Confidential Computing instance profiles - x86 Gen 3

The confidential computing family of 3rd generation IBM Cloud® VPC virtual server profiles (balanced and compute) are built atop the 4th Generation Intel® Xeon® Scalable processors. The confidential computing profiles provide a broad set of capabilities and scale from 2 vCPUs (1 physical core) up to 128 vCPUs (64 physical cores). These profiles support the Intel SGX confidential computing capability.

Operating Systems

Linux

Processor Generation

Intel 8474C - 4th Generation Xeon Scalable processor

Availability

SGX status: Select availability
Regions:
- Dallas (us-south)
- Washington DC (us-east)
- Frankfurt (eu-de)
TDX Status: Select availability
Regions:
- Washington DC (us-east)

Capabilities

Core type: Dedicated
Dedicated host: No
Hyperthreading: Yes (SMT-2)
Secure boot: Yes
Confidential computing: SGX, TDX
Live migration: No
Instance storage: Yes

VM Configuration

Hardware type: q35
Cloud networking: virtio
Block boot volume: virtio
Block data volumes: virtio
Instance storage: virtio

Instance profiles

Balanced

Confidential computing balanced instance profile options for x86 architecture, Gen 3
Profile	vCPUs / Cores / NUMA Domains	Memory (GiB)	SGX mode	TDX mode	Bandwidth cap (Gbps)	Instance storage (Qty x GB)
bx3dc-2x10	2 / 1 / 1	10	4GB EPC	0GB EPC	4	1 x 65
bx3dc-4x20	4 / 2 / 1	20	8GB EPC	0GB EPC	8	1 x 130
bx3dc-8x40	8 / 4 / 1	40	16GB EPC	0GB EPC	16	1 x 260
bx3dc-16x80	16 / 8 / 1	80	32GB EPC	0GB EPC	32	1 x 520
bx3dc-24x120	24 / 12 / 1	120	48GB EPC	0GB EPC	48	1 x 780
bx3dc-32x160	32 / 16 / 2	160	64GB EPC	0GB EPC	64	2 x 520
bx3dc-48x240	48 / 24 / 2	240	96GB EPC	0GB EPC	96	2 x 780
bx3dc-64x320	64 / 32 / 2	320	128GB EPC	0GB EPC	128	2 x 1024
bx3dc-96x480	96 / 48 / 2	480	192GB EPC	0GB EPC	192	2 x 1560

Compute

Confidential computing compute instance profile options for x86 architecture, Gen 3
Profile	vCPUs / Cores / NUMA Domains	Memory (GiB)	SGX mode	TDX mode	Bandwidth cap (Gbps)	Instance storage (Qty x GB)
cx3dc-2x5	2 / 1 / 1	5	2GB EPC	0GB EPC	4	1 x 65
cx3dc-4x10	4 / 2 / 1	10	4GB EPC	0GB EPC	8	1 x 130
cx3dc-8x20	8 / 4 / 1	20	8GB EPC	0GB EPC	16	1 x 260
cx3dc-16x40	16 / 8 / 1	40	16GB EPC	0GB EPC	32	1 x 520
cx3dc-24x60	24 / 12 / 1	60	24GB EPC	0GB EPC	48	1 x 780
cx3dc-32x80	32 / 16 / 2	80	32GB EPC	0GB EPC	64	2 x 520
cx3dc-48x120	48 / 24 / 2	120	48GB EPC	0GB EPC	96	2 x 780
cx3dc-64x160	64 / 32 / 2	160	64GB EPC	0GB EPC	128	2 x 1024
cx3dc-96x240	96 / 48 / 2	240	96GB EPC	0GB EPC	192	2 x 1560
cx3dc-128x320	128 / 64 / 2	320	128GB EPC	0GB EPC	200	2 x 2860

These profiles configure EPC memory when used in SGX mode only. In TDX mode the EPC memory is not configured.
Any profile with more than 120 GB memory does not support TDX mode.

Limits

An instance has a limit for the number of volumes and virtual network interfaces that can be attached. This limit is based on the size of the instance.

Confidential computing profile family limits for vCPU, maximum volumes, and maximum network interfaces
Number of vCPUs	Max volumes	Max vNICs
2-16	15	5
17-48	15	10
49+	15	15

SGX limitations

Windows guest not supported

TDX limitations

Windows guest not supported

Windows guest operating systems do not support TDX natively.
VNC not supported

The data that flows to the VNC console from the TDX virtual server is facilitated by the cloud provider. However, the cloud provider is not a trusted entity from the customer point of view. Since the data is exposed to the cloud provider, the TDX virtual server disables VNC.
Forced reboot leads to virtual server shutdown

For security reasons TDX virtual servers cannot be reset without terminating the virtual server. A forced reboot invoked from the control plane resets the virtual server, effectively terminating it. However, this behavior can be masked by the control plane by automatically starting the virtual server. The control plane is enhanced to run the automatic restart.