How to bind the PK in an Azure VM?
Hello, Thanks for your support. I have one question.
Question: Does Azure currently support binding a PK (Platform Key) to a VM for the UEFI feature?
I'm trying to bind a PK in an Azure VM. I followed the reference document below, but its ARM template shows only a db key. I was able to bind the db key as described in Microsoft's reference document, and I then changed the ARM template to bind pk, kek, and db for the UEFI feature. However, the VM reports a provisioning error when it is deployed.
Step 1. I get an error when I add the pk key with 'MicrosoftUefiCertificateAuthorityTemplate' as signatureTemplateNames in uefiSettings, so I changed the value to 'NoSignatureTemplate' instead of 'MicrosoftUefiCertificateAuthorityTemplate'. (The template pasted below still lists 'MicrosoftUefiCertificateAuthorityTemplate'.)
Step 2. I deployed this ARM template and then saw a provisioning error code.
provisioning_state_error_code.png
pk_kek_db_template.json.txt
Ref : https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch-secure-boot-custom-uefi#method-to-create-azure-c[…]vm-by-using-the-azure-cli
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json",
"contentVersion": "1.0.0.0",
"parameters": {
},
"resources": [
{
"type": "Microsoft.Compute/galleries",
"apiVersion": "2022-01-03",
"name": "customuefigallerytest",
"location": "[resourceGroup().location]",
"tags": {
"AzSecPackAutoConfigReady": "true"
},
"properties": {
"identifier": {}
}
},
{
"type": "Microsoft.Compute/galleries/images",
"apiVersion": "2022-08-03",
"name": "[concat('customuefigallerytest', '/', 'image_def')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Compute/galleries', 'customuefigallerytest')]"
],
"tags": {
"AzSecPackAutoConfigReady": "true"
},
"properties": {
"hyperVGeneration": "V2",
"architecture": "x64",
"osType": "Linux",
"osState": "Generalized",
"identifier": {
"publisher": "testpublisher",
"offer": "testoffer",
"sku": "testsku"
},
"features": [
{
"name": "SecurityType",
"value": "TrustedLaunchSupported"
}
],
"recommended": {
"vCPUs": {
"min": 1,
"max": 16
},
"memory": {
"min": 1,
"max": 32
}
}
}
},
{
"type": "Microsoft.Compute/galleries/images/versions",
"apiVersion": "2022-08-03",
"name": "[concat('customuefigallerytest', '/','image_def','/', '1.0.0')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Compute/galleries/images', 'customuefigallerytest', 'image_def')]",
"[resourceId('Microsoft.Compute/galleries', 'customuefigallerytest')]"
],
"properties": {
"publishingProfile": {
"targetRegions": [
{
"name": "[resourceGroup().location]",
"regionalReplicaCount": 1
}
]
},
"storageProfile": {
"osDiskImage": {
"hostCaching": "ReadOnly",
"source": {
"uri": "https://sourceosvhdeastus2euap.blob.core.windows.net/ubuntu2204cvmsmalldisk/abcd",
"storageAccountId": "/subscriptions/130068aa-dcf8-46e8-a2cc-205ab4a32b30/resourceGroups/sharmade-customuefi-canarytest/providers/Microsoft.Storage/storageAccounts/sourceosvhdeastus2euap"
}
}
},
"securityProfile": {
"uefiSettings": {
"signatureTemplateNames": [
"MicrosoftUefiCertificateAuthorityTemplate"
],
"additionalSignatures": {
"pk": [
{
"type": "x509",
"value": [
"MIIxxx="
]
}
],
"kek": [
{
"type": "x509",
"value": [
"MIIyyy="
]
}
],
"db": [
{
"type": "x509",
"value": [
"MIIzzz="
]
}
]
}
}
}
}
}
]
}