Add confidential WCOW debug mode and boot files overrides #2799
Open
anmaxvl wants to merge 1 commit into
Add a confidential-WCOW debug mode that saves the per-UVM boot/EFI and scratch VHDs on teardown for troubleshooting, plus boot-files location overrides.

- New annotations: io.microsoft.wcow.debug (WCOWDebugMode) and io.microsoft.wcow.debug_data_path (WCOWDebugDataPath), validated as confidential-only with a non-empty data path.
- Unified boot files root override: io.microsoft.virtualmachine.bootfilesrootpath (BootFilesRootPath) for both LCOW and WCOW, replacing the lcow/wcow-specific variants.
- Isolation-type-aware VMGS selection (snp/vbs/gso), fixing the previous SNP-only default for VBS/GSO confidential pods.
- uvmboot cwcow: --debug-mode/--debug-data-path and --boot-files-path (derive EFI/BootCIM/VMGS from a directory) as an alternative to individual flags.
- Tests for the new annotation parsing, debug-mode validation, isolation VMGS mapping, and boot files root.

Signed-off-by: Maksim An <maksiman@microsoft.com>
Co-authored-by: Claude Opus 4.8
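As an added example (not hcsshim's code and not part of this PR), the following Go program sketches the validation and derivation rules the description lists: the debug annotations are accepted only for a confidential WCOW pod and only with a non-empty data path, the boot-files root annotation (or a caller-supplied default) is the directory the boot artifacts are derived from, and the VMGS file is chosen by isolation type. The annotation keys and the boot.vhd/rootfs.vhd names come from the PR text; the `<isolation>.vmgs` naming, the `ConfidentialWCOWConfig` type, the function names, the `defaultRoot` parameter and the sample inputs are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strconv"
	"strings"
)

// Annotation keys exactly as named in the PR description.
const (
	AnnotationWCOWDebugMode     = "io.microsoft.wcow.debug"
	AnnotationWCOWDebugDataPath = "io.microsoft.wcow.debug_data_path"
	AnnotationBootFilesRootPath = "io.microsoft.virtualmachine.bootfilesrootpath"
)

// ConfidentialWCOWConfig is a reduced, hypothetical stand-in for the UVM options the PR plumbs
// through; it is not hcsshim's OptionsWCOW.
type ConfidentialWCOWConfig struct {
	Confidential  bool
	IsolationType string // "snp", "vbs" or "gso"
	DebugMode     bool
	DebugDataPath string
	BootFilesRoot string
	EFIPath       string
	RootfsPath    string
	VMGSPath      string
}

// parseBoolAnnotation treats absent/empty as false and rejects malformed values rather than ignoring them.
func parseBoolAnnotation(a map[string]string, key string) (bool, error) {
	v := a[key]
	if v == "" {
		return false, nil
	}
	b, err := strconv.ParseBool(v)
	if err != nil {
		return false, fmt.Errorf("annotation %s: %w", key, err)
	}
	return b, nil
}

// VMGSFileForIsolation maps the isolation type to a VMGS filename. The "<type>.vmgs" naming is an
// assumption for this example; the PR only states that selection is isolation-type-aware.
func VMGSFileForIsolation(isolation string) (string, error) {
	switch t := strings.ToLower(isolation); t {
	case "snp", "vbs", "gso":
		return t + ".vmgs", nil
	}
	return "", fmt.Errorf("unsupported confidential isolation type %q", isolation)
}

// ParseConfidentialWCOWAnnotations applies the rules the PR description lists: debug mode is
// confidential-only and needs a non-empty data path; the boot-files root (annotation, else the
// caller's default) is the directory from which the EFI, rootfs and VMGS paths are derived.
func ParseConfidentialWCOWAnnotations(a map[string]string, confidential bool, isolation, defaultRoot string) (*ConfidentialWCOWConfig, error) {
	cfg := &ConfidentialWCOWConfig{Confidential: confidential, IsolationType: isolation}
	debug, err := parseBoolAnnotation(a, AnnotationWCOWDebugMode)
	if err != nil {
		return nil, err
	}
	cfg.DebugMode, cfg.DebugDataPath = debug, a[AnnotationWCOWDebugDataPath]
	if cfg.DebugMode && !confidential {
		return nil, errors.New(AnnotationWCOWDebugMode + " is only valid for confidential WCOW pods")
	}
	if cfg.DebugMode && cfg.DebugDataPath == "" {
		return nil, errors.New(AnnotationWCOWDebugMode + " requires a non-empty " + AnnotationWCOWDebugDataPath)
	}
	if cfg.BootFilesRoot = a[AnnotationBootFilesRootPath]; cfg.BootFilesRoot == "" {
		cfg.BootFilesRoot = defaultRoot
	}
	// boot.vhd and rootfs.vhd are the names given in the PR's annotation doc comment.
	cfg.EFIPath = filepath.Join(cfg.BootFilesRoot, "boot.vhd")
	cfg.RootfsPath = filepath.Join(cfg.BootFilesRoot, "rootfs.vhd")
	if confidential {
		vmgs, err := VMGSFileForIsolation(isolation)
		if err != nil {
			return nil, err
		}
		cfg.VMGSPath = filepath.Join(cfg.BootFilesRoot, vmgs)
	}
	return cfg, nil
}

// ShouldPreserveDebugArtifacts mirrors the teardown gate: only a confidential UVM in debug mode
// with a data path keeps its boot/EFI and scratch VHDs instead of deleting them.
func ShouldPreserveDebugArtifacts(cfg *ConfidentialWCOWConfig) bool {
	return cfg != nil && cfg.Confidential && cfg.DebugMode && cfg.DebugDataPath != ""
}

func main() {
	// Constructed sample annotations, as a pod spec might carry them.
	spec := map[string]string{AnnotationWCOWDebugMode: "true", AnnotationWCOWDebugDataPath: `C:\uvm-debug`}
	cfg, err := ParseConfidentialWCOWAnnotations(spec, true, "vbs", `C:\cwcow-boot`)
	fmt.Printf("cfg=%+v err=%v preserve=%v\n", cfg, err, ShouldPreserveDebugArtifacts(cfg))
	_, err = ParseConfidentialWCOWAnnotations(spec, false, "", `C:\cwcow-boot`) // rejected: not confidential
	fmt.Println(err)
}
```

The point of keeping the two checks separate from the path derivation is that a malformed or misplaced debug annotation fails the pod outright instead of silently booting a confidential UVM whose artifacts will, or will not, be left on the host.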
Pull request overview
This PR adds a confidential WCOW debug mode that preserves per-UVM boot/EFI and scratch VHDs on teardown, and introduces a unified boot-files root override used to derive confidential WCOW boot artifacts (EFI/rootfs/VMGS/reference info) based on isolation type.
Changes:
- Add confidential WCOW debug annotations and plumb them through OCI parsing, uvmboot tooling, and UVM teardown preservation.
- Introduce a unified BootFilesRootPath annotation and use it to derive confidential WCOW boot artifacts (EFI/rootfs/VMGS/reference info).
- Select the default confidential WCOW VMGS based on isolation type (SNP/VBS/GSO) and add tests covering these behaviors.
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| pkg/annotations/annotations.go | Adds new debug annotations and a unified BootFilesRootPath annotation constant. |
| internal/uvm/create.go | Preserves confidential WCOW scratch/EFI VHDs on UVM teardown when debug mode is enabled. |
| internal/uvm/create_wcow.go | Adds debug options, boot-files root override, and isolation-type-aware VMGS/boot artifact path helpers. |
| internal/uvm/create_test.go | Adds unit test coverage for isolation-type-to-VMGS filename mapping. |
| internal/tools/uvmboot/conf_wcow.go | Adds --debug-mode/--debug-data-path and --boot-files-path handling for confidential WCOW UVM boot. |
| internal/oci/uvm.go | Parses/validates new debug annotations, applies unified boot-files root, and derives default VMGS by isolation type. |
| internal/oci/uvm_test.go | Adds tests for boot-files root parsing, isolation-aware VMGS defaulting, and debug-mode validation. |
| cmd/containerd-shim-runhcs-v1/pod.go | Uses the boot-files root override when selecting confidential WCOW EFI/rootfs VHDs. |
Comment on lines +355 to +360

```go
if wopts, ok := uvm.createOpts.(*OptionsWCOW); ok &&
wopts.ConfidentialWCOWOptions != nil &&
wopts.DebugMode &&
wopts.DebugDataPath != "" &&
wopts.BootFiles != nil &&
wopts.BootFiles.BlockCIMFiles != nil {
```
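Review bot: the preservation gate at +355 to +360 silently does nothing when `DebugMode` is set but `BootFiles` or `BootFiles.BlockCIMFiles` is nil, so an operator who asked for debug artifacts gets none and no explanation; consider a debug-level log line in that branch, and hoisting the six-way condition into a helper on `OptionsWCOW` (for example `wopts.preserveDebugArtifacts()`) so the rule is defined once and can be unit-tested directly. Since the preserved scratch/EFI VHDs of a confidential UVM remain on the host under `DebugDataPath` after teardown, a comment or log message saying that they are left for the operator to remove would also help.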
Comment on lines +91 to +93

```go
// confidentialWCOWOSBootFilesPath returns the directory that holds the confidential WCOW boot
// files. If root is non-empty it is used as-is (allowing the location to be overridden via the
// WCOWBootFilesRootPath annotation), otherwise the default location next to the shim executable is used.
```
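Review bot: the doc comment at +91 to +93 names the `WCOWBootFilesRootPath` annotation, but this PR replaces the lcow/wcow-specific variants with the unified `BootFilesRootPath` annotation (`io.microsoft.virtualmachine.bootfilesrootpath`); update the comment to the new name so it does not point readers at a constant the PR removes.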
Comment on lines +312 to +314

```go
// BootFilesRootPath indicates the path to find the boot files to use when creating the UVM. It applies
// to both LCOW and WCOW (including confidential WCOW, where it locates boot.vhd, rootfs.vhd, VMGS, and
// reference info). If unset, a platform-specific default location is used.
```
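Review bot: the `BootFilesRootPath` comment at +312 to +314 should state that it supersedes the earlier lcow/wcow-specific annotations and whether those keys are still accepted or are now rejected, since an existing pod spec that still carries an old key would otherwise fall through to the platform default boot files without any error. It would also help to name the default instead of "a platform-specific default location" (the helper elsewhere in this PR documents it as the directory next to the shim executable).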