mirror of
https://github.com/systemd/systemd.git
synced 2024-10-26 17:27:41 +03:00
Merge pull request #33913 from berrange/cvm-s390x
Add detection of confidential virtualization on s390x architcture
This commit is contained in:
commit
c7d9925396
@ -62,7 +62,7 @@
|
||||
</thead>
|
||||
<tbody>
|
||||
<row>
|
||||
<entry valign="top" morerows="16">VM</entry>
|
||||
<entry valign="top" morerows="17">VM</entry>
|
||||
<entry><varname>qemu</varname></entry>
|
||||
<entry>QEMU software virtualization, without KVM</entry>
|
||||
</row>
|
||||
@ -217,6 +217,50 @@
|
||||
WSL is categorized as a container for practical purposes.
|
||||
Multiple WSL environments share the same kernel and services
|
||||
should generally behave like when being run in a container.</para>
|
||||
|
||||
<para>When executed with <option>--cvm</option>, instead of
|
||||
printing the virtualization technology, it will display the
|
||||
confidential virtual machine technology, if any. The
|
||||
following technologies are currently identified:</para>
|
||||
|
||||
<table>
|
||||
<title>Known confidential virtualization technologies</title>
|
||||
<tgroup cols='2' align='left' colsep='1' rowsep='1'>
|
||||
<colspec colname="id" />
|
||||
<colspec colname="product" />
|
||||
<thead>
|
||||
<row>
|
||||
<entry>Arch</entry>
|
||||
<entry>ID</entry>
|
||||
<entry>Technology</entry>
|
||||
</row>
|
||||
</thead>
|
||||
<tbody>
|
||||
<row>
|
||||
<entry valign="top" morerows="3">x86_64</entry>
|
||||
<entry><varname>sev</varname></entry>
|
||||
<entry>AMD Secure Encrypted Virtualization</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry><varname>sev-es</varname></entry>
|
||||
<entry>AMD Secure Encrypted Virtualization - Encrypted State</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry><varname>sev-snp</varname></entry>
|
||||
<entry>AMD Secure Encrypted Virtualization - Secure Nested Paging</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry><varname>tdx</varname></entry>
|
||||
<entry>Intel Trust Domain Extensions</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>s390x</entry>
|
||||
<entry><varname>protvirt</varname></entry>
|
||||
<entry>IBM Protected Virtualization (Secure Execution)</entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
|
@ -11,6 +11,7 @@
|
||||
#include "confidential-virt-fundamental.h"
|
||||
#include "confidential-virt.h"
|
||||
#include "fd-util.h"
|
||||
#include "fileio.h"
|
||||
#include "missing_threads.h"
|
||||
#include "string-table.h"
|
||||
#include "utf8.h"
|
||||
@ -194,40 +195,62 @@ static bool detect_hypervisor(void) {
|
||||
return is_hv;
|
||||
}
|
||||
|
||||
ConfidentialVirtualization detect_confidential_virtualization(void) {
|
||||
static thread_local ConfidentialVirtualization cached_found = _CONFIDENTIAL_VIRTUALIZATION_INVALID;
|
||||
static ConfidentialVirtualization detect_confidential_virtualization_impl(void) {
|
||||
char sig[13] = {};
|
||||
ConfidentialVirtualization cv = CONFIDENTIAL_VIRTUALIZATION_NONE;
|
||||
|
||||
if (cached_found >= 0)
|
||||
return cached_found;
|
||||
|
||||
/* Skip everything on bare metal */
|
||||
if (detect_hypervisor()) {
|
||||
cpuid_leaf(0, sig, true);
|
||||
|
||||
if (memcmp(sig, CPUID_SIG_AMD, sizeof(sig)) == 0)
|
||||
cv = detect_sev();
|
||||
return detect_sev();
|
||||
else if (memcmp(sig, CPUID_SIG_INTEL, sizeof(sig)) == 0)
|
||||
cv = detect_tdx();
|
||||
return detect_tdx();
|
||||
}
|
||||
|
||||
cached_found = cv;
|
||||
return cv;
|
||||
return CONFIDENTIAL_VIRTUALIZATION_NONE;
|
||||
}
|
||||
#elif defined(__s390x__)
|
||||
static ConfidentialVirtualization detect_confidential_virtualization_impl(void) {
|
||||
_cleanup_free_ char *s = NULL;
|
||||
size_t readsize;
|
||||
int r;
|
||||
|
||||
r = read_full_virtual_file("/sys/firmware/uv/prot_virt_guest", &s, &readsize);
|
||||
if (r < 0) {
|
||||
log_debug_errno(r, "Unable to read /sys/firmware/uv/prot_virt_guest: %m");
|
||||
return CONFIDENTIAL_VIRTUALIZATION_NONE;
|
||||
}
|
||||
|
||||
if (readsize >= 1 && s[0] == '1')
|
||||
return CONFIDENTIAL_VIRTUALIZATION_PROTVIRT;
|
||||
|
||||
return CONFIDENTIAL_VIRTUALIZATION_NONE;
|
||||
}
|
||||
|
||||
#else /* ! x86_64 */
|
||||
ConfidentialVirtualization detect_confidential_virtualization(void) {
|
||||
static ConfidentialVirtualization detect_confidential_virtualization_impl(void) {
|
||||
log_debug("No confidential virtualization detection on this architecture");
|
||||
return CONFIDENTIAL_VIRTUALIZATION_NONE;
|
||||
}
|
||||
#endif /* ! x86_64 */
|
||||
|
||||
ConfidentialVirtualization detect_confidential_virtualization(void) {
|
||||
static thread_local ConfidentialVirtualization cached_found = _CONFIDENTIAL_VIRTUALIZATION_INVALID;
|
||||
|
||||
if (cached_found == _CONFIDENTIAL_VIRTUALIZATION_INVALID)
|
||||
cached_found = detect_confidential_virtualization_impl();
|
||||
|
||||
return cached_found;
|
||||
}
|
||||
|
||||
static const char *const confidential_virtualization_table[_CONFIDENTIAL_VIRTUALIZATION_MAX] = {
|
||||
[CONFIDENTIAL_VIRTUALIZATION_NONE] = "none",
|
||||
[CONFIDENTIAL_VIRTUALIZATION_SEV] = "sev",
|
||||
[CONFIDENTIAL_VIRTUALIZATION_SEV_ES] = "sev-es",
|
||||
[CONFIDENTIAL_VIRTUALIZATION_SEV_SNP] = "sev-snp",
|
||||
[CONFIDENTIAL_VIRTUALIZATION_TDX] = "tdx",
|
||||
[CONFIDENTIAL_VIRTUALIZATION_NONE] = "none",
|
||||
[CONFIDENTIAL_VIRTUALIZATION_SEV] = "sev",
|
||||
[CONFIDENTIAL_VIRTUALIZATION_SEV_ES] = "sev-es",
|
||||
[CONFIDENTIAL_VIRTUALIZATION_SEV_SNP] = "sev-snp",
|
||||
[CONFIDENTIAL_VIRTUALIZATION_TDX] = "tdx",
|
||||
[CONFIDENTIAL_VIRTUALIZATION_PROTVIRT] = "protvirt",
|
||||
};
|
||||
|
||||
DEFINE_STRING_TABLE_LOOKUP(confidential_virtualization, ConfidentialVirtualization);
|
||||
|
@ -13,6 +13,7 @@ typedef enum ConfidentialVirtualization {
|
||||
CONFIDENTIAL_VIRTUALIZATION_SEV_ES,
|
||||
CONFIDENTIAL_VIRTUALIZATION_SEV_SNP,
|
||||
CONFIDENTIAL_VIRTUALIZATION_TDX,
|
||||
CONFIDENTIAL_VIRTUALIZATION_PROTVIRT,
|
||||
|
||||
_CONFIDENTIAL_VIRTUALIZATION_MAX,
|
||||
_CONFIDENTIAL_VIRTUALIZATION_INVALID = -EINVAL,
|
||||
|
Loading…
Reference in New Issue
Block a user