From 1af2d99c24e60b21f4c8e8ea63ed69523ebbbb16 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Fri, 2 Jun 2023 17:11:24 +0200 Subject: [PATCH] Add TDX Guest detection (#132) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We need to be able to detect that a guest is running using Intel TDX (Trusted Domain Extensions). As the TDX Guests have their own cpuid leaf (0x21, 0), we can easily detected them by checking its cpuid. THe information provided here can be confirmed in the Intel TDX Module v1.5 Base Architecture Specificication[0], section 11.2 "Guest TD Run Time Environment Enumeration". What we're exposing, in the end, is a new feature called "TDX_GUEST", and this is the result of running cpuid with this patch applied on a TDX guest VM, and on a "vanilla" guest VM. TDX Guest VM: ``` Name: Vendor String: GenuineIntel Vendor ID: Intel PhysicalCores: 0 Threads Per Core: 1 Logical Cores: 0 CPU Family 6 Model: 143 Stepping: 4 Features: ADX,AESNI,AMXBF16,AMXINT8,AMXTILE,AVX,AVX2,AVX512BF16,AVX512BITALG,AVXX 512BW,AVX512CD,AVX512DQ,AVX512F,AVX512FP16,AVX512IFMA,AVX512VBMI,AVX512VBMI2,AVXX 512VL,AVX512VNNI,AVX512VPOPCNTDQ,AVXVNNI,AVXVNNIINT8,BMI1,BMI2,CLDEMOTE,CLMUL,CMM OV,CMPSB_SCADBS_SHORT,CMPXCHG8,CX16,ERMS,F16C,FLUSH_L1D,FMA3,FSRM,FXSR,FXSROPT,GG FNI,HLE,HYPERVISOR,IA32_ARCH_CAP,IA32_CORE_CAP,IBPB,LAHF,LZCNT,MD_CLEAR,MMX,MOVBB E,MOVDIR64B,MOVDIRI,MOVSB_ZL,NX,OSXSAVE,POPCNT,PREFETCHI,RDRAND,RDSEED,RDTSCP,RTT M,SERIALIZE,SHA,SPEC_CTRL_SSBD,SSE,SSE2,SSE3,SSE4,SSE42,SSSE3,STIBP,STOSB_SHORT,, SYSCALL,SYSEE,TDX_GUEST,TSXLDTRK,VAES,VPCLMULQDQ,WAITPKG,WBNOINVD,X87,XGETBV1,XSS AVE,XSAVEC,XSAVEOPT,XSAVES Microarchitecture level: 4 Cacheline bytes: 64 L1 Instruction Cache: 32768 bytes L1 Data Cache: 32768 bytes L2 Cache: 4194304 bytes L3 Cache: 16777216 bytes Frequency: 1000000000 Hz ``` Vanilla Guest VM: ``` Name: Genuine Intel(R) CPU 0000%@ Vendor String: GenuineIntel Vendor ID: Intel PhysicalCores: 1 Threads Per Core: 1 Logical Cores: 1 CPU Family 6 Model: 143 Stepping: 4 Features: ADX,AESNI,AMXBF16,AMXINT8,AMXTILE,AVX,AVX2,AVX512BF16,AVX512BITALG,AVXX 512BW,AVX512CD,AVX512DQ,AVX512F,AVX512FP16,AVX512IFMA,AVX512VBMI,AVX512VBMI2,AVXX 512VL,AVX512VNNI,AVX512VPOPCNTDQ,AVXVNNI,AVXVNNIINT8,BMI1,BMI2,CLDEMOTE,CLMUL,CMM OV,CMPXCHG8,CX16,ERMS,F16C,FMA3,FSRM,FXSR,FXSROPT,GFNI,HLE,HYPERVISOR,IA32_ARCH__ CAP,IBPB,IBRS,LAHF,LZCNT,MD_CLEAR,MMX,MOVBE,MOVDIR64B,MOVDIRI,NX,OSXSAVE,POPCNT,, PREFETCHI,RDRAND,RDSEED,RDTSCP,RTM,SERIALIZE,SGX,SGXLC,SHA,SPEC_CTRL_SSBD,SSE,SSS E2,SSE3,SSE4,SSE42,SSSE3,STIBP,SYSCALL,SYSEE,TSXLDTRK,VAES,VMX,VPCLMULQDQ,WAITPKK G,WBNOINVD,X87,XGETBV1,XSAVE,XSAVEC,XSAVEOPT,XSAVES Microarchitecture level: 4 Cacheline bytes: 64 L1 Instruction Cache: 32768 bytes L1 Data Cache: 32768 bytes L2 Cache: 4194304 bytes L3 Cache: 16777216 bytes SGX: {Available:true LaunchControl:true SGX1Supported:true SGX2Supported:true Maa xEnclaveSizeNot64:2147483648 MaxEnclaveSize64:72057594037927936 EPCSections:[]} ``` [0]: https://cdrdv2.intel.com/v1/dl/getContent/733575 Signed-off-by: Fabiano FidĂȘncio --- README.md | 1 + cpuid.go | 8 ++++ featureid_string.go | 99 +++++++++++++++++++++++---------------------- 3 files changed, 59 insertions(+), 49 deletions(-) diff --git a/README.md b/README.md index 37b5167..accd7ab 100644 --- a/README.md +++ b/README.md @@ -435,6 +435,7 @@ Exit Code 1 | SYSCALL | System-Call Extension (SCE): SYSCALL and SYSRET instructions. | | SYSEE | SYSENTER and SYSEXIT instructions | | TBM | AMD Trailing Bit Manipulation | +| TDX_GUEST | Intel Trust Domain Extensions Guest | | TLB_FLUSH_NESTED | AMD: Flushing includes all the nested translations for guest translations | | TME | Intel Total Memory Encryption. The following MSRs are supported: IA32_TME_CAPABILITY, IA32_TME_ACTIVATE, IA32_TME_EXCLUDE_MASK, and IA32_TME_EXCLUDE_BASE. | | TOPEXT | TopologyExtensions: topology extensions support. Indicates support for CPUID Fn8000_001D_EAX_x[N:0]-CPUID Fn8000_001E_EDX. | diff --git a/cpuid.go b/cpuid.go index f57ee25..d015c74 100644 --- a/cpuid.go +++ b/cpuid.go @@ -226,6 +226,7 @@ const ( SYSCALL // System-Call Extension (SCE): SYSCALL and SYSRET instructions. SYSEE // SYSENTER and SYSEXIT instructions TBM // AMD Trailing Bit Manipulation + TDX_GUEST // Intel Trust Domain Extensions Guest TLB_FLUSH_NESTED // AMD: Flushing includes all the nested translations for guest translations TME // Intel Total Memory Encryption. The following MSRs are supported: IA32_TME_CAPABILITY, IA32_TME_ACTIVATE, IA32_TME_EXCLUDE_MASK, and IA32_TME_EXCLUDE_BASE. TOPEXT // TopologyExtensions: topology extensions support. Indicates support for CPUID Fn8000_001D_EAX_x[N:0]-CPUID Fn8000_001E_EDX. @@ -1393,6 +1394,13 @@ func support() flagSet { fs.setIf((a>>24)&1 == 1, VMSA_REGPROT) } + if mfi >= 0x21 { + // Intel Trusted Domain Extensions Guests have their own cpuid leaf (0x21). + _, ebx, ecx, edx := cpuid(0x21) + identity := string(valAsString(ebx, edx, ecx)) + fs.setIf(identity == "IntelTDX ", TDX_GUEST) + } + return fs } diff --git a/featureid_string.go b/featureid_string.go index 2a27f44..024c706 100644 --- a/featureid_string.go +++ b/featureid_string.go @@ -166,59 +166,60 @@ func _() { _ = x[SYSCALL-156] _ = x[SYSEE-157] _ = x[TBM-158] - _ = x[TLB_FLUSH_NESTED-159] - _ = x[TME-160] - _ = x[TOPEXT-161] - _ = x[TSCRATEMSR-162] - _ = x[TSXLDTRK-163] - _ = x[VAES-164] - _ = x[VMCBCLEAN-165] - _ = x[VMPL-166] - _ = x[VMSA_REGPROT-167] - _ = x[VMX-168] - _ = x[VPCLMULQDQ-169] - _ = x[VTE-170] - _ = x[WAITPKG-171] - _ = x[WBNOINVD-172] - _ = x[WRMSRNS-173] - _ = x[X87-174] - _ = x[XGETBV1-175] - _ = x[XOP-176] - _ = x[XSAVE-177] - _ = x[XSAVEC-178] - _ = x[XSAVEOPT-179] - _ = x[XSAVES-180] - _ = x[AESARM-181] - _ = x[ARMCPUID-182] - _ = x[ASIMD-183] - _ = x[ASIMDDP-184] - _ = x[ASIMDHP-185] - _ = x[ASIMDRDM-186] - _ = x[ATOMICS-187] - _ = x[CRC32-188] - _ = x[DCPOP-189] - _ = x[EVTSTRM-190] - _ = x[FCMA-191] - _ = x[FP-192] - _ = x[FPHP-193] - _ = x[GPA-194] - _ = x[JSCVT-195] - _ = x[LRCPC-196] - _ = x[PMULL-197] - _ = x[SHA1-198] - _ = x[SHA2-199] - _ = x[SHA3-200] - _ = x[SHA512-201] - _ = x[SM3-202] - _ = x[SM4-203] - _ = x[SVE-204] - _ = x[lastID-205] + _ = x[TDX_GUEST-159] + _ = x[TLB_FLUSH_NESTED-160] + _ = x[TME-161] + _ = x[TOPEXT-162] + _ = x[TSCRATEMSR-163] + _ = x[TSXLDTRK-164] + _ = x[VAES-165] + _ = x[VMCBCLEAN-166] + _ = x[VMPL-167] + _ = x[VMSA_REGPROT-168] + _ = x[VMX-169] + _ = x[VPCLMULQDQ-170] + _ = x[VTE-171] + _ = x[WAITPKG-172] + _ = x[WBNOINVD-173] + _ = x[WRMSRNS-174] + _ = x[X87-175] + _ = x[XGETBV1-176] + _ = x[XOP-177] + _ = x[XSAVE-178] + _ = x[XSAVEC-179] + _ = x[XSAVEOPT-180] + _ = x[XSAVES-181] + _ = x[AESARM-182] + _ = x[ARMCPUID-183] + _ = x[ASIMD-184] + _ = x[ASIMDDP-185] + _ = x[ASIMDHP-186] + _ = x[ASIMDRDM-187] + _ = x[ATOMICS-188] + _ = x[CRC32-189] + _ = x[DCPOP-190] + _ = x[EVTSTRM-191] + _ = x[FCMA-192] + _ = x[FP-193] + _ = x[FPHP-194] + _ = x[GPA-195] + _ = x[JSCVT-196] + _ = x[LRCPC-197] + _ = x[PMULL-198] + _ = x[SHA1-199] + _ = x[SHA2-200] + _ = x[SHA3-201] + _ = x[SHA512-202] + _ = x[SM3-203] + _ = x[SM4-204] + _ = x[SVE-205] + _ = x[lastID-206] _ = x[firstID-0] } -const _FeatureID_name = "firstIDADXAESNIAMD3DNOWAMD3DNOWEXTAMXBF16AMXFP16AMXINT8AMXTILEAVXAVX2AVX512BF16AVX512BITALGAVX512BWAVX512CDAVX512DQAVX512ERAVX512FAVX512FP16AVX512IFMAAVX512PFAVX512VBMIAVX512VBMI2AVX512VLAVX512VNNIAVX512VP2INTERSECTAVX512VPOPCNTDQAVXIFMAAVXNECONVERTAVXSLOWAVXVNNIAVXVNNIINT8BHI_CTRLBMI1BMI2CETIBTCETSSCLDEMOTECLMULCLZEROCMOVCMPCCXADDCMPSB_SCADBS_SHORTCMPXCHG8CPBOOSTCPPCCX16EFER_LMSLE_UNSENQCMDERMSF16CFLUSH_L1DFMA3FMA4FP128FP256FSRMFXSRFXSROPTGFNIHLEHRESETHTTHWAHYBRID_CPUHYPERVISORIA32_ARCH_CAPIA32_CORE_CAPIBPBIBRSIBRS_PREFERREDIBRS_PROVIDES_SMPIBSIBSBRNTRGTIBSFETCHSAMIBSFFVIBSOPCNTIBSOPCNTEXTIBSOPSAMIBSRDWROPCNTIBSRIPINVALIDCHKIBS_FETCH_CTLXIBS_OPDATA4IBS_OPFUSEIBS_PREVENTHOSTIBS_ZEN4IDPRED_CTRLINT_WBINVDINVLPGBLAHFLAMLBRVIRTLZCNTMCAOVERFLOWMCDT_NOMCOMMITMD_CLEARMMXMMXEXTMOVBEMOVDIR64BMOVDIRIMOVSB_ZLMOVUMPXMSRIRCMSRLISTMSR_PAGEFLUSHNRIPSNXOSXSAVEPCONFIGPOPCNTPPINPREFETCHIPSFDRDPRURDRANDRDSEEDRDTSCPRRSBA_CTRLRTMRTM_ALWAYS_ABORTSERIALIZESEVSEV_64BITSEV_ALTERNATIVESEV_DEBUGSWAPSEV_ESSEV_RESTRICTEDSEV_SNPSGXSGXLCSHASMESME_COHERENTSPEC_CTRL_SSBDSRBDS_CTRLSSESSE2SSE3SSE4SSE42SSE4ASSSE3STIBPSTIBP_ALWAYSONSTOSB_SHORTSUCCORSVMSVMDASVMFBASIDSVMLSVMNPSVMPFSVMPFTSYSCALLSYSEETBMTLB_FLUSH_NESTEDTMETOPEXTTSCRATEMSRTSXLDTRKVAESVMCBCLEANVMPLVMSA_REGPROTVMXVPCLMULQDQVTEWAITPKGWBNOINVDWRMSRNSX87XGETBV1XOPXSAVEXSAVECXSAVEOPTXSAVESAESARMARMCPUIDASIMDASIMDDPASIMDHPASIMDRDMATOMICSCRC32DCPOPEVTSTRMFCMAFPFPHPGPAJSCVTLRCPCPMULLSHA1SHA2SHA3SHA512SM3SM4SVElastID" +const _FeatureID_name = "firstIDADXAESNIAMD3DNOWAMD3DNOWEXTAMXBF16AMXFP16AMXINT8AMXTILEAVXAVX2AVX512BF16AVX512BITALGAVX512BWAVX512CDAVX512DQAVX512ERAVX512FAVX512FP16AVX512IFMAAVX512PFAVX512VBMIAVX512VBMI2AVX512VLAVX512VNNIAVX512VP2INTERSECTAVX512VPOPCNTDQAVXIFMAAVXNECONVERTAVXSLOWAVXVNNIAVXVNNIINT8BHI_CTRLBMI1BMI2CETIBTCETSSCLDEMOTECLMULCLZEROCMOVCMPCCXADDCMPSB_SCADBS_SHORTCMPXCHG8CPBOOSTCPPCCX16EFER_LMSLE_UNSENQCMDERMSF16CFLUSH_L1DFMA3FMA4FP128FP256FSRMFXSRFXSROPTGFNIHLEHRESETHTTHWAHYBRID_CPUHYPERVISORIA32_ARCH_CAPIA32_CORE_CAPIBPBIBRSIBRS_PREFERREDIBRS_PROVIDES_SMPIBSIBSBRNTRGTIBSFETCHSAMIBSFFVIBSOPCNTIBSOPCNTEXTIBSOPSAMIBSRDWROPCNTIBSRIPINVALIDCHKIBS_FETCH_CTLXIBS_OPDATA4IBS_OPFUSEIBS_PREVENTHOSTIBS_ZEN4IDPRED_CTRLINT_WBINVDINVLPGBLAHFLAMLBRVIRTLZCNTMCAOVERFLOWMCDT_NOMCOMMITMD_CLEARMMXMMXEXTMOVBEMOVDIR64BMOVDIRIMOVSB_ZLMOVUMPXMSRIRCMSRLISTMSR_PAGEFLUSHNRIPSNXOSXSAVEPCONFIGPOPCNTPPINPREFETCHIPSFDRDPRURDRANDRDSEEDRDTSCPRRSBA_CTRLRTMRTM_ALWAYS_ABORTSERIALIZESEVSEV_64BITSEV_ALTERNATIVESEV_DEBUGSWAPSEV_ESSEV_RESTRICTEDSEV_SNPSGXSGXLCSHASMESME_COHERENTSPEC_CTRL_SSBDSRBDS_CTRLSSESSE2SSE3SSE4SSE42SSE4ASSSE3STIBPSTIBP_ALWAYSONSTOSB_SHORTSUCCORSVMSVMDASVMFBASIDSVMLSVMNPSVMPFSVMPFTSYSCALLSYSEETBMTDX_GUESTTLB_FLUSH_NESTEDTMETOPEXTTSCRATEMSRTSXLDTRKVAESVMCBCLEANVMPLVMSA_REGPROTVMXVPCLMULQDQVTEWAITPKGWBNOINVDWRMSRNSX87XGETBV1XOPXSAVEXSAVECXSAVEOPTXSAVESAESARMARMCPUIDASIMDASIMDDPASIMDHPASIMDRDMATOMICSCRC32DCPOPEVTSTRMFCMAFPFPHPGPAJSCVTLRCPCPMULLSHA1SHA2SHA3SHA512SM3SM4SVElastID" -var _FeatureID_index = [...]uint16{0, 7, 10, 15, 23, 34, 41, 48, 55, 62, 65, 69, 79, 91, 99, 107, 115, 123, 130, 140, 150, 158, 168, 179, 187, 197, 215, 230, 237, 249, 256, 263, 274, 282, 286, 290, 296, 301, 309, 314, 320, 324, 333, 351, 359, 366, 370, 374, 388, 394, 398, 402, 411, 415, 419, 424, 429, 433, 437, 444, 448, 451, 457, 460, 463, 473, 483, 496, 509, 513, 517, 531, 548, 551, 561, 572, 578, 586, 597, 605, 617, 633, 647, 658, 668, 683, 691, 702, 712, 719, 723, 726, 733, 738, 749, 756, 763, 771, 774, 780, 785, 794, 801, 809, 813, 816, 822, 829, 842, 847, 849, 856, 863, 869, 873, 882, 886, 891, 897, 903, 909, 919, 922, 938, 947, 950, 959, 974, 987, 993, 1007, 1014, 1017, 1022, 1025, 1028, 1040, 1054, 1064, 1067, 1071, 1075, 1079, 1084, 1089, 1094, 1099, 1113, 1124, 1130, 1133, 1138, 1147, 1151, 1156, 1161, 1167, 1174, 1179, 1182, 1198, 1201, 1207, 1217, 1225, 1229, 1238, 1242, 1254, 1257, 1267, 1270, 1277, 1285, 1292, 1295, 1302, 1305, 1310, 1316, 1324, 1330, 1336, 1344, 1349, 1356, 1363, 1371, 1378, 1383, 1388, 1395, 1399, 1401, 1405, 1408, 1413, 1418, 1423, 1427, 1431, 1435, 1441, 1444, 1447, 1450, 1456} +var _FeatureID_index = [...]uint16{0, 7, 10, 15, 23, 34, 41, 48, 55, 62, 65, 69, 79, 91, 99, 107, 115, 123, 130, 140, 150, 158, 168, 179, 187, 197, 215, 230, 237, 249, 256, 263, 274, 282, 286, 290, 296, 301, 309, 314, 320, 324, 333, 351, 359, 366, 370, 374, 388, 394, 398, 402, 411, 415, 419, 424, 429, 433, 437, 444, 448, 451, 457, 460, 463, 473, 483, 496, 509, 513, 517, 531, 548, 551, 561, 572, 578, 586, 597, 605, 617, 633, 647, 658, 668, 683, 691, 702, 712, 719, 723, 726, 733, 738, 749, 756, 763, 771, 774, 780, 785, 794, 801, 809, 813, 816, 822, 829, 842, 847, 849, 856, 863, 869, 873, 882, 886, 891, 897, 903, 909, 919, 922, 938, 947, 950, 959, 974, 987, 993, 1007, 1014, 1017, 1022, 1025, 1028, 1040, 1054, 1064, 1067, 1071, 1075, 1079, 1084, 1089, 1094, 1099, 1113, 1124, 1130, 1133, 1138, 1147, 1151, 1156, 1161, 1167, 1174, 1179, 1182, 1191, 1207, 1210, 1216, 1226, 1234, 1238, 1247, 1251, 1263, 1266, 1276, 1279, 1286, 1294, 1301, 1304, 1311, 1314, 1319, 1325, 1333, 1339, 1345, 1353, 1358, 1365, 1372, 1380, 1387, 1392, 1397, 1404, 1408, 1410, 1414, 1417, 1422, 1427, 1432, 1436, 1440, 1444, 1450, 1453, 1456, 1459, 1465} func (i FeatureID) String() string { if i < 0 || i >= FeatureID(len(_FeatureID_index)-1) {