From: Daniel P. Berrangé
Date: Fri, 30 Jun 2023 18:01:17 +0000 (+0100)
Subject: unit: add "cvm" option for ConditionSecurity
X-Git-Tag: v254-rc1~9^2~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=95d043b1595e7684163714aae46822b18cef0f65;p=thirdparty%2Fsystemd.git

unit: add "cvm" option for ConditionSecurity

The "cvm" flag indicates whether the OS is running inside a confidential virtual machine.

Related: https://github.com/systemd/systemd/issues/27604

Signed-off-by: Daniel P. Berrangé
---

diff --git a/man/systemd.unit.xml b/man/systemd.unit.xml
index 8c3329995d7..059df6fc125 100644
--- a/man/systemd.unit.xml
+++ b/man/systemd.unit.xml
@@ -1404,8 +1404,8 @@ security technology is enabled on the system. Currently, the recognized values are selinux, apparmor, tomoyo, ima, smack, audit,
- uefi-secureboot and tpm2. The test may be negated by prepending
- an exclamation mark.
+ uefi-secureboot, tpm2 and cvm.
+ The test may be negated by prepending an exclamation mark.
diff --git a/src/shared/condition.c b/src/shared/condition.c
index a79361e9e18..092f32a69ed 100644
--- a/src/shared/condition.c
+++ b/src/shared/condition.c
@@ -24,6 +24,7 @@
 #include "cgroup-util.h"
 #include "compare-operator.h"
 #include "condition.h"
+#include "confidential-virt.h"
 #include "cpu-set-util.h"
 #include "creds-util.h"
 #include "efi-api.h"
@@ -689,6 +690,8 @@ static int condition_test_security(Condition *c, char **env) {
 return is_efi_secure_boot();
 if (streq(c->parameter, "tpm2"))
 return has_tpm2();
+ if (streq(c->parameter, "cvm"))
+ return detect_confidential_virtualization() > 0;
 return false;
 }
diff --git a/src/test/test-condition.c b/src/test/test-condition.c
index 317a104f4ec..6d57ba8da9e 100644
--- a/src/test/test-condition.c
+++ b/src/test/test-condition.c
@@ -14,6 +14,7 @@
 #include "battery-util.h"
 #include "cgroup-util.h"
 #include "condition.h"
+#include "confidential-virt.h"
 #include "cpu-set-util.h"
 #include "efi-loader.h"
 #include "env-util.h"
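Review bot: The new `cvm` branch in condition_test_security() returns `detect_confidential_virtualization() > 0`, while the test added to TEST(condition_test_security) in src/test/test-condition.c expects `condition_test()` to equal `detect_confidential_virtualization() != CONFIDENTIAL_VIRTUALIZATION_NONE`; the two predicates agree only as long as the detector never returns a negative value. If detection can fail with a negative result, the condition evaluates to "not a confidential VM" but the test expects true, so the test fails precisely in the error case. Treating a detection failure as "not confidential" is the safer default for a condition that may gate units handling secrets, so I would keep `> 0` here and make the test use the same predicate, `assert_se(condition_test(condition, environ) == (detect_confidential_virtualization() > 0));`, and likewise in TEST(print_securities). A short comment on the branch would make the intent explicit: `/* A negative (failed) detection counts as "no CVM". */`. condition_test_security() begins before this hunk.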
@@ -784,6 +785,12 @@ TEST(condition_test_security) {
 assert_se(condition);
 assert_se(condition_test(condition, environ) == is_efi_secure_boot());
 condition_free(condition);
+
+ condition = condition_new(CONDITION_SECURITY, "cvm", false, false);
+ assert_se(condition);
+ assert_se(condition_test(condition, environ) ==
+ (detect_confidential_virtualization() != CONFIDENTIAL_VIRTUALIZATION_NONE));
+ condition_free(condition);
 }
 
 TEST(print_securities) {
@@ -795,6 +802,8 @@ TEST(print_securities) {
 log_info("SMACK: %s", yes_no(mac_smack_use()));
 log_info("Audit: %s", yes_no(use_audit()));
 log_info("UEFI secure boot: %s", yes_no(is_efi_secure_boot()));
+ log_info("Confidential VM: %s", yes_no
+ (detect_confidential_virtualization() != CONFIDENTIAL_VIRTUALIZATION_NONE));
 log_info("-------------------------------------------");
 }
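Review bot: The added log_info() call in TEST(print_securities) breaks the line between `yes_no` and its argument list, leaving `yes_no` dangling at the end of one line and `(detect_confidential_virtualization() ...` on the next, unlike the neighbouring lines which keep `yes_no(...)` together. It reads as if `yes_no` were a variable rather than a call; keeping the call intact, `log_info("Confidential VM: %s", yes_no(detect_confidential_virtualization() != CONFIDENTIAL_VIRTUALIZATION_NONE));`, matches the surrounding style. The TEST(print_securities) body starts before this hunk.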