Confidential Computing instance profiles - x86 Gen 3
The confidential computing family of 3rd generation IBM Cloud® VPC virtual server profiles (balanced and compute) are built atop the 4th Generation Intel® Xeon® Scalable processors. The confidential computing profiles provide a broad set of capabilities and scale from 2 vCPUs (1 physical core) up to 128 vCPUs (64 physical cores). These profiles support the Intel SGX confidential computing capability.
Operating systems
- Linux
Processor generation
- Intel 8474C - 4th Generation Xeon Scalable processor
Availability
-
SGX status: Select availability
-
Regions:
- Dallas (
us-south) - Washington DC (
us-east) - Frankfurt (
eu-de)
- Dallas (
-
TDX Status: Select availability
-
Regions:
- Washington DC (
us-east)
- Washington DC (
Capabilities
- Core type: Dedicated
- Dedicated host: No
- Hyperthreading: Yes (SMT-2)
- Secure boot: Yes
- Confidential computing: SGX, TDX
- Live migration: No
- Instance storage: Yes
- Volume bandwidth allocation method:
weightedby default, it can be updated topooled.
VM configuration
- Hardware type: q35
- Cloud networking: virtio
- Block boot volume: virtio
- Block data volumes: virtio
- Instance storage: virtio
Instance profiles
Balanced
| Profile | vCPUs / Cores / NUMA domains | Memory (GiB) | SGX mode | TDX mode | Bandwidth cap (Gbps) | Instance storage (Qty x GB) |
|---|---|---|---|---|---|---|
| bx3dc-2x10 | 2 / 1 / 1 | 10 | 4 GB EPC | 0 GB EPC | 4 | 1 x 65 |
| bx3dc-4x20 | 4 / 2 / 1 | 20 | 8 GB EPC | 0 GB EPC | 8 | 1 x 130 |
| bx3dc-8x40 | 8 / 4 / 1 | 40 | 16 GB EPC | 0 GB EPC | 16 | 1 x 260 |
| bx3dc-16x80 | 16 / 8 / 1 | 80 | 32 GB EPC | 0 GB EPC | 32 | 1 x 520 |
| bx3dc-24x120 | 24 / 12 / 1 | 120 | 48 GB EPC | 0 GB EPC | 48 | 1 x 780 |
| bx3dc-32x160 | 32 / 16 / 2 | 160 | 64 GB EPC | 0 GB EPC | 64 | 2 x 520 |
| bx3dc-48x240 | 48 / 24 / 2 | 240 | 96 GB EPC | 0 GB EPC | 96 | 2 x 780 |
| bx3dc-64x320 | 64 / 32 / 2 | 320 | 128 GB EPC | 0 GB EPC | 128 | 2 x 1024 |
| bx3dc-96x480 | 96 / 48 / 2 | 480 | 192 GB EPC | 0 GB EPC | 192 | 2 x 1560 |
Compute
| Profile | vCPUs / Cores / NUMA domains | Memory (GiB) | SGX mode | TDX mode | Bandwidth cap (Gbps) | Instance storage (Qty x GB) |
|---|---|---|---|---|---|---|
| cx3dc-2x5 | 2 / 1 / 1 | 5 | 2 GB EPC | 0 GB EPC | 4 | 1 x 65 |
| cx3dc-4x10 | 4 / 2 / 1 | 10 | 4 GB EPC | 0 GB EPC | 8 | 1 x 130 |
| cx3dc-8x20 | 8 / 4 / 1 | 20 | 8 GB EPC | 0 GB EPC | 16 | 1 x 260 |
| cx3dc-16x40 | 16 / 8 / 1 | 40 | 16 GB EPC | 0 GB EPC | 32 | 1 x 520 |
| cx3dc-24x60 | 24 / 12 / 1 | 60 | 24 GB EPC | 0 GB EPC | 48 | 1 x 780 |
| cx3dc-32x80 | 32 / 16 / 2 | 80 | 32 GB EPC | 0 GB EPC | 64 | 2 x 520 |
| cx3dc-48x120 | 48 / 24 / 2 | 120 | 48 GB EPC | 0 GB EPC | 96 | 2 x 780 |
| cx3dc-64x160 | 64 / 32 / 2 | 160 | 64 GB EPC | 0 GB EPC | 128 | 2 x 1024 |
| cx3dc-96x240 | 96 / 48 / 2 | 240 | 96 GB EPC | 0 GB EPC | 192 | 2 x 1560 |
| cx3dc-128x320 | 128 / 64 / 2 | 320 | 128 GB EPC | 0 GB EPC | 200 | 2 x 2860 |
- These profiles configure EPC memory when used in SGX mode only. In TDX mode the EPC memory is not configured.
- Any profile with more than 120 GB memory does not support TDX mode.
Limits
An instance has a limit for the number of volumes and virtual network interfaces that can be attached. This limit is based on the size of the instance.
| Number of vCPUs | Max volumes | Max vNICs |
|---|---|---|
| 2-16 | 12 | 5 |
| 17-48 | 12 | 10 |
| 49+ | 12 | 15 |
Boot volume profiles
In the current release of Block Storage for VPC offering, only first-generation volumes from the tiered and custom volume profile families can be used as boot volumes for the Confidential Computing instances if secure boot is needed. Second-generation
boot volumes with the sdp profile do not support secure boot.
SGX limitations
- Windows guest not supported
TDX limitations
-
Windows guest not supported
Windows guest operating systems do not support TDX natively.
-
VNC not supported
The data that flows to the VNC console from the TDX virtual server is facilitated by the cloud provider. However, the cloud provider is not a trusted entity from the customer point of view. Since the data is exposed to the cloud provider, the TDX virtual server disables VNC.
-
Forced reboot leads to virtual server shutdown
For security reasons TDX virtual servers cannot be reset without terminating the virtual server. A forced reboot that is invoked from the control plane resets the virtual server, effectively terminating it. However, this behavior can be masked by the control plane by automatically starting the virtual server. The control plane is enhanced to run the automatic restart.