Set disk identifier for confidential UVM's scratch and Pass UVM measurement info to sidecar GCS #2545
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
There was a problem hiding this comment.
Pull Request Overview
This PR updates the github.com/Microsoft/go-winio dependency from v0.6.2 to v0.6.3-0.20251027160822-ad3df93bed29 and integrates new functionality for VHD identifier management and UVM reference information handling in confidential computing scenarios.
Key changes:
- Updates go-winio dependency to add virtual disk identifier get/set functionality
- Implements UVM reference info file handling for confidential WCOW VMs
- Sets predefined GUID identifier on scratch VHDs for reliable disk identification
- Removes deprecated
// +buildconstraint comments in favor of//go:builddirectives
Reviewed Changes
Copilot reviewed 7 out of 38 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| go.mod, go.sum, vendor/modules.txt | Updates go-winio dependency to v0.6.3-0.20251027160822-ad3df93bed29 |
| vendor/github.com/Microsoft/go-winio/vhd/vhd.go | Adds GetVirtualDiskIdentifier and SetVirtualDiskIdentifier functions for VHD management |
| vendor/github.com/Microsoft/go-winio/vhd/zvhd_windows.go | Adds Windows syscall implementations for virtual disk information operations |
| vendor/github.com/Microsoft/go-winio/pkg/bindfilter/bind_filter.go | Simplifies error messages by replacing fmt.Errorf with errors.New for static errors |
| vendor/github.com/Microsoft/go-winio/*.go | Removes deprecated // +build constraint comments |
| internal/uvm/create_wcow.go | Defines unformattedScratchIdentifier GUID and sets it on scratch VHDs |
| internal/uvm/security_policy.go | Adds WithWCOWUVMReferenceInfo option to handle UVM reference info files |
| internal/uvm/start.go | Integrates UVM reference info file into confidential UVM setup |
| internal/oci/uvm.go | Adds annotation parsing for UVM reference info file path |
| internal/protocol/guestresource/resources.go | Updates WCOWConfidentialOptions struct with EncodedUVMReference field |
| internal/gcs-sidecar/host.go | Stores UVM reference info from security policy request |
| vendor/github.com/Microsoft/go-winio/.golangci.yml | Adds linter exclusion for gosec G115 integer overflow warnings |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
ambarve
force-pushed
the
cwcow_scratch_guid
branch
2 times, most recently
from
597d8d4 to
dbe8c71
Compare
anmaxvl
approved these changes
Oct 29, 2025
MahatiC
suggested changes
Oct 29, 2025
MahatiC
approved these changes
Oct 29, 2025
ambarve
force-pushed
the
cwcow_scratch_guid
branch
from
dbe8c71 to
120822c
Compare
ambarve
changed the title
Confidential UVMs boot with a scratch that is completely empty (not even a partition table on it). The UVM formats it as a part of the boot flow. However, the UVM needs a way to correctly identify and distinguish between the scratch & boot VHDs. We do this by setting a pre-defined GUID in the VirtualDiskIdentifier field of the VHD metadata. A fixed pre-defined GUID will be set in the metadata of every UVM's scratch. Signed-off-by: Amit Barve <[email protected]>
ambarve
force-pushed
the
cwcow_scratch_guid
branch
from
120822c to
b7dc4bc
Compare
ambarve
changed the title
anmaxvl
approved these changes
Oct 29, 2025
A reference_info.cose file is usually shipped along with other UVM boot files. This file contains signed measurements of the UVM. We need to pass the contents of this file to the sidecar GCS so that it can make it available to the containers running inside the UVM. Signed-off-by: Amit Barve <[email protected]>
ambarve
force-pushed
the
cwcow_scratch_guid
branch
from
8d6f821 to
1249099
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR adds following two commits:
Confidential UVMs boot with a scratch that is completely empty (not even a partition table
on it). The UVM formats it as a part of the boot flow. However, the UVM needs a way to
correctly identify and distinguish between the scratch & boot VHDs. We do this by setting
a pre-defined GUID in the VirtualDiskIdentifier field of the VHD metadata. A fixed
pre-defined GUID will be set in the metadata of every UVM's scratch.
A reference_info.cose file is usually shipped along with other UVM boot files. This file
contains signed measurements of the UVM. We need to pass the contents of this file to the
sidecar GCS so that it can make it available to the containers running inside the UVM.