Merge pull request #833 from marquiz/devel/security-refactor

cpu: re-organize security features
2025-03-28 18:57:10 +00:00 · 2022-09-01 05:29:06 -07:00 · 2022-09-01 05:29:06 -07:00 · 81da164b7f
commit 81da164b7f
parent 778c897345 f62b057bcd
7 changed files with 61 additions and 47 deletions
--- a/docs/advanced/customization-guide.md
+++ b/docs/advanced/customization-guide.md
@ -488,12 +488,15 @@ The following features are available for matching:
 |                  |              | **`scaling`** | string | Active scaling_governor, possible values are 'powersave' or 'performance'.
 | **`cpu.rdt`**    | flag         |          |            | Intel RDT capabilities supported by the system
 |                  |              | **`<rdt-flag>`** |    | RDT capability is supported, see [RDT flags](../get-started/features#intel-rdt-flags) for details
-| **`cpu.sgx`**    | attribute    |          |            | Intel SGX (Software Guard Extensions) capabilities
-|                  |              | **`enabled`** | bool  | `true` if Intel SGX has been enabled, otherwise does not exist
+| **`cpu.security`** | attribute  |          |            | Features related to security and trusted execution environments
+|                  |              | **`sgx.enabled`** | bool | `true` if Intel SGX (Software Guard Extensions) has been enabled, otherwise does not exist
+|                  |              | **`se.enabled`** | bool  | `true` if IBM Secure Execution for Linux is available and has been enabled, otherwise does not exist
+| **`cpu.sgx`**    | attribute    |          |            | **DEPRECATED**: replaced by **`cpu.security`** feature
+|                  |              | **`enabled`** | bool  | **DEPRECATED**: use **`sgx.enabled`** from **`cpu.security`** instead
 | **`cpu.sst`**    | attribute    |          |            | Intel SST (Speed Select Technology) capabilities
 |                  |              | **`bf.enabled`** | bool | `true` if Intel SST-BF (Intel Speed Select Technology - Base frequency) has been enabled, otherwise does not exist
-| **`cpu.se`**     | attribute    |          |            | IBM Secure Execution for Linux (IBM Z & LinuxONE)
-|                  |              | **`enabled`** | bool  | `true` if IBM Secure Execution for Linux is available and has been enabled, otherwise does not exist
+| **`cpu.se`**     | attribute    |          |            | **DEPRECATED**: replaced by **`cpu.security`** feature
+|                  |              | **`enabled`** | bool  | **DEPRECATED**: use **`se.enabled`** from **`cpu.security`** instead
 | **`cpu.topology`** | attribute  |          |            | CPU topology related features
 | | |          **`hardware_multithreading`** | bool       | Hardware multithreading, such as Intel HTT, is enabled
 | **`kernel.config`** | attribute |          |            | Kernel configuration options
--- a/docs/get-started/features.md
+++ b/docs/get-started/features.md
@ -50,8 +50,10 @@ such as restricting discovered features with the -label-whitelist option.*
 | **`cpu-pstate.scaling_governor`** | string | The value of the Intel pstate scaling_governor when in use, either 'powersave' or 'performance'.
 | **`cpu-cstate.enabled`**          | bool   | Set to 'true' if cstates are set in the intel_idle driver, otherwise set to 'false'. Unset if intel_idle cpuidle driver is not active.
 | **`cpu-rdt.<rdt-flag>`**          | true   | [Intel RDT][intel-rdt] capability is supported. See [RDT flags](#intel-rdt-flags) for details.
-| **`cpu-sgx.enabled`**             | true   | Set to 'true' if Intel SGX is enabled in BIOS (based a non-zero sum value of SGX EPC section sizes).
-| **`cpu-se.enabled`**              | true   | Set to 'true' if IBM Secure Execution for Linux (IBM Z & LinuxONE) is available and enabled (requires `/sys/firmware/uv/prot_virt_host` facility)
+| **`cpu-security.sgx.enabled`**    | true   | Set to 'true' if Intel SGX is enabled in BIOS (based a non-zero sum value of SGX EPC section sizes).
+| **`cpu-security.se.enabled`**     | true   | Set to 'true' if IBM Secure Execution for Linux (IBM Z & LinuxONE) is available and enabled (requires `/sys/firmware/uv/prot_virt_host` facility)
+| **`cpu-sgx.enabled`**             | true   | **DEPRECATED**: use **`cpu-security.sgx.enabled`** instead.
+| **`cpu-se.enabled`**              | true   | **DEPRECATED**: use **`cpu-security.se.enabled`** instead.
 | **`cpu-model.vendor_id`**         | string | Comparable CPU vendor ID.
 | **`cpu-model.family`**            | int    | CPU family.
 | **`cpu-model.id`**                | int    | CPU model number.
--- a/source/cpu/cpu.go
+++ b/source/cpu/cpu.go
@ -38,8 +38,9 @@ const (
 	CstateFeature   = "cstate"
 	PstateFeature   = "pstate"
 	RdtFeature      = "rdt"
-	SeFeature       = "se"
-	SgxFeature      = "sgx"
+	SeFeature       = "se" // DEPRECATED in v0.12: will be removed in the future
+	SecurityFeature = "security"
+	SgxFeature      = "sgx" // DEPRECATED in v0.12: will be removed in the future
 	SstFeature      = "sst"
 	TopologyFeature = "topology"
 )
@ -165,6 +166,11 @@ func (s *cpuSource) GetLabels() (source.FeatureLabels, error) {
 		labels["rdt."+k] = true
 	}

+	// Security
+	for k, v := range features.Values[SecurityFeature].Elements {
+		labels["security."+k] = v
+	}
+
 	// SGX
 	for k, v := range features.Values[SgxFeature].Elements {
 		labels["sgx."+k] = v
@ -217,10 +223,21 @@ func (s *cpuSource) Discover() error {
 	s.features.Keys[RdtFeature] = feature.NewKeyFeatures(discoverRDT()...)

 	// Detect SGX features
-	s.features.Values[SgxFeature] = feature.NewValueFeatures(discoverSGX())
+	s.features.Values[SecurityFeature] = feature.NewValueFeatures(discoverSecurity())
+
+	// Detect SGX features
+	//
+	// DEPRECATED in v0.12: will be removed in the future
+	if val, ok := s.features.Values[SecurityFeature].Elements["sgx.enabled"]; ok {
+		s.features.Values[SgxFeature] = feature.NewValueFeatures(map[string]string{"enabled": val})
+	}

 	// Detect Secure Execution features
-	s.features.Values[SeFeature] = feature.NewValueFeatures(discoverSE())
+	//
+	// DEPRECATED in v0.12: will be removed in the future
+	if val, ok := s.features.Values[SecurityFeature].Elements["se.enabled"]; ok {
+		s.features.Values[SeFeature] = feature.NewValueFeatures(map[string]string{"enabled": val})
+	}

 	// Detect SST features
 	s.features.Values[SstFeature] = feature.NewValueFeatures(discoverSST())
--- a/source/cpu/se_stub.go
+++ b/source/cpu/se_stub.go
@ -1,25 +0,0 @@
-//go:build !s390x
-// +build !s390x
-
-/*
-Copyright 2022 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package cpu
-
-// Secure Execution is exclusive to s390x
-func discoverSE() map[string]string {
-	return nil
-}
--- a/source/cpu/security_amd64.go
+++ b/source/cpu/security_amd64.go
@ -23,10 +23,18 @@ import (
 	"github.com/klauspost/cpuid/v2"
 )

-func discoverSGX() map[string]string {
-	var epcSize uint64
-	sgx := make(map[string]string)
+func discoverSecurity() map[string]string {
+	elems := make(map[string]string)

+	if sgxEnabled() {
+		elems["sgx.enabled"] = "true"
+	}
+
+	return elems
+}
+
+func sgxEnabled() bool {
+	var epcSize uint64
 	if cpuid.CPU.SGX.Available {
 		for _, s := range cpuid.CPU.SGX.EPCSections {
 			epcSize += s.EPCSize
@ -39,8 +47,8 @@ func discoverSGX() map[string]string {
 	// allocates "Processor Reserved Memory" for SGX EPC so we rely on > 0
 	// size here to set "SGX = enabled".
 	if epcSize > 0 {
-		sgx["enabled"] = "true"
+		return true
 	}

-	return sgx
+	return false
 }
--- a/source/cpu/security_s390x.go
+++ b/source/cpu/security_s390x.go
@ -25,16 +25,25 @@ import (
 	"sigs.k8s.io/node-feature-discovery/source"
 )

-func discoverSE() map[string]string {
-	se := make(map[string]string)
+func discoverSecurity() map[string]string {
+	elems := make(map[string]string)
+
+	if seEnabled() {
+		elems["se.enabled"] = "true"
+	}
+
+	return elems
+}
+
+func seEnabled() bool {
 	// This file is available in kernels >=5.12 + backports. Skip specifically
 	// checking facilities and kernel command lines and just assume Secure
 	// Execution to be unavailable or disabled if the file is not present.
 	protVirtHost := source.SysfsDir.Path("firmware/uv/prot_virt_host")
 	if content, err := os.ReadFile(protVirtHost); err == nil {
 		if string(content) == "1\n" {
-			se["enabled"] = "true"
+			return true
 		}
 	}
-	return se
+	return false
 }
--- a/source/cpu/security_stub.go
+++ b/source/cpu/security_stub.go
@ -1,5 +1,5 @@
-//go:build !amd64
-// +build !amd64
+//go:build !(amd64 || s390x)
+// +build !amd64,!s390x

 /*
 Copyright 2021 The Kubernetes Authors.
@ -19,6 +19,6 @@ limitations under the License.

 package cpu

-func discoverSGX() map[string]string {
+func discoverSecurity() map[string]string {
 	return nil
 }