shaba/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2024-10-26 17:27:41 +03:00
Code

Merge pull request #33913 from berrange/cvm-s390x

Browse Source 
Add detection of confidential virtualization on s390x architcture
This commit is contained in:
Yu Watanabe 2024-08-03 05:32:39 +09:00 committed by GitHub
commit c7d9925396
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 85 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
man/systemd-detect-virt.xml
View File

@ -62,7 +62,7 @@
</thead>
<tbody>
<row>
<entry valign="top" morerows="16">VM</entry>
<entry valign="top" morerows="17">VM</entry>
<entry><varname>qemu</varname></entry>
<entry>QEMU software virtualization, without KVM</entry>
</row>
@ -217,6 +217,50 @@
WSL is categorized as a container for practical purposes.
Multiple WSL environments share the same kernel and services
should generally behave like when being run in a container.</para>
<para>When executed with <option>--cvm</option>, instead of
printing the virtualization technology, it will display the
confidential virtual machine technology, if any. The
following technologies are currently identified:</para>
<table>
<title>Known confidential virtualization technologies</title>
<tgroup cols='2' align='left' colsep='1' rowsep='1'>
<colspec colname="id" />
<colspec colname="product" />
<thead>
<row>
<entry>Arch</entry>
<entry>ID</entry>
<entry>Technology</entry>
</row>
</thead>
<tbody>
<row>
<entry valign="top" morerows="3">x86_64</entry>
<entry><varname>sev</varname></entry>
<entry>AMD Secure Encrypted Virtualization</entry>
</row>
<row>
<entry><varname>sev-es</varname></entry>
<entry>AMD Secure Encrypted Virtualization - Encrypted State</entry>
</row>
<row>
<entry><varname>sev-snp</varname></entry>
<entry>AMD Secure Encrypted Virtualization - Secure Nested Paging</entry>
</row>
<row>
<entry><varname>tdx</varname></entry>
<entry>Intel Trust Domain Extensions</entry>
</row>
<row>
<entry>s390x</entry>
<entry><varname>protvirt</varname></entry>
<entry>IBM Protected Virtualization (Secure Execution)</entry>
</row>
</tbody>
</tgroup>
</table>
</refsect1>
<refsect1>

55
src/basic/confidential-virt.c
View File

@ -11,6 +11,7 @@
#include "confidential-virt-fundamental.h"
#include "confidential-virt.h"
#include "fd-util.h"
#include "fileio.h"
#include "missing_threads.h"
#include "string-table.h"
#include "utf8.h"
@ -194,40 +195,62 @@ static bool detect_hypervisor(void) {
return is_hv;
}
ConfidentialVirtualization detect_confidential_virtualization(void) {
static thread_local ConfidentialVirtualization cached_found = _CONFIDENTIAL_VIRTUALIZATION_INVALID;
static ConfidentialVirtualization detect_confidential_virtualization_impl(void) {
char sig[13] = {};
ConfidentialVirtualization cv = CONFIDENTIAL_VIRTUALIZATION_NONE;
if (cached_found >= 0)
return cached_found;
/* Skip everything on bare metal */
if (detect_hypervisor()) {
cpuid_leaf(0, sig, true);
if (memcmp(sig, CPUID_SIG_AMD, sizeof(sig)) == 0)
cv = detect_sev();
return detect_sev();
else if (memcmp(sig, CPUID_SIG_INTEL, sizeof(sig)) == 0)
cv = detect_tdx();
return detect_tdx();
}
cached_found = cv;
return cv;
return CONFIDENTIAL_VIRTUALIZATION_NONE;
}
#elif defined(__s390x__)
static ConfidentialVirtualization detect_confidential_virtualization_impl(void) {
_cleanup_free_ char *s = NULL;
size_t readsize;
int r;
r = read_full_virtual_file("/sys/firmware/uv/prot_virt_guest", &s, &readsize);
if (r < 0) {
log_debug_errno(r, "Unable to read /sys/firmware/uv/prot_virt_guest: %m");
return CONFIDENTIAL_VIRTUALIZATION_NONE;
}
if (readsize >= 1 && s[0] == '1')
return CONFIDENTIAL_VIRTUALIZATION_PROTVIRT;
return CONFIDENTIAL_VIRTUALIZATION_NONE;
}
#else /* ! x86_64 */
ConfidentialVirtualization detect_confidential_virtualization(void) {
static ConfidentialVirtualization detect_confidential_virtualization_impl(void) {
log_debug("No confidential virtualization detection on this architecture");
return CONFIDENTIAL_VIRTUALIZATION_NONE;
}
#endif /* ! x86_64 */
ConfidentialVirtualization detect_confidential_virtualization(void) {
static thread_local ConfidentialVirtualization cached_found = _CONFIDENTIAL_VIRTUALIZATION_INVALID;
if (cached_found == _CONFIDENTIAL_VIRTUALIZATION_INVALID)
cached_found = detect_confidential_virtualization_impl();
return cached_found;
}
static const char *const confidential_virtualization_table[_CONFIDENTIAL_VIRTUALIZATION_MAX] = {
[CONFIDENTIAL_VIRTUALIZATION_NONE] = "none",
[CONFIDENTIAL_VIRTUALIZATION_SEV] = "sev",
[CONFIDENTIAL_VIRTUALIZATION_SEV_ES] = "sev-es",
[CONFIDENTIAL_VIRTUALIZATION_SEV_SNP] = "sev-snp",
[CONFIDENTIAL_VIRTUALIZATION_TDX] = "tdx",
[CONFIDENTIAL_VIRTUALIZATION_NONE] = "none",
[CONFIDENTIAL_VIRTUALIZATION_SEV] = "sev",
[CONFIDENTIAL_VIRTUALIZATION_SEV_ES] = "sev-es",
[CONFIDENTIAL_VIRTUALIZATION_SEV_SNP] = "sev-snp",
[CONFIDENTIAL_VIRTUALIZATION_TDX] = "tdx",
[CONFIDENTIAL_VIRTUALIZATION_PROTVIRT] = "protvirt",
};
DEFINE_STRING_TABLE_LOOKUP(confidential_virtualization, ConfidentialVirtualization);

1
src/basic/confidential-virt.h
View File

@ -13,6 +13,7 @@ typedef enum ConfidentialVirtualization {
CONFIDENTIAL_VIRTUALIZATION_SEV_ES,
CONFIDENTIAL_VIRTUALIZATION_SEV_SNP,
CONFIDENTIAL_VIRTUALIZATION_TDX,
CONFIDENTIAL_VIRTUALIZATION_PROTVIRT,
_CONFIDENTIAL_VIRTUALIZATION_MAX,
_CONFIDENTIAL_VIRTUALIZATION_INVALID = -EINVAL,