPU-based attestation
The GPU attestation involves verifying the GPU driver, the GPU device, or both.
GPU Driver attestation
To ensure robust attestation, enable Secure Boot when creating your Confidential VM instance.
Secure Boot allows for the loading of only distribution-signed GPU drivers. This verification is essential for confirming that the GPU driver is officially released and provided by NVIDIA. An official driver is important as it establishes a secure Security Protocol and Data Model (SPDM) session with GPU devices and serves as the root of trust for NVIDIA GPU device attestation.
NVIDIA GPU Device attestation
In addition to GPU driver attestation, you can further attest to NVIDIA GPU devices. NVIDIA GPU device attestation verifies the Video BIOS (VBIOS) running on the GPU. This lets you identify NVIDIA software versions and assess the presence of potential vulnerabilities.
To perform NVIDIA GPU device attestation, first install the NVIDIA's nvtrust
library, and then use it for local or remote attestation.
API_LINK="https://api.github.com/repos/NVIDIA/nvtrust/tags"
LATEST_VER="$(curl -s "${API_LINK}" | jq -r '..name')"
DOWNLOAD_LINK="https://github.com/NVIDIA/nvtrust/archive/refs/tags/${LATEST_VER}.tar.gz"
echo "Downloading nvtrust version ${LATEST_VER}"
curl -L "${DOWNLOAD_LINK}" -o nvtrust.tar.gz
mkdir github_nvtrust
tar xvf nvtrust.tar.gz -C github_nvtrust
cd github_nvtrust/nvtrust-${LATEST_VER:1}
python3 -m venv./prodtest
source./prodtest/bin/activate
Local GPU device attestation
Local GPU device attestation lets you perform the attestation process directly on your VM instance and view the results locally to verify the integrity of your GPU.
To perform local GPU device attestation, install the local verifier tool. For detailed instructions, see Verifier.
Remote GPU device attestation
Remote GPU device attestation uses the NVIDIA Remote Attestation Service (NRAS) to verify the integrity of your GPU. This process results in an attestation token signed by NVIDIA. This token can be presented to third parties to demonstrate the authenticity and integrity of your GPU, often required for accessing sensitive data or resources.
For detailed instructions, see NVIDIA attestation SDK and NVIDIA remote attestation service (NRAS).