cpu: Expose the total number of keys for TDX

The total amount of keys that can be used on a specific TDX system is exposed via the cgroups misc.capacity. See: ``` $ cat /sys/fs/cgroup/misc.capacity tdx 31 ``` The first step to properly manage the amount of keys present in a node is exposing it via the NFD, and that's exactly what this commit does. An example of how it ends up being exposed via the NFD: ``` $ kubectl get node 984fee00befb.jf.intel.com -o jsonpath='{.metadata.labels}' | jq | grep tdx.total_keys "feature.node.kubernetes.io/cpu-security.tdx.total_keys": "31", ``` Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2024-12-14 11:57:51 +00:00 · 2023-01-17 14:32:24 +01:00 · 2023-01-17 14:32:24 +01:00 · 10672e1bba
commit 10672e1bba
parent 243c05e329
3 changed files with 48 additions and 0 deletions
--- a/docs/usage/customization-guide.md
+++ b/docs/usage/customization-guide.md
@ -607,6 +607,7 @@ The following features are available for matching:
 |                  |              | **`sgx.enabled`** | bool | `true` if Intel SGX (Software Guard Extensions) has been enabled, otherwise does not exist
 |                  |              | **`se.enabled`** | bool  | `true` if IBM Secure Execution for Linux is available and has been enabled, otherwise does not exist
 |                  |              | **`tdx.enabled`** | bool | `true` if Intel TDX (Trusted Domain Extensions) is available on the host and has been enabled, otherwise does not exist
+|                  |              | **`tdx.total_keys`** | int | The total amount of keys an Intel TDX (Trusted Domain Extensions) host can provide.  It's only present if `tdx.enabled` is `true`.
 |                  |              | **`sev.enabled`** | bool | `true` if AMD SEV (Secure Encrypted Virtualization) is available on the host and has been enabled, otherwise does not exist
 |                  |              | **`sev.es.enabled`** | bool | `true` if AMD SEV-ES (Encrypted State supported) is available on the host and has been enabled, otherwise does not exist
 |                  |              | **`sev.snp.enabled`** | bool | `true` if AMD SEV-SNP (Secure Nested Paging supported) is available on the host and has been enabled, otherwise does not exist
--- a/docs/usage/features.md
+++ b/docs/usage/features.md
@ -58,6 +58,7 @@ option of nfd-worker.
 | **`cpu-security.sgx.enabled`**    | true   | Set to 'true' if Intel SGX is enabled in BIOS (based a non-zero sum value of SGX EPC section sizes).
 | **`cpu-security.se.enabled`**     | true   | Set to 'true' if IBM Secure Execution for Linux (IBM Z & LinuxONE) is available and enabled (requires `/sys/firmware/uv/prot_virt_host` facility)
 | **`cpu-security.tdx.enabled`**    | true   | Set to 'true' if Intel TDX is available on the host and has been enabled (requires `/sys/module/kvm_intel/parameters/tdx`).
+| **`cpu-security.tdx.total_keys`** | int    | The total amount of keys an Intel TDX enabled host can provide, based on the `/sys/fs/cgroup/misc.capacity` information.
 | **`cpu-security.sev.enabled`**    | true   | Set to 'true' if ADM SEV is available on the host and has been enabled (requires `/sys/module/kvm_intel/parameters/sev`).
 | **`cpu-security.sev.es.enabled`** | true   | Set to 'true' if ADM SEV-ES is available on the host and has been enabled (requires `/sys/module/kvm_intel/parameters/sev_es`).
 | **`cpu-security.sev.snp.enabled`**| true   | Set to 'true' if ADM SEV-SNP is available on the host and has been enabled (requires `/sys/module/kvm_intel/parameters/sev_snp`).
--- a/source/cpu/security_amd64.go
+++ b/source/cpu/security_amd64.go
@ -20,7 +20,11 @@ limitations under the License.
 package cpu

 import (
+	"bufio"
+	"io"
 	"os"
+	"strconv"
+	"strings"

 	"github.com/klauspost/cpuid/v2"

@ -36,6 +40,11 @@ func discoverSecurity() map[string]string {

 	if tdxEnabled() {
 		elems["tdx.enabled"] = "true"
+
+		tdxTotalKeys := getCgroupMiscCapacity("tdx")
+		if tdxTotalKeys > -1 {
+			elems["tdx.total_keys"] = strconv.FormatInt(int64(tdxTotalKeys), 10)
+		}
 	}

 	if sevParameterEnabled("sev") {
@ -97,3 +106,40 @@ func sevParameterEnabled(parameter string) bool {
 	}
 	return false
 }
+
+func getCgroupMiscCapacity(resource string) int64 {
+	var totalResources int64 = -1
+
+	miscCgroups := hostpath.SysfsDir.Path("fs/cgroup/misc.capacity")
+	f, err := os.Open(miscCgroups)
+	if err != nil {
+		return totalResources
+	}
+	defer f.Close()
+
+	r := bufio.NewReader(f)
+	for {
+		line, _, err := r.ReadLine()
+		if err != nil {
+			if err == io.EOF {
+				break
+			}
+			return totalResources
+		}
+
+		if !strings.HasPrefix(string(line), resource) {
+			continue
+		}
+
+		s := strings.Split(string(line), " ")
+		resources, err := strconv.ParseInt(s[1], 10, 64)
+		if err != nil {
+			return totalResources
+		}
+
+		totalResources = resources
+		break
+	}
+
+	return totalResources
+}