BLOG-7 - Added blog: Trusting Your VM from the First Instruction to the Last File #38

Open
jovan-djukic wants to merge 1 commit into main from blog-7

Conversation

@jovan-djukic (Contributor)

What type of PR is this?

https://medium.com/@djukicjovan56/f07fcbbe5ae6

What does this do?

Which issue(s) does this PR fix/relate to?

Have you included tests for your changes?

Did you document any new/modified features?

Notes


Copilot AI left a comment


Pull request overview

Adds a new Ultraviolet blog post on establishing a continuous chain of trust in confidential VMs (Secure Boot + Measured Boot + Linux IMA) and updates the static site artifacts so the post is discoverable and existing posts have richer metadata.

Changes:

  • Added new blog Markdown source for “Trusting Your VM from the First Instruction to the Last File”.
  • Updated blog listing / “Next Read” sections and generated post HTML.
  • Updated sitemap.xml and .blogcache to reflect the new/updated content.

Reviewed changes

Copilot reviewed 7 out of 8 changed files in this pull request and generated 13 comments.

Summary per file:

  • content/blogs/trusting-your-vm-from-the-first-instruction-to-the-last-file.md: New blog source content and frontmatter for the new article.
  • blog/trusting-your-vm-from-the-first-instruction-to-the-last-file/index.html: Generated HTML output for the new post page.
  • blog/index.html: Blog listing updated to include the new featured post and updated excerpts.
  • blog/confidential-computing-meets-ai/index.html: Generated HTML updated (meta description + “Next Read” card updates).
  • blog/cocos-prism-release/index.html: Generated HTML updated (meta description + “Next Read” card updates).
  • sitemap.xml: Adds the new blog URL and updates lastmod timestamps for blog entries.
  • .blogcache: Cache updated to include the new post and refreshed hashes.


Comment on lines +256 to +258
#### Combing OVMF\_VARS.fd and OVMF\_CODE.fd

Now that we made changes to **OVMF\_VARS.fd** wee need to combine the

Copilot AI Feb 17, 2026


Section title and paragraph have typos ("Combing" and "wee"). These read as accidental and should be corrected for clarity.

Suggested change
#### Combing OVMF\_VARS.fd and OVMF\_CODE.fd
Now that we made changes to **OVMF\_VARS.fd** wee need to combine the
#### Combining OVMF\_VARS.fd and OVMF\_CODE.fd
Now that we made changes to **OVMF\_VARS.fd** we need to combine the

Comment on lines +19 to +25
<meta property="og:image" content="https://www.ultraviolet.rs{https://www.ultraviolet.rs/img/header.avif}" />


<meta name="twitter:card" content="summary_large_image" />
<meta name="twitter:title" content="Trusting Your VM from the First Instruction to the Last File" />
<meta name="twitter:description" content="Learn about secured bot, measured boot, TPM and Linux IMA in the context of COCOS AI." />
<meta name="twitter:image" content="https://www.ultraviolet.rs{https://www.ultraviolet.rs/img/header.avif}" />

Copilot AI Feb 17, 2026


The og:image / twitter:image values are malformed (https://www.ultraviolet.rs{https://www.ultraviolet.rs/img/header.avif}), which will break social previews. This should be a valid absolute URL (typically built from the site base URL + ogImage/cover image path) without braces or double-prefixing.

Suggested change
<meta property="og:image" content="https://www.ultraviolet.rs{https://www.ultraviolet.rs/img/header.avif}" />
<meta name="twitter:card" content="summary_large_image" />
<meta name="twitter:title" content="Trusting Your VM from the First Instruction to the Last File" />
<meta name="twitter:description" content="Learn about secured bot, measured boot, TPM and Linux IMA in the context of COCOS AI." />
<meta name="twitter:image" content="https://www.ultraviolet.rs{https://www.ultraviolet.rs/img/header.avif}" />
<meta property="og:image" content="https://www.ultraviolet.rs/img/header.avif" />
<meta name="twitter:card" content="summary_large_image" />
<meta name="twitter:title" content="Trusting Your VM from the First Instruction to the Last File" />
<meta name="twitter:description" content="Learn about secured bot, measured boot, TPM and Linux IMA in the context of COCOS AI." />
<meta name="twitter:image" content="https://www.ultraviolet.rs/img/header.avif" />

concatenate vars and code files:

```
cat <path to OVMF_VARS.fd with keys> <path t OVMF_CODE.fd> > <path to new OVMF.secure.fd>
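Review bot: the operand order in this `cat` line is the one to keep and the text should say why: a combined OVMF image is the variable store followed by the code image, so `<path to OVMF_VARS.fd with keys>` has to come first and `<path to OVMF_CODE.fd>` second, as written. It is also worth a sentence that both files must come from the same OVMF build, since a vars template from a different build or flash-size layout will not line up with the code image and the firmware will not find the enrolled PK/KEK/db.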

Copilot AI Feb 17, 2026


The concatenation command uses the placeholder <path t OVMF_CODE.fd> (missing to). As written it’s easy to copy/paste and end up with a broken command; please correct the placeholder.

Suggested change
cat <path to OVMF_VARS.fd with keys> <path t OVMF_CODE.fd> > <path to new OVMF.secure.fd>
cat <path to OVMF_VARS.fd with keys> <path to OVMF_CODE.fd> > <path to new OVMF.secure.fd>


This will build a **coconut-igvm.igvm** file which will be placed in
**svsm/bin** directory. This file will be used as firmware when starting
the new VM. It will create a software **TPM** in **VPML0**.

Copilot AI Feb 17, 2026


Typo in VM privilege level: VPML0 should be VMPL0 (as used elsewhere in AMD SEV-SNP docs).

Suggested change
the new VM. It will create a software **TPM** in **VPML0**.
the new VM. It will create a software **TPM** in **VMPL0**.

sbsign --key <path to DB.key> --cert <path to DB.pem> bzImage --output bzImage.signed
```

This kernel can be used with generated IGMV file to start the VM.
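Review bot: this step should tie the signing key back to the enrolled db entry and add a verification before booting: the kernel only passes Secure Boot if `<path to DB.key>` is the private key for the `DB.cer` enrolled with virt-fw-vars earlier, and `sbverify --cert <path to DB.pem> bzImage.signed` confirms the signature against that certificate up front, which catches a key mix-up far more cheaply than a failed boot inside the VM.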

Copilot AI Feb 17, 2026


Typo in acronym: IGMV should be IGVM.

Suggested change
This kernel can be used with generated IGMV file to start the VM.
This kernel can be used with generated IGVM file to start the VM.

Comment on lines +11 to +12
image: /img/trusting-your-vm-from-the-first-instruction-to-the-last-file/overview.png
ogImage: /img/trusting-your-vm-from-the-first-instruction-to-the-last-file/overview.png

Copilot AI Feb 17, 2026


Frontmatter fields image and ogImage (as a plain string) don’t match what the blog generator reads (coverImage and ogImage.url). With the current keys, the generator falls back to seo.default_og_image, which is why the generated og:image/twitter:image end up malformed and the Schema.org image is just the site URL. Please align this post’s frontmatter with WRITING.md / scripts/builder.go (use coverImage: and ogImage: { url: ... }).

Suggested change
image: /img/trusting-your-vm-from-the-first-instruction-to-the-last-file/overview.png
ogImage: /img/trusting-your-vm-from-the-first-instruction-to-the-last-file/overview.png
coverImage: /img/trusting-your-vm-from-the-first-instruction-to-the-last-file/overview.png
ogImage: { url: /img/trusting-your-vm-from-the-first-instruction-to-the-last-file/overview.png }

Comment on lines +4 to +5
excerpt: "COCOS AI leverages several mechanism in order to build a continous chain of trust from the very first instruction executed during boot to the last file loaded into memory."
description: "Learn about secured bot, measured boot, TPM and Linux IMA in the context of COCOS AI."

Copilot AI Feb 17, 2026


Frontmatter excerpt/description contain typos: "several mechanism" should be "several mechanisms", "continous" should be "continuous", and "secured bot" should be "secure boot". Since these fields are used for listings/SEO, fixing them here and re-running the site build will update the generated HTML pages too.

Suggested change
excerpt: "COCOS AI leverages several mechanism in order to build a continous chain of trust from the very first instruction executed during boot to the last file loaded into memory."
description: "Learn about secured bot, measured boot, TPM and Linux IMA in the context of COCOS AI."
excerpt: "COCOS AI leverages several mechanisms in order to build a continuous chain of trust from the very first instruction executed during boot to the last file loaded into memory."
description: "Learn about secure boot, measured boot, TPM and Linux IMA in the context of COCOS AI."

author:
name: "Jovan Djukic"
picture: "https://avatars.githubusercontent.com/u/44265300?v=4"
tags: [confidential-computing, secured boot, measured boot, TPM, Linux IMA, cocos]

Copilot AI Feb 17, 2026


In YAML flow sequences, tag values containing spaces should be quoted to avoid parsing ambiguities and to match existing posts (e.g., content/blogs/confidential-computing-meets-ai.md uses "cube ai"). Consider quoting "secured boot", "measured boot", and "Linux IMA" (or switching to the multi-line list style).

Suggested change
tags: [confidential-computing, secured boot, measured boot, TPM, Linux IMA, cocos]
tags: [confidential-computing, "secured boot", "measured boot", TPM, "Linux IMA", cocos]

Comment on lines +237 to +245
#!/bin/bash
UUDI=$uuidgen

virt-fw-vars \
--input <path to OVMF_VARS.fd> \
--output <path to new OVMF_VARS.secure.fd> \
--set-pk $UUID <path to PK.cer> \
--add-kek $UUID <path to KEK.cer> \
--add-db $UUID <path to DB.cer> \
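Review bot: the last argument line `--add-db $UUID <path to DB.cer> \` still ends in a line-continuation backslash; if nothing follows it in the script, the shell either waits for more input or joins the next line into the virt-fw-vars command, so the trailing backslash on the final argument should be dropped. A short note that the GUID passed to `--set-pk`, `--add-kek` and `--add-db` is only the signature-owner identifier (the firmware verifies the certificates, not this GUID) would also stop readers from treating it as a secret or a key binding.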

Copilot AI Feb 17, 2026


The shell snippet defines UUDI=$uuidgen but then uses $UUID in subsequent commands. As written, $UUID will be empty and the command will fail; also uuidgen should be executed (e.g., command substitution) rather than assigned as a literal. Please make the variable name consistent and actually run uuidgen.

Comment on lines +145 to +156
```
gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask
```

The following line needs to be added to *OvmfPkg/OvmfPkgX64.dsc* file at
the end of the *PcdsDynamicDefault* section:

```
gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask|0x0000000C
```

These lines enable the **SHA1** bank. After the changes have been made,
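Review bot: the sentence "These lines enable the **SHA1** bank" does not agree with the value `0x0000000C`. In EDK2's SecurityPkg, `PcdTpm2HashMask` is a bitmask where BIT0 selects SHA1, BIT1 SHA256, BIT2 SHA384, BIT3 SHA512 and BIT4 SM3_256, so `0x0C` activates the SHA384 and SHA512 banks and leaves SHA1 and SHA256 off. Either the mask or the explanation needs to change (SHA1 alone would be `0x01`, SHA1 plus SHA256 `0x03`), and the text should state which banks end up active, because that decides which PCR bank the later IMA and attestation steps have to read.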

Copilot AI Feb 17, 2026


This section explicitly enables the TPM SHA1 PCR bank and relies on SHA1-based measurements for Linux IMA, which uses a cryptographically weak hash function for a security‑critical integrity chain. An attacker who can craft SHA1 collisions could potentially produce binaries that match expected measurements, undermining the trust you are trying to establish from boot through runtime. Prefer a stronger algorithm such as SHA‑256 (and configure IMA/TPM accordingly) so that all integrity and attestation measurements avoid SHA1 entirely.
