
Can not create disk with ConfidentialVM_NonPersistedTPM securityType #29207

Description

@fnerdman

Describe the bug

I want to create a disk that should be booted as a confidential TDX VM, with --os-disk-security-encryption-type set to NonPersistedTPM:

az disk create \
    -n ${DISK_NAME} \
    -g ${RESOURCE_GROUP} \
    -l ${REGION} \
    --os-type Linux \
    --upload-type Upload \
    --upload-size-bytes ${DISK_SIZE} \
    --sku standard_lrs \
    --security-type ConfidentialVM_NonPersistedTPM \
    --hyper-v-generation V2

This fails with:

az disk create: 'ConfidentialVM_NonPersistedTPM' is not a valid value for '--security-type'. Allowed values: TrustedLaunch, ConfidentialVM_VMGuestStateOnlyEncryptedWithPlatformKey, ConfidentialVM_DiskEncryptedWithPlatformKey, ConfidentialVM_DiskEncryptedWithCustomerKey, Standard.

So now I can't start a confidential VM with NonPersistedTPM:

az vm create \
    --name ${DISK_NAME} \
    --size ${VM_SIZE} \
    --resource-group ${RESOURCE_GROUP} \
    --attach-os-disk ${DISK_NAME} \
    --os-type Linux \
    --security-type ConfidentialVM \
    --enable-vtpm true \
    --enable-secure-boot false \
    --os-disk-security-encryption-type NonPersistedTPM

Related command

az disk create

Errors

az disk create: 'ConfidentialVM_NonPersistedTPM' is not a valid value for '--security-type'. Allowed values: TrustedLaunch, ConfidentialVM_VMGuestStateOnlyEncryptedWithPlatformKey, ConfidentialVM_DiskEncryptedWithPlatformKey, ConfidentialVM_DiskEncryptedWithCustomerKey, Standard.

Issue script & Debug output

az disk create: 'ConfidentialVM_NonPersistedTPM' is not a valid value for '--security-type'. Allowed values: TrustedLaunch, ConfidentialVM_VMGuestStateOnlyEncryptedWithPlatformKey, ConfidentialVM_DiskEncryptedWithPlatformKey, ConfidentialVM_DiskEncryptedWithCustomerKey, Standard.

Expected behavior

Disk is created with securityType=ConfidentialVM_NonPersistedTPM

Environment Summary

az --version
azure-cli 2.61.0

core 2.61.0
telemetry 1.1.0

Dependencies:
msal 1.28.0
azure-mgmt-resource 23.1.1

Python location '/opt/homebrew/Cellar/azure-cli/2.61.0/libexec/bin/python'
Extensions directory '/Users/*/.azure/cliextensions'

Python (Darwin) 3.11.9 (main, Apr 2 2024, 08:25:04) [Clang 15.0.0 (clang-1500.3.9.4)]

Legal docs and information: aka.ms/AzureCliLegal

Your CLI is up-to-date.

Additional context

Issue discussing adding the NonPersistedTPM feature: #27479
PoC patch that fixes the problem locally for me: Azure/azure-sdk-for-python#36161
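Once the CLI accepts the value, the thing worth checking is that the disk and the VM really ended up with the intended confidential profile rather than a silently weaker one. The following is an added example, not code from this issue or from azure-cli; it checks the JSON that `az disk show -o json` and `az vm show -o json` return, and the camelCase field paths (`securityProfile.securityType`, `securityProfile.uefiSettings.vTpmEnabled`, `storageProfile.osDisk.managedDisk.securityProfile.securityEncryptionType`) are assumptions about the Compute API output, as is the constructed sample input.

```python
import json

# Intended settings for the TDX / NonPersistedTPM setup described in the issue.
EXPECTED_DISK_SECURITY_TYPE = "ConfidentialVM_NonPersistedTPM"
EXPECTED_VM_SECURITY_TYPE = "ConfidentialVM"
EXPECTED_OS_DISK_ENCRYPTION = "NonPersistedTPM"


def _dig(obj, path):
    """Walk a dotted key path through nested dicts; None if any key is absent or null."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def check_confidential_profile(disk_json, vm_json):
    """Compare `az disk show` / `az vm show` JSON against the intended profile.

    Returns a list of mismatch strings; an empty list means everything matches.
    Field paths are assumptions about the CLI's camelCase output, not taken from the issue.
    """
    disk = json.loads(disk_json)
    vm = json.loads(vm_json)
    checks = [
        ("disk securityProfile.securityType",
         _dig(disk, "securityProfile.securityType"), EXPECTED_DISK_SECURITY_TYPE),
        ("vm securityProfile.securityType",
         _dig(vm, "securityProfile.securityType"), EXPECTED_VM_SECURITY_TYPE),
        ("vm securityProfile.uefiSettings.vTpmEnabled",
         _dig(vm, "securityProfile.uefiSettings.vTpmEnabled"), True),
        ("vm osDisk securityEncryptionType",
         _dig(vm, "storageProfile.osDisk.managedDisk.securityProfile.securityEncryptionType"),
         EXPECTED_OS_DISK_ENCRYPTION),
    ]
    return [f"{name}: expected {want!r}, got {got!r}" for name, got, want in checks if got != want]


# Constructed sample output (not captured from a real subscription): the disk was
# created without a security profile, e.g. after dropping the rejected flag.
SAMPLE_DISK = json.dumps({"name": "cvm-disk", "securityProfile": None})
SAMPLE_VM = json.dumps({
    "name": "cvm",
    "securityProfile": {"securityType": "ConfidentialVM",
                        "uefiSettings": {"secureBootEnabled": False, "vTpmEnabled": True}},
    "storageProfile": {"osDisk": {"managedDisk": {
        "securityProfile": {"securityEncryptionType": "NonPersistedTPM"}}}},
})

if __name__ == "__main__":
    for finding in check_confidential_profile(SAMPLE_DISK, SAMPLE_VM):
        print(finding)
```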
