To verify that Confidential Computing is enabled, you can use the gcloud CLI. Some operating systems might also report Confidential Computing properties in the dmesg logs when you connect to your VM over SSH.
gcloud
Run the following command to determine which Confidential Computing technology your Confidential VM is using:
gcloud compute instances describe INSTANCE_NAME --zone=ZONE_NAME --format="yaml(confidentialInstanceConfig)"
Provide the following values:
INSTANCE_NAME: The Confidential VM instance name.
ZONE_NAME: The zone the Confidential VM instance is operating in.
You receive one of the following responses if your VM instance is using AMD SEV:

confidentialInstanceConfig:
  enableConfidentialCompute: true

confidentialInstanceConfig:
  confidentialInstanceType: SEV

You receive one of the following responses if your VM instance is using AMD SEV-SNP or Intel TDX:

confidentialInstanceConfig:
  confidentialInstanceType: SEV_SNP

confidentialInstanceConfig:
  confidentialInstanceType: TDX

SSH
To verify that Confidential Computing is enabled, you might be able to use the dmesg logs on your VM.
In the Google Cloud console, go to the VM Instances page.
In the table on the Instances tab, find the row for your Confidential VM instance.
To open a terminal window for interacting with your Confidential VM instance, click SSH in the same row.
Run the following command:
sudo dmesg | grep -i "Encryption Features active"
If your VM is using AMD SEV, the response should be similar to the following example:
Memory Encryption Features active: SEV
If your VM is using AMD SEV-SNP, the response should be similar to the following example:
Memory Encryption Features active: SEV SEV-ES SEV-SNP
If your VM is using Intel TDX, the response should be similar to the following example:
Memory Encryption Features active: Intel TDX
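
The two checks above can be cross-checked against each other: the technology the instance configuration reports should match what the guest kernel logs. The following script is an added example, not part of the original page or of Google Cloud tooling. The function names and sample inputs are assumptions, and it works on text you have already captured from the gcloud and dmesg commands shown above.

```shell
#!/bin/sh
# Added example: inputs are captured text, so nothing here calls gcloud or dmesg.

# Map guest dmesg text to SEV, SEV_SNP, TDX or NONE.
guest_cc_type() {
    line=$(printf '%s\n' "$1" | grep -i 'Encryption Features active' | tail -n 1) || true
    case "$line" in
        *"Intel TDX"*) echo TDX ;;
        *SEV-SNP*)     echo SEV_SNP ;;  # test before plain SEV: the SNP line also contains "SEV"
        *SEV*)         echo SEV ;;
        *)             echo NONE ;;
    esac
}

# Map the yaml(confidentialInstanceConfig) output to the same names.
config_cc_type() {
    t=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*confidentialInstanceType:[[:space:]]*\([A-Z_]*\).*/\1/p' | head -n 1)
    if [ -n "$t" ]; then
        echo "$t"
    elif printf '%s\n' "$1" | grep -Eq '^[[:space:]]*enableConfidentialCompute:[[:space:]]*true[[:space:]]*$'; then
        echo SEV   # the page lists this response form for AMD SEV
    else
        echo NONE
    fi
}

# Succeeds only when the configuration names a technology and the guest log agrees.
cc_consistent() {
    want=$(config_cc_type "$1")
    [ "$want" != NONE ] && [ "$want" = "$(guest_cc_type "$2")" ]
}

# Constructed sample inputs (not real instance output).
SAMPLE_CONFIG='confidentialInstanceConfig:
  confidentialInstanceType: SEV_SNP'
SAMPLE_DMESG='[    0.000000] Linux version (constructed sample)
[    0.412345] Memory Encryption Features active: SEV SEV-ES SEV-SNP'

if cc_consistent "$SAMPLE_CONFIG" "$SAMPLE_DMESG"; then
    echo "match: $(config_cc_type "$SAMPLE_CONFIG")"
else
    echo "MISMATCH: config=$(config_cc_type "$SAMPLE_CONFIG") guest=$(guest_cc_type "$SAMPLE_DMESG")"
fi
```

Because some operating systems do not log the dmesg line at all, a guest result of NONE means the property was not reported, not that encryption is proven absent.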
To retrieve more detailed information about the state of a Confidential VM instance, you can examine integrity validation events. For more information, see Monitor Confidential VM integrity.