diff --git a/docs/usage/customization-guide.md b/docs/usage/customization-guide.md index 4a13f79068..a9dc3a7006 100644 --- a/docs/usage/customization-guide.md +++ b/docs/usage/customization-guide.md @@ -607,6 +607,7 @@ The following features are available for matching: | | | **`sgx.enabled`** | bool | `true` if Intel SGX (Software Guard Extensions) has been enabled, otherwise does not exist | | | **`se.enabled`** | bool | `true` if IBM Secure Execution for Linux is available and has been enabled, otherwise does not exist | | | **`tdx.enabled`** | bool | `true` if Intel TDX (Trusted Domain Extensions) is available on the host and has been enabled, otherwise does not exist +| | | **`tdx.total_keys`** | int | The total amount of keys an Intel TDX (Trusted Domain Extensions) host can provide. It's only present if `tdx.enabled` is `true`. | | | **`sev.enabled`** | bool | `true` if AMD SEV (Secure Encrypted Virtualization) is available on the host and has been enabled, otherwise does not exist | | | **`sev.es.enabled`** | bool | `true` if AMD SEV-ES (Encrypted State supported) is available on the host and has been enabled, otherwise does not exist | | | **`sev.snp.enabled`** | bool | `true` if AMD SEV-SNP (Secure Nested Paging supported) is available on the host and has been enabled, otherwise does not exist diff --git a/docs/usage/features.md b/docs/usage/features.md index 464f9208c0..180e4899c0 100644 --- a/docs/usage/features.md +++ b/docs/usage/features.md @@ -58,6 +58,7 @@ option of nfd-worker. | **`cpu-security.sgx.enabled`** | true | Set to 'true' if Intel SGX is enabled in BIOS (based a non-zero sum value of SGX EPC section sizes). | **`cpu-security.se.enabled`** | true | Set to 'true' if IBM Secure Execution for Linux (IBM Z & LinuxONE) is available and enabled (requires `/sys/firmware/uv/prot_virt_host` facility) | **`cpu-security.tdx.enabled`** | true | Set to 'true' if Intel TDX is available on the host and has been enabled (requires `/sys/module/kvm_intel/parameters/tdx`). +| **`cpu-security.tdx.total_keys`** | int | The total amount of keys an Intel TDX enabled host can provide, based on the `/sys/fs/cgroup/misc.capacity` information. | **`cpu-security.sev.enabled`** | true | Set to 'true' if ADM SEV is available on the host and has been enabled (requires `/sys/module/kvm_intel/parameters/sev`). | **`cpu-security.sev.es.enabled`** | true | Set to 'true' if ADM SEV-ES is available on the host and has been enabled (requires `/sys/module/kvm_intel/parameters/sev_es`). | **`cpu-security.sev.snp.enabled`**| true | Set to 'true' if ADM SEV-SNP is available on the host and has been enabled (requires `/sys/module/kvm_intel/parameters/sev_snp`). diff --git a/source/cpu/security_amd64.go b/source/cpu/security_amd64.go index 1735a6b7f5..9f3437c55b 100644 --- a/source/cpu/security_amd64.go +++ b/source/cpu/security_amd64.go @@ -20,7 +20,11 @@ limitations under the License. package cpu import ( + "bufio" + "io" "os" + "strconv" + "strings" "github.com/klauspost/cpuid/v2" @@ -36,6 +40,11 @@ func discoverSecurity() map[string]string { if tdxEnabled() { elems["tdx.enabled"] = "true" + + tdxTotalKeys := getCgroupMiscCapacity("tdx") + if tdxTotalKeys > -1 { + elems["tdx.total_keys"] = strconv.FormatInt(int64(tdxTotalKeys), 10) + } } if sevParameterEnabled("sev") { @@ -97,3 +106,40 @@ func sevParameterEnabled(parameter string) bool { } return false } + +func getCgroupMiscCapacity(resource string) int64 { + var totalResources int64 = -1 + + miscCgroups := hostpath.SysfsDir.Path("fs/cgroup/misc.capacity") + f, err := os.Open(miscCgroups) + if err != nil { + return totalResources + } + defer f.Close() + + r := bufio.NewReader(f) + for { + line, _, err := r.ReadLine() + if err != nil { + if err == io.EOF { + break + } + return totalResources + } + + if !strings.HasPrefix(string(line), resource) { + continue + } + + s := strings.Split(string(line), " ") + resources, err := strconv.ParseInt(s[1], 10, 64) + if err != nil { + return totalResources + } + + totalResources = resources + break + } + + return totalResources +}