core: set SYSTEMD_CONFIDENTIAL_VIRTUALIZATION env for generators

This reports the confidential virtualization type that was detected Related: https://github.com/systemd/systemd/issues/27604 Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2025-02-25 21:57:32 +03:00 · 2023-07-03 10:21:07 +01:00 · 2023-07-03 10:21:07 +01:00 · 0895124572
commit 0895124572
parent 024469ddb9
2 changed files with 22 additions and 0 deletions
--- a/man/systemd.generator.xml
+++ b/man/systemd.generator.xml
@ -204,6 +204,17 @@
        <command>systemd-creds --system cat</command> command.</para></listitem>
      </varlistentry>

+      <varlistentry>
+        <term><varname>$SYSTEMD_CONFIDENTIAL_VIRTUALIZATION</varname></term>
+
+        <listitem><para>If the service manager is run in a confidential virtualized environment,
+        <varname>$SYSTEMD_CONFIDENTIAL_VIRTUALIZATION</varname> is set to a string that identifies
+        the confidential virtualization hardware technology. If no confidential virtualization is
+        detected this variable will not be set. This data is identical to what
+        <citerefentry><refentrytitle>systemd-detect-virt</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+        detects and reports, and uses the same vocabulary of confidential virtualization
+        technology identifiers.</para></listitem>
+      </varlistentry>
    </variablelist>
  </refsect1>

--- a/src/core/manager.c
+++ b/src/core/manager.c
@ -32,6 +32,7 @@
 #include "clean-ipc.h"
 #include "clock-util.h"
 #include "common-signal.h"
+#include "confidential-virt.h"
 #include "constants.h"
 #include "core-varlink.h"
 #include "creds-util.h"
@ -3887,6 +3888,7 @@ static int manager_run_environment_generators(Manager *m) {
 static int build_generator_environment(Manager *m, char ***ret) {
        _cleanup_strv_free_ char **nl = NULL;
        Virtualization v;
+        ConfidentialVirtualization cv;
        int r;

        assert(m);
@ -3935,6 +3937,15 @@ static int build_generator_environment(Manager *m, char ***ret) {
                        return r;
        }

+        cv = detect_confidential_virtualization();
+        if (cv < 0)
+                log_debug_errno(cv, "Failed to detect confidential virtualization, ignoring: %m");
+        else if (cv > 0) {
+                r = strv_env_assign(&nl, "SYSTEMD_CONFIDENTIAL_VIRTUALIZATION", confidential_virtualization_to_string(cv));
+                if (r < 0)
+                        return r;
+        }
+
        r = strv_env_assign(&nl, "SYSTEMD_ARCHITECTURE", architecture_to_string(uname_architecture()));
        if (r < 0)
                return r;