diff --git a/README.md b/README.md
index 6dbbbcfd4c..233c40af06 100644
--- a/README.md
+++ b/README.md
@@ -56,6 +56,15 @@ To build a VM machine from this repo's source, see the [instructions](docs/creat
 See notable upcoming changes by viewing issues with the [Announcement](https://github.com/actions/runner-images/labels/Announcement) label.
+> **🔐 Security First: Generation 2 Azure VM Images Now Available!**
+>
+> Security is our priority. We are now introducing support for **Generation 2 (Gen 2) Azure VM images** for the latest Ubuntu releases. Gen 2 VMs provide enhanced security features including UEFI Secure Boot, vTPM, Trusted Launch compatibility, and protection against rootkits and bootkits.
+>
+> For more information and setup instructions, see [Creating Gen 2 Images](docs/create-image-and-azure-resources.md#security-first-generation-2-vm-support).
+>
+> 🚀 **Stay tuned for Windows Server 2025 Gen 2 support coming soon!**
+
+
 ## Image Definitions
 ### Beta
diff --git a/docs/create-image-and-azure-resources.md b/docs/create-image-and-azure-resources.md
index 36e74926d8..9c49de2a47 100644
--- a/docs/create-image-and-azure-resources.md
+++ b/docs/create-image-and-azure-resources.md
@@ -98,7 +98,20 @@ Finally, run the `GenerateResourcesAndImage` function, setting the mandatory arg
 - `ResourceGroupName` - the name of the resource group that will store the resulting artifact (e.g., "imagegen-test"). The resource group must already exist in your Azure subscription;
 - `AzureLocation` - the location where resources will be created (e.g., "East US");
-- `ImageType` - the type of image to build (valid options are "Windows2019", "Windows2022", "Windows2025", "Ubuntu2204", "Ubuntu2404").
+- `ImageType` - the type of image to build (valid options are "Windows2019", "Windows2022", "Windows2025", "Ubuntu2204", "Ubuntu2404", "Ubuntu2404Gen2").
+
+> **🔐 Security First: Generation 2 VM Support**
+>
+> Security is our priority. We introduced **Generation 2 (Gen 2) VM** support in Azure to provide enhanced security features:
+>
+> - 🔐 **UEFI Secure Boot** – prevents unauthorized or malicious bootloaders from running
+> - 🛡️ **vTPM (virtual Trusted Platform Module)** – enables OS-level encryption
+> - 🧩 **Trusted Launch compatibility** – adds measured boot, Secure Boot, and attestation
+> - 🧱 **Improved firmware isolation** – reduces exposure to BIOS-level attacks
+> - 🧮 **Support for confidential and encrypted computing** – required for features like Azure Confidential VMs
+> - 🚫 **Protection from rootkits and bootkits** – due to secure boot chain enforcement
+>
+> To use Gen 2 VMs, select `Ubuntu2404Gen2` as your `ImageType`.
 This function automatically creates all required Azure resources and initiates the Packer image generation for the selected image type.
diff --git a/helpers/GenerateResourcesAndImage.ps1 b/helpers/GenerateResourcesAndImage.ps1
index 592313e7d5..88cdeabf32 100644
--- a/helpers/GenerateResourcesAndImage.ps1
+++ b/helpers/GenerateResourcesAndImage.ps1
@@ -6,6 +6,7 @@ enum ImageType {
 Windows2025 = 3
 Ubuntu2204 = 4
 Ubuntu2404 = 5
+ Ubuntu2404Gen2 = 6
 }
 Function Get-PackerTemplate {
@@ -38,6 +39,10 @@ Function Get-PackerTemplate {
 $relativeTemplatePath = Join-Path (Join-Path "ubuntu" "templates") "build.ubuntu-24_04.pkr.hcl"
 $imageOS = "ubuntu24"
 }
+ ([ImageType]::Ubuntu2404Gen2) {
+ $relativeTemplatePath = Join-Path (Join-Path "ubuntu" "templates") "build.ubuntu-24_04.pkr.hcl"
+ $imageOS = "ubuntu24-gen2"
+ }
 default { throw "Unknown type of image" }
 }
diff --git a/images/ubuntu/templates/locals.ubuntu.pkr.hcl b/images/ubuntu/templates/locals.ubuntu.pkr.hcl
index fe9b189aba..4c2f292664 100644
--- a/images/ubuntu/templates/locals.ubuntu.pkr.hcl
+++ b/images/ubuntu/templates/locals.ubuntu.pkr.hcl
@@ -11,6 +11,12 @@ locals {
 offer = "ubuntu-24_04-lts"
 sku = "server-gen1"
 os_disk_size_gb = coalesce(var.os_disk_size_gb, 75)
+ },
+ "ubuntu24-gen2" = {
+ publisher = "canonical"
+ offer = "ubuntu-24_04-lts"
+ sku = "server"
+ os_disk_size_gb = coalesce(var.os_disk_size_gb, 75)
 }
 }
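Review bot: The new `Ubuntu2404Gen2` case duplicates the `Ubuntu2404` case verbatim except for `$imageOS`, so both generations build from `build.ubuntu-24_04.pkr.hcl` and the only thing that distinguishes them is the free-form key `"ubuntu24-gen2"`, which has to match the map key added in `locals.ubuntu.pkr.hcl` in this same commit. Nothing in this script checks that coupling; a typo on either side would not fail here but only later inside Packer, which is hard to trace back to this switch. A comment above the new case would make the dependency visible: `# Gen2 uses the same template; the generation is selected by this key in images/ubuntu/templates/locals.ubuntu.pkr.hcl`. Get-PackerTemplate begins and continues outside the hunk.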
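Review bot: The new `"ubuntu24-gen2"` entry differs from the Gen1 entry only in `sku = "server"`, which selects the Gen2 marketplace source image; nothing in this hunk enables the Trusted Launch properties (Secure Boot, vTPM, attestation) that the README and docs changes in this same commit advertise. Whether those are actually on depends on the azure-arm builder settings in the build template and on the Hyper-V generation and security type of the gallery image definition, neither of which is in this diff; if the builder does not set `security_type`, `secure_boot_enabled` and `vtpm_enabled` for this OS key, the result is a plain Gen2 image and the documentation overstates what `Ubuntu2404Gen2` provides. A comment on the new entry would keep that boundary honest: `# Gen2 SKU of the same offer; Trusted Launch (secure boot / vTPM) is configured in the builder and image definition, not here`. The locals block continues outside the hunk.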