Re-include Linux kmod cert in x64 secure boot template #2896
mebersol merged 2 commits into microsoft:main from
Pull request overview
Updates the x64 Hyper-V Secure Boot template set to support Trusted Launch scenarios that require the Linux kmod certificate, and adds placeholder “confidential” x64 template JSON files for future use.
Changes:
- Re-add the Azure Services Linux Kmod PCA certificate to the x64 MicrosoftUEFICertificateAuthority template's db.
- Add new (currently unused) x64 "Confidential" template JSON files for Windows and Microsoft UEFI.
Reviewed changes
Copilot reviewed 4 out of 5 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| vm/devices/firmware/hyperv_secure_boot_templates/templates/x64/MicrosoftUEFICertificateAuthority_Template.json | Adds the Linux kmod PCA cert to db (aligning x64 with the existing aarch64 template contents). |
| vm/devices/firmware/hyperv_secure_boot_templates/templates/x64/MicrosoftWindows_Confidential_Template.json | New confidential Windows template JSON (not currently referenced by the resource crate API). |
| vm/devices/firmware/hyperv_secure_boot_templates/templates/x64/MicrosoftUEFI_Confidential_Template.json | New confidential UEFI template JSON (not currently referenced by the resource crate API). |
```json
{
  "type": "Microsoft.Compute/disks",
  "properties": {
    "uefiSettings": {
      "signatureMode": "Replace",
      "signatures": {
```
These new templates are not referenced by hyperv_secure_boot_templates/src/lib.rs, so they won't be parsed/validated by hyperv_uefi_custom_vars_json::load_template_from_json in unit tests (build.rs only checks JSON syntax via serde_json). Consider adding a lightweight validation test (or wiring them into the template include list) so schema issues are caught now rather than when the templates are first used.
```json
{
  "type": "Microsoft.Compute/disks",
  "properties": {
    "uefiSettings": {
      "signatureMode": "Replace",
      "signatures": {
```
These new templates are not referenced by hyperv_secure_boot_templates/src/lib.rs, so they won't be parsed/validated by hyperv_uefi_custom_vars_json::load_template_from_json in unit tests (build.rs only checks JSON syntax via serde_json). Consider adding a lightweight validation test (or wiring them into the template include list) so schema issues are caught now rather than when the templates are first used.
Trusted Launch VMs should include the Linux kmod certificate for x64
Additionally, add new templates (currently unused) for future confidential scenarios.