Can not create disk with ConfidentialVM_NonPersistedTPM securityType #29207

Open
fnerdman opened this issue Jun 19, 2024 · 3 comments

Labels: Auto-Assign (Auto assign by bot), Azure CLI Team (The command of the issue is owned by Azure CLI team), Compute (az vm/vmss/image/disk/snapshot), customer-reported (Issues that are reported by GitHub users external to the Azure organization), question (The issue doesn't require a change to the product in order to be resolved. Most issues start as that)
Comments

@fnerdman

Describe the bug

I want to create a disk that should be booted as a confidential TDX VM, with --os-disk-security-encryption-type set to NonPersistedTPM:

az disk create \
    -n ${DISK_NAME} \
    -g ${RESOURCE_GROUP} \
    -l ${REGION} \
    --os-type Linux \
    --upload-type Upload \
    --upload-size-bytes ${DISK_SIZE} \
    --sku standard_lrs \
    --security-type ConfidentialVM_NonPersistedTPM \
    --hyper-v-generation V2

This fails with:

az disk create: 'ConfidentialVM_NonPersistedTPM' is not a valid value for '--security-type'. Allowed values: TrustedLaunch, ConfidentialVM_VMGuestStateOnlyEncryptedWithPlatformKey, ConfidentialVM_DiskEncryptedWithPlatformKey, ConfidentialVM_DiskEncryptedWithCustomerKey, Standard.

So now I can't start a confidential VM with NonPersistedTPM:

az vm create \
    --name ${DISK_NAME} \
    --size ${VM_SIZE} \
    --resource-group ${RESOURCE_GROUP} \
    --attach-os-disk ${DISK_NAME} \
    --os-type Linux \
    --security-type ConfidentialVM \
    --enable-vtpm true \
    --enable-secure-boot false  \
    --os-disk-security-encryption-type NonPersistedTPM 

Related command

az disk create

Errors

az disk create: 'ConfidentialVM_NonPersistedTPM' is not a valid value for '--security-type'. Allowed values: TrustedLaunch, ConfidentialVM_VMGuestStateOnlyEncryptedWithPlatformKey, ConfidentialVM_DiskEncryptedWithPlatformKey, ConfidentialVM_DiskEncryptedWithCustomerKey, Standard.

Issue script & Debug output

az disk create: 'ConfidentialVM_NonPersistedTPM' is not a valid value for '--security-type'. Allowed values: TrustedLaunch, ConfidentialVM_VMGuestStateOnlyEncryptedWithPlatformKey, ConfidentialVM_DiskEncryptedWithPlatformKey, ConfidentialVM_DiskEncryptedWithCustomerKey, Standard.

Expected behavior

Disk is created with securityType=ConfidentialVM_NonPersistedTPM

Environment Summary

az --version
azure-cli 2.61.0

core 2.61.0
telemetry 1.1.0

Dependencies:
msal 1.28.0
azure-mgmt-resource 23.1.1

Python location '/opt/homebrew/Cellar/azure-cli/2.61.0/libexec/bin/python'
Extensions directory '/Users/*/.azure/cliextensions'

Python (Darwin) 3.11.9 (main, Apr 2 2024, 08:25:04) [Clang 15.0.0 (clang-1500.3.9.4)]

Legal docs and information: aka.ms/AzureCliLegal

Your CLI is up-to-date.

Additional context

Issue discussing adding the NonPersistedTPM feature: #27479
PoC patch that fixes the problem locally for me: Azure/azure-sdk-for-python#36161

@fnerdman fnerdman added the bug This issue requires a change to an existing behavior in the product in order to be resolved. label Jun 19, 2024
@microsoft-github-policy-service microsoft-github-policy-service bot added customer-reported Issues that are reported by GitHub users external to the Azure organization. Compute az vm/vmss/image/disk/snapshot labels Jun 19, 2024
@yonzhan (Collaborator)

yonzhan commented Jun 19, 2024

Thank you for opening this issue, we will look into it.

@microsoft-github-policy-service microsoft-github-policy-service bot added Auto-Assign Auto assign by bot Azure CLI Team The command of the issue is owned by Azure CLI team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Jun 19, 2024
@yonzhan yonzhan added this to the Backlog milestone Jun 19, 2024
@yonzhan yonzhan removed the bug This issue requires a change to an existing behavior in the product in order to be resolved. label Jun 19, 2024
@Hyodar

Hyodar commented Sep 12, 2024

Maybe related to this?

@fnerdman (Author)

Applying the diff of Azure/azure-sdk-for-python#36161 to the subfolder v2023_04_02 instead of v2021_08_01 currently fixes the issue.
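A way around the client-side check while the CLI's bundled SDK still lacks the value, as an added example that is neither from this issue nor part of the Azure CLI project: the `az disk create` rejection quoted in the report is the CLI validating `--security-type` against its own enum before any request is sent (which is why patching the vendored SDK fixes it locally), so the same disk can be created by sending the Resource Manager PUT body directly with `az rest`. The script below checks whether the installed CLI already accepts the requested security type and falls back to the raw REST call only when it does not. The API version (`2023-10-02`), the subscription/resource names and the upload size are assumptions; confirm that the Disks REST API version you use accepts `ConfidentialVM_NonPersistedTPM` before relying on it. The follow-up `az vm create ... --os-disk-security-encryption-type NonPersistedTPM` from the report is unchanged.

```shell
#!/usr/bin/env bash
# Added example (not from the issue or the Azure CLI project): create an
# upload-type OS disk whose securityProfile.securityType is
# ConfidentialVM_NonPersistedTPM by sending the Microsoft.Compute/disks PUT
# body with `az rest` when `az disk create` rejects the value client-side.
# Assumptions: API version 2023-10-02 accepts this securityType (verify
# against the Disks REST reference); all names and sizes are placeholders.

# Values the installed CLI accepts for --security-type, as printed in the
# error message from azure-cli 2.61.0 in the issue.
CLI_ALLOWED="TrustedLaunch ConfidentialVM_VMGuestStateOnlyEncryptedWithPlatformKey ConfidentialVM_DiskEncryptedWithPlatformKey ConfidentialVM_DiskEncryptedWithCustomerKey Standard"

# cli_accepts SECURITY_TYPE -> returns 0 if `az disk create` would accept it.
cli_accepts() {
  for v in $CLI_ALLOWED; do
    [ "$v" = "$1" ] && return 0
  done
  return 1
}

# disk_body LOCATION UPLOAD_SIZE_BYTES SECURITY_TYPE -> JSON body for the PUT.
# Mirrors the flags from the issue's `az disk create` call: Linux OS type,
# Gen2, Standard_LRS, Upload creation with a fixed upload size.
disk_body() {
  cat <<EOF
{
  "location": "$1",
  "sku": { "name": "Standard_LRS" },
  "properties": {
    "osType": "Linux",
    "hyperVGeneration": "V2",
    "creationData": { "createOption": "Upload", "uploadSizeBytes": $2 },
    "securityProfile": { "securityType": "$3" }
  }
}
EOF
}

# disk_url SUBSCRIPTION RESOURCE_GROUP DISK_NAME API_VERSION -> ARM resource URL.
disk_url() {
  printf 'https://management.azure.com/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Compute/disks/%s?api-version=%s' \
    "$1" "$2" "$3" "$4"
}

# create_disk SUBSCRIPTION RESOURCE_GROUP DISK_NAME LOCATION UPLOAD_SIZE_BYTES SECURITY_TYPE
# Uses `az disk create` when the CLI knows the value, otherwise PUTs the
# resource through `az rest`, which performs no client-side enum validation.
create_disk() {
  sub=$1; rg=$2; name=$3; loc=$4; size=$5; sec=$6
  api=${API_VERSION:-2023-10-02}   # assumed; adjust if your Compute RP differs
  if cli_accepts "$sec"; then
    az disk create -n "$name" -g "$rg" -l "$loc" --os-type Linux \
      --upload-type Upload --upload-size-bytes "$size" --sku standard_lrs \
      --security-type "$sec" --hyper-v-generation V2
  else
    az rest --method put \
      --url "$(disk_url "$sub" "$rg" "$name" "$api")" \
      --body "$(disk_body "$loc" "$size" "$sec")"
  fi
}

# Example invocation (placeholders; requires `az login` and a real subscription):
# create_disk 00000000-0000-0000-0000-000000000000 my-rg my-cvm-disk westeurope 34359738368 ConfidentialVM_NonPersistedTPM
```

After the PUT returns, `az disk show -n my-cvm-disk -g my-rg --query securityProfile.securityType` should print the requested value; if the Resource Provider rejects the body instead, the API version is the first thing to check.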
