Merge pull request #2 from edera-dev/bleggett/iommu-checks

bleggett · web-flow · commit aebd97b0142e · 2026-02-13T14:30:46.000-05:00
Add explicit IOMMU checking
diff --git a/.github/workflows/release-artifacts.yml b/.github/workflows/release-artifacts.yml
@@ -93,7 +93,7 @@ jobs:
         persist-credentials: false
 
     - name: 'Build and sign protect-${{ matrix.component }} image'
-      uses: edera-dev/actions/build-and-sign-image@v0.0.3
+      uses: edera-dev/actions/build-and-sign-image@v0.0.6
       with:
         component: '${{ matrix.component }}'
         event: '${{ github.event_name }}'
diff --git a/src/checkers/iommu.rs b/src/checkers/iommu.rs
@@ -0,0 +1,106 @@
+use crate::helpers::{
+    CheckGroup, CheckGroupResult, CheckResult,
+    CheckResultValue::{Errored, Failed, Passed, Skipped},
+    host_executor::HostNamespaceExecutor,
+};
+use async_trait::async_trait;
+use futures::{FutureExt, future::join_all};
+use log::debug;
+use std::path::Path;
+
+const GROUP_IDENTIFIER: &str = "IOMMUChecks";
+const NAME: &str = "IOMMU Checks";
+
+pub struct IOMMUChecks {
+    host_executor: HostNamespaceExecutor,
+}
+
+#[cfg(target_arch = "x86_64")]
+impl IOMMUChecks {
+    pub fn new(host_executor: HostNamespaceExecutor) -> Self {
+        IOMMUChecks { host_executor }
+    }
+
+    /// Run all the checkers asynchronously, then
+    /// join and collect the results.
+    pub async fn run_all(&self) -> CheckGroupResult {
+        let results = join_all([self.check_iommu().boxed()]).await;
+
+        let mut group_result = Skipped;
+        for res in results.iter() {
+            // Set group result to Failed if we failed and aren't already in an Errored state
+            if !matches!(group_result, Errored(_)) && matches!(res.result, Failed(_)) {
+                group_result = Failed(String::from("group failed"));
+            }
+
+            if matches!(res.result, Errored(_)) {
+                group_result = Errored(String::from("group errored"));
+            }
+        }
+
+        CheckGroupResult {
+            name: NAME.to_string(),
+            result: group_result,
+            results,
+        }
+    }
+
+    async fn check_iommu(&self) -> CheckResult {
+        let name = String::from("IOMMU Support");
+
+        match self
+            .host_executor
+            .spawn_in_host_ns(async {
+                if Path::new("/sys/firmware/acpi/tables/DMAR").exists() {
+                    debug!("Found Intel IOMMU");
+                    true
+                } else if Path::new("/sys/firmware/acpi/tables/IVRS").exists() {
+                    debug!("Found AMD IOMMU");
+                    true
+                } else {
+                    false
+                }
+            })
+            .await
+        {
+            Ok(true) => CheckResult::new(&name, Passed),
+            Ok(false) => CheckResult::new(&name, Failed("no IOMMU detected".to_string())),
+            Err(e) => {
+                debug!("Error: {}", e);
+                CheckResult::new(&name, Errored(e.to_string()))
+            }
+        }
+    }
+}
+
+// No-op for other archs
+// TODO(bml) arm64 IOMMU??
+#[cfg(not(target_arch = "x86_64"))]
+impl IOMMUChecks {
+    pub fn new(host_executor: HostNamespaceExecutor) -> Self {
+        IOMMUChecks { host_executor }
+    }
+
+    pub async fn run_all(&self) -> CheckGroupResult {
+        CheckGroupResult::new(NAME)
+    }
+}
+
+#[async_trait]
+impl CheckGroup for IOMMUChecks {
+    fn id(&self) -> &str {
+        GROUP_IDENTIFIER
+    }
+
+    fn name(&self) -> &str {
+        NAME
+    }
+
+    fn description(&self) -> &str {
+        "IOMMU capability checks"
+    }
+
+    async fn run(&self) -> CheckGroupResult {
+        self.run_all().await
+    }
+}
diff --git a/src/checkers/mod.rs b/src/checkers/mod.rs
@@ -1,3 +1,4 @@
+pub mod iommu;
 pub mod kernel;
 pub mod pvh;
 pub mod system;
diff --git a/src/checkers/pvh.rs b/src/checkers/pvh.rs
@@ -6,7 +6,7 @@ use crate::helpers::{
 use anyhow::{Result, bail};
 use async_trait::async_trait;
 use futures::{FutureExt, future::join_all};
-use log::{debug, warn};
+use log::{debug, error, warn};
 use std::{
     fs,
     fs::File,
@@ -87,7 +87,7 @@ impl PVHChecks {
                 )
             }
             Err(e) => {
-                eprintln!("Error: {}", e);
+                error!("Error: {}", e);
                 CheckResult::new(&name, Errored(e.to_string()))
             }
         }
@@ -106,7 +106,7 @@ impl PVHChecks {
             "GenuineIntel" => self.check_intel(&flags).await,
             "AuthenticAMD" => self.check_amd(&flags).await,
             _ => {
-                eprintln!("Unknown CPU vendor: {}", cpu_vendor);
+                error!("Unknown CPU vendor: {}", cpu_vendor);
                 Ok(VirtStatus::Disabled)
             }
         }
@@ -195,14 +195,12 @@ impl PVHChecks {
                             }
                         }
                         Err(e) => {
-                            eprintln!("WARN: Cannot read EFER: {}", e);
+                            debug!("Cannot read EFER: {}", e);
                             if has_svm {
-                                eprintln!(
-                                    "      Hardware supports AMD-V, assuming it can be enabled"
-                                );
+                                debug!("Hardware supports AMD-V, assuming it can be enabled");
                                 Ok(VirtStatus::CanBeEnabled)
                             } else {
-                                eprintln!("      Cannot determine if AMD-V can be used");
+                                debug!("Cannot determine if AMD-V can be used");
                                 Ok(VirtStatus::Disabled)
                             }
                         }
diff --git a/src/main.rs b/src/main.rs
@@ -21,6 +21,8 @@ use std::{
 };
 use tokio::task::JoinHandle;
 
+use crate::checkers::iommu::IOMMUChecks;
+
 // Skip certain groups. List is separated by ;
 fn skip_groups() -> Vec<String> {
     let skips = env::var("EDERA_PREFLIGHT_SKIP_GROUPS").unwrap_or_default();
@@ -110,6 +112,7 @@ async fn main() -> Result<()> {
     let groups: Vec<Box<dyn CheckGroup>> = vec![
         Box::new(SystemChecks::new(host_executor.clone())),
         Box::new(PVHChecks::new(host_executor.clone())),
+        Box::new(IOMMUChecks::new(host_executor.clone())),
         Box::new(KernelChecks::new(host_executor.clone())),
         Box::new(SystemRecorder::new(host_executor.clone())),
     ];

Original file line number	Diff line number	Diff line change
`@@ -6,7 +6,7 @@ use crate::helpers::{`
`6`	`6`	`use anyhow::{Result, bail};`
`7`	`7`	`use async_trait::async_trait;`
`8`	`8`	`use futures::{FutureExt, future::join_all};`
`9`		`-use log::{debug, warn};`
	`9`	`+use log::{debug, error, warn};`
`10`	`10`	`use std::{`
`11`	`11`	`fs,`
`12`	`12`	`fs::File,`
`@@ -87,7 +87,7 @@ impl PVHChecks {`
`87`	`87`	`)`
`88`	`88`	`}`
`89`	`89`	`Err(e) => {`
`90`		`- eprintln!("Error: {}", e);`
	`90`	`+ error!("Error: {}", e);`
`91`	`91`	`CheckResult::new(&name, Errored(e.to_string()))`
`92`	`92`	`}`
`93`	`93`	`}`
`@@ -106,7 +106,7 @@ impl PVHChecks {`
`106`	`106`	`"GenuineIntel" => self.check_intel(&flags).await,`
`107`	`107`	`"AuthenticAMD" => self.check_amd(&flags).await,`
`108`	`108`	`_ => {`
`109`		`- eprintln!("Unknown CPU vendor: {}", cpu_vendor);`
	`109`	`+ error!("Unknown CPU vendor: {}", cpu_vendor);`
`110`	`110`	`Ok(VirtStatus::Disabled)`
`111`	`111`	`}`
`112`	`112`	`}`
`@@ -195,14 +195,12 @@ impl PVHChecks {`
`195`	`195`	`}`
`196`	`196`	`}`
`197`	`197`	`Err(e) => {`
`198`		`- eprintln!("WARN: Cannot read EFER: {}", e);`
	`198`	`+ debug!("Cannot read EFER: {}", e);`
`199`	`199`	`if has_svm {`
`200`		`- eprintln!(`
`201`		`- " Hardware supports AMD-V, assuming it can be enabled"`
`202`		`- );`
	`200`	`+ debug!("Hardware supports AMD-V, assuming it can be enabled");`
`203`	`201`	`Ok(VirtStatus::CanBeEnabled)`
`204`	`202`	`} else {`
`205`		`- eprintln!(" Cannot determine if AMD-V can be used");`
	`203`	`+ debug!("Cannot determine if AMD-V can be used");`
`206`	`204`	`Ok(VirtStatus::Disabled)`
`207`	`205`	`}`
`208`	`206`	`}`