owners:
- [email protected]
- file://chrome/browser/ash/guest_os/OWNERS
caption: Configure Bruschetta VMs on <ph name="PRODUCT_OS_NAME">$2<ex>Google ChromeOS</ex></ph>
desc: |-
Configure installation and runtime policies for Bruschetta VMs on
<ph name="PRODUCT_OS_NAME">$2<ex>Google ChromeOS</ex></ph>. This allows for
third-party VMs to be installed by users. This feature is disabled by default.
This policy is a map of configuration IDs to VM configurations. When a VM is
installed from a configuration it is persistently associated with that
configuration ID, and any runtime policies in that configuration apply to that
VM. Multiple VMs may be installed from the same configuration on the same device.
future_on:
- chrome_os
features:
dynamic_refresh: true
per_profile: false
cloud_only: true
unlisted: true
type: dict
schema:
type: object
description: Mapping from persistent IDs to VM configurations
patternProperties:
"[a-zA-Z0-9-_]+":
type: object
description: A VM configuration. Denotes a type of VM that the user can
install, which will be persistently associated with the ID of this
configuration, and controls that apply to this type of VM.
required:
- name
- enabled_state
properties:
name:
type: string
description: User visible name for this configuration
enabled_state:
type: string
description: Controls whether VMs using this configuration can be
installed and run (<ph name="INSTALL_ALLOWED">INSTALL_ALLOWED</ph>),
run but not installed (<ph name="RUN_ALLOWED">RUN_ALLOWED</ph>), or
cannot be run (<ph name="BLOCKED">BLOCKED</ph>). Note that to install
a VM the installer_image_x86_64 key must also be set. Removing a
configuration entirely implicitly sets this to <ph name="BLOCKED">BLOCKED</ph>,
preventing VMs from running without a policy.
enum:
- BLOCKED
- RUN_ALLOWED
- INSTALL_ALLOWED
installer_image_x86_64:
type: object
description: The UEFI-bootable disk image used to install the VM on x86_64 devices.
required:
- url
- hash
properties:
url:
type: string
description: URL of the disk image to download.
hash:
type: string
description: Hexadecimal encoded SHA-256 hash of the disk image.
uefi_pflash_x86_64:
type: object
description: The initial non-volatile UEFI data used by the VM firmware.
required:
- url
- hash
properties:
url:
type: string
description: URL of the data to download.
hash:
type: string
description: Hexadecimal encoded SHA-256 hash of the data.
vtpm:
type: object
description: Controls if VMs using this configuration have
access to a vTPM, defaults to false and
<ph name="FORCE_SHUTDOWN_IF_MORE_RESTRICTED">FORCE_SHUTDOWN_IF_MORE_RESTRICTED</ph>
if unset.
required:
- enabled
properties:
enabled:
type: boolean
description: Controls whether VMs using this configuration have
access to a vTPM, defaults to false.
policy_update_action:
type: string
description: Controls how to treat running VMs that don't match
this policy setting, defaults to
<ph name="FORCE_SHUTDOWN_IF_MORE_RESTRICTED">FORCE_SHUTDOWN_IF_MORE_RESTRICTED</ph>.
enum:
- NONE
- FORCE_SHUTDOWN_IF_MORE_RESTRICTED
- FORCE_SHUTDOWN_ALWAYS
oem_strings:
type: array
description: SMBIOS OEM strings to pass to the VM during install.
Defaults to the empty list.
items:
type: string
display_order:
type: integer
description: The order in which the VM configuration will be displayed in the installer.
When multiple VM configurations are specified, the one with the smallest display_order
value is displayed at the top of the list. Defaults to zero.
example_value:
vm-type:
name: Standard Virtual Machine
enabled_state: INSTALL_ALLOWED
installer_image_x86_64:
url: https://example.com/installer_image
hash: 761b22509ee7bd3e1a3da9eb9e37c6443acfc582670b733601ca5a1de44b99de
uefi_pflash_x86_64:
url: https://example.com/uefi_pflash
hash: 4d9a81e8feb96abb6da0d92642996a26edea6e94345da12a19999470c57bb0a6
vtpm:
enabled: true
policy_update_action: NONE
oem_strings:
- example config string
display_order: 5
tags:
- system-security