coreos / fedora-coreos-docs

Documentation for Fedora CoreOS
https://docs.fedoraproject.org/en-US/fedora-coreos/

gcp: add `Launch a confidential VM` part #669

Open HuijingHei opened 1 month ago

HuijingHei commented 1 month ago

Thanks @dustymabe for the kindly review and suggestions!

travier commented 1 month ago

For this PR and https://github.com/coreos/fedora-coreos-docs/pull/671, we should add a note that while the resulting VM is launched in Confidential Mode, it is not really a "Confidential VM". The disk still needs to be encrypted, the security offered by Secure Boot right now is almost non-existent, etc.

At this stage, this is more a developer facing documentation as there would be very little benefits for users.

dustymabe commented 1 month ago

> The disk still needs to be encrypted

does that mean you'd need to upload your own disk image (already encrypted)?

are there steps for the more "Confidential" option?

travier commented 1 month ago

It varies per cloud and setups. Azure has support to encrypt a disk image for you (just the rootfs), bind it to a TPM and then pass it to a new Confidential VM. I don't think we support that in FCOS right now (at least I've not tested).

In the more general case, you would encrypt the disk on first boot. This requires in turn that you can verify the content that you are pulling from the rootfs so this essentially requires composefs with fs-verity. You also have to verify that you booted the right thing with the expected ignition config, so this calls for Secure Boot signed UKI and remote attestation.

So overall, the complete setup for Confidential Computing is not ready right now thus I would prefer that we don't present it in the docs as a "turn this switch on" section. It's good to have this documented (thanks @HuijingHei) but let's make it clear that it needs more work to actually get a confidential VM.
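A sanity check that follows the items listed in the comment above (encrypted root disk, Secure Boot, an attestation path for the guest), added here as an example and not part of this PR or of the Fedora CoreOS docs. The sysfs/procfs paths and the `/dev/sev-guest` and `/dev/tdx_guest` device names are assumptions about the guest kernel, and the optional root argument exists only so the check can be pointed at a constructed directory tree.

```shell
# Added example, not from the PR: does a guest "launched in Confidential Mode"
# actually have the pieces the discussion says are still missing?
# Usage: cvm_check [alternate-root]   (alternate root is for testing only)
cvm_check() {
  root=${1:-}
  ok=0
  # 1. Root filesystem on a dm-crypt (e.g. LUKS) mapping, not a plain disk.
  if grep -qE '^/dev/mapper/[^ ]+ / ' "$root/proc/mounts" 2>/dev/null; then
    echo "PASS root filesystem is on a dm-crypt device"
  else
    echo "FAIL root filesystem is not on a dm-crypt device"; ok=1
  fi
  # 2. UEFI Secure Boot enabled: the efivar holds 4 attribute bytes followed
  #    by a single value byte, which is 1 when Secure Boot is on.
  sb="$root/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
  if [ -r "$sb" ] && [ "$(od -An -tu1 -j4 -N1 "$sb" | tr -d ' ')" = "1" ]; then
    echo "PASS Secure Boot is enabled"
  else
    echo "FAIL Secure Boot is disabled or unavailable"; ok=1
  fi
  # 3. A confidential-guest device node (AMD SEV-SNP or Intel TDX, assumed
  #    names) is what a remote-attestation flow would request a report from.
  if [ -e "$root/dev/sev-guest" ] || [ -e "$root/dev/tdx_guest" ]; then
    echo "PASS confidential-guest attestation device present"
  else
    echo "FAIL no attestation device; guest memory may not be encrypted"; ok=1
  fi
  return $ok
}
```

All three checks must pass for the function to return 0; a VM that merely has the cloud's confidential flag set but boots an unencrypted image fails on the first check.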

HuijingHei commented 1 month ago

> It's good to have this documented but let's make it clear that it needs more work to actually get a confidential VM.

Maybe we can hold this until we support FCOS as a real confidential VM, to avoid causing confusion for users.