UEFI_COMPATIBLE is not needed when passing in image guest OS features#333
Conversation
|
@tanmay-hc can you review? |
There was a problem hiding this comment.
Pull request overview
This PR removes the plugin-side requirement to include UEFI_COMPATIBLE in image_guest_os_features in order to set Secure Boot-related image initial state (PK/KEK/DB/DBX), aligning behavior with how gcloud accepts image_signatures_db and related fields.
Changes:
- Updates
CreateShieldedVMStateConfigto build the Shielded VM initial state from the provided key/database inputs without gating onimage_guest_os_features. - Adjusts builder and post-processor call sites to the new helper signature.
- Updates the builder test fixture config to no longer include
UEFI_COMPATIBLEby default.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| post-processor/googlecompute-import/post-processor.go | Updates Shielded VM initial state creation to no longer depend on guest OS features. |
| lib/common/shielded_vms.go | Removes UEFI_COMPATIBLE gating from Shielded VM initial state construction; updates function signature accordingly. |
| builder/googlecompute/step_create_image.go | Updates image creation step to call the new Shielded VM initial state helper signature. |
| builder/googlecompute/config_test.go | Updates test config fixture to not require UEFI_COMPATIBLE in image_guest_os_features. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
Ping on this one @tanmay-hc ! |
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 5 out of 5 changed files in this pull request and generated no new comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
CreateShieldedVMStateConfig has been returning a non-nil pointer to a
zero-value compute.InitialStateConfig{} whenever no signature inputs
(image_platform_key, image_key_exchange_key, image_signatures_db,
image_forbidden_signatures_db) were configured. Because Go's omitempty
tag only drops nil pointers (not pointers to empty structs), the image
insert request body included:
"shieldedInstanceInitialState": {}
GCP treats an explicit (even empty) shieldedInstanceInitialState as
*the* initial state for the new image and therefore replaces the
PK / KEKs / db / dbx that would otherwise be inherited from the source
disk. With no signature databases, UEFI Secure Boot has nothing to
validate the bootloader against, and any VM launched from such an
image with shielded-vm secure boot enabled fails to boot:
BdsDxe: failed to load Boot0001 "UEFI Google PersistentDisk"
... Status: Security Violation.
This regression was introduced in #318 (released in v1.2.5). Subsequent
work in #333 removed the UEFI_COMPATIBLE gate but kept the empty-struct
return path, so v1.2.6 is still affected.
Fix: return nil from CreateShieldedVMStateConfig when no signature
inputs are configured, so the caller leaves
compute.Image.ShieldedInstanceInitialState unset and GCP inherits the
initial state from the source disk.
Adds:
- Unit tests for CreateShieldedVMStateConfig covering both the
no-inputs (nil return) and inputs-provided (non-nil return) paths.
- Step-level regression test asserting that the image insert spec has
no ShieldedInstanceInitialState when no signature inputs are
configured.
Description
Remove the need to pass in
UEFI_COMPATIBLEas a guest OS feature to pass Secure Boot.Resolved Issues
Closes #332
Rollback Plan
If a change needs to be reverted, we will roll out an update to the code within 7 days.