Azure / azure-cli

Azure Command-Line Interface
MIT License

Can not create disk with ConfidentialVM_NonPersistedTPM securityType #29207

Open fnerdman opened 1 month ago

fnerdman commented 1 month ago

Describe the bug

I want to create a disk that should be booted as a confidential TDX VM, with --os-disk-security-encryption-type set to NonPersistedTPM:

az disk create \
    -n ${DISK_NAME} \
    -g ${RESOURCE_GROUP} \
    -l ${REGION} \
    --os-type Linux \
    --upload-type Upload \
    --upload-size-bytes ${DISK_SIZE} \
    --sku standard_lrs \
    --security-type ConfidentialVM_NonPersistedTPM \
    --hyper-v-generation V2

This fails with:

az disk create: 'ConfidentialVM_NonPersistedTPM' is not a valid value for '--security-type'. Allowed values: TrustedLaunch, ConfidentialVM_VMGuestStateOnlyEncryptedWithPlatformKey, ConfidentialVM_DiskEncryptedWithPlatformKey, ConfidentialVM_DiskEncryptedWithCustomerKey, Standard.

So now I can't start a confidential VM with NonPersistedTPM:

az vm create \
    --name ${DISK_NAME} \
    --size ${VM_SIZE} \
    --resource-group ${RESOURCE_GROUP} \
    --attach-os-disk ${DISK_NAME} \
    --os-type Linux \
    --security-type ConfidentialVM \
    --enable-vtpm true \
    --enable-secure-boot false  \
    --os-disk-security-encryption-type NonPersistedTPM 

Related command

az disk create

Errors

az disk create: 'ConfidentialVM_NonPersistedTPM' is not a valid value for '--security-type'. Allowed values: TrustedLaunch, ConfidentialVM_VMGuestStateOnlyEncryptedWithPlatformKey, ConfidentialVM_DiskEncryptedWithPlatformKey, ConfidentialVM_DiskEncryptedWithCustomerKey, Standard.

Issue script & Debug output

az disk create: 'ConfidentialVM_NonPersistedTPM' is not a valid value for '--security-type'. Allowed values: TrustedLaunch, ConfidentialVM_VMGuestStateOnlyEncryptedWithPlatformKey, ConfidentialVM_DiskEncryptedWithPlatformKey, ConfidentialVM_DiskEncryptedWithCustomerKey, Standard.

Expected behavior

Disk is created with securityType=ConfidentialVM_NonPersistedTPM

Environment Summary

az --version
azure-cli                         2.61.0

core                              2.61.0
telemetry                          1.1.0

Dependencies:
msal                              1.28.0
azure-mgmt-resource               23.1.1

Python location '/opt/homebrew/Cellar/azure-cli/2.61.0/libexec/bin/python'
Extensions directory '/Users/*/.azure/cliextensions'

Python (Darwin) 3.11.9 (main, Apr  2 2024, 08:25:04) [Clang 15.0.0 (clang-1500.3.9.4)]

Legal docs and information: aka.ms/AzureCliLegal

Your CLI is up-to-date.

Additional context

Issue discussing adding the NonPersistedTPM feature: https://github.com/Azure/azure-cli/issues/27479

PoC patch, that fixes the problem locally for me: https://github.com/Azure/azure-sdk-for-python/pull/36161
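The error above is raised by the CLI's own client-side allow-list for --security-type, before any request reaches Azure. As an added example (not part of the issue and not code from the azure-cli project), the following script sends the disk PUT straight to the Azure Resource Manager REST API with `az rest`, which attaches the logged-in account's ARM token and lets the service, rather than the CLI, validate the securityType value. The subscription ID, resource group, disk name, region, size and the api-version are placeholders and assumptions; pick an api-version whose Disks API accepts ConfidentialVM_NonPersistedTPM.

```shell
#!/bin/sh
# Added example, not from the issue or the azure-cli project: bypass the CLI's
# --security-type allow-list by calling the Disks REST API directly via az rest.
# All identifiers and the api-version below are assumptions (placeholders).

# Build the JSON body of a Microsoft.Compute/disks PUT. The request mirrors the
# fields of the az disk create call in the issue: Linux, Upload, V2, Standard_LRS.
# securityProfile.securityType is passed through untouched so ARM validates it.
disk_body() {
    region="$1"; size_bytes="$2"; security_type="$3"
    cat <<EOF
{
  "location": "${region}",
  "sku": { "name": "Standard_LRS" },
  "properties": {
    "osType": "Linux",
    "hyperVGeneration": "V2",
    "creationData": {
      "createOption": "Upload",
      "uploadSizeBytes": ${size_bytes}
    },
    "securityProfile": {
      "securityType": "${security_type}"
    }
  }
}
EOF
}

# ARM URL of the disk resource. api-version is an assumption: use one whose
# DiskSecurityTypes enum already lists ConfidentialVM_NonPersistedTPM.
disk_url() {
    sub="$1"; rg="$2"; name="$3"; api_version="$4"
    printf 'https://management.azure.com/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Compute/disks/%s?api-version=%s' \
        "$sub" "$rg" "$name" "$api_version"
}

# Issue the PUT. az rest adds the bearer token for the currently logged-in account.
create_disk() {
    az rest --method put \
        --url "$(disk_url "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$DISK_NAME" "$API_VERSION")" \
        --body "$(disk_body "$REGION" "$DISK_SIZE" "ConfidentialVM_NonPersistedTPM")"
}

# Constructed placeholder values; override them from the environment.
: "${SUBSCRIPTION_ID:=00000000-0000-0000-0000-000000000000}"
: "${RESOURCE_GROUP:=rg-cvm-test}"
: "${DISK_NAME:=cvm-tdx-osdisk}"
: "${REGION:=eastus}"
: "${DISK_SIZE:=10737418752}"   # 10 GiB + 512-byte VHD footer, as Upload expects
: "${API_VERSION:=2023-10-02}"  # assumption, see comment on disk_url

# Dry run by default (prints the body); pass --create to actually call ARM.
if [ "${1:-}" = "--create" ]; then
    create_disk
else
    disk_body "$REGION" "$DISK_SIZE" "ConfidentialVM_NonPersistedTPM"
fi
```

After the PUT succeeds, the rest of the Upload flow is unchanged: `az disk grant-access --access-level Write` to get a SAS URI, upload the VHD with azcopy, then `az disk revoke-access`. To confirm the service accepted the value rather than silently downgrading it, read it back with `az disk show -n "$DISK_NAME" -g "$RESOURCE_GROUP" --query securityProfile.securityType -o tsv` before attaching the disk with `az vm create --attach-os-disk`.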

yonzhan commented 1 month ago

Thank you for opening this issue, we will look into it.