import-creds: don't import creds from SMBIOS/qemu in confidential VMs
authorLennart Poettering <lennart@poettering.net>
Fri, 7 Jul 2023 14:00:09 +0000 (16:00 +0200)
committerLuca Boccassi <luca.boccassi@gmail.com>
Tue, 11 Jul 2023 14:24:01 +0000 (15:24 +0100)
src/core/import-creds.c

index 40cbf10dad8d4c74f7607c921fa2c1792cf71a8f..0e0bb06dc476de7efbdc495306ba98da94170920 100644 (file)
@@ -2,6 +2,7 @@
 
 #include <sys/mount.h>
 
+#include "confidential-virt.h"
 #include "copy.h"
 #include "creds-util.h"
 #include "escape.h"
@@ -9,8 +10,8 @@
 #include "format-util.h"
 #include "fs-util.h"
 #include "hexdecoct.h"
-#include "initrd-util.h"
 #include "import-creds.h"
+#include "initrd-util.h"
 #include "io-util.h"
 #include "mkdir-label.h"
 #include "mount-util.h"
@@ -376,6 +377,9 @@ static int import_credentials_qemu(ImportCredentialContext *c) {
         if (detect_container() > 0) /* don't access /sys/ in a container */
                 return 0;
 
+        if (detect_confidential_virtualization() > 0) /* don't trust firmware if confidential VMs */
+                return 0;
+
         source_dir_fd = open(QEMU_FWCFG_PATH, O_RDONLY|O_DIRECTORY|O_CLOEXEC);
         if (source_dir_fd < 0) {
                 if (errno == ENOENT) {
@@ -570,6 +574,9 @@ static int import_credentials_smbios(ImportCredentialContext *c) {
         if (detect_container() > 0) /* don't access /sys/ in a container */
                 return 0;
 
+        if (detect_confidential_virtualization() > 0) /* don't trust firmware if confidential VMs */
+                return 0;
+
         for (unsigned i = 0;; i++) {
                 struct dmi_field_header {
                         uint8_t type;
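Review bot: The two-line check and its comment on lines 42-43 are a verbatim copy of the one added in import_credentials_qemu() earlier in this commit, and each already repeats the preceding detect_container() check; the "which firmware sources are trustworthy" policy now lives in two places and will drift the next time a source or an exception is added. A small static predicate shared by both importers keeps that decision in one spot and gives it one place to log from. Worth a comment next to it as well: on hypervisors that can still intercept CPUID the very party this guard distrusts may be able to influence the detection result, so the check should presumably be read as defense in depth rather than a hard boundary (this is inferred from how such detection usually works, not from anything in the hunk). import_credentials_smbios() begins before this hunk and continues after it.
```c
/* fw_cfg and SMBIOS are written by the hypervisor: skip them where /sys/ is off-limits
 * (containers) or where the host is not trusted (confidential VMs). */
static bool firmware_credentials_untrusted(void) {
        if (detect_container() > 0) /* don't access /sys/ in a container */
                return true;

        if (detect_confidential_virtualization() > 0) { /* don't trust firmware in confidential VMs */
                log_debug("Confidential VM detected, not importing credentials from firmware.");
                return true;
        }

        return false;
}

/* … unchanged: start of import_credentials_smbios() … */
        if (firmware_credentials_untrusted())
                return 0;
/* … unchanged: SMBIOS field loop … */
```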