
Commit 95b9e1a

Add support for confidential compute (#211)
1 parent 9588961 commit 95b9e1a

12 files changed

+235
-28
lines changed

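--- a/api/v1beta1/types.go
+++ b/api/v1beta1/types.go
@@ -261,6 +261,9 @@ type AmdMilanBmPlatformConfig struct {
 // Whether the Measured Boot feature is enabled on the instance.
 IsMeasuredBootEnabled *bool `json:"isMeasuredBootEnabled,omitempty"`
 
+// Whether the instance is a confidential instance. If this value is `true`, the instance is a confidential instance. The default value is `false`.
+IsMemoryEncryptionEnabled *bool `json:"isMemoryEncryptionEnabled,omitempty"`
+
 // Whether symmetric multithreading is enabled on the instance. Symmetric multithreading is also
 // called simultaneous multithreading (SMT) or Intel Hyper-Threading.
 // Intel and AMD processors have two hardware execution threads per core (OCPU). SMT permits multiple
@@ -319,6 +322,9 @@ type AmdRomeBmPlatformConfig struct {
 // Whether the Measured Boot feature is enabled on the instance.
 IsMeasuredBootEnabled *bool `json:"isMeasuredBootEnabled,omitempty"`
 
+// Whether the instance is a confidential instance. If this value is `true`, the instance is a confidential instance. The default value is `false`.
+IsMemoryEncryptionEnabled *bool `json:"isMemoryEncryptionEnabled,omitempty"`
+
 // Whether symmetric multithreading is enabled on the instance. Symmetric multithreading is also
 // called simultaneous multithreading (SMT) or Intel Hyper-Threading.
 // Intel and AMD processors have two hardware execution threads per core (OCPU). SMT permits multiple
@@ -366,6 +372,9 @@ type IntelSkylakeBmPlatformConfig struct {
 
 // Whether the Measured Boot feature is enabled on the instance.
 IsMeasuredBootEnabled *bool `json:"isMeasuredBootEnabled,omitempty"`
+
+// Whether the instance is a confidential instance. If this value is `true`, the instance is a confidential instance. The default value is `false`.
+IsMemoryEncryptionEnabled *bool `json:"isMemoryEncryptionEnabled,omitempty"`
 }
 
 // AmdRomeBmGpuPlatformConfigNumaNodesPerSocketEnum Enum with underlying type: string
@@ -391,6 +400,9 @@ type AmdRomeBmGpuPlatformConfig struct {
 // Whether the Measured Boot feature is enabled on the instance.
 IsMeasuredBootEnabled *bool `json:"isMeasuredBootEnabled,omitempty"`
 
+// Whether the instance is a confidential instance. If this value is `true`, the instance is a confidential instance. The default value is `false`.
+IsMemoryEncryptionEnabled *bool `json:"isMemoryEncryptionEnabled,omitempty"`
+
 // Whether symmetric multithreading is enabled on the instance. Symmetric multithreading is also
 // called simultaneous multithreading (SMT) or Intel Hyper-Threading.
 // Intel and AMD processors have two hardware execution threads per core (OCPU). SMT permits multiple
@@ -440,6 +452,9 @@ type IntelIcelakeBmPlatformConfig struct {
 // Whether the Measured Boot feature is enabled on the instance.
 IsMeasuredBootEnabled *bool `json:"isMeasuredBootEnabled,omitempty"`
 
+// Whether the instance is a confidential instance. If this value is `true`, the instance is a confidential instance. The default value is `false`.
+IsMemoryEncryptionEnabled *bool `json:"isMemoryEncryptionEnabled,omitempty"`
+
 // Whether symmetric multithreading is enabled on the instance. Symmetric multithreading is also
 // called simultaneous multithreading (SMT) or Intel Hyper-Threading.
 // Intel and AMD processors have two hardware execution threads per core (OCPU). SMT permits multiple
@@ -476,6 +491,9 @@ type IntelVmPlatformConfig struct {
 
 // Whether the Measured Boot feature is enabled on the instance.
 IsMeasuredBootEnabled *bool `json:"isMeasuredBootEnabled,omitempty"`
+
+// Whether the instance is a confidential instance. If this value is `true`, the instance is a confidential instance. The default value is `false`.
+IsMemoryEncryptionEnabled *bool `json:"isMemoryEncryptionEnabled,omitempty"`
 }
 
 // AmdVmPlatformConfig The platform configuration of a virtual machine instance that uses the AMD platform.
@@ -488,6 +506,9 @@ type AmdVmPlatformConfig struct {
 
 // Whether the Measured Boot feature is enabled on the instance.
 IsMeasuredBootEnabled *bool `json:"isMeasuredBootEnabled,omitempty"`
+
+// Whether the instance is a confidential instance. If this value is `true`, the instance is a confidential instance. The default value is `false`.
+IsMemoryEncryptionEnabled *bool `json:"isMemoryEncryptionEnabled,omitempty"`
 }
 
 // InstanceOptions Optional mutable instance options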
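Review bot: The doc comment on each new `IsMemoryEncryptionEnabled` field (first in the AmdMilanBmPlatformConfig hunk, repeated verbatim for AmdRomeBm, IntelSkylakeBm, AmdRomeBmGpu, IntelIcelakeBm, IntelVm and AmdVm) says the default is `false`, but the field is a `*bool` with `omitempty`, so an unset field is not sent at all and the effective default is whatever the provider applies; the comment should say that, e.g. `// When nil the field is omitted from the request and the provider default applies.` The comment also describes a memory-encryption field purely as a "confidential instance" toggle without relating the two; one sentence such as `// Memory encryption is the property that makes the instance a confidential instance.` would make the link explicit for readers of the CRD. If the sibling platform-config fields are validated or made immutable by a webhook elsewhere in the repository, this field presumably needs the same treatment, since it is a launch-time setting — worth confirming. The struct definitions start and end outside the hunks.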

api/v1beta1/zz_generated.deepcopy.go

Lines changed: 35 additions & 0 deletions

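--- a/cloud/scope/machine.go
+++ b/cloud/scope/machine.go
@@ -767,6 +767,7 @@ func (m *MachineScope) getPlatformConfig() core.PlatformConfig {
 IsSecureBootEnabled: platformConfig.AmdRomeBmGpuPlatformConfig.IsSecureBootEnabled,
 IsTrustedPlatformModuleEnabled: platformConfig.AmdRomeBmGpuPlatformConfig.IsTrustedPlatformModuleEnabled,
 IsMeasuredBootEnabled: platformConfig.AmdRomeBmGpuPlatformConfig.IsMeasuredBootEnabled,
+IsMemoryEncryptionEnabled: platformConfig.AmdRomeBmGpuPlatformConfig.IsMemoryEncryptionEnabled,
 IsSymmetricMultiThreadingEnabled: platformConfig.AmdRomeBmGpuPlatformConfig.IsSymmetricMultiThreadingEnabled,
 IsAccessControlServiceEnabled: platformConfig.AmdRomeBmGpuPlatformConfig.IsAccessControlServiceEnabled,
 AreVirtualInstructionsEnabled: platformConfig.AmdRomeBmGpuPlatformConfig.AreVirtualInstructionsEnabled,
@@ -779,6 +780,7 @@ func (m *MachineScope) getPlatformConfig() core.PlatformConfig {
 IsSecureBootEnabled: platformConfig.AmdRomeBmPlatformConfig.IsSecureBootEnabled,
 IsTrustedPlatformModuleEnabled: platformConfig.AmdRomeBmPlatformConfig.IsTrustedPlatformModuleEnabled,
 IsMeasuredBootEnabled: platformConfig.AmdRomeBmPlatformConfig.IsMeasuredBootEnabled,
+IsMemoryEncryptionEnabled: platformConfig.AmdRomeBmPlatformConfig.IsMemoryEncryptionEnabled,
 IsSymmetricMultiThreadingEnabled: platformConfig.AmdRomeBmPlatformConfig.IsSymmetricMultiThreadingEnabled,
 IsAccessControlServiceEnabled: platformConfig.AmdRomeBmPlatformConfig.IsAccessControlServiceEnabled,
 AreVirtualInstructionsEnabled: platformConfig.AmdRomeBmPlatformConfig.AreVirtualInstructionsEnabled,
@@ -792,6 +794,7 @@ func (m *MachineScope) getPlatformConfig() core.PlatformConfig {
 IsSecureBootEnabled: platformConfig.IntelIcelakeBmPlatformConfig.IsSecureBootEnabled,
 IsTrustedPlatformModuleEnabled: platformConfig.IntelIcelakeBmPlatformConfig.IsTrustedPlatformModuleEnabled,
 IsMeasuredBootEnabled: platformConfig.IntelIcelakeBmPlatformConfig.IsMeasuredBootEnabled,
+IsMemoryEncryptionEnabled: platformConfig.IntelIcelakeBmPlatformConfig.IsMemoryEncryptionEnabled,
 IsSymmetricMultiThreadingEnabled: platformConfig.IntelIcelakeBmPlatformConfig.IsSymmetricMultiThreadingEnabled,
 PercentageOfCoresEnabled: platformConfig.IntelIcelakeBmPlatformConfig.PercentageOfCoresEnabled,
 IsInputOutputMemoryManagementUnitEnabled: platformConfig.IntelIcelakeBmPlatformConfig.IsInputOutputMemoryManagementUnitEnabled,
@@ -802,25 +805,29 @@ func (m *MachineScope) getPlatformConfig() core.PlatformConfig {
 IsSecureBootEnabled: platformConfig.AmdVmPlatformConfig.IsSecureBootEnabled,
 IsTrustedPlatformModuleEnabled: platformConfig.AmdVmPlatformConfig.IsTrustedPlatformModuleEnabled,
 IsMeasuredBootEnabled: platformConfig.AmdVmPlatformConfig.IsMeasuredBootEnabled,
+IsMemoryEncryptionEnabled: platformConfig.AmdVmPlatformConfig.IsMemoryEncryptionEnabled,
 }
 case infrastructurev1beta1.PlatformConfigTypeIntelVm:
 return core.IntelVmPlatformConfig{
 IsSecureBootEnabled: platformConfig.IntelVmPlatformConfig.IsSecureBootEnabled,
 IsTrustedPlatformModuleEnabled: platformConfig.IntelVmPlatformConfig.IsTrustedPlatformModuleEnabled,
 IsMeasuredBootEnabled: platformConfig.IntelVmPlatformConfig.IsMeasuredBootEnabled,
+IsMemoryEncryptionEnabled: platformConfig.IntelVmPlatformConfig.IsMemoryEncryptionEnabled,
 }
 case infrastructurev1beta1.PlatformConfigTypeIntelSkylakeBm:
 return core.IntelSkylakeBmPlatformConfig{
 IsSecureBootEnabled: platformConfig.IntelSkylakeBmPlatformConfig.IsSecureBootEnabled,
 IsTrustedPlatformModuleEnabled: platformConfig.IntelSkylakeBmPlatformConfig.IsTrustedPlatformModuleEnabled,
 IsMeasuredBootEnabled: platformConfig.IntelSkylakeBmPlatformConfig.IsMeasuredBootEnabled,
+IsMemoryEncryptionEnabled: platformConfig.IntelSkylakeBmPlatformConfig.IsMemoryEncryptionEnabled,
 }
 case infrastructurev1beta1.PlatformConfigTypeAmdMilanBm:
 numaNodesPerSocket, _ := core.GetMappingAmdMilanBmPlatformConfigNumaNodesPerSocketEnum(string(platformConfig.AmdMilanBmPlatformConfig.NumaNodesPerSocket))
 return core.AmdMilanBmPlatformConfig{
 IsSecureBootEnabled: platformConfig.AmdMilanBmPlatformConfig.IsSecureBootEnabled,
 IsTrustedPlatformModuleEnabled: platformConfig.AmdMilanBmPlatformConfig.IsTrustedPlatformModuleEnabled,
 IsMeasuredBootEnabled: platformConfig.AmdMilanBmPlatformConfig.IsMeasuredBootEnabled,
+IsMemoryEncryptionEnabled: platformConfig.AmdMilanBmPlatformConfig.IsMemoryEncryptionEnabled,
 IsSymmetricMultiThreadingEnabled: platformConfig.AmdMilanBmPlatformConfig.IsSymmetricMultiThreadingEnabled,
 IsAccessControlServiceEnabled: platformConfig.AmdMilanBmPlatformConfig.IsAccessControlServiceEnabled,
 AreVirtualInstructionsEnabled: platformConfig.AmdMilanBmPlatformConfig.AreVirtualInstructionsEnabled,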
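Review bot: The seven new `IsMemoryEncryptionEnabled:` pass-through lines in MachineScope.getPlatformConfig are duplicated line-for-line in MachinePoolScope.getPlatformConfig in cloud/scope/machine_pool.go (the hunks there are identical apart from line numbers), so every future platform-config field has to be added in two places, and a miss in one of them would silently drop a security-relevant launch setting for that scope with no compile error. Consider moving the per-platform-type mapping into one package-level helper that takes the spec's platform config and returns `core.PlatformConfig`, called from both scopes, so the field list exists exactly once and a unit test can exercise it independently of either scope. getPlatformConfig starts and ends outside the hunks.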

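--- a/cloud/scope/machine_pool.go
+++ b/cloud/scope/machine_pool.go
@@ -762,6 +762,7 @@ func (m *MachinePoolScope) getPlatformConfig() core.PlatformConfig {
 IsSecureBootEnabled: platformConfig.AmdRomeBmGpuPlatformConfig.IsSecureBootEnabled,
 IsTrustedPlatformModuleEnabled: platformConfig.AmdRomeBmGpuPlatformConfig.IsTrustedPlatformModuleEnabled,
 IsMeasuredBootEnabled: platformConfig.AmdRomeBmGpuPlatformConfig.IsMeasuredBootEnabled,
+IsMemoryEncryptionEnabled: platformConfig.AmdRomeBmGpuPlatformConfig.IsMemoryEncryptionEnabled,
 IsSymmetricMultiThreadingEnabled: platformConfig.AmdRomeBmGpuPlatformConfig.IsSymmetricMultiThreadingEnabled,
 IsAccessControlServiceEnabled: platformConfig.AmdRomeBmGpuPlatformConfig.IsAccessControlServiceEnabled,
 AreVirtualInstructionsEnabled: platformConfig.AmdRomeBmGpuPlatformConfig.AreVirtualInstructionsEnabled,
@@ -774,6 +775,7 @@ func (m *MachinePoolScope) getPlatformConfig() core.PlatformConfig {
 IsSecureBootEnabled: platformConfig.AmdRomeBmPlatformConfig.IsSecureBootEnabled,
 IsTrustedPlatformModuleEnabled: platformConfig.AmdRomeBmPlatformConfig.IsTrustedPlatformModuleEnabled,
 IsMeasuredBootEnabled: platformConfig.AmdRomeBmPlatformConfig.IsMeasuredBootEnabled,
+IsMemoryEncryptionEnabled: platformConfig.AmdRomeBmPlatformConfig.IsMemoryEncryptionEnabled,
 IsSymmetricMultiThreadingEnabled: platformConfig.AmdRomeBmPlatformConfig.IsSymmetricMultiThreadingEnabled,
 IsAccessControlServiceEnabled: platformConfig.AmdRomeBmPlatformConfig.IsAccessControlServiceEnabled,
 AreVirtualInstructionsEnabled: platformConfig.AmdRomeBmPlatformConfig.AreVirtualInstructionsEnabled,
@@ -787,6 +789,7 @@ func (m *MachinePoolScope) getPlatformConfig() core.PlatformConfig {
 IsSecureBootEnabled: platformConfig.IntelIcelakeBmPlatformConfig.IsSecureBootEnabled,
 IsTrustedPlatformModuleEnabled: platformConfig.IntelIcelakeBmPlatformConfig.IsTrustedPlatformModuleEnabled,
 IsMeasuredBootEnabled: platformConfig.IntelIcelakeBmPlatformConfig.IsMeasuredBootEnabled,
+IsMemoryEncryptionEnabled: platformConfig.IntelIcelakeBmPlatformConfig.IsMemoryEncryptionEnabled,
 IsSymmetricMultiThreadingEnabled: platformConfig.IntelIcelakeBmPlatformConfig.IsSymmetricMultiThreadingEnabled,
 PercentageOfCoresEnabled: platformConfig.IntelIcelakeBmPlatformConfig.PercentageOfCoresEnabled,
 IsInputOutputMemoryManagementUnitEnabled: platformConfig.IntelIcelakeBmPlatformConfig.IsInputOutputMemoryManagementUnitEnabled,
@@ -797,25 +800,29 @@ func (m *MachinePoolScope) getPlatformConfig() core.PlatformConfig {
 IsSecureBootEnabled: platformConfig.AmdVmPlatformConfig.IsSecureBootEnabled,
 IsTrustedPlatformModuleEnabled: platformConfig.AmdVmPlatformConfig.IsTrustedPlatformModuleEnabled,
 IsMeasuredBootEnabled: platformConfig.AmdVmPlatformConfig.IsMeasuredBootEnabled,
+IsMemoryEncryptionEnabled: platformConfig.AmdVmPlatformConfig.IsMemoryEncryptionEnabled,
 }
 case infrastructurev1beta1.PlatformConfigTypeIntelVm:
 return core.IntelVmPlatformConfig{
 IsSecureBootEnabled: platformConfig.IntelVmPlatformConfig.IsSecureBootEnabled,
 IsTrustedPlatformModuleEnabled: platformConfig.IntelVmPlatformConfig.IsTrustedPlatformModuleEnabled,
 IsMeasuredBootEnabled: platformConfig.IntelVmPlatformConfig.IsMeasuredBootEnabled,
+IsMemoryEncryptionEnabled: platformConfig.IntelVmPlatformConfig.IsMemoryEncryptionEnabled,
 }
 case infrastructurev1beta1.PlatformConfigTypeIntelSkylakeBm:
 return core.IntelSkylakeBmPlatformConfig{
 IsSecureBootEnabled: platformConfig.IntelSkylakeBmPlatformConfig.IsSecureBootEnabled,
 IsTrustedPlatformModuleEnabled: platformConfig.IntelSkylakeBmPlatformConfig.IsTrustedPlatformModuleEnabled,
 IsMeasuredBootEnabled: platformConfig.IntelSkylakeBmPlatformConfig.IsMeasuredBootEnabled,
+IsMemoryEncryptionEnabled: platformConfig.IntelSkylakeBmPlatformConfig.IsMemoryEncryptionEnabled,
 }
 case infrastructurev1beta1.PlatformConfigTypeAmdMilanBm:
 numaNodesPerSocket, _ := core.GetMappingAmdMilanBmPlatformConfigNumaNodesPerSocketEnum(string(platformConfig.AmdMilanBmPlatformConfig.NumaNodesPerSocket))
 return core.AmdMilanBmPlatformConfig{
 IsSecureBootEnabled: platformConfig.AmdMilanBmPlatformConfig.IsSecureBootEnabled,
 IsTrustedPlatformModuleEnabled: platformConfig.AmdMilanBmPlatformConfig.IsTrustedPlatformModuleEnabled,
 IsMeasuredBootEnabled: platformConfig.AmdMilanBmPlatformConfig.IsMeasuredBootEnabled,
+IsMemoryEncryptionEnabled: platformConfig.AmdMilanBmPlatformConfig.IsMemoryEncryptionEnabled,
 IsSymmetricMultiThreadingEnabled: platformConfig.AmdMilanBmPlatformConfig.IsSymmetricMultiThreadingEnabled,
 IsAccessControlServiceEnabled: platformConfig.AmdMilanBmPlatformConfig.IsAccessControlServiceEnabled,
 AreVirtualInstructionsEnabled: platformConfig.AmdMilanBmPlatformConfig.AreVirtualInstructionsEnabled,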

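--- a/cloud/scope/machine_pool_test.go
+++ b/cloud/scope/machine_pool_test.go
@@ -228,6 +228,7 @@ func TestInstanceConfigCreate(t *testing.T) {
 IsMeasuredBootEnabled: common.Bool(false),
 IsTrustedPlatformModuleEnabled: common.Bool(true),
 IsSecureBootEnabled: common.Bool(true),
+IsMemoryEncryptionEnabled: common.Bool(true),
 },
 },
 AgentConfig: &infrastructurev1beta1.LaunchInstanceAgentConfig{
@@ -272,6 +273,7 @@ func TestInstanceConfigCreate(t *testing.T) {
 IsMeasuredBootEnabled: common.Bool(false),
 IsTrustedPlatformModuleEnabled: common.Bool(true),
 IsSecureBootEnabled: common.Bool(true),
+IsMemoryEncryptionEnabled: common.Bool(true),
 },
 Metadata: map[string]string{"user_data": "dGVzdA=="},
 Shape: common.String("test-shape"),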
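Review bot: The two added `IsMemoryEncryptionEnabled: common.Bool(true)` lines in TestInstanceConfigCreate pin the pass-through for only the one platform-config type this fixture uses (the enclosing struct literal starts outside the hunk) and only for an explicit true; neither the nil case, which is what an omitted field produces and which the API types document as the default, nor the other six `case` branches changed in machine_pool.go get an assertion, so a dropped mapping line in any of those branches would still pass. A table-driven case per PlatformConfigType, or at minimum one input with the field left nil asserting the resulting core struct keeps it nil, would close that gap. No test update for the parallel change in cloud/scope/machine.go is visible on this page; if a MachineScope test exists it should receive the same field.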
