Google’s new Confidential Virtual Machines on 2nd Gen AMD EPYCby Dr. Ian Cutress on July 14, 2020 8:00 AM EST
With AMD’s market share slowly increasing, it becomes very interesting to see where EPYC is being deployed. The latest announcement today comes from AMD and Google, with news that Google’s Compute Engine will start to offer new Confidential Virtual Machines (cVMs) built upon AMD’s Secure Encryption Virtualization (SEV) feature. These new cVMs are variants of Google’s N2D series offerings, and Google states that enabling SEV for full memory and virtualization encryption has a near zero performance penalty.
Secure Encryption Virtualization in AMD’s 2nd Gen EPYC processors allows cloud providers to encrypt all the data and memory of a virtual machine at the per-VM level. These are generated on-the-fly in hardware, and are non-exportable, reducing the risk of side attacks by potentially aggressive neighbors. Previously this sort of computing model was only possible if a host assumed control of a whole server, which for most use cases isn’t practical.
With SEV2, technically AMD allows for up to 509 keys per system. Google will offer images for its cVMs with Ubuntu 18.04/20.04, COS v81, and RHEL 8.2; other operating system images will be available in due course.
These cVMs will be available in vCPU listings, confirming that simultaneous multi-threading is enabled on the hardware. Both Google and AMD declined to comment on the exact EPYC CPUs being used, only that they were part of the 2nd Gen Rome family.
This is technically a beta launch, with Google being the first cloud provider to offer SEV-enabled VMs. Google is also promoting the use of its Asylo open-source framework for confidential computing, promising to make deployment easy at a high performance.
A number of 30 MB gifs were created by Google to showcase the new cVMs. Rather than share them with you in an outdated 1989 format, we converted them to video:
Users wanting access to the new VMs should go to the relevant Google page.