7 changes: 7 additions & 0 deletions vhdbuilder/packer/pre-install-dependencies.sh
Expand Up @@ -122,6 +122,13 @@ if [[ ${OS} == ${MARINER_OS_NAME} ]] && [[ "${ENABLE_CGROUPV2,,}" == "true" ]];
fi
capture_benchmark "${SCRIPT_NAME}_enable_cgroupv2_for_azurelinux"

# Remove lockdown=integrity from kernel cmdline for Azure Linux 3.0
# The kernel has an OOT patch that auto-enables lockdown when secure boot is detected
if isMarinerOrAzureLinux "$OS" && [[ "$OS_VERSION" == "3.0" ]]; then
disableKernelLockdownCmdline
fi
capture_benchmark "${SCRIPT_NAME}_disable_kernel_lockdown_cmdline"

# shellcheck disable=SC3010
if [[ ${UBUNTU_RELEASE//./} -ge 2204 && "${ENABLE_FIPS,,}" != "true" ]]; then

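Review bot: The comment above the new `disableKernelLockdownCmdline` call explains only that the Azure Linux 3.0 kernel auto-enables lockdown when Secure Boot is detected; it does not say what happens on a boot where Secure Boot is not detected, which after this change would run with no lockdown enforced at all because the explicit cmdline argument is gone. That trade-off should be recorded where the decision is made, e.g. `# NOTE: on boots without Secure Boot, lockdown is no longer enforced once the cmdline arg is removed; Secure Boot VMs rely on the OOT patch.` The same documentation gap applies to the function definition in vhdbuilder/scripts/linux/mariner/tool_installs_mariner.sh. The `"$OS_VERSION" == "3.0"` test is an exact string match, so if OS_VERSION can ever carry a patch component the branch would silently be skipped; I cannot confirm the value's format from this hunk.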
9 changes: 9 additions & 0 deletions vhdbuilder/scripts/linux/mariner/tool_installs_mariner.sh
Expand Up @@ -172,6 +172,15 @@ activateNfConntrack() {
echo nf_conntrack >> /etc/modules-load.d/contrack.conf
}

# Remove lockdown=integrity from kernel cmdline for Azure Linux 3.0.
# The AzureLinux 3.0 kernel has an OOT patch that automatically enables
# lockdown when secure boot is detected.
disableKernelLockdownCmdline() {
echo "Removing lockdown=integrity from kernel cmdline..."
dnf_install 120 5 25 grubby || exit $ERR_APT_INSTALL_TIMEOUT
grubby --update-kernel=ALL --remove-args="lockdown"
Copilot AI Feb 27, 2026

disableKernelLockdownCmdline prints that it is removing lockdown=integrity, but the command uses --remove-args="lockdown" and does not check the grubby exit code. This can either remove more than intended (e.g., other lockdown modes) or silently fail to remove the specific lockdown=integrity arg, leaving the VHD in the problematic state. Please (1) remove the exact arg you intend (e.g., lockdown=integrity) and/or validate the resulting cmdline, and (2) fail the build if the grubby update fails (consistent with the dnf_install error handling).

Suggested change
grubby --update-kernel=ALL --remove-args="lockdown"
grubby --update-kernel=ALL --remove-args="lockdown=integrity" || exit $ERR_APT_INSTALL_TIMEOUT
# Verify that lockdown=integrity has been removed from all kernels' cmdlines.
if grubby --info=ALL | grep -q 'lockdown=integrity'; then
echo "Failed to remove lockdown=integrity from kernel cmdline."
exit $ERR_APT_INSTALL_TIMEOUT
fi

}

installFIPS() {

echo "Installing FIPS..."
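Review bot: After the `grubby --update-kernel=ALL --remove-args=...` line in `disableKernelLockdownCmdline` the function leaves no record of the resulting kernel command line, so the VHD build log cannot show what the image will actually boot with once this hardening argument is gone. Printing the post-change state, e.g. `grubby --info=ALL` directly after the update, would make the change auditable from build output without adding a new failure mode. The failure path on the `dnf_install` line exits with `$ERR_APT_INSTALL_TIMEOUT` for a dnf package install; if the repository defines a dnf-specific error code that would be more precise, though the error-code definitions are not visible here. The function's header comment should also state the consequence for boots where Secure Boot is not detected, since the OOT auto-enable described there does not apply to them.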