From 01bdacb4e4f94fd1c1d6aeebf3091b548d705c22 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Fri, 13 Jan 2023 13:31:04 +0100
Subject: [PATCH] virtcontainers: Also check /sys/firmwares/tdx for TDX
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Let's make sure we also check /sys/firmwares/tdx for TDX guest protection, as the location may depend on whether TDX Seam is being used or not.

Signed-off-by: Fabiano FidĂȘncio
---
 .../virtcontainers/hypervisor_linux_amd64.go | 25 ++++++++++++++++---
 1 file changed, 22 insertions(+), 3 deletions(-)

diff --git a/src/runtime/virtcontainers/hypervisor_linux_amd64.go b/src/runtime/virtcontainers/hypervisor_linux_amd64.go
index 8cfc9aca9..304d0446a 100644
--- a/src/runtime/virtcontainers/hypervisor_linux_amd64.go
+++ b/src/runtime/virtcontainers/hypervisor_linux_amd64.go
@@ -8,7 +8,9 @@ package virtcontainers
 import "os"
 
 const (
- tdxSysFirmwareDir = "/sys/firmware/tdx_seam/"
+ tdxSeamSysFirmwareDir = "/sys/firmware/tdx_seam/"
+
+ tdxSysFirmwareDir = "/sys/firmware/tdx/"
 
 tdxCPUFlag = "tdx"
 
@@ -17,6 +19,23 @@ const (
 snpKvmParameterPath = "/sys/module/kvm_amd/parameters/sev_snp"
 )
 
+// TDX is supported and properly loaded when the firmware directory (either tdx or tdx_seam) exists or `tdx` is part of the CPU flag
+func checkTdxGuestProtection(flags map[string]bool) bool {
+ if flags[tdxCPUFlag] {
+ return true
+ }
+
+ if d, err := os.Stat(tdxSysFirmwareDir); err == nil && d.IsDir() {
+ return true
+ }
+
+ if d, err := os.Stat(tdxSeamSysFirmwareDir); err == nil && d.IsDir() {
+ return true
+ }
+
+ return false
+}
+
 // Implementation of this function is architecture specific
 func availableGuestProtection() (guestProtection, error) {
 flags, err := CPUFlags(procCPUInfo)
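Review bot: Renaming the existing constant tdxSysFirmwareDir to tdxSeamSysFirmwareDir and then reusing the old name for the new /sys/firmware/tdx/ value means any other reference to tdxSysFirmwareDir in the package silently changes meaning with no compile error; I cannot see other users from this patch, so this is worth a grep before merging. If there are none, a short comment on the pair, such as `// the sysfs location depends on whether TDX Seam is in use`, would explain why two directories are declared. The commit subject and body spell the path as /sys/firmwares/tdx while the constant added here is /sys/firmware/tdx/.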
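Review bot: The two os.Stat checks in checkTdxGuestProtection are identical apart from the directory constant, and the doc comment above the function does not follow the Go convention of starting with the function name; a loop over both directories under a `// checkTdxGuestProtection reports whether …` comment reads better and keeps the two locations in one place. A Stat error other than "not exist" (for example a permission error under /sys) is silently treated as "no TDX", which presumably lets availableGuestProtection fall through to the SEV-SNP check; a comment stating that any Stat error is deliberately read as "directory absent" would make that choice visible to the next reader. The definition of availableGuestProtection continues past the end of the hunk.
```go
// checkTdxGuestProtection reports whether the host exposes TDX guest
// protection: the `tdx` CPU flag is set, or one of the TDX firmware sysfs
// directories exists. Any os.Stat error is treated as "directory absent".
func checkTdxGuestProtection(flags map[string]bool) bool {
	if flags[tdxCPUFlag] {
		return true
	}

	for _, dir := range []string{tdxSysFirmwareDir, tdxSeamSysFirmwareDir} {
		if d, err := os.Stat(dir); err == nil && d.IsDir() {
			return true
		}
	}

	return false
}
```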
@@ -24,10 +43,10 @@ func availableGuestProtection() (guestProtection, error) {
 return noneProtection, err
 }
 
- // TDX is supported and properly loaded when the firmware directory exists or `tdx` is part of the CPU flags
- if d, err := os.Stat(tdxSysFirmwareDir); (err == nil && d.IsDir()) || flags[tdxCPUFlag] {
+ if checkTdxGuestProtection(flags) {
 return tdxProtection, nil
 }
+
 // SEV-SNP is supported and enabled when the kvm module `sev_snp` parameter is set to `Y`
 // SEV-SNP support infers SEV (-ES) support
 if _, err := os.Stat(snpKvmParameterPath); err == nil {
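Review bot: The TDX branch in availableGuestProtection loses its explanatory comment while the SEV-SNP branch directly below keeps two, so the new `if checkTdxGuestProtection(flags) {` line is the only undocumented decision in the function. A one-line comment on the call, `// TDX is checked first; the firmware-directory and CPU-flag conditions live in checkTdxGuestProtection`, keeps the two branches consistent and points the reader at where the logic moved. availableGuestProtection begins before this hunk and its remaining branches run past its end.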