Add TDX Guest detection (#132)

fidencio · web-flow · commit 1af2d99c24e6 · 2023-06-02T17:11:24.000+02:00
We need to be able to detect that a guest is running using Intel TDX (Trusted Domain Extensions). As the TDX Guests have their own cpuid leaf (0x21, 0), we can easily detected them by checking its cpuid. THe information provided here can be confirmed in the Intel TDX Module v1.5 Base Architecture Specificication[0], section 11.2 "Guest TD Run Time Environment Enumeration". What we're exposing, in the end, is a new feature called "TDX_GUEST", and this is the result of running cpuid with this patch applied on a TDX guest VM, and on a "vanilla" guest VM. TDX Guest VM: ``` Name: Vendor String: GenuineIntel Vendor ID: Intel PhysicalCores: 0 Threads Per Core: 1 Logical Cores: 0 CPU Family 6 Model: 143 Stepping: 4 Features: ADX,AESNI,AMXBF16,AMXINT8,AMXTILE,AVX,AVX2,AVX512BF16,AVX512BITALG,AVXX 512BW,AVX512CD,AVX512DQ,AVX512F,AVX512FP16,AVX512IFMA,AVX512VBMI,AVX512VBMI2,AVXX 512VL,AVX512VNNI,AVX512VPOPCNTDQ,AVXVNNI,AVXVNNIINT8,BMI1,BMI2,CLDEMOTE,CLMUL,CMM OV,CMPSB_SCADBS_SHORT,CMPXCHG8,CX16,ERMS,F16C,FLUSH_L1D,FMA3,FSRM,FXSR,FXSROPT,GG FNI,HLE,HYPERVISOR,IA32_ARCH_CAP,IA32_CORE_CAP,IBPB,LAHF,LZCNT,MD_CLEAR,MMX,MOVBB E,MOVDIR64B,MOVDIRI,MOVSB_ZL,NX,OSXSAVE,POPCNT,PREFETCHI,RDRAND,RDSEED,RDTSCP,RTT M,SERIALIZE,SHA,SPEC_CTRL_SSBD,SSE,SSE2,SSE3,SSE4,SSE42,SSSE3,STIBP,STOSB_SHORT,, SYSCALL,SYSEE,TDX_GUEST,TSXLDTRK,VAES,VPCLMULQDQ,WAITPKG,WBNOINVD,X87,XGETBV1,XSS AVE,XSAVEC,XSAVEOPT,XSAVES Microarchitecture level: 4 Cacheline bytes: 64 L1 Instruction Cache: 32768 bytes L1 Data Cache: 32768 bytes L2 Cache: 4194304 bytes L3 Cache: 16777216 bytes Frequency: 1000000000 Hz ``` Vanilla Guest VM: ``` Name: Genuine Intel(R) CPU 0000%@ Vendor String: GenuineIntel Vendor ID: Intel PhysicalCores: 1 Threads Per Core: 1 Logical Cores: 1 CPU Family 6 Model: 143 Stepping: 4 Features: ADX,AESNI,AMXBF16,AMXINT8,AMXTILE,AVX,AVX2,AVX512BF16,AVX512BITALG,AVXX 512BW,AVX512CD,AVX512DQ,AVX512F,AVX512FP16,AVX512IFMA,AVX512VBMI,AVX512VBMI2,AVXX 512VL,AVX512VNNI,AVX512VPOPCNTDQ,AVXVNNI,AVXVNNIINT8,BMI1,BMI2,CLDEMOTE,CLMUL,CMM OV,CMPXCHG8,CX16,ERMS,F16C,FMA3,FSRM,FXSR,FXSROPT,GFNI,HLE,HYPERVISOR,IA32_ARCH__ CAP,IBPB,IBRS,LAHF,LZCNT,MD_CLEAR,MMX,MOVBE,MOVDIR64B,MOVDIRI,NX,OSXSAVE,POPCNT,, PREFETCHI,RDRAND,RDSEED,RDTSCP,RTM,SERIALIZE,SGX,SGXLC,SHA,SPEC_CTRL_SSBD,SSE,SSS E2,SSE3,SSE4,SSE42,SSSE3,STIBP,SYSCALL,SYSEE,TSXLDTRK,VAES,VMX,VPCLMULQDQ,WAITPKK G,WBNOINVD,X87,XGETBV1,XSAVE,XSAVEC,XSAVEOPT,XSAVES Microarchitecture level: 4 Cacheline bytes: 64 L1 Instruction Cache: 32768 bytes L1 Data Cache: 32768 bytes L2 Cache: 4194304 bytes L3 Cache: 16777216 bytes SGX: {Available:true LaunchControl:true SGX1Supported:true SGX2Supported:true Maa xEnclaveSizeNot64:2147483648 MaxEnclaveSize64:72057594037927936 EPCSections:[]} ``` [0]: https://cdrdv2.intel.com/v1/dl/getContent/733575 Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
diff --git a/README.md b/README.md
@@ -435,6 +435,7 @@ Exit Code 1
 | SYSCALL            | System-Call Extension (SCE): SYSCALL and SYSRET instructions.                                                                                                                      |
 | SYSEE              | SYSENTER and SYSEXIT instructions                                                                                                                                                  |
 | TBM                | AMD Trailing Bit Manipulation                                                                                                                                                      |
+| TDX_GUEST          | Intel Trust Domain Extensions Guest                                                                                                                                                |
 | TLB_FLUSH_NESTED   | AMD: Flushing includes all the nested translations for guest translations                                                                                                          |
 | TME                | Intel Total Memory Encryption. The following MSRs are supported: IA32_TME_CAPABILITY, IA32_TME_ACTIVATE, IA32_TME_EXCLUDE_MASK, and IA32_TME_EXCLUDE_BASE.                         |
 | TOPEXT             | TopologyExtensions: topology extensions support. Indicates support for CPUID Fn8000_001D_EAX_x[N:0]-CPUID Fn8000_001E_EDX.                                                         |
diff --git a/cpuid.go b/cpuid.go
@@ -226,6 +226,7 @@ const (
 	SYSCALL                             // System-Call Extension (SCE): SYSCALL and SYSRET instructions.
 	SYSEE                               // SYSENTER and SYSEXIT instructions
 	TBM                                 // AMD Trailing Bit Manipulation
+	TDX_GUEST                           // Intel Trust Domain Extensions Guest
 	TLB_FLUSH_NESTED                    // AMD: Flushing includes all the nested translations for guest translations
 	TME                                 // Intel Total Memory Encryption. The following MSRs are supported: IA32_TME_CAPABILITY, IA32_TME_ACTIVATE, IA32_TME_EXCLUDE_MASK, and IA32_TME_EXCLUDE_BASE.
 	TOPEXT                              // TopologyExtensions: topology extensions support. Indicates support for CPUID Fn8000_001D_EAX_x[N:0]-CPUID Fn8000_001E_EDX.
@@ -1393,6 +1394,13 @@ func support() flagSet {
 		fs.setIf((a>>24)&1 == 1, VMSA_REGPROT)
 	}
 
+	if mfi >= 0x21 {
+		// Intel Trusted Domain Extensions Guests have their own cpuid leaf (0x21).
+		_, ebx, ecx, edx := cpuid(0x21)
+		identity := string(valAsString(ebx, edx, ecx))
+		fs.setIf(identity == "IntelTDX    ", TDX_GUEST)
+	}
+
 	return fs
 }
 
diff --git a/featureid_string.go b/featureid_string.go
