Creating custom shielded images

This topic describes how to prepare the disk, generate security certificates, and enable any necessary operating system (OS) features to create a custom shielded image.

By default, Shielded VM supports Container-Optimized OS, various distributions of Linux, and multiple versions of Windows Server. But if you require custom images for your application, you can still take advantage of Shielded VM.

Note: For the full list of operating systems that Shielded VM supports, see Images with Shielded VM support.

Preparing the disk

Shielded VM relies on Unified Extensible Firmware Interface (UEFI)-compliant firmware to support features such as Secure Boot. Shielded VM requires a GUID Partition Table (GPT) scheme; master boot record (MBR) is not supported.

The disk must have at least two partitions:

  • EFI System Partition (ESP): 100 megabytes (MB) is sufficient for this partition, and is only a suggestion. You can create a larger partition if necessary. The only requirement for the ESP is that it be formatted with a File Allocation Table (FAT) filesystem.
  • OS Partition: The rest of the disk. This partition contains the boot OS (Linux or Windows). There is no restriction on the size of this partition.

You can create more data partitions as necessary.
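The following Python script is an added pre-import check written for this page, not code from Google's documentation: it validates a raw disk image against the layout described above by parsing the primary GPT, locating a partition carrying the EFI System Partition type GUID, confirming that partition's boot sector has FAT markers, and rejecting MBR-only disks. It assumes 512-byte sectors, and the sample image it checks is constructed in the code.

```python
import struct, uuid
SECTOR = 512
ESP_GUID = uuid.UUID("C12A7328-F81F-11D2-BA4B-00A0C93EC93B")    # EFI System Partition type
LINUX_GUID = uuid.UUID("0FC63DAF-8483-4772-8E79-3D69D8477DE4")  # Linux filesystem data

def gpt_partitions(image: bytes):
    """Yield (type_guid, first_lba, last_lba) from the primary GPT header at LBA 1."""
    if image[SECTOR:SECTOR + 8] != b"EFI PART":
        raise ValueError("no GPT header at LBA 1 (an MBR-only disk is not supported)")
    entries_lba, count, size = struct.unpack_from("<QII", image, SECTOR + 72)
    for i in range(count):
        off = entries_lba * SECTOR + i * size
        type_guid = uuid.UUID(bytes_le=image[off:off + 16])
        if type_guid.int:                                  # all-zero GUID marks an unused slot
            yield (type_guid,) + struct.unpack_from("<QQ", image, off + 32)

def is_fat(boot_sector: bytes) -> bool:
    """FAT12/16 carry 'FAT' at 0x36, FAT32 carries 'FAT32' at 0x52; both end in 0x55AA."""
    return boot_sector[510:512] == b"\x55\xaa" and (
        boot_sector[0x36:0x39] == b"FAT" or boot_sector[0x52:0x57] == b"FAT32")

def check_shielded_layout(image: bytes) -> list:
    """Return the list of layout problems; an empty list means the disk is acceptable."""
    try:
        parts = list(gpt_partitions(image))
    except ValueError as exc:
        return [str(exc)]
    problems = []
    esps = [p for p in parts if p[0] == ESP_GUID]
    if not esps:
        problems.append("no EFI System Partition")
    elif not is_fat(image[esps[0][1] * SECTOR:(esps[0][1] + 1) * SECTOR]):
        problems.append("ESP is not FAT-formatted")
    if len(parts) < 2:
        problems.append("an OS partition is required in addition to the ESP")
    return problems

def build_sample_image(esp_only: bool = False) -> bytes:
    """Constructed 48-sector image: GPT header at LBA 1, entries at LBA 2, ESP at 34, OS at 40."""
    img = bytearray(48 * SECTOR)
    img[SECTOR:SECTOR + 8] = b"EFI PART"
    struct.pack_into("<QII", img, SECTOR + 72, 2, 2, 128)  # entries LBA, entry count, entry size
    layout = [(ESP_GUID, 34, 39)] + ([] if esp_only else [(LINUX_GUID, 40, 47)])
    for i, (guid, first, last) in enumerate(layout):
        off = 2 * SECTOR + i * 128
        img[off:off + 16] = guid.bytes_le
        struct.pack_into("<QQ", img, off + 32, first, last)
    img[34 * SECTOR + 0x52:34 * SECTOR + 0x57] = b"FAT32"    # minimal FAT32 boot-sector markers
    img[34 * SECTOR + 510:34 * SECTOR + 512] = b"\x55\xaa"
    return bytes(img)
```

Run check_shielded_layout on the first few megabytes of a real image file to get the same list of problems; the check reads only the header, the entry array and the ESP boot sector.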

Copying the OS to the OS partition

Once the disk is formatted and partitioned correctly, copy the OS files into the OS partition. The OS has a boot loader that must be located at a valid path on the ESP, as specified in the UEFI specification: \EFI\Boot\bootx64.efi. Note that it may be necessary to copy the OS boot loader to the given location.

For Windows, there is a command called bcdboot that can be used to copy the OS boot loader to the correct location, in addition to performing other actions that Windows requires (such as copying the BCD store). For more information, see BCDBoot Command-Line Options on the Microsoft Hardware Dev Center.

When using Shielded VM images, you can also take advantage of two additional security features: virtual Trusted Platform Module (vTPM) and integrity monitoring. The following sections outline the benefits of these features and the OS requirements.

Virtual Trusted Platform Module (vTPM)

A trusted platform module is a specialized device that protects objects, like keys and certificates, that you use to authenticate access to your system. On Shielded VM images, virtualized versions of TPM devices are used to enable Measured Boot. In brief, Measured Boot ensures the integrity of the critical load path of boot and kernel drivers. vTPM and Measured Boot are covered in more detail in the Shielded VM documentation.

To take advantage of the vTPM and Measured Boot, a driver is required. The minimum OS versions with TPM 2.0 support are:

  • Windows Server 2012
  • Linux version 3.20
  • Red Hat Enterprise Linux 7.3

Integrity monitoring

Integrity monitoring provides a way to understand and make decisions about the state of your VM instances. Monitoring uses the data generated by Measured Boot to report on the VM instance. The Shielded VM documentation has more information about integrity monitoring and automating responses to integrity validation failures.

To support the Shielded VM integrity monitoring feature, the image must produce integrity signals:

  • Windows generates integrity signals by default.
  • Linux must have the Integrity Measurement Architecture (IMA) module installed and enabled. The module must have CONFIG_IMA_MEASURE_PCR_IDX set to 10, which is the default value for the IMA module.

Importing the disk image to Compute Engine

Once the image is prepared, you have to upload the image into Compute Engine. For the necessary steps to upload the image to Google Cloud, see Importing boot disk images to Compute Engine.

Warning: While importing the image using the instructions from the referenced document, don't import the image file into your custom images list. Shielded VM requires additional steps and arguments that are explained in the following sections.

Setting up certificates for Secure Boot

When adding a Shielded VM image, a set of Secure Boot public certificates and databases are passed into Compute Engine. These files are stored in the corresponding UEFI variables and used to establish trust relationships between the platform, firmware, and OS. Certificates are Distinguished Encoding Rules (DER)-encoded X.509 certificates. The databases can be either a certificate or raw binary. There are four values in total:

  • Platform Key (pk): A key used to establish the trust relationship between the platform owner and the firmware. You may only specify one platform key, and it must be a valid X.509 certificate.
  • Key Exchange Key (kek): A key used to establish a trust relationship between the firmware and the OS. You may specify multiple keys for this value.
  • Forbidden Key Database (dbx): A database of certificates that have been revoked and will cause the system to stop booting if a boot file is signed with one of them. You may specify single or multiple values for this value.
  • Key Database (db): A database of certificates that are trusted and can be used to sign boot files. You may specify single or multiple values for this value.

The UEFI specification contains more information about these values and how they work.

In the following example, OpenSSL is used to create the Secure Boot keys and certificates.

  • Generate a 2048-bit RSA key pair

    openssl genrsa -out secure-boot-key.rsa 2048

  • Generate a self-signed X.509 certificate from the key in DER format

    openssl req -new -x509 -sha256 \
      -subj '/CN=secure-boot' \
      -key secure-boot-key.rsa \
      -outform DER \
      -out secure-boot-cert.pem

Adding the shielded image to Google Cloud

Using the uploaded image and certificates, you can now add the image to Compute Engine. The image can be added using the Google Cloud CLI or the Compute Engine API.

gcloud

Add the custom image to Compute Engine:

gcloud compute images create [IMAGE_NAME] \
    --source-disk [SOURCE_DISK] \
    --source-disk-zone [ZONE] \
    --platform-key-file= \
    --key-exchange-key-file= \
    --signature-database-file=, \
    --forbidden-database-file= \
    --guest-os-features="UEFI_COMPATIBLE[,WINDOWS]"

where:

  • [IMAGE_NAME] is the name for the new image.
  • [SOURCE_DISK] is the disk from which you want to create the new image.
  • [ZONE] is the zone where the disk is located.

The WINDOWS option for guest-os-features is only required when using a Windows image. For more information on creating an image, see the gcloud create reference.

REST

Follow the instructions to create an image from a persistent disk, but specify the initial_state_config in the request body.

...
"sourceDisk": "/zones/[ZONE]/disks/[SOURCE_DISK]",
"initial_state_config": {
    "pk": {
        "content": [KEY],
        "fileType": [BIN,X509]
    },
    "keks": [
        {
            "content": [KEY],
            "fileType": [BIN,X509]
        },
        ...
    ],
    "dbxs": [
        {
            "content": [KEY],
            "fileType": [BIN,X509]
        },
        ...
    ],
    "dbs": [
        {
            "content": [KEY],
            "fileType": [BIN,X509]
        },
        ...
    ]
}

Default certificates

Note that pk, keks, dbxs and dbs are optional fields. If you provide an initial state configuration, some or all of these fields may be unset. When a new instance is created from the image, Google Cloud provides a default value for any of PK, KEK, db, and dbx that you left unset. If you provide no initial state configuration at all (that is, the configuration is missing, not just empty), the image inherits the initial state configuration of the source image.

These fields' default values are:

  • PK: The certificate associated with the default private key created by Google.
  • KEK: The default Microsoft KEK certificate. Download from Microsoft: MicCorKEKCA2011_2011-06-24.crt
  • dbx: The default Microsoft DBX revocation list. Download from the Unified Extensible Firmware Interface Forum: UEFI revocation list file
  • db: The following two certificates:
    • The Microsoft Windows Production PCA 2011, with a SHA-1 certificate hash of 58 0a 6f 4c c4 e4 b6 69 b9 eb dc 1b 2b 3e 08 7b 80 d0 67 8d. Download from Microsoft: MicWinProPCA2011_2011-10-19.crt
    • The Microsoft Corporation UEFI CA 2011, with a SHA-1 certificate hash of 46 de f6 3b 5c e6 1c f8 ba 0d e2 e6 63 9c 10 19 d0 ed 14 f3. Download from Microsoft: MicCorUEFCA2011_2011-06-27.crt

Be careful: adding your own certificates overwrites the default ones rather than merging the defaults with the ones you provide.
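The following Python helper is an added example for this page, not code from Google's documentation, and covers the certificate generation, REST body and default-certificate passages above: it unwraps PEM to DER where needed (the openssl command above writes DER into a file named .pem, so both forms are accepted), picks the fileType for each FileContentBuffer with a structural ASN.1 check only (X509 for a DER certificate, BIN for raw binary such as a revocation list), formats the SHA-1 certificate hash in the spaced form used for the default db certificates, and assembles the initial_state_config fragment. It assumes the content field carries the file bytes base64-encoded, as Compute Engine JSON request bodies do for bytes fields.

```python
import base64, hashlib, re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def to_der(data: bytes) -> bytes:
    """Return DER bytes; PEM input is unwrapped, anything else is returned untouched."""
    m = PEM_RE.search(data)
    return base64.b64decode(b"".join(m.group(1).split())) if m else data

def _tlv(buf: bytes, pos: int):
    """Decode one ASN.1 tag/length header at pos; return (tag, value_start, value_end)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                                  # short-form length
        return tag, pos + 2, pos + 2 + first
    n = first & 0x7F                                  # long form: n length bytes follow
    length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    return tag, pos + 2 + n, pos + 2 + n + length

def looks_like_x509(der: bytes) -> bool:
    """Structural check only: an outer SEQUENCE spanning the whole buffer whose first
    element is itself a SEQUENCE (the tbsCertificate). No signature or chain validation."""
    try:
        tag, start, end = _tlv(der, 0)
        if tag != 0x30 or end != len(der):
            return False
        inner_tag, _, inner_end = _tlv(der, start)
        return inner_tag == 0x30 and inner_end <= end
    except IndexError:
        return False

def sha1_fingerprint(der: bytes) -> str:
    """SHA-1 certificate hash in the spaced-hex form the docs use ('58 0a 6f ...')."""
    return " ".join(f"{b:02x}" for b in hashlib.sha1(der).digest())

def file_entry(data: bytes) -> dict:
    """One FileContentBuffer: X509 for a DER certificate, BIN for raw hash/signature lists."""
    der = to_der(data)
    return {"content": base64.b64encode(der).decode("ascii"),
            "fileType": "X509" if looks_like_x509(der) else "BIN"}

def initial_state_config(pk: bytes, keks: list, dbs: list, dbxs: list) -> dict:
    """Assemble the request-body fragment; KEK/db/dbx accept several files, PK exactly one."""
    cfg = {"pk": file_entry(pk),
           "keks": [file_entry(k) for k in keks],
           "dbs": [file_entry(d) for d in dbs],
           "dbxs": [file_entry(x) for x in dbxs]}
    if cfg["pk"]["fileType"] != "X509":
        raise ValueError("the platform key must be an X.509 certificate")
    return cfg
```

Before relying on a downloaded default db certificate, compare sha1_fingerprint(to_der(file_bytes)) with the hash listed above for it.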

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-11-24 UTC.