Feature: [Ubuntu, no-CVM] CVM machines to not get UEFI and kek certificate updates#356
Merged
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR introduces Confidential VM (CVM) detection logic to prevent UEFI/KEK certificate updates from running on Canonical CVMs, while adding unit tests to validate the new behavior.
Changes:
- Added CVM detection in
EnvLayerusing Azure IMDS and an FDE-based detection script. - Updated
PatchInstallerto skip certificate updates when a CVM is detected. - Added/updated unit tests covering CVM detection and the certificate-update skip path.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| src/core/src/core_logic/PatchInstaller.py | Skips update_certs() when CVM detection indicates the VM is confidential. |
| src/core/src/bootstrap/EnvLayer.py | Implements CVM detection via IMDS and FDE-based script execution. |
| src/core/src/bootstrap/Constants.py | Adds a constant path for the CVM detection script. |
| src/core/tests/Test_PatchInstaller.py | Adds a test ensuring certificate updates are skipped on confidential VMs. |
| src/core/tests/Test_EnvLayer.py | Adds tests for IMDS/FDE CVM detection and call ordering. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #356 +/- ##
==========================================
+ Coverage 94.04% 94.08% +0.04%
==========================================
Files 109 109
Lines 19967 20099 +132
==========================================
+ Hits 18778 18911 +133
+ Misses 1189 1188 -1
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
michellemcdaniel
previously approved these changes
Jun 24, 2026
kjohn-msft
reviewed
Jun 29, 2026
kjohn-msft
reviewed
Jun 29, 2026
kjohn-msft
requested changes
Jun 29, 2026
…nuxPatchExtension into rarane/certupdate/nocvm
michellemcdaniel
approved these changes
Jul 9, 2026
kjohn-msft
approved these changes
Jul 9, 2026
Merged
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
These changes are for Canonical CVMs, the ask is, Canonical CVMs should not get UEFI and kek certificate updates.
There are 2 ways (imds and fde) of determining if a VM is a CVM, we are checking using both mechanisms and only applying certificate updates if both of these compute to false.
In VM tests:
1.core.log
1.status.txt