diff --git a/deployment/components/worker-config/nfd-worker.conf.example b/deployment/components/worker-config/nfd-worker.conf.example index 45a3c7db2..0dfe03cba 100644 --- a/deployment/components/worker-config/nfd-worker.conf.example +++ b/deployment/components/worker-config/nfd-worker.conf.example @@ -47,6 +47,7 @@ # - "SSE4" # - "SSE42" # - "SSSE3" +# - "TDX_GUEST" # attributeWhitelist: # kernel: # kconfigFile: "/path/to/kconfig" diff --git a/deployment/helm/node-feature-discovery/values.yaml b/deployment/helm/node-feature-discovery/values.yaml index 0c7d36d54..d2f5c965e 100644 --- a/deployment/helm/node-feature-discovery/values.yaml +++ b/deployment/helm/node-feature-discovery/values.yaml @@ -164,6 +164,7 @@ worker: # - "SSE4" # - "SSE42" # - "SSSE3" + # - "TDX_GUEST" # attributeWhitelist: # kernel: # kconfigFile: "/path/to/kconfig" diff --git a/docs/reference/worker-configuration-reference.md b/docs/reference/worker-configuration-reference.md index 540172caf..05bf461fe 100644 --- a/docs/reference/worker-configuration-reference.md +++ b/docs/reference/worker-configuration-reference.md @@ -268,7 +268,7 @@ Note: overridden by `sources.cpu.cpuid.attributeWhitelist` (if specified) Default: `[BMI1, BMI2, CLMUL, CMOV, CX16, ERMS, F16C, HTT, LZCNT, MMX, MMXEXT, NX, POPCNT, RDRAND, RDSEED, RDTSCP, SGX, SGXLC, SSE, SSE2, SSE3, SSE4.1, -SSE4.2, SSSE3]` +SSE4.2, SSSE3, TDX_GUEST]` Example: diff --git a/docs/usage/customization-guide.md b/docs/usage/customization-guide.md index 531aa6cad..c614ab175 100644 --- a/docs/usage/customization-guide.md +++ b/docs/usage/customization-guide.md @@ -711,6 +711,7 @@ The following features are available for matching: | | | **`se.enabled`** | bool | `true` if IBM Secure Execution for Linux is available and has been enabled, otherwise does not exist | | | **`tdx.enabled`** | bool | `true` if Intel TDX (Trusted Domain Extensions) is available on the host and has been enabled, otherwise does not exist | | | **`tdx.total_keys`** | int | The total amount of keys an Intel TDX (Trusted Domain Extensions) host can provide. It's only present if `tdx.enabled` is `true`. +| | | **`tdx.protected`** | bool | `true` if a guest VM was started using Intel TDX (Trusted Domain Extensions), otherwise does not exist. | | | **`sev.enabled`** | bool | `true` if AMD SEV (Secure Encrypted Virtualization) is available on the host and has been enabled, otherwise does not exist | | | **`sev.es.enabled`** | bool | `true` if AMD SEV-ES (Encrypted State supported) is available on the host and has been enabled, otherwise does not exist | | | **`sev.snp.enabled`** | bool | `true` if AMD SEV-SNP (Secure Nested Paging supported) is available on the host and has been enabled, otherwise does not exist diff --git a/docs/usage/features.md b/docs/usage/features.md index 0e67e3d29..a214346fc 100644 --- a/docs/usage/features.md +++ b/docs/usage/features.md @@ -58,6 +58,7 @@ option of nfd-worker. | **`cpu-security.sgx.enabled`** | true | Set to 'true' if Intel SGX is enabled in BIOS (based on a non-zero sum value of SGX EPC section sizes). | **`cpu-security.se.enabled`** | true | Set to 'true' if IBM Secure Execution for Linux (IBM Z & LinuxONE) is available and enabled (requires `/sys/firmware/uv/prot_virt_host` facility) | **`cpu-security.tdx.enabled`** | true | Set to 'true' if Intel TDX is available on the host and has been enabled (requires `/sys/module/kvm_intel/parameters/tdx`). +| **`cpu-security.tdx.protected`** | true | Set to 'true' if Intel TDX was used to start the guest node, based on the existence of the "TDX_GUEST" information as part of cpuid features. | **`cpu-security.sev.enabled`** | true | Set to 'true' if ADM SEV is available on the host and has been enabled (requires `/sys/module/kvm_amd/parameters/sev`). | **`cpu-security.sev.es.enabled`** | true | Set to 'true' if ADM SEV-ES is available on the host and has been enabled (requires `/sys/module/kvm_amd/parameters/sev_es`). | **`cpu-security.sev.snp.enabled`**| true | Set to 'true' if ADM SEV-SNP is available on the host and has been enabled (requires `/sys/module/kvm_amd/parameters/sev_snp`). @@ -124,7 +125,7 @@ configuration options for details. By default, the following CPUID flags have been blacklisted: BMI1, BMI2, CLMUL, CMOV, CX16, ERMS, F16C, HTT, LZCNT, MMX, MMXEXT, NX, POPCNT, RDRAND, RDSEED, -RDTSCP, SGX, SSE, SSE2, SSE3, SSE4, SSE42 and SSSE3. See +RDTSCP, SGX, SSE, SSE2, SSE3, SSE4, SSE42, SSSE3 and TDX_GUEST. See [`sources.cpu`](../reference/worker-configuration-reference.md#sourcescpu) configuration options to change the behavior. diff --git a/source/cpu/cpu.go b/source/cpu/cpu.go index ae47bb266..b8ae08310 100644 --- a/source/cpu/cpu.go +++ b/source/cpu/cpu.go @@ -89,6 +89,7 @@ func newDefaultConfig() *Config { "SSE4", "SSE42", "SSSE3", + "TDX_GUEST", }, AttributeWhitelist: []string{}, }, diff --git a/source/cpu/security_amd64.go b/source/cpu/security_amd64.go index 0017407a2..7422739f9 100644 --- a/source/cpu/security_amd64.go +++ b/source/cpu/security_amd64.go @@ -53,6 +53,10 @@ func discoverSecurity() map[string]string { } } + if tdxProtected() { + elems["tdx.protected"] = "true" + } + if sevParameterEnabled("sev") { elems["sev.enabled"] = "true" @@ -102,6 +106,10 @@ func tdxEnabled() bool { return false } +func tdxProtected() bool { + return cpuid.CPU.Has(cpuid.TDX_GUEST) +} + func sevParameterEnabled(parameter string) bool { // SEV-SNP is supported and enabled when the kvm module `sev_snp` parameter is set to `Y` // SEV-SNP support infers SEV (-ES) support