> Confidential computing (Intel SGX, ARM TrustZone, AMD SEV-SNP) handles this by encrypting the virtual machine memory so that even having full root on the host does not expose VM compute or memory.
Google's current confidential compute offering does not prove at runtime that it's actually confidential. You just get a bit in your cloud console saying 'yep it's confidential' (and some runtime CPU bit too, but that's easily spoofable by a compromised hypervisor), but no cryptographically verifiable proof from AMD that things actually are confidential.
Yes, Google tries to abstract SEV from you, but it is SEV-SNP that we really need for this. Our account manager confirmed they’re not offering SEV-SNP yet.
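Added example, not code from anyone in this thread: what the "cryptographically verifiable proof from AMD" above means concretely is a SEV-SNP attestation report signed by the per-chip VCEK, which only the AMD secure processor holds. A console flag or a CPUID bit can be set by a hypervisor; a valid signature over a report that echoes your nonce and carries the expected launch measurement cannot. The Go below parses such a report and performs the checks a relying party would make. Field offsets follow the ATTESTATION_REPORT layout in AMD's SEV-SNP firmware ABI specification; the signing key is a locally generated P-384 key standing in for the VCEK, the nonce and measurement are constructed sample values, and chaining the real VCEK to AMD's ASK/ARK certificates and evaluating the reported TCB versions are left out (assumed done before VerifyReport is called).

```go
package main

// Added example, not code from this thread: a minimal relying-party check of an
// AMD SEV-SNP attestation report. Offsets follow the ATTESTATION_REPORT layout in
// AMD's SEV-SNP firmware ABI spec. A locally generated P-384 key stands in for the
// AMD-issued VCEK; chaining the real VCEK to AMD's ASK/ARK is assumed done already.

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"encoding/binary"
	"errors"
	"fmt"
	"math/big"
)

const (
	reportLen     = 0x4A0   // total report size
	signedLen     = 0x2A0   // bytes covered by the signature (everything before SIGNATURE)
	offPolicy     = 0x008   // POLICY, u64
	offSigAlgo    = 0x034   // SIGNATURE_ALGO, u32
	offReportData = 0x050   // REPORT_DATA: 64 bytes the guest supplies (our nonce)
	offMeasure    = 0x090   // MEASUREMENT: 48-byte launch digest
	offSignature  = 0x2A0   // SIGNATURE: R then S, 72 bytes each, little-endian, zero padded
	policyDebug   = 1 << 19 // POLICY.DEBUG: host may inspect guest memory when set
	sigAlgoP384   = 1       // ECDSA P-384 with SHA-384
)

// reverse returns a byte-reversed copy; R and S are stored little-endian.
func reverse(b []byte) []byte {
	out := make([]byte, len(b))
	for i, v := range b {
		out[len(b)-1-i] = v
	}
	return out
}

// VerifyReport returns nil only if the report is signed by vcek, echoes our
// nonce, carries the expected measurement, and was launched without DEBUG.
func VerifyReport(report []byte, vcek *ecdsa.PublicKey, nonce [64]byte, meas [48]byte) error {
	if len(report) != reportLen {
		return fmt.Errorf("report is %d bytes, want %d", len(report), reportLen)
	}
	if binary.LittleEndian.Uint32(report[offSigAlgo:]) != sigAlgoP384 {
		return errors.New("unexpected SIGNATURE_ALGO")
	}
	// 1. The signature is the proof: a hypervisor can flip a "confidential" bit but cannot forge this.
	digest := sha512.Sum384(report[:signedLen])
	r := new(big.Int).SetBytes(reverse(report[offSignature : offSignature+72]))
	s := new(big.Int).SetBytes(reverse(report[offSignature+72 : offSignature+144]))
	if !ecdsa.Verify(vcek, digest[:], r, s) {
		return errors.New("signature does not verify under the VCEK")
	}
	// 2. A DEBUG guest is not confidential, whatever the console says.
	if binary.LittleEndian.Uint64(report[offPolicy:])&policyDebug != 0 {
		return errors.New("DEBUG policy bit set")
	}
	// 3. Freshness, so a genuine but old report cannot be replayed.
	if !bytes.Equal(report[offReportData:offReportData+64], nonce[:]) {
		return errors.New("REPORT_DATA does not match our nonce")
	}
	// 4. Identity: the measured image is the one we expect.
	if !bytes.Equal(report[offMeasure:offMeasure+48], meas[:]) {
		return errors.New("MEASUREMENT does not match expected image")
	}
	return nil
}

// BuildSampleReport fills in a report the way the firmware would and signs it
// with the stand-in key, so the verifier can be exercised offline.
func BuildSampleReport(signer *ecdsa.PrivateKey, nonce [64]byte, meas [48]byte, policy uint64) ([]byte, error) {
	report := make([]byte, reportLen)
	binary.LittleEndian.PutUint32(report[0:], 2) // VERSION; VMPL left as 0
	binary.LittleEndian.PutUint64(report[offPolicy:], policy)
	binary.LittleEndian.PutUint32(report[offSigAlgo:], sigAlgoP384)
	copy(report[offReportData:], nonce[:])
	copy(report[offMeasure:], meas[:])
	digest := sha512.Sum384(report[:signedLen])
	r, s, err := ecdsa.Sign(rand.Reader, signer, digest[:])
	if err != nil {
		return nil, err
	}
	copy(report[offSignature:], reverse(r.FillBytes(make([]byte, 72))))
	copy(report[offSignature+72:], reverse(s.FillBytes(make([]byte, 72))))
	return report, nil
}

func main() {
	vcek, _ := ecdsa.GenerateKey(elliptic.P384(), rand.Reader) // stand-in VCEK
	nonce, meas := [64]byte{}, [48]byte{}                       // constructed sample values
	copy(nonce[:], "constructed-challenge")
	copy(meas[:], "constructed-launch-digest")
	good, _ := BuildSampleReport(vcek, nonce, meas, 0x30000) // bit 17 (reserved, must be 1) + SMT allowed
	fmt.Println("genuine report:", VerifyReport(good, &vcek.PublicKey, nonce, meas))
}
```

The order of the checks matters: the signature is verified before any field is trusted, because every other field (policy, measurement, nonce) is attacker-controlled until the signature has bound it to the AMD key. With a real VM you would obtain the report from the guest's /dev/sev-guest interface with your nonce in REPORT_DATA and the VCEK from AMD's KDS, then chain that certificate to the ASK/ARK before handing its public key to VerifyReport.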