From: Lennart Poettering
Date: Fri, 7 Jul 2023 14:00:09 +0000 (+0200)
Subject: import-creds: don't import creds from SMBIOS/qemu in confidential VMs
X-Git-Tag: v254-rc2~45
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=738e807e40da5fe0f2ff612076fc04d4ee2ce061;p=thirdparty%2Fsystemd.git

import-creds: don't import creds from SMBIOS/qemu in confidential VMs
---

diff --git a/src/core/import-creds.c b/src/core/import-creds.c
index 40cbf10dad8..0e0bb06dc47 100644
--- a/src/core/import-creds.c
+++ b/src/core/import-creds.c
@@ -2,6 +2,7 @@
 
 #include
 
+#include "confidential-virt.h"
 #include "copy.h"
 #include "creds-util.h"
 #include "escape.h"
@@ -9,8 +10,8 @@
 #include "format-util.h"
 #include "fs-util.h"
 #include "hexdecoct.h"
-#include "initrd-util.h"
 #include "import-creds.h"
+#include "initrd-util.h"
 #include "io-util.h"
 #include "mkdir-label.h"
 #include "mount-util.h"
@@ -376,6 +377,9 @@ static int import_credentials_qemu(ImportCredentialContext *c) {
 if (detect_container() > 0) /* don't access /sys/ in a container */
 return 0;
 
+ if (detect_confidential_virtualization() > 0) /* don't trust firmware if confidential VMs */
+ return 0;
+
 source_dir_fd = open(QEMU_FWCFG_PATH, O_RDONLY|O_DIRECTORY|O_CLOEXEC);
 if (source_dir_fd < 0) {
 if (errno == ENOENT) {
@@ -570,6 +574,9 @@ static int import_credentials_smbios(ImportCredentialContext *c) {
 if (detect_container() > 0) /* don't access /sys/ in a container */
 return 0;
 
+ if (detect_confidential_virtualization() > 0) /* don't trust firmware if confidential VMs */
+ return 0;
+
 for (unsigned i = 0;; i++) {
 struct dmi_field_header {
 uint8_t type;
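Review bot: The new guard in import_credentials_qemu() (and the identical one in import_credentials_smbios(), the last hunk) only skips the firmware sources when detect_confidential_virtualization() returns a positive value, so a detection failure (presumably a negative errno, as with the other detect_* helpers) is silently treated as "not confidential" and the code continues to read fw_cfg/SMBIOS data that is host-supplied and therefore untrusted precisely in the case the commit is hardening against. That fail-open default may be the right trade-off for non-CVM machines, but it should at least be visible: store the result and log it, e.g. `r = detect_confidential_virtualization();` / `if (r < 0) log_debug_errno(r, "Failed to detect confidential virtualization, assuming none: %m");` before the `if (r > 0) return 0;` check (assuming the function already has an `int r` local, as systemd code usually does). The early `return 0;` for the confidential case should likewise get a `log_debug()` line naming the skipped source, since a missing credential in a CVM is otherwise hard to diagnose. The trailing comment reads better as `/* don't trust firmware-provided credentials in confidential VMs */`, and since the same three lines appear in both functions a tiny static helper would keep the two call sites from drifting apart. Both function bodies continue outside their hunks.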