detect-virt: add --cvm option

The --cvm option detects whether the OS is running inside a confidential
virtual machine.

Related: https://github.com/systemd/systemd/issues/27604
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>

diff --git a/man/systemd-detect-virt.xml b/man/systemd-detect-virt.xml
index a92d83fe298bcb37b2379ce26a10843bf97d6284..cd7d512581af5b47ad820b372a5d3aa15300bc63 100644 (file)
--- a/man/systemd-detect-virt.xml
+++ b/man/systemd-detect-virt.xml
@@ -257,6 +257,16 @@
         for more information.</para></listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><option>--cvm</option></term>
+
+        <listitem><para>Detect whether invoked in a confidential virtual machine.
+        The result of this detection may be used to disable features that should
+        not be used in confidential VMs. It must not be used to release security
+        sensitive information. The latter must only be released after attestation
+        of the confidential environment.</para></listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><option>-q</option></term>
         <term><option>--quiet</option></term>

diff --git a/shell-completion/bash/systemd-detect-virt b/shell-completion/bash/systemd-detect-virt
index 05e44903e0aeae4b9ee448b6636533ddbd509bb7..e67570e6748e2ed341018e4290932d1a4d57a045 100644 (file)
--- a/shell-completion/bash/systemd-detect-virt
+++ b/shell-completion/bash/systemd-detect-virt
@@ -28,7 +28,7 @@ _systemd_detect_virt() {
     local i verb comps
 
     local -A OPTS=(
-        [STANDALONE]='-h --help --version -c --container -v --vm -q --quiet
+        [STANDALONE]='-h --help --version -c --container -v --vm -q --quiet --cvm
                              --private-users'
     )
 

diff --git a/src/detect-virt/detect-virt.c b/src/detect-virt/detect-virt.c
index b75e3c34ca84c866268df61de105ddc1793b658c..61b7005e7f54384af94bdefd31318b051d8e6b77 100644 (file)
--- a/src/detect-virt/detect-virt.c
+++ b/src/detect-virt/detect-virt.c
@@ -7,6 +7,7 @@
 
 #include "alloc-util.h"
 #include "build.h"
+#include "confidential-virt.h"
 #include "main-func.h"
 #include "pretty-print.h"
 #include "string-table.h"
@@ -19,6 +20,7 @@ static enum {
         ONLY_CONTAINER,
         ONLY_CHROOT,
         ONLY_PRIVATE_USERS,
+        ONLY_CVM,
 } arg_mode = ANY_VIRTUALIZATION;
 
 static int help(void) {
@@ -37,6 +39,7 @@ static int help(void) {
                "  -v --vm               Only detect whether we are run in a VM\n"
                "  -r --chroot           Detect whether we are run in a chroot() environment\n"
                "     --private-users    Only detect whether we are running in a user namespace\n"
+               "     --cvm              Only detect whether we are run in a confidential VM\n"
                "  -q --quiet            Don't output anything, just set return value\n"
                "     --list             List all known and detectable types of virtualization\n"
                "\nSee the %s for details.\n",
@@ -52,6 +55,7 @@ static int parse_argv(int argc, char *argv[]) {
                 ARG_VERSION = 0x100,
                 ARG_PRIVATE_USERS,
                 ARG_LIST,
+                ARG_CVM,
         };
 
         static const struct option options[] = {
@@ -62,6 +66,7 @@ static int parse_argv(int argc, char *argv[]) {
                 { "chroot",        no_argument, NULL, 'r'               },
                 { "private-users", no_argument, NULL, ARG_PRIVATE_USERS },
                 { "quiet",         no_argument, NULL, 'q'               },
+                { "cvm",           no_argument, NULL, ARG_CVM           },
                 { "list",          no_argument, NULL, ARG_LIST          },
                 {}
         };
@@ -105,6 +110,10 @@ static int parse_argv(int argc, char *argv[]) {
                         DUMP_STRING_TABLE(virtualization, Virtualization, _VIRTUALIZATION_MAX);
                         return 0;
 
+                case ARG_CVM:
+                        arg_mode = ONLY_CVM;
+                        return 1;
+
                 case '?':
                         return -EINVAL;
 
@@ -122,6 +131,7 @@ static int parse_argv(int argc, char *argv[]) {
 
 static int run(int argc, char *argv[]) {
         Virtualization v;
+        ConfidentialVirtualization c;
         int r;
 
         /* This is mostly intended to be used for scripts which want
@@ -159,6 +169,14 @@ static int run(int argc, char *argv[]) {
                         return log_error_errno(r, "Failed to check for user namespace: %m");
                 return !r;
 
+        case ONLY_CVM:
+                c = detect_confidential_virtualization();
+                if (c < 0)
+                        return log_error_errno(c, "Failed to check for confidential virtualization: %m");
+                if (!arg_quiet)
+                        puts(confidential_virtualization_to_string(c));
+                return c == CONFIDENTIAL_VIRTUALIZATION_NONE;
+
         case ANY_VIRTUALIZATION:
         default:
                 v = detect_virtualization();