
(RHEL-50651) Add support for confidential virtualization #291

Merged
merged 12 commits into from
Aug 22, 2024

Conversation

dtardon
Member

@dtardon dtardon commented Aug 1, 2024

Resolves: RHEL-50651

crrodriguez and others added 9 commits August 1, 2024 14:36
In C23, thread_local is a reserved keyword and we shall therefore
do nothing to redefine it. glibc has it defined for older standard
version with the right conditions.

v2 by Yu Watanabe:
Move the definition to missing_threads.h like the way we define e.g.
missing syscalls or missing definitions, and include it by the users.

Co-authored-by: Yu Watanabe <watanabe.yu+github@gmail.com>
(cherry picked from commit 5545f33)

Related: RHEL-50651
This code uses various CPUID checks to be able to identify

 * AMD SEV
 * AMD SEV-ES
 * AMD SEV-SNP
 * Intel TDX

On HyperV/Azure, it has special checks for detecting SEV-SNP
since the normal CPUID is blocked.

Related: systemd/systemd#27604
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit a577a61)

Related: RHEL-50651
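The commit message above describes the detection in terms of CPUID leaves. The following is an added example, not systemd's code, that shows the shape of such a check: a pure classification function over raw register values, plus a live probe on x86. It assumes the documented bit layout of AMD CPUID Fn8000_001F EAX (bit 1 SEV, bit 3 SEV-ES, bit 4 SEV-SNP) and the Intel TDX signature "IntelTDX    " returned in EBX, EDX, ECX of CPUID leaf 0x21 subleaf 0; the hypervisor-present check (CPUID leaf 1, ECX bit 31), the tier ordering and the function and enum names are this example's own choices. It does not reproduce the extra Hyper-V/Azure handling the commit mentions, where CPUID alone is not sufficient.

```c
/* Added example (not systemd's code): classify the confidential-VM type
 * from CPUID data and read that data live on x86 builds. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

enum cvm_type { CVM_NONE = 0, CVM_SEV, CVM_SEV_ES, CVM_SEV_SNP, CVM_TDX };

static const char *cvm_to_string(enum cvm_type t) {
    switch (t) {
    case CVM_SEV:     return "sev";
    case CVM_SEV_ES:  return "sev-es";
    case CVM_SEV_SNP: return "sev-snp";
    case CVM_TDX:     return "tdx";
    default:          return "none";
    }
}

/* Pure classification over raw register values, so it can be exercised
 * with constructed input on any machine.
 *  hypervisor_present : CPUID leaf 1, ECX bit 31
 *  sev_eax            : EAX of CPUID 0x8000001F (0 if the leaf is absent)
 *  tdx_sig            : 12 bytes EBX|EDX|ECX of CPUID 0x21/0, or NULL if absent */
static enum cvm_type classify_cvm_x86(bool hypervisor_present, uint32_t sev_eax,
                                      const char *tdx_sig) {
    /* A confidential VM is by definition a guest: on bare metal the SEV leaf
     * advertises host capability, not an active CVM (example's own rule). */
    if (!hypervisor_present)
        return CVM_NONE;
    if (tdx_sig && memcmp(tdx_sig, "IntelTDX    ", 12) == 0)
        return CVM_TDX;
    /* Report the strongest SEV tier; SNP implies ES, which implies SEV. */
    if (sev_eax & (1u << 4)) return CVM_SEV_SNP;
    if (sev_eax & (1u << 3)) return CVM_SEV_ES;
    if (sev_eax & (1u << 1)) return CVM_SEV;
    return CVM_NONE;
}

/* Live probe. Returns CVM_NONE on non-x86 builds. Per the commit message,
 * some hypervisors (Hyper-V/Azure) block these leaves, so a CVM_NONE result
 * here is not proof that no confidential VM is in use. */
static enum cvm_type detect_cvm_x86(void) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax, ebx, ecx, edx;
    bool hv = false;
    uint32_t sev_eax = 0;
    char sig[12];
    const char *sigp = NULL;

    if (__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        hv = (ecx & (1u << 31)) != 0;
    if (__get_cpuid_max(0, NULL) >= 0x21 &&
        __get_cpuid_count(0x21, 0, &eax, &ebx, &ecx, &edx)) {
        memcpy(sig, &ebx, 4);
        memcpy(sig + 4, &edx, 4);
        memcpy(sig + 8, &ecx, 4);
        sigp = sig;
    }
    if (__get_cpuid(0x8000001F, &eax, &ebx, &ecx, &edx))
        sev_eax = eax;
    return classify_cvm_x86(hv, sev_eax, sigp);
#else
    return CVM_NONE;
#endif
}

int main(void) {
    printf("confidential virtualization: %s\n", cvm_to_string(detect_cvm_x86()));
    return 0;
}
```

Keeping the classification separate from the CPUID reads is what makes the logic testable off the target hardware; the live probe is the only part whose result depends on where it runs.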
The --cvm option detects whether the OS is running inside a confidential
virtual machine.

Related: systemd/systemd#27604
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 5e0c61f)

Resolves: RHEL-50651
The --list-cvm option reports the known types of confidential virtualization
technology that can be detected.

Related: systemd/systemd#27604
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit f460fec)

Related: RHEL-50651
The "cvm" flag indicates whether the OS is running inside a confidential
virtual machine.

Related: systemd/systemd#27604
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 95d043b)

Related: RHEL-50651
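A unit that uses the new condition, as an added example rather than anything from the PR: `ConditionSecurity=cvm` is the option the commit introduces; the unit name, description and the use of `systemd-detect-virt --cvm` as the service command are this example's own choices, and the exact output format of `--cvm` should be checked against the installed man page.

```ini
# Added example, not from the PR: a oneshot unit that is skipped
# (condition failed, not an error) unless the OS runs in a confidential VM.
[Unit]
Description=Confidential-VM-only task (example)
ConditionSecurity=cvm

[Service]
Type=oneshot
# Logs the detected confidential virtualization technology to the journal.
ExecStart=systemd-detect-virt --cvm

[Install]
WantedBy=multi-user.target
```

Because a failed condition is not a unit failure, this pattern is suited to attestation or key-release steps that must never run on an ordinary (non-confidential) guest.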
This property reports whether the system is running inside a confidential
virtual machine.

Related: systemd/systemd#27604
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 1257274)

Related: RHEL-50651
Related: systemd/systemd#27604
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 024469d)

Related: RHEL-50651
This reports the confidential virtualization type that was detected.

Related: systemd/systemd#27604
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 0895124)

Related: RHEL-50651
Related: systemd/systemd#27604
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 6e2e83b)

Related: RHEL-50651
@dtardon dtardon changed the title Add support for confidential cirtualization Add support for confidential virtualization Aug 1, 2024
@github-actions github-actions bot changed the title Add support for confidential virtualization (RHEL-50651) Add support for confidential virtualization Aug 1, 2024
@github-actions github-actions bot added tracker/invalid-product tracker/unapproved Formerly needs-acks pr/needs-ci Formerly needs-ci pr/needs-review Formerly needs-review labels Aug 1, 2024

github-actions bot commented Aug 1, 2024

Commit validation

Tracker - RHEL-50651

The following commits meet all requirements

commit upstream
a3745bc - Include <threads.h> if possible to get thread_local definition systemd/systemd@5545f33
560c277 - add APIs for detecting confidential virtualization systemd/systemd@a577a61
8411bc1 - detect-virt: add --cvm option systemd/systemd@5e0c61f
ed24127 - detect-virt: add --list-cvm option systemd/systemd@f460fec
633a7dd - unit: add "cvm" option for ConditionSecurity systemd/systemd@95d043b
132a6d4 - dbus: add 'ConfidentialVirtualization' property to manager object systemd/systemd@1257274
087f72b - core: log detected confidential virtualization type systemd/systemd@024469d
27a7bd2 - core: set SYSTEMD_CONFIDENTIAL_VIRTUALIZATION env for generators systemd/systemd@0895124
e580333 - udev: add 'conf-virt' constant for confidential virtualization tech systemd/systemd@6e2e83b
4add85f - confidential-virt: split caching of CVM detection into separate method… systemd/systemd@1c4bd7a
b39c39b - confidential-virt: add detection for s390x target systemd/systemd@6c35e0a
19609a2 - man/systemd-detect-virt: list known CVM technologies systemd/systemd@a8fb5d2

Tracker validation

Success

🟢 Tracker RHEL-50651 has set desired product: rhel-9.5
🟢 Tracker RHEL-50651 has set desired component: systemd
🟢 Tracker RHEL-50651 has been approved


Pull Request validation

Failed

🔴 Review - Missing review from a member

Success

🟢 CI - All checks have passed

@jamacku jamacku added this to the RHEL-9.5.0 milestone Aug 1, 2024
@github-actions github-actions bot removed tracker/invalid-product tracker/unapproved Formerly needs-acks pr/needs-ci Formerly needs-ci labels Aug 1, 2024
We have different impls of detect_confidential_virtualization per
architecture. The detection is cached in the x86_64 impl, and as we
add support for more targets, we want to use caching for all. It thus
makes sense to split caching out into an architecture independent
method.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 1c4bd7adcc281af2a2dd40867f64f2ac54a43c7a)

Related: RHEL-50651
The s390x platform provides confidential VMs using the "Secure Execution"
technology, which is also referred to as "Protected Virtualization" or
just "prot virt" in Linux / QEMU.

This can be detected through a simple sysfs attribute.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 6c35e0a51cc6a852ce239ea46cd75c133212a68e)

Related: RHEL-50651
Add a section which lists the known confidential virtual machine
technologies.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit a8fb5d21fd6127a6d05757c793cc9ba47f65c893)

Related: RHEL-50651
@dtardon dtardon removed the dont-merge label Aug 5, 2024
@github-actions github-actions bot added pr/needs-ci Formerly needs-ci and removed pr/needs-ci Formerly needs-ci labels Aug 5, 2024
Member

@lnykryn lnykryn left a comment


LGTM, I have not checked if this works, but at least nothing seems to be broken.

@lnykryn lnykryn merged commit 11992ca into redhat-plumbers:main Aug 22, 2024
30 checks passed
@dtardon dtardon deleted the RHEL-50651-detect-virt-cvm branch August 22, 2024 13:11