Shielded VM In GCP And How To Enable It

What do you mean by shielded VM?

Shielded VMs are Google Cloud virtual machines (VMs) hardened against rootkits and bootkits by a set of security controls. They give enterprise workloads better protection against threats such as malicious insiders, remote attacks, and privilege escalation. Shielded VMs build on advanced platform security features: UEFI firmware, Secure Boot, Measured Boot, a virtual trusted platform module (vTPM), and integrity monitoring.

What does Shielded VM protect me against?

Shielded VM can help you protect your system from attack vectors like:

  1. Insiders with malicious intent: malicious insiders cannot tamper with a guest VM image without those actions being recorded. They also cannot easily exfiltrate secrets protected by the vTPM or alter sensitive cryptographic operations.
  2. Malicious guest firmware, UEFI drivers, and guest system firmware.
  3. Malicious guest-VM kernel or user-mode flaws that could compromise the guest OS.

Shielded VM’s verifiable integrity is achieved through the use of the following features:

  • Secure Boot
  • Virtual trusted platform module (vTPM)-enabled Measured Boot
  • Integrity monitoring

Secure Boot

Secure Boot is a virtual trusted platform module (vTPM)-enabled Measured Boot. It helps ensure that the system only runs authentic software by verifying the digital signature of all boot components and halting the boot process if signature verification fails.

Virtual Trusted Platform Module (vTPM)

A vTPM is a virtualised trusted platform module, which is a specialised computer chip you can use to protect objects, like keys and certificates, that you use to authenticate access to your system.

The Shielded VM vTPM enables Measured Boot by performing the measurements needed to create a known good boot baseline, called the integrity policy baseline. The integrity policy baseline is used for comparison with measurements from subsequent VM boots to determine if anything has changed.

You can also use the vTPM to protect secrets through shielding or sealing.

Integrity monitoring

Integrity monitoring helps you understand and make decisions about the state of your VM instances. It builds on Measured Boot: the Shielded VM vTPM performs the measurements that establish the integrity policy baseline, and the measurements from each subsequent boot are compared against that baseline to determine whether anything has changed.
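The comparison described above produces a pass/fail result per boot phase. As an added example (not code from the original post), the script below runs over constructed log entries shaped like the Shielded VM integrity log, where each boot carries an early-boot and a late-boot report with a `policyEvaluationPassed` verdict plus the actual and baseline PCR measurements; the log name, field names and the hash values are assumptions modelled on that structure, and the entries are constructed, not real data.

```python
"""Flag Shielded VM boot-integrity failures in exported Cloud Logging entries.

Added example, not from the original post. The entry layout (earlyBootReportEvent /
lateBootReportEvent, policyEvaluationPassed, actualMeasurements, policyMeasurements)
is an assumption modelled on the integrity-monitoring log; verify against your own entries.
"""

# Logging filter that keeps only failed evaluations (assumed log and field names).
INTEGRITY_FAILURE_FILTER = (
    'logName:"compute.googleapis.com%2Fshielded_vm_integrity" AND '
    '(jsonPayload.earlyBootReportEvent.policyEvaluationPassed=false OR '
    'jsonPayload.lateBootReportEvent.policyEvaluationPassed=false)'
)


def _measurement(pcr, value):
    """Build one PCR measurement record (constructed helper)."""
    return {"pcrNum": pcr, "hashAlgo": "SHA256", "value": value}


# Constructed sample entries (not real log data). Hash values are shortened
# placeholders; real SHA256 PCR values are 64 hex characters.
SAMPLE_ENTRIES = [
    {   # boot 3: both phases match the integrity policy baseline
        "resource": {"labels": {"instance_id": "1111", "zone": "us-central1-a"}},
        "jsonPayload": {
            "bootCounter": "3",
            "earlyBootReportEvent": {
                "policyEvaluationPassed": True,
                "policyMeasurements": [_measurement(0, "aa00"), _measurement(7, "bb00")],
                "actualMeasurements": [_measurement(0, "aa00"), _measurement(7, "bb00")],
            },
            "lateBootReportEvent": {
                "policyEvaluationPassed": True,
                "policyMeasurements": [_measurement(4, "cc00")],
                "actualMeasurements": [_measurement(4, "cc00")],
            },
        },
    },
    {   # boot 4: early boot unchanged, but the late-boot measurement of PCR 4 drifted
        "resource": {"labels": {"instance_id": "1111", "zone": "us-central1-a"}},
        "jsonPayload": {
            "bootCounter": "4",
            "earlyBootReportEvent": {
                "policyEvaluationPassed": True,
                "policyMeasurements": [_measurement(0, "aa00"), _measurement(7, "bb00")],
                "actualMeasurements": [_measurement(0, "aa00"), _measurement(7, "bb00")],
            },
            "lateBootReportEvent": {
                "policyEvaluationPassed": False,
                "policyMeasurements": [_measurement(4, "cc00")],
                "actualMeasurements": [_measurement(4, "dd11")],
            },
        },
    },
]


def changed_pcrs(report):
    """PCRs whose measured value differs from the baseline for the same hash algorithm."""
    baseline = {(m["pcrNum"], m["hashAlgo"]): m["value"]
                for m in report.get("policyMeasurements", [])}
    changed = set()
    for m in report.get("actualMeasurements", []):
        key = (m["pcrNum"], m["hashAlgo"])
        if key in baseline and baseline[key] != m["value"]:
            changed.add(m["pcrNum"])
    return sorted(changed)


def integrity_findings(entries):
    """One finding per failed boot phase: instance, boot counter, phase and drifted PCRs."""
    findings = []
    for entry in entries:
        payload = entry.get("jsonPayload", {})
        labels = entry.get("resource", {}).get("labels", {})
        for phase in ("earlyBootReportEvent", "lateBootReportEvent"):
            report = payload.get(phase)
            if not report:
                continue  # phase not reported in this entry
            # A missing verdict is treated as a failure (fail closed).
            if report.get("policyEvaluationPassed", False) is True:
                continue
            findings.append({
                "instance_id": labels.get("instance_id", "unknown"),
                "zone": labels.get("zone", "unknown"),
                "boot": payload.get("bootCounter"),
                "phase": phase,
                "changed_pcrs": changed_pcrs(report),
            })
    return findings


if __name__ == "__main__":
    for finding in integrity_findings(SAMPLE_ENTRIES):
        print(finding)
```

Feed it the JSON you export with the filter above, and the `changed_pcrs` list tells you which register drifted, which is the first thing to look at when deciding whether a failed evaluation is an expected update (for example a new kernel) or something to investigate before re-baselining.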

How to enable Secure Boot in GCP?

There are a number of ways to enable Secure Boot, and we are going to cover all of them:

Enable it via GCP console

  1. Log in to the GCP Console at https://console.cloud.google.com.
  2. Navigate to VM instances.
  3. Select the instance name to view the VM instance details page.
  4. Stop the instance by clicking STOP.
  5. When the instance has stopped, click EDIT.
  6. In the Shielded VM section, turn on both vTPM and Integrity Monitoring.
  7. Optionally, if you do not use any custom or unsigned drivers on the instance, turn on Secure Boot.
  8. To modify the instance, click SAVE.
  9. To restart the instance, click START.

Enable it via Terraform

resource "google_compute_instance" "cloudsbaba" {
  # Instance names may only contain lowercase letters, digits and hyphens,
  # so "cloudsbaba_vm" would be rejected
  name         = "cloudsbaba-vm"
  machine_type = "n1-standard-1"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      # The Shielded VM options require a Shielded VM-compatible image
      image = "debian-cloud/debian-11"
    }
  }

  network_interface {
    network = "default"
  }

  shielded_instance_config {
    enable_integrity_monitoring = true
    enable_vtpm                 = true
    enable_secure_boot          = true
  }
}

Enable it via Organisation Policy (Terraform)

resource "google_organization_policy" "enable_shielded_vm" {
  org_id     = "<organization_id>"
  constraint = "compute.requireShieldedVm"

  boolean_policy {
    enforced = true
  }
}

If you want to exclude specific folders or projects in your organisation from this policy, you can use the org-policy Terraform module, which supports exclusions:

module "enforce_secure_boot" {
  # "version" is only valid for registry sources, so the release is pinned
  # with a git ref on the GitHub source instead
  source = "github.com/terraform-google-modules/terraform-google-org-policy?ref=v5.1.0"

  constraint       = "compute.requireShieldedVm"
  policy_type      = "boolean"
  policy_for       = "organization"
  organization_id  = "<organization_id>"
  enforce          = true
  exclude_folders  = ["<folder_id>"]
  exclude_projects = ["<project_id>"]
}
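Whichever method you use, the next step is to confirm that every instance actually ended up with the three options set, and to spot instances whose image is not Shielded VM compatible (they carry no shielded configuration at all). The audit below is an added example, not code from the original post: it consumes records in the shape returned by `gcloud compute instances list --format=json` (the `shieldedInstanceConfig` field with `enableSecureBoot`, `enableVtpm` and `enableIntegrityMonitoring`, as in the Compute Engine API; treat that layout as an assumption and check it against your own output), and the `require_secure_boot` switch models the caveat from step 7 above for instances that still run custom or unsigned drivers. The sample instances are constructed.

```python
"""Audit Compute Engine instances for the three Shielded VM options.

Added example, not from the original post. Input records follow the shape of
`gcloud compute instances list --format=json` (assumed field names as in the
Compute Engine API); the sample instances below are constructed.
"""

REQUIRED = ("enableSecureBoot", "enableVtpm", "enableIntegrityMonitoring")

# Constructed sample instances (not real project data)
SAMPLE_INSTANCES = [
    {   # fully enabled
        "name": "web-1",
        "zone": "https://www.googleapis.com/compute/v1/projects/p/zones/us-central1-a",
        "shieldedInstanceConfig": {
            "enableSecureBoot": True, "enableVtpm": True, "enableIntegrityMonitoring": True,
        },
    },
    {   # Secure Boot left off (for example because of an unsigned driver)
        "name": "legacy-db",
        "zone": "https://www.googleapis.com/compute/v1/projects/p/zones/us-central1-b",
        "shieldedInstanceConfig": {
            "enableSecureBoot": False, "enableVtpm": True, "enableIntegrityMonitoring": True,
        },
    },
    {   # no shieldedInstanceConfig at all: image is not Shielded VM compatible
        "name": "old-image",
        "zone": "https://www.googleapis.com/compute/v1/projects/p/zones/us-central1-c",
    },
]


def audit_instance(instance, require_secure_boot=True):
    """Classify one instance and list the options it is missing."""
    zone = instance.get("zone", "").rsplit("/", 1)[-1]
    result = {"name": instance.get("name"), "zone": zone}
    cfg = instance.get("shieldedInstanceConfig")
    if cfg is None:
        # Absent config means the instance was not created from a Shielded VM image,
        # so none of the options can be turned on in place.
        result.update(status="not-shielded", missing=list(REQUIRED))
        return result
    required = [opt for opt in REQUIRED if require_secure_boot or opt != "enableSecureBoot"]
    missing = [opt for opt in required if cfg.get(opt, False) is not True]
    result.update(status="compliant" if not missing else "non-compliant", missing=missing)
    return result


def audit(instances, require_secure_boot=True):
    """Audit a list of instance records."""
    return [audit_instance(i, require_secure_boot) for i in instances]


def non_compliant_names(instances, require_secure_boot=True):
    """Names of instances that are not fully compliant."""
    return [r["name"] for r in audit(instances, require_secure_boot) if r["status"] != "compliant"]


if __name__ == "__main__":
    for row in audit(SAMPLE_INSTANCES):
        print(f"{row['name']:<12} {row['zone']:<14} {row['status']:<14} missing={row['missing']}")
```

Run it against the exported JSON of each project, or of the whole organisation if you gather the lists centrally; instances reported as `not-shielded` need to be rebuilt from a Shielded VM-compatible image rather than edited, which is also why the organisation policy above only prevents new non-compliant instances and does not fix existing ones.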

This is how we can enable Shielded VM in GCP.

Thanks for reading. Follow more blogs on Cloudsbaba.
