From e8a00ba7dac8ebdc7acb56d45454a2d09a6e88bf Mon Sep 17 00:00:00 2001
From: Hairong Chen
Date: Fri, 2 Jun 2023 11:01:10 +0200
Subject: [PATCH] cpu: Discover TDX guests based on cpuid information
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

NFD already has the capability to discover whether baremetal / host machines support Intel TDX. Now, the next step is to add support for discovering whether a node is TDX protected (as in, a virtual machine started using Intel TDX). In order to do so, we've decided to go for a new `cpu-security.tdx` property, called `protected` (`cpu-security.tdx.protected`).

Signed-off-by: Hairong Chen
Signed-off-by: Fabiano FidĂȘncio
---
 .../components/worker-config/nfd-worker.conf.example | 1 +
 deployment/helm/node-feature-discovery/values.yaml | 1 +
 docs/reference/worker-configuration-reference.md | 2 +-
 docs/usage/customization-guide.md | 1 +
 docs/usage/features.md | 3 ++-
 source/cpu/cpu.go | 1 +
 source/cpu/security_amd64.go | 8 ++++++++
 7 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/deployment/components/worker-config/nfd-worker.conf.example b/deployment/components/worker-config/nfd-worker.conf.example
index 45a3c7db2..0dfe03cba 100644
--- a/deployment/components/worker-config/nfd-worker.conf.example
+++ b/deployment/components/worker-config/nfd-worker.conf.example
@@ -47,6 +47,7 @@
 # - "SSE4"
 # - "SSE42"
 # - "SSSE3"
+# - "TDX_GUEST"
 # attributeWhitelist:
 # kernel:
 # kconfigFile: "/path/to/kconfig"
diff --git a/deployment/helm/node-feature-discovery/values.yaml b/deployment/helm/node-feature-discovery/values.yaml
index 0c7d36d54..d2f5c965e 100644
--- a/deployment/helm/node-feature-discovery/values.yaml
+++ b/deployment/helm/node-feature-discovery/values.yaml
@@ -164,6 +164,7 @@ worker:
 # - "SSE4"
 # - "SSE42"
 # - "SSSE3"
+ # - "TDX_GUEST"
 # attributeWhitelist:
 # kernel:
 # kconfigFile: "/path/to/kconfig"
diff --git a/docs/reference/worker-configuration-reference.md b/docs/reference/worker-configuration-reference.md
index 540172caf..05bf461fe 100644
--- a/docs/reference/worker-configuration-reference.md
+++ b/docs/reference/worker-configuration-reference.md
@@ -268,7 +268,7 @@ Note: overridden by `sources.cpu.cpuid.attributeWhitelist` (if specified)
 Default: `[BMI1, BMI2, CLMUL, CMOV, CX16, ERMS, F16C, HTT, LZCNT, MMX, MMXEXT, NX, POPCNT, RDRAND, RDSEED, RDTSCP, SGX, SGXLC, SSE, SSE2, SSE3, SSE4.1,
-SSE4.2, SSSE3]`
+SSE4.2, SSSE3, TDX_GUEST]`
 Example:
diff --git a/docs/usage/customization-guide.md b/docs/usage/customization-guide.md
index 531aa6cad..c614ab175 100644
--- a/docs/usage/customization-guide.md
+++ b/docs/usage/customization-guide.md
@@ -711,6 +711,7 @@ The following features are available for matching:
 | | | **`se.enabled`** | bool | `true` if IBM Secure Execution for Linux is available and has been enabled, otherwise does not exist
 | | | **`tdx.enabled`** | bool | `true` if Intel TDX (Trusted Domain Extensions) is available on the host and has been enabled, otherwise does not exist
 | | | **`tdx.total_keys`** | int | The total amount of keys an Intel TDX (Trusted Domain Extensions) host can provide. It's only present if `tdx.enabled` is `true`.
+| | | **`tdx.protected`** | bool | `true` if a guest VM was started using Intel TDX (Trusted Domain Extensions), otherwise does not exist.
 | | | **`sev.enabled`** | bool | `true` if AMD SEV (Secure Encrypted Virtualization) is available on the host and has been enabled, otherwise does not exist
 | | | **`sev.es.enabled`** | bool | `true` if AMD SEV-ES (Encrypted State supported) is available on the host and has been enabled, otherwise does not exist
 | | | **`sev.snp.enabled`** | bool | `true` if AMD SEV-SNP (Secure Nested Paging supported) is available on the host and has been enabled, otherwise does not exist
diff --git a/docs/usage/features.md b/docs/usage/features.md
index 0e67e3d29..a214346fc 100644
--- a/docs/usage/features.md
+++ b/docs/usage/features.md
@@ -58,6 +58,7 @@ option of nfd-worker.
 | **`cpu-security.sgx.enabled`** | true | Set to 'true' if Intel SGX is enabled in BIOS (based on a non-zero sum value of SGX EPC section sizes).
 | **`cpu-security.se.enabled`** | true | Set to 'true' if IBM Secure Execution for Linux (IBM Z & LinuxONE) is available and enabled (requires `/sys/firmware/uv/prot_virt_host` facility)
 | **`cpu-security.tdx.enabled`** | true | Set to 'true' if Intel TDX is available on the host and has been enabled (requires `/sys/module/kvm_intel/parameters/tdx`).
+| **`cpu-security.tdx.protected`** | true | Set to 'true' if Intel TDX was used to start the guest node, based on the existence of the "TDX_GUEST" information as part of cpuid features.
 | **`cpu-security.sev.enabled`** | true | Set to 'true' if ADM SEV is available on the host and has been enabled (requires `/sys/module/kvm_amd/parameters/sev`).
 | **`cpu-security.sev.es.enabled`** | true | Set to 'true' if ADM SEV-ES is available on the host and has been enabled (requires `/sys/module/kvm_amd/parameters/sev_es`).
 | **`cpu-security.sev.snp.enabled`**| true | Set to 'true' if ADM SEV-SNP is available on the host and has been enabled (requires `/sys/module/kvm_amd/parameters/sev_snp`).
@@ -124,7 +125,7 @@ configuration options for details.
 By default, the following CPUID flags have been blacklisted: BMI1, BMI2, CLMUL, CMOV, CX16, ERMS, F16C, HTT, LZCNT, MMX, MMXEXT, NX, POPCNT, RDRAND, RDSEED,
-RDTSCP, SGX, SSE, SSE2, SSE3, SSE4, SSE42 and SSSE3. See
+RDTSCP, SGX, SSE, SSE2, SSE3, SSE4, SSE42, SSSE3 and TDX_GUEST. See
 [`sources.cpu`](../reference/worker-configuration-reference.md#sourcescpu) configuration options to change the behavior.
diff --git a/source/cpu/cpu.go b/source/cpu/cpu.go
index ae47bb266..b8ae08310 100644
--- a/source/cpu/cpu.go
+++ b/source/cpu/cpu.go
@@ -89,6 +89,7 @@ func newDefaultConfig() *Config {
 "SSE4",
 "SSE42",
 "SSSE3",
+ "TDX_GUEST",
 },
 AttributeWhitelist: []string{},
 },
diff --git a/source/cpu/security_amd64.go b/source/cpu/security_amd64.go
index 0017407a2..7422739f9 100644
--- a/source/cpu/security_amd64.go
+++ b/source/cpu/security_amd64.go
@@ -53,6 +53,10 @@ func discoverSecurity() map[string]string {
 }
 }
 
+ if tdxProtected() {
+ elems["tdx.protected"] = "true"
+ }
+
 if sevParameterEnabled("sev") {
 elems["sev.enabled"] = "true"
 
@@ -102,6 +106,10 @@ func tdxEnabled() bool {
 return false
 }
 
+func tdxProtected() bool {
+ return cpuid.CPU.Has(cpuid.TDX_GUEST)
+}
+
 func sevParameterEnabled(parameter string) bool {
 // SEV-SNP is supported and enabled when the kvm module `sev_snp` parameter is set to `Y`
 // SEV-SNP support infers SEV (-ES) support
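Review bot: `tdxProtected` derives the `protected` label from a single guest-visible CPUID feature with no corroboration, and it carries no doc comment, unlike `tdxEnabled` and `sevParameterEnabled` around it. Inside a genuine trust domain the TDX module answers that CPUID query, but a conventional VM receives whatever its VMM chooses to report, so a hostile or misconfigured host can present the same TDX_GUEST signature to a guest it fully controls; the label is therefore a self-reported scheduling hint, not evidence that the node is confidential. I would add above the function `// tdxProtected reports whether this node itself runs as an Intel TDX guest (trust domain), judged solely by the TDX_GUEST cpuid feature the guest observes.` followed by `// The value is self-reported by the node and is not an attestation: workloads that need TDX guarantees must verify a TD quote rather than trust this label.`, and repeat that caveat in the `cpu-security.tdx.protected` row of docs/usage/features.md. How `cpuid.TDX_GUEST` is recognized lives in the cpuid library and is not visible here (presumably the CPUID leaf 0x21 `IntelTDX` signature), so the comment should not promise more than the feature bit. `tdxEnabled` begins and `sevParameterEnabled` continues outside this hunk.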