From 8ba6cef6b6513a27e7bdd2fab6a7bc6875fc1614 Mon Sep 17 00:00:00 2001
From: Ryan Johnson
Date: Tue, 7 Nov 2023 15:24:34 -0500
Subject: [PATCH] feat: add vbs
- Add support for Virtualization Based Security by enabling a step to add configuration flags to the virtual machine.
- Added `vbs_enabled` and `vvtd_enabled`.
- Added checks to ensure:
- `vvtd_enabled` must be set to `true` when `vbs_enabled` is set to `true`
- `nestedhv` must be set to `true` when `vbs_enabled` is set to `true`
- `vtpm` must be set to `true` when `vbs_enabled` is set to `true`
- `firmware` must be set to `efi-secure` when `vbs_enabled` is set to `true`
Signed-off-by: Ryan Johnson
---
 builder/vsphere/clone/builder.go | 3 +
 builder/vsphere/clone/config.go | 20 +-
 builder/vsphere/clone/config.hcl2spec.go | 4 +
 builder/vsphere/common/step_add_flag.go | 90 ++++++++
 .../vsphere/common/step_add_flag.hcl2spec.go | 33 +++
 builder/vsphere/common/step_add_flag_test.go | 196 ++++++++++++++++++
 builder/vsphere/driver/vm.go | 19 ++
 builder/vsphere/driver/vm_mock.go | 18 ++
 builder/vsphere/iso/builder.go | 3 +
 builder/vsphere/iso/config.go | 21 +-
 builder/vsphere/iso/config.hcl2spec.go | 4 +
 .../common/FlagConfig-not-required.mdx | 10 +
 12 files changed, 400 insertions(+), 21 deletions(-)
 create mode 100644 builder/vsphere/common/step_add_flag.go
 create mode 100644 builder/vsphere/common/step_add_flag.hcl2spec.go
 create mode 100644 builder/vsphere/common/step_add_flag_test.go
 create mode 100644 docs-partials/builder/vsphere/common/FlagConfig-not-required.mdx
diff --git a/builder/vsphere/clone/builder.go b/builder/vsphere/clone/builder.go
index f1870994..58c2678d 100644
--- a/builder/vsphere/clone/builder.go
+++ b/builder/vsphere/clone/builder.go
@@ -62,6 +62,9 @@ func (b *Builder) Run(ctx context.Context, ui packersdk.Ui, hook packersdk.Hook)
 			&common.StepConfigureHardware{
 				Config: &b.config.HardwareConfig,
 			},
+			&common.StepAddFlag{
+				FlagConfig: b.config.FlagConfig,
+			},
 			&common.StepAddCDRom{
 				Config: &b.config.CDRomConfig,
 			},
diff --git a/builder/vsphere/clone/config.go b/builder/vsphere/clone/config.go
index 6e5a9c94..9c461b84 100644
--- a/builder/vsphere/clone/config.go
+++ b/builder/vsphere/clone/config.go
@@ -26,15 +26,15 @@ type Config struct {
 	common.LocationConfig `mapstructure:",squash"`
 	common.HardwareConfig `mapstructure:",squash"`
 	common.ConfigParamsConfig `mapstructure:",squash"`
-
-	common.CDRomConfig `mapstructure:",squash"`
-	common.RemoveCDRomConfig `mapstructure:",squash"`
-	common.FloppyConfig `mapstructure:",squash"`
-	common.RunConfig `mapstructure:",squash"`
-	common.BootConfig `mapstructure:",squash"`
-	common.WaitIpConfig `mapstructure:",squash"`
-	Comm communicator.Config `mapstructure:",squash"`
-	common.ShutdownConfig `mapstructure:",squash"`
+	common.FlagConfig `mapstructure:",squash"`
+	common.CDRomConfig `mapstructure:",squash"`
+	common.RemoveCDRomConfig `mapstructure:",squash"`
+	common.FloppyConfig `mapstructure:",squash"`
+	common.RunConfig `mapstructure:",squash"`
+	common.BootConfig `mapstructure:",squash"`
+	common.WaitIpConfig `mapstructure:",squash"`
+	Comm communicator.Config `mapstructure:",squash"`
+	common.ShutdownConfig `mapstructure:",squash"`
 	// Create a snapshot when set to `true`, so the VM can be used as a base
 	// for linked clones. Defaults to `false`.
@@ -79,8 +79,8 @@ func (c *Config) Prepare(raws ...interface{}) ([]string, error) {
 	errs = packersdk.MultiErrorAppend(errs, c.CloneConfig.Prepare()...)
 	errs = packersdk.MultiErrorAppend(errs, c.LocationConfig.Prepare()...)
 	errs = packersdk.MultiErrorAppend(errs, c.HardwareConfig.Prepare()...)
+	errs = packersdk.MultiErrorAppend(errs, c.FlagConfig.Prepare(&c.HardwareConfig)...)
 	errs = packersdk.MultiErrorAppend(errs, c.HTTPConfig.Prepare(&c.ctx)...)
-
 	errs = packersdk.MultiErrorAppend(errs, c.CDRomConfig.Prepare()...)
 	errs = packersdk.MultiErrorAppend(errs, c.CDConfig.Prepare(&c.ctx)...)
 	errs = packersdk.MultiErrorAppend(errs, c.BootConfig.Prepare(&c.ctx)...)
diff --git a/builder/vsphere/clone/config.hcl2spec.go b/builder/vsphere/clone/config.hcl2spec.go
index 89b0f83c..638380f6 100644
--- a/builder/vsphere/clone/config.hcl2spec.go
+++ b/builder/vsphere/clone/config.hcl2spec.go
@@ -69,6 +69,8 @@ type FlatConfig struct {
 	ConfigParams map[string]string `mapstructure:"configuration_parameters" cty:"configuration_parameters" hcl:"configuration_parameters"`
 	ToolsSyncTime *bool `mapstructure:"tools_sync_time" cty:"tools_sync_time" hcl:"tools_sync_time"`
 	ToolsUpgradePolicy *bool `mapstructure:"tools_upgrade_policy" cty:"tools_upgrade_policy" hcl:"tools_upgrade_policy"`
+	VbsEnabled *bool `mapstructure:"vbs_enabled" cty:"vbs_enabled" hcl:"vbs_enabled"`
+	VvtdEnabled *bool `mapstructure:"vvtd_enabled" cty:"vvtd_enabled" hcl:"vvtd_enabled"`
 	CdromType *string `mapstructure:"cdrom_type" cty:"cdrom_type" hcl:"cdrom_type"`
 	ISOPaths []string `mapstructure:"iso_paths" cty:"iso_paths" hcl:"iso_paths"`
 	RemoveCdrom *bool `mapstructure:"remove_cdrom" cty:"remove_cdrom" hcl:"remove_cdrom"`
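Review bot: The new `c.FlagConfig.Prepare(&c.HardwareConfig)` line reads `Firmware`, `NestedHV` and `VTPMEnabled` out of the hardware config, so it has to stay after `c.HardwareConfig.Prepare()` in case that call fills in defaults; the order here is right, but nothing marks it as deliberate and a later reorder would silently weaken the VBS validation. A one-line comment above it, `// Must follow HardwareConfig.Prepare: the flag checks read its (possibly defaulted) values.`, would pin that down. The same applies to the identical hunk in builder/vsphere/iso/config.go. Config.Prepare continues outside this hunk.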
@@ -216,6 +218,8 @@ func (*FlatConfig) HCL2Spec() map[string]hcldec.Spec {
 		"configuration_parameters": &hcldec.AttrSpec{Name: "configuration_parameters", Type: cty.Map(cty.String), Required: false},
 		"tools_sync_time": &hcldec.AttrSpec{Name: "tools_sync_time", Type: cty.Bool, Required: false},
 		"tools_upgrade_policy": &hcldec.AttrSpec{Name: "tools_upgrade_policy", Type: cty.Bool, Required: false},
+		"vbs_enabled": &hcldec.AttrSpec{Name: "vbs_enabled", Type: cty.Bool, Required: false},
+		"vvtd_enabled": &hcldec.AttrSpec{Name: "vvtd_enabled", Type: cty.Bool, Required: false},
 		"cdrom_type": &hcldec.AttrSpec{Name: "cdrom_type", Type: cty.String, Required: false},
 		"iso_paths": &hcldec.AttrSpec{Name: "iso_paths", Type: cty.List(cty.String), Required: false},
 		"remove_cdrom": &hcldec.AttrSpec{Name: "remove_cdrom", Type: cty.Bool, Required: false},
diff --git a/builder/vsphere/common/step_add_flag.go b/builder/vsphere/common/step_add_flag.go
new file mode 100644
index 00000000..f1c1e88f
--- /dev/null
+++ b/builder/vsphere/common/step_add_flag.go
@@ -0,0 +1,90 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+//go:generate packer-sdc struct-markdown
+//go:generate packer-sdc mapstructure-to-hcl2 -type FlagConfig
+
+package common
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/hashicorp/packer-plugin-sdk/multistep"
+	packersdk "github.com/hashicorp/packer-plugin-sdk/packer"
+	"github.com/hashicorp/packer-plugin-vsphere/builder/vsphere/driver"
+	"github.com/vmware/govmomi/vim25/types"
+)
+
+type FlagConfig struct {
+	// Enable Virtualization Based Security option for virtual machine. Defaults to `false`.
+	// Requires `vvtd_enabled` and `NestedHV` to be set to `true`.
+	// Requires `vTPM` to be set to `true`.
+	// Requires `firmware` to be set to `efi-secure`.
+	VbsEnabled bool `mapstructure:"vbs_enabled"`
+	// Enable IO/MMU option for virtual machine. Defaults to `false`.
+	VvtdEnabled bool `mapstructure:"vvtd_enabled"`
+}
+
+func (c *FlagConfig) Prepare(h *HardwareConfig) []error {
+	var errs []error
+
+	if h == nil {
+		return append(errs, fmt.Errorf("no hardware config provided"))
+	}
+
+	if c.VbsEnabled {
+		if !c.VvtdEnabled {
+			errs = append(errs, fmt.Errorf("`vvtd_enabled` must be set to `true` when `vbs_enabled` is set to `true`"))
+		}
+
+		if !h.NestedHV {
+			errs = append(errs, fmt.Errorf("`nestedhv` must be set to `true` when `vbs_enabled` is set to `true`"))
+		}
+
+		if !h.VTPMEnabled {
+			errs = append(errs, fmt.Errorf("`vtpm` must be set to `true` when `vbs_enabled` is set to `true`"))
+		}
+
+		if h.Firmware != "efi-secure" {
+			errs = append(errs, fmt.Errorf("`firmware` must be set to `efi-secure` when `vbs_enabled` is set to `true`"))
+		}
+	}
+
+	return errs
+}
+
+type StepAddFlag struct {
+	FlagConfig FlagConfig
+}
+
+func (s *StepAddFlag) Run(ctx context.Context, state multistep.StateBag) multistep.StepAction {
+	ui := state.Get("ui").(packersdk.Ui)
+	vm := state.Get("vm").(driver.VirtualMachine)
+
+	var info *types.VirtualMachineFlagInfo
+
+	if s.FlagConfig.VbsEnabled
|| s.FlagConfig.VvtdEnabled {
+		info = &types.VirtualMachineFlagInfo{}
+
+		if s.FlagConfig.VbsEnabled {
+			info.VbsEnabled = &s.FlagConfig.VbsEnabled
+		}
+
+		if s.FlagConfig.VvtdEnabled {
+			info.VvtdEnabled = &s.FlagConfig.VvtdEnabled
+		}
+
+		ui.Say("Adding virtual machine flags...")
+		if err := vm.AddFlag(ctx, info); err != nil {
+			state.Put("error", fmt.Errorf("error adding virtual machine flag: %v", err))
+			return multistep.ActionHalt
+		}
+	}
+
+	return multistep.ActionContinue
+}
+
+func (s *StepAddFlag) Cleanup(state multistep.StateBag) {
+	// Nothing to clean up.
+}
diff --git a/builder/vsphere/common/step_add_flag.hcl2spec.go b/builder/vsphere/common/step_add_flag.hcl2spec.go
new file mode 100644
index 00000000..fb1d0075
--- /dev/null
+++ b/builder/vsphere/common/step_add_flag.hcl2spec.go
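Review bot: The option names in the `Prepare` error messages (`nestedhv`, `vtpm`) disagree with the names the `FlagConfig` doc comment uses for the same settings (`NestedHV`, `vTPM`), so a user who hits one of these errors is pointed at a key spelled differently from the documentation; pick the spelling that matches the `HardwareConfig` mapstructure tags and use it in both the comment and the messages. In `Run`, only a `true` value is ever copied into `info`, so a `false` never reaches `AddFlag` and, on a clone whose source already carries the flag, the build does not clear it — that is worth stating on the fields: `// Only an explicit `true` is applied; `false` leaves the flag as it is on the source machine.` The wrap in `Run` should read `fmt.Errorf("error adding virtual machine flag: %w", err)` so the underlying fault stays inspectable with `errors.Is`/`errors.As`. The exported `FlagConfig`, `Prepare`, `StepAddFlag`, `Run` and `Cleanup` also lack doc comments, e.g. `// Prepare validates the flag settings against the hardware configuration and returns every violation found.`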
@@ -0,0 +1,33 @@
+// Code generated by "packer-sdc mapstructure-to-hcl2"; DO NOT EDIT.
+
+package common
+
+import (
+	"github.com/hashicorp/hcl/v2/hcldec"
+	"github.com/zclconf/go-cty/cty"
+)
+
+// FlatFlagConfig is an auto-generated flat version of FlagConfig.
+// Where the contents of a field with a `mapstructure:,squash` tag are bubbled up.
+type FlatFlagConfig struct {
+	VbsEnabled *bool `mapstructure:"vbs_enabled" cty:"vbs_enabled" hcl:"vbs_enabled"`
+	VvtdEnabled *bool `mapstructure:"vvtd_enabled" cty:"vvtd_enabled" hcl:"vvtd_enabled"`
+}
+
+// FlatMapstructure returns a new FlatFlagConfig.
+// FlatFlagConfig is an auto-generated flat version of FlagConfig.
+// Where the contents a fields with a `mapstructure:,squash` tag are bubbled up.
+func (*FlagConfig) FlatMapstructure() interface{ HCL2Spec() map[string]hcldec.Spec } {
+	return new(FlatFlagConfig)
+}
+
+// HCL2Spec returns the hcl spec of a FlagConfig.
+// This spec is used by HCL to read the fields of FlagConfig.
+// The decoded values from this spec will then be applied to a FlatFlagConfig.
+func (*FlatFlagConfig) HCL2Spec() map[string]hcldec.Spec {
+	s := map[string]hcldec.Spec{
+		"vbs_enabled": &hcldec.AttrSpec{Name: "vbs_enabled", Type: cty.Bool, Required: false},
+		"vvtd_enabled": &hcldec.AttrSpec{Name: "vvtd_enabled", Type: cty.Bool, Required: false},
+	}
+	return s
+}
diff --git a/builder/vsphere/common/step_add_flag_test.go b/builder/vsphere/common/step_add_flag_test.go
new file mode 100644
index 00000000..92519a8d
--- /dev/null
+++ b/builder/vsphere/common/step_add_flag_test.go
@@ -0,0 +1,196 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+package common
+
+import (
+	"context"
+	"fmt"
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/google/go-cmp/cmp/cmpopts"
+	"github.com/hashicorp/packer-plugin-sdk/multistep"
+	"github.com/hashicorp/packer-plugin-vsphere/builder/vsphere/driver"
+)
+
+func TestFlagConfig_Prepare(t *testing.T) {
+	tc := []struct {
+		name string
+		config *FlagConfig
+		hardwareConfig *HardwareConfig
+		fail bool
+		expectedErrMsg string
+	}{
+		{
+			name: "Should not fail for empty config",
+			config: new(FlagConfig),
+			hardwareConfig: new(HardwareConfig),
+			fail: false,
+			expectedErrMsg: "",
+		},
+		{
+			name: "VbsEnabled but VvtdEnabled not set",
+			config: &FlagConfig{
+				VbsEnabled: true,
+			},
+			hardwareConfig: &HardwareConfig{
+				Firmware: "efi-secure",
+				NestedHV: true,
+				VTPMEnabled: true,
+			},
+			fail: true,
+			expectedErrMsg: "`vvtd_enabled` must be set to `true` when `vbs_enabled` is set to `true`",
+		},
+		{
+			name: "VbsEnabled but NestedHV not set",
+			config: &FlagConfig{
+				VbsEnabled: true,
+				VvtdEnabled: true,
+			},
+			hardwareConfig: &HardwareConfig{
+				Firmware: "efi-secure",
+				VTPMEnabled: true,
+			},
+			fail: true,
+			expectedErrMsg: "`nestedhv` must be set to `true` when `vbs_enabled` is set to `true`",
+		},
+		{
+			name: "VbsEnabled but VTPMEnabled not set",
+			config: &FlagConfig{
+				VbsEnabled: true,
+				VvtdEnabled: true,
+			},
+			hardwareConfig: &HardwareConfig{
+				NestedHV: true,
+				Firmware: "efi-secure",
+			},
+			fail: true,
+			expectedErrMsg: "`vtpm` must be set to `true` when `vbs_enabled` is set to `true`",
+		},
+		{
+			name: "VbsEnabled but Firmware not set to efi-secure",
+			config: &FlagConfig{
+				VbsEnabled: true,
+				VvtdEnabled: true,
+			},
+			hardwareConfig: &HardwareConfig{
+				NestedHV: true,
+				VTPMEnabled: true,
+				Firmware: "efi",
+			},
+			fail: true,
+			expectedErrMsg: "`firmware` must be set to `efi-secure` when `vbs_enabled` is set to `true`",
+		},
+		{
+			name: "VbsEnabled and all
required fields set",
+			config: &FlagConfig{
+				VbsEnabled: true,
+				VvtdEnabled: true,
+			},
+			hardwareConfig: &HardwareConfig{
+				NestedHV: true,
+				VTPMEnabled: true,
+				Firmware: "efi-secure",
+			},
+			fail: false,
+			expectedErrMsg: "",
+		},
+	}
+
+	for _, c := range tc {
+		errs := c.config.Prepare(c.hardwareConfig)
+		if c.fail {
+			if len(errs) == 0 {
+				t.Fatalf("Config prepare should fail")
+			}
+			if errs[0].Error() != c.expectedErrMsg {
+				t.Fatalf("Expected error message: %s but was '%s'", c.expectedErrMsg, errs[0].Error())
+			}
+		} else {
+			if len(errs) != 0 {
+				t.Fatalf("Config prepare should not fail")
+			}
+		}
+	}
+}
+
+func TestStepAddFlag_Run(t *testing.T) {
+	tc := []struct {
+		name string
+		state *multistep.BasicStateBag
+		step *StepAddFlag
+		vmMock *driver.VirtualMachineMock
+		expectedAction multistep.StepAction
+		expectedVmMock *driver.VirtualMachineMock
+		fail bool
+		errMessage string
+	}{
+		{
+			name: "Add Flag",
+			state: basicStateBag(nil),
+			step: &StepAddFlag{
+				FlagConfig: FlagConfig{
+					VbsEnabled: true,
+					VvtdEnabled: true,
+				},
+			},
+			vmMock: new(driver.VirtualMachineMock),
+			expectedAction: multistep.ActionContinue,
+			expectedVmMock: &driver.VirtualMachineMock{
+				AddFlagCalled: true,
+				AddFlagCalledTimes: 1,
+				AddFlagVbsEnabledValues: true,
+				AddFlagVvtdEnabledValues: true,
+			},
+			fail: false,
+			errMessage: "",
+		},
+		{
+			name: "Fail to add flag",
+			state: basicStateBag(nil),
+			step: &StepAddFlag{
+				FlagConfig: FlagConfig{
+					VbsEnabled: true,
+					VvtdEnabled: false,
+				},
+			},
+			vmMock: &driver.VirtualMachineMock{
+				AddFlagErr: fmt.Errorf("AddFlag error"),
+			},
+			expectedAction: multistep.ActionHalt,
+			expectedVmMock: &driver.VirtualMachineMock{
+				AddFlagCalled: true,
+				AddFlagCalledTimes: 1,
+				AddFlagVbsEnabledValues: true,
+				AddFlagVvtdEnabledValues: false,
+			},
+			fail: true,
+			errMessage: fmt.Sprintf("error adding virtual machine flag: %v", fmt.Errorf("AddFlag error")),
+		},
+	}
+
+	for _, c := range tc {
+		t.Run(c.name, func(t *testing.T) {
+
c.state.Put("vm", c.vmMock)
+			if action := c.step.Run(context.TODO(), c.state); action != c.expectedAction {
+				t.Fatalf("unexpected action %v", action)
+			}
+			err, ok := c.state.Get("error").(error)
+			if ok {
+				if err.Error() != c.errMessage {
+					t.Fatalf("unexpected error %s", err.Error())
+				}
+			} else {
+				if c.fail {
+					t.Fatalf("expected to fail but it didn't")
+				}
+			}
+
+			if diff := cmp.Diff(c.vmMock, c.expectedVmMock,
+				cmpopts.IgnoreInterfaces(struct{ error }{})); diff != "" {
+				t.Fatalf("unexpected VirtualMachine calls: %s", diff)
+			}
+		})
+	}
+}
diff --git a/builder/vsphere/driver/vm.go b/builder/vsphere/driver/vm.go
index 25a75034..c3de0480 100644
--- a/builder/vsphere/driver/vm.go
+++ b/builder/vsphere/driver/vm.go
@@ -55,6 +55,7 @@ type VirtualMachine interface {
 	RemoveDevice(keepFiles bool, device ...types.BaseVirtualDevice) error
 	addDevice(device types.BaseVirtualDevice) error
 	AddConfigParams(params map[string]string, info *types.ToolsConfigInfo) error
+	AddFlag(ctx context.Context, info *types.VirtualMachineFlagInfo) error
 	Export() (*nfc.Lease, error)
 	CreateDescriptor(m *ovf.Manager, cdp types.OvfCreateDescriptorParams) (*types.OvfCreateDescriptorResult, error)
 	NewOvfManager() *ovf.Manager
@@ -1187,6 +1188,24 @@ func (vm *VirtualMachineDriver) AddConfigParams(params map[string]string, info *
 	return nil
 }
 
+func (vm *VirtualMachineDriver) AddFlag(ctx context.Context, flagSpec *types.VirtualMachineFlagInfo) error {
+	confSpec := types.VirtualMachineConfigSpec{
+		Flags: flagSpec,
+	}
+
+	task, err := vm.vm.Reconfigure(ctx, confSpec)
+	if err != nil {
+		return err
+	}
+
+	err = task.Wait(ctx)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
 func (vm *VirtualMachineDriver) Export() (*nfc.Lease, error) {
 	return vm.vm.Export(vm.driver.ctx)
 }
diff --git a/builder/vsphere/driver/vm_mock.go b/builder/vsphere/driver/vm_mock.go
index 926e8e6e..bae98dc6 100644
--- a/builder/vsphere/driver/vm_mock.go
+++ b/builder/vsphere/driver/vm_mock.go
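Review bot: `TestFlagConfig_Prepare` runs its cases in a plain loop, so each `t.Fatalf` reports no case name, unlike `TestStepAddFlag_Run` which wraps every case in `t.Run(c.name, func(t *testing.T) {`; the same wrapper here would make a failing case identifiable. Only `errs[0]` is compared, so a hardware config that violates several requirements at once is never pinned, and the `h == nil` branch of `Prepare` has no case. In `TestStepAddFlag_Run` both cases set `VbsEnabled: true`, so the path where only `vvtd_enabled` is set (and `info.VbsEnabled` stays nil) and the path where neither flag is set (no `AddFlag` call, `AddFlagCalled` false) are untested. The "Fail to add flag" case also uses a flag combination that `Prepare` would reject; a one-line comment saying the Run test deliberately bypasses validation would stop a reader from taking it as a supported configuration.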
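Review bot: `AddFlag` in vm.go ends with `err = task.Wait(ctx)` followed by an `if err != nil { return err }` and a bare `return nil`, which is the same as `return task.Wait(ctx)`; the shorter form reads better and matches the early-return style of the surrounding file. Both the `Reconfigure` and the `Wait` errors are returned without saying which reconfigure failed, so the only context a user sees is the step's prefix; if vm.go already wraps elsewhere, `fmt.Errorf("reconfiguring virtual machine flags: %w", err)` would keep the chain intact. The exported method also needs a doc comment, e.g. `// AddFlag reconfigures the virtual machine with the given flag settings and waits for the task to finish.`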
@@ -36,6 +36,12 @@ type VirtualMachineMock struct {
 	AddCdromTypes []string
 	AddCdromPaths []string
+	AddFlagCalled bool
+	AddFlagCalledTimes int
+	AddFlagErr error
+	AddFlagVbsEnabledValues bool
+	AddFlagVvtdEnabledValues bool
+
 	GetDirCalled bool
 	GetDirResponse string
 	GetDirErr error
@@ -209,6 +215,18 @@ func (vm *VirtualMachineMock) AddConfigParams(params map[string]string, info *ty
 	return nil
 }
 
+func (vm *VirtualMachineMock) AddFlag(ctx context.Context, info *types.VirtualMachineFlagInfo) error {
+	vm.AddFlagCalled = true
+	vm.AddFlagCalledTimes++
+	if info.VbsEnabled != nil {
+		vm.AddFlagVbsEnabledValues = *info.VbsEnabled
+	}
+	if info.VvtdEnabled != nil {
+		vm.AddFlagVvtdEnabledValues = *info.VvtdEnabled
+	}
+	return vm.AddFlagErr
+}
+
 func (vm *VirtualMachineMock) Export() (*nfc.Lease, error) {
 	return nil, nil
 }
diff --git a/builder/vsphere/iso/builder.go b/builder/vsphere/iso/builder.go
index cdb55d1a..2ac3d1c5 100644
--- a/builder/vsphere/iso/builder.go
+++ b/builder/vsphere/iso/builder.go
@@ -75,6 +75,9 @@ func (b *Builder) Run(ctx context.Context, ui packersdk.Ui, hook packersdk.Hook)
 			&common.StepConfigureHardware{
 				Config: &b.config.HardwareConfig,
 			},
+			&common.StepAddFlag{
+				FlagConfig: b.config.FlagConfig,
+			},
 			&common.StepAddCDRom{
 				Config: &b.config.CDRomConfig,
 			},
diff --git a/builder/vsphere/iso/config.go b/builder/vsphere/iso/config.go
index bd2dc38e..3a7cf007 100644
--- a/builder/vsphere/iso/config.go
+++ b/builder/vsphere/iso/config.go
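Review bot: The mock's `AddFlag` dereferences `info` without a nil check, so a step that ever passes a nil spec panics inside the test double instead of producing a readable assertion failure; a guard `if info == nil { return vm.AddFlagErr }` before the field checks keeps the mock from masking the real problem. `AddFlagVbsEnabledValues` and `AddFlagVvtdEnabledValues` are overwritten on every call, so when `AddFlagCalledTimes` is greater than one only the last call's values can be asserted — worth a comment on those fields (`// Values from the most recent AddFlag call only.`) so a future multi-call test does not misread them.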
@@ -26,16 +26,15 @@ type Config struct {
 	common.LocationConfig `mapstructure:",squash"`
 	common.HardwareConfig `mapstructure:",squash"`
 	common.ConfigParamsConfig `mapstructure:",squash"`
-
-	commonsteps.ISOConfig `mapstructure:",squash"`
-
-	common.CDRomConfig `mapstructure:",squash"`
-	common.RemoveCDRomConfig `mapstructure:",squash"`
-	common.FloppyConfig `mapstructure:",squash"`
-	common.RunConfig `mapstructure:",squash"`
-	common.BootConfig `mapstructure:",squash"`
-	common.WaitIpConfig `mapstructure:",squash"`
-	Comm communicator.Config `mapstructure:",squash"`
+	common.FlagConfig `mapstructure:",squash"`
+	commonsteps.ISOConfig `mapstructure:",squash"`
+	common.CDRomConfig `mapstructure:",squash"`
+	common.RemoveCDRomConfig `mapstructure:",squash"`
+	common.FloppyConfig `mapstructure:",squash"`
+	common.RunConfig `mapstructure:",squash"`
+	common.BootConfig `mapstructure:",squash"`
+	common.WaitIpConfig `mapstructure:",squash"`
+	Comm communicator.Config `mapstructure:",squash"`
 	common.ShutdownConfig `mapstructure:",squash"`
@@ -86,8 +85,8 @@ func (c *Config) Prepare(raws ...interface{}) ([]string, error) {
 	errs = packersdk.MultiErrorAppend(errs, c.CreateConfig.Prepare()...)
 	errs = packersdk.MultiErrorAppend(errs, c.LocationConfig.Prepare()...)
 	errs = packersdk.MultiErrorAppend(errs, c.HardwareConfig.Prepare()...)
+	errs = packersdk.MultiErrorAppend(errs, c.FlagConfig.Prepare(&c.HardwareConfig)...)
 	errs = packersdk.MultiErrorAppend(errs, c.HTTPConfig.Prepare(&c.ctx)...)
-
 	errs = packersdk.MultiErrorAppend(errs, c.CDRomConfig.Prepare()...)
 	errs = packersdk.MultiErrorAppend(errs, c.CDConfig.Prepare(&c.ctx)...)
 	errs = packersdk.MultiErrorAppend(errs, c.BootConfig.Prepare(&c.ctx)...)
diff --git a/builder/vsphere/iso/config.hcl2spec.go b/builder/vsphere/iso/config.hcl2spec.go
index 16e23744..b9582ec4 100644
--- a/builder/vsphere/iso/config.hcl2spec.go
+++ b/builder/vsphere/iso/config.hcl2spec.go
@@ -67,6 +67,8 @@ type FlatConfig struct {
 	ConfigParams map[string]string `mapstructure:"configuration_parameters" cty:"configuration_parameters" hcl:"configuration_parameters"`
 	ToolsSyncTime *bool `mapstructure:"tools_sync_time" cty:"tools_sync_time" hcl:"tools_sync_time"`
 	ToolsUpgradePolicy *bool `mapstructure:"tools_upgrade_policy" cty:"tools_upgrade_policy" hcl:"tools_upgrade_policy"`
+	VbsEnabled *bool `mapstructure:"vbs_enabled" cty:"vbs_enabled" hcl:"vbs_enabled"`
+	VvtdEnabled *bool `mapstructure:"vvtd_enabled" cty:"vvtd_enabled" hcl:"vvtd_enabled"`
 	ISOChecksum *string `mapstructure:"iso_checksum" required:"true" cty:"iso_checksum" hcl:"iso_checksum"`
 	RawSingleISOUrl *string `mapstructure:"iso_url" required:"true" cty:"iso_url" hcl:"iso_url"`
 	ISOUrls []string `mapstructure:"iso_urls" cty:"iso_urls" hcl:"iso_urls"`
@@ -216,6 +218,8 @@ func (*FlatConfig) HCL2Spec() map[string]hcldec.Spec {
 		"configuration_parameters": &hcldec.AttrSpec{Name: "configuration_parameters", Type: cty.Map(cty.String), Required: false},
 		"tools_sync_time": &hcldec.AttrSpec{Name: "tools_sync_time", Type: cty.Bool, Required: false},
 		"tools_upgrade_policy": &hcldec.AttrSpec{Name: "tools_upgrade_policy", Type: cty.Bool, Required: false},
+		"vbs_enabled": &hcldec.AttrSpec{Name: "vbs_enabled", Type: cty.Bool, Required: false},
+		"vvtd_enabled": &hcldec.AttrSpec{Name: "vvtd_enabled", Type: cty.Bool, Required: false},
 		"iso_checksum": &hcldec.AttrSpec{Name: "iso_checksum", Type: cty.String, Required: false},
 		"iso_url": &hcldec.AttrSpec{Name: "iso_url", Type: cty.String, Required: false},
 		"iso_urls": &hcldec.AttrSpec{Name: "iso_urls", Type: cty.List(cty.String), Required: false},
diff --git a/docs-partials/builder/vsphere/common/FlagConfig-not-required.mdx b/docs-partials/builder/vsphere/common/FlagConfig-not-required.mdx
new file mode 100644
index 00000000..dae2d264
--- /dev/null
+++ b/docs-partials/builder/vsphere/common/FlagConfig-not-required.mdx
@@ -0,0 +1,10 @@
+
+
+- `vbs_enabled` (bool) - Enable Virtualization Based Security option for virtual machine. Defaults to `false`.
+ Requires `vvtd_enabled` and `NestedHV` to be set to `true`.
+ Requires `vTPM` to be set to `true`.
+ Requires `firmware` to be set to `efi-secure`.
+
+- `vvtd_enabled` (bool) - Enable IO/MMU option for virtual machine. Defaults to `false`.
+
+