feat: disable kernel lockdown mode for azurelinux 3.0 aks image by default (#7990)

Signed-off-by: Mitch Zhu <mitchzhu@microsoft.com>

Author: miz060

vhdbuilder/packer/pre-install-dependencies.sh

@@ -123,6 +123,13 @@ if [[ ${OS} == ${MARINER_OS_NAME} ]] && [[ "${ENABLE_CGROUPV2,,}" == "true" ]];
 fi
 capture_benchmark "${SCRIPT_NAME}_enable_cgroupv2_for_azurelinux"
 
+# Remove lockdown=integrity from kernel cmdline for Azure Linux 3.0
+# The kernel has an OOT patch that auto-enables lockdown when secure boot is detected
+if isMarinerOrAzureLinux "$OS" && [ "$OS_VERSION" = "3.0" ]; then
+  disableKernelLockdownCmdline
+fi
+capture_benchmark "${SCRIPT_NAME}_disable_kernel_lockdown_cmdline"
+
 # shellcheck disable=SC3010
 if [[ ${UBUNTU_RELEASE//./} -ge 2204 && "${ENABLE_FIPS,,}" != "true" ]]; then
 

vhdbuilder/scripts/linux/mariner/tool_installs_mariner.sh

@@ -172,6 +172,19 @@ activateNfConntrack() {
     echo nf_conntrack >> /etc/modules-load.d/contrack.conf
 }
 
+# Remove lockdown=integrity from kernel cmdline for Azure Linux 3.0.
+# The AzureLinux 3.0 kernel has an OOT patch that automatically enables
+# lockdown when secure boot is detected.
+disableKernelLockdownCmdline() {
+    echo "Removing lockdown=integrity from kernel cmdline..."
+    if [ -f /etc/default/grub ]; then
+        sed -i 's/lockdown=integrity//g' /etc/default/grub
+        grub2-mkconfig -o /boot/grub2/grub.cfg || exit 1
+    else
+        echo "Warning: /etc/default/grub not found, skipping lockdown removal"
+    fi
+}
+
 installFIPS() {
 
     echo "Installing FIPS..."