confidential-virt: add detection for aarch64 CCA

The arm confidential compute architecture (CCA) provides a platform design for confidential VMs running in a new realm context. This can be detected by the existence of a platform device exported for the arm-cca-guest driver, which provides attestation services via the realm services interface (RSI) to the Realm Management Monitor (RMM). Like the other methods systemd uses to detect Confidential VM's, checking the sysfs entry suggests that this is a confidential VM and should only be used for informative purposes, or to trigger further attestation. Like the s390 detection logic, the sysfs path being checked is not labeled as ABI, and may change in the future. It was chosen because its directly tied to the kernel's detection of the realm service interface rather to the Trusted Security Module (TSM) which is what is being triggered by the device entry. The TSM module has a provider string of 'arm-cca-guest' which could also be used, but that (IMHO) doesn't currently provide any additional benefit except that it can fail of the module isn't loaded. More information can be found here: https://developer.arm.com/documentation/den0125/0300 Signed-off-by: Jeremy Linton <jeremy.linton@arm.com>
2026-04-14 00:14:32 +09:00 · 2025-01-09 21:24:07 -06:00
parent 28425b73ee
commit 2572bf6a39
3 changed files with 19 additions and 0 deletions
--- a/man/systemd-detect-virt.xml
+++ b/man/systemd-detect-virt.xml
@@ -258,6 +258,11 @@
            <entry><varname>protvirt</varname></entry>
            <entry>IBM Protected Virtualization (Secure Execution)</entry>
          </row>
+          <row>
+            <entry>arm64</entry>
+            <entry><varname>cca</varname></entry>
+            <entry>Arm Confidential Compute Architecture</entry>
+          </row>
        </tbody>
      </tgroup>
    </table>
--- a/src/basic/confidential-virt.c
+++ b/src/basic/confidential-virt.c
@@ -10,6 +10,7 @@

 #include "confidential-virt-fundamental.h"
 #include "confidential-virt.h"
+#include "errno-util.h"
 #include "fd-util.h"
 #include "fileio.h"
 #include "missing_threads.h"
@@ -226,7 +227,18 @@ static ConfidentialVirtualization detect_confidential_virtualization_impl(void)

        return CONFIDENTIAL_VIRTUALIZATION_NONE;
 }
+#elif defined(__aarch64__)
+static ConfidentialVirtualization detect_confidential_virtualization_impl(void) {
+        int r;

+        r = RET_NERRNO(access("/sys/devices/platform/arm-cca-dev", F_OK));
+        if (r < 0) {
+                log_debug_errno(r, "Unable to check /sys/devices/platform/arm-cca-dev: %m");
+                return CONFIDENTIAL_VIRTUALIZATION_NONE;
+        }
+
+        return CONFIDENTIAL_VIRTUALIZATION_CCA;
+}
 #else /* ! x86_64 */
 static ConfidentialVirtualization detect_confidential_virtualization_impl(void) {
        log_debug("No confidential virtualization detection on this architecture");
@@ -250,6 +262,7 @@ static const char *const confidential_virtualization_table[_CONFIDENTIAL_VIRTUAL
        [CONFIDENTIAL_VIRTUALIZATION_SEV_SNP]  = "sev-snp",
        [CONFIDENTIAL_VIRTUALIZATION_TDX]      = "tdx",
        [CONFIDENTIAL_VIRTUALIZATION_PROTVIRT] = "protvirt",
+        [CONFIDENTIAL_VIRTUALIZATION_CCA]      = "cca",
 };

 DEFINE_STRING_TABLE_LOOKUP(confidential_virtualization, ConfidentialVirtualization);
--- a/src/basic/confidential-virt.h
+++ b/src/basic/confidential-virt.h
@@ -14,6 +14,7 @@ typedef enum ConfidentialVirtualization {
        CONFIDENTIAL_VIRTUALIZATION_SEV_SNP,
        CONFIDENTIAL_VIRTUALIZATION_TDX,
        CONFIDENTIAL_VIRTUALIZATION_PROTVIRT,
+        CONFIDENTIAL_VIRTUALIZATION_CCA,

        _CONFIDENTIAL_VIRTUALIZATION_MAX,
        _CONFIDENTIAL_VIRTUALIZATION_INVALID = -EINVAL,