Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Discussion: Support detecting confidential guests (TDX, SNP, SEV) running on Azure nodes #137

Closed
fidencio opened this issue Nov 6, 2023 · 3 comments
Closed

Discussion: Support detecting confidential guests (TDX, SNP, SEV) running on Azure nodes #137

fidencio opened this issue Nov 6, 2023 · 3 comments

Comments

@fidencio
Copy link
Contributor

fidencio commented Nov 6, 2023

@klauspost, I'm creating this issue here as I really would like to hear your opinion on what could be done, and mainly if something should be done on cpuid in order to properly detect those.

We've had access to Azure Intel TDX preview, and we noticed that the TDX guest cpuid leaf was not exposed there. This is a huge situation, as it seems Azure is not willing to expose all the necessary bits, and there's already discussions that happened on the kernel land about this, like: https://lore.kernel.org/linux-hyperv/20231020202158.GHZTLhZpmes+uiHOE2@fat_crate.local/T/#t

Meanwhile, I've gotten to do some tests on the created TDX VM, and a "simple patch" like the one shown below could do the trick:

intel-coco@tdvm:~/fidencio/cpuid/cmd/cpuid$ git diff
diff --git a/cpuid.go b/cpuid.go
index b5fdc6e..0021df1 100644
--- a/cpuid.go
+++ b/cpuid.go
@@ -1418,6 +1418,11 @@ func support() flagSet {
                fs.setIf((a>>24)&1 == 1, VMSA_REGPROT)
        }
 
+       if mfi >= 0x20 {
+               _, ebx, _, _ := cpuid(0x4000000C)
+               fs.setIf(ebx == 0xbe3, TDX_GUEST)
+       }
+
        if mfi >= 0x21 {
                // Intel Trusted Domain Extensions Guests have their own cpuid leaf (0x21).
                _, ebx, ecx, edx := cpuid(0x21)

While this of TDX_GUEST, supporting things like SNP / SEV guest would basically be the matter of checking the ebx's value, as show here https://github.com/torvalds/linux/blob/master/arch/x86/kernel/cpu/mshyperv.c#L429-L445

At this point I'm rather unsure on whether this is an acceptable approach, but I'm confident we'd need something, at least something coming from cpuid side, so NFD could properly do the detection.

With everything written above, @klauspost, I'm super interested in your take on whether to accept a patch like the one above, or any other suggestsion on how to address this.

Let me cc some folks from Intel, Azure, and NVIDIA side here as well, just so they can add something that I may have missed and / or follow up in your suggestions.

/cc @mythi @jepio @zvonkok
@klauspost
Copy link
Owner

I have no opinion on the matter to be honest.

@fidencio
Copy link
Contributor Author

fidencio commented Nov 6, 2023

I have no opinion on the matter to be honest.

So, I will go ahead and propose the patch. :-)

@fidencio
Copy link
Contributor Author

fidencio commented Nov 6, 2023

I'm closing this one as all the discussions can be taken to #138, instead.

@fidencio fidencio closed this as completed Nov 6, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@fidencio @klauspost