
(RHEL-50651) Fix detection of TDX confidential VM on Azure platform #296

Merged

Conversation

dtardon
Member

@dtardon dtardon commented Aug 22, 2024

Related: RHEL-50651

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 129b9e3)

Related: RHEL-50651
This helper is a simplified version of detect_confidential_virtualization()
that merely returns a boolean status flag reflecting whether we are believed
to be running inside a confidential VM.

This flag can be used for turning off features that are inappropriate to
use from a CVM, but must not be used for releasing sensitive data. The
latter must only be done in response to an attestation for the environment.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit b354a2c)

Related: RHEL-50651
In a confidential VM, the SMBIOS data is not trusted, as it is under the
control of the host OS/admin and not covered by attestation of the machine.

Fixes: systemd/systemd#27604
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 4b1153c)

Related: RHEL-50651
The original CVM detection logic for TDX assumes that the guest can see
the standard TDX CPUID leaf. This was true in Azure when this code was
originally written, however, current Azure now blocks that leaf in the
paravisor. Instead it is required to use the same Azure specific CPUID
leaf that is used for SEV-SNP detection, which reports the VM isolation
type.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 9d7be044cad1ae54e344daf8f2ec37da46faf0fd)

Related: RHEL-50651
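The detection order the last commit message describes, as an added example in C; this is not systemd's code. The leaf numbers (0x21, 0x40000000, 0x40000003, 0x4000000C), the "IntelTDX    " and "Microsoft Hv" signatures, the Hyper-V isolation feature bit and the isolation-type encoding (2 = SEV-SNP, 3 = TDX) are assumptions taken from the Intel SDM and the Hyper-V TLFS, not from this page, and the CPUID register tables at the end are constructed stand-ins for guests, not captured data. The standard TDX leaf is tried first; when a paravisor hides it, the Hyper-V isolation-configuration leaf is consulted instead. The two boolean helpers mirror the earlier commit messages: the flag may switch features off but must not gate release of secrets, and a CVM must not take its kernel command line from SMBIOS.

```c
/* Added example, not systemd's code. Leaf numbers, signatures and bit
 * positions are assumptions from the Intel SDM and Hyper-V TLFS. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { uint32_t eax, ebx, ecx, edx; } CpuidRegs;
/* CPUID is injected so the same logic runs against constructed register tables. */
typedef CpuidRegs (*CpuidFn)(uint32_t leaf, uint32_t subleaf);
typedef enum { CVM_NONE = 0, CVM_SEV_SNP, CVM_TDX } ConfidentialVirt;

#define CPUID_TDX_LEAF                0x21u        /* "IntelTDX    " in EBX,EDX,ECX */
#define CPUID_HYPERVISOR_PRESENT      (1u << 31)   /* leaf 1, ECX */
#define CPUID_HYPERV_VENDOR           0x40000000u  /* "Microsoft Hv" in EBX,ECX,EDX */
#define CPUID_HYPERV_FEATURES         0x40000003u
#define HYPERV_FEATURE_ISOLATION      (1u << 22)   /* EBX */
#define CPUID_HYPERV_ISOLATION_CONFIG 0x4000000Cu
#define HYPERV_ISOLATION_TYPE_MASK    0xfu         /* EBX bits 0-3 */
#define HYPERV_ISOLATION_TYPE_SNP     2u
#define HYPERV_ISOLATION_TYPE_TDX     3u

/* Compare three registers, in the given order, with a 12-byte ASCII signature.
 * Bytes are extracted by shifting, so this does not depend on host endianness. */
static bool sig_eq(uint32_t a, uint32_t b, uint32_t c, const char *sig) {
    const uint32_t regs[3] = { a, b, c };
    char buf[13];
    for (size_t i = 0; i < 3; i++)
        for (size_t j = 0; j < 4; j++)
            buf[i * 4 + j] = (char)(regs[i] >> (8 * j));
    buf[12] = '\0';
    return strcmp(buf, sig) == 0;
}

/* The path that worked on early Azure: the architectural TDX leaf. */
static ConfidentialVirt detect_tdx_standard_leaf(CpuidFn cpuid) {
    if (cpuid(0, 0).eax < CPUID_TDX_LEAF)        /* leaf 0x21 not enumerated */
        return CVM_NONE;
    CpuidRegs r = cpuid(CPUID_TDX_LEAF, 0);      /* a blocked leaf reads as zeros */
    return sig_eq(r.ebx, r.edx, r.ecx, "IntelTDX    ") ? CVM_TDX : CVM_NONE;
}

/* The path current Azure needs: the paravisor hides leaf 0x21, but the Hyper-V
 * isolation-configuration leaf still reports the VM isolation type. */
static ConfidentialVirt detect_hyperv_isolation(CpuidFn cpuid) {
    if (!(cpuid(1, 0).ecx & CPUID_HYPERVISOR_PRESENT))
        return CVM_NONE;
    CpuidRegs v = cpuid(CPUID_HYPERV_VENDOR, 0);
    if (!sig_eq(v.ebx, v.ecx, v.edx, "Microsoft Hv") || v.eax < CPUID_HYPERV_ISOLATION_CONFIG)
        return CVM_NONE;
    if (!(cpuid(CPUID_HYPERV_FEATURES, 0).ebx & HYPERV_FEATURE_ISOLATION))
        return CVM_NONE;
    switch (cpuid(CPUID_HYPERV_ISOLATION_CONFIG, 0).ebx & HYPERV_ISOLATION_TYPE_MASK) {
    case HYPERV_ISOLATION_TYPE_SNP: return CVM_SEV_SNP;
    case HYPERV_ISOLATION_TYPE_TDX: return CVM_TDX;
    default:                        return CVM_NONE;
    }
}

ConfidentialVirt detect_confidential_virtualization(CpuidFn cpuid) {
    ConfidentialVirt cv = detect_tdx_standard_leaf(cpuid);
    return cv != CVM_NONE ? cv : detect_hyperv_isolation(cpuid);
}

/* Boolean flag: usable for disabling features that make no sense in a CVM,
 * never as the basis for releasing secrets (that needs attestation). */
bool is_confidential_vm(CpuidFn cpuid) {
    return detect_confidential_virtualization(cpuid) != CVM_NONE;
}

/* SMBIOS is host-controlled and outside attestation: no cmdline from it in a CVM. */
bool smbios_cmdline_allowed(CpuidFn cpuid) { return !is_confidential_vm(cpuid); }

/* ---- Constructed CPUID tables standing in for guests (not captured data). ---- */
typedef struct { uint32_t leaf; CpuidRegs regs; } FakeLeaf;
static const FakeLeaf *fake_table;
static size_t fake_len;
static CpuidRegs fake_cpuid(uint32_t leaf, uint32_t subleaf) {
    (void)subleaf;
    for (size_t i = 0; i < fake_len; i++)
        if (fake_table[i].leaf == leaf) return fake_table[i].regs;
    return (CpuidRegs){ 0, 0, 0, 0 };            /* absent or blocked leaf */
}
ConfidentialVirt detect_with_table(const FakeLeaf *t, size_t n) {
    fake_table = t; fake_len = n;
    return detect_confidential_virtualization(fake_cpuid);
}
#define LEN(a) (sizeof(a) / sizeof((a)[0]))

/* Current Azure TDX guest: leaf 0x21 blocked by the paravisor, isolation type 3. */
static const FakeLeaf AZURE_TDX[] = {
    { 0x0,        { 0x21, 0, 0, 0 } },
    { 0x1,        { 0, 0, CPUID_HYPERVISOR_PRESENT, 0 } },
    { 0x40000000, { 0x4000000C, 0x7263694Du, 0x666F736Fu, 0x76482074u } }, /* "Microsoft Hv" */
    { 0x40000003, { 0, HYPERV_FEATURE_ISOLATION, 0, 0 } },
    { 0x4000000C, { 0, HYPERV_ISOLATION_TYPE_TDX, 0, 0 } },
};
/* TDX guest that does expose the architectural leaf (no paravisor in the way). */
static const FakeLeaf DIRECT_TDX[] = {
    { 0x0,  { 0x21, 0, 0, 0 } },
    { 0x21, { 0, 0x65746E49u, 0x20202020u, 0x5844546Cu } }, /* EBX "Inte" ECX "    " EDX "lTDX" */
};
/* Ordinary Hyper-V guest: hypervisor present, isolation feature bit clear. */
static const FakeLeaf PLAIN_HYPERV[] = {
    { 0x0,        { 0x21, 0, 0, 0 } },
    { 0x1,        { 0, 0, CPUID_HYPERVISOR_PRESENT, 0 } },
    { 0x40000000, { 0x4000000C, 0x7263694Du, 0x666F736Fu, 0x76482074u } },
    { 0x40000003, { 0, 0, 0, 0 } },
};

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
/* Raw CPUID: __get_cpuid_count would refuse hypervisor leaves above the basic max. */
static CpuidRegs real_cpuid(uint32_t leaf, uint32_t subleaf) {
    CpuidRegs r;
    __cpuid_count(leaf, subleaf, r.eax, r.ebx, r.ecx, r.edx);
    return r;
}
#endif

int main(void) {
    static const char *names[] = { "none", "sev-snp", "tdx" };
#if defined(__x86_64__) || defined(__i386__)
    printf("this machine: %s\n", names[detect_confidential_virtualization(real_cpuid)]);
#endif
    printf("constructed azure-tdx guest: %s\n",
           names[detect_with_table(AZURE_TDX, LEN(AZURE_TDX))]);
    return 0;
}
```

Running it on an ordinary host prints "none" for the machine and "tdx" for the constructed Azure table; the point of the fallback is that the second result is reached only through the Hyper-V leaf, because the table models leaf 0x21 as reading all zeros. Note that neither path is evidence for a remote party: a host can present any CPUID values it likes, which is why the boolean flag is only used to turn features off.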
@msekletar msekletar left a comment


LGTM

@github-actions github-actions bot changed the title Fix detection of TDX confidential VM on Azure platform (RHEL-50651) Fix detection of TDX confidential VM on Azure platform Aug 22, 2024
@github-actions github-actions bot added the pr/needs-ci Formerly needs-ci label Aug 22, 2024
github-actions bot commented Aug 22, 2024

Commit validation

Tracker - RHEL-50651

The following commits meet all requirements

commit upstream
5d90ada - fundamental: share constants for confidential virt detection systemd/systemd@129b9e3
f64a06e - efi: add helper API for detecting confidential virtualization systemd/systemd@b354a2c
736c8a7 - efi: don't pull kernel cmdline from SMBIOS in a confidential VM systemd/systemd@4b1153c
ae8265e - Fix detection of TDX confidential VM on Azure platform systemd/systemd@9d7be04

Tracker validation

Success

🟢 Tracker RHEL-50651 has set desired product: rhel-9.5
🟢 Tracker RHEL-50651 has set desired component: systemd
🟢 Tracker RHEL-50651 has been approved


Pull Request validation

Success

🟢 CI - All checks have passed
🟢 Review - Reviewed by a member
🟢 Approval - Changes were approved


Auto Merge

Success

🟢 Pull Request is not marked as draft and it's not blocked by dont-merge label
🟢 Pull Request meet requirements, title has correct form
🟢 Pull Request meet requirements, mergeable is true
🟢 Pull Request meet requirements, mergeable_state is clean
🟢 Pull Request has correct target branch main
🟢 Pull Request was merged

@github-actions github-actions bot removed the pr/needs-ci Formerly needs-ci label Aug 22, 2024
@github-actions github-actions bot merged commit adb6c21 into redhat-plumbers:main Aug 22, 2024
30 checks passed
@dtardon dtardon deleted the RHEL-50651-virt-cvm-azure branch August 24, 2024 05:30