[UEFI] Adding feature flag to be used for partner testing

rane-rajasi · rane-rajasi · commit dcdf117aac75 · 2026-05-28T04:21:05.000-07:00
diff --git a/src/core/src/bootstrap/Constants.py b/src/core/src/bootstrap/Constants.py
@@ -58,6 +58,7 @@ class SystemPaths(EnumBackport):
 
     class AzGPSPaths(EnumBackport):
         EULA_SETTINGS = "/var/lib/azure/linuxpatchextension/patch.eula.settings"
+        UEFI_SETTINGS = "/var/lib/azure/linuxpatchextension/patch.uefi.settings"
 
     class EnvSettings(EnumBackport):
         LOG_FOLDER = "logFolder"
@@ -87,6 +88,11 @@ class EulaSettings(EnumBackport):
         ACCEPTED_BY = 'AcceptedBy'
         LAST_MODIFIED = 'LastModified'
 
+    class UEFISettings(EnumBackport):
+        ENABLE_UEFI_CERT_UPDATE = 'EnableUEFICertUpdate'
+        ENABLED_By = 'EnabledBy'
+        LAST_MODIFIED = 'LastModified'
+
     TEMP_FOLDER_DIR_NAME = "tmp"
     TEMP_FOLDER_CLEANUP_ARTIFACT_LIST = ["*.list", "azgps*"]
 
diff --git a/src/core/src/core_logic/ExecutionConfig.py b/src/core/src/core_logic/ExecutionConfig.py
@@ -92,6 +92,9 @@ def __init__(self, env_layer, composite_logger, execution_parameters):
         # EULA config
         self.accept_package_eula = self.__is_eula_accepted_for_all_patches()
 
+        # UEFI config
+        self.enable_uefi_cert_update = self.__is_uefi_cert_update_enabled()
+
     def __transform_execution_config_for_auto_assessment(self):
         self.activity_id = str(uuid.uuid4())
         self.included_classifications_list = self.included_package_name_mask_list = self.excluded_package_name_mask_list = []
@@ -267,3 +270,42 @@ def __fetch_specific_eula_setting(settings_source, setting_to_fetch):
             return settings_source[setting_to_fetch]
         return None
 
+    def __is_uefi_cert_update_enabled(self):
+        # type: () -> bool
+        """ Reads customer provided config on UEFI cert update from disk and returns a boolean.
+        NOTE: This is a temporary solution implemented expressly for validating cert updates with partners and will be deprecated soon """
+        is_uefi_cert_update_enabled = False
+        try:
+            if os.path.exists(Constants.AzGPSPaths.UEFI_SETTINGS):
+                uefi_cert_update_settings = json.loads(self.env_layer.file_system.read_with_retry(Constants.AzGPSPaths.UEFI_CERT_UPDATE_SETTINGS) or 'null')
+                enable_uefi_cert_update = self.__fetch_specific_uefi_cert_update_setting(uefi_cert_update_settings, Constants.UEFISettings.ENABLE_UEFI_CERT_UPDATE)
+                enabled_by = self.__fetch_specific_uefi_cert_update_setting(uefi_cert_update_settings, Constants.UEFISettings.ENABLED_BY)
+                last_modified = self.__fetch_specific_uefi_cert_update_setting(uefi_cert_update_settings, Constants.UEFISettings.LAST_MODIFIED)
+                if enable_uefi_cert_update is not None and self.__is_truthy(enable_uefi_cert_update):
+                    is_uefi_cert_update_enabled = True
+                self.composite_logger.log_debug("UEFI cert update config values from disk: [EnableUefiCertUpdate={0}] [EnabledBy={1}] [LastModified={2}]. Computed value of [IsUefiCertUpdateEnabled={3}]"
+                                                .format(str(enable_uefi_cert_update), str(enabled_by), str(last_modified), str(is_uefi_cert_update_enabled)))
+            else:
+                self.composite_logger.log_debug("No UEFI cert update settings found on the VM. Computed value of [IsUefiCertUpdateEnabled={0}]".format(str(is_uefi_cert_update_enabled)))
+        except Exception as error:
+            self.composite_logger.log_debug("Error occurred while reading and parsing UEFI cert update settings. Not enabling UEFI cert update. Error=[{0}]".format(repr(error)))
+
+        return is_uefi_cert_update_enabled
+
+    @staticmethod
+    def __is_truthy(value):
+        # type: (any) -> bool
+        """Case-insensitive truthy evaluator for config values."""
+        if isinstance(value, bool):
+            return value
+        if isinstance(value, int):
+            return value == 1
+
+        # Cross-version text types:
+        # py2 -> (str, unicode)
+        # py3 -> (str, str)
+        text_types = (str, type(u""))
+        if isinstance(value, text_types):
+            return value.strip().lower() in ("true", "1")
+        return False
+
diff --git a/src/core/src/core_logic/PatchInstaller.py b/src/core/src/core_logic/PatchInstaller.py
@@ -77,8 +77,9 @@ def start_installation(self, simulate=False):
                 self.composite_logger.log_debug("Attempting to reboot the machine prior to patch installation as there is a reboot pending...")
                 reboot_manager.start_reboot_if_required_and_time_available(maintenance_window.get_remaining_time_in_minutes(None, False))
 
-        # Update certs if available
-        self.try_update_certificates_for_default_patching()
+        # Update certificates if feature flag to update certs is set
+        if self.execution_config.enable_uefi_cert_update:
+            self.try_update_certificates_for_default_patching()
 
         if self.execution_config.max_patch_publish_date != str():
             self.package_manager.set_max_patch_publish_date(self.execution_config.max_patch_publish_date)
diff --git a/src/tools/references/patch.uefi.settings b/src/tools/references/patch.uefi.settings
@@ -0,0 +1 @@
+{"EnableUEFICertUpdate": "true", "EnabledBy": "LSG", "LastModified": "2026-05-23"}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+{"EnableUEFICertUpdate": "true", "EnabledBy": "LSG", "LastModified": "2026-05-23"}`