.\" -*- mode: troff; coding: utf-8 -*- .\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \" Begin verbatim text .ft CW .nf .ne \\$1 .. .de Ve \" End verbatim text .ft R .fi .. .\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>. .ie n \{\ . ds C` "" . ds C' "" 'br\} .el\{\ . ds C` . ds C' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" .\" If the F register is >0, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .\" .\" Avoid warning from groff about undefined register 'F'. .de IX .. .nr rF 0 .if \n(.g .if rF .nr rF 1 .if (\n(rF:(\n(.g==0)) \{\ . if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} . \} .\} .rr rF .\" ======================================================================== .\" .IX Title "VIRT-WHAT-CVM 1" .TH VIRT-WHAT-CVM 1 2024-09-28 virt-what-1.27 "Virtualization Support" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH NAME virt\-what\-cvm \- detect if we are running in a confidential virtual machine .SH SUMMARY .IX Header "SUMMARY" virt-what-cvm [options] .SH DESCRIPTION .IX Header "DESCRIPTION" \&\f(CW\*(C`virt\-what\-cvm\*(C'\fR is a tool which can be used to detect if the program is running in a confidential virtual machine. .PP The program prints out a list of "facts" about the confidential virtual machine, derived from heuristics. One fact is printed per line. .PP If nothing is printed and the script exits with code 0 (no error), then it can mean \fIeither\fR that the program is running on bare-metal \&\fIor\fR the program is running inside a non-confidential virtual machine, \&\fIor\fR inside a type of confidential virtual machine which we don't know about or cannot detect. .SH FACTS .IX Header "FACTS" .IP \fBamd-sev\fR 4 .IX Item "amd-sev" This is a confidential guest running with AMD SEV technology .Sp Status: tested on Fedora 37 QEMU+KVM .IP \fBamd-sev-es\fR 4 .IX Item "amd-sev-es" This is a confidential guest running with AMD SEV-ES technology .Sp Status: tested on Fedora 37 QEMU+KVM .IP \fBamd-sev-snp\fR 4 .IX Item "amd-sev-snp" This is a confidential guest running with AMD SEV-SNP technology .Sp Status: tested on Microsoft Azure SEV-SNP CVM .Sp Status: tested on Fedora 38 QEMU+KVM SEV-SNP (devel snapshot) .IP \fBintel-tdx\fR 4 .IX Item "intel-tdx" This is a confidential guest running with Intel TDX technology .Sp Status: tested on Microsoft Azure TDX CVM .IP \fBhyperv-hcl\fR 4 .IX Item "hyperv-hcl" This is a confidential guest running unenlightened under the HyperV (Azure) HCL (Host Compatibility Layer). This will be paired with \fBamd-sev-snp\fR. .Sp Status: tested on Microsoft Azure SEV-SNP & TDX CVM .IP \fBs390\-protvirt\fR 4 .IX Item "s390-protvirt" This is a confidential guest running on s390x with the Protected Virtualization (Secure Execution) technology .SH "EXIT STATUS" .IX Header "EXIT STATUS" Programs that use or wrap \f(CW\*(C`virt\-what\-cvm\*(C'\fR should check that the exit status is 0 before they attempt to parse the output of the command. .PP A non-zero exit status indicates some error, for example, an unrecognized command line argument. If the exit status is non-zero then the output "facts" (if any were printed) cannot be guaranteed and should be ignored. .PP The exit status does \fInot\fR have anything to do with whether the program is running on baremetal or under confidential virtualization, nor with whether \f(CW\*(C`virt\-what\-cvm\*(C'\fR managed detection "correctly" (which is basically unknowable given the large variety of virtualization systems out there) .SH "RUNNING VIRT-WHAT-CVM FROM OTHER PROGRAMS" .IX Header "RUNNING VIRT-WHAT-CVM FROM OTHER PROGRAMS" \&\f(CW\*(C`virt\-what\-cvm\*(C'\fR is designed so that you can easily run it from other programs or wrap it up in a library. .PP Your program should check the exit status (see the section above). .SH "IMPORTANT NOTE" .IX Header "IMPORTANT NOTE" This program detects whether it is likely to be running within a known confidential VM, but does \fINOT\fR prove that the environment is trustworthy. To attain trust in the environment requires an attestation report for the virtual machine, which is then verified by an already trusted 3rd party. .PP The hardware features that this program relies on to establish facts about the confidential virtualization environment, are those features whose behaviour will be proved by verification of an attestation report. .PP This program \fIMAY\fR have false positives. ie it may report that it is a confidential VM when it is in fact a non-confidential VM faking it. .PP This program \fISHOULD NOT\fR have false negatives. ie it should not fail to report existance of a confidential VM. Caveat that this only applies to environments which have been explicitly tested. .PP If this program does print a fact, this can be used for enabling or disabling use of certain features, according to whether they are appropriate for a confidential environment. None the less, the VM \&\fIMUST NOT\fR be trusted until an attestation report is verified. .PP As a protection against false negatives from this tool, environments requiring high assurance should take one or more of these measures: .PP .Vb 7 \& * The facts reported by this program I should be measured \& into one of the TPM PCRs \& * The attestation report I cover the facts reported by \& this program \& * The attestation report I should cover the enablement \& status of any features affected by decisions involving facts \& reported by this tool .Ve .SH "SEE ALSO" .IX Header "SEE ALSO" , , .SH AUTHORS .IX Header "AUTHORS" Daniel P. Berrangé .SH COPYRIGHT .IX Header "COPYRIGHT" (C) Copyright 2023 Red Hat Inc., .PP This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. .PP This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. .PP You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. .SH "REPORTING BUGS" .IX Header "REPORTING BUGS" Bugs can be viewed on the Red Hat Bugzilla page: . .PP If you find a bug in virt-what-cvm, please follow these steps to report it: .IP "1. Check for existing bug reports" 4 .IX Item "1. Check for existing bug reports" Go to and search for similar bugs. Someone may already have reported the same bug, and they may even have fixed it. .IP "2. Capture debug and error messages" 4 .IX Item "2. Capture debug and error messages" Run .Sp .Vb 1 \& virt\-what\-cvm \-d > virt\-what\-cvm.log 2>&1 .Ve .Sp and keep \fIvirt\-what\-cvm.log\fR. It may contain error messages which you should submit with your bug report. .IP "3. Get version of virt-what-cvm." 4 .IX Item "3. Get version of virt-what-cvm." Run .Sp .Vb 1 \& virt\-what\-cvm \-\-version .Ve .IP "4. Submit a bug report." 4 .IX Item "4. Submit a bug report." Go to and enter a new bug. Please describe the problem in as much detail as possible. .Sp Remember to include the version numbers (step 3) and the debug messages file (step 2) and as much other detail as possible. .IP "5. Assign the bug to rjones @ redhat.com" 4 .IX Item "5. Assign the bug to rjones @ redhat.com" Assign or reassign the bug to \fBrjones @ redhat.com\fR (without the spaces). You can also send me an email with the bug number if you want a faster response.