sgx: add new special resources for TDX QGS and SGX platform registration

mythi · mythi · commit e21977d6b928 · 2025-08-13T16:44:31.000+03:00
Signed-off-by: Mikko Ylinen &lt;mikko.ylinen@intel.com&gt;
diff --git a/cmd/sgx_plugin/sgx_plugin.go b/cmd/sgx_plugin/sgx_plugin.go
@@ -25,6 +25,7 @@ import (
 	dpapi "github.com/intel/intel-device-plugins-for-kubernetes/pkg/deviceplugin"
 	"k8s.io/klog/v2"
 	pluginapi "k8s.io/kubelet/pkg/apis/deviceplugin/v1beta1"
+	cdispec "tags.cncf.io/container-device-interface/specs-go"
 )
 
 const (
@@ -67,6 +68,24 @@ func (dp *devicePlugin) Scan(notifier dpapi.Notifier) error {
 	return nil
 }
 
+func createEFIMountsCDIDevice(name string) *cdispec.Spec {
+
+	return &cdispec.Spec{
+		Version: dpapi.CDIVersion,
+		Kind:    dpapi.CDIVendor + "/sgx",
+		Devices: []cdispec.Device{
+			{
+				Name: name,
+				ContainerEdits: cdispec.ContainerEdits{
+					Mounts: []*cdispec.Mount{
+						{HostPath: "efivarfs", ContainerPath: "/sys/firmware/efi/efivars", Type: "efivarfs", Options: []string{"rw", "nosuid", "nodev", "noexec", "relatime"}},
+					},
+				},
+			},
+		},
+	}
+}
+
 func (dp *devicePlugin) scan() (dpapi.DeviceTree, error) {
 	devTree := dpapi.NewDeviceTree()
 
@@ -96,6 +115,19 @@ func (dp *devicePlugin) scan() (dpapi.DeviceTree, error) {
 		devTree.AddDevice(deviceTypeProvision, devID, dpapi.NewDeviceInfoWithTopologyHints(pluginapi.Healthy, nodes, nil, nil, nil, nil, nil))
 	}
 
+	tdQeNodes := []pluginapi.DeviceSpec{
+		{HostPath: sgxEnclavePath, ContainerPath: sgxEnclavePath, Permissions: "rw"},
+		{HostPath: sgxProvisionPath, ContainerPath: sgxProvisionPath, Permissions: "rw"},
+	}
+
+	devTree.AddDevice("tdqe", "tdqe-1", dpapi.NewDeviceInfoWithTopologyHints(pluginapi.Healthy, tdQeNodes, nil, nil, nil, nil, nil))
+
+	regNodes := []pluginapi.DeviceSpec{
+		{HostPath: sgxEnclavePath, ContainerPath: sgxEnclavePath, Permissions: "rw"},
+	}
+
+	devTree.AddDevice("registration", "registration-1", dpapi.NewDeviceInfoWithTopologyHints(pluginapi.Healthy, regNodes, nil, nil, nil, nil, createEFIMountsCDIDevice("registration")))
+
 	return devTree, nil
 }
 
diff --git a/deployments/sgx_plugin/base/intel-sgx-plugin.yaml b/deployments/sgx_plugin/base/intel-sgx-plugin.yaml
@@ -49,6 +49,8 @@ spec:
         - name: sgx-provision
           mountPath: /dev/sgx_provision
           readOnly: true
+        - name: cdipath
+          mountPath: /var/run/cdi
       volumes:
       - name: kubeletsockets
         hostPath:
@@ -61,5 +63,9 @@ spec:
         hostPath:
           path: /dev/sgx_provision
           type: CharDevice
+      - name: cdipath
+        hostPath:
+          path: /var/run/cdi
+          type: DirectoryOrCreate
       nodeSelector:
         kubernetes.io/arch: amd64
