cpu: Discover Intel TDX #830
Welcome @fidencio!
Hi @fidencio. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/ok-to-test
/assign
/lgtm
LGTM, one small typo
ac9f6de to dd5e28e
/lgtm
/lgtm
Thanks @fidencio for the PR and sorry for the silence 😇 I think this PR basically looks good when looking at it in isolation. However, in a broader perspective I'm growing nervous about the organization of all the somewhat cluttered features regarding security/trusted-execution. No need to solve it as part of this PR, though 😊 I created #832 to track the "re-organization issue". I'd really want to get that resolved before the next release. In terms of code it's not a huge deal (if we decide to do that) but I'd definitely like to hear your opinion on that. When it comes to this PR (#830), I'd probably keep it open for now, just to incentivize us to get #832 resolved (sorry about that 🙄)
@marquiz Agree, see my comment on #790 (comment) enabling PEF for Power. We need to come up with more structure, especially when starting to add ARM CCA and AMD SNP support :) Especially SNP has some sub-features that will extend the list of labels quite a lot.
dd5e28e to e282ed2
e282ed2 to 78f3ae0
Thanks @fidencio for working on this. Took a bit longer than expected because of the "security label reshuffling" 😊 But now I think we could get this in.
docs/advanced/customization-guide.md
@@ -491,6 +491,7 @@ The following features are available for matching: | |||
| **`cpu.security`** | attribute | | | Features related to security and trusted execution environments | |||
| | | **`sgx.enabled`** | bool | `true` if Intel SGX (Software Guard Extensions) has been enabled, otherwise does not exist | |||
| | | **`se.enabled`** | bool | `true` if IBM Secure Execution for Linux is available and has been enabled, otherwise does not exist | |||
| | | **`tdx.enabled`** | bool | `true` if Intel TDX (Trusted Domain Extensions) is available and has been enabled, otherwise does not exist |
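Review bot: the feature key introduced by this row, `tdx.enabled` under `cpu.security`, does not match the label named in the commit message (`cpu-security.tdx.enable`, and later `cpu.tdx-enable`); the docs row, features.md and the commit message should agree on one name before this merges. Since the commit message says detection reads `/sys/module/kvm_intel/parameters/tdx`, the row describes whether the host's KVM module has TDX enabled, not whether the node itself runs as a TD; wording it as "available on the host and has been enabled" removes that ambiguity, and the "otherwise does not exist" clause should likewise match what the commit message says happens when TDX is absent (it states the label is set to `false`).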
While this follows how it's written for `se.enabled`, I think it'd be good to clarify this label is available on the host and not that it's a "node is a TD":
- | | | **`tdx.enabled`** | bool | `true` if Intel TDX (Trusted Domain Extensions) is available and has been enabled, otherwise does not exist |
+ | | | **`tdx.enabled`** | bool | `true` if Intel TDX (Trusted Domain Extensions) is available on the host and has been enabled, otherwise does not exist |
Ditto for features.md.
Set `cpu-security.tdx.enable` to `true` when TDX is available and has been enabled, otherwise it'll be set to `false`. `/sys/module/kvm_intel/parameters/tdx` presence and content is used to detect whether a CPU is Intel TDX capable. Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
78f3ae0 to d5db1cf
LGTM, thanks @fidencio
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: ArangoGutierrez, fidencio, marquiz, mythi. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/retest
1 similar comment
/retest
Set `cpu.tdx-enable` to `true` when TDX is available and has been enabled. `/sys/module/kvm_intel/parameters/tdx` presence and content is used to detect whether a CPU is Intel TDX capable.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>