openhcl: plumb AziHsmEnabled to UefiConfigBlob and dps (#2767)

[maheeraeron]

Plumbs a new flag AziHsmEnabled into the UefiConfigBlob which will come from the host. This flag is necesary to ensure that UEFI knows whether to enable the AziHsm driver or not.

This PR also adds a vmm test to get coverage on the AziHsm driver with and without tpm and the AziHsm flag.

This PR is a cherry-pick of this: 07a1184

But, it also removes the hv_sint_enabled setting.

[github-actions]

⚠️ Unsafe Code Detected

This PR modifies files containing unsafe Rust code. Extra scrutiny is required during review.

For more on why we check whole files, instead of just diffs, check out the Rustonomicon

[Copilot]

Pull request overview

This PR plumbs a new AziHsmEnabled flag through the UEFI configuration pipeline from the host to the UEFI firmware. This flag controls whether the Azure Identity HSM driver is enabled in UEFI. The changes are comprehensive, touching all layers of the stack from CLI arguments to the UEFI config blob format, and includes VMM tests for both enabled and disabled scenarios.

Changes:

• Added azi_hsm_enabled boolean flag through the entire configuration pipeline (CLI → OpenVMM config → GED → DPS JSON → UEFI config blob)
• Added two new VMM tests to verify AziHsm driver presence/absence based on the flag
• Updated Flags bitfield in UEFI config to include the new field and adjusted reserved bits from 35 to 34

Reviewed changes

Copilot reviewed 19 out of 19 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
vm/loader/src/uefi/config.rs	Added azi_hsm_enabled bit to UEFI Flags bitfield, reduced reserved bits from 35 to 34
openvmm/openvmm_entry/src/cli_args.rs	Added --azi-hsm-enabled CLI flag
openvmm/openvmm_defs/src/config.rs	Added azi_hsm_enabled field to LoadMode::Uefi variant
openvmm/openvmm_entry/src/lib.rs	Plumbed CLI flag to LoadMode config
openvmm/openvmm_core/src/worker/dispatch.rs	Extracted and passed azi_hsm_enabled from LoadMode to UEFI loader
openvmm/openvmm_core/src/worker/vm_loaders/uefi.rs	Added flag to UefiLoadSettings and builder chain
vm/devices/get/get_protocol/src/dps_json.rs	Added azi_hsm_enabled to DPS JSON schema with #[serde(default)]
vm/devices/get/get_resources/src/lib.rs	Added field to GED resource definition
vm/devices/get/guest_emulation_device/src/lib.rs	Added field to GuestConfig struct and DPS message construction
vm/devices/get/guest_emulation_device/src/resolver.rs	Plumbed resource field to GuestConfig
vm/devices/get/guest_emulation_device/src/test_utilities.rs	Set default value to false in test helper
vm/devices/get/guest_emulation_transport/src/api.rs	Added field to General settings struct
vm/devices/get/guest_emulation_transport/src/client.rs	Mapped JSON field to API struct
openhcl/underhill_core/src/worker.rs	Added to validated configuration fields (marked as needing TODO decision)
openhcl/underhill_core/src/loader/mod.rs	Set flag in UEFI config blob based on platform config
petri/src/vm/mod.rs	Added with_azi_hsm_enabled() builder method and UefiConfig field
petri/src/vm/openvmm/construct.rs	Plumbed flag from petri config to OpenVMM backend
petri/src/vm/hyperv/mod.rs	Ignored flag for Hyper-V backend (not supported)
vmm_tests/vmm_tests/tests/tests/multiarch.rs	Added azi_hsm_present and azi_hsm_absent tests

[mebersol]

we need to maintain the reserved bit here, otherwise the bits don't agree

[maheeraeron]

oh ok, let me plumb that in

[maheeraeron]

hmm so the UefiConfigBlob will need it, but dpsv2 on the host equivalent PR removes this-- so i figure i should just make this PR line up with your changes?

[maheeraeron]

i left the reserved bit here-- but lmk if it needs to be maintained anywhere else.

[mebersol]

🕐

[github-actions]

At least one Petri test failed.