mirrors/systemd
0
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2024-11-27 04:03:36 +08:00
Code Issues Packages Projects Releases Wiki Activity

detect-virt: add --cvm option

Browse Source 
The --cvm option detects whether the OS is running inside a confidential
virtual machine.

Related: https://github.com/systemd/systemd/issues/27604
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
This commit is contained in:
Daniel P. Berrangé 2023-06-30 19:07:29 +01:00 committed by Luca Boccassi
parent a577a61625
commit 5e0c61f64d
3 changed files with 29 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
man/systemd-detect-virt.xml
View File

@ -257,6 +257,16 @@
for more information.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--cvm</option></term>
<listitem><para>Detect whether invoked in a confidential virtual machine.
The result of this detection may be used to disable features that should
not be used in confidential VMs. It must not be used to release security
sensitive information. The latter must only be released after attestation
of the confidential environment.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>-q</option></term>
<term><option>--quiet</option></term>

2
shell-completion/bash/systemd-detect-virt
View File

@ -28,7 +28,7 @@ _systemd_detect_virt() {
local i verb comps
local -A OPTS=(
[STANDALONE]='-h --help --version -c --container -v --vm -q --quiet
[STANDALONE]='-h --help --version -c --container -v --vm -q --quiet --cvm
--private-users'
)

18
src/detect-virt/detect-virt.c
View File

@ -7,6 +7,7 @@
#include "alloc-util.h"
#include "build.h"
#include "confidential-virt.h"
#include "main-func.h"
#include "pretty-print.h"
#include "string-table.h"
@ -19,6 +20,7 @@ static enum {
ONLY_CONTAINER,
ONLY_CHROOT,
ONLY_PRIVATE_USERS,
ONLY_CVM,
} arg_mode = ANY_VIRTUALIZATION;
static int help(void) {
@ -37,6 +39,7 @@ static int help(void) {
" -v --vm Only detect whether we are run in a VM\n"
" -r --chroot Detect whether we are run in a chroot() environment\n"
" --private-users Only detect whether we are running in a user namespace\n"
" --cvm Only detect whether we are run in a confidential VM\n"
" -q --quiet Don't output anything, just set return value\n"
" --list List all known and detectable types of virtualization\n"
"\nSee the %s for details.\n",
@ -52,6 +55,7 @@ static int parse_argv(int argc, char *argv[]) {
ARG_VERSION = 0x100,
ARG_PRIVATE_USERS,
ARG_LIST,
ARG_CVM,
};
static const struct option options[] = {
@ -62,6 +66,7 @@ static int parse_argv(int argc, char *argv[]) {
{ "chroot", no_argument, NULL, 'r' },
{ "private-users", no_argument, NULL, ARG_PRIVATE_USERS },
{ "quiet", no_argument, NULL, 'q' },
{ "cvm", no_argument, NULL, ARG_CVM },
{ "list", no_argument, NULL, ARG_LIST },
{}
};
@ -105,6 +110,10 @@ static int parse_argv(int argc, char *argv[]) {
DUMP_STRING_TABLE(virtualization, Virtualization, _VIRTUALIZATION_MAX);
return 0;
case ARG_CVM:
arg_mode = ONLY_CVM;
return 1;
case '?':
return -EINVAL;
@ -122,6 +131,7 @@ static int parse_argv(int argc, char *argv[]) {
static int run(int argc, char *argv[]) {
Virtualization v;
ConfidentialVirtualization c;
int r;
/* This is mostly intended to be used for scripts which want
@ -159,6 +169,14 @@ static int run(int argc, char *argv[]) {
return log_error_errno(r, "Failed to check for user namespace: %m");
return !r;
case ONLY_CVM:
c = detect_confidential_virtualization();
if (c < 0)
return log_error_errno(c, "Failed to check for confidential virtualization: %m");
if (!arg_quiet)
puts(confidential_virtualization_to_string(c));
return c == CONFIDENTIAL_VIRTUALIZATION_NONE;
case ANY_VIRTUALIZATION:
default:
v = detect_virtualization();