RHEL-50651

Showing the CVM user that the virtual machine is actually confidential

    • Story
    • Resolution: Done-Errata
    • Normal
    • rhel-9.5
    • rhel-9.5
    • systemd
    • systemd-252-44.el9
    • rhel-sst-cs-plumbers
    • ssg_core_services

      An interesting point that was brought up to me was "how does the user realize that the VM where he logged in is actually a CVM, and not a normal virtual machine?".

      The idea is that ideally a user would like to have a tool that (when trusted) simply outputs a boolean saying "yes, we are in a CVM", without having to dig down into logs, MSRs and low level features. This is the same concept as SecureBoot: in `bootctl` there simply is a flag that displays if SB is enabled or not.

      The best candidate that actually does this is `systemd-detect-virt --cvm`, which is actually not present in RHEL 9.x but will surely be in RHEL 10. The tool actually just analyzes if TDX/SEV-SNP CPU features are enabled, which is the hardware required for a CVM. Is that enough for a CVM? Probably yes, also because checking if attestation is performed is practically impossible because there is an infinite amount of tools that can do it in different ways.

      Is it worth backporting this feature also in RHEL 9.x?

      Goal

      • Have `systemd-detect-virt --cvm` show if the user is in a CVM or not.

      Acceptance Criteria

      • `systemd-detect-virt --cvm` available on RHEL
      • Boot a CVM, `systemd-detect-virt --cvm` says that we are in a CVM
      • Boot a VM, `systemd-detect-virt --cvm` says that we are not in a CVM

              dtardon@redhat.com David Tardon
              eesposit@redhat.com Emanuele Giuseppe Esposito
              David Tardon
              Frantisek Sumsal
              Votes: 0
              Watchers: 10
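Added example, not code from this issue, from systemd or from RHEL: a small C probe that classifies the guest as none / sev / sev-es / sev-snp / tdx from the hardware signals the description refers to (TDX and SEV/SEV-ES/SEV-SNP CPU features). It queries CPUID leaf 0x21 for the TDX signature and CPUID leaf 0x8000001F plus MSR_AMD64_SEV (0xC0010131, read through `/dev/cpu/0/msr`) for the AMD modes; the leaf, MSR and bit values are taken from the Intel TDX and AMD SEV documentation. The output names, the `fourcc`/`classify_*`/`probe_live` helpers and the exit-status convention (0 when confidential, 1 otherwise) are this example's own assumptions, not `systemd-detect-virt`'s interface. The classification lives in pure functions over raw register values so it can be exercised with constructed inputs; `main()` feeds it the live values on x86 Linux.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum cvm { CVM_NONE = 0, CVM_SEV, CVM_SEV_ES, CVM_SEV_SNP, CVM_TDX };

/* CPUID 0x8000001F EAX feature bits (AMD APM vol. 3). */
#define AMD_EAX_SEV        (1u << 1)
#define AMD_EAX_SEV_ES     (1u << 3)
#define AMD_EAX_SEV_SNP    (1u << 4)

/* MSR_AMD64_SEV: which memory-encryption mode is actually active in this guest. */
#define MSR_AMD64_SEV      0xc0010131u
#define SEV_STATUS_SEV     (1ull << 0)
#define SEV_STATUS_SEV_ES  (1ull << 1)
#define SEV_STATUS_SEV_SNP (1ull << 2)

/* TDX guests answer CPUID(0x21, 0) with "IntelTDX    " in EBX:EDX:ECX. */
#define TDX_CPUID_LEAF     0x21u
#define TDX_SIGNATURE      "IntelTDX    "

/* Pack four ASCII bytes the way a CPUID register holds them (little-endian). */
static uint32_t fourcc(const char *s)
{
    return (uint32_t)(unsigned char)s[0]
         | (uint32_t)(unsigned char)s[1] << 8
         | (uint32_t)(unsigned char)s[2] << 16
         | (uint32_t)(unsigned char)s[3] << 24;
}

static const char *cvm_name(enum cvm c)
{
    static const char *names[] = { "none", "sev", "sev-es", "sev-snp", "tdx" };
    return names[c];
}

/* max_basic is CPUID(0).EAX; ebx/edx/ecx are from CPUID(0x21, 0). */
static enum cvm classify_tdx(uint32_t max_basic, uint32_t ebx, uint32_t edx, uint32_t ecx)
{
    if (max_basic < TDX_CPUID_LEAF)              /* leaf 0x21 not implemented */
        return CVM_NONE;
    if (ebx == fourcc(TDX_SIGNATURE) && edx == fourcc(TDX_SIGNATURE + 4) &&
        ecx == fourcc(TDX_SIGNATURE + 8))
        return CVM_TDX;
    return CVM_NONE;
}

/* max_ext is CPUID(0x80000000).EAX, eax1f is CPUID(0x8000001F).EAX. CPUID only
 * advertises capability; the status MSR says what is enabled. When the MSR is
 * unreadable (no root, no msr module) fall back to the strongest CPUID bit. */
static enum cvm classify_amd(uint32_t max_ext, uint32_t eax1f, int have_status, uint64_t sev_status)
{
    if (max_ext < 0x8000001fu || !(eax1f & AMD_EAX_SEV))
        return CVM_NONE;
    if (have_status) {
        if (sev_status & SEV_STATUS_SEV_SNP) return CVM_SEV_SNP;
        if (sev_status & SEV_STATUS_SEV_ES)  return CVM_SEV_ES;
        if (sev_status & SEV_STATUS_SEV)     return CVM_SEV;
        return CVM_NONE;
    }
    if (eax1f & AMD_EAX_SEV_SNP) return CVM_SEV_SNP;
    if (eax1f & AMD_EAX_SEV_ES)  return CVM_SEV_ES;
    return CVM_SEV;
}

#if defined(__linux__) && (defined(__x86_64__) || defined(__i386__))
#include <cpuid.h>
#include <fcntl.h>
#include <unistd.h>

/* Live probe: CPUID via the compiler intrinsics, SEV status via the msr device. */
static enum cvm probe_live(void)
{
    unsigned int a = 0, b = 0, c = 0, d = 0, max_basic = 0, max_ext = 0;
    uint64_t status = 0;
    int have_status = 0, fd;

    __get_cpuid(0, &max_basic, &b, &c, &d);
    if (__get_cpuid_count(TDX_CPUID_LEAF, 0, &a, &b, &c, &d) &&
        classify_tdx(max_basic, b, d, c) == CVM_TDX)
        return CVM_TDX;

    __get_cpuid(0x80000000u, &max_ext, &b, &c, &d);
    if (!__get_cpuid_count(0x8000001fu, 0, &a, &b, &c, &d))
        return CVM_NONE;                         /* leaf absent: not an SEV guest */

    fd = open("/dev/cpu/0/msr", O_RDONLY);       /* offset into this device is the MSR number */
    if (fd >= 0) {
        if (pread(fd, &status, sizeof status, MSR_AMD64_SEV) == (ssize_t)sizeof status)
            have_status = 1;
        close(fd);
    }
    return classify_amd(max_ext, a, have_status, status);
}
#else
static enum cvm probe_live(void) { return CVM_NONE; }   /* other architectures: not handled here */
#endif

int main(void)
{
    enum cvm c = probe_live();
    printf("%s\n", cvm_name(c));
    return c == CVM_NONE ? 1 : 0;                /* 0 = confidential VM, 1 = not (or unknown) */
}
```

Everything this probe reads (CPUID leaves and the SEV status MSR) reaches the guest through the hypervisor, the TDX module or the PSP-validated CPUID page, so the answer is only as good as the trust placed in that path: a plain VM whose hypervisor forged these leaves would be reported as confidential. That is the "when trusted" qualifier in the description made concrete; binding the "yes" to the actual hardware requires an attestation report, which the issue explicitly leaves out of scope.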