author | Daniel P. Berrangé <berrange@redhat.com> | 2024-07-30 11:51:21 +0200 |
---|---|---|
committer | Luca Boccassi <luca.boccassi@gmail.com> | 2024-07-30 22:39:20 +0200 |
commit | 9d7be044cad1ae54e344daf8f2ec37da46faf0fd (patch) | |
tree | 76af42cbc88e65f8dbac6a9e24277fc1f7a56329 /src/basic | |
parent | document how TimeoutStartSec= affects notify-reload (#33653) (diff) | |
Fix detection of TDX confidential VM on Azure platform
The original CVM detection logic for TDX assumes that the guest can see
the standard TDX CPUID leaf. This was true in Azure when this code was
originally written, however, current Azure now blocks that leaf in the
paravisor. Instead, the same Azure-specific CPUID leaf that is used for
SEV-SNP detection, which reports the VM isolation type, must be used.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Diffstat (limited to 'src/basic')
-rw-r--r-- | src/basic/confidential-virt.c | 11 |
1 files changed, 8 insertions, 3 deletions
diff --git a/src/basic/confidential-virt.c b/src/basic/confidential-virt.c
index b6521cf5bf..8a88a3eb83 100644
--- a/src/basic/confidential-virt.c
+++ b/src/basic/confidential-virt.c
@@ -76,7 +76,7 @@ static uint64_t msr(uint64_t index) {
         return ret;
 }
 
-static bool detect_hyperv_sev(void) {
+static bool detect_hyperv_cvm(uint32_t isoltype) {
         uint32_t eax, ebx, ecx, edx, feat;
         char sig[13] = {};
 
@@ -100,7 +100,7 @@ static bool detect_hyperv_sev(void) {
                 ebx = ecx = edx = 0;
                 cpuid(&eax, &ebx, &ecx, &edx);
 
-                if ((ebx & CPUID_HYPERV_ISOLATION_TYPE_MASK) == CPUID_HYPERV_ISOLATION_TYPE_SNP)
+                if ((ebx & CPUID_HYPERV_ISOLATION_TYPE_MASK) == isoltype)
                         return true;
         }
 
@@ -133,7 +133,7 @@ static ConfidentialVirtualization detect_sev(void) {
         if (!(eax & EAX_SEV)) {
                 log_debug("No sev in CPUID, trying hyperv CPUID");
 
-                if (detect_hyperv_sev())
+                if (detect_hyperv_cvm(CPUID_HYPERV_ISOLATION_TYPE_SNP))
                         return CONFIDENTIAL_VIRTUALIZATION_SEV_SNP;
 
                 log_debug("No hyperv CPUID");
@@ -171,6 +171,11 @@ static ConfidentialVirtualization detect_tdx(void) {
         if (memcmp(sig, CPUID_SIG_INTEL_TDX, sizeof(sig)) == 0)
                 return CONFIDENTIAL_VIRTUALIZATION_TDX;
 
+        log_debug("No tdx in CPUID, trying hyperv CPUID");
+
+        if (detect_hyperv_cvm(CPUID_HYPERV_ISOLATION_TYPE_TDX))
+                return CONFIDENTIAL_VIRTUALIZATION_TDX;
+
         return CONFIDENTIAL_VIRTUALIZATION_NONE;
 }
 
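Review bot: The new fallback in detect_tdx (the last hunk) logs before the Hyper-V probe but not after it fails, whereas the parallel path in detect_sev follows the failed `detect_hyperv_cvm()` call with `log_debug("No hyperv CPUID");`; adding that same line after the new `if` in detect_tdx keeps the two detection paths diagnosable in the same way when neither CPUID leaf matches. The renamed detect_hyperv_cvm in the first hunk also gains a parameter with no documentation; a one-line comment on the signature, `/* isoltype: the CPUID_HYPERV_ISOLATION_TYPE_* value compared against the isolation type reported in EBX */`, would tell callers what to pass. Both detect_hyperv_cvm and detect_tdx begin or end outside their hunks, so the rest of each body was not reviewed here. Whether the isolation type reported through the Hyper-V leaf carries the same weight as the architectural TDX leaf cannot be judged from these lines; a short comment above the new fallback noting that it relies on the hypervisor-reported isolation type would make that trade-off visible to the next reader.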