From e413878f794ebc83af089a8222ce67f33ce11fa1 Mon Sep 17 00:00:00 2001
From: Mahati Chamarthy
Date: Mon, 5 Jan 2026 17:14:32 +0000
Subject: [PATCH] Move common confidential options for LCOW and WCOW

Signed-off-by: Mahati Chamarthy
---
 internal/oci/uvm.go            |  4 ++--
 internal/tools/uvmboot/lcow.go |  2 +-
 internal/uvm/create.go         | 12 ++++++++++--
 internal/uvm/create_lcow.go    | 26 ++++++++++++--------------
 internal/uvm/create_wcow.go    | 11 ++++-------
 5 files changed, 29 insertions(+), 26 deletions(-)

diff --git a/internal/oci/uvm.go b/internal/oci/uvm.go
index 1c5f32c55f..36a567d54c 100644
--- a/internal/oci/uvm.go
+++ b/internal/oci/uvm.go
@@ -206,7 +206,7 @@ func handleLCOWSecurityPolicy(ctx context.Context, a map[string]string, lopts *u
 	// VPMem not supported by the enlightened kernel for SNP so set count to zero.
 	lopts.VPMemDeviceCount = 0
 	// set the default GuestState filename.
-	lopts.GuestStateFile = uvm.GuestStateFile
+	lopts.GuestStateFilePath = uvm.GuestStateFile
 	lopts.KernelBootOptions = ""
 	lopts.AllowOvercommit = false
 	lopts.SecurityPolicyEnabled = true
@@ -388,7 +388,7 @@ func SpecToUVMCreateOpts(ctx context.Context, s *specs.Spec, id, owner string) (
 		handleLCOWSecurityPolicy(ctx, s.Annotations, lopts)
 
 		// override the default GuestState and DmVerityRootFs filenames if specified
-		lopts.GuestStateFile = ParseAnnotationsString(s.Annotations, annotations.LCOWGuestStateFile, lopts.GuestStateFile)
+		lopts.GuestStateFilePath = ParseAnnotationsString(s.Annotations, annotations.LCOWGuestStateFile, lopts.GuestStateFilePath)
 		lopts.DmVerityRootFsVhd = ParseAnnotationsString(s.Annotations, annotations.DmVerityRootFsVhd, lopts.DmVerityRootFsVhd)
 		lopts.DmVerityMode = ParseAnnotationsBool(ctx, s.Annotations, annotations.DmVerityMode, lopts.DmVerityMode)
 		lopts.DmVerityCreateArgs = ParseAnnotationsString(s.Annotations, annotations.DmVerityCreateArgs, lopts.DmVerityCreateArgs)
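Review bot: The renamed assignment `lopts.GuestStateFilePath = ParseAnnotationsString(s.Annotations, annotations.LCOWGuestStateFile, lopts.GuestStateFilePath)` takes its value from a pod annotation, and elsewhere in this patch that value is joined onto `BootFilesPath` (makeLCOWVMGSDoc) and onto `BundleDirectory` ahead of an `os.Remove` (CloseCtx), so the surrounding code treats it as a bare file name while the new field name reads as an arbitrary path. No check in this hunk rejects separator or parent-directory components; unless ParseAnnotationsString already does so, validating the parsed value right here with `if filepath.Base(lopts.GuestStateFilePath) != lopts.GuestStateFilePath {` and returning an error that names the annotation keeps the VMGS lookup and removal inside the intended directories (add the `path/filepath` import if this file lacks it). The first hunk assigns the file-name constant `uvm.GuestStateFile` beneath a comment that still says "filename", a further sign that the field name overstates what it holds. Both enclosing functions extend beyond their hunks.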
diff --git a/internal/tools/uvmboot/lcow.go b/internal/tools/uvmboot/lcow.go
index b666d869b6..47265dc3dc 100644
--- a/internal/tools/uvmboot/lcow.go
+++ b/internal/tools/uvmboot/lcow.go
@@ -274,7 +274,7 @@ func createLCOWOptions(ctx context.Context, c *cli.Context, id string) (*uvm.Opt
 		options.SecurityPolicyEnforcer = c.String(securityPolicyEnforcerArgName)
 	}
 	if c.IsSet(securityHardwareFlag) {
-		options.GuestStateFile = uvm.GuestStateFile
+		options.GuestStateFilePath = uvm.GuestStateFile
 		options.SecurityPolicyEnabled = true
 		options.AllowOvercommit = false
 	}
diff --git a/internal/uvm/create.go b/internal/uvm/create.go
index 59352f7794..c3d5cb0675 100644
--- a/internal/uvm/create.go
+++ b/internal/uvm/create.go
@@ -131,6 +131,14 @@ type Options struct {
 	ConsolePipe string // The named pipe path to use for the serial console (COM1). eg \\.\pipe\vmpipe
 }
 
+type ConfidentialCommonOptions struct {
+	GuestStateFilePath     string // The vmgs file path to load
+	SecurityPolicy         string // Optional security policy
+	SecurityPolicyEnabled  bool   // Set when there is a security policy to apply on actual SNP hardware, use this rathen than checking the string length
+	SecurityPolicyEnforcer string // Set which security policy enforcer to use (open door or rego). This allows for better fallback mechanic.
+	UVMReferenceInfoFile   string // Path to the file that contains the signed UVM measurements
+}
+
 func verifyWCOWBootFiles(bootFiles *WCOWBootFiles) error {
 	if bootFiles == nil {
 		return fmt.Errorf("boot files is nil")
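Review bot: The new exported type `ConfidentialCommonOptions` has no doc comment, and its field comments do not fit both back ends that now share it: `GuestStateFilePath` is documented as "The vmgs file path to load", yet the create_lcow.go hunks join it onto `BootFilesPath` and `BundleDirectory` and oci/uvm.go assigns it the file-name constant `uvm.GuestStateFile`, while `UVMReferenceInfoFile` drops the LCOW wording "Filename under `BootFilesPath`" even though NewDefaultOptionsLCOW still sets it to the bare `UVMReferenceInfoFile` constant. A type comment such as `// ConfidentialCommonOptions holds the confidential-UVM settings shared by ConfidentialLCOWOptions and ConfidentialWCOWOptions.` plus, on each of those two fields, a note that LCOW treats the value as a file name relative to BootFilesPath would keep callers from supplying the wrong shape; whether WCOW expects a full path is not visible here. The merged `SecurityPolicyEnforcer` comment also loses the `standard` enforcer that the removed LCOW comment listed, which is worth confirming, and the typo "rathen" is carried over.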
@@ -323,8 +331,8 @@ func (uvm *UtilityVM) CloseCtx(ctx context.Context) (err error) {
 		_ = uvm.WaitCtx(ctx)
 	}
 
-	if lopts, ok := uvm.createOpts.(*OptionsLCOW); ok && uvm.HasConfidentialPolicy() && lopts.GuestStateFile != "" {
-		vmgsFullPath := filepath.Join(lopts.BundleDirectory, lopts.GuestStateFile)
+	if lopts, ok := uvm.createOpts.(*OptionsLCOW); ok && uvm.HasConfidentialPolicy() && lopts.GuestStateFilePath != "" {
+		vmgsFullPath := filepath.Join(lopts.BundleDirectory, lopts.GuestStateFilePath)
 		e := log.G(ctx).WithField("VMGS file", vmgsFullPath)
 		e.Debug("removing VMGS file")
 		if err := os.Remove(vmgsFullPath); err != nil {
diff --git a/internal/uvm/create_lcow.go b/internal/uvm/create_lcow.go
index 7e17e755e9..4cc23a45ca 100644
--- a/internal/uvm/create_lcow.go
+++ b/internal/uvm/create_lcow.go
@@ -90,16 +90,12 @@ const (
 )
 
 type ConfidentialLCOWOptions struct {
-	GuestStateFile         string // The vmgs file to load
-	UseGuestStateFile      bool   // Use a vmgs file that contains a kernel and initrd, required for SNP
-	SecurityPolicy         string // Optional security policy
-	SecurityPolicyEnabled  bool   // Set when there is a security policy to apply on actual SNP hardware, use this rathen than checking the string length
-	SecurityPolicyEnforcer string // Set which security policy enforcer to use (open door, standard or rego). This allows for better fallback mechanic.
-	UVMReferenceInfoFile   string // Filename under `BootFilesPath` for (potentially signed) UVM image reference information.
-	BundleDirectory        string // pod bundle directory
-	DmVerityRootFsVhd      string // The VHD file (bound to the vmgs file via embedded dmverity hash data file) to load.
-	DmVerityMode           bool   // override to be able to turn off dmverity for debugging
-	DmVerityCreateArgs     string // set dm-verity args when booting with verity in non-SNP mode
+	*ConfidentialCommonOptions
+	UseGuestStateFile  bool   // Use a vmgs file that contains a kernel and initrd, required for SNP
+	BundleDirectory    string // pod bundle directory
+	DmVerityRootFsVhd  string // The VHD file (bound to the vmgs file via embedded dmverity hash data file) to load.
+	DmVerityMode       bool   // override to be able to turn off dmverity for debugging
+	DmVerityCreateArgs string // set dm-verity args when booting with verity in non-SNP mode
 }
 
 // OptionsLCOW are the set of options passed to CreateLCOW() to create a utility vm.
@@ -177,8 +173,10 @@ func NewDefaultOptionsLCOW(id, owner string) *OptionsLCOW {
 		EnableScratchEncryption: false,
 		DisableTimeSyncService:  false,
 		ConfidentialLCOWOptions: &ConfidentialLCOWOptions{
-			SecurityPolicyEnabled: false,
-			UVMReferenceInfoFile:  UVMReferenceInfoFile,
+			ConfidentialCommonOptions: &ConfidentialCommonOptions{
+				SecurityPolicyEnabled: false,
+				UVMReferenceInfoFile:  UVMReferenceInfoFile,
+			},
 		},
 	}
 
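Review bot: Embedding `*ConfidentialCommonOptions` by pointer (here and in `ConfidentialWCOWOptions` in create_wcow.go) means every promoted-field access in this patch, such as `lopts.GuestStateFilePath != ""` in CloseCtx or `lopts.SecurityPolicyEnabled = true` in handleLCOWSecurityPolicy, dereferences a pointer that only NewDefaultOptionsLCOW/NewDefaultOptionsWCOW are seen to set, so an options value built any other way panics instead of reading zero values. Embedding by value, `ConfidentialCommonOptions` without the `*`, keeps the promoted field names identical, makes the zero value usable, and lets the defaults be written as `ConfidentialCommonOptions: ConfidentialCommonOptions{...}`. If the pointer is deliberate (for example to share one instance between LCOW and WCOW options), a comment on the embed saying so would help the next reader. Note also that Go composite literals cannot set promoted fields, so any `&ConfidentialLCOWOptions{SecurityPolicyEnabled: ...}` literal outside this patch must now be rewritten in the nested form.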
@@ -350,7 +348,7 @@ func makeLCOWVMGSDoc(ctx context.Context, opts *OptionsLCOW, uvm *UtilityVM) (_
 	}
 
 	// The kernel and minimal initrd are combined into a single vmgs file.
-	vmgsTemplatePath := filepath.Join(opts.BootFilesPath, opts.GuestStateFile)
+	vmgsTemplatePath := filepath.Join(opts.BootFilesPath, opts.GuestStateFilePath)
 	if _, err := os.Stat(vmgsTemplatePath); os.IsNotExist(err) {
 		return nil, fmt.Errorf("the GuestState vmgs file '%s' was not found", vmgsTemplatePath)
 	}
@@ -367,7 +365,7 @@ func makeLCOWVMGSDoc(ctx context.Context, opts *OptionsLCOW, uvm *UtilityVM) (_
 		return nil, err
 	}
 
-	vmgsFileFullPath := filepath.Join(opts.BundleDirectory, opts.GuestStateFile)
+	vmgsFileFullPath := filepath.Join(opts.BundleDirectory, opts.GuestStateFilePath)
 	if err := copyfile.CopyFile(ctx, vmgsTemplatePath, vmgsFileFullPath, true); err != nil {
 		return nil, fmt.Errorf("failed to copy VMGS template file: %w", err)
 	}
diff --git a/internal/uvm/create_wcow.go b/internal/uvm/create_wcow.go
index 7658657a69..ffa6b6d0a3 100644
--- a/internal/uvm/create_wcow.go
+++ b/internal/uvm/create_wcow.go
@@ -45,12 +45,7 @@ var (
 )
 
 type ConfidentialWCOWOptions struct {
-	GuestStateFilePath     string // The vmgs file path
-	SecurityPolicyEnabled  bool   // Set when there is a security policy to apply on actual SNP hardware, use this rathen than checking the string length
-	SecurityPolicy         string // Optional security policy
-	SecurityPolicyEnforcer string // Set which security policy enforcer to use (open door or rego). This allows for better fallback mechanic.
-	UVMReferenceInfoFile   string // Path to the file that contains the signed UVM measurements
-
+	*ConfidentialCommonOptions
 	/* Below options are only included for testing/debugging purposes - shouldn't be used in regular scenarios */
 	IsolationType     string
 	DisableSecureBoot bool
@@ -111,7 +106,9 @@ func NewDefaultOptionsWCOW(id, owner string) *OptionsWCOW {
 		Options:                newDefaultOptions(id, owner),
 		AdditionalRegistryKeys: []hcsschema.RegistryValue{},
 		ConfidentialWCOWOptions: &ConfidentialWCOWOptions{
-			SecurityPolicyEnabled: false,
+			ConfidentialCommonOptions: &ConfidentialCommonOptions{
+				SecurityPolicyEnabled: false,
+			},
 		},
 		OutputHandlerCreator: parseLogrus,
 		ForwardLogs:          true, // Default to true for WCOW, and set to false for CWCOW in internal/oci/uvm.go SpecToUVMCreateOpts