mirror of
https://github.com/kubernetes-sigs/node-feature-discovery.git
synced 2024-12-14 11:57:51 +00:00
cpu: Discover TDX guests based on cpuid information
NFD already has the capability to discover whether baremetal / host machines support Intel TDX. Now, the next step is to add support for discovering whether a node is TDX protected (as in, a virtual machine started using Intel TDX). In order to do so, we've decided to go for a new `cpu-security.tdx` property, called `protected` (`cpu-security.tdx.protected`). Signed-off-by: Hairong Chen <hairong.chen@intel.com> Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
This commit is contained in:
parent
8a65d8f5a1
commit
e8a00ba7da
7 changed files with 15 additions and 2 deletions
|
@ -47,6 +47,7 @@
|
|||
# - "SSE4"
|
||||
# - "SSE42"
|
||||
# - "SSSE3"
|
||||
# - "TDX_GUEST"
|
||||
# attributeWhitelist:
|
||||
# kernel:
|
||||
# kconfigFile: "/path/to/kconfig"
|
||||
|
|
|
@ -164,6 +164,7 @@ worker:
|
|||
# - "SSE4"
|
||||
# - "SSE42"
|
||||
# - "SSSE3"
|
||||
# - "TDX_GUEST"
|
||||
# attributeWhitelist:
|
||||
# kernel:
|
||||
# kconfigFile: "/path/to/kconfig"
|
||||
|
|
|
@ -268,7 +268,7 @@ Note: overridden by `sources.cpu.cpuid.attributeWhitelist` (if specified)
|
|||
|
||||
Default: `[BMI1, BMI2, CLMUL, CMOV, CX16, ERMS, F16C, HTT, LZCNT, MMX, MMXEXT,
|
||||
NX, POPCNT, RDRAND, RDSEED, RDTSCP, SGX, SGXLC, SSE, SSE2, SSE3, SSE4.1,
|
||||
SSE4.2, SSSE3]`
|
||||
SSE4.2, SSSE3, TDX_GUEST]`
|
||||
|
||||
Example:
|
||||
|
||||
|
|
|
@ -711,6 +711,7 @@ The following features are available for matching:
|
|||
| | | **`se.enabled`** | bool | `true` if IBM Secure Execution for Linux is available and has been enabled, otherwise does not exist
|
||||
| | | **`tdx.enabled`** | bool | `true` if Intel TDX (Trusted Domain Extensions) is available on the host and has been enabled, otherwise does not exist
|
||||
| | | **`tdx.total_keys`** | int | The total amount of keys an Intel TDX (Trusted Domain Extensions) host can provide. It's only present if `tdx.enabled` is `true`.
|
||||
| | | **`tdx.protected`** | bool | `true` if a guest VM was started using Intel TDX (Trusted Domain Extensions), otherwise does not exist.
|
||||
| | | **`sev.enabled`** | bool | `true` if AMD SEV (Secure Encrypted Virtualization) is available on the host and has been enabled, otherwise does not exist
|
||||
| | | **`sev.es.enabled`** | bool | `true` if AMD SEV-ES (Encrypted State supported) is available on the host and has been enabled, otherwise does not exist
|
||||
| | | **`sev.snp.enabled`** | bool | `true` if AMD SEV-SNP (Secure Nested Paging supported) is available on the host and has been enabled, otherwise does not exist
|
||||
|
|
|
@ -58,6 +58,7 @@ option of nfd-worker.
|
|||
| **`cpu-security.sgx.enabled`** | true | Set to 'true' if Intel SGX is enabled in BIOS (based on a non-zero sum value of SGX EPC section sizes).
|
||||
| **`cpu-security.se.enabled`** | true | Set to 'true' if IBM Secure Execution for Linux (IBM Z & LinuxONE) is available and enabled (requires `/sys/firmware/uv/prot_virt_host` facility)
|
||||
| **`cpu-security.tdx.enabled`** | true | Set to 'true' if Intel TDX is available on the host and has been enabled (requires `/sys/module/kvm_intel/parameters/tdx`).
|
||||
| **`cpu-security.tdx.protected`** | true | Set to 'true' if Intel TDX was used to start the guest node, based on the existence of the "TDX_GUEST" information as part of cpuid features.
|
||||
| **`cpu-security.sev.enabled`** | true | Set to 'true' if ADM SEV is available on the host and has been enabled (requires `/sys/module/kvm_amd/parameters/sev`).
|
||||
| **`cpu-security.sev.es.enabled`** | true | Set to 'true' if ADM SEV-ES is available on the host and has been enabled (requires `/sys/module/kvm_amd/parameters/sev_es`).
|
||||
| **`cpu-security.sev.snp.enabled`**| true | Set to 'true' if ADM SEV-SNP is available on the host and has been enabled (requires `/sys/module/kvm_amd/parameters/sev_snp`).
|
||||
|
@ -124,7 +125,7 @@ configuration options for details.
|
|||
|
||||
By default, the following CPUID flags have been blacklisted: BMI1, BMI2, CLMUL,
|
||||
CMOV, CX16, ERMS, F16C, HTT, LZCNT, MMX, MMXEXT, NX, POPCNT, RDRAND, RDSEED,
|
||||
RDTSCP, SGX, SSE, SSE2, SSE3, SSE4, SSE42 and SSSE3. See
|
||||
RDTSCP, SGX, SSE, SSE2, SSE3, SSE4, SSE42, SSSE3 and TDX_GUEST. See
|
||||
[`sources.cpu`](../reference/worker-configuration-reference.md#sourcescpu)
|
||||
configuration options to change the behavior.
|
||||
|
||||
|
|
|
@ -89,6 +89,7 @@ func newDefaultConfig() *Config {
|
|||
"SSE4",
|
||||
"SSE42",
|
||||
"SSSE3",
|
||||
"TDX_GUEST",
|
||||
},
|
||||
AttributeWhitelist: []string{},
|
||||
},
|
||||
|
|
|
@ -53,6 +53,10 @@ func discoverSecurity() map[string]string {
|
|||
}
|
||||
}
|
||||
|
||||
if tdxProtected() {
|
||||
elems["tdx.protected"] = "true"
|
||||
}
|
||||
|
||||
if sevParameterEnabled("sev") {
|
||||
elems["sev.enabled"] = "true"
|
||||
|
||||
|
@ -102,6 +106,10 @@ func tdxEnabled() bool {
|
|||
return false
|
||||
}
|
||||
|
||||
func tdxProtected() bool {
|
||||
return cpuid.CPU.Has(cpuid.TDX_GUEST)
|
||||
}
|
||||
|
||||
func sevParameterEnabled(parameter string) bool {
|
||||
// SEV-SNP is supported and enabled when the kvm module `sev_snp` parameter is set to `Y`
|
||||
// SEV-SNP support infers SEV (-ES) support
|
||||
|
|
Loading…
Reference in a new issue