Go back to two control flags

stunes-ms · stunes-ms · commit 0f1db6a90337 · 2025-11-03T12:04:02.000-08:00
diff --git a/openhcl/underhill_core/src/worker.rs b/openhcl/underhill_core/src/worker.rs
@@ -1268,6 +1268,9 @@ async fn new_underhill_vm(
 
         if let Some(value) = env_cfg.attempt_ak_cert_callback {
             tracing::info!("using HCL_ATTEMPT_AK_CERT_CALLBACK={value} from cmdline");
+            dps.general
+                .management_vtl_features
+                .set_control_ak_cert_callback(true);
             dps.general
                 .management_vtl_features
                 .set_attempt_ak_cert_callback(value);
@@ -2661,9 +2664,16 @@ async fn new_underhill_vm(
                     if dps
                         .general
                         .management_vtl_features
-                        .attempt_ak_cert_callback() =>
+                        .control_ak_cert_provisioning() =>
                 {
-                    TpmAkCertTypeResource::Trusted(request_ak_cert, Some(true))
+                    TpmAkCertTypeResource::Trusted(
+                        request_ak_cert,
+                        Some(
+                            dps.general
+                                .management_vtl_features
+                                .attempt_ak_cert_callback(),
+                        ),
+                    )
                 }
                 AttestationType::Host => TpmAkCertTypeResource::Trusted(request_ak_cert, None),
             }
diff --git a/vm/devices/get/get_protocol/src/dps_json.rs b/vm/devices/get/get_protocol/src/dps_json.rs
@@ -155,8 +155,9 @@ open_enum! {
 pub struct ManagementVtlFeatures {
     pub strict_encryption_policy: bool,
     pub _reserved1: bool,
+    pub control_ak_cert_provisioning: bool,
     pub attempt_ak_cert_callback: bool,
-    #[bits(61)]
+    #[bits(60)]
     pub _reserved2: u64,
 }
 
