How to bind the pk in Azure VM?

mk 5 Reputation points
2024-11-06T07:46:21.08+00:00

Hello, Thanks for your support. I have one question.
Question > Does it currently support binding a pk key to a VM for the UEFI feature?

I’m trying to bind a pk key in an Azure VM. I referred to this document. I saw only the db key in the ARM template in your reference document. I can bind the db key as in Microsoft’s reference document, and then I changed the ARM template to bind pk, kek, and db for the UEFI feature. But this VM has a provisioning error when deploying the VM.

step1. I have an error when I add the pk key with ‘MicrosoftUefiCertificateAuthorityTemplate’ as signatureTemplateNames in uefiSettings --> I changed the value to ‘NoSignatureTemplate’ instead of ‘MicrosoftUefiCertificateAuthorityTemplate’

step2. I deployed this ARM template and then I saw a provisioning error code.
provisioning_state_error_code.png
pk_kek_db_template.json.txt
Ref : https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch-secure-boot-custom-uefi#method-to-create-azure-c[…]vm-by-using-the-azure-cli

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json",
    "contentVersion": "1.0.0.0",
    "parameters": {
    },
    "resources": [
        {
            "type": "Microsoft.Compute/galleries",
            "apiVersion": "2022-01-03",
            "name": "customuefigallerytest",
            "location": "[resourceGroup().location]",
            "tags": {
                "AzSecPackAutoConfigReady": "true"
            },
            "properties": {
                "identifier": {}
            }
        },
        {
            "type": "Microsoft.Compute/galleries/images",
            "apiVersion": "2022-08-03",
            "name": "[concat('customuefigallerytest', '/', 'image_def')]",
            "location": "[resourceGroup().location]",
            "dependsOn": [
                "[resourceId('Microsoft.Compute/galleries', 'customuefigallerytest')]"
            ],
            "tags": {
                "AzSecPackAutoConfigReady": "true"
            },
            "properties": {
                "hyperVGeneration": "V2",
                "architecture": "x64",
                "osType": "Linux",
                "osState": "Generalized",
                "identifier": {
                    "publisher": "testpublisher",
                    "offer": "testoffer",
                    "sku": "testsku"
                },
                "features": [
                    {
                        "name": "SecurityType",
                        "value": "TrustedLaunchSupported"
                    }
                ],
                "recommended": {
                    "vCPUs": {
                        "min": 1,
                        "max": 16
                    },
                    "memory": {
                        "min": 1,
                        "max": 32
                    }
                }
            }
        },
        {
            "type": "Microsoft.Compute/galleries/images/versions",
            "apiVersion": "2022-08-03",
            "name": "[concat('customuefigallerytest', '/','image_def','/', '1.0.0')]",
            "location": "[resourceGroup().location]",
            "dependsOn": [
                "[resourceId('Microsoft.Compute/galleries/images', 'customuefigallerytest', 'image_def')]",
                "[resourceId('Microsoft.Compute/galleries', 'customuefigallerytest')]"
            ],
            "properties": {
                "publishingProfile": {
                    "targetRegions": [
                        {
                            "name": "[resourceGroup().location]",
                            "regionalReplicaCount": 1
                        }
                    ]
                },
                "storageProfile": {
                    "osDiskImage": {
                        "hostCaching": "ReadOnly",
                        "source": {
                            "uri": "https://sourceosvhdeastus2euap.blob.core.windows.net/ubuntu2204cvmsmalldisk/abcd",
                            "storageAccountId": "/subscriptions/130068aa-dcf8-46e8-a2cc-205ab4a32b30/resourceGroups/sharmade-customuefi-canarytest/providers/Microsoft.Storage/storageAccounts/sourceosvhdeastus2euap"
                        }
                    }
                },
                "securityProfile": {
                    "uefiSettings": {
                        "signatureTemplateNames": [
                            "MicrosoftUefiCertificateAuthorityTemplate"
                        ],
                        "additionalSignatures": {
                            "pk": [
                                {
                                    "type": "x509",
                                    "value": [
                                        "MIIxxx="
                                    ]
                                }
                            ],
                            "kek": [
                                {
                                    "type": "x509",
                                    "value": [
                                        "MIIyyy="
                                    ]
                                }
                            ],
                            "db": [
                                {
                                    "type": "x509",
                                    "value": [
                                        "MIIzzz="
                                    ]
                                }
                            ]
                        }
                    }
                }
            }
        }
    ]
}
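An added example, not code from the poster or from Microsoft: a small Python helper that produces the `securityProfile.uefiSettings` block in the shape of the template above from PEM certificate files, and checks an existing block before deployment for things the deployment error does not explain: leftover placeholder values that are not valid base64, entries whose type is not x509, decoded bytes that are not a single DER SEQUENCE, and the pk plus MicrosoftUefiCertificateAuthorityTemplate combination the poster reports failing. It assumes each value string is a base64-encoded DER certificate; the sample PEM is constructed for the example.

```python
import base64
import binascii

# Constructed sample so the example runs offline: a bare ASN.1 SEQUENCE { INTEGER 1 }
# wrapped in PEM armor. A real entry is a full X.509 certificate in the same encoding.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END CERTIFICATE-----\n")

def pem_to_b64_der(pem: str) -> str:
    """Strip the PEM armor and return the DER body as a single base64 line."""
    body = "".join(ln.strip() for ln in pem.splitlines() if not ln.startswith("-----"))
    return base64.b64encode(base64.b64decode(body, validate=True)).decode()

def build_uefi_settings(template: str, pk=None, kek=None, db=None) -> dict:
    """Assemble securityProfile.uefiSettings in the shape used by the template above."""
    sigs = {}
    for store, pems in (("pk", pk), ("kek", kek), ("db", db)):
        if pems:
            sigs[store] = [{"type": "x509", "value": [pem_to_b64_der(p) for p in pems]}]
    return {"signatureTemplateNames": [template], "additionalSignatures": sigs}

def der_is_sequence(der: bytes) -> bool:
    """True if der is one ASN.1 SEQUENCE whose declared length covers the whole blob."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    k = 0 if der[1] < 0x80 else der[1] & 0x7F   # 0: short-form length; else k length bytes follow
    length = der[1] if k == 0 else int.from_bytes(der[2:2 + k], "big")
    return len(der) == 2 + k + length

def check_uefi_settings(uefi: dict) -> list:
    """Return a list of problems; an empty list means the block passed every check."""
    problems = []
    sigs = uefi.get("additionalSignatures", {})
    if "pk" in sigs and "MicrosoftUefiCertificateAuthorityTemplate" in uefi.get("signatureTemplateNames", []):
        problems.append("pk combined with MicrosoftUefiCertificateAuthorityTemplate (poster reports a deployment error)")
    for store, entries in sigs.items():
        for entry in entries:
            if entry.get("type") != "x509":
                problems.append(f"{store}: type must be x509")
            for val in entry.get("value", []):
                try:
                    der = base64.b64decode(val, validate=True)
                except binascii.Error:
                    problems.append(f"{store}: not valid base64, placeholder left in? {val!r}")
                    continue
                if not der_is_sequence(der):
                    problems.append(f"{store}: decoded bytes are not a single DER SEQUENCE")
    return problems
```

Run `check_uefi_settings` over the `uefiSettings` object of the posted template and every `MIIxxx=`-style placeholder is reported, since those strings are not even valid base64.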

1 answer

  1. Sai Krishna Katakam 1,190 Reputation points Microsoft Vendor
    2024-11-06T10:41:26.57+00:00

    Hi mk,

    Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

    For a Trusted Launch VM, a new feature called Secure Boot UEFI keys is now in preview. With this feature, you can bind UEFI keys (db/dbx/pk/kek) for driver/kernel modules signed by using a private key that's owned by your third-party vendors. In this public preview, you can bind UEFI keys by using the Azure Compute Gallery. Binding UEFI keys for an Azure Marketplace image, or as part of VM deployment parameters, isn't currently supported.

    Note: Binding UEFI keys mostly applies to Linux-based Trusted Launch VMs.

    Please refer to the document below:
    https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch-secure-boot-custom-uefi#overview

    If you have any further queries, do let us know. If the comment is helpful, please click "Upvote".

