Azure · ZhidongPeng · May 11, 2026 · May 4, 2026 · May 7, 2026 · May 9, 2026
diff --git a/.github/actions/spelling/expect.txt b/.github/actions/spelling/expect.txt
@@ -106,12 +106,15 @@ FFFFFFFF
 fffi
 ffi
 FIXEDFILEINFO
+Fmanagement
 FOF
+Fresource
 FSETID
 FSO
 fsprogs
 fstorage
 fstype
+ftoken
 fwlink
 Fzpeng
 gaplugin
@@ -312,6 +315,7 @@ tokio
 topdir
 totalentries
 transitioning
+trustyuser
 UBR
 UBRSTRING
 udev
@@ -323,6 +327,7 @@ Unregistering
 unregisters
 unspec
 uzers
+valu
 VCpus
 vcruntime
 vendored
@@ -365,6 +370,7 @@ WMI
 workarounds
 WORKINGSET
 WORKDIR
+wrongvalue
 WScript
 wsf
 Wsh
@@ -380,4 +386,5 @@ xsi
 xxxx
 xxxxxxxx
 xxxxxxxxxxx
-zipsas
+zipsas
+zypper
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -78,7 +78,7 @@ jobs:
                 rpm \
                 musl-tools \
 
-        sudo snap install dotnet-sdk --classic
+        sudo apt-get install -y dotnet-sdk-8.0
         sudo chown -R root:root /var/lib
 
     # Initializes the CodeQL tools for scanning.

diff --git a/.github/workflows/reusable-build.yml b/.github/workflows/reusable-build.yml
@@ -297,7 +297,7 @@ jobs:
                   libssl-dev \
                   pkg-config \
 
-          sudo snap install dotnet-sdk --classic
+          sudo apt-get install -y dotnet-sdk-8.0
           sudo chown -R root:root /var/lib
 
       - name: Run build-linux.sh Debug amd64

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/e2etest/GuestProxyAgentTest/LinuxScripts/GuestProxyAgentExtensionValidation.sh b/e2etest/GuestProxyAgentTest/LinuxScripts/GuestProxyAgentExtensionValidation.sh
@@ -55,6 +55,28 @@ if [[ $os == *"Ubuntu"* ]]; then
             break
         fi
     done
+elif [[ $os == *"SUSE"* ]] || [[ $os == *"SLES"* ]]; then
+    for  i in {1..3}; do
+        echo "$(date -u +"%Y-%m-%dT%H:%M:%SZ") - start installing jq via zypper $i"
+        sudo zypper refresh
+        sudo zypper --non-interactive install jq
+        if ! command -v jq &>/dev/null; then
+            echo "$(date -u +"%Y-%m-%dT%H:%M:%SZ") - zypper install failed, downloading jq binary directly"
+            arch=$(uname -m)
+            if [[ "$arch" == "aarch64" ]]; then
+                jq_arch="arm64"
+            else
+                jq_arch="amd64"
+            fi
+            sudo curl -L -o /usr/local/bin/jq "https://github.com/jqlang/jq/releases/latest/download/jq-linux-${jq_arch}"
+            sudo chmod +x /usr/local/bin/jq
+        fi
+        sleep 10
+        if command -v jq &>/dev/null; then
+            echo "$(date -u +"%Y-%m-%dT%H:%M:%SZ") - jq installed successfully"
+            break
+        fi
+    done
 else
     for  i in {1..3}; do
         echo "$(date -u +"%Y-%m-%dT%H:%M:%SZ") - start installing jq via dnf $i"

diff --git a/e2etest/GuestProxyAgentTest/LinuxScripts/IMDSPingTest.sh b/e2etest/GuestProxyAgentTest/LinuxScripts/IMDSPingTest.sh
@@ -16,18 +16,24 @@ for i in {1..10}; do
     fi
     sleep 1
 
+    authorizationHeader=$(curl -s -I -H "Metadata:True" $url | grep -Fi "x-ms-azure-host-authorization")
     if [ "${imdsSecureChannelEnabled,,}" = "true" ]  # case insensitive comparison
     then
-        authorizationHeader=$(curl -s -I -H "Metadata:True" $url | grep -Fi "x-ms-azure-host-authorization")
         if [ "$authorizationHeader" = "" ]; then
             echo "$(date -u +"%Y-%m-%dT%H:%M:%SZ") - Response authorization header not exist"
             exit -1
         else
-            echo "$(date -u +"%Y-%m-%dT%H:%M:%SZ") - Response authorization header exists"
+            echo "$(date -u +"%Y-%m-%dT%H:%M:%SZ") - Response authorization header exists as expected"
         fi
         sleep 1
     else
-		echo "$(date -u +"%Y-%m-%dT%H:%M:%SZ") - IMDS secure channel is not enabled. Skipping x-ms-azure-host-authorization header validation"
+        if [ "$authorizationHeader" = "" ]; then
+            echo "$(date -u +"%Y-%m-%dT%H:%M:%SZ") - Response authorization header not exist as expected"
+        else
+            echo "$(date -u +"%Y-%m-%dT%H:%M:%SZ") - Response authorization header exists"
+            exit -1
+        fi
+        sleep 1
 	fi
 done
 

diff --git a/e2etest/GuestProxyAgentTest/Models/TestMap.cs b/e2etest/GuestProxyAgentTest/Models/TestMap.cs
@@ -19,6 +19,7 @@ public class TestGroupDetails
         public string VmImageOffer { get; set; } = null!;
         public string VmImageSku { get; set; } = null!;
         public string VmImageVersion { get; set; } = null!;
+        public string SharedGalleryImageUniqueId { get; set; } = null!;
         public List<TestScenarioConfig> Scenarios { get; set; } = null!;
     }
 

diff --git a/e2etest/GuestProxyAgentTest/Scripts/IMDSPingTest.ps1 b/e2etest/GuestProxyAgentTest/Scripts/IMDSPingTest.ps1
@@ -23,19 +23,24 @@ while ($i -lt 10) {
             exit -1
         }
 
+        $responseHeaders = $response.Headers
         if ("$imdsSecureChannelEnabled" -ieq "true") { # case insensitive comparison
-            $responseHeaders = $response.Headers
             if ($null -eq $responseHeaders["x-ms-azure-host-authorization"]) {
                 Write-Error "$((Get-Date).ToUniversalTime()) - Ping test failed. Response does not contain x-ms-azure-host-authorization header"
                 exit -1
             }
             else {
                 Write-Output "$((Get-Date).ToUniversalTime()) - Ping test passed. Response contains x-ms-azure-host-authorization header"
             }
-
         }
         else {
-            Write-Output "$((Get-Date).ToUniversalTime()) - IMDS secure channel is not enabled. Skipping x-ms-azure-host-authorization header validation"
+            if ($null -eq $responseHeaders["x-ms-azure-host-authorization"]) {
+                Write-Output "$((Get-Date).ToUniversalTime()) - Ping test passed. Response does not contain x-ms-azure-host-authorization header as expected"
+            }
+            else {
+                Write-Error "$((Get-Date).ToUniversalTime()) - Ping test failed. Response contains x-ms-azure-host-authorization header"
+                exit -1
+            }
         }
 
         $webRequest.Abort()

diff --git a/e2etest/GuestProxyAgentTest/Settings/TestScenarioSetting.cs b/e2etest/GuestProxyAgentTest/Settings/TestScenarioSetting.cs
@@ -13,6 +13,7 @@ public class TestScenarioSetting
         internal string vmImageOffer = "";
         internal string vmImageSku = "";
         internal string vmImageVersion = "";
+        internal string sharedGalleryImageUniqueId = "";
         internal string suffixName = new Random().Next(1000).ToString();
         internal string testScenarioClassName = "GuestProxyAgentTest.TestScenarios.BVTScenario";
         internal int testScenarioTimeoutMilliseconds = 1000 * 60 * 120;
@@ -26,7 +27,8 @@ internal VMImageDetails VMImageDetails
                     Publisher = vmImagePublisher,
                     Offer = vmImageOffer,
                     Sku = vmImageSku,
-                    Version = vmImageVersion
+                    Version = vmImageVersion,
+                    SharedGalleryImageUniqueId = sharedGalleryImageUniqueId
                 };
             }
         }
@@ -54,11 +56,13 @@ public class VMImageDetails
         public string Offer { get; set; } = null!;
         public string Sku { get; set; } = null!;
         public string Version { get; set; } = null!;
+        public string SharedGalleryImageUniqueId { get; set; } = null!;
 
         public bool IsArm64
         {
             get
             {
+                // TODO: SharedGalleryImageUniqueId also contains architecture info, need to parse it when it's available
                 return (Offer == null ? false : Offer.Contains("arm64", StringComparison.OrdinalIgnoreCase)) ||
                   (Sku == null ? false : Sku.Contains("arm64", StringComparison.OrdinalIgnoreCase));
             }

diff --git a/e2etest/GuestProxyAgentTest/TestCases/EnableProxyAgentCase.cs b/e2etest/GuestProxyAgentTest/TestCases/EnableProxyAgentCase.cs
@@ -52,14 +52,34 @@ public override async Task StartAsync(TestCaseExecutionContext context)
             if (EnableProxyAgent)
             {
                 // property 'inVMAccessControlProfileReferenceId' cannot be used together with property 'mode'
-                patch.SecurityProfile.ProxyAgentSettings.WireServer = new HostEndpointSettings
+                if (string.IsNullOrEmpty(TestSetting.Instance.InVmWireServerAccessControlProfileReferenceId))
                 {
-                    InVmAccessControlProfileReferenceId = TestSetting.Instance.InVmWireServerAccessControlProfileReferenceId,
-                };
-                patch.SecurityProfile.ProxyAgentSettings.Imds = new HostEndpointSettings
+                    patch.SecurityProfile.ProxyAgentSettings.WireServer = new HostEndpointSettings
+                    {
+                        Mode = HostEndpointSettingsMode.Enforce,
+                    };
+                }
+                else
+                {
+                    patch.SecurityProfile.ProxyAgentSettings.WireServer = new HostEndpointSettings
+                    {
+                        InVmAccessControlProfileReferenceId = TestSetting.Instance.InVmWireServerAccessControlProfileReferenceId,
+                    };
+                }
+                if (string.IsNullOrEmpty(TestSetting.Instance.InVmIMDSAccessControlProfileReferenceId))
                 {
-                    InVmAccessControlProfileReferenceId = TestSetting.Instance.InVmIMDSAccessControlProfileReferenceId,
-                };
+                    patch.SecurityProfile.ProxyAgentSettings.Imds = new HostEndpointSettings
+                    {
+                        Mode = HostEndpointSettingsMode.Enforce,
+                    };
+                }
+                else
+                {
+                    patch.SecurityProfile.ProxyAgentSettings.Imds = new HostEndpointSettings
+                    {
+                        InVmAccessControlProfileReferenceId = TestSetting.Instance.InVmIMDSAccessControlProfileReferenceId,
+                    };
+                }
             }
 
             await vmr.UpdateAsync(Azure.WaitUntil.Completed, patch, cancellationToken: context.CancellationToken);

diff --git a/e2etest/GuestProxyAgentTest/TestMap/Mariner2-Fips-TestGroup.yml b/e2etest/GuestProxyAgentTest/TestMap/Mariner2-Fips-TestGroup.yml
diff --git a/e2etest/GuestProxyAgentTest/TestMap/Redhat90-Arm64-TestGroup.yml b/e2etest/GuestProxyAgentTest/TestMap/Redhat90-Arm64-TestGroup.yml
@@ -7,4 +7,8 @@ scenarios:
   - className: GuestProxyAgentTest.TestScenarios.BVTScenario
     name: BVTScenario
   - name: LinuxPackageScenario
-    className: GuestProxyAgentTest.TestScenarios.LinuxPackageScenario
+    className: GuestProxyAgentTest.TestScenarios.LinuxPackageScenario
+  - name: ProxyAgentExtension
+    className: GuestProxyAgentTest.TestScenarios.ProxyAgentExtension
+  - name: LinuxImplicitExtension
+    className: GuestProxyAgentTest.TestScenarios.LinuxImplicitExtension
diff --git a/e2etest/GuestProxyAgentTest/TestMap/Redhat90-TestGroup.yml b/e2etest/GuestProxyAgentTest/TestMap/Redhat90-TestGroup.yml
@@ -7,4 +7,8 @@ scenarios:
   - className: GuestProxyAgentTest.TestScenarios.BVTScenario
     name: BVTScenario
   - name: LinuxPackageScenario
-    className: GuestProxyAgentTest.TestScenarios.LinuxPackageScenario
+    className: GuestProxyAgentTest.TestScenarios.LinuxPackageScenario
+  - name: ProxyAgentExtension
+    className: GuestProxyAgentTest.TestScenarios.ProxyAgentExtension
+  - name: LinuxImplicitExtension
+    className: GuestProxyAgentTest.TestScenarios.LinuxImplicitExtension
diff --git a/e2etest/GuestProxyAgentTest/TestMap/Rocky9-TestGroup.yml b/e2etest/GuestProxyAgentTest/TestMap/Rocky9-TestGroup.yml
@@ -7,4 +7,8 @@ scenarios:
   - className: GuestProxyAgentTest.TestScenarios.BVTScenario
     name: BVTScenario
   - name: LinuxPackageScenario
-    className: GuestProxyAgentTest.TestScenarios.LinuxPackageScenario
+    className: GuestProxyAgentTest.TestScenarios.LinuxPackageScenario
+  - name: ProxyAgentExtension
+    className: GuestProxyAgentTest.TestScenarios.ProxyAgentExtension
+  - name: LinuxImplicitExtension
+    className: GuestProxyAgentTest.TestScenarios.LinuxImplicitExtension
diff --git a/e2etest/GuestProxyAgentTest/TestMap/Suse15SP4-Arm64-TestGroup.yml b/e2etest/GuestProxyAgentTest/TestMap/Suse15SP4-Arm64-TestGroup.yml
@@ -7,4 +7,8 @@ scenarios:
   - className: GuestProxyAgentTest.TestScenarios.BVTScenario
     name: BVTScenario
   - name: LinuxPackageScenario
-    className: GuestProxyAgentTest.TestScenarios.LinuxPackageScenario
+    className: GuestProxyAgentTest.TestScenarios.LinuxPackageScenario
+  - name: ProxyAgentExtension
+    className: GuestProxyAgentTest.TestScenarios.ProxyAgentExtension
+  - name: LinuxImplicitExtension
+    className: GuestProxyAgentTest.TestScenarios.LinuxImplicitExtension
diff --git a/e2etest/GuestProxyAgentTest/TestMap/Suse15SP4-TestGroup.yml b/e2etest/GuestProxyAgentTest/TestMap/Suse15SP4-TestGroup.yml
@@ -7,4 +7,8 @@ scenarios:
   - className: GuestProxyAgentTest.TestScenarios.BVTScenario
     name: BVTScenario
   - name: LinuxPackageScenario
-    className: GuestProxyAgentTest.TestScenarios.LinuxPackageScenario
+    className: GuestProxyAgentTest.TestScenarios.LinuxPackageScenario
+  - name: ProxyAgentExtension
+    className: GuestProxyAgentTest.TestScenarios.ProxyAgentExtension
+  - name: LinuxImplicitExtension
+    className: GuestProxyAgentTest.TestScenarios.LinuxImplicitExtension