diff --git a/man/systemd.generator.xml b/man/systemd.generator.xml
index 7b2501aa77..1455b8cdda 100644
--- a/man/systemd.generator.xml
+++ b/man/systemd.generator.xml
@@ -204,6 +204,17 @@
systemd-creds --system cat command.
+
+ $SYSTEMD_CONFIDENTIAL_VIRTUALIZATION
+
+ If the service manager is run in a confidential virtualized environment,
+ $SYSTEMD_CONFIDENTIAL_VIRTUALIZATION is set to a string that identifies
+ the confidential virtualization hardware technology. If no confidential virtualization is
+ detected this variable will not be set. This data is identical to what
+ systemd-detect-virt1
+ detects and reports, and uses the same vocabulary of confidential virtualization
+ technology identifiers.
+
diff --git a/src/core/manager.c b/src/core/manager.c
index cc4fc1679c..22ec6e79b1 100644
--- a/src/core/manager.c
+++ b/src/core/manager.c
@@ -32,6 +32,7 @@
#include "clean-ipc.h"
#include "clock-util.h"
#include "common-signal.h"
+#include "confidential-virt.h"
#include "constants.h"
#include "core-varlink.h"
#include "creds-util.h"
@@ -3887,6 +3888,7 @@ static int manager_run_environment_generators(Manager *m) {
static int build_generator_environment(Manager *m, char ***ret) {
_cleanup_strv_free_ char **nl = NULL;
Virtualization v;
+ ConfidentialVirtualization cv;
int r;
assert(m);
@@ -3935,6 +3937,15 @@ static int build_generator_environment(Manager *m, char ***ret) {
return r;
}
+ cv = detect_confidential_virtualization();
+ if (cv < 0)
+ log_debug_errno(cv, "Failed to detect confidential virtualization, ignoring: %m");
+ else if (cv > 0) {
+ r = strv_env_assign(&nl, "SYSTEMD_CONFIDENTIAL_VIRTUALIZATION", confidential_virtualization_to_string(cv));
+ if (r < 0)
+ return r;
+ }
+
r = strv_env_assign(&nl, "SYSTEMD_ARCHITECTURE", architecture_to_string(uname_architecture()));
if (r < 0)
return r;
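Review bot: The new block leaves `$SYSTEMD_CONFIDENTIAL_VIRTUALIZATION` unset in two different situations — detection returned 0 (presumably "none") and detection failed (`cv < 0`, only logged at debug level) — so a generator reading the variable cannot distinguish "no confidential VM" from "could not determine", while the man-page text in the first hunk describes only the first case. Since generators may gate security-relevant setup on this value, that ambiguity deserves to be stated at the point where it is introduced; I would add above the `cv = detect_confidential_virtualization();` line: `/* Left unset both when no confidential virtualization is detected and when detection fails; consumers must not read "unset" as proof of a non-confidential host. */`. It may also be worth mirroring this wording in the systemd.generator.xml paragraph, which currently promises the variable is absent only when nothing is detected. build_generator_environment() continues outside the hunk, and the handling of `v` it presumably parallels is not visible here.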