You can create a Confidential VM instance based on your own custom Linux image. This is the same process as creating a custom Linux image for Compute Engine, with additional requirements.
Confidential VM custom image requirements
Make sure to follow these requirements when building a custom image for a Confidential VM instance.
AMD SEV and SEV-SNP-related Linux kernel patches
The minimum kernel version required for Confidential VM differs depending on the technology you need.
For SEV, use kernel version 5.11 or later.
For SEV with live migration, use kernel version 6.6 or later. For long-term support (LTS) kernels, use version 6.1 LTS or later.
For SEV-SNP, use kernel version 6.1 LTS or later.
Additionally, make sure the following kernel options are enabled:
CONFIG_AMD_MEM_ENCRYPT
CONFIG_NET_VENDOR_GOOGLE
CONFIG_PCI_MSI
CONFIG_GVE
CONFIG_SWIOTLB
If you need to use earlier kernel versions, you might need to do additional work to install device drivers.
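As an added example (not from the Google Cloud documentation), the following POSIX shell script audits a kernel build config and kernel version against the requirements listed above. It assumes a Kconfig-style .config file (CONFIG_X=y or =m lines) and major.minor[.patch] version strings, and it treats the 6.1 series as the LTS line the page names for SEV with live migration.

```shell
#!/bin/sh
# Added example, not from the Google Cloud documentation: audit a kernel build
# config and kernel version against the Confidential VM requirements above.
# Assumptions: the config is a Kconfig-style .config file (CONFIG_X=y/m lines),
# and kernel versions are given as major.minor[.patch].

REQUIRED_OPTIONS="CONFIG_AMD_MEM_ENCRYPT CONFIG_NET_VENDOR_GOOGLE CONFIG_PCI_MSI CONFIG_GVE CONFIG_SWIOTLB"

# Succeeds when version $1 is at least $2, comparing major.minor only.
version_ge() {
  a_maj=${1%%.*}; a_min=${1#"$a_maj"}; a_min=${a_min#.}; a_min=${a_min%%.*}
  b_maj=${2%%.*}; b_min=${2#"$b_maj"}; b_min=${b_min#.}; b_min=${b_min%%.*}
  [ "$a_maj" -gt "$b_maj" ] ||
    { [ "$a_maj" -eq "$b_maj" ] && [ "${a_min:-0}" -ge "${b_min:-0}" ]; }
}

# Succeeds when kernel $1 meets the minimum for technology $2
# (sev, sev-lm for SEV with live migration, sev-snp).
kernel_ok() {
  case "$2" in
    sev)     version_ge "$1" 5.11 ;;
    # 6.6 or later on mainline, or the 6.1 LTS series named on the page.
    sev-lm)  version_ge "$1" 6.6 || { version_ge "$1" 6.1 && ! version_ge "$1" 6.2; } ;;
    sev-snp) version_ge "$1" 6.1 ;;
    *)       echo "unknown technology: $2" >&2; return 2 ;;
  esac
}

# Prints each required option that is neither built in (=y) nor a module (=m).
# A module still has to be present in the initramfs to be usable at boot.
missing_options() {
  for opt in $REQUIRED_OPTIONS; do
    grep -Eq "^$opt=(y|m)$" "$1" || echo "$opt"
  done
}

# Combined check: $1 = .config path, $2 = kernel version, $3 = technology.
# Returns 0 only when both the version and every required option pass.
check_image() {
  status=0
  kernel_ok "$2" "$3" || { echo "kernel $2 too old for $3" >&2; status=1; }
  missing=$(missing_options "$1")
  [ -z "$missing" ] || { echo "missing options: $(echo $missing)" >&2; status=1; }
  return $status
}

# Constructed sample config (CONFIG_GVE deliberately left unset) to exercise the checks.
SAMPLE_CONFIG=$(mktemp)
printf '%s\n' CONFIG_AMD_MEM_ENCRYPT=y CONFIG_NET_VENDOR_GOOGLE=y \
  CONFIG_PCI_MSI=y CONFIG_SWIOTLB=y '# CONFIG_GVE is not set' > "$SAMPLE_CONFIG"
check_image "$SAMPLE_CONFIG" 6.1.55 sev-snp && echo "image config OK" || echo "image config NOT OK"
```

Point the script at the .config of the kernel you intend to ship (for example /boot/config-$(uname -r) inside the image build) to catch a missing option before the image is uploaded.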
Google Virtual Network Interface Controller (gVNIC) device driver
Use version 1.01 or later of the gVNIC driver. For additional instructions, see Using Google Virtual NIC.
NVMe interface
The NVMe interface must be available during boot on the guest operating system for persistent disks and attached SSDs.
The kernel and initramfs image (if used) must include the NVMe driver module to mount the root directory.
Operating system feature tags
Confidential VM instance creation requires that the image has the SEV_CAPABLE, SEV_LIVE_MIGRATABLE_V2, or SEV_SNP_CAPABLE guest OS feature tag.
See Enable guest operating system features on custom images to learn how to add a tag with the --guest-os-features flag.
What's next
Learn more about using operating system images to create boot disks for Compute Engine instances.