Your submission was sent successfully! Close

  1. Blog
  2. Article

Hugo Huang
on 20 September 2023

Start your Ubuntu Confidential VM with Intel® TDX on Google Cloud

Confidential computing directly addresses the question of trust between cloud providers and their customers, with guarantees of data security for guest machines enforced by the underlying hardware of the cloud. According to the Confidential Computing Consortium, confidential computing is the protection of data in use by performing computation in a hardware-based, attested Trusted Execution Environment.

The close technical collaboration between Canonical and Google Cloud ensures that Ubuntu is optimised for Google Cloud operations at scale. Confidential Computing requires multiple pieces to align and we are delighted to offer full Ubuntu support for this crucial capability with Google Cloud. Organizations gain peace of mind that large classes of attacks on cloud guests are mitigated by Confidential Computing.

Intel® Trust Domain Extensions (Intel® TDX)

As an active contributor in confidential computing domain, Intel introduced Intel® Trust Domain Extensions (TDX) to its confidential computing portfolio with the launch of its new 4th Gen Xeon enterprise processors in January, 2023. Intel® Trust Domain Extensions is a combination of hardware and software features that provide isolation and security for virtual machines (VMs) running on Intel processors. Intel® TDX introduces architectural innovations to enable the deployment of hardware-isolated virtual machines (VMs), known as trust domains (TDs). The primary objective of Intel® TDX is to create a robust isolation layer between TDs and the virtual-machine manager (VMM)/hypervisor, as well as other non-TD software, offering comprehensive protection against a wide spectrum of potential threats. These hardware-isolated TDs encompass several critical components, including the Secure-Arbitration Mode (SEAM), which hosts the Intel® TDX module, an Intel-provided, digitally-signed security-services module. Additional features of TDX include:

  • the shared bit in the GPA, 
  • Secure EPT for address-translation integrity, 
  • the Physical-address-metadata table (PAMT) for page management, 
  • the Intel Total Memory Encryption-Multi Key (Intel TME-MK) engine for memory encryption and integrity, 
  • remote attestation 

All of the features are integral to ensuring the security and trustworthiness of TD execution within the Intel® TDX system.

In essence, Intel® TDX, a feature accompanying the latest 4th Generation Intel® Xeon CPUs, empowers you to execute your workloads within a logically isolated hardware-based execution environment in Google Compute Engine C3 machines. This remarkable capability is achieved through TDX’s allocation of a dedicated segment of system memory, which undergoes real-time encryption via an advanced AES-128 encryption engine. Additionally, TDX introduces stringent access control measures that meticulously govern memory access, effectively thwarting external access, including from the cloud’s privileged system software.

How Ubuntu supports Intel® TDX

Intel® TDX requires multiple pieces in the operating system to align with Intel CPUs. Ubuntu supports Intel® TDX through the Linux Stack for Intel® TDX. The Linux stack, denoting the strata of software constituting the Linux operating system, encompasses critical layers:

  • The kernel: At its nucleus, the kernel serves as the foundational pillar of the operating system, furnishing essential services upon which all other software builds.
  • Device drivers: These specialised software components act as intermediaries, facilitating seamless communication between the operating system and the hardware devices within the system.
  • System libraries: An arsenal of system libraries offers a repertoire of shared functions that find widespread utility across applications.
  • Userspace applications: At the outermost realm, userspace applications emerge as the tangible interface through which users engage directly with the system’s functionalities.

How to start your Ubuntu Confidential VM with Intel® TDX on Google Cloud

To get started with confidential computing on Google Cloud Intel® TDX, in the Google Cloud CLI, use instance create subcommand and specify — confidential-compute-type=TDX to select new C3 machines series that uses 4th Gen Intel® Xeon Scalable CPUs and enable Intel® TDX technology. Such as:

gcloud alpha compute instances create INSTANCE_NAME \
  --machine-type MACHINE_TYPE --zone us-central1-a \
  --confidential-compute-type=TDX \
  --on-host-maintenance=TERMINATE \
  --image-family=IMAGE_FAMILY_NAME \
  --image-project=IMAGE_PROJECT \
  --project PROJECT_NAME


  • MACHINE_TYPE is the C3 machine type to use.
  • IMAGE_FAMILY_NAME is the name of the Confidential VM-supported image family to use, such as Ubuntu 22.04 LTS and Ubuntu 22.04 LTS Pro Server.

In a few seconds, you will enjoy the latest advancements in security technology.

Additional resources for confidential computing:

Related posts

3 November 2023

Intel® TDX 1.0 technology preview available on Ubuntu 23.10

Confidential computing Article

Today’s security landscape faces a significant challenge: the lack of adequate protection for data in active use. Data breaches can happen at runtime (that is, when computation is taking place on a machine’s main memory), stemming from a range of vectors such as malicious insiders with elevated privileges or hackers exploiting vulnerabili ...

Felicia Jia
8 September 2023

Meet Canonical at Intel® Innovation 2023

Confidential computing Article

Intel® Innovation, one of Intel®’s flagship developer events, continues to span the worlds of architecture innovation, software tools and technology & research. Canonical is proud to be the silver sponsor in 2023 and will demonstrate our joint solutions from cloud to the edge.  As industry leaders in hardware and software, Intel and Canon ...

Hugo Huang
21 July 2023

Start your SNP VMs on Google Cloud

Cloud and server Article

SEV-SNP is a new security feature that is available on AMD’s EPYC processors. It stands for Secure Encrypted Virtualization Secure Nested Pages. SEV-SNP provides a new level of protection for firmware by encrypting the memory pages that contain the firmware code. This makes it much more difficult for attackers to gain access to the firmwa ...