From: Lennart Poettering <lennart@amutable.com>
Date: Thu, 25 Jun 2026 20:08:08 +0000 (+0200)
Subject: vmspawn: deliver credentials via initrd cpio under SEV-SNP (#42272)
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=46ece03c997d92f242a26f2f7342a6d9da740406;p=thirdparty%2Fsystemd.git

vmspawn: deliver credentials via initrd cpio under SEV-SNP (#42272)

Re-enables `--set-credential=` / `--load-credential=` under
`--coco=sev-snp` by packaging credentials into a cpio appended to the
initrd, mirroring what `systemd-stub` does for ESP-sourced credentials.
The initrd is covered by the launch measurement via `kernel-hashes=on`,
so the credentials are too.

Tested end-to-end on an SNP-capable host: credentials passed via
`--set-credential=` land in `/run/credentials/@encrypted/` inside the
guest.
---

46ece03c997d92f242a26f2f7342a6d9da740406