
cpu: make SGX EPC resource available to NodeFeatureRules
Signed-off-by: Mikko Ylinen <[email protected]>
mythi committed Apr 14, 2023
1 parent cb604b8 commit de1b69a
Showing 4 changed files with 12 additions and 14 deletions.
1 change: 1 addition & 0 deletions docs/usage/customization-guide.md
Expand Up @@ -675,6 +675,7 @@ The following features are available for matching:
| | | **`RDTL3CA_NUM_CLOSID`** | int | The number or available CLOSID (Class of service ID) for Intel L3 Cache Allocation Technology
| **`cpu.security`** | attribute | | | Features related to security and trusted execution environments
| | | **`sgx.enabled`** | bool | `true` if Intel SGX (Software Guard Extensions) has been enabled, otherwise does not exist
| | | **`sgx.epc`** | int | The total amount Intel SGX Encrypted Page Cache memory in bytes. It's only present if `sgx.enabled` is `true`.
| | | **`se.enabled`** | bool | `true` if IBM Secure Execution for Linux is available and has been enabled, otherwise does not exist
| | | **`tdx.enabled`** | bool | `true` if Intel TDX (Trusted Domain Extensions) is available on the host and has been enabled, otherwise does not exist
| | | **`tdx.total_keys`** | int | The total amount of keys an Intel TDX (Trusted Domain Extensions) host can provide. It's only present if `tdx.enabled` is `true`.
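Review bot: the new `sgx.epc` row has two documentation problems. EPC stands for Enclave Page Cache, not "Encrypted Page Cache", and the sentence is missing "of" (read: "The total amount of Intel SGX Enclave Page Cache memory in bytes"). Because cpu.go in this same commit adds `sgx.epc` to `skipLabel`, the row should also state that the attribute is available only to NodeFeatureRules and is not published as a node label, otherwise readers of this table will look for a label that never appears.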
2 changes: 1 addition & 1 deletion docs/usage/features.md
Expand Up @@ -55,7 +55,7 @@ option of nfd-worker.
| **`cpu-pstate.scaling_governor`** | string | The value of the Intel pstate scaling_governor when in use, either 'powersave' or 'performance'.
| **`cpu-cstate.enabled`** | bool | Set to 'true' if cstates are set in the intel_idle driver, otherwise set to 'false'. Unset if intel_idle cpuidle driver is not active.
| **`cpu-rdt.<rdt-flag>`** | true | **DEPRECATED** [Intel RDT][intel-rdt] capability is supported. See [RDT flags](customization-guide.md#intel-rdt-flags) for details.
| **`cpu-security.sgx.enabled`** | true | Set to 'true' if Intel SGX is enabled in BIOS (based a non-zero sum value of SGX EPC section sizes).
| **`cpu-security.sgx.enabled`** | true | Set to 'true' if Intel SGX is enabled in BIOS (based on a non-zero sum value of SGX EPC section sizes).
| **`cpu-security.se.enabled`** | true | Set to 'true' if IBM Secure Execution for Linux (IBM Z & LinuxONE) is available and enabled (requires `/sys/firmware/uv/prot_virt_host` facility)
| **`cpu-security.tdx.enabled`** | true | Set to 'true' if Intel TDX is available on the host and has been enabled (requires `/sys/module/kvm_intel/parameters/tdx`).
| **`cpu-security.sev.enabled`** | true | Set to 'true' if ADM SEV is available on the host and has been enabled (requires `/sys/module/kvm_intel/parameters/sev`).
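Review bot: the "based a" to "based on a" fix is correct, but the visible context lines of the same table carry two more defects worth folding into this change: "ADM SEV" should read "AMD SEV", and the path `/sys/module/kvm_intel/parameters/sev` is suspicious for an AMD feature, since the `sev` module parameter belongs to `kvm_amd` (`/sys/module/kvm_amd/parameters/sev`). Please check what the discovery code actually reads and make the documentation match it.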
2 changes: 1 addition & 1 deletion source/cpu/cpu.go
Expand Up @@ -176,7 +176,7 @@ func (s *cpuSource) GetLabels() (source.FeatureLabels, error) {
// Security
// skipLabel lists features that will not have labels created but are only made available for
// NodeFeatureRules (e.g. to be published via extended resources instead)
skipLabel := sets.NewString("tdx.total_keys")
skipLabel := sets.NewString("tdx.total_keys", "sgx.epc")
for k, v := range features.Attributes[SecurityFeature].Elements {
if !skipLabel.Has(k) {
labels["security."+k] = v
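Review bot: `skipLabel` is now the only place that decides which security attributes never become node labels, and the only record of that decision is this comment. Suggest a unit test asserting that GetLabels omits `security.sgx.epc` and `security.tdx.total_keys` while still emitting `security.sgx.enabled`, so a future change to the discovery code cannot leak a raw byte count (or key count) into a label by accident.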
21 changes: 9 additions & 12 deletions source/cpu/security_amd64.go
Expand Up @@ -34,8 +34,14 @@ import (
func discoverSecurity() map[string]string {
elems := make(map[string]string)

if sgxEnabled() {
// Set to 'true' based a non-zero sum value of SGX EPC section sizes. The
// kernel checks for IA32_FEATURE_CONTROL.SGX_ENABLE MSR bit but we can't
// do that as a normal user. Typically the BIOS, when enabling SGX,
// allocates "Processor Reserved Memory" for SGX EPC so we rely on > 0
// size here to set "SGX = enabled".
if epcSize := sgxEnabled(); epcSize > 0 {
elems["sgx.enabled"] = "true"
elems["sgx.epc"] = strconv.FormatUint(uint64(epcSize), 10)
}

if tdxEnabled() {
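Review bot: `uint64(epcSize)` on the `elems["sgx.epc"]` line is a redundant conversion, since `sgxEnabled()` now returns `uint64` already; `strconv.FormatUint(epcSize, 10)` is sufficient. Also confirm that `strconv` is already imported: the hunk header shows it starts inside the `import (` block, yet no import line is added in this commit, so the build depends on the import being present from earlier.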
Expand All @@ -62,24 +68,15 @@ func discoverSecurity() map[string]string {
return elems
}

func sgxEnabled() bool {
func sgxEnabled() uint64 {
var epcSize uint64
if cpuid.CPU.SGX.Available {
for _, s := range cpuid.CPU.SGX.EPCSections {
epcSize += s.EPCSize
}
}

// Set to 'true' based a non-zero sum value of SGX EPC section sizes. The
// kernel checks for IA32_FEATURE_CONTROL.SGX_ENABLE MSR bit but we can't
// do that as a normal user. Typically the BIOS, when enabling SGX,
// allocates "Processor Reserved Memory" for SGX EPC so we rely on > 0
// size here to set "SGX = enabled".
if epcSize > 0 {
return true
}

return false
return epcSize
}

func tdxEnabled() bool {
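Review bot: `sgxEnabled()` no longer returns a boolean, so its name now misdescribes what it does; rename it to something like `sgxEpcSize()` (a suggested name, not one from the code) so that `epcSize := sgxEnabled(); epcSize > 0` in the caller reads as the enablement heuristic it is rather than as a type mismatch. The type change itself is consistent: `s.EPCSize` is summed into a `uint64` and returned unchanged, and a zero total keeps the old "not enabled" meaning because the caller tests `> 0`.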
