fix(acl): bump marketplace to 3.20260517.01 and adapt to UKI rename

.pipelines/.vsts-vhd-builder-release.yaml

@@ -873,7 +873,7 @@ stages:
               echo '##vso[task.setvariable variable=IMG_PUBLISHER]MicrosoftCBLMariner'
               echo '##vso[task.setvariable variable=IMG_OFFER]azure-linux-3'
               echo '##vso[task.setvariable variable=IMG_SKU]azure-linux-3-acl'
-              echo '##vso[task.setvariable variable=IMG_VERSION]3.20260510.01'
+              echo '##vso[task.setvariable variable=IMG_VERSION]3.20260517.01'
               echo '##vso[task.setvariable variable=HYPERV_GENERATION]V2'
               echo '##vso[task.setvariable variable=AZURE_VM_SIZE]Standard_D16ds_v5'
               echo '##vso[task.setvariable variable=FEATURE_FLAGS]None'
@@ -898,7 +898,7 @@ stages:
               echo '##vso[task.setvariable variable=IMG_PUBLISHER]MicrosoftCBLMariner'
               echo '##vso[task.setvariable variable=IMG_OFFER]azure-linux-3'
               echo '##vso[task.setvariable variable=IMG_SKU]azure-linux-3-arm64-gen2-acl'
-              echo '##vso[task.setvariable variable=IMG_VERSION]3.20260510.02'
+              echo '##vso[task.setvariable variable=IMG_VERSION]3.20260517.01'
               echo '##vso[task.setvariable variable=HYPERV_GENERATION]V2'
               echo '##vso[task.setvariable variable=AZURE_VM_SIZE]Standard_D16pds_v6'
               echo '##vso[task.setvariable variable=FEATURE_FLAGS]None'
@@ -923,7 +923,7 @@ stages:
               echo '##vso[task.setvariable variable=IMG_PUBLISHER]MicrosoftCBLMariner'
               echo '##vso[task.setvariable variable=IMG_OFFER]azure-linux-3'
               echo '##vso[task.setvariable variable=IMG_SKU]azure-linux-3-acl'
-              echo '##vso[task.setvariable variable=IMG_VERSION]3.20260510.01'
+              echo '##vso[task.setvariable variable=IMG_VERSION]3.20260517.01'
               echo '##vso[task.setvariable variable=HYPERV_GENERATION]V2'
               echo '##vso[task.setvariable variable=AZURE_VM_SIZE]Standard_D16ds_v5'
               echo '##vso[task.setvariable variable=FEATURE_FLAGS]None'
@@ -948,7 +948,7 @@ stages:
               echo '##vso[task.setvariable variable=IMG_PUBLISHER]MicrosoftCBLMariner'
               echo '##vso[task.setvariable variable=IMG_OFFER]azure-linux-3'
               echo '##vso[task.setvariable variable=IMG_SKU]azure-linux-3-arm64-gen2-acl'
-              echo '##vso[task.setvariable variable=IMG_VERSION]3.20260510.02'
+              echo '##vso[task.setvariable variable=IMG_VERSION]3.20260517.01'
               echo '##vso[task.setvariable variable=HYPERV_GENERATION]V2'
               echo '##vso[task.setvariable variable=AZURE_VM_SIZE]Standard_D16pds_v6'
               echo '##vso[task.setvariable variable=FEATURE_FLAGS]None'

.pipelines/.vsts-vhd-builder.yaml

@@ -212,7 +212,7 @@ stages:
             echo '##vso[task.setvariable variable=IMG_PUBLISHER]MicrosoftCBLMariner'
             echo '##vso[task.setvariable variable=IMG_OFFER]azure-linux-3'
             echo '##vso[task.setvariable variable=IMG_SKU]azure-linux-3-acl'
-            echo '##vso[task.setvariable variable=IMG_VERSION]3.20260510.01'
+            echo '##vso[task.setvariable variable=IMG_VERSION]3.20260517.01'
             echo '##vso[task.setvariable variable=HYPERV_GENERATION]V2'
             echo '##vso[task.setvariable variable=AZURE_VM_SIZE]Standard_D16ds_v5'
             echo '##vso[task.setvariable variable=FEATURE_FLAGS]None'
@@ -234,7 +234,7 @@ stages:
             echo '##vso[task.setvariable variable=IMG_PUBLISHER]MicrosoftCBLMariner'
             echo '##vso[task.setvariable variable=IMG_OFFER]azure-linux-3'
             echo '##vso[task.setvariable variable=IMG_SKU]azure-linux-3-arm64-gen2-acl'
-            echo '##vso[task.setvariable variable=IMG_VERSION]3.20260510.02'
+            echo '##vso[task.setvariable variable=IMG_VERSION]3.20260517.01'
             echo '##vso[task.setvariable variable=HYPERV_GENERATION]V2'
             echo '##vso[task.setvariable variable=AZURE_VM_SIZE]Standard_D16pds_v6'
             echo '##vso[task.setvariable variable=FEATURE_FLAGS]None'
@@ -256,7 +256,7 @@ stages:
             echo '##vso[task.setvariable variable=IMG_PUBLISHER]MicrosoftCBLMariner'
             echo '##vso[task.setvariable variable=IMG_OFFER]azure-linux-3'
             echo '##vso[task.setvariable variable=IMG_SKU]azure-linux-3-acl'
-            echo '##vso[task.setvariable variable=IMG_VERSION]3.20260510.01'
+            echo '##vso[task.setvariable variable=IMG_VERSION]3.20260517.01'
             echo '##vso[task.setvariable variable=HYPERV_GENERATION]V2'
             echo '##vso[task.setvariable variable=AZURE_VM_SIZE]Standard_D16ds_v5'
             echo '##vso[task.setvariable variable=FEATURE_FLAGS]None'
@@ -278,7 +278,7 @@ stages:
             echo '##vso[task.setvariable variable=IMG_PUBLISHER]MicrosoftCBLMariner'
             echo '##vso[task.setvariable variable=IMG_OFFER]azure-linux-3'
             echo '##vso[task.setvariable variable=IMG_SKU]azure-linux-3-arm64-gen2-acl'
-            echo '##vso[task.setvariable variable=IMG_VERSION]3.20260510.02'
+            echo '##vso[task.setvariable variable=IMG_VERSION]3.20260517.01'
             echo '##vso[task.setvariable variable=HYPERV_GENERATION]V2'
             echo '##vso[task.setvariable variable=AZURE_VM_SIZE]Standard_D16pds_v6'
             echo '##vso[task.setvariable variable=FEATURE_FLAGS]None'

vhdbuilder/packer/cleanup-vhd.sh

@@ -13,9 +13,22 @@ rm -f /etc/machine-id
 touch /etc/machine-id
 chmod 644 /etc/machine-id
 # Restore the UKI firstboot addon consumed by ignition-quench during this build
-# Without this, VMs created from this VHD won't get flatcar.first_boot=detected on the kernel cmdline
-if [ -f /boot/acl/uki-addons/firstboot.addon.efi ] && [ ! -f /boot/EFI/Linux/acl.efi.extra.d/firstboot.addon.efi ]; then
-  install -D -m 0644 /boot/acl/uki-addons/firstboot.addon.efi /boot/EFI/Linux/acl.efi.extra.d/firstboot.addon.efi
+# Without this, VMs created from this VHD won't get flatcar.first_boot=detected on the kernel cmdline.
+# The active UKI follows UAPI naming (vmlinuz-<version>.efi) on newer ACL images and was
+# previously named acl.efi -- discover it dynamically rather than hardcoding either name.
+if [ -f /boot/acl/uki-addons/firstboot.addon.efi ]; then
+  uki_path="$(find /boot/EFI/Linux -maxdepth 1 -type f \
+        \( -name 'vmlinuz-*.efi' -o -name 'acl.efi' \) 2>/dev/null \
+        | sort | head -n1)"
+  if [ -z "${uki_path}" ]; then
+    echo "cleanup-vhd: No UKI found under /boot/EFI/Linux (expected acl.efi or vmlinuz-*.efi); firstboot addon not restored" >&2
+    exit 1
+  fi
+  uki_name="$(basename "${uki_path}")"
+  addon_dir="/boot/EFI/Linux/${uki_name}.extra.d"
+  if [ ! -f "${addon_dir}/firstboot.addon.efi" ]; then
+    install -D -m 0644 /boot/acl/uki-addons/firstboot.addon.efi "${addon_dir}/firstboot.addon.efi"
+  fi
 fi
 # Cleanup disk usage diagnostics file (created by generate-disk-usage.sh)
 rm -f /opt/azure/disk-usage.txt

vhdbuilder/packer/test/linux-vhd-content-test.sh

@@ -642,10 +642,22 @@ testFips() {
     else
       err $test "/etc/system-fips marker file does not exist."
     fi
-    if [ -f /boot/EFI/Linux/acl.efi.extra.d/fips.addon.efi ]; then
-      echo "ACL FIPS UKI addon file exists in active ESP location."
+    # ACL images historically named the UKI "acl.efi"; newer (UAPI-compliant)
+    # images use "vmlinuz-<version>.efi". systemd-boot loads cmdline addons
+    # from "<UKI filename>.extra.d/", so the addon directory tracks the
+    # UKI's actual name. Probe for either layout.
+    uki_path=$(find /boot/EFI/Linux -maxdepth 1 -type f \
+      \( -name 'vmlinuz-*.efi' -o -name 'acl.efi' \) 2>/dev/null | sort | head -n1)
+    if [ -z "${uki_path}" ]; then
+      err $test "No UKI found under /boot/EFI/Linux (expected acl.efi or vmlinuz-*.efi)."
     else
-      err $test "ACL FIPS UKI addon file does not exist in active ESP location."
+      uki_name=$(basename "${uki_path}")
+      fips_addon_path="/boot/EFI/Linux/${uki_name}.extra.d/fips.addon.efi"
+      if [ -f "${fips_addon_path}" ]; then
+        echo "ACL FIPS UKI addon file exists at ${fips_addon_path}."
+      else
+        err $test "ACL FIPS UKI addon file does not exist at ${fips_addon_path}."
+      fi
     fi
   fi
 

vhdbuilder/scripts/linux/acl/tool_installs_acl.sh

@@ -33,13 +33,33 @@ installFIPS() {
     echo "Installing FIPS..."
 
     local fips_addon_src="/boot/acl/uki-addons/fips.addon.efi"
-    local fips_addon_dst="/boot/EFI/Linux/acl.efi.extra.d/fips.addon.efi"
 
     if [ ! -f "${fips_addon_src}" ]; then
         echo "FIPS addon not found at ${fips_addon_src}" >&2
         exit 1
     fi
 
+    # Discover the active UKI on the ESP. systemd-boot loads addons from
+    # the directory named "<UKI filename>.extra.d/", so the destination
+    # must track the UKI's actual name. ACL images historically named the
+    # UKI "acl.efi"; newer (UAPI-compliant) images use "vmlinuz-<ver>.efi".
+    # Hardcoding "acl.efi.extra.d/" silently orphans the addon on the new
+    # naming scheme and leaves the kernel booting without fips=1.
+    local uki_path
+    uki_path="$(find /boot/EFI/Linux -maxdepth 1 -type f \
+        \( -name 'vmlinuz-*.efi' -o -name 'acl.efi' \) 2>/dev/null \
+        | sort | head -n1)"
+
+    if [ -z "${uki_path}" ]; then
+        echo "No UKI found under /boot/EFI/Linux (expected acl.efi or vmlinuz-*.efi)" >&2
+        exit 1
+    fi
+
+    local uki_name
+    uki_name="$(basename "${uki_path}")"
+    local fips_addon_dst="/boot/EFI/Linux/${uki_name}.extra.d/fips.addon.efi"
+
+    echo "Installing FIPS addon: ${fips_addon_src} -> ${fips_addon_dst}"
     install -D -m 0644 "${fips_addon_src}" "${fips_addon_dst}"
 
     touch /etc/system-fips