mirrors/node-feature-discovery
1
0
Fork 0
mirror of https://github.com/kubernetes-sigs/node-feature-discovery.git synced 2024-12-15 17:50:49 +00:00
Code Activity

cpu: expose AMD SEV support

Browse source 
Signed-off-by: Carlos Eduardo Arango Gutierrez <eduardoa@nvidia.com>
Co-authored-by: Carlos Eduardo Arango Gutierrez <eduardoa@nvidia.com>
Co-authored-by: Markus Lehtonen <markus.lehtonen@intel.com>
This commit is contained in:
Carlos Eduardo Arango Gutierrez 2023-03-27 13:24:44 +02:00
parent 821e042dbf
commit 7171cfd4eb
No known key found for this signature in database
GPG key ID: 5697017E44D90737
4 changed files with 31 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
docs/usage/customization-guide.md
View file

@ -607,6 +607,9 @@ The following features are available for matching:
| | | **`sgx.enabled`** | bool | `true` if Intel SGX (Software Guard Extensions) has been enabled, otherwise does not exist | | | **`sgx.enabled`** | bool | `true` if Intel SGX (Software Guard Extensions) has been enabled, otherwise does not exist
| | | **`se.enabled`** | bool | `true` if IBM Secure Execution for Linux is available and has been enabled, otherwise does not exist | | | **`se.enabled`** | bool | `true` if IBM Secure Execution for Linux is available and has been enabled, otherwise does not exist
| | | **`tdx.enabled`** | bool | `true` if Intel TDX (Trusted Domain Extensions) is available on the host and has been enabled, otherwise does not exist | | | **`tdx.enabled`** | bool | `true` if Intel TDX (Trusted Domain Extensions) is available on the host and has been enabled, otherwise does not exist
| | | **`sev.enabled`** | bool | `true` if AMD SEV (Secure Encrypted Virtualization) is available on the host and has been enabled, otherwise does not exist
| | | **`sev.es.enabled`** | bool | `true` if AMD SEV-ES (Encrypted State supported) is available on the host and has been enabled, otherwise does not exist
| | | **`sev.snp.enabled`** | bool | `true` if AMD SEV-SNP (Secure Nested Paging supported) is available on the host and has been enabled, otherwise does not exist
| **`cpu.sgx`** | attribute | | | **DEPRECATED**: replaced by **`cpu.security`** feature | **`cpu.sgx`** | attribute | | | **DEPRECATED**: replaced by **`cpu.security`** feature
| | | **`enabled`** | bool | **DEPRECATED**: use **`sgx.enabled`** from **`cpu.security`** instead | | | **`enabled`** | bool | **DEPRECATED**: use **`sgx.enabled`** from **`cpu.security`** instead
| **`cpu.sst`** | attribute | | | Intel SST (Speed Select Technology) capabilities | **`cpu.sst`** | attribute | | | Intel SST (Speed Select Technology) capabilities

3
docs/usage/features.md
View file

@ -58,6 +58,9 @@ option of nfd-worker.
| **`cpu-security.sgx.enabled`** | true | Set to 'true' if Intel SGX is enabled in BIOS (based a non-zero sum value of SGX EPC section sizes). | **`cpu-security.sgx.enabled`** | true | Set to 'true' if Intel SGX is enabled in BIOS (based a non-zero sum value of SGX EPC section sizes).
| **`cpu-security.se.enabled`** | true | Set to 'true' if IBM Secure Execution for Linux (IBM Z & LinuxONE) is available and enabled (requires `/sys/firmware/uv/prot_virt_host` facility) | **`cpu-security.se.enabled`** | true | Set to 'true' if IBM Secure Execution for Linux (IBM Z & LinuxONE) is available and enabled (requires `/sys/firmware/uv/prot_virt_host` facility)
| **`cpu-security.tdx.enabled`** | true | Set to 'true' if Intel TDX is available on the host and has been enabled (requires `/sys/module/kvm_intel/parameters/tdx`). | **`cpu-security.tdx.enabled`** | true | Set to 'true' if Intel TDX is available on the host and has been enabled (requires `/sys/module/kvm_intel/parameters/tdx`).
| **`cpu-security.sev.enabled`** | true | Set to 'true' if ADM SEV is available on the host and has been enabled (requires `/sys/module/kvm_intel/parameters/sev`).
| **`cpu-security.sev.es.enabled`** | true | Set to 'true' if ADM SEV-ES is available on the host and has been enabled (requires `/sys/module/kvm_intel/parameters/sev_es`).
| **`cpu-security.sev.snp.enabled`**| true | Set to 'true' if ADM SEV-SNP is available on the host and has been enabled (requires `/sys/module/kvm_intel/parameters/sev_snp`).
| **`cpu-sgx.enabled`** | true | **DEPRECATED**: use **`cpu-security.sgx.enabled`** instead. | **`cpu-sgx.enabled`** | true | **DEPRECATED**: use **`cpu-security.sgx.enabled`** instead.
| **`cpu-se.enabled`** | true | **DEPRECATED**: use **`cpu-security.se.enabled`** instead. | **`cpu-se.enabled`** | true | **DEPRECATED**: use **`cpu-security.se.enabled`** instead.
| **`cpu-model.vendor_id`** | string | Comparable CPU vendor ID. | **`cpu-model.vendor_id`** | string | Comparable CPU vendor ID.

2
source/cpu/cpu.go
View file

@ -229,7 +229,7 @@ func (s *cpuSource) Discover() error {
// Detect RDT features // Detect RDT features
s.features.Flags[RdtFeature] = nfdv1alpha1.NewFlagFeatures(discoverRDT()...) s.features.Flags[RdtFeature] = nfdv1alpha1.NewFlagFeatures(discoverRDT()...)
// Detect SGX features // Detect available guest protection(SGX,TDX,SEV) features
s.features.Attributes[SecurityFeature] = nfdv1alpha1.NewAttributeFeatures(discoverSecurity()) s.features.Attributes[SecurityFeature] = nfdv1alpha1.NewAttributeFeatures(discoverSecurity())
// Detect SGX features // Detect SGX features

24
source/cpu/security_amd64.go
View file

@ -38,6 +38,18 @@ func discoverSecurity() map[string]string {
elems["tdx.enabled"] = "true" elems["tdx.enabled"] = "true"
} }
if sevParameterEnabled("sev") {
elems["sev.enabled"] = "true"
}
if sevParameterEnabled("sev_es") {
elems["sev.es.enabled"] = "true"
}
if sevParameterEnabled("sev_snp") {
elems["sev.snp.enabled"] = "true"
}
return elems return elems
} }
@ -73,3 +85,15 @@ func tdxEnabled() bool {
} }
return false return false
} }
func sevParameterEnabled(parameter string) bool {
// SEV-SNP is supported and enabled when the kvm module `sev_snp` parameter is set to `Y`
// SEV-SNP support infers SEV (-ES) support
sevKvmParameterPath := hostpath.SysfsDir.Path("module/kvm_amd/parameters/", parameter)
if _, err := os.Stat(sevKvmParameterPath); err == nil {
if c, err := os.ReadFile(sevKvmParameterPath); err == nil && len(c) > 0 && (c[0] == '1' || c[0] == 'Y') {
return true
}
}
return false
}