Skip to content

Feature: [Ubuntu, no-CVM] CVM machines to not get UEFI and kek certificate updates#356

Merged
kjohn-msft merged 11 commits into
masterfrom
rarane/certupdate/nocvm
Jul 9, 2026
Merged

Feature: [Ubuntu, no-CVM] CVM machines to not get UEFI and kek certificate updates#356
kjohn-msft merged 11 commits into
masterfrom
rarane/certupdate/nocvm

Conversation

@rane-rajasi

@rane-rajasi rane-rajasi commented Jun 22, 2026

Copy link
Copy Markdown
Contributor

These changes are for Canonical CVMs, the ask is, Canonical CVMs should not get UEFI and kek certificate updates.
There are 2 ways (imds and fde) of determining if a VM is a CVM, we are checking using both mechanisms and only applying certificate updates if both of these compute to false.

In VM tests:

  • Trusted VM that is NOT a CVM:
    1.core.log
    1.status.txt
  • Trusted VM that is CVM: Wasn't able to create a CVM in canary, no sizes available

@rane-rajasi rane-rajasi requested review from a team, kjohn-msft, michellemcdaniel and najams and removed request for a team June 22, 2026 17:20
@rane-rajasi rane-rajasi requested a review from kjohn-msft as a code owner June 22, 2026 17:20
@rane-rajasi rane-rajasi requested a review from najams as a code owner June 22, 2026 17:20
Comment thread src/core/src/bootstrap/EnvLayer.py Fixed
Comment thread src/core/src/core_logic/PatchInstaller.py Fixed
Comment thread src/core/src/core_logic/PatchInstaller.py Fixed

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR introduces Confidential VM (CVM) detection logic to prevent UEFI/KEK certificate updates from running on Canonical CVMs, while adding unit tests to validate the new behavior.

Changes:

  • Added CVM detection in EnvLayer using Azure IMDS and an FDE-based detection script.
  • Updated PatchInstaller to skip certificate updates when a CVM is detected.
  • Added/updated unit tests covering CVM detection and the certificate-update skip path.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
src/core/src/core_logic/PatchInstaller.py Skips update_certs() when CVM detection indicates the VM is confidential.
src/core/src/bootstrap/EnvLayer.py Implements CVM detection via IMDS and FDE-based script execution.
src/core/src/bootstrap/Constants.py Adds a constant path for the CVM detection script.
src/core/tests/Test_PatchInstaller.py Adds a test ensuring certificate updates are skipped on confidential VMs.
src/core/tests/Test_EnvLayer.py Adds tests for IMDS/FDE CVM detection and call ordering.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/core/src/core_logic/PatchInstaller.py
Comment thread src/core/src/bootstrap/EnvLayer.py Outdated
Comment thread src/core/tests/Test_EnvLayer.py
@codecov

codecov Bot commented Jun 22, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 94.08%. Comparing base (662fb40) to head (54775e0).

Additional details and impacted files
@@            Coverage Diff             @@
##           master     #356      +/-   ##
==========================================
+ Coverage   94.04%   94.08%   +0.04%     
==========================================
  Files         109      109              
  Lines       19967    20099     +132     
==========================================
+ Hits        18778    18911     +133     
+ Misses       1189     1188       -1     
Flag Coverage Δ
python27 94.08% <100.00%> (+0.04%) ⬆️
python312 94.08% <100.00%> (+0.08%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Comment thread src/core/src/bootstrap/EnvLayer.py Outdated
Comment thread src/core/src/bootstrap/EnvLayer.py Outdated
Comment thread src/core/src/bootstrap/EnvLayer.py
Comment thread src/tools/Package-Core.py Outdated
Comment thread src/core/src/external_dependencies/DetectConfidentialVMShim.sh
@kjohn-msft kjohn-msft merged commit a985d1b into master Jul 9, 2026
9 checks passed
@kjohn-msft kjohn-msft deleted the rarane/certupdate/nocvm branch July 9, 2026 16:57
@yashnap yashnap mentioned this pull request Jul 10, 2026
yashnap added a commit that referenced this pull request Jul 10, 2026
This release contains:

Remove distutils import which is deprecated since Python 3.12 :
[361](#361)

[Bugfix] Core packager to always keep __main_ at the end :
[360](#360)

Feature: [Ubuntu, no-CVM] CVM machines to not get UEFI and kek
certificate updates :
[356](#356)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants