From 97ec9b5a0660af4b9941a8650f374edb395bc3b1 Mon Sep 17 00:00:00 2001
From: Mitch Zhu
Date: Fri, 27 Feb 2026 00:10:51 +0000
Subject: [PATCH] feat: disable kernel lockdown mode for azurelinux 3.0 aks image
The AzureLinux 3.0 kernel auto-enables lockdown when secure boot is detected via an OOT patch. Disable kernel lockdown by default to enable AKS customer installing their own custom GPU driver when using azurelinux 3.0.
Signed-off-by: Mitch Zhu
---
 vhdbuilder/packer/pre-install-dependencies.sh | 7 +++++++
 .../scripts/linux/mariner/tool_installs_mariner.sh | 9 +++++++++
 2 files changed, 16 insertions(+)
diff --git a/vhdbuilder/packer/pre-install-dependencies.sh b/vhdbuilder/packer/pre-install-dependencies.sh
index 2e1b81e4c31..12ef2118e6a 100644
--- a/vhdbuilder/packer/pre-install-dependencies.sh
+++ b/vhdbuilder/packer/pre-install-dependencies.sh
@@ -122,6 +122,13 @@ if [[ ${OS} == ${MARINER_OS_NAME} ]] && [[ "${ENABLE_CGROUPV2,,}" == "true" ]];
 fi
 capture_benchmark "${SCRIPT_NAME}_enable_cgroupv2_for_azurelinux"
+# Remove lockdown=integrity from kernel cmdline for Azure Linux 3.0
+# The kernel has an OOT patch that auto-enables lockdown when secure boot is detected
+if isMarinerOrAzureLinux "$OS" && [[ "$OS_VERSION" == "3.0" ]]; then
+ disableKernelLockdownCmdline
+fi
+capture_benchmark "${SCRIPT_NAME}_disable_kernel_lockdown_cmdline"
+
 # shellcheck disable=SC3010
 if [[ ${UBUNTU_RELEASE//./} -ge 2204 && "${ENABLE_FIPS,,}" != "true" ]]; then
diff --git a/vhdbuilder/scripts/linux/mariner/tool_installs_mariner.sh b/vhdbuilder/scripts/linux/mariner/tool_installs_mariner.sh
index 4ba21baac0d..247bef28c5a 100755
--- a/vhdbuilder/scripts/linux/mariner/tool_installs_mariner.sh
+++ b/vhdbuilder/scripts/linux/mariner/tool_installs_mariner.sh
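Review bot: The new block at the end of the hunk runs for every Azure Linux 3.0 image with no opt-out, whereas the adjacent cgroupv2 block at the top of the hunk is keyed on `ENABLE_CGROUPV2`; kernel lockdown in integrity mode is what blocks unsigned module loading and other kernel-modifying operations under Secure Boot, so every customer loses that protection, not only those installing a custom GPU driver. Consider gating the `disableKernelLockdownCmdline` call on a build-time flag in the same style as the `ENABLE_CGROUPV2` check, and make the comment state the trade-off explicitly, e.g. `# NOTE: this relaxes Secure Boot protections (unsigned kernel modules become loadable); kept on by default so customers can install out-of-tree GPU drivers`. The comment also says the kernel auto-enables lockdown via an OOT patch, yet the code only removes the cmdline argument — if the auto-enable does not depend on that argument this has no effect at boot, so the comment should say why removing the argument is sufficient. The enclosing script continues outside the hunk.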
@@ -172,6 +172,15 @@ activateNfConntrack() {
 echo nf_conntrack >> /etc/modules-load.d/contrack.conf
 }
+# Remove lockdown=integrity from kernel cmdline for Azure Linux 3.0.
+# The AzureLinux 3.0 kernel has an OOT patch that automatically enables
+# lockdown when secure boot is detected.
+disableKernelLockdownCmdline() {
+ echo "Removing lockdown=integrity from kernel cmdline..."
+ dnf_install 120 5 25 grubby || exit $ERR_APT_INSTALL_TIMEOUT
+ grubby --update-kernel=ALL --remove-args="lockdown"
+}
+
 installFIPS() {
 echo "Installing FIPS..."
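Review bot: The `grubby --update-kernel=ALL --remove-args="lockdown"` line in `disableKernelLockdownCmdline` has no exit-status check, unlike the `dnf_install` line directly above it, so a grubby failure (or a grub configuration it cannot edit — whether grubby handles the Azure Linux boot config in the builder is not shown here) leaves `lockdown=integrity` in place while the build still succeeds, and the image silently ships in the opposite state from what the commit claims. Fail the build on that line, `grubby --update-kernel=ALL --remove-args="lockdown" || exit $ERR_APT_INSTALL_TIMEOUT` (or a more specific error code if the file defines one), and verify the edit took effect before returning, e.g. `grubby --info=ALL | grep -q 'lockdown=' && exit $ERR_APT_INSTALL_TIMEOUT`. Since the comment says lockdown is auto-enabled by an OOT patch on Secure Boot rather than by the argument being removed, an image-level test that boots the VHD and reads `/sys/kernel/security/lockdown` would confirm the change actually works. `installFIPS` continues outside the hunk.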