MGMT-13627: Add ConfidentialVM and TrustedLaunch options to AzureMach…

…ineProviderSpec

This change introduces the security profile to the OS disk parameters
and adds the SecurityType and UefiSettings sections to the VM security
profile.

The SecurityType defines whether the VM is a Confidential or a Trusted Launch
VM. This field should be set to enable the UefiSettings section.

The UefiSettings fields include the booleans vTpmEnabled and SecureBootEnabled.

The OS disk security profile includes the SecurityEncryptionType and the
DiskEncryptionSet fields. The SecurityEncryptionType can be used when the
VM is a Confidential one. When SecurityEncryptionType is set, vTpmEnabled
should be set to true and the VM security profile's SecurityType should
also be set to ConfidentialVM.

Possible values for the SecurityEncryptionType are:
- DiskWithVMGuestState, OS disk encryption before VM deployment that
  uses platform-managed keys (PMK) or a customer-managed key (CMK)
- VMGuestStateOnly, no OS disk confidential encryption

When the SecurityEncryptionType is set to DiskWithVMGuestState, the
DiskEncryptionSet can be specified to allow for Customer-managed keys
to be used to encrypt the OS disk and the VMGuestState blob.

Signed-off-by: Michail Resvanis <[email protected]>

machine/v1beta1/types_azureprovider.go

@@ -6,6 +6,28 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
+// SecurityEncryptionTypes represents the Encryption Type when the Azure Virtual Machine is a
+// Confidential VM.
+type SecurityEncryptionTypes string
+
+const (
+	// SecurityEncryptionTypesVMGuestStateOnly disables OS disk confidential encryption.
+	SecurityEncryptionTypesVMGuestStateOnly SecurityEncryptionTypes = "VMGuestStateOnly"
+	// SecurityEncryptionTypesDiskWithVMGuestState enables OS disk confidential encryption with a
+	// platform-managed key (PMK) or a customer-managed key (CMK).
+	SecurityEncryptionTypesDiskWithVMGuestState SecurityEncryptionTypes = "DiskWithVMGuestState"
+)
+
+// SecurityTypes represents the SecurityType of the virtual machine.
+type SecurityTypes string
+
+const (
+	// SecurityTypesConfidentialVM defines the SecurityType of the virtual machine as a Confidential VM.
+	SecurityTypesConfidentialVM SecurityTypes = "ConfidentialVM"
+	// SecurityTypesTrustedLaunch defines the SecurityType of the virtual machine as a Trusted Launch VM.
+	SecurityTypesTrustedLaunch SecurityTypes = "TrustedLaunch"
+)
+
 // AzureMachineProviderSpec is the type that will be embedded in a Machine.Spec.ProviderSpec field
 // for an Azure virtual machine. It is used by the Azure machine actuator to create a single Machine.
 // Required parameters such as location that are not specified by this configuration, will be defaulted
@@ -397,6 +419,28 @@ type OSDiskManagedDiskParameters struct {
 	// DiskEncryptionSet is the disk encryption set properties
 	// +optional
 	DiskEncryptionSet *DiskEncryptionSetParameters `json:"diskEncryptionSet,omitempty"`
+	// SecurityProfile specifies the security profile for the managed disk.
+	// +optional
+	SecurityProfile *VMDiskSecurityProfile `json:"securityProfile,omitempty"`
+}
+
+// VMDiskSecurityProfile specifies the security profile settings for the managed disk.
+// It can be set only for Confidential VMs.
+type VMDiskSecurityProfile struct {
+	// DiskEncryptionSet specifies the customer managed disk encryption set resource id for the
+	// managed disk that is used for Customer Managed Key encrypted ConfidentialVM OS Disk and
+	// VMGuest blob.
+	// +optional
+	DiskEncryptionSet *DiskEncryptionSetParameters `json:"diskEncryptionSet,omitempty"`
+	// SecurityEncryptionType specifies the encryption type of the managed disk.
+	// It is set to DiskWithVMGuestState to encrypt the managed disk along with the VMGuestState
+	// blob, and to VMGuestStateOnly to encrypt the VMGuestState blob only.
+	// When set to VMGuestStateOnly, the VTpmEnabled should be set to true.
+	// When set to DiskWithVMGuestState, both SecureBootEnabled and VTpmEnabled should be set to true.
+	// It can be set only for Confidential VMs.
+	// +kubebuilder:validation:Enum=VMGuestStateOnly;DiskWithVMGuestState
+	// +optional
+	SecurityEncryptionType SecurityEncryptionTypes `json:"securityEncryptionType,omitempty"`
 }
 
 // DataDiskManagedDiskParameters is the parameters of a DataDisk managed disk.
@@ -437,11 +481,38 @@ type DiskEncryptionSetParameters struct {
 // SecurityProfile specifies the Security profile settings for a
 // virtual machine or virtual machine scale set.
 type SecurityProfile struct {
-	// This field indicates whether Host Encryption should be enabled
-	// or disabled for a virtual machine or virtual machine scale
-	// set. Default is disabled.
+	// This field indicates whether Host Encryption should be enabled or disabled for a virtual
+	// machine or virtual machine scale set.
+	// This should be disabled when SecurityEncryptionType is set to DiskWithVMGuestState.
+	// Default is disabled.
 	// +optional
 	EncryptionAtHost *bool `json:"encryptionAtHost,omitempty"`
+	// SecurityType specifies the SecurityType of the virtual machine. It has to be set to any specified value to
+	// enable UefiSettings. The default behavior is: UefiSettings will not be enabled unless this property is set.
+	// +kubebuilder:validation:Enum=ConfidentialVM;TrustedLaunch
+	// +optional
+	SecurityType SecurityTypes `json:"securityType,omitempty"`
+	// UefiSettings specifies the security settings like secure boot and vTPM used while creating the virtual machine.
+	// +optional
+	UefiSettings *UefiSettings `json:"uefiSettings,omitempty"`
+}
+
+// UefiSettings specifies the security settings like secure boot and vTPM used while creating the
+// virtual machine.
+type UefiSettings struct {
+	// SecureBootEnabled specifies whether secure boot should be enabled on the virtual machine.
+	// Secure Boot verifies the digital signature of all boot components and halts the boot process if
+	// signature verification fails.
+	// If omitted, the platform chooses a default, which is subject to change over time, currently that default is false.
+	//+optional
+	SecureBootEnabled *bool `json:"secureBootEnabled,omitempty"`
+	// VTpmEnabled specifies whether vTPM should be enabled on the virtual machine.
+	// When true it enables the virtualized trusted platform module measurements to create a known good boot integrity policy baseline.
+	// The integrity policy baseline is used for comparison with measurements from subsequent VM boots to determine if anything has changed.
+	// This is required to be set to Enabled if SecurityEncryptionType is defined.
+	// If omitted, the platform chooses a default, which is subject to change over time, currently that default is false.
+	// +optional
+	VTpmEnabled *bool `json:"vTpmEnabled,omitempty"`
 }
 
 // AzureUltraSSDCapabilityState defines the different states of an UltraSSDCapability