author | Daniel P. Berrangé <berrange@redhat.com> | 2023-06-30 20:01:17 +0200 |
---|---|---|
committer | Luca Boccassi <bluca@debian.org> | 2023-07-06 13:20:04 +0200 |
commit | 95d043b1595e7684163714aae46822b18cef0f65 (patch) | |
tree | 54cf4b608880181496159d01b1105643477c9362 /src | |
parent | detect-virt: add --list-cvm option (diff) | |
unit: add "cvm" option for ConditionSecurity
The "cvm" flag indicates whether the OS is running inside a confidential
virtual machine.
Related: https://github.com/systemd/systemd/issues/27604
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Diffstat (limited to 'src')
-rw-r--r-- | src/shared/condition.c | 3 | ||||
-rw-r--r-- | src/test/test-condition.c | 9 |
2 files changed, 12 insertions, 0 deletions
diff --git a/src/shared/condition.c b/src/shared/condition.c
index a79361e9e1..092f32a69e 100644
--- a/src/shared/condition.c
+++ b/src/shared/condition.c
@@ -24,6 +24,7 @@
 #include "cgroup-util.h"
 #include "compare-operator.h"
 #include "condition.h"
+#include "confidential-virt.h"
 #include "cpu-set-util.h"
 #include "creds-util.h"
 #include "efi-api.h"
@@ -689,6 +690,8 @@ static int condition_test_security(Condition *c, char **env) {
 return is_efi_secure_boot();
 if (streq(c->parameter, "tpm2"))
 return has_tpm2();
+ if (streq(c->parameter, "cvm"))
+ return detect_confidential_virtualization() > 0;
 return false;
 }
diff --git a/src/test/test-condition.c b/src/test/test-condition.c
index 317a104f4e..6d57ba8da9 100644
--- a/src/test/test-condition.c
+++ b/src/test/test-condition.c
@@ -14,6 +14,7 @@
 #include "battery-util.h"
 #include "cgroup-util.h"
 #include "condition.h"
+#include "confidential-virt.h"
 #include "cpu-set-util.h"
 #include "efi-loader.h"
 #include "env-util.h"
@@ -784,6 +785,12 @@ TEST(condition_test_security) {
 assert_se(condition);
 assert_se(condition_test(condition, environ) == is_efi_secure_boot());
 condition_free(condition);
+
+ condition = condition_new(CONDITION_SECURITY, "cvm", false, false);
+ assert_se(condition);
+ assert_se(condition_test(condition, environ) ==
+ (detect_confidential_virtualization() != CONFIDENTIAL_VIRTUALIZATION_NONE));
+ condition_free(condition);
 }
 TEST(print_securities) {
@@ -795,6 +802,8 @@ TEST(print_securities) {
 log_info("SMACK: %s", yes_no(mac_smack_use()));
 log_info("Audit: %s", yes_no(use_audit()));
 log_info("UEFI secure boot: %s", yes_no(is_efi_secure_boot()));
+ log_info("Confidential VM: %s", yes_no
+ (detect_confidential_virtualization() != CONFIDENTIAL_VIRTUALIZATION_NONE));
 log_info("-------------------------------------------");
 } |
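Review bot: The added `cvm` branch in condition_test_security returns `detect_confidential_virtualization() > 0`, while the new assertion in test-condition.c compares the detector result against `CONFIDENTIAL_VIRTUALIZATION_NONE`; if the detector can report a negative (error) value, the condition evaluates to false but the test's expected value evaluates to true, so the two disagree. Either the test should use the same `> 0` comparison, or the intended treatment of a failed detection should be stated at the condition, e.g. `/* A negative (failed) detection is treated as "not a confidential VM", never as an error. */`. The body of condition_test_security starts outside the hunk.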
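Review bot: The new log_info call in print_securities breaks the line between `yes_no` and its opening parenthesis, which reads as if `yes_no` were a value rather than a call and does not match the neighbouring lines, which keep `yes_no(...)` together. Breaking inside the argument list instead keeps the call intact: `log_info("Confidential VM: %s",` / `yes_no(detect_confidential_virtualization() != CONFIDENTIAL_VIRTUALIZATION_NONE));`. print_securities starts outside the hunk.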