From be04c8fcce284a309898301f92a83b0eb64a176a Mon Sep 17 00:00:00 2001
From: Baihua Lu <balu@microsoft.com>
Date: Tue, 28 Apr 2026 15:13:43 +0800
Subject: [PATCH] [AI Generated] BugFix: add securityProfile to ephemeral OS
 disk for ConfidentialVM deployments

---
 lisa/microsoft/testsuites/core/provisioning.py        | 1 -
 lisa/sut_orchestrator/azure/arm_template.bicep        | 3 +++
 lisa/sut_orchestrator/azure/autogen_arm_template.json | 3 +++
 3 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/lisa/microsoft/testsuites/core/provisioning.py b/lisa/microsoft/testsuites/core/provisioning.py
index 2917108087..885d8aaf5e 100644
--- a/lisa/microsoft/testsuites/core/provisioning.py
+++ b/lisa/microsoft/testsuites/core/provisioning.py
@@ -211,7 +211,6 @@ def verify_deployment_provision_standard_ssd_disk(
         requirement=simple_requirement(
             environment_status=EnvironmentStatus.Deployed,
             disk=DiskEphemeral(),
-            supported_features=[CvmDisabled()],  # TODO: Fix disk deployment for CVM
         ),
     )
     def verify_deployment_provision_ephemeral_managed_disk(
diff --git a/lisa/sut_orchestrator/azure/arm_template.bicep b/lisa/sut_orchestrator/azure/arm_template.bicep
index 13a1f55c19..1f01ce9bc3 100644
--- a/lisa/sut_orchestrator/azure/arm_template.bicep
+++ b/lisa/sut_orchestrator/azure/arm_template.bicep
@@ -111,6 +111,9 @@ func getLinuxConfiguration(keyPath string, publicKeyData string, disable_passwor
 
 func getEphemeralOSImage(node object) object => {
   name: '${node.name}-osDisk'
+  managedDisk: {
+    securityProfile: (empty(node.security_profile) || (node.security_profile.security_type != 'ConfidentialVM')) ? null : getSecurityProfileForOSDisk(node)
+  }
   diffDiskSettings: {
       option: 'local'
       placement: node.ephemeral_disk_placement_type
diff --git a/lisa/sut_orchestrator/azure/autogen_arm_template.json b/lisa/sut_orchestrator/azure/autogen_arm_template.json
index 6e27d74f77..c68fa202c4 100644
--- a/lisa/sut_orchestrator/azure/autogen_arm_template.json
+++ b/lisa/sut_orchestrator/azure/autogen_arm_template.json
@@ -111,6 +111,9 @@
             "type": "object",
             "value": {
               "name": "[format('{0}-osDisk', parameters('node').name)]",
+              "managedDisk": {
+                "securityProfile": "[if(or(empty(parameters('node').security_profile), not(equals(parameters('node').security_profile.security_type, 'ConfidentialVM'))), null(), __bicep.getSecurityProfileForOSDisk(parameters('node')))]"
+              },
               "diffDiskSettings": {
                 "option": "local",
                 "placement": "[parameters('node').ephemeral_disk_placement_type]"