diff --git a/docs/advanced/customization-guide.md b/docs/advanced/customization-guide.md
index ab55a3fe4..f506ee2fd 100644
--- a/docs/advanced/customization-guide.md
+++ b/docs/advanced/customization-guide.md
@@ -488,12 +488,15 @@ The following features are available for matching:
 | | | **`scaling`** | string | Active scaling_governor, possible values are 'powersave' or 'performance'.
 | **`cpu.rdt`** | flag | | | Intel RDT capabilities supported by the system
 | | | **``** | | RDT capability is supported, see [RDT flags](../get-started/features#intel-rdt-flags) for details
-| **`cpu.sgx`** | attribute | | | Intel SGX (Software Guard Extensions) capabilities
-| | | **`enabled`** | bool | `true` if Intel SGX has been enabled, otherwise does not exist
+| **`cpu.security`** | attribute | | | Features related to security and trusted execution environments
+| | | **`sgx.enabled`** | bool | `true` if Intel SGX (Software Guard Extensions) has been enabled, otherwise does not exist
+| | | **`se.enabled`** | bool | `true` if IBM Secure Execution for Linux is available and has been enabled, otherwise does not exist
+| **`cpu.sgx`** | attribute | | | **DEPRECATED**: replaced by **`cpu.security`** feature
+| | | **`enabled`** | bool | **DEPRECATED**: use **`sgx.enabled`** from **`cpu.security`** instead
 | **`cpu.sst`** | attribute | | | Intel SST (Speed Select Technology) capabilities
 | | | **`bf.enabled`** | bool | `true` if Intel SST-BF (Intel Speed Select Technology - Base frequency) has been enabled, otherwise does not exist
-| **`cpu.se`** | attribute | | | IBM Secure Execution for Linux (IBM Z & LinuxONE)
-| | | **`enabled`** | bool | `true` if IBM Secure Execution for Linux is available and has been enabled, otherwise does not exist
+| **`cpu.se`** | attribute | | | **DEPRECATED**: replaced by **`cpu.security`** feature
+| | | **`enabled`** | bool | **DEPRECATED**: use **`se.enabled`** from **`cpu.security`** instead
 | **`cpu.topology`** | attribute | | | CPU topology related features
 | | | **`hardware_multithreading`** | bool | Hardware multithreading, such as Intel HTT, is enabled
 | **`kernel.config`** | attribute | | | Kernel configuration options
diff --git a/docs/get-started/features.md b/docs/get-started/features.md
index ad6841f7a..29e4f21d7 100644
--- a/docs/get-started/features.md
+++ b/docs/get-started/features.md
@@ -50,8 +50,10 @@ such as restricting discovered features with the -label-whitelist option.*
 | **`cpu-pstate.scaling_governor`** | string | The value of the Intel pstate scaling_governor when in use, either 'powersave' or 'performance'.
 | **`cpu-cstate.enabled`** | bool | Set to 'true' if cstates are set in the intel_idle driver, otherwise set to 'false'. Unset if intel_idle cpuidle driver is not active.
 | **`cpu-rdt.`** | true | [Intel RDT][intel-rdt] capability is supported. See [RDT flags](#intel-rdt-flags) for details.
-| **`cpu-sgx.enabled`** | true | Set to 'true' if Intel SGX is enabled in BIOS (based a non-zero sum value of SGX EPC section sizes).
-| **`cpu-se.enabled`** | true | Set to 'true' if IBM Secure Execution for Linux (IBM Z & LinuxONE) is available and enabled (requires `/sys/firmware/uv/prot_virt_host` facility)
+| **`cpu-security.sgx.enabled`** | true | Set to 'true' if Intel SGX is enabled in BIOS (based a non-zero sum value of SGX EPC section sizes).
+| **`cpu-security.se.enabled`** | true | Set to 'true' if IBM Secure Execution for Linux (IBM Z & LinuxONE) is available and enabled (requires `/sys/firmware/uv/prot_virt_host` facility)
+| **`cpu-sgx.enabled`** | true | **DEPRECATED**: use **`cpu-security.sgx.enabled`** instead.
+| **`cpu-se.enabled`** | true | **DEPRECATED**: use **`cpu-security.se.enabled`** instead.
 | **`cpu-model.vendor_id`** | string | Comparable CPU vendor ID.
 | **`cpu-model.family`** | int | CPU family.
 | **`cpu-model.id`** | int | CPU model number.
diff --git a/source/cpu/cpu.go b/source/cpu/cpu.go
index b77f9ea38..26f424da1 100644
--- a/source/cpu/cpu.go
+++ b/source/cpu/cpu.go
@@ -38,8 +38,9 @@ const (
 	CstateFeature = "cstate"
 	PstateFeature = "pstate"
 	RdtFeature = "rdt"
-	SeFeature = "se"
-	SgxFeature = "sgx"
+	SeFeature = "se" // DEPRECATED in v0.12: will be removed in the future
+	SecurityFeature = "security"
+	SgxFeature = "sgx" // DEPRECATED in v0.12: will be removed in the future
 	SstFeature = "sst"
 	TopologyFeature = "topology"
 )
@@ -165,6 +166,11 @@ func (s *cpuSource) GetLabels() (source.FeatureLabels, error) {
 		labels["rdt."+k] = true
 	}
 
+	// Security
+	for k, v := range features.Values[SecurityFeature].Elements {
+		labels["security."+k] = v
+	}
+
 	// SGX
 	for k, v := range features.Values[SgxFeature].Elements {
 		labels["sgx."+k] = v
@@ -217,10 +223,21 @@ func (s *cpuSource) Discover() error {
 	s.features.Keys[RdtFeature] = feature.NewKeyFeatures(discoverRDT()...)
 
 	// Detect SGX features
-	s.features.Values[SgxFeature] = feature.NewValueFeatures(discoverSGX())
+	s.features.Values[SecurityFeature] = feature.NewValueFeatures(discoverSecurity())
+
+	// Detect SGX features
+	//
+	// DEPRECATED in v0.12: will be removed in the future
+	if val, ok := s.features.Values[SecurityFeature].Elements["sgx.enabled"]; ok {
+		s.features.Values[SgxFeature] = feature.NewValueFeatures(map[string]string{"enabled": val})
+	}
 
 	// Detect Secure Execution features
-	s.features.Values[SeFeature] = feature.NewValueFeatures(discoverSE())
+	//
+	// DEPRECATED in v0.12: will be removed in the future
+	if val, ok := s.features.Values[SecurityFeature].Elements["se.enabled"]; ok {
+		s.features.Values[SeFeature] = feature.NewValueFeatures(map[string]string{"enabled": val})
+	}
 
 	// Detect SST features
 	s.features.Values[SstFeature] = feature.NewValueFeatures(discoverSST())
diff --git a/source/cpu/se_stub.go b/source/cpu/se_stub.go
deleted file mode 100644
index 436efa5a0..000000000
--- a/source/cpu/se_stub.go
+++ /dev/null
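Review bot: In the Discover hunk the retained context comment `// Detect SGX features` now sits directly above the new `s.features.Values[SecurityFeature] = feature.NewValueFeatures(discoverSecurity())` line, while the commit adds a second `// Detect SGX features` a few lines below for the compatibility shim, so the first one is stale and should read `// Detect security features (SGX, IBM Secure Execution)`. The element names `"sgx.enabled"` and `"se.enabled"` are spelled as string literals here and again in security_amd64.go and security_s390x.go; two package-level constants next to `SecurityFeature` would stop the producer and this shim from drifting apart, since a mismatch on either side silently drops the deprecated `cpu-sgx.enabled`/`cpu-se.enabled` labels that existing consumers may still select on. Note also that `SgxFeature` and `SeFeature` are now only populated when the matching element exists, whereas the removed lines set them unconditionally; the `range` in GetLabels tolerates the missing entry, but the deprecation comment should say so. Discover continues outside the hunk.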
@@ -1,25 +0,0 @@
-//go:build !s390x
-// +build !s390x
-
-/*
-Copyright 2022 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package cpu
-
-// Secure Execution is exclusive to s390x
-func discoverSE() map[string]string {
-	return nil
-}
diff --git a/source/cpu/sgx_amd64.go b/source/cpu/security_amd64.go
similarity index 84%
rename from source/cpu/sgx_amd64.go
rename to source/cpu/security_amd64.go
index a94d5bdb5..10854c896 100644
--- a/source/cpu/sgx_amd64.go
+++ b/source/cpu/security_amd64.go
@@ -23,10 +23,18 @@ import (
 	"github.com/klauspost/cpuid/v2"
 )
 
-func discoverSGX() map[string]string {
-	var epcSize uint64
-	sgx := make(map[string]string)
+func discoverSecurity() map[string]string {
+	elems := make(map[string]string)
+	if sgxEnabled() {
+		elems["sgx.enabled"] = "true"
+	}
+
+	return elems
+}
+
+func sgxEnabled() bool {
+	var epcSize uint64
 
 	if cpuid.CPU.SGX.Available {
 		for _, s := range cpuid.CPU.SGX.EPCSections {
 			epcSize += s.EPCSize
@@ -39,8 +47,8 @@ func discoverSGX() map[string]string {
 	// allocates "Processor Reserved Memory" for SGX EPC so we rely on > 0
 	// size here to set "SGX = enabled".
 	if epcSize > 0 {
-		sgx["enabled"] = "true"
+		return true
 	}
 
-	return sgx
+	return false
 }
diff --git a/source/cpu/se_s390x.go b/source/cpu/security_s390x.go
similarity index 84%
rename from source/cpu/se_s390x.go
rename to source/cpu/security_s390x.go
index 88f202f6a..f54752dbb 100644
--- a/source/cpu/se_s390x.go
+++ b/source/cpu/security_s390x.go
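Review bot: `discoverSecurity` and `sgxEnabled` in the first security_amd64.go hunk carry no doc comments, and the meaning of the boolean is easy to over-read: the retained comment in the second hunk says the result rests on a non-zero EPC size summed from `cpuid`, and nothing visible here consults a kernel SGX driver or device, so the label means firmware-level enablement rather than workload usability. Add `// sgxEnabled reports whether CPUID advertises SGX with a non-zero total EPC size, i.e. SGX is enabled in firmware; it does not check for kernel driver support.` above `func sgxEnabled() bool`, and `// discoverSecurity returns the cpu.security elements detectable on amd64 (currently only "sgx.enabled").` above `discoverSecurity`. The `return true`/`return false` pair in the second hunk could collapse to `return epcSize > 0`, but the branch form keeps the explanatory comment attached to the decision, so that is a matter of taste. `sgxEnabled` spans both hunks and the lines between them are outside this view.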
@@ -25,16 +25,25 @@ import (
 	"sigs.k8s.io/node-feature-discovery/source"
 )
 
-func discoverSE() map[string]string {
-	se := make(map[string]string)
+func discoverSecurity() map[string]string {
+	elems := make(map[string]string)
+
+	if seEnabled() {
+		elems["se.enabled"] = "true"
+	}
+
+	return elems
+}
+
+func seEnabled() bool {
 	// This file is available in kernels >=5.12 + backports. Skip specifically
 	// checking facilities and kernel command lines and just assume Secure
 	// Execution to be unavailable or disabled if the file is not present.
 	protVirtHost := source.SysfsDir.Path("firmware/uv/prot_virt_host")
 	if content, err := os.ReadFile(protVirtHost); err == nil {
 		if string(content) == "1\n" {
-			se["enabled"] = "true"
+			return true
 		}
 	}
-	return se
+	return false
 }
diff --git a/source/cpu/sgx_stub.go b/source/cpu/security_stub.go
similarity index 86%
rename from source/cpu/sgx_stub.go
rename to source/cpu/security_stub.go
index 99e4c046b..ffbf83ae0 100644
--- a/source/cpu/sgx_stub.go
+++ b/source/cpu/security_stub.go
@@ -1,5 +1,5 @@
-//go:build !amd64
-// +build !amd64
+//go:build !(amd64 || s390x)
+// +build !amd64,!s390x
 
 /*
 Copyright 2021 The Kubernetes Authors.
@@ -19,6 +19,6 @@ limitations under the License.
 
 package cpu
 
-func discoverSGX() map[string]string {
+func discoverSecurity() map[string]string {
 	return nil
 }
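Review bot: `seEnabled` in the security_s390x.go hunk treats every `os.ReadFile` error the same as a missing file, which the retained comment only justifies for the not-present case; a permission or I/O error on `firmware/uv/prot_virt_host` also yields a silent `false`, indistinguishable from "Secure Execution disabled". Failing closed is the right default for a label that workloads select a trusted host on, but separating `os.ErrNotExist` from other errors (and surfacing the latter through whatever logger this package uses) would make a broken sysfs mount visible; the rewrite below needs `errors` in the import block, which is outside this hunk. Both new functions also lack doc comments; `// seEnabled reports whether sysfs exposes firmware/uv/prot_virt_host with value 1, i.e. IBM Secure Execution is available and enabled on this host.` above `func seEnabled() bool` would cover the first. In security_stub.go the two constraint forms `//go:build !(amd64 || s390x)` and `// +build !amd64,!s390x` agree, so the stub is excluded on exactly the two arches that now provide `discoverSecurity`.
```go
func seEnabled() bool {
	// … unchanged: comment on the kernel >=5.12 sysfs file …
	protVirtHost := source.SysfsDir.Path("firmware/uv/prot_virt_host")
	content, err := os.ReadFile(protVirtHost)
	if err != nil {
		if !errors.Is(err, os.ErrNotExist) {
			// TODO(review): report the unexpected read error via the package logger at debug level
		}
		return false
	}
	return string(content) == "1\n"
}
```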