unit: add "cvm" option for ConditionSecurity

The "cvm" flag indicates whether the OS is running inside a confidential virtual machine. Related: https://github.com/systemd/systemd/issues/27604 Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2024-07-21 18:24:38 +00:00 · 2023-06-30 19:01:17 +01:00 · 2023-06-30 19:01:17 +01:00 · 95d043b159
parent f460fec915
commit 95d043b159
3 changed files with 14 additions and 2 deletions
--- a/man/systemd.unit.xml
+++ b/man/systemd.unit.xml
@ -1404,8 +1404,8 @@
          security technology is enabled on the system. Currently, the recognized values are
          <literal>selinux</literal>, <literal>apparmor</literal>, <literal>tomoyo</literal>,
          <literal>ima</literal>, <literal>smack</literal>, <literal>audit</literal>,
-          <literal>uefi-secureboot</literal> and <literal>tpm2</literal>. The test may be negated by prepending
-          an exclamation mark.</para>
+          <literal>uefi-secureboot</literal>, <literal>tpm2</literal> and <literal>cvm</literal>.
+          The test may be negated by prepending an exclamation mark.</para>
          </listitem>
        </varlistentry>

--- a/src/shared/condition.c
+++ b/src/shared/condition.c
@ -24,6 +24,7 @@
 #include "cgroup-util.h"
 #include "compare-operator.h"
 #include "condition.h"
+#include "confidential-virt.h"
 #include "cpu-set-util.h"
 #include "creds-util.h"
 #include "efi-api.h"
@ -689,6 +690,8 @@ static int condition_test_security(Condition *c, char **env) {
                return is_efi_secure_boot();
        if (streq(c->parameter, "tpm2"))
                return has_tpm2();
+        if (streq(c->parameter, "cvm"))
+                return detect_confidential_virtualization() > 0;

        return false;
 }
--- a/src/test/test-condition.c
+++ b/src/test/test-condition.c
@ -14,6 +14,7 @@
 #include "battery-util.h"
 #include "cgroup-util.h"
 #include "condition.h"
+#include "confidential-virt.h"
 #include "cpu-set-util.h"
 #include "efi-loader.h"
 #include "env-util.h"
@ -784,6 +785,12 @@ TEST(condition_test_security) {
        assert_se(condition);
        assert_se(condition_test(condition, environ) == is_efi_secure_boot());
        condition_free(condition);
+
+        condition = condition_new(CONDITION_SECURITY, "cvm", false, false);
+        assert_se(condition);
+        assert_se(condition_test(condition, environ) ==
+                  (detect_confidential_virtualization() != CONFIDENTIAL_VIRTUALIZATION_NONE));
+        condition_free(condition);
 }

 TEST(print_securities) {
@ -795,6 +802,8 @@ TEST(print_securities) {
        log_info("SMACK: %s", yes_no(mac_smack_use()));
        log_info("Audit: %s", yes_no(use_audit()));
        log_info("UEFI secure boot: %s", yes_no(is_efi_secure_boot()));
+        log_info("Confidential VM: %s", yes_no
+                 (detect_confidential_virtualization() != CONFIDENTIAL_VIRTUALIZATION_NONE));
        log_info("-------------------------------------------");
 }