Description
Related command
az snapshot show
az disk create
az disk grant-access
Resource Provider
Microsoft.Compute/disks
Microsoft.Compute/snapshots
Description of Feature or Work Requested
Feature request to add an output value, a new parameter, and new values for existing parameters in the following commands, so that they support Trusted Launch VM disks.
The goal is to complete disk management for Trusted Launch VMs (already GA):
- validate whether a snapshot the customer has taken is enabled for TrustedLaunch.
- import a managed OS disk together with the VMGuestState disk that Trusted Launch VMs require.
- upload a managed OS disk using the same --for-upload parameter, specifying whether the upload is for a Trusted Launch VM or a non-Trusted Launch VM.
Additional Output Value
az snapshot show
When the customer runs az snapshot show, the output should include the securityProfile of the snapshot. The securityProfile output is already supported by az disk show; the same needs to be extended to snapshots:
```json
"securityProfile": {
  "securityType": "TrustedLaunch"
},
```
New Parameter
--security-data-uri (az disk create)
New string parameter --security-data-uri for the command az disk create:
- Allows the customer to pass the Blob URI of the VM Guest State VHD.
- When specified, the command should interpret that the disk is being imported from an unmanaged VHD in a storage account, or from another managed disk, as the OS disk of a VM with the TrustedLaunch security type.
- The --security-type parameter is mandatory when a --security-data-uri value is passed.
- The --hyper-v-generation parameter value should be V2.
- This is the URI of the blob to be imported as the VM guest state.
--secure-vm-guest-state-sas (az disk grant-access)
New bool parameter --secure-vm-guest-state-sas for az disk grant-access:
- Allows the customer to request the VM Guest State SAS.
- Required when --for-upload was set to the new value secureOSUpload.
- The output should show both accessSas and securityDataAccessSAS in the response.
Existing Parameter
--for-upload (az disk create)
Convert --for-upload to an enum and introduce the additional value secureOSUpload for the --for-upload parameter of az disk create. In addition, replace the value true with nonSecureOSUpload.
After the change, the following values will be accepted for the parameter:
| --for-upload value | Description |
|---|---|
| false | OS Disk created is not using upload method. |
| nonSecureOSUpload | OS Disk created using upload method for VM with security type Standard |
| secureOSUpload | OS Disk created using upload method will be used with VM using TrustedLaunch security type or ConfidentialVM |
- Allows the customer to specify, with the parameter value secureOSUpload, that the disk will be uploaded from local storage for use as the OS disk of a VM with the TrustedLaunch security type.
- For VMs with the Standard security type, customers provide the parameter value nonSecureOSUpload.
- The --security-type parameter is mandatory when --for-upload is set to secureOSUpload.
- The --hyper-v-generation parameter value should be V2 when --for-upload is set to secureOSUpload.
- The parameter --secure-vm-guest-state-sas is required for az disk grant-access when --for-upload was set to secureOSUpload.
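The parameter rules above combine across two commands, so they are easy to get wrong in scripts. The following is an added example (not part of the Azure CLI code base) that encodes them as a pre-flight validator: the enum values and the legacy true mapping for --for-upload, the --security-type and --hyper-v-generation V2 requirements shared by the --security-data-uri and secureOSUpload paths, and the --secure-vm-guest-state-sas requirement for az disk grant-access. The names `DiskCreateArgs`, `validate_disk_create` and `validate_grant_access` are this example's own, and the https check on --security-data-uri is an added check, not a rule from this request.

```python
# Added example: pre-flight validator for the Trusted Launch disk parameter rules
# described in this request. Not part of the Azure CLI; names are this example's own.
from dataclasses import dataclass
from typing import List, Optional

# Values the request says --for-upload will accept once it becomes an enum.
FOR_UPLOAD_VALUES = ("false", "nonSecureOSUpload", "secureOSUpload")
# The request replaces the legacy value "true" with nonSecureOSUpload.
LEGACY_FOR_UPLOAD = {"true": "nonSecureOSUpload", "false": "false"}


@dataclass
class DiskCreateArgs:
    """Subset of `az disk create` arguments that the rules above constrain."""
    for_upload: str = "false"
    security_type: Optional[str] = None
    hyper_v_generation: Optional[str] = None
    security_data_uri: Optional[str] = None


def normalize_for_upload(value: Optional[str]) -> str:
    """Map a raw --for-upload value (including legacy true/false) onto the new enum."""
    if value is None:
        return "false"
    stripped = value.strip()
    return LEGACY_FOR_UPLOAD.get(stripped.lower(), stripped)


def validate_disk_create(args: DiskCreateArgs) -> List[str]:
    """Return the rule violations for an `az disk create` call; empty means consistent."""
    errors: List[str] = []
    for_upload = normalize_for_upload(args.for_upload)
    if for_upload not in FOR_UPLOAD_VALUES:
        errors.append(f"--for-upload must be one of {', '.join(FOR_UPLOAD_VALUES)}; "
                      f"got {args.for_upload!r}")

    # Both the secure import path (--security-data-uri) and the secure upload path
    # (--for-upload secureOSUpload) require --security-type and --hyper-v-generation V2.
    secure_path = for_upload == "secureOSUpload" or args.security_data_uri is not None
    if secure_path:
        if not args.security_type:
            errors.append("--security-type is mandatory with --security-data-uri "
                          "or --for-upload secureOSUpload")
        if args.hyper_v_generation != "V2":
            errors.append("--hyper-v-generation must be V2 with --security-data-uri "
                          "or --for-upload secureOSUpload")

    # Added check beyond the request's rules: the guest state VHD is referenced by a
    # blob URI, so reject non-https values before the CLI sends them to the RP.
    if args.security_data_uri is not None and \
            not args.security_data_uri.lower().startswith("https://"):
        errors.append("--security-data-uri must be an https:// blob URI")
    return errors


def validate_grant_access(for_upload: str, secure_vm_guest_state_sas: bool) -> List[str]:
    """The guest state SAS must be requested when the disk was created for secure upload."""
    if normalize_for_upload(for_upload) == "secureOSUpload" and not secure_vm_guest_state_sas:
        return ["--secure-vm-guest-state-sas is required for az disk grant-access when the "
                "disk was created with --for-upload secureOSUpload"]
    return []


if __name__ == "__main__":
    good = DiskCreateArgs("secureOSUpload", "TrustedLaunch", "V2")
    bad = DiskCreateArgs("secureOSUpload", None, "V1")
    print(validate_disk_create(good))                 # []
    print(validate_disk_create(bad))                  # two violations
    print(validate_grant_access("secureOSUpload", False))
```

Run the validator over the arguments a deployment script intends to pass before calling az; a non-empty list means the CLI call would be rejected (or, worse, silently create a non-Trusted-Launch disk) under the rules this request specifies.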
End to End Usage
Scenario 1 - Get Trusted Launch VM Disk Snapshot
- Get the Virtual Machine disk snapshot:
```bash
az snapshot show --id $snapshotResourceId
```
Output (the securityProfile block is the value this request adds):
```json
{
  "completionPercent": null,
  "creationData": {
    "createOption": "Copy",
    "galleryImageReference": null,
    "imageReference": null,
    "logicalSectorSize": null,
    "sourceResourceId": "/subscriptions/390a3e32-6963-47d8-bcef-ee8db1c22720/resourceGroups/tvm-cli-change-rg/providers/Microsoft.Compute/disks/tvm-cli-change-vm_OsDisk_1_78358962d0b645a0a3899f18c98b099a",
    "sourceUniqueId": "78358962-d0b6-45a0-a389-9f18c98b099a",
    "sourceUri": null,
    "storageAccountId": null,
    "uploadSizeBytes": null
  },
  "diskAccessId": null,
  "diskSizeBytes": 32213303296,
  "diskSizeGb": 30,
  "diskState": "Unattached",
  "encryption": {
    "diskEncryptionSetId": null,
    "type": "EncryptionAtRestWithPlatformKey"
  },
  "encryptionSettingsCollection": null,
  "extendedLocation": null,
  "hyperVGeneration": "V2",
  "id": "/subscriptions/390a3e32-6963-47d8-bcef-ee8db1c22720/resourceGroups/tvm-cli-change-rg/providers/Microsoft.Compute/snapshots/test01",
  "incremental": false,
  "location": "southeastasia",
  "managedBy": null,
  "name": "test01",
  "networkAccessPolicy": "AllowAll",
  "osType": "Linux",
  "provisioningState": "Succeeded",
  "publicNetworkAccess": "Enabled",
  "purchasePlan": null,
  "resourceGroup": "tvm-cli-change-rg",
  "securityProfile": {
    "securityType": "TrustedLaunch"
  },
  "sku": {
    "name": "Standard_LRS",
    "tier": "Standard"
  },
  "supportedCapabilities": {
    "acceleratedNetwork": true,
    "architecture": "x64"
  },
  "supportsHibernation": null,
  "tags": {},
  "timeCreated": "2022-04-29T12:48:54.475669+00:00",
  "type": "Microsoft.Compute/snapshots",
  "uniqueId": "8e845670-5c0f-4153-a178-9a544ba4b7e1"
}
```
Scenario 2 - Secure Import of Trusted Launch VM OS Disk
- Create the disk with --for-secure-import and the --security-data-uri parameter:
```bash
az disk create -n $diskName -g $resourceGroup \
  -l $location --os-type Windows --hyper-v-generation V2 \
  --security-type "TrustedLaunch" \
  --source $sourceDiskVhdUri --security-data-uri $guestStateDiskVhdUri \
  --sku standard_lrs
```
Scenario 3 - Secure Upload of Trusted Launch VM OS Disk
- Create an empty disk with the --for-secure-upload parameter:
```bash
az disk create -n $diskName -g $resourceGroup \
  -l $location --os-type Windows --hyper-v-generation V2 \
  --security-type "TrustedLaunch" --for-upload secureOSUpload \
  --upload-size-bytes 34359738880 --sku standard_lrs
```
- Grant access to generate accessSas and securityDataAccessSAS using the --secure-vm-guest-state-sas parameter:
```bash
diskSas=$(az disk grant-access -n $diskName -g $resourceGroup \
  --access-level Write --duration-in-seconds 86400 \
  --secure-vm-guest-state-sas true)
```
Returned value schema:
```json
{
  "accessSas": "https://md-impexp-t0rdsfgsdfg4.blob.core.windows.net/w2c3mj0ksfgl/abcd?sv=2017-04-17&sr=b&si=600a9281-d39e-4cc3-91d2-923c4a696537&sig=xXaT6mFgf139ycT87CADyFxb%2BnPXBElYirYRlbnJZbs%3D",
  "securityDataAccessSas": "<VM Guest State Sas URI>"
}
```
- Copy the disk content from a local VHD:
```
AzCopy.exe copy "c:\somewhere\mydisk.vhd" $diskSas.AccessSAS --blob-type PageBlob
```
- Copy the VM Guest State content from a local VHD:
```
AzCopy.exe copy "c:\somewhere\myvmgs.vhd" $diskSas.securityDataAccessSAS --blob-type PageBlob
```
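Scenario 3 hands two write SAS URIs to AzCopy, one per artifact, and the upload is only complete when both the OS VHD and the VM guest state VHD land in the right blob. The following is an added example (not part of the Azure CLI or AzCopy) that takes the az disk grant-access response and builds the two AzCopy invocations from it, refusing to proceed when securityDataAccessSas is absent (the disk was granted without --secure-vm-guest-state-sas true) or a SAS is not https, and redacting the sig token before anything is logged. The sample response is constructed with placeholder SAS values, and the helper names (`plan_secure_upload`, `redact_sas`) are this example's own; the field lookup is case-insensitive because the text spells the key securityDataAccessSAS while the JSON uses securityDataAccessSas.

```python
# Added example: map the `az disk grant-access` response of a secureOSUpload disk
# to the two AzCopy uploads the scenario performs. Not Azure CLI or AzCopy code.
import json
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Constructed sample shaped like the "Returned value schema" above; the sig values
# are placeholders, not real SAS tokens.
SAMPLE_RESPONSE = json.dumps({
    "accessSas": "https://md-example.blob.core.windows.net/container/osdisk"
                 "?sv=2017-04-17&sr=b&sig=EXAMPLE_OS_SIG",
    "securityDataAccessSas": "https://md-example.blob.core.windows.net/container/vmgs"
                             "?sv=2017-04-17&sr=b&sig=EXAMPLE_VMGS_SIG",
})


def _get_ci(resp: Dict[str, str], key: str) -> str:
    """Case-insensitive field lookup (securityDataAccessSAS vs securityDataAccessSas)."""
    for name, value in resp.items():
        if name.lower() == key.lower():
            return value
    return ""


def redact_sas(uri: str) -> str:
    """Drop the query string so the URI can be logged without leaking the sig= token."""
    parts = urlsplit(uri)
    return f"{parts.scheme}://{parts.netloc}{parts.path}"


def _check_sas(uri: str, label: str) -> None:
    """Reject a write SAS that is not https or carries no signature at all."""
    parts = urlsplit(uri)
    if parts.scheme != "https":
        raise ValueError(f"{label}: write SAS must be https, got {redact_sas(uri)!r}")
    if "sig" not in parse_qs(parts.query):
        raise ValueError(f"{label}: URI carries no SAS signature")


def plan_secure_upload(grant_access_json: str, os_vhd: str, vmgs_vhd: str) -> List[List[str]]:
    """Build the AzCopy argv lists for the OS disk and VM guest state uploads."""
    resp = json.loads(grant_access_json)
    access_sas = _get_ci(resp, "accessSas")
    guest_state_sas = _get_ci(resp, "securityDataAccessSas")
    if not access_sas:
        raise ValueError("response has no accessSas; was --access-level Write granted?")
    if not guest_state_sas:
        raise ValueError("response has no securityDataAccessSas; rerun az disk grant-access "
                         "with --secure-vm-guest-state-sas true")
    _check_sas(access_sas, "accessSas")
    _check_sas(guest_state_sas, "securityDataAccessSas")
    # Both artifacts are uploaded as page blobs, as in the scenario above.
    return [
        ["AzCopy.exe", "copy", os_vhd, access_sas, "--blob-type", "PageBlob"],
        ["AzCopy.exe", "copy", vmgs_vhd, guest_state_sas, "--blob-type", "PageBlob"],
    ]


if __name__ == "__main__":
    plan = plan_secure_upload(SAMPLE_RESPONSE,
                              r"c:\somewhere\mydisk.vhd", r"c:\somewhere\myvmgs.vhd")
    for argv in plan:
        # Log with the SAS redacted; the full token exists only in argv for AzCopy.
        print(argv[0], argv[1], argv[2], "->", redact_sas(argv[3]))
```

The returned argv lists can be passed to subprocess.run as-is; keeping the SAS out of a shell string also avoids the quoting problems that the & characters in the query string cause.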
Minimum API Version Required
2021-08-01
Swagger PR link
Azure/azure-rest-api-specs#17118
Target Date
2022-07-05
Additional context
Request for Trusted Launch VM feature.
- Link to CVM Disk RP Swagger Spec
- Get Managed Disk Information JSON
- Get Snapshot Information JSON
- Get Access JSON
- Trusted Launch specific modifications in Get-AzSnapshot response & New-AzDiskConfig cmdlet
Contacts
| Role | Contact |
|---|---|
| Main developer contacts (emails + github aliases) | Abhishek Verma (AZURE) [email protected], Anshul Solanki [email protected] |
| PM contact (email + github alias) | Ajay Kundnani [email protected] |
| Other people who should attend a design review (email) | Run Cai [email protected], Deepak J V [email protected] |