From 50e45c878abb7516b8c5ad52f4de4f6571010e69 Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones"
Date: Mon, 12 Aug 2024 13:39:59 +0100
Subject: [PATCH] Backport CVM fixes from upstream
---
 ...-Fix-CVM-detection-on-Azure-with-TDX.patch | 97 +++++++++++++++++++
 ...detecting-protected-virtualization-o.patch | 65 +++++++++++++
 copy-patches.sh | 2 +-
 virt-what.spec | 12 ++-
 4 files changed, 174 insertions(+), 2 deletions(-)
 create mode 100644 0001-Fix-CVM-detection-on-Azure-with-TDX.patch
 create mode 100644 0002-Add-support-for-detecting-protected-virtualization-o.patch
diff --git a/0001-Fix-CVM-detection-on-Azure-with-TDX.patch b/0001-Fix-CVM-detection-on-Azure-with-TDX.patch
new file mode 100644
index 0000000..8f81bbd
--- /dev/null
+++ b/0001-Fix-CVM-detection-on-Azure-with-TDX.patch
@@ -0,0 +1,97 @@
+From 059cbff66740ef74cd663f88c5f96a80a8d6d6ea Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?=
+Date: Tue, 30 Jul 2024 10:46:46 +0100
+Subject: [PATCH] Fix CVM detection on Azure with TDX
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The current TDX support was tested on Azure, however, since that time
+they now block the CPUID leaf we were using. Instead it is required to
+issue the Azure specific CPUID calls as we were already doing for SNP.
+
+Signed-off-by: Daniel P. Berrangé
+---
+ virt-what-cvm.c | 14 +++++++++-----
+ virt-what-cvm.pod | 4 ++--
+ 2 files changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/virt-what-cvm.c b/virt-what-cvm.c
+index 52b3426bc..0daa6ac35 100644
+--- a/virt-what-cvm.c
++++ b/virt-what-cvm.c
+@@ -92,6 +92,7 @@ static bool dodebug = false;
+
+ #define CPUID_HYPERV_ISOLATION_TYPE_MASK 0xf
+ #define CPUID_HYPERV_ISOLATION_TYPE_SNP 2
++#define CPUID_HYPERV_ISOLATION_TYPE_TDX 3
+
+ #if defined(__x86_64__)
+
+@@ -147,7 +148,7 @@ msr (off_t index)
+ }
+
+ static bool
+-cpu_sig_amd_hyperv (void)
++cpu_sig_cvm_hyperv (uint32_t isoltype)
+ {
+ uint32_t eax, ebx, ecx, edx;
+ char sig[13];
+@@ -175,8 +176,7 @@ cpu_sig_amd_hyperv (void)
+ ebx = ecx = edx = 0;
+ cpuid(&eax, &ebx, &ecx, &edx);
+
+- if ((ebx & CPUID_HYPERV_ISOLATION_TYPE_MASK) ==
+- CPUID_HYPERV_ISOLATION_TYPE_SNP) {
++ if ((ebx & CPUID_HYPERV_ISOLATION_TYPE_MASK) == isoltype) {
+ return true;
+ }
+ }
+@@ -212,7 +212,7 @@ cpu_sig_amd (void)
+ if (!(eax & (1 << 1))) {
+ debug ("No sev in CPUID, try hyperv CPUID\n");
+
+- if (cpu_sig_amd_hyperv ()) {
++ if (cpu_sig_cvm_hyperv (CPUID_HYPERV_ISOLATION_TYPE_SNP)) {
+ puts ("amd-sev-snp");
+ puts ("hyperv-hcl");
+ } else {
+@@ -252,8 +252,12 @@ cpu_sig_intel (void)
+ memset (sig, 0, sizeof sig);
+ cpuid_leaf (CPUID_INTEL_TDX_ENUMERATION, sig, true);
+
+- if (memcmp (sig, CPUID_SIG_INTEL_TDX, sizeof(sig)) == 0)
++ if (memcmp (sig, CPUID_SIG_INTEL_TDX, sizeof(sig)) == 0) {
+ puts ("intel-tdx");
++ } else if (cpu_sig_cvm_hyperv (CPUID_HYPERV_ISOLATION_TYPE_TDX)) {
++ puts ("intel-tdx");
++ puts ("hyperv-hcl");
++ }
+ }
+
+ static bool
+diff --git a/virt-what-cvm.pod b/virt-what-cvm.pod
+index 0f9076569..70213abd7 100644
+--- a/virt-what-cvm.pod
++++ b/virt-what-cvm.pod
+@@ -50,7 +50,7 @@ Status: tested on Fedora 38 QEMU+KVM SEV-SNP (devel snapshot)
+
+ This is a confidential guest running with Intel TDX technology
+
+-Status: tested on Microsoft Azure TDX CVM (preview)
++Status: tested on Microsoft Azure TDX CVM
+
+ =item B
+
+@@ -58,7 +58,7 @@ This is a confidential guest running unenlightened under the
+ HyperV (Azure) HCL (Host Compatibility Layer). This will be
+ paired with B.
+
+-Status: tested on Microsoft Azure SEV-SNP CVM
++Status: tested on Microsoft Azure SEV-SNP & TDX CVM
+
+ =back
+
+--
+2.43.0
+
diff --git a/0002-Add-support-for-detecting-protected-virtualization-o.patch b/0002-Add-support-for-detecting-protected-virtualization-o.patch
new file mode 100644
index 0000000..c5efcfe
--- /dev/null
+++ b/0002-Add-support-for-detecting-protected-virtualization-o.patch
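Review bot: `cpu_sig_cvm_hyperv (uint32_t isoltype)` in the second virt-what-cvm.c hunk gains a parameter but no comment saying what it expects or what a true result means, and the function body continues outside the hunk. I would put a header comment above the `static bool`, e.g. `/* Query the Hyper-V isolation-type CPUID leaf and return true if it reports ISOLTYPE (one of CPUID_HYPERV_ISOLATION_TYPE_*); used when the native SEV/TDX CPUID leaf is not available to the guest. */`. It is also worth a one-line comment at the new `else if` in cpu_sig_intel that this fallback is answered by the Hyper-V CPUID leaves rather than by the TDX enumeration leaf checked just above, which as I read the diff is why the second `intel-tdx` is always printed together with `hyperv-hcl` so consumers can tell the two detection paths apart.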
@@ -0,0 +1,65 @@
+From 037689fbe95e403b050c1eb736ebc8fdc2e601a5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?=
+Date: Fri, 2 Aug 2024 16:07:46 +0100
+Subject: [PATCH] Add support for detecting protected virtualization on s390x
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Daniel P. Berrangé
+---
+ virt-what-cvm.c | 21 ++++++++++++++++++++-
+ virt-what-cvm.pod | 5 +++++
+ 2 files changed, 25 insertions(+), 1 deletion(-)
+
+diff --git a/virt-what-cvm.c b/virt-what-cvm.c
+index 0daa6ac35..320df478b 100644
+--- a/virt-what-cvm.c
++++ b/virt-what-cvm.c
+@@ -295,7 +295,26 @@ cpu_sig (void)
+ cpu_sig_intel ();
+ }
+
+-#else /* !x86_64 */
++#elif defined(__s390x__)
++
++#define SYSFS_PROT_VIRT "/sys/firmware/uv/prot_virt_guest"
++
++static void
++cpu_sig (void)
++{
++ int fd = open("/sys/firmware/uv/prot_virt_guest", O_RDONLY);
++ char c;
++ if (fd < 0)
++ return;
++
++ if (read(fd, &c, 1) == 1 && c == '1')
++ puts("s390-protvirt");
++
++ close(fd);
++}
++
++
++#else /* ! x86_64 && ! s390x */
+
+ static void
+ cpu_sig (void)
+diff --git a/virt-what-cvm.pod b/virt-what-cvm.pod
+index 70213abd7..00e21cb70 100644
+--- a/virt-what-cvm.pod
++++ b/virt-what-cvm.pod
+@@ -60,6 +60,11 @@ paired with B.
+
+ Status: tested on Microsoft Azure SEV-SNP & TDX CVM
+
++=item B
++
++This is a confidential guest running on s390x with the
++Protected Virtualization (Secure Execution) technology
++
+ =back
+
+ =head1 EXIT STATUS
+--
+2.43.0
+
diff --git a/copy-patches.sh b/copy-patches.sh
index af8f647..a06bf23 100755
--- a/copy-patches.sh
+++ b/copy-patches.sh
@@ -8,7 +8,7 @@ set -e
 # ./copy-patches.sh
 project=virt-what
-rhel_version=9.1
+rhel_version=10.0
 # Check we're in the right directory.
 if [ ! -f $project.spec ]; then
diff --git a/virt-what.spec b/virt-what.spec
index f84dfdf..a55e36f 100644
--- a/virt-what.spec
+++ b/virt-what.spec
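Review bot: The new s390x `cpu_sig` opens the literal `"/sys/firmware/uv/prot_virt_guest"` although `SYSFS_PROT_VIRT` is defined for exactly that string a few lines earlier, so the macro is unused and the two copies can drift apart; the call should read `int fd = open(SYSFS_PROT_VIRT, O_RDONLY);`. The single-byte read that accepts only `'1'` also deserves a short comment, e.g. `/* the attribute reads "1" inside a protected-virtualization (Secure Execution) guest; a missing file or any other value is reported as not a PV guest */`, because an unreadable or short attribute is silently treated as "not confidential" with no debug output, unlike the x86 paths that call debug() on fallback.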
@@ -1,6 +1,6 @@
 Name: virt-what
 Version: 1.26
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: Detect if we are running in a virtual machine
 License: GPL-2.0-or-later
@@ -10,6 +10,13 @@ Source0: http://people.redhat.com/~rjones/virt-what/files/%{name}-%{versi
 # Maintainer script which helps with handling patches.
 Source1: copy-patches.sh
+# Patches are maintained in the following repository:
+# http://git.annexia.org/?p=virt-what.git;a=shortlog;h=refs/heads/rhel-10.0
+
+# Patches.
+Patch0001: 0001-Fix-CVM-detection-on-Azure-with-TDX.patch
+Patch0002: 0002-Add-support-for-detecting-protected-virtualization-o.patch
+
 BuildRequires: gcc
 BuildRequires: make
 BuildRequires: git
@@ -113,6 +120,9 @@ fi
 %changelog
+* Mon Aug 12 2024 Richard W.M. Jones - 1.26-2
+- Backport CVM fixes from upstream
+
 * Tue Jul 02 2024 Richard W.M. Jones - 1.26-1
 - New upstream version 1.26
 - Add new binary virt-what-cvm (for confidential VMs).