Confidential Computing¶
Info
Confidential Computing is in early preview on Verda Cloud and available as Spot instances via the cloud console and API to select customers. If you are interested, reach out to us.
Confidential Computing (CC) protects data in use — while it is actively being processed in memory — not just at rest on disk or in transit over the network. Verda Confidential VMs (CVM) run inside a hardware-enforced Trusted Execution Environment (TEE) that encrypts both CPU and GPU memory and cryptographically isolates your workload from the hypervisor and the cloud provider. Even Verda's own infrastructure cannot read plaintext data inside a running CVM.
Confidential Compute instances cannot reboot from inside the guest
A running CVM has no firmware/bootloader to re-measure it, so an in-guest reboot (or shutdown -r) will not bring the instance back up. To restart a CVM, use the Verda console (or API): Shutdown, then Start. Each boot is freshly measured and attestable.
How it works¶
- AMD SEV-SNP (CPU): each CVM gets a unique AES-128 memory encryption key managed exclusively by the AMD Secure Processor (AMD-SP), an on-chip security co-processor the hypervisor cannot access. SEV-SNP adds memory integrity protection via the Reverse Map Table (RMP), which prevents the hypervisor from replaying, remapping, or corrupting guest memory pages. CPU register state is additionally encrypted on every hypervisor exit (SEV-ES).
- NVIDIA Confidential Computing (GPU): the RTX PRO 6000 Blackwell GPU runs in CC mode with all ingress and egress paths protected by AES-256-GCM encryption. GPU memory is isolated from the host. NVIDIA firmware verifies its own integrity at boot via an on-die hardware Root of Trust before the GPU accepts any workload.
- Encrypted PCIe transfers: data moving between the CVM and the GPU passes through bounce buffers. Payloads are AES-GCM-encrypted inside the CVM, staged through a shared PCIe buffer, and decrypted only once inside GPU-protected memory. A rolling 96-bit IV and an AES-GCM AuthTag prevent replay and tampering on the bus.
- Trust boundary: the TEE perimeter encloses the CVM and the GPU's protected memory. The KVM/QEMU hypervisor, host OS, cloud management software, and all other VMs sit outside this boundary and are treated as untrusted.
- Measured boot (direct kernel boot): Verda launches each CVM with QEMU direct kernel boot (
-kernel/-initrd/-append) and SEV-SNP kernel hashes enabled, so a SHA-384 digest of the OVMF firmware, kernel, initramfs, and kernel command line is folded into the SEV-SNP launch measurement. The attestation report therefore covers your exact boot chain — not only that the hardware is genuine, but that the firmware, kernel and initrd that booted are the ones you expect. You can recompute and verify this yourself (see Verify measured boot). - Attestation: before any workload runs, you can cryptographically verify the full stack. CPU and GPU attestation are independent: the AMD-SP issues a signed SEV-SNP report (VCEK-signed ECDSA, tied to the firmware TCB version and the launch measurement above) verifiable against AMD's certificate chain, while
nvattestperforms GPU-only remote attestation — proving the GPU is genuine, firmware is unmodified, and CC mode is active.
Architecture¶
The AMD-SP hardware and the CVM (including its assigned GPU) are the only trusted components. The hypervisor can schedule and terminate the VM but cannot read its memory or register state. Verda's management plane is outside the trust boundary and has no access to plaintext data or decryption keys.
Attestation chain¶
Before a workload runs, the full hardware stack can be verified by a remote party. CPU and GPU attestation are separate flows. See System Attestation for the exact commands to run on your instance.
- CPU attestation (AMD SEV-SNP): the AMD-SP generates a report containing the launch measurement (a SHA-384 over the OVMF firmware plus — because Verda uses direct kernel boot — the kernel, initramfs and kernel command line), the SEV-SNP TCB version, and a user-supplied nonce or public key hash. The report is signed with the VCEK — a per-chip ECDSA key cryptographically derived from the firmware version — verifiable against AMD's public certificate chain. This is handled independently via the SEV guest driver (
/dev/sev-guest). - GPU attestation (NVIDIA):
nvattest attest --device gpu --verifier remotedrives a GPU-only attestation flow. The NVIDIA driver establishes an SPDM session with GPU firmware using a Diffie-Hellman key exchange, and GPU firmware returns a certificate and measurement report signed by NVIDIA's Root of Trust, proving the GPU is genuine and running unmodified firmware in CC mode. On success,nvattestautomatically sets the GPU Ready State, which gates CUDA workload execution.
Supported Hardware¶
Verda currently supports confidential computing on the NVIDIA RTX PRO 6000 (Single GPU). Support for additional Blackwell GPUs is planned for the future:
| GPU Model | Configuration | Availability |
|---|---|---|
| NVIDIA RTX PRO 6000 | Single GPU | Available (Spot only) |
| NVIDIA B200 | Single GPU | Coming soon |
| NVIDIA B200 | Multi GPU | Coming soon |
| NVIDIA B300 | Single GPU | Coming soon |
| NVIDIA B300 | Multi GPU | Coming soon |
Info
RTX PRO 6000 Multi GPU is not supported.
System Attestation¶
Attestation lets you verify that your instance is running with full confidential computing protections enabled.
Verify CPU RAM encryption¶
$ sudo dmesg | grep -i sev-snp
[ 1.816039] Memory Encryption Features active: AMD SEV SEV-ES SEV-SNP
Run AMD SEV-SNP CPU attestation¶
Install snpguest (one-time):
$ curl -fsSL https://github.com/virtee/snpguest/releases/download/v0.10.0/snpguest \
-o /usr/local/bin/snpguest && chmod +x /usr/local/bin/snpguest
Check that SEV, SEV-ES, and SNP are all active:
Generate an attestation report and fetch the AMD certificate chain:
$ mkdir -p /tmp/snp-attest
$ snpguest report /tmp/snp-attest/report.bin /tmp/snp-attest/nonce.bin --random
$ snpguest fetch ca pem /tmp/snp-attest/ turin
$ snpguest fetch vcek pem /tmp/snp-attest/ /tmp/snp-attest/report.bin
Verify the certificate chain — AMD ARK → ASK → VCEK:
$ snpguest verify certs /tmp/snp-attest/
The AMD ARK was self-signed!
The AMD ASK was signed by the AMD ARK!
The VCEK was signed by the AMD ASK!
Verify the attestation report is signed by this chip's VCEK:
$ snpguest verify attestation /tmp/snp-attest/ /tmp/snp-attest/report.bin
Reported TCB Boot Loader from certificate matches the attestation report.
Reported TCB TEE from certificate matches the attestation report.
Reported TCB SNP from certificate matches the attestation report.
Reported TCB Microcode from certificate matches the attestation report.
VEK signed the Attestation Report!
Verify measured boot¶
Because Verda boots your CVM with direct kernel boot and SEV-SNP kernel hashes, the launch measurement in the SEV-SNP report equals a SHA-384 over the OVMF firmware, the kernel, the initramfs, and the kernel command line. You can verify it end-to-end: fetch the signed report, independently recompute the expected measurement from the on-disk boot artifacts, and compare.
Download and run the helper inside the CVM, as root:
$ chmod +x measure_boot.sh
$ sudo ./measure_boot.sh
[+] Fetching SEV-SNP attestation report...
[+] Computing expected measurement with sev-snp-measure...
OVMF : /boot/OVMF.amdsev.fd
Kernel : /boot/vmlinuz
Initrd : /boot/initrd.img
Cmdline : console=ttyS0 root=UUID=... ro ...
vCPUs : 30 (family=26 model=2 stepping=1)
Report measurement : 5D8F582C2D1FF3311E6B2E25509F130343B012EC5EFE06756E01E5FB4FE44DF4...
Expected measurement : 5D8F582C2D1FF3311E6B2E25509F130343B012EC5EFE06756E01E5FB4FE44DF4...
MATCH: launch measurement matches OVMF+kernel+initrd+cmdline
A MATCH means the running CVM was launched from exactly that firmware, kernel, initramfs and command line — the hardware and the boot chain are verified. The script auto-installs its dependencies (snpguest, and sev-snp-measure via pipx), so the instance needs outbound internet and apt the first time.
Note
Verda always ships the firmware and boot artifacts the measurement is computed over at /boot/OVMF.amdsev.fd, /boot/vmlinuz, and /boot/initrd.img, so the script runs with no extra setup. To pin a known-good value, record the Expected measurement from a trusted build and compare future reports against it (the report's measurement is what the AMD-SP signs).
Verify GPU confidential compute mode¶
$ nvidia-smi conf-compute -q
==============NVSMI CONF-COMPUTE LOG==============
CC State : ON
Multi-GPU Mode : None
CPU CC Capabilities : AMD SEV-SNP
GPU CC Capabilities : CC Capable
CC GPUs Ready State : Not Ready
Run NVIDIA GPU attestation¶
Note
Use of the NVIDIA attestation script requires compliance with NVIDIA's Product-Specific Terms for Confidential Computing. Contact us here to arrange the necessary licensing.
Install nvattest (one-time):
Run remote attestation against the GPU:
$ nvattest attest --device gpu --verifier remote
Devices:
- Device 0:
Device Type: gpu
Hardware Model: GB20X
UEID: 632831960640621557346471716215948155372539415535
VBIOS Version: 98.02.8D.00.01
Driver Version: 580.126.09
Measurement Result: success
Attestation Report Cert Chain:
Status: valid, OCSP: good
Expires: 9999-12-31T23:59:59Z
Driver RIM Cert Chain:
Status: valid, OCSP: good
Expires: 2028-01-07T22:11:08Z
VBIOS RIM Cert Chain:
Status: valid, OCSP: good
Expires: 2027-08-26T10:19:38Z
GPU attestation was successful
Key fields to check in the output:
| Field | Expected |
|---|---|
| Measurement Result | success |
| Attestation Report Cert Chain | valid, OCSP: good |
| Driver RIM Cert Chain | valid, OCSP: good |
| VBIOS RIM Cert Chain | valid, OCSP: good |
| Final line | GPU attestation was successful |
Set the GPU ready state¶
The GPU will not accept any workload until a user inside the CVM sets the ReadyState. This prevents accidental usage before attestation is complete.
Successfully passing remote attestation (see above) automatically sets the ready state. You can also set it manually:
Protecting Your Confidential Data¶
When running a Confidential VM, you can create a user with an encrypted home folder so that your data at rest is also protected.
Create an encrypted user¶
Log in to your user with login (this will ask for your password and decrypt the home folder):
Verify home folder encryption¶
Create a test file from your user session:
Then exit and inspect the home folder as root. If encryption is working correctly, you will not see test.txt but instead encrypted directory entries:
$ exit
root@ncc-vm:~# ls -lah /home/newusername/
total 8.0K
dr-x------ 2 newusername newusername 4.0K Mar 2 14:25 .
drwxr-xr-x 4 root root 4.0K Mar 2 14:44 ..
lrwxrwxrwx 1 newusername newusername 33 Mar 2 14:25 .Private -> /home/.ecryptfs/newusername/.Private
lrwxrwxrwx 1 newusername newusername 34 Mar 2 14:25 .ecryptfs -> /home/.ecryptfs/newusername/.ecryptfs
Booting a Custom OS¶
By default, Verda CVM instances are provisioned with Ubuntu 24.04. If you need a different or custom OS (e.g. Ubuntu 25.10), you can replace the OS on the primary volume in place. Verda uses direct kernel boot, so there is no GRUB step: the instance is booted once into a RAM-only dropbear SSH initramfs that pauses before mounting /dev/vda, the new image is streamed straight onto /dev/vda, and the instance is then restarted into the new OS.
Warning
CC instances cannot reboot from inside the guest. Each step that "restarts" the VM means: in the Verda console, Shutdown then Start (the scripts power the guest off for you and then wait for it to come back).
How it works¶
dropbear-initramfsis installed on the running instance, plus aninit-premount/99-pausehook that holds the boot in the initramfs forever — DHCP comes up anddropbearlistens on port 22, but/dev/vdais never mounted.- The instance is powered off; you Start it from the Verda console. Verda extracts the kernel/initrd and boots the paused initramfs, where
/dev/vdais free. - The new image is streamed from your local machine straight onto
/dev/vda. - The instance is powered off again; you Start it, and Verda boots the new OS.
Prerequisites¶
- A Verda CVM instance with SSH access as root.
- On the local machine:
Download the helper scripts and sample env file into a working directory:
1. Configure¶
$ cp env_sample.txt .env
$ # Edit .env: set REMOTE (root@<instance-ip>); SSH_KEY defaults to your ed25519 key
2. Build the OS image (local machine)¶
Produces questing-server-raw.img (~3.5 GiB raw, ~650 MB compressed on the wire): Ubuntu 25.10 with your SSH key injected, DHCP networking, cloud-init disabled, and a first-boot growpart+resize2fs that fills the disk.
3. Boot into the rescue initramfs¶
Installs dropbear-initramfs + the 99-pause hook, rebuilds the initramfs, and powers the instance off. When prompted, go to the Verda console and Start the instance (if it still shows running, Shutdown first, then Start). The script waits until dropbear answers and /dev/vda is unmounted.
4. Flash the new OS¶
Verifies /dev/vda is unmounted, streams the image onto it, and triggers an in-guest poweroff. When prompted, Start the instance again from the Verda console; the script waits for the new OS to answer SSH and reports success.