Google Cloud Announces General Availability of New Confidential Computing Options

Google Cloud makes new confidential computing options generally available and expands attestation support.

Google Cloud this week announced expanded confidential computing offerings that include the general availability of confidential VMs on new AMD and Intel technology, signed UEFI binaries, and expanded attestation support.

Confidential computing relies on hardware-based Trusted Execution Environments (TEEs) to fortify Compute Engine virtual machines (VMs), secure and isolate customer workloads, and prevent unauthorized access to or modification of applications and data.

This week, Google Cloud announced the general availability of general-purpose confidential VMs on C3D machines with AMD Secure Encrypted Virtualization (AMD SEV) technology. Available in all regions and zones, the VMs are powered by the 4th generation AMD EPYC (Genoa) processor.

“Expanding to the C3D machine series allows security-minded customers to use the latest general purpose hardware with improved performance and data confidentiality,” Google says.

Additionally, Google made confidential VMs generally available on the general-purpose C3 machine series with Intel Trust Domain Extensions (TDX) technology in the asia-southeast1, us-central1, and europe-west4 regions.

These virtual machines are powered by the 4th generation Intel Xeon Scalable processors (code-named Sapphire Rapids), DDR5 memory, and Google Titanium, and have Intel Advanced Matrix Extensions (AMX) on by default.

Confidential VMs with AMD Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP) technology, which is intended to prevent malicious hypervisor-based attacks, were made generally available on the general-purpose N2D machine series in June.

“Creating confidential VMs with AMD SEV-SNP on the N2D machine series is easy and requires no code changes. Additionally, you receive the security benefits with minimal performance impact,” Google notes, adding that the VMs are available in the asia-southeast1, us-central1, europe-west3, and europe-west4 regions.

The internet giant also announced the availability of signed launch measurements (UEFI binary and initial state) for confidential VMs powered by AMD SEV-SNP and Intel TDX.

“Signing the UEFI and allowing you to verify the signatures can help you gain more trust and transparency that the firmware running on your confidential VMs is genuine and hasn’t been compromised,” Google notes.

Additionally, the Google Cloud attestation service now supports confidential VMs with AMD SEV, allowing customers to confirm whether their VMs should be trusted.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
