diff --git a/docs/advanced/customization-guide.md b/docs/advanced/customization-guide.md
index a1aead171..a308f9b07 100644
--- a/docs/advanced/customization-guide.md
+++ b/docs/advanced/customization-guide.md
@@ -501,6 +501,7 @@ The following features are available for matching:
 | **`cpu.security`** | attribute | | | Features related to security and trusted execution environments
 | | | **`sgx.enabled`** | bool | `true` if Intel SGX (Software Guard Extensions) has been enabled, otherwise does not exist
 | | | **`se.enabled`** | bool | `true` if IBM Secure Execution for Linux is available and has been enabled, otherwise does not exist
+| | | **`tdx.enabled`** | bool | `true` if Intel TDX (Trusted Domain Extensions) is available on the host and has been enabled, otherwise does not exist
 | **`cpu.sgx`** | attribute | | | **DEPRECATED**: replaced by **`cpu.security`** feature
 | | | **`enabled`** | bool | **DEPRECATED**: use **`sgx.enabled`** from **`cpu.security`** instead
 | **`cpu.sst`** | attribute | | | Intel SST (Speed Select Technology) capabilities
diff --git a/docs/get-started/features.md b/docs/get-started/features.md
index 29e4f21d7..2a2499d33 100644
--- a/docs/get-started/features.md
+++ b/docs/get-started/features.md
@@ -52,6 +52,7 @@ such as restricting discovered features with the -label-whitelist option.* | **`cpu-rdt.`** | true | [Intel RDT][intel-rdt] capability is supported. See [RDT flags](#intel-rdt-flags) for details. | **`cpu-security.sgx.enabled`** | true | Set to 'true' if Intel SGX is enabled in BIOS (based a non-zero sum value of SGX EPC section sizes). | **`cpu-security.se.enabled`** | true | Set to 'true' if IBM Secure Execution for Linux (IBM Z & LinuxONE) is available and enabled (requires `/sys/firmware/uv/prot_virt_host` facility) +| **`cpu-security.tdx.enabled`** | true | Set to 'true' if Intel TDX is available on the host and has been enabled (requires `/sys/module/kvm_intel/parameters/tdx`). | **`cpu-sgx.enabled`** | true | **DEPRECATED**: use **`cpu-security.sgx.enabled`** instead. | **`cpu-se.enabled`** | true | **DEPRECATED**: use **`cpu-security.se.enabled`** instead. | **`cpu-model.vendor_id`** | string | Comparable CPU vendor ID. diff --git a/source/cpu/security_amd64.go b/source/cpu/security_amd64.go index 10854c896..27f82a800 100644 --- a/source/cpu/security_amd64.go +++ b/source/cpu/security_amd64.go @@ -20,7 +20,10 @@ limitations under the License. package cpu import ( + "os" + "github.com/klauspost/cpuid/v2" + "sigs.k8s.io/node-feature-discovery/source" ) func discoverSecurity() map[string]string { @@ -30,6 +33,10 @@ func discoverSecurity() map[string]string { elems["sgx.enabled"] = "true" } + if tdxEnabled() { + elems["tdx.enabled"] = "true" + } + return elems } @@ -52,3 +59,16 @@ func sgxEnabled() bool { return false } + +func tdxEnabled() bool { + // If /sys/module/kvm_intel/parameters/tdx is not present, or is present + // with a value different than "Y\n" assume TDX to be unavailable or + // disabled. + protVirtHost := source.SysfsDir.Path("module/kvm_intel/parameters/tdx") + if content, err := os.ReadFile(protVirtHost); err == nil { + if string(content) == "Y\n" { + return true + } + } + return false +}
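Review bot: The local `protVirtHost` in the new tdxEnabled is a copy-paste leftover from the IBM Secure Execution check (this same commit's se.enabled doc line points at `/sys/firmware/uv/prot_virt_host`) and misnames the kvm_intel TDX parameter path it actually holds; rename it, e.g. `tdxParam := source.SysfsDir.Path("module/kvm_intel/parameters/tdx")`. The exact `"Y\n"` match is what sysfs prints for a kernel bool module parameter, so it works today, but a fixture or kernel that omits the trailing newline silently reads as disabled; `strings.TrimSpace(string(content)) == "Y"` removes that edge for one stdlib import. The function comment should also say what the label actually attests: as far as this check goes it only shows that kvm_intel was loaded with `tdx=1`, not that the TDX module initialized successfully or that the host can launch a TD, so consumers placing confidential workloads on `tdx.enabled` should treat it as "host opted in" rather than "TDX verified" (inferred from the path alone; confirm against the kernel's parameter semantics before wording it). Since read and permission errors from os.ReadFile are deliberately folded into "not enabled", a one-line `// read/permission errors deliberately mean "not enabled" (best-effort discovery)` next to that branch would stop a later reader from turning it into a hard failure.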