Verify Confidential Computing is enabled

There are multiple ways to verify that Confidential Computing is enabled for a VM instance.

gcloud

Run the following command to determine which Confidential Computing technology your Confidential VM is using:

gcloud compute instances describe INSTANCE_NAME \
    --zone=ZONE_NAME \
    --format="yaml(confidentialInstanceConfig)"

Provide the following values:

  • INSTANCE_NAME: The Confidential VM instance name.

  • ZONE_NAME: The zone the Confidential VM instance is operating in.

You receive one of the following responses if your VM instance is using AMD SEV:

confidentialInstanceConfig:
  enableConfidentialCompute: true

confidentialInstanceConfig:
  confidentialInstanceType: SEV

You receive one of the following responses if your VM instance is using AMD SEV-SNP or Intel TDX:

confidentialInstanceConfig:
  confidentialInstanceType: SEV_SNP

confidentialInstanceConfig:
  confidentialInstanceType: TDX

dmesg

To determine which Confidential Computing technology your Confidential VM is using, you might be able to use the dmesg logs on your VM.

To check if your dmesg logs contain Confidential Computing information, use SSH to connect to your VM and run dmesg:

  1. In the Google Cloud console, go to the VM Instances page.

  2. In the table on the Instances tab, find the row for your Confidential VM instance.

  3. To open a terminal window for interacting with your Confidential VM instance, click SSH in the same row.

  4. Run the following command:

    sudo dmesg | grep -i "Encryption Features active"
    

If your VM is using AMD SEV, the response should be similar to the following example:

Memory Encryption Features active: SEV

If your VM is using AMD SEV-SNP, the response should be similar to the following example:

Memory Encryption Features active: SEV SEV-ES SEV-SNP

If your VM is using Intel TDX, the response should be similar to the following example:

Memory Encryption Features active: Intel TDX
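
The two checks above can be cross-checked against each other: the instance configuration says what was requested, and the guest kernel log says what is active. The following script is an added example, not part of the original page or Google's tooling; the function names and sample inputs are hypothetical and constructed from the response shapes shown above.

```shell
#!/bin/sh
# Added example: classify the Confidential Computing technology from the
# gcloud and dmesg outputs shown on this page. Function names are hypothetical.

# Map the gcloud YAML (--format="yaml(confidentialInstanceConfig)") to a type.
cc_type_from_gcloud() {
    ctype=$(printf '%s\n' "$1" | sed -n 's/^ *confidentialInstanceType: *//p' | head -n 1)
    if [ -n "$ctype" ]; then
        printf '%s\n' "$ctype"
    elif printf '%s\n' "$1" | grep -q '^ *enableConfidentialCompute: *true *$'; then
        # Response with only the boolean; the page lists it under AMD SEV.
        printf 'SEV\n'
    else
        printf 'NONE\n'
    fi
}

# Map dmesg output to a type, using the same grep as the page.
cc_type_from_dmesg() {
    line=$(printf '%s\n' "$1" | grep -i 'Encryption Features active' | tail -n 1)
    case $line in
        *"Intel TDX"*) printf 'TDX\n' ;;
        *SEV-SNP*)     printf 'SEV_SNP\n' ;;  # must come before plain SEV
        *SEV*)         printf 'SEV\n' ;;
        *)             printf 'NONE\n' ;;
    esac
}

# Compare configured type (arg 1: gcloud YAML) with guest-reported type (arg 2: dmesg).
cc_check() {
    want=$(cc_type_from_gcloud "$1")
    got=$(cc_type_from_dmesg "$2")
    if [ "$want" = "$got" ] && [ "$want" != NONE ]; then
        printf 'OK %s\n' "$want"
    else
        printf 'MISMATCH config=%s guest=%s\n' "$want" "$got"
        return 1
    fi
}

# Constructed sample inputs (the dmesg timestamp is made up).
sample_cfg='confidentialInstanceConfig:
  confidentialInstanceType: SEV_SNP'
sample_dmesg='[    0.000000] Memory Encryption Features active: SEV SEV-ES SEV-SNP'
cc_check "$sample_cfg" "$sample_dmesg"
```

The SEV-SNP pattern is tested before the plain SEV pattern because the SEV-SNP log line also contains the string SEV.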