node-feature-discovery/source/cpu/security_s390x.go

//go:build s390x
// +build s390x

/*
Copyright 2022 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package cpu

import (
	"os"

	"sigs.k8s.io/node-feature-discovery/pkg/utils/hostpath"
)

func discoverSecurity() map[string]string {
	elems := make(map[string]string)

	if seEnabled() {
		elems["se.enabled"] = "true"
	}

	return elems
}

func seEnabled() bool {
	// This file is available in kernels >=5.12 + backports. Skip specifically
	// checking facilities and kernel command lines and just assume Secure
	// Execution to be unavailable or disabled if the file is not present.
	protVirtHost := hostpath.SysfsDir.Path("firmware/uv/prot_virt_host")
	if content, err := os.ReadFile(protVirtHost); err == nil {
		if string(content) == "1\n" {
			return true
		}
	}
	return false
}
cpu: Discover IBM Secure Execution Set `cpu.se-enabled` to `true` when IBM Secure Execution for Linux (IBM Z & LinuxONE) is available and has been enabled. Uses `/sys/firmware/uv/prot_virt_host`, which is available in kernels >=5.12 + backports. For simplicity, skip more complicated facility & kernel cmdline lookups. 2022-03-18 13:40:03 +00:00			`//go:build s390x`
			`// +build s390x`

			`/*`
			`Copyright 2022 The Kubernetes Authors.`

			`Licensed under the Apache License, Version 2.0 (the "License");`
			`you may not use this file except in compliance with the License.`
			`You may obtain a copy of the License at`

			`http://www.apache.org/licenses/LICENSE-2.0`

			`Unless required by applicable law or agreed to in writing, software`
			`distributed under the License is distributed on an "AS IS" BASIS,`
			`WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`See the License for the specific language governing permissions and`
			`limitations under the License.`
			`*/`

			`package cpu`

			`import (`
			`"os"`

pkg/utils: move hostpath helpers from source to utils Refactor the code, moving the hostpath helper functionality to new "pkg/utils/hostpath" package. This breaks odd-ish dependency "pkg/utils" -> "source". 2022-10-06 11:05:11 +00:00			`"sigs.k8s.io/node-feature-discovery/pkg/utils/hostpath"`
cpu: Discover IBM Secure Execution Set `cpu.se-enabled` to `true` when IBM Secure Execution for Linux (IBM Z & LinuxONE) is available and has been enabled. Uses `/sys/firmware/uv/prot_virt_host`, which is available in kernels >=5.12 + backports. For simplicity, skip more complicated facility & kernel cmdline lookups. 2022-03-18 13:40:03 +00:00			`)`

cpu: re-organize security features Move existing security/trusted-execution related features (i.e. SGX and SE) under the same "security" feature, deprecating the old features. The motivation for the change is to keep the source code and user interface more organized as we experience a constant inflow of similar security related features. This change will affect the user interface so it is less painful to do it early on. New feature labels will be: feature.node.kubernetes.io/cpu-security.se.enabled feature.node.kubernetes.io/cpu-security.sgx.enabled and correspondingly new "cpu.security" feature with "se.enabled" and "sgx.enabled" elements will be available for custom rules, for example: - name: "sample sgx rule" labels: sgx.sample.feature: "true" matchFeatures: - feature: cpu.security matchExpressions: "sgx.enabled": {op: IsTrue} At the same time deprecate old labels "cpu-sgx.enabled" and "cpu-se.enabled" feature labels and the corresponding features for custom rules. These will be removed in the future causing an effective change in NFDs user interface. 2022-06-28 08:44:21 +00:00			`func discoverSecurity() map[string]string {`
			`elems := make(map[string]string)`

			`if seEnabled() {`
			`elems["se.enabled"] = "true"`
			`}`

			`return elems`
			`}`

			`func seEnabled() bool {`
cpu: Discover IBM Secure Execution Set `cpu.se-enabled` to `true` when IBM Secure Execution for Linux (IBM Z & LinuxONE) is available and has been enabled. Uses `/sys/firmware/uv/prot_virt_host`, which is available in kernels >=5.12 + backports. For simplicity, skip more complicated facility & kernel cmdline lookups. 2022-03-18 13:40:03 +00:00			`// This file is available in kernels >=5.12 + backports. Skip specifically`
			`// checking facilities and kernel command lines and just assume Secure`
			`// Execution to be unavailable or disabled if the file is not present.`
pkg/utils: move hostpath helpers from source to utils Refactor the code, moving the hostpath helper functionality to new "pkg/utils/hostpath" package. This breaks odd-ish dependency "pkg/utils" -> "source". 2022-10-06 11:05:11 +00:00			`protVirtHost := hostpath.SysfsDir.Path("firmware/uv/prot_virt_host")`
cpu: Discover IBM Secure Execution Set `cpu.se-enabled` to `true` when IBM Secure Execution for Linux (IBM Z & LinuxONE) is available and has been enabled. Uses `/sys/firmware/uv/prot_virt_host`, which is available in kernels >=5.12 + backports. For simplicity, skip more complicated facility & kernel cmdline lookups. 2022-03-18 13:40:03 +00:00			`if content, err := os.ReadFile(protVirtHost); err == nil {`
			`if string(content) == "1\n" {`
cpu: re-organize security features Move existing security/trusted-execution related features (i.e. SGX and SE) under the same "security" feature, deprecating the old features. The motivation for the change is to keep the source code and user interface more organized as we experience a constant inflow of similar security related features. This change will affect the user interface so it is less painful to do it early on. New feature labels will be: feature.node.kubernetes.io/cpu-security.se.enabled feature.node.kubernetes.io/cpu-security.sgx.enabled and correspondingly new "cpu.security" feature with "se.enabled" and "sgx.enabled" elements will be available for custom rules, for example: - name: "sample sgx rule" labels: sgx.sample.feature: "true" matchFeatures: - feature: cpu.security matchExpressions: "sgx.enabled": {op: IsTrue} At the same time deprecate old labels "cpu-sgx.enabled" and "cpu-se.enabled" feature labels and the corresponding features for custom rules. These will be removed in the future causing an effective change in NFDs user interface. 2022-06-28 08:44:21 +00:00			`return true`
cpu: Discover IBM Secure Execution Set `cpu.se-enabled` to `true` when IBM Secure Execution for Linux (IBM Z & LinuxONE) is available and has been enabled. Uses `/sys/firmware/uv/prot_virt_host`, which is available in kernels >=5.12 + backports. For simplicity, skip more complicated facility & kernel cmdline lookups. 2022-03-18 13:40:03 +00:00			`}`
			`}`
cpu: re-organize security features Move existing security/trusted-execution related features (i.e. SGX and SE) under the same "security" feature, deprecating the old features. The motivation for the change is to keep the source code and user interface more organized as we experience a constant inflow of similar security related features. This change will affect the user interface so it is less painful to do it early on. New feature labels will be: feature.node.kubernetes.io/cpu-security.se.enabled feature.node.kubernetes.io/cpu-security.sgx.enabled and correspondingly new "cpu.security" feature with "se.enabled" and "sgx.enabled" elements will be available for custom rules, for example: - name: "sample sgx rule" labels: sgx.sample.feature: "true" matchFeatures: - feature: cpu.security matchExpressions: "sgx.enabled": {op: IsTrue} At the same time deprecate old labels "cpu-sgx.enabled" and "cpu-se.enabled" feature labels and the corresponding features for custom rules. These will be removed in the future causing an effective change in NFDs user interface. 2022-06-28 08:44:21 +00:00			`return false`
cpu: Discover IBM Secure Execution Set `cpu.se-enabled` to `true` when IBM Secure Execution for Linux (IBM Z & LinuxONE) is available and has been enabled. Uses `/sys/firmware/uv/prot_virt_host`, which is available in kernels >=5.12 + backports. For simplicity, skip more complicated facility & kernel cmdline lookups. 2022-03-18 13:40:03 +00:00			`}`