
mkosi config to build a bootable OS disk for confidential VM

Hitesh Bhagchandani 65 Reputation points
2025-07-14T16:02:56.35+00:00

I want to create a bootable OS image using mkosi that I can use to create a confidential VM. My mkosi.conf so far is:

[Distribution]
Distribution=ubuntu
Release=jammy
Architecture=x86-64
Repositories=main,universe,restricted,multiverse

[Build]
ToolsTree=default
[Content]
Bootable=yes
Bootloader=uki
Initrds=./initrd
InitrdPackages=cryptsetup-initramfs
               libdevmapper1.02.1
               dmsetup
               kmod
               busybox-initramfs

RootPassword=root
Packages=systemd
         kmod
         udev
         dbus
         tzdata
         tpm2-tools
         linux-azure
         linux-headers-azure
         grub-efi-amd64
         grub-efi-amd64-bin
         linux-firmware
         apparmor
         apparmor-utils
         iptables-persistent
         netfilter-persistent
         ca-certificates
         vim
         docker.io
         docker-compose

KernelCommandLine="console=ttyS0 systemd.volatile=overlay"

[Runtime]
Firmware=uefi-secure-boot
TPM=true

[Output]
Format = disk
ManifestFormat = json

and my partitions are pretty simple:

$ cat mkosi/rootfs/mkosi.repart/00-esp.conf
[Partition]
Type=esp
Format=vfat
CopyFiles=/efi:/
CopyFiles=/boot:/
SizeMinBytes=1G
SizeMaxBytes=1G

$ cat mkosi/rootfs/mkosi.repart/12-root.conf
[Partition]
Type=root
Format=ext4
CopyFiles=/
Minimize=guess
ExcludeFilesTarget=/var/
ReadOnly=yes

When I boot the resulting image using qemu locally, on an Ubuntu Azure VM:

sudo qemu-system-x86_64 \
    -enable-kvm \
    -cpu host \
    -smp 6 \
    -m 4096 \
    -bios /usr/share/qemu/OVMF.fd \
    -drive format=raw,file=/mnt/scratch/os_disk_azure.raw \
    -nographic

I get a kernel panic:

[    1.128508] /dev/root: Can't open blockdev
[    1.129344] VFS: Cannot open root device "" or unknown-block(0,0): error -6
[    1.130693] Please append a correct "root=" boot option; here are the available partitions:

This is very likely due to an incorrect initramfs. But note that this works when linux-generic is used instead of linux-azure, i.e. this image boots up fine on the generic kernel 5.15.0-143-generic but fails on the Azure kernel 6.8.0-1031-azure.

Are there additional parameters I need to add to the mkosi.conf file? I am assuming an Azure image i.e. 6.8.0-1031-azure is needed to boot up a confidential VM.

Azure Virtual Machines

Answer accepted by question author
    Durga Reshma Malthi 11,595 Reputation points Microsoft External Staff Moderator
    2025-07-16T14:48:22.45+00:00

    Hi Hitesh Bhagchandani

    Your configuration is precise. To make sure Secure Boot works seamlessly for confidential VMs, here are a few key validations and suggestions:

    Your Validation section looks solid. Just ensure:

    • MOK.priv and MOK.crt are valid PEM-encoded key and certificate files.
    • They are not expired and match each other.
    • You generated them using mkosi genkey or equivalent tooling.

    Since you're using:

    Bootloader=grub
    ShimBootloader=signed
    UnifiedKernelImages=false

    Make sure:

    • The signed shim binary is present and correctly installed in the ESP.
    • GRUB is properly chained from shim and signed if needed.
    • Your ESP partition includes /EFI/BOOT/BOOTX64.EFI pointing to shim.

    Hope this helps!

    Please let me know if you have any queries.


1 additional answer

    Mounika Reddy Anumandla 7,135 Reputation points Moderator
    2025-07-14T17:27:46.0633333+00:00

    Hi Hitesh Bhagchandani,
    Confidential VMs (CVMs) in Azure should ideally run the Azure-tuned kernel, such as linux-azure, especially for support of features like SEV-SNP, TDX, TPM, measured boot, and UEFI Secure Boot.

    Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(0,0) https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/linux/linux-kernel-panic-troubleshooting#prerequisites

    This error occurs because of a recent system update (kernel). It's most commonly seen in RHEL-based distributions. You can identify this issue from the Azure serial console. You'll see the following error message:

    1. "Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(0,0)"

    This kind of error indicates that the initramfs file isn't generated, the GRUB configuration file has the initrd entry missing after a patching process, or a GRUB manual misconfiguration.

    Before rebooting a server, we recommend validating the GRUB configuration and /boot contents if there's a kernel update by running one of the following commands. It's important to ensure the update is done and there are no missing initramfs files.


    ls -l /boot

    The error says: You must add the root= parameter:

    KernelCommandLine="console=ttyS0 systemd.volatile=overlay root=/dev/sda2"

    Replace /dev/sda2 with the actual partition where your root filesystem is — you can check this by running lsblk on the raw image after building.

    https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/linux/linux-kernel-panic-troubleshooting#scenario-1-kernel-panic-occurs-at-boot-time

    https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/linux/kernel-related-boot-issues#missing-initramfs

    https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/linux/linux-kernel-panic-troubleshooting#how-to-identify-a-kernel-panic

    Hope it helps!

    Let me know if you have any further queries!

    If the information is helpful, please click "upvote" to let us know!

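Before hard-coding root=/dev/sda2, it is worth checking what the built image's partition table actually says: with a systemd-based initrd and no root= on the command line, the root filesystem is located by systemd-gpt-auto-generator from the GPT partition type GUID (the Discoverable Partitions Specification type that mkosi.repart Type=root assigns), so the image must carry that type, and the partition index tells you whether /dev/sda2 is even the right device. The following check is an added example, not code from this thread or from mkosi: parse_gpt reads the primary GPT of a raw image, auto_discoverable_root applies the generator's single-root rule, and build_image only constructs synthetic test data (CRCs are omitted, so it is not a valid image for real tooling).

```python
import struct
import uuid
from typing import Optional

SECTOR = 512
# Discoverable Partitions Specification type GUIDs: what mkosi/systemd-repart write for
# Type=esp and Type=root on x86-64, and what systemd-gpt-auto-generator looks for.
ESP_GUID = uuid.UUID("c12a7328-f81f-11d2-ba4b-00a0c93ec93b")
ROOT_X86_64_GUID = uuid.UUID("4f68bce3-e8cd-4db1-96e7-fbcaf984b709")
LINUX_DATA_GUID = uuid.UUID("0fc63daf-8483-4772-8e79-3d69d8477de4")  # plain "Linux filesystem": never auto-mounted as root
KNOWN = {ESP_GUID: "esp", ROOT_X86_64_GUID: "root-x86-64", LINUX_DATA_GUID: "linux-generic"}


def parse_gpt(image: bytes) -> list:
    """Parse the primary GPT (header at LBA 1) of a raw disk image and return its used entries."""
    hdr = image[SECTOR:2 * SECTOR]
    if hdr[:8] != b"EFI PART":
        raise ValueError("no GPT header at LBA 1 (MBR-only or damaged image)")
    entries_lba, n_entries, entry_size = struct.unpack_from("<QII", hdr, 72)
    parts = []
    for i in range(n_entries):
        off = entries_lba * SECTOR + i * entry_size
        e = image[off:off + entry_size]
        type_guid = uuid.UUID(bytes_le=e[0:16])
        if type_guid.int == 0:
            continue  # unused slot
        first_lba, last_lba = struct.unpack_from("<QQ", e, 32)
        parts.append({
            "index": i + 1,  # kernel numbering is 1-based: entry 2 is /dev/sda2
            "type": KNOWN.get(type_guid, str(type_guid)),
            "partuuid": str(uuid.UUID(bytes_le=e[16:32])),  # stable root=PARTUUID=... value
            "first_lba": first_lba, "last_lba": last_lba,
            "name": e[56:128].decode("utf-16-le").rstrip("\x00"),
        })
    return parts


def auto_discoverable_root(parts: list) -> Optional[dict]:
    """Generator rule in short: exactly one root-x86-64 partition on the boot disk, otherwise nothing."""
    roots = [p for p in parts if p["type"] == "root-x86-64"]
    return roots[0] if len(roots) == 1 else None


def build_image(layout: list) -> bytes:
    """Constructed test data: zeroed LBA 0, header at LBA 1, 128-byte entries from LBA 2; CRCs omitted."""
    entries = b"".join(t.bytes_le + uuid.uuid4().bytes_le + struct.pack("<QQQ", first, last, 0)
                       + name.encode("utf-16-le").ljust(72, b"\x00") for t, first, last, name in layout)
    hdr = (b"EFI PART" + bytes(64) + struct.pack("<QII", 2, len(layout), 128)).ljust(SECTOR, b"\x00")
    return bytes(SECTOR) + hdr + entries.ljust(-(-len(entries) // SECTOR) * SECTOR, b"\x00")
```

On a real build, pass the first 64 KiB of the raw file (open(path, "rb").read(65536)), which covers the header and the default 128-entry array; if auto_discoverable_root returns None, the initrd cannot find root on its own and a root=PARTUUID=... value from the output is more robust than a /dev/sdX name.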
