Confidential VM attestation

Attestation is the process of increasing confidence that a Confidential VM instance is legitimate and operating in an expected state. It's a vital tool in validating that your workload is running in a trusted execution environment (TEE).

CPU-based attestation

Attestation reports are the evidence that your VM is running in a TEE. They are generated by the Confidential VM instance and, depending on the Confidential Computing technology in use, are signed either by a software-based vTPM or by a dedicated, hardware-based Trusted Security Module (TSM). Attestation reports contain measurements of bootloader activity, hardware configuration, firmware configuration, and other boot-time logged events that help validate the Confidential VM instance's state and identity. The signer determines your root of trust: a vTPM report is only as trustworthy as the Google-managed software that implements the vTPM, whereas a TSM report is signed with keys rooted in the CPU vendor's hardware.

The type of attestation report you can request depends on the Confidential Computing technology your Confidential VM instance is using.

Signing source       | Type                | Report coverage                        | Confidential Computing technology
Google-managed vTPM  | Software-based vTPM | Boot loader activity, kernel integrity | SEV, SEV-SNP, Intel TDX
AMD Secure Processor | Hardware-based TSM  | Hardware and firmware environment      | SEV-SNP
Intel TDX module     | Hardware-based TSM  | Hardware and firmware environment      | Intel TDX

Request an attestation report

You can request attestation reports from the Google-managed vTPM, AMD's Secure Processor, and Intel's TDX module with the following tools:

  • Go-TPM

  • Go-TPM tools (version 0.4.4 or later is required for AMD SEV-SNP and Intel TDX support)

The GceNonHostInfo event in the vTPM attestation event log records which Confidential Computing technology is in use. Go-TPM tools can additionally request a hardware attestation report from the AMD Secure Processor when AMD SEV-SNP is in use, or from the Intel TDX module when Intel TDX is in use.

For hardware attestation reports only, you can send a cryptographic challenge to the TSM with the following tools:

  • For AMD SEV-SNP, use SEV Guest. Versioned Chip Endorsement Key (VCEK) certificates are cached on the VM rather than fetched directly from AMD's Key Distribution Service (KDS); a verifier should still validate the cached certificate against AMD's root of trust rather than accepting it because it arrived alongside the report.

  • For Intel TDX, use TDX Guest.
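The challenge-response flow described in this section (verifier sends a nonce, the VM returns a signed report covering it, the verifier checks signature, freshness and measurements), reduced to the properties that matter, as an added example in Go. This is not code from Go-TPM tools, SEV Guest, TDX Guest or Google: it models a vTPM-style quote with a plain ECDSA attestation key and a SHA-256 PCR bank so that it runs offline. The PCR indices, the event strings measured into them, and the digest layout are constructed for illustration; a real verifier parses the TPM quote and event log formats instead.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"sort"
)

// Quote stands in for a TPM quote: the attestation key (AK) signs a digest that
// binds the verifier's nonce to the quoted PCR values (real TPM2_Quote encoding differs).
type Quote struct {
	Nonce     []byte
	PCRs      map[int][32]byte
	Signature []byte // ASN.1 ECDSA signature over quoteDigest(Nonce, PCRs)
}

// Policy holds the golden measurements the verifier requires for chosen PCRs.
type Policy struct {
	Expected map[int][32]byte
}

// extend models a PCR extend operation: new = SHA-256(old || SHA-256(event)).
func extend(pcr [32]byte, event []byte) [32]byte {
	ev := sha256.Sum256(event)
	return sha256.Sum256(append(pcr[:], ev[:]...))
}

// goldenPCRs is the bank a known-good boot produces from constructed sample
// events; the labels are illustrative, not real bootloader or kernel digests.
func goldenPCRs() map[int][32]byte {
	var zero [32]byte
	return map[int][32]byte{
		4: extend(zero, []byte("bootloader:shim")),
		9: extend(extend(zero, []byte("kernel:vmlinuz")), []byte("initrd:initrd.img")),
	}
}

// quoteDigest binds nonce and PCRs unambiguously: length-prefixed nonce, then
// each PCR as (index, value) in ascending index order.
func quoteDigest(nonce []byte, pcrs map[int][32]byte) [32]byte {
	idx := make([]int, 0, len(pcrs))
	for i := range pcrs {
		idx = append(idx, i)
	}
	sort.Ints(idx)
	h := sha256.New()
	binary.Write(h, binary.BigEndian, uint32(len(nonce)))
	h.Write(nonce)
	for _, i := range idx {
		binary.Write(h, binary.BigEndian, uint32(i))
		v := pcrs[i]
		h.Write(v[:])
	}
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// newAK generates an attestation key; on a real VM the private half never leaves the vTPM.
func newAK() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// attest is the VM side: quote the current PCRs over the verifier's nonce.
func attest(ak *ecdsa.PrivateKey, nonce []byte, pcrs map[int][32]byte) (Quote, error) {
	d := quoteDigest(nonce, pcrs)
	sig, err := ecdsa.SignASN1(rand.Reader, ak, d[:])
	if err != nil {
		return Quote{}, err
	}
	return Quote{Nonce: nonce, PCRs: pcrs, Signature: sig}, nil
}

// verify is the relying-party side: freshness first, then authenticity, then policy.
func verify(akPub *ecdsa.PublicKey, challenge []byte, q Quote, p Policy) error {
	if !bytes.Equal(q.Nonce, challenge) {
		return fmt.Errorf("nonce mismatch: quote is stale or replayed")
	}
	d := quoteDigest(q.Nonce, q.PCRs)
	if !ecdsa.VerifyASN1(akPub, d[:], q.Signature) {
		return fmt.Errorf("signature invalid: not produced by the trusted AK")
	}
	for i, want := range p.Expected {
		got, ok := q.PCRs[i]
		if !ok {
			return fmt.Errorf("PCR %d required by policy but not quoted", i)
		}
		if got != want {
			return fmt.Errorf("PCR %d differs from golden measurement", i)
		}
	}
	return nil
}
```

To use it, the verifier draws a fresh random challenge, the VM side calls attest with it, and the verifier calls verify with the AK public key it trusts and its Policy. The order of the three checks is the point: the nonce is compared before any measurement is believed (so an old report cannot be replayed), the signature before the PCR values it protects are compared (so only the trusted AK's measurements count), and only then the golden state. Comparing PCRs first would let an attacker supply whatever values they like.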

Intel TDX on Ubuntu

For Ubuntu images running GCP kernel build 1016 or newer, the tdx_guest module ships in the linux-modules-extra package.

To install the linux-modules-extra package, run the following command:

sudo apt-get install linux-modules-extra-gcp

If you encounter problems while installing linux-modules-extra-gcp, you can update the kernel by running the following command:

sudo apt-get upgrade

You must reboot or manually load the module for the change to take effect. Once loaded, the driver exposes the /dev/tdx_guest device that guest attestation tools use to request quotes. To load the module manually, run the following command:

sudo modprobe tdx_guest

Verify attestation reports with Google Cloud Attestation

If your trust model allows it, instead of writing and running an attestation verifier yourself, you can use Google Cloud Attestation. This involves using Go-TPM tools to retrieve an attestation quote from a Confidential VM instance's vTPM, and sending it to Google Cloud Attestation for verification. If the quote passes verification, Google Cloud Attestation returns a token containing VM information that you can then compare against your own policy to confirm whether or not the VM should be trusted.

Google Cloud Attestation can only be used with AMD SEV Confidential VM instances.

For an end-to-end example of working with Google Cloud Attestation, see the vTPM Remote Attestation on Confidential Virtual Machine codelab.
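Comparing the returned token against your own policy, as an added Go example (not Google Cloud Attestation's SDK and not the codelab's code). It operates on the decoded JSON payload of a token whose signature you have already verified against the service's published keys. The claim names and encodings (iss, aud, nbf, exp, eat_nonce, hwmodel, secboot, dbgstat, submods.gce.project_id), the issuer URL, the hardware model string and the sample payload are this example's assumptions, constructed for illustration; check them against the token format your service version actually emits.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// contains reports whether list holds v (eat_nonce is assumed to be a list of nonces).
func contains(list []string, v string) bool {
	for _, x := range list {
		if x == v {
			return true
		}
	}
	return false
}

// Claims are the payload fields this policy reads. The claim names and encodings
// are this example's assumptions about the token layout; confirm them against
// the format your attestation service version emits.
type Claims struct {
	Iss     string   `json:"iss"`
	Aud     string   `json:"aud"`
	Nbf     int64    `json:"nbf"`
	Exp     int64    `json:"exp"`
	Nonce   []string `json:"eat_nonce"`
	HWModel string   `json:"hwmodel"`
	SecBoot bool     `json:"secboot"`
	DbgStat string   `json:"dbgstat"`
	Submods struct {
		GCE struct {
			ProjectID string `json:"project_id"`
		} `json:"gce"`
	} `json:"submods"`
}

// Policy is what the relying party insists on before trusting the VM.
type Policy struct {
	Issuer, Audience, Nonce string
	AllowedHWModels         map[string]bool
	AllowedProjects         map[string]bool
	ClockSkew               time.Duration
}

// evaluate checks a token's decoded payload against the policy. It assumes the
// token signature was already verified against the service's published keys;
// a policy decision on an unverified payload is worthless.
func evaluate(payload []byte, p Policy, now time.Time) error {
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return fmt.Errorf("malformed claims: %w", err)
	}
	switch {
	case c.Iss != p.Issuer:
		return fmt.Errorf("issuer %q not trusted", c.Iss)
	case c.Aud != p.Audience:
		return errors.New("token was not issued for this relying party (aud)")
	case now.Add(p.ClockSkew).Before(time.Unix(c.Nbf, 0)):
		return errors.New("token not yet valid (nbf)")
	case now.Add(-p.ClockSkew).After(time.Unix(c.Exp, 0)):
		return errors.New("token expired (exp)")
	case !contains(c.Nonce, p.Nonce):
		return errors.New("nonce mismatch: token does not answer this challenge")
	case !p.AllowedHWModels[c.HWModel]:
		return fmt.Errorf("hardware model %q not allowed", c.HWModel)
	case !c.SecBoot:
		return errors.New("Secure Boot was not enabled on the instance")
	case c.DbgStat != "disabled-since-boot":
		return fmt.Errorf("debug state %q not acceptable", c.DbgStat)
	case !p.AllowedProjects[c.Submods.GCE.ProjectID]:
		return fmt.Errorf("project %q not allowed", c.Submods.GCE.ProjectID)
	}
	return nil
}

// samplePayload is a constructed decoded payload for illustration, not a real token.
const samplePayload = `{"iss": "https://confidentialcomputing.googleapis.com",
  "aud": "https://relying-party.example", "nbf": 1700000000, "exp": 1700003600,
  "eat_nonce": ["c2hhMjU2LW5vbmNl"], "hwmodel": "GCP_AMD_SEV",
  "secboot": true, "dbgstat": "disabled-since-boot",
  "submods": {"gce": {"project_id": "my-project"}}}`

// samplePolicy matches samplePayload; every field is an assumed value to replace with your own.
func samplePolicy() Policy {
	return Policy{
		Issuer:          "https://confidentialcomputing.googleapis.com",
		Audience:        "https://relying-party.example",
		Nonce:           "c2hhMjU2LW5vbmNl",
		AllowedHWModels: map[string]bool{"GCP_AMD_SEV": true},
		AllowedProjects: map[string]bool{"my-project": true},
		ClockSkew:       time.Minute,
	}
}
```

The nonce check is what ties the token to this session: the nonce you pass to Go-TPM tools when requesting the quote must be the one the policy expects back, otherwise a token obtained by another party for the same VM would satisfy every other rule. Pinning the audience and the project stops a token minted for a different relying party or a different tenant from being accepted.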

GPU-based attestation

GPU attestation involves verifying the GPU driver, the GPU device, or both.

GPU Driver attestation

To ensure robust attestation, enable Secure Boot when creating your Confidential VM instance.

With Secure Boot enabled, only distribution-signed GPU drivers can load. This check confirms that the GPU driver is an official release provided by NVIDIA. An official driver matters because it establishes the Security Protocol and Data Model (SPDM) session with the GPU devices and serves as the root of trust for NVIDIA GPU device attestation; without it, the driver-side end of that session cannot be trusted.
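A runtime check that Secure Boot is actually being enforced on the instance, as an added Go example that is not NVIDIA's or Google's code: it reads the SecureBoot and SetupMode UEFI variables through efivarfs. The variable names, the EFI global variable GUID and the file layout (4 attribute bytes followed by the data) come from the UEFI specification and the Linux efivarfs format; the sysfs path is the standard Linux mount point.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
)

// efivarfs exposes every UEFI variable as a file named <Name>-<VendorGUID>; the
// file holds a 4-byte little-endian attribute word followed by the variable data.
// SecureBoot and SetupMode each carry one data byte under the EFI global GUID.
const (
	efiGlobalGUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
	secureBootVar = "SecureBoot-" + efiGlobalGUID
	setupModeVar  = "SetupMode-" + efiGlobalGUID
	efivarsPath   = "/sys/firmware/efi/efivars" // standard Linux mount point
)

// readByteVar returns the single data byte of a UEFI variable from an efivarfs tree.
func readByteVar(efivars fs.FS, name string) (byte, error) {
	b, err := fs.ReadFile(efivars, name)
	if errors.Is(err, fs.ErrNotExist) {
		return 0, fmt.Errorf("%s missing: not booted via UEFI or efivarfs not mounted", name)
	}
	if err != nil {
		return 0, err
	}
	if len(b) != 5 {
		return 0, fmt.Errorf("%s: got %d bytes, want 4 attribute bytes and 1 data byte", name, len(b))
	}
	return b[4], nil
}

// secureBootEnforced reports whether the firmware is enforcing Secure Boot:
// SecureBoot must be 1 and SetupMode must be 0 (in setup mode no Platform Key is
// enrolled, so nothing is being verified regardless of other flags). A missing or
// malformed variable is an error, never a silent "false".
func secureBootEnforced(efivars fs.FS) (bool, error) {
	sb, err := readByteVar(efivars, secureBootVar)
	if err != nil {
		return false, err
	}
	setup, err := readByteVar(efivars, setupModeVar)
	if err != nil {
		return false, err
	}
	return sb == 1 && setup == 0, nil
}

func main() {
	ok, err := secureBootEnforced(os.DirFS(efivarsPath))
	if err != nil {
		fmt.Println("cannot determine Secure Boot state:", err)
		os.Exit(2)
	}
	fmt.Println("Secure Boot enforced:", ok)
	if !ok {
		os.Exit(1)
	}
}
```

Run it on the instance before relying on GPU driver attestation: exit status 0 means the firmware is enforcing signature checks on what it loads, 1 means Secure Boot is off or the platform is in setup mode, and 2 means the state could not be read at all, which should be treated as a failure rather than assumed safe.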

NVIDIA GPU Device attestation

In addition to attesting the driver, you can attest the NVIDIA GPU device itself. NVIDIA GPU device attestation verifies the Video BIOS (VBIOS) running on the GPU, which lets you identify the NVIDIA software versions in use and assess whether they carry known vulnerabilities.

To perform NVIDIA GPU device attestation, first install NVIDIA's nvtrust library, and then use it for local or remote attestation. The following commands download the latest tagged nvtrust release and prepare a Python virtual environment for it (curl and jq must be installed):

# Look up the newest tag of the nvtrust repository via the GitHub API.
API_LINK="https://api.github.com/repos/NVIDIA/nvtrust/tags"
LATEST_VER="$(curl -s "${API_LINK}" | jq -r '.[0].name')"
DOWNLOAD_LINK="https://github.com/NVIDIA/nvtrust/archive/refs/tags/${LATEST_VER}.tar.gz"
echo "Downloading nvtrust version ${LATEST_VER}"
curl -L "${DOWNLOAD_LINK}" -o nvtrust.tar.gz
mkdir -p github_nvtrust
tar xvf nvtrust.tar.gz -C github_nvtrust
# The archive unpacks to nvtrust-<version>, with the leading "v" of the tag stripped.
cd "github_nvtrust/nvtrust-${LATEST_VER:1}"
# Create and activate an isolated Python environment for the attestation tools.
python3 -m venv ./prodtest
source ./prodtest/bin/activate

Local GPU device attestation

Local GPU device attestation lets you perform the attestation process directly on your VM instance and view the results locally to verify the integrity of your GPU.

To perform local GPU device attestation, install the local verifier tool. For detailed instructions, see Verifier.

Remote GPU device attestation

Remote GPU device attestation uses the NVIDIA Remote Attestation Service (NRAS) to verify the integrity of your GPU. This process results in an attestation token signed by NVIDIA. This token can be presented to third parties to demonstrate the authenticity and integrity of your GPU, often required for accessing sensitive data or resources.

For detailed instructions, see NVIDIA attestation SDK and NVIDIA remote attestation service (NRAS).