From e9313f83191225cea47d692b548ea715e5413c34 Mon Sep 17 00:00:00 2001
From: Michail Resvanis <mresvani@redhat.com>
Date: Tue, 25 Apr 2023 18:17:51 +0200
Subject: [PATCH] Add support for Confidential VM images

https://learn.microsoft.com/en-us/azure/confidential-computing/confidential-vm-overview#size-support

Signed-off-by: Michail Resvanis <mresvani@redhat.com>
---
 docs/book/src/capi/providers/azure.md         | 12 ++++++++++
 images/capi/Makefile                          | 22 +++++++++++++++++--
 .../capi/ansible/roles/setup/tasks/debian.yml | 15 +++++++++++++
 images/capi/azure_targets.sh                  |  2 ++
 images/capi/packer/azure/azure-sig-cvm.json   |  7 ++++++
 images/capi/packer/azure/scripts/init-sig.sh  | 19 +++++++++++++++-
 images/capi/packer/azure/ubuntu-2004-cvm.json |  9 ++++++++
 images/capi/packer/azure/ubuntu-2204-cvm.json |  9 ++++++++
 .../azure/windows-2019-containerd-cvm.json    | 16 ++++++++++++++
 .../azure/windows-2022-containerd-cvm.json    | 16 ++++++++++++++
 images/capi/scripts/ci-azure-e2e.sh           | 22 +++++++++++++++++++
 11 files changed, 146 insertions(+), 3 deletions(-)
 create mode 100644 images/capi/packer/azure/azure-sig-cvm.json
 create mode 100644 images/capi/packer/azure/ubuntu-2004-cvm.json
 create mode 100644 images/capi/packer/azure/ubuntu-2204-cvm.json
 create mode 100644 images/capi/packer/azure/windows-2019-containerd-cvm.json
 create mode 100644 images/capi/packer/azure/windows-2022-containerd-cvm.json

diff --git a/docs/book/src/capi/providers/azure.md b/docs/book/src/capi/providers/azure.md
index ece46c7b23..202350116f 100644
--- a/docs/book/src/capi/providers/azure.md
+++ b/docs/book/src/capi/providers/azure.md
@@ -42,6 +42,18 @@ make build-azure-sig-ubuntu-1804-gen2
 
 Generation 2 images may only be used with Shared Image Gallery, not VHD.
 
+### Confidential VM Images
+
+Confidential VMs require specific generation 2 OS images. The naming pattern of those images includes the suffix `-cvm`. For example:
+
+```bash
+# Ubuntu 20.04 LTS for Confidential VMs
+make build-azure-sig-ubuntu-2004-cvm
+
+# Windows 2019 with containerd for Confindential VMs
+make build-azure-sig-windows-2019-containerd-cvm
+```
+
 ### Configuration
 #### Common Azure options
 
diff --git a/images/capi/Makefile b/images/capi/Makefile
index f6042322ec..c3596b3abe 100644
--- a/images/capi/Makefile
+++ b/images/capi/Makefile
@@ -333,9 +333,11 @@ GCE_BUILD_NAMES			   ?= gce-ubuntu-1804 gce-ubuntu-2004 gce-ubuntu-2204
 VHD_TARGETS := $(shell grep VHD_TARGETS azure_targets.sh | sed 's/VHD_TARGETS=//' | tr -d \")
 SIG_TARGETS := $(shell grep SIG_TARGETS azure_targets.sh | sed 's/SIG_TARGETS=//' | tr -d \")
 SIG_GEN2_TARGETS := $(shell grep SIG_GEN2_TARGETS azure_targets.sh | sed 's/SIG_GEN2_TARGETS=//' | tr -d \")
+SIG_CVM_TARGETS := $(shell grep SIG_CVM_TARGETS azure_targets.sh | sed 's/SIG_CVM_TARGETS=//' | tr -d \")
 AZURE_BUILD_VHD_NAMES	   ?= $(addprefix azure-vhd-,$(VHD_TARGETS))
 AZURE_BUILD_SIG_NAMES	   ?= $(addprefix azure-sig-,$(SIG_TARGETS))
 AZURE_BUILD_SIG_GEN2_NAMES ?= $(addsuffix -gen2,$(addprefix azure-sig-,$(SIG_GEN2_TARGETS)))
+AZURE_BUILD_SIG_CVM_NAMES ?= $(addsuffix -cvm,$(addprefix azure-sig-,$(SIG_CVM_TARGETS)))
 
 OCI_BUILD_NAMES			   ?= oci-ubuntu-1804 oci-ubuntu-2004 oci-ubuntu-2204 oci-oracle-linux-8 oci-oracle-linux-9 oci-windows-2019 oci-windows-2022
 
@@ -373,8 +375,10 @@ AZURE_BUILD_VHD_TARGETS	:= $(addprefix build-,$(AZURE_BUILD_VHD_NAMES))
 AZURE_VALIDATE_VHD_TARGETS	:= $(addprefix validate-,$(AZURE_BUILD_VHD_NAMES))
 AZURE_BUILD_SIG_TARGETS	:= $(addprefix build-,$(AZURE_BUILD_SIG_NAMES))
 AZURE_BUILD_SIG_GEN2_TARGETS	:= $(addprefix build-,$(AZURE_BUILD_SIG_GEN2_NAMES))
+AZURE_BUILD_SIG_CVM_TARGETS	:= $(addprefix build-,$(AZURE_BUILD_SIG_CVM_NAMES))
 AZURE_VALIDATE_SIG_TARGETS	:= $(addprefix validate-,$(AZURE_BUILD_SIG_NAMES))
 AZURE_VALIDATE_SIG_GEN2_TARGETS	:= $(addprefix validate-,$(AZURE_BUILD_SIG_GEN2_NAMES))
+AZURE_VALIDATE_SIG_CVM_TARGETS	:= $(addprefix validate-,$(AZURE_BUILD_SIG_CVM_NAMES))
 DO_BUILD_TARGETS 	:= $(addprefix build-,$(DO_BUILD_NAMES))
 DO_VALIDATE_TARGETS 	:= $(addprefix validate-,$(DO_BUILD_NAMES))
 OPENSTACK_BUILD_TARGETS	:= $(addprefix build-,$(OPENSTACK_BUILD_NAMES))
@@ -462,6 +466,10 @@ $(AZURE_BUILD_SIG_TARGETS): deps-azure
 $(AZURE_BUILD_SIG_GEN2_TARGETS): deps-azure
 	. $(abspath packer/azure/scripts/init-sig.sh) $(subst build-azure-sig-,,$@) && packer build $(if $(findstring windows,$@),$(PACKER_WINDOWS_NODE_FLAGS),$(PACKER_NODE_FLAGS)) -var-file="$(abspath packer/azure/azure-config.json)" -var-file="$(abspath packer/azure/azure-sig-gen2.json)" -var-file="$(abspath packer/azure/$(subst build-azure-sig-,,$@).json)" -only="$(subst build-azure-,,$@)" $(ABSOLUTE_PACKER_VAR_FILES) packer/azure/packer$(findstring -windows,$@).json
 
+.PHONY: $(AZURE_BUILD_SIG_CVM_TARGETS)
+$(AZURE_BUILD_SIG_CVM_TARGETS): deps-azure
+	. $(abspath packer/azure/scripts/init-sig.sh) $(subst build-azure-sig-,,$@) && packer build $(if $(findstring windows,$@),$(PACKER_WINDOWS_NODE_FLAGS),$(PACKER_NODE_FLAGS)) -var-file="$(abspath packer/azure/azure-config.json)" -var-file="$(abspath packer/azure/azure-sig-cvm.json)" -var-file="$(abspath packer/azure/$(subst build-azure-sig-,,$@).json)" -only="$(subst build-azure-,,$@)" $(ABSOLUTE_PACKER_VAR_FILES) packer/azure/packer$(findstring -windows,$@).json
+
 .PHONY: $(AZURE_VALIDATE_SIG_TARGETS)
 $(AZURE_VALIDATE_SIG_TARGETS): deps-azure
 	packer validate $(if $(findstring windows,$@),$(PACKER_WINDOWS_NODE_FLAGS),$(PACKER_NODE_FLAGS)) -var-file="$(abspath packer/azure/azure-config.json)" -var-file="$(abspath packer/azure/azure-sig.json)" -var-file="$(abspath packer/azure/$(subst validate-azure-sig-,,$@).json)" -only="$(subst validate-azure-,,$@)" $(ABSOLUTE_PACKER_VAR_FILES) packer/azure/packer$(findstring -windows,$@).json
@@ -470,6 +478,10 @@ $(AZURE_VALIDATE_SIG_TARGETS): deps-azure
 $(AZURE_VALIDATE_SIG_GEN2_TARGETS): deps-azure
 	packer validate $(if $(findstring windows,$@),$(PACKER_WINDOWS_NODE_FLAGS),$(PACKER_NODE_FLAGS)) -var-file="$(abspath packer/azure/azure-config.json)" -var-file="$(abspath packer/azure/azure-sig-gen2.json)" -var-file="$(abspath packer/azure/$(subst validate-azure-sig-,,$@).json)" -only="$(subst validate-azure-,,$@)" $(ABSOLUTE_PACKER_VAR_FILES) packer/azure/packer$(findstring windows,$@).json
 
+.PHONY: $(AZURE_VALIDATE_SIG_CVM_TARGETS)
+$(AZURE_VALIDATE_SIG_CVM_TARGETS): deps-azure
+	packer validate $(if $(findstring windows,$@),$(PACKER_WINDOWS_NODE_FLAGS),$(PACKER_NODE_FLAGS)) -var-file="$(abspath packer/azure/azure-config.json)" -var-file="$(abspath packer/azure/azure-sig-cvm.json)" -var-file="$(abspath packer/azure/$(subst validate-azure-sig-,,$@).json)" -only="$(subst validate-azure-,,$@)" $(ABSOLUTE_PACKER_VAR_FILES) packer/azure/packer$(findstring -windows,$@).json
+
 .PHONY: $(DO_BUILD_TARGETS)
 $(DO_BUILD_TARGETS): deps-do
 	packer build $(PACKER_NODE_FLAGS) -var-file="$(abspath packer/digitalocean/$(subst build-do-,,$@).json)" $(ABSOLUTE_PACKER_VAR_FILES) packer/digitalocean/packer.json
@@ -601,6 +613,8 @@ build-azure-sig-rhel-8: ## Builds RHEL 8 Azure managed image in Shared Image Gal
 build-azure-sig-windows-2019: ## Builds Windows Server 2019 Azure managed image in Shared Image Gallery
 build-azure-sig-windows-2019-containerd: ## Builds Windows Server 2019 with containerd Azure managed image in Shared Image Gallery
 build-azure-sig-windows-2022-containerd: ## Builds Windows Server 2022 with containerd Azure managed image in Shared Image Gallery
+build-azure-sig-windows-2019-containerd-cvm: ## Builds Windows Server 2019 with containerd CVM Azure managed image in Shared Image Gallery
+build-azure-sig-windows-2022-containerd-cvm: ## Builds Windows Server 2022 with containerd CVM Azure managed image in Shared Image Gallery
 build-azure-sig-windows-2004: ## Builds Windows Server 2004 SAC Azure managed image in Shared Image Gallery
 build-azure-vhd-ubuntu-1804: ## Builds Ubuntu 18.04 VHD image for Azure
 build-azure-vhd-ubuntu-2004: ## Builds Ubuntu 20.04 VHD image for Azure
@@ -617,8 +631,10 @@ build-azure-sig-flatcar-gen2: ## Builds Flatcar Azure Gen2 managed image in Shar
 build-azure-sig-ubuntu-1804-gen2: ## Builds Ubuntu 18.04 Gen2 managed image in Shared Image Gallery
 build-azure-sig-ubuntu-2004-gen2: ## Builds Ubuntu 20.04 Gen2 managed image in Shared Image Gallery
 build-azure-sig-ubuntu-2204-gen2: ## Builds Ubuntu 22.04 Gen2 managed image in Shared Image Gallery
+build-azure-sig-ubuntu-2004-cvm: ## Builds Ubuntu 20.04 CVM managed image in Shared Image Gallery
+build-azure-sig-ubuntu-2204-cvm: ## Builds Ubuntu 22.04 CVM managed image in Shared Image Gallery
 build-azure-vhds: $(AZURE_BUILD_VHD_TARGETS) ## Builds all Azure VHDs
-build-azure-sigs: $(AZURE_BUILD_SIG_TARGETS) $(AZURE_BUILD_SIG_GEN2_TARGETS) ## Builds all Azure Shared Image Gallery images
+build-azure-sigs: $(AZURE_BUILD_SIG_TARGETS) $(AZURE_BUILD_SIG_GEN2_TARGETS) $(AZURE_BUILD_SIG_CVM_TARGETS) ## Builds all Azure Shared Image Gallery images
 
 build-do-ubuntu-1804: ## Builds Ubuntu 18.04 DigitalOcean Snapshot
 build-do-ubuntu-2004: ## Builds Ubuntu 20.04 DigitalOcean Snapshot
@@ -784,8 +800,10 @@ validate-azure-vhd-windows-2004: ## Validate Windows Server 2004 SAC VHD image A
 validate-azure-sig-centos-7-gen2: ## Validates CentOS 7 Azure managed image in Shared Image Gallery Packer config
 validate-azure-sig-ubuntu-1804-gen2: ## Validates Ubuntu 18.04 Azure managed image in Shared Image Gallery Packer config
 validate-azure-sig-ubuntu-2004-gen2: ## Validates Ubuntu 20.04 Azure managed image in Shared Image Gallery Packer config
+validate-azure-sig-ubuntu-2004-cvm: ## Validates Ubuntu 20.04 CVM Azure managed image in Shared Image Gallery Packer config
 validate-azure-sig-ubuntu-2204-gen2: ## Validates Ubuntu 22.04 Azure managed image in Shared Image Gallery Packer config
-validate-azure-all: $(AZURE_VALIDATE_SIG_TARGETS) $(AZURE_VALIDATE_VHD_TARGETS) $(AZURE_VALIDATE_SIG_GEN2_TARGETS) ## Validates all images for Azure Packer config
+validate-azure-sig-ubuntu-2204-cvm: ## Validates Ubuntu 22.04 CVM Azure managed image in Shared Image Gallery Packer config
+validate-azure-all: $(AZURE_VALIDATE_SIG_TARGETS) $(AZURE_VALIDATE_VHD_TARGETS) $(AZURE_VALIDATE_SIG_GEN2_TARGETS) $(AZURE_VALIDATE_SIG_CVM_TARGETS) ## Validates all images for Azure Packer config
 
 validate-do-ubuntu-1804: ## Validates Ubuntu 18.04 DigitalOcean Snapshot Packer config
 validate-do-ubuntu-2004: ## Validates Ubuntu 20.04 DigitalOcean Snapshot Packer config
diff --git a/images/capi/ansible/roles/setup/tasks/debian.yml b/images/capi/ansible/roles/setup/tasks/debian.yml
index 5b306e778e..190fabd67e 100644
--- a/images/capi/ansible/roles/setup/tasks/debian.yml
+++ b/images/capi/ansible/roles/setup/tasks/debian.yml
@@ -62,6 +62,16 @@
   loop: "{{ extra_repos.split() }}"
   when: extra_repos != ""
 
+- name: Hold nullboot
+  ansible.builtin.dpkg_selections:
+    name: nullboot
+    selection: hold
+  when: packer_build_name is search('cvm')
+
+- name: Add '--no-tpm --no-efivars' to nullboot post install script
+  command: "sed -i 's/nullbootctl/nullbootctl --no-tpm --no-efivars/' /var/lib/dpkg/info/nullboot.postinst"
+  when: packer_build_name is search('cvm')
+
 - name: perform a dist-upgrade
   apt:
     force_apt_get: True
@@ -103,3 +113,8 @@
   until: apt_lock_status is not failed
   retries: 5
   delay: 10
+
+- name: Remove '--no-tpm --no-efivars' from nullboot post install script
+  command: "sed -i 's/nullbootctl --no-tpm --no-efivars/nullbootctl/' /var/lib/dpkg/info/nullboot.postinst"
+  when: packer_build_name is search('cvm')
+
diff --git a/images/capi/azure_targets.sh b/images/capi/azure_targets.sh
index 827696d189..458c330ead 100644
--- a/images/capi/azure_targets.sh
+++ b/images/capi/azure_targets.sh
@@ -4,3 +4,5 @@ SIG_TARGETS="ubuntu-1804 ubuntu-2004 ubuntu-2204 centos-7 rhel-8 windows-2019 wi
 SIG_CI_TARGETS="ubuntu-2004 ubuntu-2204 windows-2019-containerd windows-2022-containerd flatcar"
 SIG_GEN2_TARGETS="ubuntu-1804 ubuntu-2004 ubuntu-2204 centos-7 flatcar"
 SIG_GEN2_CI_TARGETS="ubuntu-2004 ubuntu-2204 flatcar"
+SIG_CVM_TARGETS="ubuntu-2004 ubuntu-2204 windows-2019-containerd windows-2022-containerd"
+SIG_CVM_CI_TARGETS="ubuntu-2204 windows-2022-containerd"
diff --git a/images/capi/packer/azure/azure-sig-cvm.json b/images/capi/packer/azure/azure-sig-cvm.json
new file mode 100644
index 0000000000..9a14059e43
--- /dev/null
+++ b/images/capi/packer/azure/azure-sig-cvm.json
@@ -0,0 +1,7 @@
+{
+  "image_name": "capi-{{user `distribution`}}-{{user `distribution_version`}}-cvm",
+  "replication_regions": "{{env `AZURE_LOCATION`}}",
+  "resource_group_name": "{{env `RESOURCE_GROUP_NAME`}}",
+  "shared_image_gallery_name": "{{env `GALLERY_NAME`}}",
+  "sig_image_version": "0.3.{{user `build_timestamp`}}"
+}
diff --git a/images/capi/packer/azure/scripts/init-sig.sh b/images/capi/packer/azure/scripts/init-sig.sh
index 2f6296a483..e4f1abcb41 100755
--- a/images/capi/packer/azure/scripts/init-sig.sh
+++ b/images/capi/packer/azure/scripts/init-sig.sh
@@ -34,6 +34,8 @@ packer validate -syntax-only $PACKER_FILE || exit 1
 
 az sig create --resource-group ${RESOURCE_GROUP_NAME} --gallery-name ${GALLERY_NAME}
 
+SECURITY_TYPE_CVM_SUPPORTED_FEATURE="SecurityType=ConfidentialVmSupported"
+
 create_image_definition() {
   az sig image-definition create \
     --resource-group ${RESOURCE_GROUP_NAME} \
@@ -43,7 +45,8 @@ create_image_definition() {
     --offer ${SIG_OFFER:-capz-demo} \
     --sku ${SIG_SKU:-$2} \
     --hyper-v-generation ${3} \
-    --os-type ${4}
+    --os-type ${4} \
+    --features ${5:-''}
 }
 
 SIG_TARGET=$1
@@ -73,6 +76,14 @@ case ${SIG_TARGET} in
   windows-2022-containerd)
     create_image_definition ${SIG_TARGET} "win-2022-containerd" "V1" "Windows"
   ;;
+  windows-2019-containerd-cvm)
+    SKU="windows-2019-cvm-containerd"
+    create_image_definition ${SKU} ${SKU} "V2" "Windows" ${SECURITY_TYPE_CVM_SUPPORTED_FEATURE}
+  ;;
+  windows-2022-containerd-cvm)
+    SKU="windows-2022-cvm-containerd"
+    create_image_definition ${SKU} ${SKU} "V2" "Windows" ${SECURITY_TYPE_CVM_SUPPORTED_FEATURE}
+  ;;
   flatcar)
     SKU="flatcar-${FLATCAR_CHANNEL}-${FLATCAR_VERSION}"
     create_image_definition ${SKU} ${SKU} "V1" "Linux"
@@ -83,9 +94,15 @@ case ${SIG_TARGET} in
   ubuntu-2004-gen2)
     create_image_definition ${SIG_TARGET} "20_04-lts-gen2" "V2" "Linux"
   ;;
+  ubuntu-2004-cvm)
+    create_image_definition ${SIG_TARGET} "20_04-lts-cvm" "V2" "Linux" ${SECURITY_TYPE_CVM_SUPPORTED_FEATURE}
+  ;;
   ubuntu-2204-gen2)
     create_image_definition ${SIG_TARGET} "22_04-lts-gen2" "V2" "Linux"
   ;;
+  ubuntu-2204-cvm)
+    create_image_definition ${SIG_TARGET} "22_04-lts-cvm" "V2" "Linux" ${SECURITY_TYPE_CVM_SUPPORTED_FEATURE}
+  ;;
   centos-7-gen2)
     create_image_definition "centos-7-gen2" "centos-7-gen2" "V2" "Linux"
   ;;
diff --git a/images/capi/packer/azure/ubuntu-2004-cvm.json b/images/capi/packer/azure/ubuntu-2004-cvm.json
new file mode 100644
index 0000000000..f60679eb81
--- /dev/null
+++ b/images/capi/packer/azure/ubuntu-2004-cvm.json
@@ -0,0 +1,9 @@
+{
+  "build_name": "ubuntu-2004-cvm",
+  "distribution": "ubuntu",
+  "distribution_release": "focal",
+  "distribution_version": "2004",
+  "image_offer": "0001-com-ubuntu-confidential-vm-focal",
+  "image_publisher": "Canonical",
+  "image_sku": "20_04-lts-cvm"
+}
diff --git a/images/capi/packer/azure/ubuntu-2204-cvm.json b/images/capi/packer/azure/ubuntu-2204-cvm.json
new file mode 100644
index 0000000000..0766227b7b
--- /dev/null
+++ b/images/capi/packer/azure/ubuntu-2204-cvm.json
@@ -0,0 +1,9 @@
+{
+  "build_name": "ubuntu-2204-cvm",
+  "distribution": "ubuntu",
+  "distribution_release": "jammy",
+  "distribution_version": "2204",
+  "image_offer": "0001-com-ubuntu-confidential-vm-jammy",
+  "image_publisher": "Canonical",
+  "image_sku": "22_04-lts-cvm"
+}
diff --git a/images/capi/packer/azure/windows-2019-containerd-cvm.json b/images/capi/packer/azure/windows-2019-containerd-cvm.json
new file mode 100644
index 0000000000..a34c584e45
--- /dev/null
+++ b/images/capi/packer/azure/windows-2019-containerd-cvm.json
@@ -0,0 +1,16 @@
+{
+  "additional_registry_images": "false",
+  "additional_registry_images_list": "",
+  "build_name": "windows-2019-containerd-cvm",
+  "distribution": "windows",
+  "distribution_version": "2019",
+  "image_offer": "windows-cvm",
+  "image_publisher": "MicrosoftWindowsServer",
+  "image_sku": "2019-datacenter-cvm",
+  "image_version": "latest",
+  "load_additional_components": "false",
+  "runtime": "containerd",
+  "vm_size": "Standard_D4s_v3",
+  "windows_updates_kbs": "",
+  "wins_url": ""
+}
diff --git a/images/capi/packer/azure/windows-2022-containerd-cvm.json b/images/capi/packer/azure/windows-2022-containerd-cvm.json
new file mode 100644
index 0000000000..4776438148
--- /dev/null
+++ b/images/capi/packer/azure/windows-2022-containerd-cvm.json
@@ -0,0 +1,16 @@
+{
+  "additional_registry_images": "false",
+  "additional_registry_images_list": "",
+  "build_name": "windows-2022-containerd-cvm",
+  "distribution": "windows",
+  "distribution_version": "2022",
+  "image_offer": "windows-cvm",
+  "image_publisher": "MicrosoftWindowsServer",
+  "image_sku": "2022-datacenter-cvm",
+  "image_version": "latest",
+  "load_additional_components": "false",
+  "runtime": "containerd",
+  "vm_size": "Standard_D4s_v3",
+  "windows_updates_kbs": "",
+  "wins_url": ""
+}
diff --git a/images/capi/scripts/ci-azure-e2e.sh b/images/capi/scripts/ci-azure-e2e.sh
index 2fbacd7a96..c0c91e7813 100755
--- a/images/capi/scripts/ci-azure-e2e.sh
+++ b/images/capi/scripts/ci-azure-e2e.sh
@@ -38,6 +38,7 @@ source azure_targets.sh
 IFS=' ' read -r -a VHD_CI_TARGETS <<< "${VHD_CI_TARGETS}"
 IFS=' ' read -r -a SIG_CI_TARGETS <<< "${SIG_CI_TARGETS}"
 IFS=' ' read -r -a SIG_GEN2_CI_TARGETS <<< "${SIG_GEN2_CI_TARGETS}"
+IFS=' ' read -r -a SIG_CVM_CI_TARGETS <<< "${SIG_CVM_CI_TARGETS}"
 
 # Append the "gen2" targets to the original SIG list
 for element in "${SIG_GEN2_CI_TARGETS[@]}"
@@ -45,6 +46,9 @@ do
     SIG_CI_TARGETS+=("${element}-gen2")
 done
 
+# Append "-cvm" suffix to SIG CVM targets
+SIG_CVM_CI_TARGETS=("${SIG_CVM_CI_TARGETS[@]/%/-cvm}")
+
 # shellcheck source=parse-prow-creds.sh
 source "packer/azure/scripts/parse-prow-creds.sh"
 
@@ -59,6 +63,11 @@ get_random_region() {
     echo "${REGIONS[${RANDOM} % ${#REGIONS[@]}]}"
 }
 
+export VALID_CVM_LOCATIONS=("eastus" "westus" "northeurope" "westeurope")
+get_random_cvm_region() {
+    echo "${VALID_CVM_LOCATIONS[${RANDOM} % ${#VALID_CVM_LOCATIONS[@]}]}"
+}
+
 export PATH=${PWD}/.local/bin:$PATH
 export PATH=${PYTHON_BIN_DIR:-"/root/.local/bin"}:$PATH
 
@@ -96,6 +105,19 @@ if [[ "${AZURE_BUILD_FORMAT:-vhd}" == "sig" ]]; then
         make build-azure-sig-${target} > ${ARTIFACTS}/azure-sigs/${target}.log 2>&1 &
         PIDS["sig-${target}"]=$!
     done
+
+    SELECTED_LOCATION="${AZURE_LOCATION}"
+    if [[ ! " ${VALID_CVM_LOCATIONS[*]} " =~ " ${SELECTED_LOCATION} " ]]; then
+        SELECTED_LOCATION="$(get_random_cvm_region)"
+        echo "AZURE_LOCATION=${AZURE_LOCATION} is invalid for Confidential VM targets. Valid CVM locations: ${VALID_CVM_LOCATIONS[*]}."
+        echo "Selected location is ${SELECTED_LOCATION}."
+    fi
+
+    for target in ${SIG_CVM_CI_TARGETS[@]};
+    do
+        AZURE_LOCATION="${SELECTED_LOCATION}" make build-azure-sig-${target} > ${ARTIFACTS}/azure-sigs/${target}.log 2>&1 &
+        PIDS["sig-${target}"]=$!
+    done
 else
     for target in ${VHD_CI_TARGETS[@]};
     do