From ed8af8c97ff77461b4d1c9cc9b594a3ae94de2dc Mon Sep 17 00:00:00 2001
From: chuntaojun
Date: Mon, 6 May 2024 16:04:42 +0800
Subject: [PATCH 1/2] feat:support cpu type

---
 .../mtls/sds/{secret.go => secret_amd64.go} | 2 +
 security/mtls/sds/secret_arm64.go | 97 +++++++++++++++++++
 2 files changed, 99 insertions(+)
 rename security/mtls/sds/{secret.go => secret_amd64.go} (99%)
 create mode 100644 security/mtls/sds/secret_arm64.go

diff --git a/security/mtls/sds/secret.go b/security/mtls/sds/secret_amd64.go
similarity index 99%
rename from security/mtls/sds/secret.go
rename to security/mtls/sds/secret_amd64.go
index 84cee31..3aabe13 100644
--- a/security/mtls/sds/secret.go
+++ b/security/mtls/sds/secret_amd64.go
@@ -1,3 +1,5 @@
+//go:build amd64
+
 package sds
 
 import (
diff --git a/security/mtls/sds/secret_arm64.go b/security/mtls/sds/secret_arm64.go
new file mode 100644
index 0000000..32e68a6
--- /dev/null
+++ b/security/mtls/sds/secret_arm64.go
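Review bot: With `//go:build amd64` on the renamed file, `makeSecrets`, `makeSecret` and `makeCASecret` exist only for amd64 and, through the new secret_arm64.go, arm64; on every other GOARCH the sds package loses these methods unless some file not in this patch provides them. Only the value of `cryptombSupported` is architecture-specific, so the portable shape is to keep the shared code in an unconstrained secret.go and move just that variable into a small `cryptomb_amd64.go` plus a fallback file with `//go:build !amd64` containing `var cryptombSupported = false`. The same concern applies to the secret_arm64.go hunk that follows. A toolchain older than Go 1.17 ignores `//go:build` lines, so if the build still uses one the constraint would be dropped and both files would compile into the same package; adding the legacy `// +build amd64` line alongside the directive avoids that, if it is a real possibility here.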
@@ -0,0 +1,97 @@
+//go:build arm64
+
+package sds
+
+import (
+ "time"
+
+ cryptomb "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/private_key_providers/cryptomb/v3alpha"
+ core "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
+ envoytls "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3"
+ "github.com/envoyproxy/go-control-plane/pkg/cache/types"
+ "google.golang.org/protobuf/types/known/anypb"
+ "google.golang.org/protobuf/types/known/durationpb"
+
+ "github.com/polarismesh/polaris-sidecar/security/mtls/certificate"
+)
+
+// cryptombSupported indicate that whether the cpu can use crypto_mb library.
+// The crypto_mb library can accelerate tls in envoy by using AVX512 instructions.
+// So we should check the CPUID here.
+// See references:
+// 1. https://github.com/intel/ipp-crypto/blob/46944bd18e6dbad491ef9b9a3404303ef7680c09/sources/ippcp/crypto_mb/src/common/cpu_features.c#L227
+// 2. https://github.com/intel-go/cpuid/
+var cryptombSupported = false
+
+// makeSecrets make all secrets which should be pushed to envoy.
+// For now, just ROOTCA & default.
+func (s *Server) makeSecrets(bundle certificate.Bundle) []types.Resource {
+ results := []types.Resource{}
+
+ rootCA := s.makeCASecret("ROOTCA", bundle.ROOTCA)
+ def := s.makeSecret("default", bundle.PrivKey, bundle.CertChain, s.cryptombPollDelay)
+ results = append(results, rootCA, def)
+ return results
+}
+
+// makeSecret make secret object with the specified name.
+// key and cryptombPollDelay are optional parameters.
+// If key and cryptombPollDelay are provided, and the `cryptombSupported` is true,
+// secret will use the cryptomb PrivateKeyProvider.
+// See also https://www.envoyproxy.io/docs/envoy/v1.22.2/api-v3/extensions/private_key_providers/cryptomb/v3alpha/cryptomb.proto.html
+func (s *Server) makeSecret(name string, key, cert []byte, cryptombPollDelay time.Duration) *envoytls.Secret {
+ tlsCert := &envoytls.Secret_TlsCertificate{
+ TlsCertificate: &envoytls.TlsCertificate{
+ CertificateChain: &core.DataSource{
+ Specifier: &core.DataSource_InlineBytes{
+ InlineBytes: cert,
+ },
+ },
+ },
+ }
+
+ if key != nil {
+ if cryptombSupported && cryptombPollDelay != 0 {
+ cpc := &cryptomb.CryptoMbPrivateKeyMethodConfig{
+ PollDelay: durationpb.New(cryptombPollDelay),
+ PrivateKey: &core.DataSource{
+ Specifier: &core.DataSource_InlineBytes{
+ InlineBytes: key,
+ },
+ },
+ }
+ msg, _ := anypb.New(cpc)
+ tlsCert.TlsCertificate.PrivateKeyProvider = &envoytls.PrivateKeyProvider{
+ ProviderName: "cryptomb",
+ ConfigType: &envoytls.PrivateKeyProvider_TypedConfig{
+ TypedConfig: msg,
+ },
+ }
+ } else {
+ tlsCert.TlsCertificate.PrivateKey = &core.DataSource{
+ Specifier: &core.DataSource_InlineBytes{
+ InlineBytes: key,
+ },
+ }
+ }
+ }
+ return &envoytls.Secret{
+ Name: name,
+ Type: tlsCert,
+ }
+}
+
+func (s *Server) makeCASecret(name string, ca []byte) *envoytls.Secret {
+ return &envoytls.Secret{
+ Name: name,
+ Type: &envoytls.Secret_ValidationContext{
+ ValidationContext: &envoytls.CertificateValidationContext{
+ TrustedCa: &core.DataSource{
+ Specifier: &core.DataSource_InlineBytes{
+ InlineBytes: ca,
+ },
+ },
+ },
+ },
+ }
+}
From e170be8f9334268862c9460bd57418e5e50a0cec Mon Sep 17 00:00:00 2001
From: chuntaojun
Date: Mon, 6 May 2024 16:07:34 +0800
Subject: [PATCH 2/2] feat:support cpu type

---
 .github/workflows/package.yaml | 2 +-
 build_auto.sh => build_vm.sh | 0
 2 files changed, 1 insertion(+), 1 deletion(-)
 rename build_auto.sh => build_vm.sh (100%)

diff --git a/.github/workflows/package.yaml b/.github/workflows/package.yaml
index cf44b0f..b48b2e0 100644
--- a/.github/workflows/package.yaml
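Review bot: secret_arm64.go is a full copy of the amd64 file in which only the value of `cryptombSupported` could ever differ, so the code that places the inline private key into the Envoy secret now exists twice and every later fix must be applied to both; `msg, _ := anypb.New(cpc)` already drops the marshalling error in both copies. The comment above `var cryptombSupported = false` still says "So we should check the CPUID here", which is misleading on arm64 where the AVX512 requirement of crypto_mb can never be met; if nothing else in the package assigns the variable on arm64, replace that sentence with `// crypto_mb requires AVX512, which arm64 does not have, so this is always false here.` On the ignored error: if `anypb.New` failed, `TypedConfig` would be nil while the inline `PrivateKey` is also left unset, and a secret without any usable key would be pushed to the proxy, so `msg, err := anypb.New(cpc)` followed by falling back to the inline `PrivateKey` (or returning an error) when `err != nil` is the safer shape. The file is complete within this hunk.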
+++ b/.github/workflows/package.yaml
@@ -38,7 +38,7 @@ jobs:
 VERSION: ${{ steps.get_version.outputs.VERSION }}
 run: |
 echo "version is $VERSION"
- bash build_auto.sh $VERSION
+ bash build_vm.sh $VERSION
 PACKAGE_NAME=$(ls | grep polaris-sidecar-local*.zip | sed -n '1p')
 echo ::set-output name=name::${PACKAGE_NAME}
 
diff --git a/build_auto.sh b/build_vm.sh
similarity index 100%
rename from build_auto.sh
rename to build_vm.sh