How to append keys to UEFISettings of a Confidential VM image version
I am trying to extend the Intel TDX RTMR[2] register of a confidential VM. This requires adding a custom kernel module to expose an interface. Hence, I need to append my key to the image version UEFI settings to allow installation of my custom module.
I followed this document to create an image version with additional keys.
I use the az cli to create an image version from an existing confidential VM.
az deployment group create --resource-group tdx_group --template-file image_template.json --parameters image_parameters.json
The template is as follows, with a public key added.
{
  "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "galleryName": {
      "type": "string"
    },
    "imageDefinitionName": {
      "type": "string"
    },
    "versionName": {
      "type": "string"
    },
    "sourceVmId": {
      "type": "string"
    },
    "defaultReplicaCount": {
      "type": "int"
    },
    "excludedFromLatest": {
      "type": "bool"
    },
    "regionReplications": {
      "type": "array"
    },
    "location": {
      "type": "string"
    },
    "allowDeletionOfReplicatedLocations": {
      "type": "bool"
    },
    "replicationMode": {
      "type": "string"
    }
  },
  "variables": {},
  "resources": [
    {
      "apiVersion": "2024-03-03",
      "type": "Microsoft.Compute/galleries/images/versions",
      "dependsOn": [],
      "name": "[concat(parameters('galleryName'), '/', parameters('imageDefinitionName'), '/', parameters('versionName'))]",
      "location": "[parameters('location')]",
      "properties": {
        "publishingProfile": {
          "replicaCount": "[parameters('defaultReplicaCount')]",
          "targetRegions": "[parameters('regionReplications')]",
          "excludeFromLatest": "[parameters('excludedFromLatest')]",
          "replicationMode": "[parameters('replicationMode')]"
        },
        "storageProfile": {
          "source": {
            "virtualMachineId": "[parameters('sourceVmId')]"
          }
        },
        "safetyProfile": {
          "allowDeletionOfReplicatedLocations": "[parameters('allowDeletionOfReplicatedLocations')]"
        },
        "securityProfile": {
          "uefiSettings": {
            "signatureTemplateNames": [
              "MicrosoftUefiCertificateAuthorityTemplate"
            ],
            "additionalSignatures": {
              "db": [
                {
                  "type": "x509",
                  "value": [
                    "Base64 Certificate"
                  ]
                }
              ]
            }
          }
        }
      },
      "tags": {}
    }
  ],
  "outputs": {}
}
However, Azure rejects it with the following error:
{
  "status": "Failed",
  "error": {
    "code": "DeploymentFailed",
    "target": "/subscriptions/883f*fc1c3/resourceGroups//providers/Microsoft.Resources/deployments/image_template",
    "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.",
    "details": [
      {
        "code": "InvalidParameter",
        "target": "galleryImageversion.properties.securityProfile.uefiSettings",
        "message": "This parent Image Definition has security type 'ConfidentialVM' and does not support UefiSettings. UefiSettings is only supported by TrustedLaunchSupported, ConfidentialVmSupported or TrustedLaunchAndConfidentialVmSupported security types."
      }
    ]
  }
}
How can I customize the UEFI settings and kernel in this case? Or is there any other approach to extend the Intel TDX RTMR[2] from user space?
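The error above is raised by the parent image definition's security type, not by the template itself, so the mismatch can be caught before `az deployment group create` is run. The following pre-deployment check is an added example and is not part of the question or of any Azure tooling: it takes the ARM template and the image definition JSON, verifies that the definition's security type is one of the three the error message lists as accepting `uefiSettings`, and also confirms that every `additionalSignatures.db` x509 value is syntactically valid base64 (the `"Base64 Certificate"` placeholder in the question is not). The `properties.features[]` layout with a `SecurityType` entry is assumed to match what `az sig image-definition show` returns; the template and definition inputs are constructed for the example, and the "certificate" blob is a dummy string, not a real DER certificate.

```python
import base64
import binascii
from typing import Optional

# Security types that, per the Azure error quoted in the question, accept uefiSettings.
UEFI_SETTINGS_SECURITY_TYPES = frozenset({
    "TrustedLaunchSupported",
    "ConfidentialVmSupported",
    "TrustedLaunchAndConfidentialVmSupported",
})
GALLERY_VERSION_TYPE = "Microsoft.Compute/galleries/images/versions"


def definition_security_type(image_definition: dict) -> Optional[str]:
    """Read the SecurityType feature of a gallery image definition.

    Assumes the shape returned by `az sig image-definition show`:
    properties.features is a list of {"name": ..., "value": ...} objects.
    """
    for feature in image_definition.get("properties", {}).get("features", []):
        if feature.get("name") == "SecurityType":
            return feature.get("value")
    return None


def db_certificate_values(uefi_settings: dict) -> list:
    """All x509 values declared under additionalSignatures.db in a uefiSettings block."""
    values = []
    for entry in uefi_settings.get("additionalSignatures", {}).get("db", []):
        if entry.get("type") == "x509":
            values.extend(entry.get("value", []))
    return values


def check_template(template: dict, image_definition: dict) -> list:
    """Return human-readable problems; an empty list means both checks passed."""
    problems = []
    sec_type = definition_security_type(image_definition)
    for res in template.get("resources", []):
        if res.get("type") != GALLERY_VERSION_TYPE:
            continue
        name = res.get("name", "<unnamed>")
        uefi = res.get("properties", {}).get("securityProfile", {}).get("uefiSettings")
        if not uefi:
            continue  # no uefiSettings on this version resource: nothing to validate
        if sec_type not in UEFI_SETTINGS_SECURITY_TYPES:
            problems.append(
                f"{name}: parent definition security type {sec_type!r} does not "
                f"support uefiSettings (allowed: {sorted(UEFI_SETTINGS_SECURITY_TYPES)})"
            )
        for value in db_certificate_values(uefi):
            try:
                base64.b64decode(value, validate=True)  # strict alphabet check
            except (binascii.Error, ValueError):
                problems.append(f"{name}: db entry {value!r} is not valid base64")
    return problems


def build_template(cert_value: str) -> dict:
    """Constructed minimal template mirroring the question's uefiSettings block."""
    return {
        "resources": [{
            "type": GALLERY_VERSION_TYPE,
            "name": "mygallery/mydef/1.0.0",
            "properties": {"securityProfile": {"uefiSettings": {
                "signatureTemplateNames": ["MicrosoftUefiCertificateAuthorityTemplate"],
                "additionalSignatures": {"db": [{"type": "x509", "value": [cert_value]}]},
            }}},
        }]
    }


def build_definition(security_type: str) -> dict:
    """Constructed image definition JSON carrying a SecurityType feature (assumed layout)."""
    return {"properties": {"features": [{"name": "SecurityType", "value": security_type}]}}


# Constructed inputs: the placeholder string from the question, and a syntactically
# valid base64 blob that is NOT a real certificate.
PLACEHOLDER_CERT = "Base64 Certificate"
DUMMY_B64_CERT = base64.b64encode(b"constructed, not a real DER certificate").decode()

if __name__ == "__main__":
    for sec_type, cert in (("ConfidentialVM", PLACEHOLDER_CERT),
                           ("ConfidentialVmSupported", DUMMY_B64_CERT)):
        result = check_template(build_template(cert), build_definition(sec_type))
        print(sec_type, "->", result or "ok")
```

Run against a definition with security type `ConfidentialVM` (the case in the question) the check reports the unsupported security type plus the non-base64 placeholder; with a `ConfidentialVmSupported` definition and a base64 value it reports nothing. In practice the two inputs would come from the template file and from `az sig image-definition show -o json`.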