Disable video console in SNP mode

ambarve · ambarve · commit 1f31fdda902b · 2025-09-26T09:25:07.000-04:00
Video console is not supported when a UVM is being started in SNP isolation mode. It is
anyway always disabled when starting a pod, but uvmboot tool always enabled it until
now. This change only enables it if the isolation mode isn't SNP.

Also, adds a new log statement to log the generated UVM HCS doc.

Signed-off-by: Amit Barve &lt;ambarve@microsoft.com&gt;
diff --git a/internal/tools/uvmboot/conf_wcow.go b/internal/tools/uvmboot/conf_wcow.go
@@ -114,8 +114,10 @@ var cwcowCommand = cli.Command{
 			options.DisableSecureBoot = cwcowDisableSecureBoot
 			options.GuestStateFilePath = cwcowVMGSPath
 			options.IsolationType = cwcowIsolationMode
-			// always enable graphics console with uvmboot - helps with testing/debugging
-			options.EnableGraphicsConsole = true
+
+			// graphics console helps with testing/debugging however, it
+			// doesn't work in SNP isolation mode.
+			options.EnableGraphicsConsole = cwcowIsolationMode != "SecureNestedPaging"
 			options.WritableEFI = cwcowWritableEFI
 
 			var err error
diff --git a/internal/uvm/create_wcow.go b/internal/uvm/create_wcow.go
@@ -5,6 +5,7 @@ package uvm
 import (
 	"context"
 	"encoding/base64"
+	"encoding/json"
 	"fmt"
 	"maps"
 	"os"
@@ -354,7 +355,7 @@ func prepareSecurityConfigDoc(ctx context.Context, uvm *UtilityVM, opts *Options
 
 	enableHCL := true
 	doc.VirtualMachine.SecuritySettings = &hcsschema.SecuritySettings{
-		EnableTpm: false,
+		EnableTpm: false, // TPM MUST always remain false in confidential mode as per the design
 		Isolation: &hcsschema.IsolationSettings{
 			IsolationType: "SecureNestedPaging",
 			HclEnabled:    &enableHCL,
@@ -531,6 +532,10 @@ func CreateWCOW(ctx context.Context, opts *OptionsWCOW) (_ *UtilityVM, err error
 		return nil, fmt.Errorf("error in preparing config doc: %w", err)
 	}
 
+	// log the HCS doc for debugging purposes, we don't care about the JSON marshalling errors here
+	jsondoc, _ := json.Marshal(doc)
+	log.G(ctx).Tracef("UVM HCS doc: %s", jsondoc)
+
 	err = uvm.create(ctx, doc)
 	if err != nil {
 		return nil, fmt.Errorf("error while creating the compute system: %w", err)
