underhill_confidentiality/
getters.rs

1// Copyright (c) Microsoft Corporation.
2// Licensed under the MIT License.
3
4use std::sync::OnceLock;
5
6static CONFIDENTIAL: OnceLock<bool> = OnceLock::new();
7static CONFIDENTIAL_DEBUG: OnceLock<bool> = OnceLock::new();
8
9fn get_bool_env_var(name: &str) -> bool {
10    std::env::var_os(name).is_some_and(|v| !v.is_empty() && v != "0")
11}
12
13/// Gets whether the current VM is a confidential VM.
14///
15/// Generally, accessing this information through the HCL ioctl is preferred.
16pub fn is_confidential_vm() -> bool {
17    *CONFIDENTIAL.get_or_init(|| {
18        get_bool_env_var(crate::OPENHCL_CONFIDENTIAL_ENV_VAR_NAME)
19            || get_bool_env_var(crate::LEGACY_CONFIDENTIAL_ENV_VAR_NAME)
20    })
21}
22
23/// Gets whether confidential debugging is enabled. This is an IGVM-level setting,
24/// intended to allow for disabling diagnostic restrictions on CVMs.
25pub fn confidential_debug_enabled() -> bool {
26    *CONFIDENTIAL_DEBUG.get_or_init(|| {
27        get_bool_env_var(crate::OPENHCL_CONFIDENTIAL_DEBUG_ENV_VAR_NAME)
28            || get_bool_env_var(crate::LEGACY_CONFIDENTIAL_DEBUG_ENV_VAR_NAME)
29    })
30}
31
32/// Gets whether confidential filtering is enabled. This is the source of truth for
33/// whether diagnostic sources should filter their output to enforce confidentiality.
34pub fn confidential_filtering_enabled() -> bool {
35    is_confidential_vm() && !confidential_debug_enabled()
36}
underhill_confidentiality/getters.rs

underhill_confidentiality/
getters.rs
