sgx: add two special resources for quoting daemon and SGX platform registration #2103

Merged
merged 1 commit into from
Aug 21, 2025

Contributor

@mythi mythi commented Aug 13, 2025

Adds new special resources for TDX QGS and PCK-ID-Retrieval-Tool daemonsets to run without privileges.

@mythi mythi force-pushed the PR-2025-013 branch 4 times, most recently from 33b54e9 to bb1c488 Compare August 19, 2025 14:13
@mythi mythi changed the title WIP: sgx: add new special resources for TDX QGS and SGX platform registration sgx: add two special resources for quoting daemon and SGX platform registration Aug 19, 2025
@mythi mythi marked this pull request as ready for review August 19, 2025 14:14
@mythi mythi requested review from kad, bart0sh and tkatila as code owners August 19, 2025 14:14
Contributor Author

mythi commented Aug 19, 2025

I split my work into two stages. This is for the plugin modifications, and the changes are ready for review. The rest will follow.

…gistration

`qe` and `registration` resources are intended for a very specific use-case: every
SGX enabled node gets only one such resource and they are consumed by a quoting
daemon (e.g., `aesmd` or `tdx-qgs`) and a platform registration tool (e.g.,
PCK-ID-Retrieval-Tool), respectively. This is done so that these containers can run
without any elevated privileges.

Signed-off-by: Mikko Ylinen <[email protected]>
Contributor Author

mythi commented Aug 21, 2025

@eero-t thanks for the improvements, I merged those. I also added more info on that efivarfs and maskedPaths case.

@tkatila tkatila merged commit f6ee4f3 into intel:main Aug 21, 2025
56 checks passed