diff --git a/man/udev.xml b/man/udev.xml
index 332c7ac096..5533c68a0d 100644
--- a/man/udev.xml
+++ b/man/udev.xml
@@ -279,6 +279,14 @@
                     for possible values.</para>
                   </listitem>
                 </varlistentry>
+                <varlistentry>
+                  <term><literal>cvm</literal></term>
+                  <listitem>
+                    <para>System's confidential virtualization technology. See
+                    <citerefentry><refentrytitle>systemd-detect-virt</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+                    for possible values.</para>
+                  </listitem>
+                </varlistentry>
               </variablelist>
               <para>Unknown keys will never match.</para>
             </listitem>
diff --git a/src/udev/udev-rules.c b/src/udev/udev-rules.c
index 6c1ac488e9..265d328cd3 100644
--- a/src/udev/udev-rules.c
+++ b/src/udev/udev-rules.c
@@ -6,6 +6,7 @@
 #include "architecture.h"
 #include "conf-files.h"
 #include "conf-parser.h"
+#include "confidential-virt.h"
 #include "constants.h"
 #include "device-private.h"
 #include "device-util.h"
@@ -1920,6 +1921,8 @@ static int udev_rule_apply_token_to_event(
                         val = architecture_to_string(uname_architecture());
                 else if (streq(k, "virt"))
                         val = virtualization_to_string(detect_virtualization());
+                else if (streq(k, "cvm"))
+                        val = confidential_virtualization_to_string(detect_confidential_virtualization());
                 else
                         assert_not_reached();
                 return token_match_string(token, val);