Add support for generating confidential virtual machine images (#9448)

- kernel-uki: include i18n dracut module so UKI systemd-vconsole-setup service works - toolkit: add support for partition type UUID - imageconfigs: add CVM image definition Signed-off-by: Thien Trung Vuong <tvuong@microsoft.com> Co-authored-by: Dan Streetman <ddstreet@microsoft.com>
2024-06-25 14:02:17 -07:00 · 2024-06-25 14:02:17 -07:00 · 4c37bb0e07
--- a/SPECS-SIGNED/kernel-signed/kernel-signed.spec
+++ b/SPECS-SIGNED/kernel-signed/kernel-signed.spec
@ -10,7 +10,7 @@
 Summary:        Signed Linux Kernel for %{buildarch} systems
 Name:           kernel-signed-%{buildarch}
 Version:        6.6.29.1
-Release:        5%{?dist}
+Release:        6%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@ -145,6 +145,10 @@ echo "initrd of kernel %{uname_r} removed" >&2
 %exclude /module_info.ld

 %changelog
+* Wed Jun 12 2024 Dan Streetman <ddstreet@microsoft.com> - 6.6.29.1-6
+- include i18n (kbd package) in UKI, to provide loadkeys binary so
+  systemd-vconsole-setup works
+
 * Tue Jun 11 2024 Juan Camposeco <juanarturoc@microsoft.com> 6.6.29.1-5
 - Add patch to enable mstflint kernel driver

--- a/SPECS/kernel-headers/kernel-headers.spec
+++ b/SPECS/kernel-headers/kernel-headers.spec
@ -14,7 +14,7 @@
 Summary:        Linux API header files
 Name:           kernel-headers
 Version:        6.6.29.1
-Release:        5%{?dist}
+Release:        6%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@ -75,6 +75,10 @@ done
 %endif

 %changelog
+* Wed Jun 12 2024 Dan Streetman <ddstreet@microsoft.com> - 6.6.29.1-6
+- include i18n (kbd package) in UKI, to provide loadkeys binary so
+  systemd-vconsole-setup works
+
 * Tue Jun 11 2024 Juan Camposeco <juanarturoc@microsoft.com> - 6.6.29.1-5
 - Bump release to match kernel

--- a/SPECS/kernel/kernel-uki-dracut.conf
+++ b/SPECS/kernel/kernel-uki-dracut.conf
@ -6,7 +6,7 @@ compress="xz"
 early_microcode="no"

 # modules: basics
-dracutmodules+=" base systemd systemd-initrd dracut-systemd dbus usrmount shutdown "
+dracutmodules+=" base systemd systemd-initrd dracut-systemd dbus usrmount shutdown i18n "

 # modules: storage support
 dracutmodules+=" dm rootfs-block fs-lib "
--- a/SPECS/kernel/kernel-uki.signatures.json
+++ b/SPECS/kernel/kernel-uki.signatures.json
@ -1,5 +1,5 @@
 {
 "Signatures": {
-  "kernel-uki-dracut.conf": "02e94ed85e599ba4cc0f517fdfa0766d7d692c844a0ed0ac961ba787fc41d569"
+  "kernel-uki-dracut.conf": "f2ebdc85615d9c3bfeae52b5b0269517e98c9e73cd2202127ce47d174c480d6a"
 }
 }
--- a/SPECS/kernel/kernel-uki.spec
+++ b/SPECS/kernel/kernel-uki.spec
@ -18,7 +18,7 @@
 Summary:        Unified Kernel Image
 Name:           kernel-uki
 Version:        6.6.29.1
-Release:        5%{?dist}
+Release:        6%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@ -36,6 +36,7 @@ BuildRequires:  system-release
 BuildRequires:  tpm2-tools
 BuildRequires:  cryptsetup
 BuildRequires:  device-mapper
+BuildRequires:  kbd

 %description
 The kernel-uki package contains the Linux kernel packaged as a Unified
@ -64,6 +65,10 @@ install -D -t %{buildroot}/lib/modules/%{kernelver} vmlinuz-uki.efi
 /lib/modules/%{kernelver}/vmlinuz-uki.efi

 %changelog
+* Wed Jun 12 2024 Dan Streetman <ddstreet@microsoft.com> - 6.6.29.1-6
+- include i18n (kbd package) in UKI, to provide loadkeys binary so
+  systemd-vconsole-setup works
+
 * Tue Jun 11 2024 Juan Camposeco <juanarturoc@microsoft.com> - 6.6.29.1-5
 - Bump release to match kernel

--- a/SPECS/kernel/kernel.spec
+++ b/SPECS/kernel/kernel.spec
@ -30,7 +30,7 @@
 Summary:        Linux Kernel
 Name:           kernel
 Version:        6.6.29.1
-Release:        5%{?dist}
+Release:        6%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@ -407,6 +407,10 @@ echo "initrd of kernel %{uname_r} removed" >&2
 %{_sysconfdir}/bash_completion.d/bpftool

 %changelog
+* Wed Jun 12 2024 Dan Streetman <ddstreet@microsoft.com> - 6.6.29.1-6
+- include i18n (kbd package) in UKI, to provide loadkeys binary so
+  systemd-vconsole-setup works
+
 * Tue Jun 11 2024 Juan Camposeco <juanarturoc@microsoft.com> - 6.6.29.1-5
 - Add patch to enable mstflint kernel driver 4.28.0-1

--- a/toolkit/docs/formats/imageconfig.md
+++ b/toolkit/docs/formats/imageconfig.md
@ -1,14 +1,17 @@
 # Image configuration

-Image configuration consists of two sections - Disks and SystemConfigs - that describe the produced artifact(image). Image configuration code can be found in (configuration.go)[../../tools/imagegen/configuration/configuration.go] and validity of the configuration file can be verified by the [imageconfigvalidator](../../tools/imageconfigvalidator/imageconfigvalidator.go)
+Image configuration consists of two sections - Disks and SystemConfigs - that describe the produced artifact(image). Image configuration code can be found in [configuration.go](../../tools/imagegen/configuration/configuration.go) and validity of the configuration file can be verified by the [imageconfigvalidator](../../tools/imageconfigvalidator/imageconfigvalidator.go)

 ## Disks
+
 Disks entry specifies the disk configuration like its size (for virtual disks), partitions and partition table.

 ## TargetDisk
+
 Required when building unattended ISO installer. This field defines the physical disk to which Azure Linux should be installed. The `Type` field must be set to `path` and the `Value` field must be set to the desired target disk path.

 ### Artifacts
+
 Artifact (non-ISO image building only) defines the name, type and optional compression of the output Azure Linux image.

 Sample Artifacts entry, creating a raw rootfs, compressed to .tar.gz format(note that this format does not support partitions, so there would be no "Partitions" entry):
@ -22,6 +25,7 @@ Sample Artifacts entry, creating a raw rootfs, compressed to .tar.gz format(note
 ]

 ```
+
 Sample Artifacts entry, creating a vhdx disk image:

 ``` json
@ -34,6 +38,7 @@ Sample Artifacts entry, creating a vhdx disk image:
 ```

 ### Partitions
+
 "Partitions" key holds an array of Partition entries.

 Partition defines the size, name and file system type for a partition.
@ -64,12 +69,14 @@ Sample partitions entry, specifying a boot partition and a root partition:
        "ID": "rootfs",
        "Start": 9,
        "End": 0,
-        "FsType": "ext4"
+        "FsType": "ext4",
+        "Type": "linux-root-amd64"
    }
 ]
 ```

 #### Flags
+
 "Flags" key controls special handling for certain partitions.

 - `esp` indicates this is the UEFI esp partition
@ -78,6 +85,24 @@ Sample partitions entry, specifying a boot partition and a root partition:
 - `boot` indicates this is a boot partition
 - `dmroot` indicates this partition will be used for a device mapper root device (i.e. `Encryption` or `ReadOnlyVerityRoot`)

+#### TypeUUID
+
+"TypeUUID" key sets the partition type UUID. The "Type" key can be used instead to set the partition type using a friendly name.
+
+- `linux`: "0fc63daf-8483-4772-8e79-3d69d8477de4",
+- `esp`: "c12a7328-f81f-11d2-ba4b-00a0c93ec93b",
+- `xbootldr`: "bc13c2ff-59e6-4262-a352-b275fd6f7172",
+- `linux-root-amd64`: "4f68bce3-e8cd-4db1-96e7-fbcaf984b709",
+- `linux-swap`: "0657fd6d-a4ab-43c4-84e5-0933c84b4f4f",
+- `linux-home`: "933ac7e1-2eb4-4f13-b844-0e14e2aef915",
+- `linux-srv`: "3b8f8425-20e0-4f3b-907f-1a25a76f98e8",
+- `linux-var`: "4d21b016-b534-45c2-a9fb-5c16e091fd2d",
+- `linux-tmp`: "7ec6f557-3bc5-4aca-b293-16ef5df639d1",
+- `linux-lvm`: "e6d6d379-f507-44c2-a23c-238f2a3df928",
+- `linux-raid`: "a19d880f-05fc-4d3b-a006-743f0f84911e",
+- `linux-luks`: "ca7d7ccb-63ed-4c53-861c-1742536059cc",
+- `linux-dm-crypt`: "7ffec5c9-2d00-49b7-8941-3ea10a5586b7",
+
 ## SystemConfigs

 SystemConfigs is an array of SystemConfig entries.
@ -113,6 +138,7 @@ A sample PartitionSettings entry, designating an EFI and a root partitions:
 A PartitionSetting may set a `MountIdentifier` to control how a partition is identified in the `fstab` file. The supported options are `uuid`, `partuuid`, and `partlabel`. If the `MountIdentifier` is omitted `partuuid` will be selected by default.

 `partlabel` may not be used with `mbr` disks, and requires the `Name` key in the corresponding `Partition` be populated. An example with the rootfs mounted via `PARTLABEL=my_rootfs`, but the boot mount using the default `PARTUUID=<PARTUUID>`:
+
 ``` json
 "Partitions": [

@ -127,6 +153,7 @@ A PartitionSetting may set a `MountIdentifier` to control how a partition is ide
    }
 ]
 ```
+
 ``` json
 "PartitionSettings": [
    {
@ -169,10 +196,12 @@ A sample `ParitionSettings` entry using `overlay` algorithm:
 }

 ```
+
 `RdiffBaseImage` represents the base image when `rdiff` algorithm is used.
 `OverlayBaseImage` represents the base image when `overlay` algorithm is used.

 ### EnableGrubMkconfig
+
 EnableGrubMkconfig is a optional boolean that controls whether the image uses grub2-mkconfig to generate the boot configuration (/boot/grub2/grub.cfg) or not. If EnableGrubMkconfig is specified, only valid values are `true` and `false`. Default is `true`.

 ### PackageLists
@ -186,6 +215,7 @@ PackageLists **must not include kernel packages**! To provide a kernel, use Kern
 If any of the packages depends on a kernel, make sure that the required kernel is provided with KernelOptions.

 A sample PackageLists entry pointing to three files containing package lists:
+
 ``` json
 "PackageLists": [
    "packagelists/hyperv-packages.json",
@ -222,6 +252,7 @@ This may be any value compatible with the `%_install_langs` rpm macro.
 The `OverrideRpmLocales` and `DisableRpmDocs` settings are stored in `/usr/lib/rpm/macros.d/macros.installercustomizations_*` files on the final system. The files selected for install are based on the `rpm` macros at the time of transaction, so to restore these files on an installed system remove the associated macro definition and run  `tdnf -y reinstall $(rpm -qa)`. This will reinstall all packages and apply the new settings.

 ### Customization Scripts
+
 The tools offer the option of executing arbitrary shell scripts during various points of the image generation process. There are three points that scripts can be executed: `PreInstall`, `PostInstall`, and `ImageFinalize`.

 >Installer starts -> `PreInstallScripts` -> Create Partitions -> Install Packages -> `PostInstallScripts` -> Configure Bootloader (if any) -> Calculate dm-verity hashes (if configured) -> `ImageFinalizeScripts`
@ -229,6 +260,7 @@ The tools offer the option of executing arbitrary shell scripts during various p
 Each of the `PreInstallScripts`, `PostInstallScripts`, and `FinalizeImageScripts` entires are an array of file paths and the corresponding input arguments. The scripts will be executed in sequential order and within the context of the final image. The file paths are relative to the image configuration file. Scripts may be passed without arguments if desired.

 All scripts follow the same format in the image config .json file:
+
 ``` json
 "PreInstallScripts | PostInstallScripts | FinalizeImageScripts":[
    {
@ -302,6 +334,7 @@ Fields:
 The `Networks` entry is added to enable the users to specify the network configuration parameters to enable users to set IP address, configure the hostname, DNS etc. Currently, the Azure Linux tooling only supports a subset of the kickstart network command options: `bootproto`, `gateway`, `ip`, `net mask`, `DNS` and `device`. Hostname can be configured using the `Hostname` entry of the image config.

 A sample Networks entry pointing to one network configuration:
+
 ``` json
    "Networks":[
    {
@ -364,6 +397,7 @@ KernelOptions is mandatory for all non-`rootfs` image types.
 KernelOptions may be included in `rootfs` images which expect a kernel, such as the initrd for an ISO, if desired.

 Currently there is only one key with an assigned meaning:
+
 - `default` key needs to be always provided. It designates a kernel that is used when no other scenario is applicable (i.e. by default).

 Keys starting with an underscore are ignored - they can be used for providing comments.
@ -377,29 +411,37 @@ A sample KernelOptions specifying a default kernel:
 ```

 ### ReadOnlyVerityRoot
+
 "ReadOnlyVerityRoot" key controls making the root filesystem read-only using dm-verity.
 It will create a verity disk from the partition mounted at "/". The verity data is stored as
 part of the image's initramfs. More details can be found in [Misc: Read Only Roots](../how_it_works/5_misc.md#dm-verity-read-only-roots)

 #### Considerations
+
 Having a read-only root filesystem will change the behavior of the image in some fundamental ways. There are several areas that should be considered before enabling a read-only root:

 ##### Writable Data
+
 Any writable data which needs to be preserved will need to be stored into a separate writable partition. The `TmpfsOverlays` key will create throw-away writable partitions which are reset on every boot. The example configs create an overlay on `/var`, but the more refined the overlays are, the more secure they will be.

 ##### GPL Licensing
+
 If using a read-only root in conjunction with a verified boot flow that uses a signed initramfs, carefully consider the implications on GPLv3 code. The read-only nature of the filesystem means a user cannot replace GPLv3 components without re-signing a new initramfs.

 ##### Users
+
 Since users are controlled by files in `/etc`, these files are read-only when this is set. It is recommended to either use SSH key based login or pre-hash the password to avoid storing passwords in plain text in the config files (See [Users](#users)).

 ##### Separate `/boot` Partition
+
 Since the root partition's hash tree is stored as part of the initramfs, the initramfs cannot be stored on the same root partition (it would invalidate the measurements). To avoid this a separate `/boot` partition is needed to house the hash tree (via the initramfs).

 ##### ISO
+
 The ISO command line installer supports enabling read-only roots if they are configured through the configuration JSON file (see [full.json's](../../imageconfigs/full.json) `"Azure Linux Core Read-Only"` entry). The automatic partition creation mode will create the required `/boot` partition if the read-only root is enabled.

 The GUI installer does not currently support read-only roots.
+
 - `Enable`: Enable dm-verity on the root filesystem
 - `Name`: Custom name for the mounted root (default is `"verity_root_fs"`)
 - `ErrorCorrectionEnable`: Enable automatic error correction of modified blocks (default is `true`)
@ -413,6 +455,7 @@ The GUI installer does not currently support read-only roots.
    `verity-read-only-root-debug-tools` package to create the required mount points.

 A sample ReadOnlyVerityRoot specifying a basic read-only root using default error correction. This configuration may be used for both normal images and ISO configurations:
+
 ``` json
 "ReadOnlyVerityRoot": {
    "Enable": true,
@ -427,23 +470,29 @@ A sample ReadOnlyVerityRoot specifying a basic read-only root using default erro
 KernelCommandLine is an optional key which allows additional parameters to be passed to the kernel when it is launched from Grub.

 #### ImaPolicy
+
 ImaPolicy is a list of Integrity Measurement Architecture (IMA) policies to enable, they may be any combination of `tcb`, `appraise_tcb`, `secure_boot`.

 #### EnableFIPS
+
 EnableFIPS is a optional boolean option that controls whether the image tools create the image with FIPS mode enabled or not. If EnableFIPS is specificed, only valid values are `true` and `false`.

 #### ExtraCommandLine
+
 ExtraCommandLine is a string which will be appended to the end of the kernel command line and may contain any additional parameters desired. The `` ` `` character is reserved and may not be used. **Note: Some kernel command line parameters are already configured by default in [grub.cfg](../../tools/internal/resources/assets/grub2/grub.cfg) and [/etc/default/grub](../../tools/internal/resources/assets/grub2/grub) for mkconfig-based images. Many command line options may be overwritten by passing a new value. If a specific argument must be removed from the existing grub template a `FinalizeImageScript` is currently required.

 #### SELinux
+
 The Security Enhanced Linux (SELinux) feature is enabled by using the `SELinux` key, with value containing the mode to use on boot.  The `enforcing` and `permissive` values will set the mode in /etc/selinux/config.
 This will instruct init (systemd) to set the configured mode on boot.  The `force_enforcing` option will set enforcing in the config and also add `enforcing=1` in the kernel command line,
 which is a higher precedent than the config file. This ensures SELinux boots in enforcing even if the /etc/selinux/config was altered.

 #### SELinuxPolicy
+
 An optional field to overwrite the SELinux policy package name. If not set, the default is `selinux-policy`.

 #### CGroup
+
 The version for CGroup in Azure Linux images can be enabled by using the `CGroup` key with value containing which version to use on boot. The value that can be chosen is either `version_one` or `version_two`.
 The `version_two` value will set the cgroupv2 to be used in Azure Linux by setting the config value `systemd.unified_cgroup_hierarchy=1` in the default kernel command line. The value `version_one` or no value set will keep cgroupv1 (current default) to be enabled on boot.
 For more information about cgroups with Kubernetes, see [About cgroupv2](https://kubernetes.io/docs/concepts/architecture/cgroups/).
@ -553,7 +602,8 @@ A sample image configuration, producing a VHDX disk image:
                    "ID": "rootfs",
                    "Start": 9,
                    "End": 0,
-                    "FsType": "ext4"
+                    "FsType": "ext4",
+                    "Type": "linux-root-amd64"
                }
            ]
        }
--- a/toolkit/imageconfigs/additionalconfigs/sdboot-loader.conf
+++ b/toolkit/imageconfigs/additionalconfigs/sdboot-loader.conf
@ -0,0 +1 @@
+timeout 3
--- a/toolkit/imageconfigs/cvm.json
+++ b/toolkit/imageconfigs/cvm.json
@ -0,0 +1,73 @@
+{
+    "Disks": [
+        {
+            "PartitionTableType": "gpt",
+            "MaxSize": 2048,
+            "Artifacts": [
+                {
+                    "Name": "cvm",
+                    "Type": "vhd"
+                }
+            ],
+            "Partitions": [
+                {
+                    "ID": "efi",
+                    "Flags": [
+                        "esp",
+                        "boot"
+                    ],
+                    "Start": 1,
+                    "End": 513,
+                    "FsType": "fat32",
+                    "Type": "esp"
+                },
+                {
+                    "ID": "rootfs",
+                    "Start": 513,
+                    "End": 0,
+                    "FsType": "ext4",
+                    "Type": "linux-root-amd64"
+                }
+            ]
+        }
+    ],
+    "SystemConfigs": [
+        {
+            "Name": "Standard",
+            "BootType": "efi",
+            "PartitionSettings": [
+                {
+                    "ID": "efi",
+                    "MountPoint": "/efi",
+                    "MountOptions": "umask=0077"
+                },
+                {
+                    "ID": "rootfs",
+                    "MountPoint": "/"
+                }
+            ],
+            "PackageLists": [
+                "packagelists/marketplace-tools-packages.json",
+                "packagelists/azurevm-packages.json",
+                "packagelists/cvm-packages.json",
+                "packagelists/hyperv-packages.json"
+            ],
+            "AdditionalFiles": {
+                "additionalconfigs/sdboot-loader.conf": "/efi/loader/loader.conf"
+            },
+            "KernelOptions": {
+                "default": "kernel"
+            },
+            "FinalizeImageScripts": [
+                {
+                    "Path": "scripts/setup_cvm_image.sh"
+                },
+                {
+                    "Path": "scripts/cleanup.sh"
+                }
+            ],
+            "Hostname": "azurelinux",
+            "DisableRpmDocs": true
+        }
+    ]
+}
--- a/toolkit/imageconfigs/packagelists/cvm-packages.json
+++ b/toolkit/imageconfigs/packagelists/cvm-packages.json
@ -0,0 +1,12 @@
+{
+    "packages": [
+        "shim",
+        "systemd-boot",
+        "kernel-uki",
+        "tpm2-tools",
+        "ca-certificates",
+        "cronie-anacron",
+        "logrotate",
+        "core-packages-base-image"
+    ]
+}
--- a/toolkit/imageconfigs/scripts/setup_cvm_image.sh
+++ b/toolkit/imageconfigs/scripts/setup_cvm_image.sh
@ -0,0 +1,35 @@
+#!/bin/bash
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+set -e
+
+EFIDIR="BOOT"
+KERNEL_VERSION=""
+
+# Image generation is done in a chroot environment, so running `uname -r`
+# will return the version of the host running kernel. This function works
+# under the assumption that exactly one kernel is installed in the end image.
+get_kernel_version() {
+    kernel_modules_dir="/usr/lib/modules"
+    KERNEL_VERSION="$(ls $kernel_modules_dir)"
+}
+
+# symlink /boot/efi to ../efi
+cp -a /boot/efi/. /efi
+rm -rf /boot/efi
+ln -s ../efi /boot/efi
+
+# The shim has its default boot-loader filename built in as grubx64.efi.
+# To switch to systemd-boot, we overwrite that file location with the
+# sd-boot EFI binary as a workaround.
+cp /lib/systemd/boot/efi/systemd-bootx64.efi /efi/EFI/$EFIDIR/grubx64.efi
+
+# empty /etc/fstab file
+echo > /etc/fstab
+
+# copy UKI into the ESP
+mkdir -p /efi/EFI/Linux
+get_kernel_version
+echo "Kernel version = $KERNEL_VERSION"
+cp /lib/modules/$KERNEL_VERSION/vmlinuz-uki.efi /efi/EFI/Linux/vmlinuz-uki-$KERNEL_VERSION.efi
--- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@ -1,5 +1,5 @@
 filesystem-1.1-21.azl3.aarch64.rpm
-kernel-headers-6.6.29.1-5.azl3.noarch.rpm
+kernel-headers-6.6.29.1-6.azl3.noarch.rpm
 glibc-2.38-6.azl3.aarch64.rpm
 glibc-devel-2.38-6.azl3.aarch64.rpm
 glibc-i18n-2.38-6.azl3.aarch64.rpm
--- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@ -1,5 +1,5 @@
 filesystem-1.1-21.azl3.x86_64.rpm
-kernel-headers-6.6.29.1-5.azl3.noarch.rpm
+kernel-headers-6.6.29.1-6.azl3.noarch.rpm
 glibc-2.38-6.azl3.x86_64.rpm
 glibc-devel-2.38-6.azl3.x86_64.rpm
 glibc-i18n-2.38-6.azl3.x86_64.rpm
--- a/toolkit/resources/manifests/package/toolchain_aarch64.txt
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@ -152,7 +152,7 @@ intltool-0.51.0-7.azl3.noarch.rpm
 itstool-2.0.7-1.azl3.noarch.rpm
 kbd-2.2.0-2.azl3.aarch64.rpm
 kbd-debuginfo-2.2.0-2.azl3.aarch64.rpm
-kernel-headers-6.6.29.1-5.azl3.noarch.rpm
+kernel-headers-6.6.29.1-6.azl3.noarch.rpm
 kmod-30-1.azl3.aarch64.rpm
 kmod-debuginfo-30-1.azl3.aarch64.rpm
 kmod-devel-30-1.azl3.aarch64.rpm
--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@ -157,8 +157,8 @@ intltool-0.51.0-7.azl3.noarch.rpm
 itstool-2.0.7-1.azl3.noarch.rpm
 kbd-2.2.0-2.azl3.x86_64.rpm
 kbd-debuginfo-2.2.0-2.azl3.x86_64.rpm
-kernel-cross-headers-6.6.29.1-5.azl3.noarch.rpm
-kernel-headers-6.6.29.1-5.azl3.noarch.rpm
+kernel-cross-headers-6.6.29.1-6.azl3.noarch.rpm
+kernel-headers-6.6.29.1-6.azl3.noarch.rpm
 kmod-30-1.azl3.x86_64.rpm
 kmod-debuginfo-30-1.azl3.x86_64.rpm
 kmod-devel-30-1.azl3.x86_64.rpm
--- a/toolkit/tools/imagegen/configuration/partition.go
+++ b/toolkit/tools/imagegen/configuration/partition.go
@ -29,6 +29,8 @@ const (
 // kickstart-style unattended installation**)
 type Partition struct {
 	FsType    string          `json:"FsType"`
+	Type      string          `json:"Type"`
+	TypeUUID  string          `json:"TypeUUID"`
 	ID        string          `json:"ID"`
 	Name      string          `json:"Name"`
 	End       uint64          `json:"End"`
@ -76,6 +78,19 @@ func (p *Partition) IsValid() (err error) {
 		}
 	}

+	if p.Type != "" && p.TypeUUID != "" {
+		err = fmt.Errorf("cannot set Type and TypeUUID at the same time")
+		return
+	}
+
+	if p.Type != "" {
+		if _, exists := PartitionTypeNameToUUID[p.Type]; !exists {
+			err = fmt.Errorf("unrecognized partition type (%s), consider setting TypeUUID parameter explicitly or add a new entry to partition type table", p.Type)
+			return
+		}
+
+	}
+
 	err = nameCheck(p.Name)
 	if err != nil {
 		return err
--- a/toolkit/tools/imagegen/configuration/partition_test.go
+++ b/toolkit/tools/imagegen/configuration/partition_test.go
@ -118,3 +118,22 @@ func TestShouldFailParsingInvalidJSON_Partition(t *testing.T) {
 	assert.Error(t, err)
 	assert.Equal(t, "failed to parse [Partition]: json: cannot unmarshal string into Go struct field IntermediateTypePartition.End of type uint64", err.Error())
 }
+
+func TestShouldFailBothTypeAndTypeUUIDSpecified_Partition(t *testing.T) {
+	invalidPartition := validPartition
+	invalidPartition.Type = "linux"
+	invalidPartition.TypeUUID = "0fc63daf-8483-4772-8e79-3d69d8477de4"
+
+	err := invalidPartition.IsValid()
+	assert.Error(t, err)
+	assert.Equal(t, "cannot set Type and TypeUUID at the same time", err.Error())
+}
+
+func TestShouldFailUnsupportedTypeName_Partition(t *testing.T) {
+	invalidPartition := validPartition
+	invalidPartition.Type = "linux-root-aarch64"
+
+	err := invalidPartition.IsValid()
+	assert.Error(t, err)
+	assert.Equal(t, "unrecognized partition type (linux-root-aarch64), consider setting TypeUUID parameter explicitly or add a new entry to partition type table", err.Error())
+}
--- a/toolkit/tools/imagegen/configuration/partitiontype.go
+++ b/toolkit/tools/imagegen/configuration/partitiontype.go
@ -0,0 +1,22 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+package configuration
+
+// Common partition types: https://wiki.archlinux.org/title/GPT_fdisk#Partition_type
+// More type UUIDs can be found here: https://uapi-group.org/specifications/specs/discoverable_partitions_specification/
+var PartitionTypeNameToUUID = map[string]string{
+	"linux":            "0fc63daf-8483-4772-8e79-3d69d8477de4",
+	"esp":              "c12a7328-f81f-11d2-ba4b-00a0c93ec93b",
+	"xbootldr":         "bc13c2ff-59e6-4262-a352-b275fd6f7172",
+	"linux-root-amd64": "4f68bce3-e8cd-4db1-96e7-fbcaf984b709",
+	"linux-swap":       "0657fd6d-a4ab-43c4-84e5-0933c84b4f4f",
+	"linux-home":       "933ac7e1-2eb4-4f13-b844-0e14e2aef915",
+	"linux-srv":        "3b8f8425-20e0-4f3b-907f-1a25a76f98e8",
+	"linux-var":        "4d21b016-b534-45c2-a9fb-5c16e091fd2d",
+	"linux-tmp":        "7ec6f557-3bc5-4aca-b293-16ef5df639d1",
+	"linux-lvm":        "e6d6d379-f507-44c2-a23c-238f2a3df928",
+	"linux-raid":       "a19d880f-05fc-4d3b-a006-743f0f84911e",
+	"linux-luks":       "ca7d7ccb-63ed-4c53-861c-1742536059cc",
+	"linux-dm-crypt":   "7ffec5c9-2d00-49b7-8941-3ea10a5586b7",
+}
--- a/toolkit/tools/imagegen/diskutils/diskutils.go
+++ b/toolkit/tools/imagegen/diskutils/diskutils.go
@ -620,14 +620,10 @@ func InitializeSinglePartition(diskDevPath string, partitionNumber int, partitio

 	logger.Log.Debugf("Initializing partition device path: %v", partDevPath)

-	// Set partition friendly name (only for gpt)
+	// Set partition friendly name and partition type UUID (only for gpt)
 	if partitionTableType == "gpt" {
-		partitionName := partition.Name
-		_, stderr, err := shell.Execute("flock", "--timeout", timeoutInSeconds, diskDevPath, "parted", diskDevPath, "--script", "name", partitionNumberStr, partitionName)
-		if err != nil {
-			logger.Log.Warnf("Failed to set partition friendly name using parted: %v", stderr)
-			// Not-fatal
-		}
+		setGptPartitionName(partition, timeoutInSeconds, diskDevPath, partitionNumberStr)
+		setGptPartitionType(partition, timeoutInSeconds, diskDevPath, partitionNumberStr)
 	}

 	// Set partition flags if necessary
@ -669,6 +665,35 @@ func InitializeSinglePartition(diskDevPath string, partitionNumber int, partitio
 	return
 }

+func setGptPartitionName(partition configuration.Partition, timeoutInSeconds, diskDevPath, partitionNumberStr string) (err error) {
+	partitionName := partition.Name
+	_, stderr, err := shell.Execute("flock", "--timeout", timeoutInSeconds, diskDevPath, "parted", diskDevPath, "--script", "name", partitionNumberStr, partitionName)
+	if err != nil {
+		logger.Log.Warnf("failed to set partition friendly name using parted: %v", stderr)
+		err = nil
+		// Not-fatal
+	}
+	return
+}
+
+func setGptPartitionType(partition configuration.Partition, timeoutInSeconds, diskDevPath, partitionNumberStr string) (err error) {
+	if partition.TypeUUID != "" || partition.Type != "" {
+		var typeUUID string
+		if partition.TypeUUID != "" {
+			typeUUID = partition.TypeUUID
+		} else {
+			typeUUID = configuration.PartitionTypeNameToUUID[partition.Type]
+		}
+		_, stderr, err := shell.Execute("flock", "--timeout", timeoutInSeconds, diskDevPath, "parted", diskDevPath, "--script", "type", partitionNumberStr, typeUUID)
+		if err != nil {
+			logger.Log.Warnf("failed to set partition type using parted: %v", stderr)
+			err = nil
+			// Not-fatal
+		}
+	}
+	return
+}
+
 // FormatSinglePartition formats the given partition to the type specified in the partition configuration
 func FormatSinglePartition(partDevPath string, partition configuration.Partition,
 ) (fsType string, err error) {