Attach EFI VHD in read-only mode by default

ambarve · ambarve · commit c93823621f3b · 2025-08-08T15:49:01.000-04:00
EFI VHDs should always be attached as read-only by default to block UVMs from writing to
it and corrupting its contents.

Signed-off-by: Amit Barve &lt;ambarve@microsoft.com&gt;
diff --git a/internal/oci/uvm.go b/internal/oci/uvm.go
@@ -245,6 +245,7 @@ func handleWCOWSecurityPolicy(ctx context.Context, a map[string]string, wopts *u
 	wopts.SecurityPolicyEnforcer = ParseAnnotationsString(a, annotations.WCOWSecurityPolicyEnforcer, wopts.SecurityPolicyEnforcer)
 	wopts.DisableSecureBoot = ParseAnnotationsBool(ctx, a, annotations.WCOWDisableSecureBoot, false)
 	wopts.GuestStateFilePath = ParseAnnotationsString(a, annotations.WCOWGuestStateFile, uvm.GetDefaultConfidentialVMGSPath())
+	wopts.WritableEFI = ParseAnnotationsBool(ctx, a, annotations.WCOWWritableEFI, false)
 	if ParseAnnotationsBool(ctx, a, annotations.WCOWNoSecurityHardware, false) {
 		wopts.NoSecurityHardware = true
 		wopts.IsolationType = "VirtualizationBasedSecurity"
diff --git a/internal/uvm/create_wcow.go b/internal/uvm/create_wcow.go
@@ -42,6 +42,7 @@ type ConfidentialWCOWOptions struct {
 	IsolationType      string
 	DisableSecureBoot  bool
 	FirmwareParameters string
+	WritableEFI        bool
 }
 
 // OptionsWCOW are the set of options passed to CreateWCOW() to create a utility vm.
@@ -402,8 +403,9 @@ func prepareSecurityConfigDoc(ctx context.Context, uvm *UtilityVM, opts *Options
 		Type_: "VirtualDisk",
 	}
 	doc.VirtualMachine.Devices.Scsi[guestrequest.ScsiControllerGuids[0]].Attachments["1"] = hcsschema.Attachment{
-		Path:  opts.BootFiles.BlockCIMFiles.EFIVHDPath,
-		Type_: "VirtualDisk",
+		Path:     opts.BootFiles.BlockCIMFiles.EFIVHDPath,
+		Type_:    "VirtualDisk",
+		ReadOnly: !opts.WritableEFI,
 	}
 	doc.VirtualMachine.Devices.Scsi[guestrequest.ScsiControllerGuids[0]].Attachments["2"] = hcsschema.Attachment{
 		Path:     opts.BootFiles.BlockCIMFiles.BootCIMVHDPath,
diff --git a/pkg/annotations/annotations.go b/pkg/annotations/annotations.go
@@ -205,6 +205,10 @@ const (
 	// Allows disabling secure boot for testing and debugging scenarios, secure boot doesn't apply to confidential LCOW so
 	// this is a WCOW only config
 	WCOWDisableSecureBoot = "io.microsoft.virtualmachine.wcow.no_secure_boot"
+
+	// Attaches the EFI/boot VHD in the writable mode (instead of the default read-only mode). This is usually required
+	// when debugging boot to capture bootstat traces.
+	WCOWWritableEFI = "io.microsoft.virtualmachine.wcow.writable_efi"
 )
 
 // WCOW host process container annotations.

Original file line number	Diff line number	Diff line change
`@@ -42,6 +42,7 @@ type ConfidentialWCOWOptions struct {`
`42`	`42`	`IsolationType string`
`43`	`43`	`DisableSecureBoot bool`
`44`	`44`	`FirmwareParameters string`
	`45`	`+ WritableEFI bool`
`45`	`46`	`}`
`46`	`47`
`47`	`48`	`// OptionsWCOW are the set of options passed to CreateWCOW() to create a utility vm.`
`@@ -402,8 +403,9 @@ func prepareSecurityConfigDoc(ctx context.Context, uvm UtilityVM, opts Options`
`402`	`403`	`Type_: "VirtualDisk",`
`403`	`404`	`}`
`404`	`405`	`doc.VirtualMachine.Devices.Scsi[guestrequest.ScsiControllerGuids[0]].Attachments["1"] = hcsschema.Attachment{`
`405`		`- Path: opts.BootFiles.BlockCIMFiles.EFIVHDPath,`
`406`		`- Type_: "VirtualDisk",`
	`406`	`+ Path: opts.BootFiles.BlockCIMFiles.EFIVHDPath,`
	`407`	`+ Type_: "VirtualDisk",`
	`408`	`+ ReadOnly: !opts.WritableEFI,`
`407`	`409`	`}`
`408`	`410`	`doc.VirtualMachine.Devices.Scsi[guestrequest.ScsiControllerGuids[0]].Attachments["2"] = hcsschema.Attachment{`
`409`	`411`	`Path: opts.BootFiles.BlockCIMFiles.BootCIMVHDPath,`