
cpu: re-organize security features

Move existing security/trusted-execution related features (i.e. SGX and
SE) under the same "security" feature, deprecating the old features. The
motivation for the change is to keep the source code and user interface
more organized as we experience a constant inflow of similar security
related features. This change will affect the user interface so it is
less painful to do it early on.

New feature labels will be:

  feature.node.kubernetes.io/cpu-security.se.enabled
  feature.node.kubernetes.io/cpu-security.sgx.enabled

and correspondingly new "cpu.security" feature with "se.enabled" and
"sgx.enabled" elements will be available for custom rules, for example:

      - name: "sample sgx rule"
        labels:
          sgx.sample.feature: "true"
        matchFeatures:
          - feature: cpu.security
            matchExpressions:
              "sgx.enabled": {op: IsTrue}

At the same time, deprecate the old "cpu-sgx.enabled" and
"cpu-se.enabled" feature labels and the corresponding features for
custom rules. These will be removed in the future, causing an effective
change in NFD's user interface.
Markus Lehtonen 2022-06-28 11:44:21 +03:00
parent 3b4c1b1793
commit f62b057bcd
7 changed files with 61 additions and 47 deletions


@ -488,12 +488,15 @@ The following features are available for matching:
| | | **`scaling`** | string | Active scaling_governor, possible values are 'powersave' or 'performance'.
| **`cpu.rdt`** | flag | | | Intel RDT capabilities supported by the system
| | | **`<rdt-flag>`** | | RDT capability is supported, see [RDT flags](../get-started/features#intel-rdt-flags) for details
| **`cpu.sgx`** | attribute | | | Intel SGX (Software Guard Extensions) capabilities
| | | **`enabled`** | bool | `true` if Intel SGX has been enabled, otherwise does not exist
| **`cpu.security`** | attribute | | | Features related to security and trusted execution environments
| | | **`sgx.enabled`** | bool | `true` if Intel SGX (Software Guard Extensions) has been enabled, otherwise does not exist
| | | **`se.enabled`** | bool | `true` if IBM Secure Execution for Linux is available and has been enabled, otherwise does not exist
| **`cpu.sgx`** | attribute | | | **DEPRECATED**: replaced by **`cpu.security`** feature
| | | **`enabled`** | bool | **DEPRECATED**: use **`sgx.enabled`** from **`cpu.security`** instead
| **`cpu.sst`** | attribute | | | Intel SST (Speed Select Technology) capabilities
| | | **`bf.enabled`** | bool | `true` if Intel SST-BF (Intel Speed Select Technology - Base frequency) has been enabled, otherwise does not exist
| **`cpu.se`** | attribute | | | IBM Secure Execution for Linux (IBM Z & LinuxONE)
| | | **`enabled`** | bool | `true` if IBM Secure Execution for Linux is available and has been enabled, otherwise does not exist
| **`cpu.se`** | attribute | | | **DEPRECATED**: replaced by **`cpu.security`** feature
| | | **`enabled`** | bool | **DEPRECATED**: use **`se.enabled`** from **`cpu.security`** instead
| **`cpu.topology`** | attribute | | | CPU topology related features
| | | **`hardware_multithreading`** | bool | Hardware multithreading, such as Intel HTT, is enabled
| **`kernel.config`** | attribute | | | Kernel configuration options


@ -50,8 +50,10 @@ such as restricting discovered features with the -label-whitelist option.*
| **`cpu-pstate.scaling_governor`** | string | The value of the Intel pstate scaling_governor when in use, either 'powersave' or 'performance'.
| **`cpu-cstate.enabled`** | bool | Set to 'true' if cstates are set in the intel_idle driver, otherwise set to 'false'. Unset if intel_idle cpuidle driver is not active.
| **`cpu-rdt.<rdt-flag>`** | true | [Intel RDT][intel-rdt] capability is supported. See [RDT flags](#intel-rdt-flags) for details.
| **`cpu-sgx.enabled`** | true | Set to 'true' if Intel SGX is enabled in BIOS (based a non-zero sum value of SGX EPC section sizes).
| **`cpu-se.enabled`** | true | Set to 'true' if IBM Secure Execution for Linux (IBM Z & LinuxONE) is available and enabled (requires `/sys/firmware/uv/prot_virt_host` facility)
| **`cpu-security.sgx.enabled`** | true | Set to 'true' if Intel SGX is enabled in BIOS (based a non-zero sum value of SGX EPC section sizes).
| **`cpu-security.se.enabled`** | true | Set to 'true' if IBM Secure Execution for Linux (IBM Z & LinuxONE) is available and enabled (requires `/sys/firmware/uv/prot_virt_host` facility)
| **`cpu-sgx.enabled`** | true | **DEPRECATED**: use **`cpu-security.sgx.enabled`** instead.
| **`cpu-se.enabled`** | true | **DEPRECATED**: use **`cpu-security.se.enabled`** instead.
| **`cpu-model.vendor_id`** | string | Comparable CPU vendor ID.
| **`cpu-model.family`** | int | CPU family.
| **`cpu-model.id`** | int | CPU model number.


@ -38,8 +38,9 @@ const (
CstateFeature = "cstate"
PstateFeature = "pstate"
RdtFeature = "rdt"
SeFeature = "se"
SgxFeature = "sgx"
SeFeature = "se" // DEPRECATED in v0.12: will be removed in the future
SecurityFeature = "security"
SgxFeature = "sgx" // DEPRECATED in v0.12: will be removed in the future
SstFeature = "sst"
TopologyFeature = "topology"
)
@ -165,6 +166,11 @@ func (s *cpuSource) GetLabels() (source.FeatureLabels, error) {
labels["rdt."+k] = true
}
// Security
for k, v := range features.Values[SecurityFeature].Elements {
labels["security."+k] = v
}
// SGX
for k, v := range features.Values[SgxFeature].Elements {
labels["sgx."+k] = v
@ -217,10 +223,21 @@ func (s *cpuSource) Discover() error {
s.features.Keys[RdtFeature] = feature.NewKeyFeatures(discoverRDT()...)
// Detect SGX features
s.features.Values[SgxFeature] = feature.NewValueFeatures(discoverSGX())
s.features.Values[SecurityFeature] = feature.NewValueFeatures(discoverSecurity())
// Detect SGX features
//
// DEPRECATED in v0.12: will be removed in the future
if val, ok := s.features.Values[SecurityFeature].Elements["sgx.enabled"]; ok {
s.features.Values[SgxFeature] = feature.NewValueFeatures(map[string]string{"enabled": val})
}
// Detect Secure Execution features
s.features.Values[SeFeature] = feature.NewValueFeatures(discoverSE())
//
// DEPRECATED in v0.12: will be removed in the future
if val, ok := s.features.Values[SecurityFeature].Elements["se.enabled"]; ok {
s.features.Values[SeFeature] = feature.NewValueFeatures(map[string]string{"enabled": val})
}
// Detect SST features
s.features.Values[SstFeature] = feature.NewValueFeatures(discoverSST())
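Review bot: The comment `// Detect SGX features` that now precedes the deprecated block (and `// Detect Secure Execution features` before the SE block) no longer describes the code beneath it — nothing is detected there; the value is copied from the `security` feature populated on the line above. Suggest `// Populate the deprecated "sgx" feature from cpu.security's "sgx.enabled" element` and the matching wording for "se", keeping the existing `DEPRECATED in v0.12` line. Because the copy happens only when the element is present, a node without SGX/SE gets neither the new nor the deprecated entry, which matches the "otherwise does not exist" wording in the docs; and since both label families derive from one discovered element they cannot disagree on a node. Discover's body starts and ends outside the hunk, so whether `s.features` is reset at the top of each call (which would matter for stale deprecated entries) cannot be confirmed from here.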


@ -1,25 +0,0 @@
//go:build !s390x
// +build !s390x
/*
Copyright 2022 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package cpu
// Secure Execution is exclusive to s390x
func discoverSE() map[string]string {
return nil
}


@ -23,10 +23,18 @@ import (
"github.com/klauspost/cpuid/v2"
)
func discoverSGX() map[string]string {
var epcSize uint64
sgx := make(map[string]string)
func discoverSecurity() map[string]string {
elems := make(map[string]string)
if sgxEnabled() {
elems["sgx.enabled"] = "true"
}
return elems
}
func sgxEnabled() bool {
var epcSize uint64
if cpuid.CPU.SGX.Available {
for _, s := range cpuid.CPU.SGX.EPCSections {
epcSize += s.EPCSize
@ -39,8 +47,8 @@ func discoverSGX() map[string]string {
// allocates "Processor Reserved Memory" for SGX EPC so we rely on > 0
// size here to set "SGX = enabled".
if epcSize > 0 {
sgx["enabled"] = "true"
return true
}
return sgx
return false
}
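Review bot: Neither `discoverSecurity` nor the new `sgxEnabled` helper in the first hunk carries a doc comment, and the reason EPC size stands in for "enabled" is only explained in the loop in the second hunk. Suggest `// sgxEnabled reports whether Intel SGX is enabled, judged by a non-zero total EPC section size as reported by cpuid; BIOS reserves EPC memory only when SGX is enabled.` on the helper, and `// discoverSecurity returns the "security" feature elements detectable on amd64 (currently only "sgx.enabled").` on the caller. The first hunk ends inside sgxEnabled's loop; the rest of its body is in the second hunk.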


@ -25,16 +25,25 @@ import (
"sigs.k8s.io/node-feature-discovery/source"
)
func discoverSE() map[string]string {
se := make(map[string]string)
func discoverSecurity() map[string]string {
elems := make(map[string]string)
if seEnabled() {
elems["se.enabled"] = "true"
}
return elems
}
func seEnabled() bool {
// This file is available in kernels >=5.12 + backports. Skip specifically
// checking facilities and kernel command lines and just assume Secure
// Execution to be unavailable or disabled if the file is not present.
protVirtHost := source.SysfsDir.Path("firmware/uv/prot_virt_host")
if content, err := os.ReadFile(protVirtHost); err == nil {
if string(content) == "1\n" {
se["enabled"] = "true"
return true
}
}
return se
return false
}
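Review bot: `seEnabled` reports enabled only when the sysfs file content is byte-exactly `"1\n"`; a value without the trailing newline would be treated as disabled with no indication, and since the node would then simply lack the `cpu-security.se.enabled` label, the discrepancy would be hard to notice. The comparison predates this commit, but as the helper is being introduced it would be cheap to harden: `if strings.TrimSpace(string(content)) == "1" {` (this needs `strings` in the import block, which begins outside the hunk). The helper also lacks a doc comment; suggest `// seEnabled reports whether IBM Secure Execution is enabled, based on the sysfs firmware/uv/prot_virt_host flag; a missing file is treated as unavailable.`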


@ -1,5 +1,5 @@
//go:build !amd64
// +build !amd64
//go:build !(amd64 || s390x)
// +build !amd64,!s390x
/*
Copyright 2021 The Kubernetes Authors.
@ -19,6 +19,6 @@ limitations under the License.
package cpu
func discoverSGX() map[string]string {
func discoverSecurity() map[string]string {
return nil
}