MGMT-13627: Add ConfidentialVM options to AzureMachineProviderSpec

This changes introduces the security profile to the OS disk parameters
and adds the vTPM and SecureBoot fields to the security profile of the
VM.

The OS disk security profile includes the SecurityEncryptionType and the
DiskEncryptionSetID fields. The SecurityEncryptionType defines whether the VM
is a Confidential VM. It cannot be defined alongside the EncryptionAtHost.
When SecurityEncryptionType is defined the VirtualizedTrustedPlatformModule
should be set to Enabled, while SecureBoot can be either Enabled or
Disabled.

Possible values for the SecurityEncryptionType are:
- DiskWithVMGuestState, OS disk encryption before VM deployment that
  uses platform-managed keys (PMK) or a customer-managed key (CMK)
- VMGuestStateOnly, no OS disk confidential encryption

When the SecurityEncryptionType is set to DiskWithVMGuestState, the
DiskEncryptionSetID can be specified to allow for Customer-managed keys
to be used to encrypt the OS disk and the VMGuestState blob.

Signed-off-by: Michail Resvanis <[email protected]>

machine/v1beta1/types_azureprovider.go

@@ -6,6 +6,18 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
+// SecurityEncryptionType represents the Encryption Type when the Azure Virtual Machine is a
+// Confidential VM.
+type SecurityEncryptionType string
+
+const (
+	// SecurityEncryptionTypeVMGuestStateOnly disables OS disk confidential encryption.
+	SecurityEncryptionTypeVMGuestStateOnly SecurityEncryptionType = "VMGuestStateOnly"
+	// SecurityEncryptionTypeDiskWithVMGuestState enables OS disk confidential encryption with a
+	// platform-managed key (PMK) or a customer-managed key (CMK).
+	SecurityEncryptionTypeDiskWithVMGuestState SecurityEncryptionType = "DiskWithVMGuestState"
+)
+
 // AzureMachineProviderSpec is the type that will be embedded in a Machine.Spec.ProviderSpec field
 // for an Azure virtual machine. It is used by the Azure machine actuator to create a single Machine.
 // Required parameters such as location that are not specified by this configuration, will be defaulted
@@ -397,6 +409,30 @@ type OSDiskManagedDiskParameters struct {
 	// DiskEncryptionSet is the disk encryption set properties
 	// +optional
 	DiskEncryptionSet *DiskEncryptionSetParameters `json:"diskEncryptionSet,omitempty"`
+	// SecurityProfile specifies the security profile for the managed disk.
+	// +optional
+	SecurityProfile *VMDiskSecurityProfile `json:"securityProfile,omitempty"`
+}
+
+// VMDiskSecurityProfile specifies the security profile settings for the managed disk.
+// It can be set only for Confidential VMs.
+type VMDiskSecurityProfile struct {
+	// DiskEncryptionSet specifies the customer managed disk encryption set resource id for the
+	// managed disk that is used for Customer Managed Key encrypted ConfidentialVM OS Disk and
+	// VMGuest blob.
+	// +optional
+	DiskEncryptionSet *DiskEncryptionSetParameters `json:"diskEncryptionSet,omitempty"`
+	// SecurityEncryptionType specifies the encryption type of the managed disk.
+	// It is set to DiskWithVMGuestState to encrypt the managed disk along with the VMGuestState
+	// blob, and to VMGuestStateOnly to encrypt the VMGuestState blob only.
+	// When this field is defined, EncryptionAtHost should be disabled.
+	// When set to VMGuestStateOnly, the VirtualizedTrustedPlatformModule should be set to Enabled.
+	// When set to DiskWithVMGuestState, both SecureBoot and VirtualizedTrustedPlatformModule
+	// should be set to Enabled.
+	// It can be set only for Confidential VMs.
+	// +kubebuilder:validation:Enum=VMGuestStateOnly;DiskWithVMGuestState
+	// +optional
+	SecurityEncryptionType SecurityEncryptionType `json:"securityEncryptionType,omitempty"`
 }
 
 // DataDiskManagedDiskParameters is the parameters of a DataDisk managed disk.
@@ -437,11 +473,25 @@ type DiskEncryptionSetParameters struct {
 // SecurityProfile specifies the Security profile settings for a
 // virtual machine or virtual machine scale set.
 type SecurityProfile struct {
-	// This field indicates whether Host Encryption should be enabled
-	// or disabled for a virtual machine or virtual machine scale
-	// set. Default is disabled.
+	// This field indicates whether Host Encryption should be enabled or disabled for a virtual
+	// machine or virtual machine scale set.
+	// This should be disabled when SecurityEncryptionType is set to DiskWithVMGuestState.
+	// Default is disabled.
 	// +optional
 	EncryptionAtHost *bool `json:"encryptionAtHost,omitempty"`
+	// SecureBoot defines whether the instance should have secure boot enabled.
+	// Secure Boot verifies the digital signature of all boot components and halts the boot process if signature verification fails.
+	// If omitted, the platform chooses a default, which is subject to change over time, currently that default is Disabled.
+	// +kubebuilder:validation:Enum=Enabled;Disabled
+	//+optional
+	SecureBoot SecureBootPolicy `json:"secureBoot,omitempty"`
+	// VirtualizedTrustedPlatformModule enable virtualized trusted platform module measurements to create a known good boot integrity policy baseline.
+	// The integrity policy baseline is used for comparison with measurements from subsequent VM boots to determine if anything has changed.
+	// This is required to be set to Enabled if SecurityEncryptionType is defined.
+	// If omitted, the platform chooses a default, which is subject to change over time, currently that default is Disabled.
+	// +kubebuilder:validation:Enum=Enabled;Disabled
+	// +optional
+	VirtualizedTrustedPlatformModule VirtualizedTrustedPlatformModulePolicy `json:"virtualizedTrustedPlatformModule,omitempty"`
 }
 
 // AzureUltraSSDCapabilityState defines the different states of an UltraSSDCapability

openapi/openapi.json

@@ -19379,6 +19379,10 @@
           "description": "DiskEncryptionSet is the disk encryption set properties",
           "$ref": "#/definitions/com.github.openshift.api.machine.v1beta1.DiskEncryptionSetParameters"
         },
+        "securityProfile": {
+          "description": "SecurityProfile specifies the security profile for the managed disk.",
+          "$ref": "#/definitions/com.github.openshift.api.machine.v1beta1.VMDiskSecurityProfile"
+        },
         "storageAccountType": {
           "description": "StorageAccountType is the storage account type to use. Possible values include \"Standard_LRS\", \"Premium_LRS\".",
           "type": "string",
@@ -19463,8 +19467,16 @@
       "type": "object",
       "properties": {
         "encryptionAtHost": {
-          "description": "This field indicates whether Host Encryption should be enabled or disabled for a virtual machine or virtual machine scale set. Default is disabled.",
+          "description": "This field indicates whether Host Encryption should be enabled or disabled for a virtual machine or virtual machine scale set. This should be disabled when SecurityEncryptionType is set to DiskWithVMGuestState. Default is disabled.",
           "type": "boolean"
+        },
+        "secureBoot": {
+          "description": "SecureBoot defines whether the instance should have secure boot enabled. Secure Boot verifies the digital signature of all boot components and halts the boot process if signature verification fails. If omitted, the platform chooses a default, which is subject to change over time, currently that default is Disabled.",
+          "type": "string"
+        },
+        "virtualizedTrustedPlatformModule": {
+          "description": "VirtualizedTrustedPlatformModule enable virtualized trusted platform module measurements to create a known good boot integrity policy baseline. The integrity policy baseline is used for comparison with measurements from subsequent VM boots to determine if anything has changed. This is required to be set to Enabled if SecurityEncryptionType is defined. If omitted, the platform chooses a default, which is subject to change over time, currently that default is Disabled.",
+          "type": "string"
         }
       }
     },
@@ -19532,6 +19544,20 @@
         }
       }
     },
+    "com.github.openshift.api.machine.v1beta1.VMDiskSecurityProfile": {
+      "description": "VMDiskSecurityProfile specifies the security profile settings for the managed disk. It can be set only for Confidential VMs.",
+      "type": "object",
+      "properties": {
+        "diskEncryptionSet": {
+          "description": "DiskEncryptionSet specifies the customer managed disk encryption set resource id for the managed disk that is used for Customer Managed Key encrypted ConfidentialVM OS Disk and VMGuest blob.",
+          "$ref": "#/definitions/com.github.openshift.api.machine.v1beta1.DiskEncryptionSetParameters"
+        },
+        "securityEncryptionType": {
+          "description": "SecurityEncryptionType specifies the encryption type of the managed disk. It is set to DiskWithVMGuestState to encrypt the managed disk along with the VMGuestState blob, and to VMGuestStateOnly to encrypt the VMGuestState blob only. When this field is defined, EncryptionAtHost should be disabled. When set to VMGuestStateOnly, the VirtualizedTrustedPlatformModule should be set to Enabled. When set to DiskWithVMGuestState, both SecureBoot and VirtualizedTrustedPlatformModule should be set to Enabled. It can be set only for Confidential VMs.",
+          "type": "string"
+        }
+      }
+    },
     "com.github.openshift.api.machine.v1beta1.VSphereMachineProviderSpec": {
       "description": "VSphereMachineProviderSpec is the type that will be embedded in a Machine.Spec.ProviderSpec field for an VSphere virtual machine. It is used by the vSphere machine actuator to create a single Machine. Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).",
       "type": "object",