Merge pull request #28242 from berrange/cond-sec-cvm

Detect and expose the confidential virtualization technology in various places

Author: bluca

man/org.freedesktop.systemd1.xml

@@ -305,6 +305,8 @@ node /org/freedesktop/systemd1 {
       @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
       readonly s Virtualization = '...';
       @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
+      readonly s ConfidentialVirtualization = '...';
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
       readonly s Architecture = '...';
       @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
       readonly s Tainted = '...';
@@ -1010,6 +1012,8 @@ node /org/freedesktop/systemd1 {
 
     <variablelist class="dbus-property" generated="True" extra-ref="Virtualization"/>
 
+    <variablelist class="dbus-property" generated="True" extra-ref="ConfidentialVirtualization"/>
+
     <variablelist class="dbus-property" generated="True" extra-ref="Architecture"/>
 
     <variablelist class="dbus-property" generated="True" extra-ref="Tainted"/>
@@ -1765,6 +1769,12 @@ node /org/freedesktop/systemd1 {
       Note that only the "innermost" virtualization technology is exported here. This detects both
       full-machine virtualizations (VMs) and shared-kernel virtualization (containers).</para>
 
+      <para><varname>ConfidentialVirtualization</varname> contains a short ID string describing the confidential
+      virtualization technology the system runs in. On bare-metal hardware this is the empty string. Otherwise,
+      it contains an identifier such as <literal>sev</literal>, <literal>sev-es</literal>, <literal>sev-snp</literal>,
+      <literal>tdx</literal> and so on. For a full list of IDs see
+      <citerefentry><refentrytitle>systemd-detect-virt</refentrytitle><manvolnum>1</manvolnum></citerefentry></para>.
+
       <para><varname>Architecture</varname> contains a short ID string describing the architecture the
       systemd instance is running on. This follows the same vocabulary as
       <varname>ConditionArchitectures=</varname>.</para>

man/systemd-detect-virt.xml

@@ -257,6 +257,16 @@
         for more information.</para></listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><option>--cvm</option></term>
+
+        <listitem><para>Detect whether invoked in a confidential virtual machine.
+        The result of this detection may be used to disable features that should
+        not be used in confidential VMs. It must not be used to release security
+        sensitive information. The latter must only be released after attestation
+        of the confidential environment.</para></listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><option>-q</option></term>
         <term><option>--quiet</option></term>
@@ -271,6 +281,12 @@
         <listitem><para>Output all currently known and detectable container and VM environments.</para></listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><option>--list-cvm</option></term>
+
+        <listitem><para>Output all currently known and detectable confidential virtualization technologies.</para></listitem>
+      </varlistentry>
+
       <xi:include href="standard-options.xml" xpointer="help" />
       <xi:include href="standard-options.xml" xpointer="version" />
     </variablelist>

man/systemd.generator.xml

@@ -204,6 +204,17 @@
         <command>systemd-creds --system cat</command> command.</para></listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><varname>$SYSTEMD_CONFIDENTIAL_VIRTUALIZATION</varname></term>
+
+        <listitem><para>If the service manager is run in a confidential virtualized environment,
+        <varname>$SYSTEMD_CONFIDENTIAL_VIRTUALIZATION</varname> is set to a string that identifies
+        the confidential virtualization hardware technology. If no confidential virtualization is
+        detected this variable will not be set. This data is identical to what
+        <citerefentry><refentrytitle>systemd-detect-virt</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+        detects and reports, and uses the same vocabulary of confidential virtualization
+        technology identifiers.</para></listitem>
+      </varlistentry>
     </variablelist>
   </refsect1>
 

man/systemd.unit.xml

@@ -1404,8 +1404,8 @@
           security technology is enabled on the system. Currently, the recognized values are
           <literal>selinux</literal>, <literal>apparmor</literal>, <literal>tomoyo</literal>,
           <literal>ima</literal>, <literal>smack</literal>, <literal>audit</literal>,
-          <literal>uefi-secureboot</literal> and <literal>tpm2</literal>. The test may be negated by prepending
-          an exclamation mark.</para>
+          <literal>uefi-secureboot</literal>, <literal>tpm2</literal> and <literal>cvm</literal>.
+          The test may be negated by prepending an exclamation mark.</para>
           </listitem>
         </varlistentry>
 

man/udev.xml

@@ -279,6 +279,14 @@
                     for possible values.</para>
                   </listitem>
                 </varlistentry>
+                <varlistentry>
+                  <term><literal>cvm</literal></term>
+                  <listitem>
+                    <para>System's confidential virtualization technology. See
+                    <citerefentry><refentrytitle>systemd-detect-virt</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+                    for possible values.</para>
+                  </listitem>
+                </varlistentry>
               </variablelist>
               <para>Unknown keys will never match.</para>
             </listitem>

shell-completion/bash/systemd-detect-virt

@@ -28,8 +28,8 @@ _systemd_detect_virt() {
     local i verb comps
 
     local -A OPTS=(
-        [STANDALONE]='-h --help --version -c --container -v --vm -q --quiet
-                             --private-users'
+        [STANDALONE]='-h --help --version -c --container -v --vm -q --quiet --cvm
+                             --private-users --list --list-cvm'
     )
 
     _init_completion || return