-
Overview
- Shielded VM offers verifiable integrity for Compute Engine VM instances, so you can confirm that an instance has not been compromised by boot- or kernel-level malware or rootkits
- Shielded VM's verifiable integrity is achieved through Secure Boot, Measured Boot backed by a virtual trusted platform module (vTPM), and integrity monitoring
- Shielded VM is the first offering in the Shielded Cloud initiative
- The Shielded Cloud initiative is meant to provide an even more secure foundation for all of Google Cloud by providing verifiable integrity and offering features, like vTPM shielding or sealing, that help prevent data exfiltration
-
Secure Boot
- Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails
- Shielded VM instances run firmware that is signed and verified using Google's Certificate Authority, which ensures the instance's firmware is unmodified and establishes the root of trust for Secure Boot
- Shielded VM instances use Unified Extensible Firmware Interface (UEFI) firmware, which securely manages the certificates containing the keys that software manufacturers use to sign the system firmware, the system boot loader, and any binaries they load
- On each boot, the UEFI firmware verifies the digital signature of each boot component against the secure store of approved keys
- Any boot component that is not properly signed, or is not signed at all, is not allowed to run
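The signature-checking loop described above, as an added example that is not Google's firmware or any Shielded VM code. It models the UEFI allowed-signer store ("db") and revoked-signer store ("dbx") as lists of Ed25519 public keys and walks a constructed boot chain (firmware, bootloader, kernel) in load order, halting at the first component whose signature does not verify. Real UEFI firmware holds X.509 certificates and verifies Authenticode signatures over PE images; Ed25519 over raw bytes, the deterministic seed-derived keys, and the component images are all simplifications constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// BootComponent is one stage of the boot chain together with the detached
// signature its vendor produced over the image.
type BootComponent struct {
	Name      string
	Image     []byte
	Signature []byte
}

// KeyStore stands in for the UEFI "db" (allowed signers) and "dbx" (revoked
// signers). A key listed in both is treated as revoked.
type KeyStore struct {
	Allowed []ed25519.PublicKey
	Revoked []ed25519.PublicKey
}

func (ks *KeyStore) isRevoked(pk ed25519.PublicKey) bool {
	for _, r := range ks.Revoked {
		if r.Equal(pk) {
			return true
		}
	}
	return false
}

// verifyComponent returns nil when some non-revoked key in db verifies the
// signature over the image, otherwise an error naming the component.
func (ks *KeyStore) verifyComponent(c BootComponent) error {
	for _, pk := range ks.Allowed {
		if ks.isRevoked(pk) {
			continue
		}
		if ed25519.Verify(pk, c.Image, c.Signature) {
			return nil
		}
	}
	return fmt.Errorf("%s: no trusted signer verified the image", c.Name)
}

// SecureBoot walks the chain in load order and halts at the first failure.
// It returns the components that were allowed to run and the error that
// stopped the boot (nil when every component verified).
func SecureBoot(ks *KeyStore, chain []BootComponent) ([]string, error) {
	var loaded []string
	for _, c := range chain {
		if err := ks.verifyComponent(c); err != nil {
			return loaded, err
		}
		loaded = append(loaded, c.Name)
	}
	return loaded, nil
}

// keyFromSeed derives a deterministic key pair for the example only;
// production signing keys must never be derived from a fixed label.
func keyFromSeed(label string) (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := sha256.Sum256([]byte(label))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv.Public().(ed25519.PublicKey), priv
}

// DemoChain builds a constructed key store and boot chain for one scenario:
// "clean", "tampered-kernel" (kernel image modified after signing, as a
// bootkit would) or "revoked-signer" (kernel signed with a key listed in dbx).
func DemoChain(scenario string) (*KeyStore, []BootComponent) {
	vendorPub, vendorPriv := keyFromSeed("os-vendor")
	revokedPub, revokedPriv := keyFromSeed("leaked-key")
	ks := &KeyStore{
		Allowed: []ed25519.PublicKey{vendorPub, revokedPub},
		Revoked: []ed25519.PublicKey{revokedPub},
	}
	sign := func(name, body string, priv ed25519.PrivateKey) BootComponent {
		img := []byte(body)
		return BootComponent{Name: name, Image: img, Signature: ed25519.Sign(priv, img)}
	}
	chain := []BootComponent{
		sign("firmware", "UEFI firmware image", vendorPriv),
		sign("bootloader", "bootloader image", vendorPriv),
		sign("kernel", "kernel image", vendorPriv),
	}
	switch scenario {
	case "tampered-kernel":
		chain[2].Image = append(chain[2].Image, []byte(" + rootkit")...)
	case "revoked-signer":
		chain[2] = sign("kernel", "kernel image", revokedPriv)
	}
	return ks, chain
}

func main() {
	for _, s := range []string{"clean", "tampered-kernel", "revoked-signer"} {
		ks, chain := DemoChain(s)
		loaded, err := SecureBoot(ks, chain)
		fmt.Printf("%-16s loaded=%v err=%v\n", s, loaded, err)
	}
}
```

The two failing scenarios stop at the same place: the firmware and bootloader run, the kernel does not, and nothing after it is ever reached. A revoked key is rejected even though it is still present in the allowed list, which is why keeping dbx current matters as much as populating db.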
-
vTPM
- A vTPM is a virtualized trusted platform module; a TPM is a specialized chip that protects objects such as keys and certificates used to authenticate access to systems
- The Shielded VM vTPM is fully compatible with the Trusted Computing Group (TCG) TPM 2.0 Library specification and is built on BoringSSL, which is FIPS 140-2 Level 1 validated
- The Shielded VM vTPM enables Measured Boot by performing the measurements needed to create a known good boot baseline, called the integrity policy baseline
- The integrity policy baseline is used for comparison with measurements from subsequent VM boots to determine if anything has changed
- The vTPM can also be used to protect secrets through shielding or sealing
-
Measured Boot
- During Measured Boot, a hash of each component (for example, the firmware, bootloader, or kernel) is computed as the component is loaded; that hash is concatenated with the current value of the register holding the hashes of already-loaded components and the result is hashed again to become the new register value (the TPM extend operation)
- Because each new value folds in the previous one, the final measurement identifies both the components that were loaded and their load order; changing either yields a different value
- The first time a VM instance boots, Measured Boot creates the integrity policy baseline from the first set of these measurements, and securely stores this data
- Each time the VM instance boots after that, these measurements are taken again, and stored in secure memory until the next reboot
- Having these two sets of measurements enables integrity monitoring, which can be used to determine if there have been changes to a VM instance's boot sequence
-
Integrity monitoring
- Integrity monitoring helps users to understand and make decisions about the state of VM instances
- Integrity monitoring relies on the measurements created by Measured Boot, which are stored in platform configuration registers (PCRs); the PCRs capture the components and component load order of both the integrity policy baseline (a known good boot sequence) and the most recent boot sequence
- Integrity monitoring compares the most recent boot measurements to the integrity policy baseline and returns a pair of pass/fail results depending on whether they match: one for the early boot sequence (from the start of the UEFI firmware until control passes to the bootloader) and one for the late boot sequence (from the bootloader until control passes to the OS kernel)
- Integrity reports can be viewed in Cloud Monitoring, and alerts can be set on integrity failures
- Integrity monitoring results can be reviewed in Cloud Logging
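The Measured Boot and integrity monitoring sections above describe one pipeline: extend each component's hash into a PCR, record the first boot's PCR values as the baseline, and on later boots compare early-boot and late-boot PCRs against it. This added example (not Google's code) replays a constructed measurement log through SHA-256 PCR extends and evaluates it against a baseline. The PCR assignments (PCR 0 for firmware, PCR 4 for the bootloader, PCR 8 for the bootloader's configuration and PCR 9 for the files it loads) and the split of those PCRs into "early" and "late" groups are assumptions for this example, as are the component images.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Measurement is one event in the boot log: the PCR it extends and the
// component whose image is hashed.
type Measurement struct {
	PCR       int
	Component string
	Image     []byte
}

// PCRBank holds SHA-256 PCRs; each starts as 32 zero bytes, as at TPM reset.
type PCRBank [10][32]byte

// Extend implements the TPM extend operation:
// PCR[i] = SHA-256(PCR[i] || SHA-256(image)).
// Folding the old value into the new one makes the final PCR depend on both
// which components were loaded and the order they were loaded in.
func (b *PCRBank) Extend(m Measurement) {
	digest := sha256.Sum256(m.Image)
	buf := make([]byte, 0, 64)
	buf = append(buf, b[m.PCR][:]...)
	buf = append(buf, digest[:]...)
	b[m.PCR] = sha256.Sum256(buf)
}

// MeasuredBoot replays a boot's measurement log into a fresh bank.
func MeasuredBoot(log []Measurement) PCRBank {
	var bank PCRBank
	for _, m := range log {
		bank.Extend(m)
	}
	return bank
}

// PCRHex renders one register for display or logging.
func PCRHex(b PCRBank, pcr int) string { return hex.EncodeToString(b[pcr][:]) }

// IntegrityReport is the pair of results integrity monitoring returns.
type IntegrityReport struct {
	EarlyBootPassed bool // firmware through hand-off to the bootloader
	LateBootPassed  bool // bootloader through hand-off to the kernel
}

// Assumed grouping for this example; a real policy lists the PCRs it covers.
var earlyPCRs = []int{0, 4}
var latePCRs = []int{8, 9}

func pcrsEqual(a, b PCRBank, idx []int) bool {
	for _, i := range idx {
		if a[i] != b[i] {
			return false
		}
	}
	return true
}

// Evaluate compares the most recent boot against the baseline learned at
// first boot. Relearning the policy after an intended change is simply
// replacing baseline with the current bank.
func Evaluate(baseline, current PCRBank) IntegrityReport {
	return IntegrityReport{
		EarlyBootPassed: pcrsEqual(baseline, current, earlyPCRs),
		LateBootPassed:  pcrsEqual(baseline, current, latePCRs),
	}
}

// DemoLog is a constructed boot log. initrdFirst swaps the order of the two
// files measured into PCR 9 without changing their contents.
func DemoLog(kernel string, initrdFirst bool) []Measurement {
	files := []Measurement{
		{9, "kernel", []byte(kernel)},
		{9, "initrd", []byte("initrd image")},
	}
	if initrdFirst {
		files[0], files[1] = files[1], files[0]
	}
	log := []Measurement{
		{0, "firmware", []byte("UEFI firmware image")},
		{4, "bootloader", []byte("bootloader image")},
		{8, "bootloader-config", []byte("linux /vmlinuz root=/dev/sda1")},
	}
	return append(log, files...)
}

func main() {
	baseline := MeasuredBoot(DemoLog("kernel 5.15", false))
	fmt.Println("baseline PCR9:", PCRHex(baseline, 9))
	fmt.Printf("same boot:      %+v\n", Evaluate(baseline, MeasuredBoot(DemoLog("kernel 5.15", false))))
	fmt.Printf("rootkit kernel: %+v\n", Evaluate(baseline, MeasuredBoot(DemoLog("kernel 5.15 + rootkit", false))))
	fmt.Printf("reordered load: %+v\n", Evaluate(baseline, MeasuredBoot(DemoLog("kernel 5.15", true))))
}
```

A modified kernel or a reordered load changes only the late-boot PCRs, so the report comes back as early pass, late fail, which is the signal the late-boot integrity alert in Cloud Monitoring keys on. An unchanged firmware and bootloader keep PCR 0 and PCR 4 identical regardless of what happens later, which is why the two results are reported separately.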