cpu: Discover Intel TDX

Set `cpu-security.tdx.enable` to `true` when TDX is avialable and has been enabled. otherwise it'll be set to `false`. `/sys/module/kvm_intel/parameters/tdx` presence and content is used to detect whether a CPU is Intel TDX capable. Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2025-03-05 08:17:04 +00:00 · 2022-09-02 12:20:21 +02:00 · 2022-09-02 12:20:21 +02:00 · d5db1cf907
commit d5db1cf907
parent dcc02b9787
3 changed files with 22 additions and 0 deletions
--- a/docs/advanced/customization-guide.md
+++ b/docs/advanced/customization-guide.md
@ -501,6 +501,7 @@ The following features are available for matching:
 | **`cpu.security`** | attribute  |          |            | Features related to security and trusted execution environments
 |                  |              | **`sgx.enabled`** | bool | `true` if Intel SGX (Software Guard Extensions) has been enabled, otherwise does not exist
 |                  |              | **`se.enabled`** | bool  | `true` if IBM Secure Execution for Linux is available and has been enabled, otherwise does not exist
+|                  |              | **`tdx.enabled`** | bool | `true` if Intel TDX (Trusted Domain Extensions) is available on the host and has been enabled, otherwise does not exist
 | **`cpu.sgx`**    | attribute    |          |            | **DEPRECATED**: replaced by **`cpu.security`** feature
 |                  |              | **`enabled`** | bool  | **DEPRECATED**: use **`sgx.enabled`** from **`cpu.security`** instead
 | **`cpu.sst`**    | attribute    |          |            | Intel SST (Speed Select Technology) capabilities
--- a/docs/get-started/features.md
+++ b/docs/get-started/features.md
@ -52,6 +52,7 @@ such as restricting discovered features with the -label-whitelist option.*
 | **`cpu-rdt.<rdt-flag>`**          | true   | [Intel RDT][intel-rdt] capability is supported. See [RDT flags](#intel-rdt-flags) for details.
 | **`cpu-security.sgx.enabled`**    | true   | Set to 'true' if Intel SGX is enabled in BIOS (based a non-zero sum value of SGX EPC section sizes).
 | **`cpu-security.se.enabled`**     | true   | Set to 'true' if IBM Secure Execution for Linux (IBM Z & LinuxONE) is available and enabled (requires `/sys/firmware/uv/prot_virt_host` facility)
+| **`cpu-security.tdx.enabled`**    | true   | Set to 'true' if Intel TDX is available on the host and has been enabled (requires `/sys/module/kvm_intel/parameters/tdx`).
 | **`cpu-sgx.enabled`**             | true   | **DEPRECATED**: use **`cpu-security.sgx.enabled`** instead.
 | **`cpu-se.enabled`**              | true   | **DEPRECATED**: use **`cpu-security.se.enabled`** instead.
 | **`cpu-model.vendor_id`**         | string | Comparable CPU vendor ID.
--- a/source/cpu/security_amd64.go
+++ b/source/cpu/security_amd64.go
@ -20,7 +20,10 @@ limitations under the License.
 package cpu

 import (
+	"os"
+
 	"github.com/klauspost/cpuid/v2"
+	"sigs.k8s.io/node-feature-discovery/source"
 )

 func discoverSecurity() map[string]string {
@ -30,6 +33,10 @@ func discoverSecurity() map[string]string {
 		elems["sgx.enabled"] = "true"
 	}

+	if tdxEnabled() {
+		elems["tdx.enabled"] = "true"
+	}
+
 	return elems
 }

@ -52,3 +59,16 @@ func sgxEnabled() bool {

 	return false
 }
+
+func tdxEnabled() bool {
+	// If /sys/module/kvm_intel/parameters/tdx is not present, or is present
+	// with a value different than "Y\n" assume TDX to be unavailable or
+	// disabled.
+	protVirtHost := source.SysfsDir.Path("module/kvm_intel/parameters/tdx")
+	if content, err := os.ReadFile(protVirtHost); err == nil {
+		if string(content) == "Y\n" {
+			return true
+		}
+	}
+	return false
+}