From c94337c135ab5ad60ac6a10b451cfb88a533989a Mon Sep 17 00:00:00 2001 From: HuijingHei Date: Wed, 9 Oct 2024 18:14:57 +0800 Subject: [PATCH] gcp: add `Launch a confidential VM` part --- modules/ROOT/pages/provisioning-gcp.adoc | 37 ++++++++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/modules/ROOT/pages/provisioning-gcp.adoc b/modules/ROOT/pages/provisioning-gcp.adoc index bbdb311c..753c32c5 100644 --- a/modules/ROOT/pages/provisioning-gcp.adoc +++ b/modules/ROOT/pages/provisioning-gcp.adoc 
@@ -85,3 +85,40 @@ gcloud compute instances create \ NOTE: By design, https://cloud.google.com/compute/docs/startupscript[startup scripts] are not supported on FCOS. Instead, it is recommended to encode any startup logic as systemd service units in the Ignition configuration. Again, note you need to use the `user-data` key for Ignition; it will also not work to paste Ignition into this field in the web console. + + +== Launch a Confidential VM + +NOTE: For an overview about confidential VMs on GCP see https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview[confidential VM overview]. + +To launch a confidential FCOS instance specify the confidential compute type, and a related https://cloud.google.com/confidential-computing/confidential-vm/docs/supported-configurations[machine type] that supports confidential compute. +From the command-line, use `--confidential-compute-type` and `--machine-type`. + +.Launching a confidential instance using confidential type `AMD SEV_SNP` +[source, bash] +---- +STREAM='stable' +NAME='fcos-cvm-node01' +ZONE='us-central1-a' +CONFIG='example.ign' +MACHINE_TYPE='n2d-standard-2' +gcloud compute instances create \ + --image-project "fedora-coreos-cloud" \ + --image-family "fedora-coreos-${STREAM}" \ + --metadata-from-file "user-data=${CONFIG}" \ + --confidential-compute-type "SEV_SNP" \ + --machine-type "${MACHINE_TYPE}" \ + --maintenance-policy terminate \ + --zone "${ZONE} "${NAME}" +---- + +NOTE: Currently, we don't support `--confidential-compute-type=TDX` on GCP, see https://github.com/coreos/fedora-coreos-tracker/issues/1814[this issue] for more details. + +. Example Confidential VM Boot Verification +[source, bash] +---- +ssh core@ +# Confirm the VM is using `AMD SEV-SNP` confidential type +sudo systemd-detect-virt --cvm +sev-snp +---
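Review bot: the `--zone "${ZONE} "${NAME}"` line in the first listing has unbalanced quotes, so the example as written will not run; the closing quote after `${ZONE}` is missing, which folds the instance name into the zone argument and leaves a dangling quote. It should read `--zone "${ZONE}" "${NAME}"`, matching the quoting of the other arguments. Smaller points in the same hunk: the verification block's title is written as `. Example Confidential VM Boot Verification` (period plus space, which AsciiDoc treats as an ordered-list item) whereas the first listing uses the `.Launching ...` block-title form; that second listing closes with `---` instead of the `----` that opens it, so the block would not be terminated; and `ssh core@` carries no host placeholder, so the text should say that the reader substitutes the instance's address. A short sentence explaining why `--maintenance-policy terminate` is passed for a confidential instance would also help readers who copy the command.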