From 3fe2e644eb0ab80990c214f83b86d03a06fcef7d Mon Sep 17 00:00:00 2001
From: importbot <releng@rockylinux.org>
Date: Tue, 15 Oct 2024 16:34:33 +0000
Subject: [PATCH] import systemd-256-15.el10

---
 ...e-beta-branch-to-match-dist-git-name.patch |  25 ++++
 ...device-symlink-properly-on-udev-acti.patch |  41 ++++++
 ...-TDX-confidential-VM-on-Azure-platfo.patch | 121 ++++++++++++++++++
 ...t-split-caching-of-CVM-detection-int.patch |  76 +++++++++++
 ...-virt-add-detection-for-s390x-target.patch |  90 +++++++++++++
 ...ct-virt-fix-row-spanning-for-VM-head.patch |  37 ++++++
 ...ect-virt-list-known-CVM-technologies.patch |  74 +++++++++++
 SPECS/systemd.spec                            |  20 ++-
 8 files changed, 482 insertions(+), 2 deletions(-)
 create mode 100644 SOURCES/0091-ci-rename-beta-branch-to-match-dist-git-name.patch
 create mode 100644 SOURCES/0092-udev-Handle-PTP-device-symlink-properly-on-udev-acti.patch
 create mode 100644 SOURCES/0093-Fix-detection-of-TDX-confidential-VM-on-Azure-platfo.patch
 create mode 100644 SOURCES/0094-confidential-virt-split-caching-of-CVM-detection-int.patch
 create mode 100644 SOURCES/0095-confidential-virt-add-detection-for-s390x-target.patch
 create mode 100644 SOURCES/0096-man-systemd-detect-virt-fix-row-spanning-for-VM-head.patch
 create mode 100644 SOURCES/0097-man-systemd-detect-virt-list-known-CVM-technologies.patch

diff --git a/SOURCES/0091-ci-rename-beta-branch-to-match-dist-git-name.patch b/SOURCES/0091-ci-rename-beta-branch-to-match-dist-git-name.patch
new file mode 100644
index 0000000..10eeca5
--- /dev/null
+++ b/SOURCES/0091-ci-rename-beta-branch-to-match-dist-git-name.patch
@@ -0,0 +1,25 @@
+From d6ed92f6f6bffbf98700002eeed231af3336b40e Mon Sep 17 00:00:00 2001
+From: Jan Macku <jamacku@redhat.com>
+Date: Thu, 5 Sep 2024 12:36:01 +0200
+Subject: [PATCH] ci: rename beta branch to match dist-git name
+
+rhel-only: ci
+
+Related: RHEL-57603
+---
+ .github/tracker-validator.yml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/.github/tracker-validator.yml b/.github/tracker-validator.yml
+index 2e858606ff..1226b8a92a 100644
+--- a/.github/tracker-validator.yml
++++ b/.github/tracker-validator.yml
+@@ -6,7 +6,7 @@ labels:
+ products:
+   - Red Hat Enterprise Linux 10
+   - CentOS Stream 10
+-  - rhel-10.0.beta 
++  - rhel-10.0-beta
+   - rhel-10.0
+   - rhel-10.0.z
+   - rhel-10.1
diff --git a/SOURCES/0092-udev-Handle-PTP-device-symlink-properly-on-udev-acti.patch b/SOURCES/0092-udev-Handle-PTP-device-symlink-properly-on-udev-acti.patch
new file mode 100644
index 0000000..3fa0ed7
--- /dev/null
+++ b/SOURCES/0092-udev-Handle-PTP-device-symlink-properly-on-udev-acti.patch
@@ -0,0 +1,41 @@
+From ab07d071227dd878a7376296ab4baaca4522e4fb Mon Sep 17 00:00:00 2001
+From: Chengen Du <chengen.du@canonical.com>
+Date: Mon, 12 Aug 2024 11:41:52 +0800
+Subject: [PATCH] udev: Handle PTP device symlink properly on udev action
+ 'change'
+
+PTP device symlink creation rules are currently executed only when the
+udev action is 'add'. If a user reloads the rules and runs the udevadm
+trigger command to reapply changes, the symlink may be deleted, which
+can prevent the chronyd service from restarting properly.
+
+Signed-off-by: Chengen Du <chengen.du@canonical.com>
+(cherry picked from commit 6bd12be3fa7761f190e17efdbdbff4440da7528b)
+
+Resolves: RHEL-59871
+---
+ rules.d/50-udev-default.rules.in | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/rules.d/50-udev-default.rules.in b/rules.d/50-udev-default.rules.in
+index 9b00c7037e..6f80feeecf 100644
+--- a/rules.d/50-udev-default.rules.in
++++ b/rules.d/50-udev-default.rules.in
+@@ -30,6 +30,9 @@ SUBSYSTEM=="pci|usb|platform", IMPORT{builtin}="path_id"
+ 
+ SUBSYSTEM=="net", IMPORT{builtin}="net_driver"
+ 
++SUBSYSTEM=="ptp", ATTR{clock_name}=="KVM virtual PTP", SYMLINK+="ptp_kvm"
++SUBSYSTEM=="ptp", ATTR{clock_name}=="hyperv", SYMLINK+="ptp_hyperv"
++
+ ACTION!="add", GOTO="default_end"
+ 
+ SUBSYSTEM=="tty", KERNEL=="ptmx", GROUP="tty", MODE="0666"
+@@ -116,7 +119,4 @@ KERNEL=="vhost-net", GROUP="kvm", MODE="{{DEV_KVM_MODE}}", OPTIONS+="static_node
+ 
+ KERNEL=="udmabuf", GROUP="kvm"
+ 
+-SUBSYSTEM=="ptp", ATTR{clock_name}=="KVM virtual PTP", SYMLINK+="ptp_kvm"
+-SUBSYSTEM=="ptp", ATTR{clock_name}=="hyperv", SYMLINK+="ptp_hyperv"
+-
+ LABEL="default_end"
diff --git a/SOURCES/0093-Fix-detection-of-TDX-confidential-VM-on-Azure-platfo.patch b/SOURCES/0093-Fix-detection-of-TDX-confidential-VM-on-Azure-platfo.patch
new file mode 100644
index 0000000..a4616df
--- /dev/null
+++ b/SOURCES/0093-Fix-detection-of-TDX-confidential-VM-on-Azure-platfo.patch
@@ -0,0 +1,121 @@
+From 1fbfcb7d98c95e80e9332770b78613a803c15c20 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Tue, 30 Jul 2024 10:51:21 +0100
+Subject: [PATCH] Fix detection of TDX confidential VM on Azure platform
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The original CVM detection logic for TDX assumes that the guest can see
+the standard TDX CPUID leaf. This was true in Azure when this code was
+originally written, however, current Azure now blocks that leaf in the
+paravisor. Instead it is required to use the same Azure specific CPUID
+leaf that is used for SEV-SNP detection, which reports the VM isolation
+type.
+
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit 9d7be044cad1ae54e344daf8f2ec37da46faf0fd)
+
+Related: RHEL-56144
+---
+ src/basic/confidential-virt.c                   | 11 ++++++++---
+ src/boot/efi/vmm.c                              |  9 ++++++---
+ src/fundamental/confidential-virt-fundamental.h |  1 +
+ 3 files changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/src/basic/confidential-virt.c b/src/basic/confidential-virt.c
+index b6521cf5bf..8a88a3eb83 100644
+--- a/src/basic/confidential-virt.c
++++ b/src/basic/confidential-virt.c
+@@ -76,7 +76,7 @@ static uint64_t msr(uint64_t index) {
+         return ret;
+ }
+ 
+-static bool detect_hyperv_sev(void) {
++static bool detect_hyperv_cvm(uint32_t isoltype) {
+         uint32_t eax, ebx, ecx, edx, feat;
+         char sig[13] = {};
+ 
+@@ -100,7 +100,7 @@ static bool detect_hyperv_sev(void) {
+                 ebx = ecx = edx = 0;
+                 cpuid(&eax, &ebx, &ecx, &edx);
+ 
+-                if ((ebx & CPUID_HYPERV_ISOLATION_TYPE_MASK) == CPUID_HYPERV_ISOLATION_TYPE_SNP)
++                if ((ebx & CPUID_HYPERV_ISOLATION_TYPE_MASK) == isoltype)
+                         return true;
+         }
+ 
+@@ -133,7 +133,7 @@ static ConfidentialVirtualization detect_sev(void) {
+         if (!(eax & EAX_SEV)) {
+                 log_debug("No sev in CPUID, trying hyperv CPUID");
+ 
+-                if (detect_hyperv_sev())
++                if (detect_hyperv_cvm(CPUID_HYPERV_ISOLATION_TYPE_SNP))
+                         return CONFIDENTIAL_VIRTUALIZATION_SEV_SNP;
+ 
+                 log_debug("No hyperv CPUID");
+@@ -171,6 +171,11 @@ static ConfidentialVirtualization detect_tdx(void) {
+         if (memcmp(sig, CPUID_SIG_INTEL_TDX, sizeof(sig)) == 0)
+                 return CONFIDENTIAL_VIRTUALIZATION_TDX;
+ 
++        log_debug("No tdx in CPUID, trying hyperv CPUID");
++
++        if (detect_hyperv_cvm(CPUID_HYPERV_ISOLATION_TYPE_TDX))
++                return CONFIDENTIAL_VIRTUALIZATION_TDX;
++
+         return CONFIDENTIAL_VIRTUALIZATION_NONE;
+ }
+ 
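Review bot: The added fallback returns CONFIDENTIAL_VIRTUALIZATION_TDX on the strength of a single hypervisor-controlled CPUID leaf, with no MSR or attestation cross-check (unlike the SEV path, which reads an MSR after its CPUID probe), so a cooperating hypervisor or paravisor can make a non-TDX guest report `tdx`. That is inherent to CPUID-based detection and the native TDX signature check just above is no stronger, but it deserves a comment so that consumers of `--cvm` do not treat the result as a security property: `/* Azure's paravisor hides the TDX CPUID leaf; fall back to the Hyper-V isolation-type leaf. Like every CPUID probe here this is hypervisor-asserted, not attested: use it as a policy hint, never as proof of a TDX TCB. */`. The identical fallback added to src/boot/efi/vmm.c later in this patch would benefit from the same remark. detect_tdx() begins before this hunk.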
+diff --git a/src/boot/efi/vmm.c b/src/boot/efi/vmm.c
+index 60e216d54c..3459461390 100644
+--- a/src/boot/efi/vmm.c
++++ b/src/boot/efi/vmm.c
+@@ -337,7 +337,7 @@ static uint64_t msr(uint32_t index) {
+         return val;
+ }
+ 
+-static bool detect_hyperv_sev(void) {
++static bool detect_hyperv_cvm(uint32_t isoltype) {
+         uint32_t eax, ebx, ecx, edx, feat;
+         char sig[13] = {};
+ 
+@@ -354,7 +354,7 @@ static bool detect_hyperv_sev(void) {
+         if (ebx & CPUID_HYPERV_ISOLATION && !(ebx & CPUID_HYPERV_CPU_MANAGEMENT)) {
+                 __cpuid(CPUID_HYPERV_ISOLATION_CONFIG, eax, ebx, ecx, edx);
+ 
+-                if ((ebx & CPUID_HYPERV_ISOLATION_TYPE_MASK) == CPUID_HYPERV_ISOLATION_TYPE_SNP)
++                if ((ebx & CPUID_HYPERV_ISOLATION_TYPE_MASK) == isoltype)
+                         return true;
+         }
+ 
+@@ -379,7 +379,7 @@ static bool detect_sev(void) {
+          * specific CPUID checks.
+          */
+         if (!(eax & EAX_SEV))
+-                return detect_hyperv_sev();
++                return detect_hyperv_cvm(CPUID_HYPERV_ISOLATION_TYPE_SNP);
+ 
+         msrval = msr(MSR_AMD64_SEV);
+ 
+@@ -403,6 +403,9 @@ static bool detect_tdx(void) {
+         if (memcmp(sig, CPUID_SIG_INTEL_TDX, sizeof(sig)) == 0)
+                 return true;
+ 
++        if (detect_hyperv_cvm(CPUID_HYPERV_ISOLATION_TYPE_TDX))
++                return true;
++
+         return false;
+ }
+ #endif /* ! __i386__ && ! __x86_64__ */
+diff --git a/src/fundamental/confidential-virt-fundamental.h b/src/fundamental/confidential-virt-fundamental.h
+index 986923e1c2..618b5800ea 100644
+--- a/src/fundamental/confidential-virt-fundamental.h
++++ b/src/fundamental/confidential-virt-fundamental.h
+@@ -65,6 +65,7 @@
+ 
+ #define CPUID_HYPERV_ISOLATION_TYPE_MASK UINT32_C(0xf)
+ #define CPUID_HYPERV_ISOLATION_TYPE_SNP 2
++#define CPUID_HYPERV_ISOLATION_TYPE_TDX 3
+ 
+ #define EAX_SEV     (UINT32_C(1) << 1)
+ #define MSR_SEV     (UINT64_C(1) << 0)
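Review bot: The new `CPUID_HYPERV_ISOLATION_TYPE_TDX 3` is placed next to `_SNP 2` with no reference for where the encoding comes from, so a later reader cannot tell whether 3 is TDX by specification or by observation on Azure. A short comment above the two defines would settle that, e.g. `/* Isolation types reported by the Hyper-V isolation-config CPUID leaf (TLFS partition isolation type enumeration; 2 = SNP, 3 = TDX) — confirm against the current TLFS revision */`, hedged until someone checks the spec text.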
diff --git a/SOURCES/0094-confidential-virt-split-caching-of-CVM-detection-int.patch b/SOURCES/0094-confidential-virt-split-caching-of-CVM-detection-int.patch
new file mode 100644
index 0000000..7dafb36
--- /dev/null
+++ b/SOURCES/0094-confidential-virt-split-caching-of-CVM-detection-int.patch
@@ -0,0 +1,76 @@
+From d697ad145aa564aff3ac5cb9b6a63667ce2b391c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Fri, 2 Aug 2024 16:26:00 +0100
+Subject: [PATCH] confidential-virt: split caching of CVM detection into
+ separate method
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We have different impls of detect_confidential_virtualization per
+architecture. The detection is cached in the x86_64 impl, and as we
+add support for more targets, we want to use caching for all. It thus
+makes sense to split caching out into an architecture independent
+method.
+
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit 1c4bd7adcc281af2a2dd40867f64f2ac54a43c7a)
+
+Related: RHEL-56144
+---
+ src/basic/confidential-virt.c | 25 ++++++++++++++-----------
+ 1 file changed, 14 insertions(+), 11 deletions(-)
+
+diff --git a/src/basic/confidential-virt.c b/src/basic/confidential-virt.c
+index 8a88a3eb83..0e05ecffbf 100644
+--- a/src/basic/confidential-virt.c
++++ b/src/basic/confidential-virt.c
+@@ -194,34 +194,37 @@ static bool detect_hypervisor(void) {
+         return is_hv;
+ }
+ 
+-ConfidentialVirtualization detect_confidential_virtualization(void) {
+-        static thread_local ConfidentialVirtualization cached_found = _CONFIDENTIAL_VIRTUALIZATION_INVALID;
++static ConfidentialVirtualization detect_confidential_virtualization_impl(void) {
+         char sig[13] = {};
+-        ConfidentialVirtualization cv = CONFIDENTIAL_VIRTUALIZATION_NONE;
+-
+-        if (cached_found >= 0)
+-                return cached_found;
+ 
+         /* Skip everything on bare metal */
+         if (detect_hypervisor()) {
+                 cpuid_leaf(0, sig, true);
+ 
+                 if (memcmp(sig, CPUID_SIG_AMD, sizeof(sig)) == 0)
+-                        cv = detect_sev();
++                        return detect_sev();
+                 else if (memcmp(sig, CPUID_SIG_INTEL, sizeof(sig)) == 0)
+-                        cv = detect_tdx();
++                        return detect_tdx();
+         }
+ 
+-        cached_found = cv;
+-        return cv;
++        return CONFIDENTIAL_VIRTUALIZATION_NONE;
+ }
+ #else /* ! x86_64 */
+-ConfidentialVirtualization detect_confidential_virtualization(void) {
++static ConfidentialVirtualization detect_confidential_virtualization_impl(void) {
+         log_debug("No confidential virtualization detection on this architecture");
+         return CONFIDENTIAL_VIRTUALIZATION_NONE;
+ }
+ #endif /* ! x86_64 */
+ 
++ConfidentialVirtualization detect_confidential_virtualization(void) {
++        static thread_local ConfidentialVirtualization cached_found = _CONFIDENTIAL_VIRTUALIZATION_INVALID;
++
++        if (cached_found == _CONFIDENTIAL_VIRTUALIZATION_INVALID)
++                cached_found = detect_confidential_virtualization_impl();
++
++        return cached_found;
++}
++
+ static const char *const confidential_virtualization_table[_CONFIDENTIAL_VIRTUALIZATION_MAX] = {
+         [CONFIDENTIAL_VIRTUALIZATION_NONE]    = "none",
+         [CONFIDENTIAL_VIRTUALIZATION_SEV]     = "sev",
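Review bot: The new public wrapper detect_confidential_virtualization() carries no comment explaining that the result is cached per thread and that `_CONFIDENTIAL_VIRTUALIZATION_INVALID` is the not-yet-probed sentinel, which is now the only thing distinguishing it from the per-architecture `_impl` above it. Suggested header comment: `/* Returns the detected CVM technology, probing once per thread (thread_local cache) via the architecture-specific detect_confidential_virtualization_impl(); _CONFIDENTIAL_VIRTUALIZATION_INVALID marks "not probed yet". */`. The sentinel test also changed from `>= 0` to an exact `== _CONFIDENTIAL_VIRTUALIZATION_INVALID`; that is equivalent as long as every `_impl` returns only non-negative enum values, which the two implementations visible here do.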
diff --git a/SOURCES/0095-confidential-virt-add-detection-for-s390x-target.patch b/SOURCES/0095-confidential-virt-add-detection-for-s390x-target.patch
new file mode 100644
index 0000000..bd6a577
--- /dev/null
+++ b/SOURCES/0095-confidential-virt-add-detection-for-s390x-target.patch
@@ -0,0 +1,90 @@
+From a9da2854f199bb3729b29ea4175858067313659e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Fri, 2 Aug 2024 11:03:10 +0100
+Subject: [PATCH] confidential-virt: add detection for s390x target
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The s390x platform provides confidential VMs using the "Secure Execution"
+technology, which is also referred to as "Protected Virtualization" or
+just "prot virt" in Linux / QEMU.
+
+This can be detected through a simple sysfs attribute.
+
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit 6c35e0a51cc6a852ce239ea46cd75c133212a68e)
+
+Resolves: RHEL-56144
+---
+ src/basic/confidential-virt.c | 30 +++++++++++++++++++++++++-----
+ src/basic/confidential-virt.h |  1 +
+ 2 files changed, 26 insertions(+), 5 deletions(-)
+
+diff --git a/src/basic/confidential-virt.c b/src/basic/confidential-virt.c
+index 0e05ecffbf..c246636c7c 100644
+--- a/src/basic/confidential-virt.c
++++ b/src/basic/confidential-virt.c
+@@ -11,6 +11,7 @@
+ #include "confidential-virt-fundamental.h"
+ #include "confidential-virt.h"
+ #include "fd-util.h"
++#include "fileio.h"
+ #include "missing_threads.h"
+ #include "string-table.h"
+ #include "utf8.h"
+@@ -209,6 +210,24 @@ static ConfidentialVirtualization detect_confidential_virtualization_impl(void)
+ 
+         return CONFIDENTIAL_VIRTUALIZATION_NONE;
+ }
++#elif defined(__s390x__)
++static ConfidentialVirtualization detect_confidential_virtualization_impl(void) {
++        _cleanup_free_ char *s = NULL;
++        size_t readsize;
++        int r;
++
++        r = read_full_virtual_file("/sys/firmware/uv/prot_virt_guest", &s, &readsize);
++        if (r < 0) {
++                log_debug_errno(r, "Unable to read /sys/firmware/uv/prot_virt_guest: %m");
++                return CONFIDENTIAL_VIRTUALIZATION_NONE;
++        }
++
++        if (readsize >= 1 && s[0] == '1')
++                return CONFIDENTIAL_VIRTUALIZATION_PROTVIRT;
++
++        return CONFIDENTIAL_VIRTUALIZATION_NONE;
++}
++
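Review bot: The `#else /* ! x86_64 */` label that now follows the new `#elif defined(__s390x__)` branch is inaccurate, since that fallback is also what every other non-x86_64 architecture takes; change it to `#else /* ! x86_64 && ! s390x */`. The value test `readsize >= 1 && s[0] == '1'` is a prefix match that would also accept `10` or `1x`; the kernel attribute is presumably only ever `0` or `1` (verify), so this is likely fine, but comparing the stripped string exactly against `"1"` would make the intent explicit. As with the x86 CPUID probes, `/sys/firmware/uv/prot_virt_guest` is what the guest kernel reports, not an attestation result; a one-line comment to that effect above the read keeps `--cvm` consumers from over-trusting it.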
+ #else /* ! x86_64 */
+ static ConfidentialVirtualization detect_confidential_virtualization_impl(void) {
+         log_debug("No confidential virtualization detection on this architecture");
+@@ -226,11 +245,12 @@ ConfidentialVirtualization detect_confidential_virtualization(void) {
+ }
+ 
+ static const char *const confidential_virtualization_table[_CONFIDENTIAL_VIRTUALIZATION_MAX] = {
+-        [CONFIDENTIAL_VIRTUALIZATION_NONE]    = "none",
+-        [CONFIDENTIAL_VIRTUALIZATION_SEV]     = "sev",
+-        [CONFIDENTIAL_VIRTUALIZATION_SEV_ES]  = "sev-es",
+-        [CONFIDENTIAL_VIRTUALIZATION_SEV_SNP] = "sev-snp",
+-        [CONFIDENTIAL_VIRTUALIZATION_TDX]     = "tdx",
++        [CONFIDENTIAL_VIRTUALIZATION_NONE]     = "none",
++        [CONFIDENTIAL_VIRTUALIZATION_SEV]      = "sev",
++        [CONFIDENTIAL_VIRTUALIZATION_SEV_ES]   = "sev-es",
++        [CONFIDENTIAL_VIRTUALIZATION_SEV_SNP]  = "sev-snp",
++        [CONFIDENTIAL_VIRTUALIZATION_TDX]      = "tdx",
++        [CONFIDENTIAL_VIRTUALIZATION_PROTVIRT] = "protvirt",
+ };
+ 
+ DEFINE_STRING_TABLE_LOOKUP(confidential_virtualization, ConfidentialVirtualization);
+diff --git a/src/basic/confidential-virt.h b/src/basic/confidential-virt.h
+index c02f3b2321..f92e3e883d 100644
+--- a/src/basic/confidential-virt.h
++++ b/src/basic/confidential-virt.h
+@@ -13,6 +13,7 @@ typedef enum ConfidentialVirtualization {
+         CONFIDENTIAL_VIRTUALIZATION_SEV_ES,
+         CONFIDENTIAL_VIRTUALIZATION_SEV_SNP,
+         CONFIDENTIAL_VIRTUALIZATION_TDX,
++        CONFIDENTIAL_VIRTUALIZATION_PROTVIRT,
+ 
+         _CONFIDENTIAL_VIRTUALIZATION_MAX,
+         _CONFIDENTIAL_VIRTUALIZATION_INVALID = -EINVAL,
diff --git a/SOURCES/0096-man-systemd-detect-virt-fix-row-spanning-for-VM-head.patch b/SOURCES/0096-man-systemd-detect-virt-fix-row-spanning-for-VM-head.patch
new file mode 100644
index 0000000..06fdc49
--- /dev/null
+++ b/SOURCES/0096-man-systemd-detect-virt-fix-row-spanning-for-VM-head.patch
@@ -0,0 +1,37 @@
+From 776706c0b675a52ea83d1790e3598253592dd6a6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Fri, 2 Aug 2024 13:07:13 +0100
+Subject: [PATCH] man/systemd-detect-virt: fix row spanning for VM header
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This fixes
+
+  commit 9b0688f491674b53ef7a52bdf561a430c53673d6
+  Author: Yu Watanabe <watanabe.yu+github@gmail.com>
+  Date:   Tue Jan 9 10:52:49 2024 +0900
+
+    virt: add Google Compute Engine support
+
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit 9ffdfc67c6aedcb66c2b18c2c61bc32e585e6d6e)
+
+Related: RHEL-56144
+---
+ man/systemd-detect-virt.xml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/man/systemd-detect-virt.xml b/man/systemd-detect-virt.xml
+index 2239294145..6b49e3a519 100644
+--- a/man/systemd-detect-virt.xml
++++ b/man/systemd-detect-virt.xml
+@@ -62,7 +62,7 @@
+         </thead>
+         <tbody>
+           <row>
+-            <entry valign="top" morerows="16">VM</entry>
++            <entry valign="top" morerows="17">VM</entry>
+             <entry><varname>qemu</varname></entry>
+             <entry>QEMU software virtualization, without KVM</entry>
+           </row>
diff --git a/SOURCES/0097-man-systemd-detect-virt-list-known-CVM-technologies.patch b/SOURCES/0097-man-systemd-detect-virt-list-known-CVM-technologies.patch
new file mode 100644
index 0000000..092c06e
--- /dev/null
+++ b/SOURCES/0097-man-systemd-detect-virt-list-known-CVM-technologies.patch
@@ -0,0 +1,74 @@
+From 390217689905f0e12f080ddf8bd4fdefefcd38df Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Fri, 2 Aug 2024 13:17:56 +0100
+Subject: [PATCH] man/systemd-detect-virt: list known CVM technologies
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Add a section which lists the known confidential virtual machine
+technologies.
+
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit a8fb5d21fd6127a6d05757c793cc9ba47f65c893)
+
+Related: RHEL-56144
+---
+ man/systemd-detect-virt.xml | 44 +++++++++++++++++++++++++++++++++++++
+ 1 file changed, 44 insertions(+)
+
+diff --git a/man/systemd-detect-virt.xml b/man/systemd-detect-virt.xml
+index 6b49e3a519..a4fcdfbc9d 100644
+--- a/man/systemd-detect-virt.xml
++++ b/man/systemd-detect-virt.xml
+@@ -217,6 +217,50 @@
+     WSL is categorized as a container for practical purposes.
+     Multiple WSL environments share the same kernel and services
+     should generally behave like when being run in a container.</para>
++
++    <para>When executed with <option>--cvm</option>, instead of
++    printing the virtualization technology, it will display the
++    confidential virtual machine technology, if any. The
++    following technologies are currently identified:</para>
++
++    <table>
++      <title>Known confidential virtualization technologies</title>
++      <tgroup cols='2' align='left' colsep='1' rowsep='1'>
++        <colspec colname="id" />
++        <colspec colname="product" />
++        <thead>
++          <row>
++            <entry>Arch</entry>
++            <entry>ID</entry>
++            <entry>Technology</entry>
++          </row>
++        </thead>
++        <tbody>
++          <row>
++            <entry valign="top" morerows="3">x86_64</entry>
++            <entry><varname>sev</varname></entry>
++            <entry>AMD Secure Encrypted Virtualization</entry>
++          </row>
++          <row>
++            <entry><varname>sev-es</varname></entry>
++            <entry>AMD Secure Encrypted Virtualization - Encrypted State</entry>
++          </row>
++          <row>
++            <entry><varname>sev-snp</varname></entry>
++            <entry>AMD Secure Encrypted Virtualization - Secure Nested Paging</entry>
++          </row>
++          <row>
++            <entry><varname>tdx</varname></entry>
++            <entry>Intel Trust Domain Extensions</entry>
++          </row>
++          <row>
++            <entry>s390x</entry>
++            <entry><varname>protvirt</varname></entry>
++            <entry>IBM Protected Virtualization (Secure Execution)</entry>
++          </row>
++        </tbody>
++      </tgroup>
++    </table>
+   </refsect1>
+ 
+   <refsect1>
diff --git a/SPECS/systemd.spec b/SPECS/systemd.spec
index 7619540..af1c0e1 100644
--- a/SPECS/systemd.spec
+++ b/SPECS/systemd.spec
@@ -48,7 +48,7 @@ Url:            https://systemd.io
 # Allow users to specify the version and release when building the rpm by 
 # setting the %%version_override and %%release_override macros.
 Version:        %{?version_override}%{!?version_override:256}
-Release:        14%{?dist}
+Release:        15%{?dist}
 
 %global stable %(c="%version"; [ "$c" = "${c#*.*}" ]; echo $?)
 
@@ -196,6 +196,13 @@ Patch0087: 0087-net-naming-scheme-disable-NAMING_FIRMWARE_NODE_SUN.patch
 Patch0088: 0088-net-naming-scheme-remove-NAMING_FIRMWARE_NODE_SUN-fr.patch
 Patch0089: 0089-Revert-cgroup-util-Don-t-try-to-open-pidfd-for-kerne.patch
 Patch0090: 0090-ukify-Skip-test-on-architectures-without-UEFI.patch
+Patch0091: 0091-ci-rename-beta-branch-to-match-dist-git-name.patch
+Patch0092: 0092-udev-Handle-PTP-device-symlink-properly-on-udev-acti.patch
+Patch0093: 0093-Fix-detection-of-TDX-confidential-VM-on-Azure-platfo.patch
+Patch0094: 0094-confidential-virt-split-caching-of-CVM-detection-int.patch
+Patch0095: 0095-confidential-virt-add-detection-for-s390x-target.patch
+Patch0096: 0096-man-systemd-detect-virt-fix-row-spanning-for-VM-head.patch
+Patch0097: 0097-man-systemd-detect-virt-list-known-CVM-technologies.patch
 
 # Downstream-only patches (9000–9999)
 
@@ -582,7 +589,7 @@ License:        LGPL-2.1-or-later
 %description container
 Systemd tools to spawn and manage containers and virtual machines.
 
-This package contains systemd-nspawn, systemd-vmspawn, machinectl,
+This package contains systemd-nspawn, machinectl,
 systemd-machined, and systemd-importd.
 
 %package journal-remote
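Review bot: Dropping `systemd-vmspawn` from the %description of the container subpackage is not explained anywhere in this import and is not mentioned in the new %changelog entry, which lists only the seven backported patches. If systemd-vmspawn is intentionally not shipped in this build, the changelog should say so (e.g. `- spec: drop systemd-vmspawn from the container subpackage description`); if it is still packaged, the edit looks accidental and should be reverted. Nothing in the diff shows the %files section, so which case applies cannot be determined from here.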
@@ -1125,6 +1132,15 @@ rm -f .file-list-*
 rm -f %{name}.lang
 
 %changelog
+* Tue Oct 15 2024 systemd maintenance team <systemd-maint@redhat.com> - 256-15
+- ci: rename beta branch to match dist-git name (RHEL-57603)
+- udev: Handle PTP device symlink properly on udev action 'change' (RHEL-59871)
+- Fix detection of TDX confidential VM on Azure platform (RHEL-56144)
+- confidential-virt: split caching of CVM detection into separate method (RHEL-56144)
+- confidential-virt: add detection for s390x target (RHEL-56144)
+- man/systemd-detect-virt: fix row spanning for VM header (RHEL-56144)
+- man/systemd-detect-virt: list known CVM technologies (RHEL-56144)
+
 * Fri Aug 30 2024 systemd maintenance team <systemd-maint@redhat.com> - 256-14
 - Revert "cgroup-util: Don't try to open pidfd for kernel threads" (RHEL-52634)
 - ukify: Skip test on architectures without UEFI (RHEL-52634)
-- 
GitLab