Skip to content

UEFI_COMPATIBLE is not needed when passing in image guest OS features#333

Merged
tanmay-hc merged 2 commits into
hashicorp:mainfrom
rogerhu:rogerh/ISSUE-332-2
Apr 28, 2026
Merged

UEFI_COMPATIBLE is not needed when passing in image guest OS features#333
tanmay-hc merged 2 commits into
hashicorp:mainfrom
rogerhu:rogerh/ISSUE-332-2

Conversation

@rogerhu

@rogerhu rogerhu commented Feb 23, 2026

Copy link
Copy Markdown
Contributor

Description

Remove the need to pass in UEFI_COMPATIBLE as a guest OS feature to pass Secure Boot.

Resolved Issues

Closes #332

Rollback Plan

If a change needs to be reverted, we will roll out an update to the code within 7 days.

@rogerhu rogerhu requested a review from a team as a code owner February 23, 2026 03:10
@rogerhu

rogerhu commented Mar 3, 2026

Copy link
Copy Markdown
Contributor Author

@tanmay-hc can you review?

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR removes the plugin-side requirement to include UEFI_COMPATIBLE in image_guest_os_features in order to set Secure Boot-related image initial state (PK/KEK/DB/DBX), aligning behavior with how gcloud accepts image_signatures_db and related fields.

Changes:

  • Updates CreateShieldedVMStateConfig to build the Shielded VM initial state from the provided key/database inputs without gating on image_guest_os_features.
  • Adjusts builder and post-processor call sites to the new helper signature.
  • Updates the builder test fixture config to no longer include UEFI_COMPATIBLE by default.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.

File Description
post-processor/googlecompute-import/post-processor.go Updates Shielded VM initial state creation to no longer depend on guest OS features.
lib/common/shielded_vms.go Removes UEFI_COMPATIBLE gating from Shielded VM initial state construction; updates function signature accordingly.
builder/googlecompute/step_create_image.go Updates image creation step to call the new Shielded VM initial state helper signature.
builder/googlecompute/config_test.go Updates test config fixture to not require UEFI_COMPATIBLE in image_guest_os_features.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread lib/common/shielded_vms.go
@rogerhu rogerhu requested a review from tanmay-hc April 17, 2026 07:06
@rogerhu

rogerhu commented Apr 27, 2026

Copy link
Copy Markdown
Contributor Author

Ping on this one @tanmay-hc !

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated no new comments.


💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@tanmay-hc tanmay-hc merged commit 6254a5d into hashicorp:main Apr 28, 2026
16 checks passed
tanmay-hc pushed a commit that referenced this pull request May 25, 2026
CreateShieldedVMStateConfig has been returning a non-nil pointer to a
zero-value compute.InitialStateConfig{} whenever no signature inputs
(image_platform_key, image_key_exchange_key, image_signatures_db,
image_forbidden_signatures_db) were configured. Because Go's omitempty
tag only drops nil pointers (not pointers to empty structs), the image
insert request body included:

    "shieldedInstanceInitialState": {}

GCP treats an explicit (even empty) shieldedInstanceInitialState as
*the* initial state for the new image and therefore replaces the
PK / KEKs / db / dbx that would otherwise be inherited from the source
disk. With no signature databases, UEFI Secure Boot has nothing to
validate the bootloader against, and any VM launched from such an
image with shielded-vm secure boot enabled fails to boot:

    BdsDxe: failed to load Boot0001 "UEFI Google PersistentDisk"
    ... Status: Security Violation.

This regression was introduced in #318 (released in v1.2.5). Subsequent
work in #333 removed the UEFI_COMPATIBLE gate but kept the empty-struct
return path, so v1.2.6 is still affected.

Fix: return nil from CreateShieldedVMStateConfig when no signature
inputs are configured, so the caller leaves
compute.Image.ShieldedInstanceInitialState unset and GCP inherits the
initial state from the source disk.

Adds:
- Unit tests for CreateShieldedVMStateConfig covering both the
  no-inputs (nil return) and inputs-provided (non-nil return) paths.
- Step-level regression test asserting that the image insert spec has
  no ShieldedInstanceInitialState when no signature inputs are
  configured.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

UEFI_COMPATIBLE must be set in order to use image_signatures_db

3 participants