always set SecurityPolicyEnabled when policy is present#2748
Open
anmaxvl wants to merge 2 commits into
Open
Conversation
Previously, SecurityPolicyEnabled was only set for LCOW when no-security-hardware was false, which meant the security policy was never plumbed to the GCS in the no-hardware dev path. This differed from the WCOW path which always sets SecurityPolicyEnabled when a policy is present. Move SecurityPolicyEnabled assignment out of the !noSecurityHardware block so it is set whenever a security policy string is present. Gate the SNP-specific HCS document (makeLCOWSecurityDoc) on GuestStateFilePath instead, since that is only set when real SNP hardware is available. Add AI generated unit tests. Signed-off-by: Maksim An <maksiman@microsoft.com>
helsaawy
approved these changes
May 21, 2026
Contributor
|
@anmaxvl Can you please make the verify and behaviour and make the changes in V2 shim as well- hcsshim/internal/builder/vm/lcow/specs.go Line 334 in ab454d9 |
…resent Always set ConfidentialConfig when a security policy is present. Add NoSecurityHardware to SandboxOptions and use isConfidentialSNP to gate SNP-specific HCS document construction (schema V25, confidential boot options, NUMA skip, etc.) separately from policy presence. Signed-off-by: Maksim An <maksiman@microsoft.com>
anmaxvl
force-pushed
the
fix-lcow-policy-plumbing
branch
from
6e7d936 to
5809d15
Compare
rawahars
reviewed
May 25, 2026
| // NoSecurityHardware indicates that SNP hardware is not available. When true, | ||
| // the security policy is still plumbed to the GCS but the HCS document uses the | ||
| // standard (non-SNP) format. | ||
| NoSecurityHardware bool |
Contributor
There was a problem hiding this comment.
Since NoSecurityHardware is used locally within lcow builder, can we avoid adding it to SandboxOptions?
SandboxOptions are used outside the package and usually contain the fields which are used later in the workflow.
rawahars
reviewed
May 25, 2026
| // isConfidentialSNP is true when we have a security policy AND real SNP hardware. | ||
| // This gates SNP-specific HCS document construction (schema V25, confidential boot, etc.). | ||
| // When no-security-hardware is set, we still plumb the policy but use the standard HCS doc. | ||
| isConfidentialSNP := sandboxOptions.ConfidentialConfig != nil && !sandboxOptions.NoSecurityHardware |
Contributor
There was a problem hiding this comment.
Maybe move NoSecurityHardware parsing here. It serves no purpose inside parseSandboxOptions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Previously, SecurityPolicyEnabled was only set for LCOW when no-security-hardware was false, which meant the security policy was never plumbed to the GCS in the no-hardware dev path. This differed from the WCOW path which always sets SecurityPolicyEnabled when a policy is present.
Move SecurityPolicyEnabled assignment out of the !noSecurityHardware block so it is set whenever a security policy string is present. Gate the SNP-specific HCS document (makeLCOWSecurityDoc) on GuestStateFilePath instead, since that is only set when real SNP hardware is available.
Add AI generated unit tests.