
(RHEL-56144) Backport confidential virt. improvements #41

Merged

Conversation

@dtardon dtardon commented Sep 9, 2024

Resolves: RHEL-56144

The original CVM detection logic for TDX assumes that the guest can see
the standard TDX CPUID leaf. This was true in Azure when this code was
originally written, however, current Azure now blocks that leaf in the
paravisor. Instead it is required to use the same Azure specific CPUID
leaf that is used for SEV-SNP detection, which reports the VM isolation
type.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 9d7be04)

Related: RHEL-56144
We have different impls of detect_confidential_virtualization per
architecture. The detection is cached in the x86_64 impl, and as we
add support for more targets, we want to use caching for all. It thus
makes sense to split caching out into an architecture independent
method.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 1c4bd7a)

Related: RHEL-56144
The s390x platform provides confidential VMs using the "Secure Execution"
technology, which is also referred to as "Protected Virtualization" or
just "prot virt" in Linux / QEMU.

This can be detected through a simple sysfs attribute.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 6c35e0a)

Resolves: RHEL-56144
This fixes

  commit 9b0688f
  Author: Yu Watanabe <watanabe.yu+github@gmail.com>
  Date:   Tue Jan 9 10:52:49 2024 +0900

    virt: add Google Compute Engine support

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 9ffdfc6)

Related: RHEL-56144
Add a section which lists the known confidential virtual machine
technologies.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit a8fb5d2)

Related: RHEL-56144
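The description above covers two separable ideas: moving the caching of `detect_confidential_virtualization()` out of the x86_64 implementation into an architecture-independent wrapper, and detecting s390x Secure Execution ("prot virt") from a sysfs attribute. The following is an added illustration of both, written for this page and not code from systemd or from this PR. It assumes the attribute path `/sys/firmware/uv/prot_virt_guest` (exposed by the Linux s390 ultravisor driver) and that it reads `1` inside a Secure Execution guest; the PR text does not name the attribute, so treat the path as an assumption. The detector is parameterised on the path so it can be exercised against a constructed file on any architecture; the `write_text_file` helper and `/tmp/...` paths exist only for that demo.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

typedef enum ConfidentialVirtualization {
        CONFIDENTIAL_VIRTUALIZATION_NONE = 0,
        CONFIDENTIAL_VIRTUALIZATION_PROTVIRT,        /* s390x Secure Execution */
        CONFIDENTIAL_VIRTUALIZATION_NOT_CACHED = -1, /* sentinel: nothing cached yet */
} ConfidentialVirtualization;

/* Assumed sysfs attribute of the Linux s390 ultravisor driver (not named in the PR). */
#define PROT_VIRT_GUEST_ATTR "/sys/firmware/uv/prot_virt_guest"

/* Read a one-line attribute: 1 if its value is "1", 0 otherwise, <0 on error. */
static int sysfs_attr_is_one(const char *path) {
        char buf[32];
        FILE *f = fopen(path, "r");
        if (!f)
                return -errno;
        if (!fgets(buf, sizeof buf, f)) {
                fclose(f);
                return -EIO;
        }
        fclose(f);
        buf[strcspn(buf, "\n")] = '\0';
        return strcmp(buf, "1") == 0;
}

/* s390x detector, parameterised on the attribute path so it can be tested
 * against a constructed file on any architecture. */
ConfidentialVirtualization detect_confidential_virtualization_s390x_at(const char *path) {
        /* A missing or unreadable attribute is treated exactly like an explicit "0":
         * the conservative answer is "not a protected guest". */
        return sysfs_attr_is_one(path) > 0
                ? CONFIDENTIAL_VIRTUALIZATION_PROTVIRT
                : CONFIDENTIAL_VIRTUALIZATION_NONE;
}

/* Per-architecture probe selected at compile time. */
static ConfidentialVirtualization detect_confidential_virtualization_impl(void) {
#if defined(__s390x__)
        return detect_confidential_virtualization_s390x_at(PROT_VIRT_GUEST_ATTR);
#else
        /* The x86_64 CPUID-based probes are not reproduced in this example. */
        return CONFIDENTIAL_VIRTUALIZATION_NONE;
#endif
}

/* Architecture-independent entry point: probes once, then serves the cached result. */
ConfidentialVirtualization detect_confidential_virtualization(void) {
        static ConfidentialVirtualization cached = CONFIDENTIAL_VIRTUALIZATION_NOT_CACHED;
        if (cached == CONFIDENTIAL_VIRTUALIZATION_NOT_CACHED)
                cached = detect_confidential_virtualization_impl();
        return cached;
}

/* Demo helper: construct a fake attribute file (not part of any real detector). */
int write_text_file(const char *path, const char *text) {
        FILE *f = fopen(path, "w");
        if (!f)
                return -errno;
        fputs(text, f);
        return fclose(f) == 0 ? 0 : -EIO;
}

int main(void) {
        /* Constructed sample: pretend we are inside a Secure Execution guest. */
        write_text_file("/tmp/cvm_example_prot_virt_guest", "1\n");
        ConfidentialVirtualization r =
                detect_confidential_virtualization_s390x_at("/tmp/cvm_example_prot_virt_guest");
        printf("constructed attribute -> %s\n",
               r == CONFIDENTIAL_VIRTUALIZATION_PROTVIRT ? "protvirt" : "none");
        printf("this host (cached) -> %d\n", (int) detect_confidential_virtualization());
        return 0;
}
```

The cache is a plain static because the probe result cannot change for the lifetime of the process; the sentinel value is what lets "none" be cached as a real answer rather than re-probed on every call.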
@dtardon dtardon added this to the RHEL-10.0 milestone Sep 9, 2024
@github-actions github-actions bot changed the title from "Backport confidential virt. improvements" to "(RHEL-56144) Backport confidential virt. improvements" Sep 9, 2024

github-actions bot commented Sep 9, 2024

Commit validation

Tracker - RHEL-56144

The following commits meet all requirements

commit upstream
95637f7 - Fix detection of TDX confidential VM on Azure platform systemd/systemd@9d7be04
e96fb1b - confidential-virt: split caching of CVM detection into separate method… systemd/systemd@1c4bd7a
dc36fe2 - confidential-virt: add detection for s390x target systemd/systemd@6c35e0a
ba9c2da - man/systemd-detect-virt: fix row spanning for VM header systemd/systemd@9ffdfc6
5a5f23b - man/systemd-detect-virt: list known CVM technologies systemd/systemd@a8fb5d2

Tracker validation

Success

🟢 Tracker RHEL-56144 has set desired product: rhel-10.0
🟢 Tracker RHEL-56144 has set desired component: systemd
🟢 Tracker RHEL-56144 has been approved


Pull Request validation

Success

🟢 CI - All checks have passed
🟢 Review - Reviewed by a member
🟢 Approval - Changes were approved


Auto Merge

Success

🟢 Pull Request is not marked as draft and it's not blocked by dont-merge label
🟢 Pull Request meet requirements, title has correct form
🟢 Pull Request meet requirements, mergeable is true
🟢 Pull Request meet requirements, mergeable_state is clean
🟢 Pull Request has correct target branch main
🟢 Pull Request was merged

@jamacku jamacku left a comment

LGTM

@github-actions github-actions bot merged commit 3902176 into redhat-plumbers:main Oct 1, 2024
27 checks passed
@dtardon dtardon deleted the RHEL-56144-confidential-virt branch October 1, 2024 08:36