Security First: Generation 2 Azure VM Images Now Available!

README.md

@@ -56,6 +56,15 @@ To build a VM machine from this repo's source, see the [instructions](docs/creat
 
 See notable upcoming changes by viewing issues with the [Announcement](https://github.com/actions/runner-images/labels/Announcement) label.
 
+> **🔐 Security First: Generation 2 Azure VM Images Now Available!**
+>
+> Security is our priority. We are now introducing support for **Generation 2 (Gen 2) Azure VM images** for the latest Ubuntu releases. Gen 2 VMs provide enhanced security features including UEFI Secure Boot, vTPM, Trusted Launch compatibility, and protection against rootkits and bootkits.
+>
+> For more information and setup instructions, see [Creating Gen 2 Images](docs/create-image-and-azure-resources.md#security-first-generation-2-vm-support).
+>
+> 🚀 **Stay tuned for Windows Server 2025 Gen 2 support coming soon!**
+
+
 ## Image Definitions
 
 ### Beta

docs/create-image-and-azure-resources.md

@@ -98,7 +98,20 @@ Finally, run the `GenerateResourcesAndImage` function, setting the mandatory arg
 - `ResourceGroupName` - the name of the resource group that will store the resulting artifact (e.g., "imagegen-test").
     The resource group must already exist in your Azure subscription;
 - `AzureLocation` - the location where resources will be created (e.g., "East US");
-- `ImageType` - the type of image to build (valid options are "Windows2019", "Windows2022", "Windows2025", "Ubuntu2204", "Ubuntu2404").
+- `ImageType` - the type of image to build (valid options are "Windows2019", "Windows2022", "Windows2025", "Ubuntu2204", "Ubuntu2404", "Ubuntu2404Gen2").
+
+> **🔐 Security First: Generation 2 VM Support**
+>
+> Security is our priority. We introduced **Generation 2 (Gen 2) VM** support in Azure to provide enhanced security features:
+>
+> - 🔐 **UEFI Secure Boot** – prevents unauthorized or malicious bootloaders from running
+> - 🛡️ **vTPM (virtual Trusted Platform Module)** – enables OS-level encryption
+> - 🧩 **Trusted Launch compatibility** – adds measured boot, Secure Boot, and attestation
+> - 🧱 **Improved firmware isolation** – reduces exposure to BIOS-level attacks
+> - 🧮 **Support for confidential and encrypted computing** – required for features like Azure Confidential VMs
+> - 🚫 **Protection from rootkits and bootkits** – due to secure boot chain enforcement
+>
+> To use Gen 2 VMs, select `Ubuntu2404Gen2` as your `ImageType`.
 
 This function automatically creates all required Azure resources and initiates the Packer image generation for the selected image type.
 

helpers/GenerateResourcesAndImage.ps1

@@ -6,6 +6,7 @@ enum ImageType {
     Windows2025   = 3
     Ubuntu2204    = 4
     Ubuntu2404    = 5
+    Ubuntu2404Gen2 = 6
 }
 
 Function Get-PackerTemplate {
@@ -38,6 +39,10 @@ Function Get-PackerTemplate {
             $relativeTemplatePath = Join-Path (Join-Path "ubuntu" "templates") "build.ubuntu-24_04.pkr.hcl"
             $imageOS = "ubuntu24"
         }
+        ([ImageType]::Ubuntu2404Gen2) {
+            $relativeTemplatePath = Join-Path (Join-Path "ubuntu" "templates") "build.ubuntu-24_04.pkr.hcl"
+            $imageOS = "ubuntu24-gen2"
+        }
         default { throw "Unknown type of image" }
     }
 

images/ubuntu/templates/locals.ubuntu.pkr.hcl

@@ -11,6 +11,12 @@ locals {
             offer           = "ubuntu-24_04-lts"
             sku             = "server-gen1"
             os_disk_size_gb = coalesce(var.os_disk_size_gb, 75)
+      },
+      "ubuntu24-gen2" = {
+            publisher       = "canonical"
+            offer           = "ubuntu-24_04-lts"
+            sku             = "server"
+            os_disk_size_gb = coalesce(var.os_disk_size_gb, 75)
       }
   }