MGMT-13627: Add ConfidentialVM and TrustedLaunch options to AzureMachineProviderSpec

This change introduces the security profile to the OS disk parameters
and adds the SecurityType and UefiSettings sections to the VM security
profile.

The SecurityType defines whether the VM is a Confidential or a Trusted Launch
VM. This field should be set to enable the UefiSettings section.

The UefiSettings fields include the booleans vTpmEnabled and SecureBootEnabled.

The OS disk security profile includes the SecurityEncryptionType and the
DiskEncryptionSet fields. The SecurityEncryptionType can be used when the
VM is a Confidential one. When SecurityEncryptionType is set, vTpmEnabled
should be set to true and the VM security profile's SecurityType should
also be set to ConfidentialVM.

Possible values for the SecurityEncryptionType are:
- DiskWithVMGuestState, OS disk encryption before VM deployment that
  uses platform-managed keys (PMK) or a customer-managed key (CMK)
- VMGuestStateOnly, no OS disk confidential encryption

When the SecurityEncryptionType is set to DiskWithVMGuestState, the
DiskEncryptionSet can be specified to allow for Customer-managed keys
to be used to encrypt the OS disk and the VMGuestState blob.

Signed-off-by: Michail Resvanis <[email protected]>
mresvanis committed Jun 19, 2023
1 parent 031bc93 commit 3f4e0b1
Showing 5 changed files with 266 additions and 7 deletions.
77 changes: 74 additions & 3 deletions machine/v1beta1/types_azureprovider.go
Expand Up @@ -6,6 +6,28 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

// SecurityEncryptionTypes represents the Encryption Type when the Azure Virtual Machine is a
// Confidential VM.
type SecurityEncryptionTypes string

const (
// SecurityEncryptionTypesVMGuestStateOnly disables OS disk confidential encryption.
SecurityEncryptionTypesVMGuestStateOnly SecurityEncryptionTypes = "VMGuestStateOnly"
// SecurityEncryptionTypesDiskWithVMGuestState enables OS disk confidential encryption with a
// platform-managed key (PMK) or a customer-managed key (CMK).
SecurityEncryptionTypesDiskWithVMGuestState SecurityEncryptionTypes = "DiskWithVMGuestState"
)

// SecurityTypes represents the SecurityType of the virtual machine.
type SecurityTypes string

const (
// SecurityTypesConfidentialVM defines the SecurityType of the virtual machine as a Confidential VM.
SecurityTypesConfidentialVM SecurityTypes = "ConfidentialVM"
// SecurityTypesTrustedLaunch defines the SecurityType of the virtual machine as a Trusted Launch VM.
SecurityTypesTrustedLaunch SecurityTypes = "TrustedLaunch"
)

// AzureMachineProviderSpec is the type that will be embedded in a Machine.Spec.ProviderSpec field
// for an Azure virtual machine. It is used by the Azure machine actuator to create a single Machine.
// Required parameters such as location that are not specified by this configuration, will be defaulted
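Review bot: the doc comment on SecurityEncryptionTypesVMGuestStateOnly ("disables OS disk confidential encryption") reads as if the value switches something off, while the hunk below describes the same value as encrypting the VMGuestState blob only; reword it to match, e.g. "// SecurityEncryptionTypesVMGuestStateOnly encrypts only the VMGuestState blob; the OS disk itself is not confidentially encrypted." Both new string enums are also used with omitempty downstream, so the type comments should say what the empty value means (no confidential disk encryption; no SecurityType set, hence no UEFISettings), since that is the default every existing spec will carry after this change.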
Expand Down Expand Up @@ -397,6 +419,28 @@ type OSDiskManagedDiskParameters struct {
// DiskEncryptionSet is the disk encryption set properties
// +optional
DiskEncryptionSet *DiskEncryptionSetParameters `json:"diskEncryptionSet,omitempty"`
// SecurityProfile specifies the security profile for the managed disk.
// +optional
SecurityProfile *VMDiskSecurityProfile `json:"securityProfile,omitempty"`
}

// VMDiskSecurityProfile specifies the security profile settings for the managed disk.
// It can be set only for Confidential VMs.
type VMDiskSecurityProfile struct {
// DiskEncryptionSet specifies the customer managed disk encryption set resource id for the
// managed disk that is used for Customer Managed Key encrypted ConfidentialVM OS Disk and
// VMGuest blob.
// +optional
DiskEncryptionSet *DiskEncryptionSetParameters `json:"diskEncryptionSet,omitempty"`
// SecurityEncryptionType specifies the encryption type of the managed disk.
// It is set to DiskWithVMGuestState to encrypt the managed disk along with the VMGuestState
// blob, and to VMGuestStateOnly to encrypt the VMGuestState blob only.
// When set to VMGuestStateOnly, the vTPM should be enabled.
// When set to DiskWithVMGuestState, both SecureBoot and vTPM should be enabled.
// It can be set only for Confidential VMs.
// +kubebuilder:validation:Enum=VMGuestStateOnly;DiskWithVMGuestState
// +optional
SecurityEncryptionType SecurityEncryptionTypes `json:"securityEncryptionType,omitempty"`
}

// DataDiskManagedDiskParameters is the parameters of a DataDisk managed disk.
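Review bot: OSDiskManagedDiskParameters now exposes two DiskEncryptionSet fields, one on the disk itself and one inside SecurityProfile, and neither comment says how they relate or which one wins if both are set; per the commit message the inner one applies only when SecurityEncryptionType is DiskWithVMGuestState, so state that on the field, e.g. "// Only used when SecurityEncryptionType is DiskWithVMGuestState; ignored otherwise." The constraints in the SecurityEncryptionType comment ("vTPM should be enabled", "both SecureBoot and vTPM should be enabled", "only for Confidential VMs") are documentation only; the sole marker is the Enum, so a spec that violates them is accepted by the API and fails later at provisioning. Either add the cross-field checks to the validation path or say in the comment that the cloud provider rejects such combinations. The "It can be set only for Confidential VMs." sentence appears on both the struct and the field; one place is enough.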
Expand Down Expand Up @@ -437,11 +481,38 @@ type DiskEncryptionSetParameters struct {
// SecurityProfile specifies the Security profile settings for a
// virtual machine or virtual machine scale set.
type SecurityProfile struct {
// This field indicates whether Host Encryption should be enabled
// or disabled for a virtual machine or virtual machine scale
// set. Default is disabled.
// This field indicates whether Host Encryption should be enabled or disabled for a virtual
// machine or virtual machine scale set.
// This should be disabled when SecurityEncryptionType is set to DiskWithVMGuestState.
// Default is disabled.
// +optional
EncryptionAtHost *bool `json:"encryptionAtHost,omitempty"`
// SecurityType specifies the SecurityType of the virtual machine. It has to be set to any specified value to
// enable UEFISettings. The default behavior is: UEFISettings will not be enabled unless this property is set.
// +kubebuilder:validation:Enum=ConfidentialVM;TrustedLaunch
// +optional
SecurityType SecurityTypes `json:"securityType,omitempty"`
// UEFISettings specifies the security settings like secure boot and vTPM used while creating the virtual machine.
// +optional
UEFISettings *UEFISettings `json:"uefiSettings,omitempty"`
}

// UEFISettings specifies the security settings like secure boot and vTPM used while creating the
// virtual machine.
type UEFISettings struct {
// SecureBoot specifies whether secure boot should be enabled on the virtual machine.
// Secure Boot verifies the digital signature of all boot components and halts the boot process if
// signature verification fails.
// If omitted, the platform chooses a default, which is subject to change over time, currently that default is disabled.
//+optional
SecureBoot SecureBootPolicy `json:"secureBoot,omitempty"`
// VirtualizedTrustedPlatformModule specifies whether vTPM should be enabled on the virtual machine.
// When enabled the virtualized trusted platform module measurements are used to create a known good boot integrity policy baseline.
// The integrity policy baseline is used for comparison with measurements from subsequent VM boots to determine if anything has changed.
// This is required to be enabled if SecurityEncryptionType is defined.
// If omitted, the platform chooses a default, which is subject to change over time, currently that default is disabled.
// +optional
VirtualizedTrustedPlatformModule VirtualizedTrustedPlatformModulePolicy `json:"virtualizedTrustedPlatformModule,omitempty"`
}

// AzureUltraSSDCapabilityState defines the different states of an UltraSSDCapability
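Review bot: this hunk adds three more cross-field rules in comments only (EncryptionAtHost must be disabled with DiskWithVMGuestState, SecurityType must be set for UEFISettings to take effect, vTPM is required when SecurityEncryptionType is defined) with no validation behind them; since the Enum markers cannot express these, they belong in the webhook or actuator validation, or the comments should say explicitly that a violating spec is rejected by Azure rather than by the API. SecureBootPolicy and VirtualizedTrustedPlatformModulePolicy are referenced on the new UEFISettings fields but not defined in this change; confirm they already exist in the package and list their accepted values in the UEFISettings doc comment, as the other enums in this file do. Minor: "//+optional" on the SecureBoot field is missing the space that every other marker in the file uses.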
47 changes: 47 additions & 0 deletions machine/v1beta1/zz_generated.deepcopy.go


25 changes: 24 additions & 1 deletion machine/v1beta1/zz_generated.swagger_doc_generated.go


82 changes: 80 additions & 2 deletions openapi/generated_openapi/zz_generated.openapi.go

0 comments on commit 3f4e0b1