GCP Confidential VM & Shielded VM Analysis
This repository contains the literature research on the current state of Confidential Compute at Google Cloud Platform (GCP).
Goal
The goal of this document is to provide an overview of the Confidential Compute service and Shielded VM provided by Google Cloud (GCP).
This document includes: (1) a description of the trust layers used by Google, (2) links to resources, (3) example code and (4) an explicit literature research into known vulnerabilities of the AMD EPYC CPU, which is the main hardware component of Google Confidential Compute.
Use case of GCP and Confidential Compute
This analysis aims to determine the level of decoupling that can be realized between you as a GCP user and GCP as Cloud Service Provider (CSP).
A common use case for this requirement is the processing of Personally Identifiable Information (PII) of EU citizens, which under EU GDPR legislation needs to be decoupled from parties under US law.
Content
Topics discussed in this document are:
- GCP Titan (TPM)
- GCP Shielded VM (vTPM)
- GCP Confidential VM (TEE)
- GCP Integrity Monitoring
- GCP Organizational Policies
- GCP Combining Encryption
Quality Assurance
The goal is to have various Subject Matter Experts (SME) review
(1) this document and
(2) the Zotero reference library,
and provide feedback, for example by adding issues in the GitHub tracker.
To make this possible from a compliance viewpoint, this document does not include information from any of our clients and employers. In addition, the context of and within a company is very specific and unique, and therefore difficult to comment on for SMEs who are not knowledgeable of this context.
Open for contribution
This analysis is documented in LaTeX format, so that versioning and contribution can be facilitated via Git/GitHub, and it is open for everybody to contribute.
The Confidential Compute technology and the offerings at GCP are continuously updated, so this analysis should also be continuously updated.
License
The content of this document is a (re-)mix of available public sources. The original authors are Maarten Baijs, Laurens Knoll and Edzo Botjes. This document includes reference to these public sources. The license of this document is Creative Commons By Association 4.0. This implies that everybody is free to use, adapt and change the content of this document but needs to mention explicitly that this document is the source.
Tool Support
Zotero
- References are part of the public Zotero reference group “confidential compute”.
- Zotero is an open source reference manager.
- Zotero has great support in academia, for example: Caltech University Library, APA - Compatible reference tools, How to use zotero in google docs.
- This document was maintained as a Google Document before but is now maintained on GitHub.
CI pipeline for LaTeX example
This repository contains examples from the blog post How to annoy your co-authors: a Gitlab CI pipeline for LaTeX.
This LaTeX pipeline uses Docker and GNU make together with latexmk in the texlive:latest container.
The texlive:latest container is updated weekly by the texlive organisation.
When you need to change the (advanced) settings, you can do this via the Makefile and latexmkrc files.
Compile locally with
make clean render
OR
Continuously compile locally, to keep compiling the PDF when the input files are updated, with
make clean render LATEXMK_OPTIONS_EXTRA=-pvc
Continuously refresh the PDF viewer with
evince paper/latexmk/main.pdf
This runs the PDF viewer Evince, which refreshes automatically when the PDF is changed.
Documentation Conventions
- Every sentence around 7 words.
- After every '.' an \n (enter) in the source file.
- Every \cite or \citep on a new line (\n).
- When in landscape: images to the right, text to the left.
- Language setting is US_EN
- Figures have as label prefix 'fig:'
- All figures should have transparent background color.
Backlog
- Update authors information (org).
- Set up/reserve a DOI in Zenodo for this doc.
- Move backlog to GitHub.
- Refactor gitlab-ci to GitHub Actions.
- Adjust latex template design based on Binx based on Xebia.
- Rotate whitepaper to landscape
Fonts
- The Google font family is well supported in LaTeX, new and free to use.
- Currently this document is using the Noto font.
Noto
- The Noto font is part of the Google font family and has extensive math and Unicode support.
- Noto@google_font
- Notomath@utwente
- Noto@Overleaf
- Noto Sans@tug
\usepackage[sfdefault]{noto}
\usepackage[T1]{fontenc}
EB Garamond
- "The elegant EB Garamond is a fantastic alternative for Times New Roman."
- EB Garamond@google_font
- EB Garamond@tug
\usepackage[cmintegrals,cmbraces]{newtxmath}
\usepackage{ebgaramond-maths}
\usepackage[T1]{fontenc}
Merriweather
- Merriweather is softer and more casual than Times New Roman, yet still distinguished.
- Merriweather@google_font
- Merriweather@tug
\usepackage{merriweather} %% Option 'black' gives heavier bold face
\usepackage[T1]{fontenc}
Roboto
\usepackage[sfdefault]{roboto} %% Option 'sfdefault' only if the base font of the document is to be sans serif
\usepackage[T1]{fontenc}
STIX2
- "The mission of the Scientific and Technical Information Exchange (STIX) font creation project is the preparation of a comprehensive set of fonts that serve the scientific and engineering community in the process from manuscript creation through final publication, both in electronic and print formats."
- stix2 homepage
- Stix2@tug
\usepackage[T1]{fontenc}
%\usepackage{stix2}
LaTeX Resources
Overall
on Text layout
- https://www.overleaf.com/learn/latex/Hyperlinks
- https://www.overleaf.com/learn/latex/Font_sizes%2C_families%2C_and_styles
- https://www.overleaf.com/learn/latex/Text_alignment
- https://tex.stackexchange.com/questions/23766/suppress-fancy-header-and-footer-on-first-page-only