From: Jeremy Linton Date: Fri, 10 Jan 2025 03:24:07 +0000 (-0600) Subject: confidential-virt: add detection for aarch64 CCA X-Git-Tag: v258-rc1~1615 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2572bf6a39b6c548acef07fd25f461c5a88560af;p=thirdparty%2Fsystemd.git confidential-virt: add detection for aarch64 CCA The arm confidential compute architecture (CCA) provides a platform design for confidential VMs running in a new realm context. This can be detected by the existence of a platform device exported for the arm-cca-guest driver, which provides attestation services via the realm services interface (RSI) to the Realm Management Monitor (RMM). Like the other methods systemd uses to detect Confidential VM's, checking the sysfs entry suggests that this is a confidential VM and should only be used for informative purposes, or to trigger further attestation. Like the s390 detection logic, the sysfs path being checked is not labeled as ABI, and may change in the future. It was chosen because its directly tied to the kernel's detection of the realm service interface rather to the Trusted Security Module (TSM) which is what is being triggered by the device entry. The TSM module has a provider string of 'arm-cca-guest' which could also be used, but that (IMHO) doesn't currently provide any additional benefit except that it can fail of the module isn't loaded. More information can be found here: https://developer.arm.com/documentation/den0125/0300 Signed-off-by: Jeremy Linton --- diff --git a/man/systemd-detect-virt.xml b/man/systemd-detect-virt.xml index a4fcdfbc9d5..e89f72bc229 100644 --- a/man/systemd-detect-virt.xml +++ b/man/systemd-detect-virt.xml @@ -258,6 +258,11 @@ protvirt IBM Protected Virtualization (Secure Execution) + + arm64 + cca + Arm Confidential Compute Architecture + diff --git a/src/basic/confidential-virt.c b/src/basic/confidential-virt.c index 986a57e0462..796ae6143c9 100644 --- a/src/basic/confidential-virt.c +++ b/src/basic/confidential-virt.c @@ -10,6 +10,7 @@ #include "confidential-virt-fundamental.h" #include "confidential-virt.h" +#include "errno-util.h" #include "fd-util.h" #include "fileio.h" #include "missing_threads.h" @@ -226,7 +227,18 @@ static ConfidentialVirtualization detect_confidential_virtualization_impl(void) return CONFIDENTIAL_VIRTUALIZATION_NONE; } +#elif defined(__aarch64__) +static ConfidentialVirtualization detect_confidential_virtualization_impl(void) { + int r; + r = RET_NERRNO(access("/sys/devices/platform/arm-cca-dev", F_OK)); + if (r < 0) { + log_debug_errno(r, "Unable to check /sys/devices/platform/arm-cca-dev: %m"); + return CONFIDENTIAL_VIRTUALIZATION_NONE; + } + + return CONFIDENTIAL_VIRTUALIZATION_CCA; +} #else /* ! x86_64 */ static ConfidentialVirtualization detect_confidential_virtualization_impl(void) { log_debug("No confidential virtualization detection on this architecture"); @@ -250,6 +262,7 @@ static const char *const confidential_virtualization_table[_CONFIDENTIAL_VIRTUAL [CONFIDENTIAL_VIRTUALIZATION_SEV_SNP] = "sev-snp", [CONFIDENTIAL_VIRTUALIZATION_TDX] = "tdx", [CONFIDENTIAL_VIRTUALIZATION_PROTVIRT] = "protvirt", + [CONFIDENTIAL_VIRTUALIZATION_CCA] = "cca", }; DEFINE_STRING_TABLE_LOOKUP(confidential_virtualization, ConfidentialVirtualization); diff --git a/src/basic/confidential-virt.h b/src/basic/confidential-virt.h index 07379bca7c9..097bbf7cfe2 100644 --- a/src/basic/confidential-virt.h +++ b/src/basic/confidential-virt.h @@ -14,6 +14,7 @@ typedef enum ConfidentialVirtualization { CONFIDENTIAL_VIRTUALIZATION_SEV_SNP, CONFIDENTIAL_VIRTUALIZATION_TDX, CONFIDENTIAL_VIRTUALIZATION_PROTVIRT, + CONFIDENTIAL_VIRTUALIZATION_CCA, _CONFIDENTIAL_VIRTUALIZATION_MAX, _CONFIDENTIAL_VIRTUALIZATION_INVALID = -EINVAL,