Backport CVM fixes from upstream
This commit is contained in:
parent
72e2fa7d8d
commit
50e45c878a
97
0001-Fix-CVM-detection-on-Azure-with-TDX.patch
Normal file
97
0001-Fix-CVM-detection-on-Azure-with-TDX.patch
Normal file
@ -0,0 +1,97 @@
|
|||||||
|
From 059cbff66740ef74cd663f88c5f96a80a8d6d6ea Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
|
||||||
|
Date: Tue, 30 Jul 2024 10:46:46 +0100
|
||||||
|
Subject: [PATCH] Fix CVM detection on Azure with TDX
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
The current TDX support was tested on Azure, however, since that time
|
||||||
|
they now block the CPUID leaf we were using. Instead it is required to
|
||||||
|
issue the Azure specific CPUID calls as we were already doing for SNP.
|
||||||
|
|
||||||
|
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
|
||||||
|
---
|
||||||
|
virt-what-cvm.c | 14 +++++++++-----
|
||||||
|
virt-what-cvm.pod | 4 ++--
|
||||||
|
2 files changed, 11 insertions(+), 7 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/virt-what-cvm.c b/virt-what-cvm.c
|
||||||
|
index 52b3426bc..0daa6ac35 100644
|
||||||
|
--- a/virt-what-cvm.c
|
||||||
|
+++ b/virt-what-cvm.c
|
||||||
|
@@ -92,6 +92,7 @@ static bool dodebug = false;
|
||||||
|
|
||||||
|
#define CPUID_HYPERV_ISOLATION_TYPE_MASK 0xf
|
||||||
|
#define CPUID_HYPERV_ISOLATION_TYPE_SNP 2
|
||||||
|
+#define CPUID_HYPERV_ISOLATION_TYPE_TDX 3
|
||||||
|
|
||||||
|
#if defined(__x86_64__)
|
||||||
|
|
||||||
|
@@ -147,7 +148,7 @@ msr (off_t index)
|
||||||
|
}
|
||||||
|
|
||||||
|
static bool
|
||||||
|
-cpu_sig_amd_hyperv (void)
|
||||||
|
+cpu_sig_cvm_hyperv (uint32_t isoltype)
|
||||||
|
{
|
||||||
|
uint32_t eax, ebx, ecx, edx;
|
||||||
|
char sig[13];
|
||||||
|
@@ -175,8 +176,7 @@ cpu_sig_amd_hyperv (void)
|
||||||
|
ebx = ecx = edx = 0;
|
||||||
|
cpuid(&eax, &ebx, &ecx, &edx);
|
||||||
|
|
||||||
|
- if ((ebx & CPUID_HYPERV_ISOLATION_TYPE_MASK) ==
|
||||||
|
- CPUID_HYPERV_ISOLATION_TYPE_SNP) {
|
||||||
|
+ if ((ebx & CPUID_HYPERV_ISOLATION_TYPE_MASK) == isoltype) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
@@ -212,7 +212,7 @@ cpu_sig_amd (void)
|
||||||
|
if (!(eax & (1 << 1))) {
|
||||||
|
debug ("No sev in CPUID, try hyperv CPUID\n");
|
||||||
|
|
||||||
|
- if (cpu_sig_amd_hyperv ()) {
|
||||||
|
+ if (cpu_sig_cvm_hyperv (CPUID_HYPERV_ISOLATION_TYPE_SNP)) {
|
||||||
|
puts ("amd-sev-snp");
|
||||||
|
puts ("hyperv-hcl");
|
||||||
|
} else {
|
||||||
|
@@ -252,8 +252,12 @@ cpu_sig_intel (void)
|
||||||
|
memset (sig, 0, sizeof sig);
|
||||||
|
cpuid_leaf (CPUID_INTEL_TDX_ENUMERATION, sig, true);
|
||||||
|
|
||||||
|
- if (memcmp (sig, CPUID_SIG_INTEL_TDX, sizeof(sig)) == 0)
|
||||||
|
+ if (memcmp (sig, CPUID_SIG_INTEL_TDX, sizeof(sig)) == 0) {
|
||||||
|
puts ("intel-tdx");
|
||||||
|
+ } else if (cpu_sig_cvm_hyperv (CPUID_HYPERV_ISOLATION_TYPE_TDX)) {
|
||||||
|
+ puts ("intel-tdx");
|
||||||
|
+ puts ("hyperv-hcl");
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
static bool
|
||||||
|
diff --git a/virt-what-cvm.pod b/virt-what-cvm.pod
|
||||||
|
index 0f9076569..70213abd7 100644
|
||||||
|
--- a/virt-what-cvm.pod
|
||||||
|
+++ b/virt-what-cvm.pod
|
||||||
|
@@ -50,7 +50,7 @@ Status: tested on Fedora 38 QEMU+KVM SEV-SNP (devel snapshot)
|
||||||
|
|
||||||
|
This is a confidential guest running with Intel TDX technology
|
||||||
|
|
||||||
|
-Status: tested on Microsoft Azure TDX CVM (preview)
|
||||||
|
+Status: tested on Microsoft Azure TDX CVM
|
||||||
|
|
||||||
|
=item B<hyperv-hcl>
|
||||||
|
|
||||||
|
@@ -58,7 +58,7 @@ This is a confidential guest running unenlightened under the
|
||||||
|
HyperV (Azure) HCL (Host Compatibility Layer). This will be
|
||||||
|
paired with B<amd-sev-snp>.
|
||||||
|
|
||||||
|
-Status: tested on Microsoft Azure SEV-SNP CVM
|
||||||
|
+Status: tested on Microsoft Azure SEV-SNP & TDX CVM
|
||||||
|
|
||||||
|
=back
|
||||||
|
|
||||||
|
--
|
||||||
|
2.43.0
|
||||||
|
|
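Review bot: The B<hyperv-hcl> entry in virt-what-cvm.pod still says the tag "will be paired with B<amd-sev-snp>" (context line in the second pod hunk), but the new cpu_sig_intel branch now prints `hyperv-hcl` right after `intel-tdx` too, so that sentence is stale while only the Status line was updated; I would change it to `paired with B<amd-sev-snp> or B<intel-tdx>.` The renamed cpu_sig_cvm_hyperv (its body continues outside the hunk) deserves a comment making clear what the tag does and does not prove, since the commit message itself shows the hypervisor controls which CPUID leaves a guest sees: `/* Isolation type comes from the Hyper-V CPUID leaves: it is reported by the hypervisor, not attested; callers needing assurance must use the platform attestation report. */`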
@ -0,0 +1,65 @@
|
|||||||
|
From 037689fbe95e403b050c1eb736ebc8fdc2e601a5 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
|
||||||
|
Date: Fri, 2 Aug 2024 16:07:46 +0100
|
||||||
|
Subject: [PATCH] Add support for detecting protected virtualization on s390x
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
|
||||||
|
---
|
||||||
|
virt-what-cvm.c | 21 ++++++++++++++++++++-
|
||||||
|
virt-what-cvm.pod | 5 +++++
|
||||||
|
2 files changed, 25 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/virt-what-cvm.c b/virt-what-cvm.c
|
||||||
|
index 0daa6ac35..320df478b 100644
|
||||||
|
--- a/virt-what-cvm.c
|
||||||
|
+++ b/virt-what-cvm.c
|
||||||
|
@@ -295,7 +295,26 @@ cpu_sig (void)
|
||||||
|
cpu_sig_intel ();
|
||||||
|
}
|
||||||
|
|
||||||
|
-#else /* !x86_64 */
|
||||||
|
+#elif defined(__s390x__)
|
||||||
|
+
|
||||||
|
+#define SYSFS_PROT_VIRT "/sys/firmware/uv/prot_virt_guest"
|
||||||
|
+
|
||||||
|
+static void
|
||||||
|
+cpu_sig (void)
|
||||||
|
+{
|
||||||
|
+ int fd = open("/sys/firmware/uv/prot_virt_guest", O_RDONLY);
|
||||||
|
+ char c;
|
||||||
|
+ if (fd < 0)
|
||||||
|
+ return;
|
||||||
|
+
|
||||||
|
+ if (read(fd, &c, 1) == 1 && c == '1')
|
||||||
|
+ puts("s390-protvirt");
|
||||||
|
+
|
||||||
|
+ close(fd);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+#else /* ! x86_64 && ! s390x */
|
||||||
|
|
||||||
|
static void
|
||||||
|
cpu_sig (void)
|
||||||
|
diff --git a/virt-what-cvm.pod b/virt-what-cvm.pod
|
||||||
|
index 70213abd7..00e21cb70 100644
|
||||||
|
--- a/virt-what-cvm.pod
|
||||||
|
+++ b/virt-what-cvm.pod
|
||||||
|
@@ -60,6 +60,11 @@ paired with B<amd-sev-snp>.
|
||||||
|
|
||||||
|
Status: tested on Microsoft Azure SEV-SNP & TDX CVM
|
||||||
|
|
||||||
|
+=item B<s390x-protvirt>
|
||||||
|
+
|
||||||
|
+This is a confidential guest running on s390x with the
|
||||||
|
+Protected Virtualization (Secure Execution) technology
|
||||||
|
+
|
||||||
|
=back
|
||||||
|
|
||||||
|
=head1 EXIT STATUS
|
||||||
|
--
|
||||||
|
2.43.0
|
||||||
|
|
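Review bot: The new s390x cpu_sig prints `s390-protvirt` while the pod entry added in the same patch documents the tag as `B<s390x-protvirt>`, so the manual and the program output disagree and scripts keying on the documented name will never match; either the string or the pod needs to change, and the name should be chosen once. The function also defines `SYSFS_PROT_VIRT` and then reopens the literal `/sys/firmware/uv/prot_virt_guest`, leaving the macro unused; use `int fd = open(SYSFS_PROT_VIRT, O_RDONLY | O_CLOEXEC);` so the path is defined in one place and the descriptor is not inherited across an exec. Whether `<fcntl.h>` and `<unistd.h>` are already included in this translation unit cannot be seen from the hunk, so that should be checked on the s390x build.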
@ -8,7 +8,7 @@ set -e
|
|||||||
# ./copy-patches.sh
|
# ./copy-patches.sh
|
||||||
|
|
||||||
project=virt-what
|
project=virt-what
|
||||||
rhel_version=9.1
|
rhel_version=10.0
|
||||||
|
|
||||||
# Check we're in the right directory.
|
# Check we're in the right directory.
|
||||||
if [ ! -f $project.spec ]; then
|
if [ ! -f $project.spec ]; then
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
Name: virt-what
|
Name: virt-what
|
||||||
Version: 1.26
|
Version: 1.26
|
||||||
Release: 1%{?dist}
|
Release: 2%{?dist}
|
||||||
Summary: Detect if we are running in a virtual machine
|
Summary: Detect if we are running in a virtual machine
|
||||||
License: GPL-2.0-or-later
|
License: GPL-2.0-or-later
|
||||||
|
|
||||||
@ -10,6 +10,13 @@ Source0: http://people.redhat.com/~rjones/virt-what/files/%{name}-%{versi
|
|||||||
# Maintainer script which helps with handling patches.
|
# Maintainer script which helps with handling patches.
|
||||||
Source1: copy-patches.sh
|
Source1: copy-patches.sh
|
||||||
|
|
||||||
|
# Patches are maintained in the following repository:
|
||||||
|
# http://git.annexia.org/?p=virt-what.git;a=shortlog;h=refs/heads/rhel-10.0
|
||||||
|
|
||||||
|
# Patches.
|
||||||
|
Patch0001: 0001-Fix-CVM-detection-on-Azure-with-TDX.patch
|
||||||
|
Patch0002: 0002-Add-support-for-detecting-protected-virtualization-o.patch
|
||||||
|
|
||||||
BuildRequires: gcc
|
BuildRequires: gcc
|
||||||
BuildRequires: make
|
BuildRequires: make
|
||||||
BuildRequires: git
|
BuildRequires: git
|
||||||
@ -113,6 +120,9 @@ fi
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Aug 12 2024 Richard W.M. Jones <rjones@redhat.com> - 1.26-2
|
||||||
|
- Backport CVM fixes from upstream
|
||||||
|
|
||||||
* Tue Jul 02 2024 Richard W.M. Jones <rjones@redhat.com> - 1.26-1
|
* Tue Jul 02 2024 Richard W.M. Jones <rjones@redhat.com> - 1.26-1
|
||||||
- New upstream version 1.26
|
- New upstream version 1.26
|
||||||
- Add new binary virt-what-cvm (for confidential VMs).
|
- Add new binary virt-what-cvm (for confidential VMs).
|
||||||
|