Merge branch 'remove-resource-keyref@@2' into 'feature-zsv-5.0.0-vm-support-vtpm-and-secuceboot'

<fix>[crypto]: keep TPM key ref until VM removed from DB

See merge request zstackio/zstack!9540

Author: gitlab

compute/src/main/java/org/zstack/compute/vm/VmInstanceBase.java

@@ -7,6 +7,8 @@
 import org.springframework.dao.DataIntegrityViolationException;
 import org.springframework.transaction.annotation.Transactional;
 import org.zstack.compute.allocator.HostAllocatorManager;
+import org.zstack.compute.vm.devices.TpmEncryptedResourceKeyBackend;
+import org.zstack.compute.vm.devices.VmTpmManager;
 import org.zstack.core.Platform;
 import org.zstack.core.asyncbatch.While;
 import org.zstack.core.cascade.CascadeConstant;
@@ -142,13 +144,28 @@ public class VmInstanceBase extends AbstractVmInstance {
     private VmInstanceResourceMetadataManager vidm;
     @Autowired
     private NetworkServiceManager nwServiceMgr;
+    @Autowired
+    private TpmEncryptedResourceKeyBackend tpmKeyBackend;
 
     protected VmInstanceVO self;
     protected VmInstanceVO originalCopy;
     protected String syncThreadName;
     private final static StaticIpOperator ipOperator = new StaticIpOperator();
     private final static VmConfigSyncHelper vmConfigSyncHelper = new VmConfigSyncHelper();
 
+    private void detachTpmKeyProviderBestEffort(String tpmUuid) {
+        if (tpmUuid == null) {
+            return;
+        }
+        try {
+            tpmKeyBackend.detachKeyProviderFromTpm(tpmUuid);
+        } catch (Throwable t) {
+            logger.warn(String.format(
+                    "failed to detach key provider from TPM[uuid:%s]: %s",
+                    tpmUuid, t.getMessage()), t);
+        }
+    }
+
     protected void checkState(final String hostUuid, final NoErrorCompletion completion) {
         CheckVmStateOnHypervisorMsg msg = new CheckVmStateOnHypervisorMsg();
         msg.setVmInstanceUuids(list(self.getUuid()));
@@ -1272,6 +1289,8 @@ public void handle(Map data) {
                 CollectionUtils.safeForEach(pluginRgty.getExtensionList(VmAfterExpungeExtensionPoint.class),
                         arg -> arg.vmAfterExpunge(inv));
 
+                final String tpmUuidForEncryptedKeyRef = VmTpmManager.findTpmUuidForVmOrNull(self.getUuid());
+
                 callVmJustBeforeDeleteFromDbExtensionPoint();
 
                 dbf.reload(self);
@@ -1283,6 +1302,7 @@ public void handle(Map data) {
                 if (inv.getRootVolumeUuid() != null) {
                     dbf.eoCleanup(VolumeVO.class, inv.getRootVolumeUuid());
                 }
+                detachTpmKeyProviderBestEffort(tpmUuidForEncryptedKeyRef);
                 completion.success();
             }
         }).error(new FlowErrorHandler(completion) {
@@ -2582,12 +2602,15 @@ public void success() {
                     if (self.getState() != VmInstanceState.Destroyed) {
                         changeVmStateInDb(VmInstanceStateEvent.destroyed);
                     }
+                    final String tpmUuidForEncryptedKeyRef = VmTpmManager.findTpmUuidForVmOrNull(self.getUuid());
                     callVmJustBeforeDeleteFromDbExtensionPoint();
                     dbf.removeCollection(self.getVmCdRoms(), VmCdRomVO.class);
                     dbf.remove(getSelf());
                     dbf.eoCleanup(VmInstanceVO.class, self.getUuid());
+                    detachTpmKeyProviderBestEffort(tpmUuidForEncryptedKeyRef);
                 } else if (deletionPolicy == VmInstanceDeletionPolicy.DBOnly || deletionPolicy == VmInstanceDeletionPolicy.KeepVolume) {
                     String accountUuid = acntMgr.getOwnerAccountUuidOfResource(inv.getUuid());
+                    final String tpmUuidForEncryptedKeyRef = VmTpmManager.findTpmUuidForVmOrNull(self.getUuid());
                     new SQLBatch() {
                         @Override
                         protected void scripts() {
@@ -2601,6 +2624,7 @@ protected void scripts() {
                             sql(VmInstanceVO.class).eq(VmInstanceVO_.uuid, self.getUuid()).hardDelete();
                         }
                     }.execute();
+                    detachTpmKeyProviderBestEffort(tpmUuidForEncryptedKeyRef);
                     callVmJustAfterDeleteFromDbExtensionPoint(inv, accountUuid);
                 } else if (deletionPolicy == VmInstanceDeletionPolicy.Delay) {
                     changeVmStateInDb(VmInstanceStateEvent.destroyed);

compute/src/main/java/org/zstack/compute/vm/devices/VmTpmManager.java

@@ -42,6 +42,13 @@ public void deleteTpmVO(String tpmUuid) {
         databaseFacade.removeByPrimaryKey(tpmUuid, TpmVO.class);
     }
 
+    public static String findTpmUuidForVmOrNull(String vmInstanceUuid) {
+        return Q.New(TpmVO.class)
+                .eq(TpmVO_.vmInstanceUuid, vmInstanceUuid)
+                .select(TpmVO_.uuid)
+                .findValue();
+    }
+
     /**
      * @param bootMode boot mode, null is Legacy
      */

header/src/main/java/org/zstack/header/keyprovider/EncryptedResourceKeyManager.java

@@ -38,6 +38,7 @@ class GetOrCreateResourceKeyContext {
         private String resourceUuid;
         private String resourceType;
         private String keyProviderUuid;
+        private String keyProviderName;
         private String purpose;
 
         public String getResourceUuid() {
@@ -64,6 +65,14 @@ public void setKeyProviderUuid(String keyProviderUuid) {
             this.keyProviderUuid = keyProviderUuid;
         }
 
+        public String getKeyProviderName() {
+            return keyProviderName;
+        }
+
+        public void setKeyProviderName(String keyProviderName) {
+            this.keyProviderName = keyProviderName;
+        }
+
         public String getPurpose() {
             return purpose;
         }

plugin/kvm/src/main/java/org/zstack/kvm/tpm/KvmTpmExtensions.java

@@ -173,7 +173,7 @@ public void fail(ErrorCode errorCode) {
             @Override
             public boolean skip(Map data) {
                 boolean shouldSkip = VmGlobalConfig.ALLOWED_TPM_VM_WITHOUT_KMS.value(Boolean.class) &&
-                        (StringUtils.isBlank(context.providerUuid) || StringUtils.isBlank(context.providerName));
+                        (StringUtils.isBlank(context.providerUuid) && StringUtils.isBlank(context.providerName));
                 if (shouldSkip) {
                     logger.info("skip create-dek: allowed.tpm.vm.without.kms is enabled and no KMS provider bound");
                 }
@@ -182,7 +182,7 @@ public boolean skip(Map data) {
 
             @Override
             public void run(FlowTrigger trigger, Map data) {
-                if (StringUtils.isBlank(context.providerUuid) || StringUtils.isBlank(context.providerName)) {
+                if (StringUtils.isBlank(context.providerUuid) && StringUtils.isBlank(context.providerName)) {
                     trigger.fail(operr("missing TPM resource key binding for tpm[uuid:%s], attachKeyProviderToTpm must run before create-dek", context.tpmUuid));
                     return;
                 }
@@ -191,13 +191,15 @@ public void run(FlowTrigger trigger, Map data) {
                 keyCtx.setResourceUuid(context.tpmUuid);
                 keyCtx.setResourceType(TpmVO.class.getSimpleName());
                 keyCtx.setKeyProviderUuid(context.providerUuid);
+                keyCtx.setKeyProviderName(context.providerName);
                 keyCtx.setPurpose("vtpm");
 
                 resourceKeyManager.getOrCreateKey(keyCtx, new ReturnValueCompletion<ResourceKeyResult>(trigger) {
                     @Override
                     public void success(ResourceKeyResult result) {
                         tpmSpec.setResourceKeyCreatedNew(result.isCreatedNewKey());
                         tpmSpec.setResourceKeyProviderUuid(result.getKeyProviderUuid());
+                        context.providerUuid = result.getKeyProviderUuid();
                         context.providerName = result.getKeyProviderName();
                         context.dekBase64 = result.getDekBase64();
                         trigger.next();

sdk/src/main/java/SourceClassMap.java

@@ -70,6 +70,7 @@ public class SourceClassMap {
 			put("org.zstack.core.jsonlabel.JsonLabelInventory", "org.zstack.sdk.JsonLabelInventory");
 			put("org.zstack.crypto.ccs.CCSCertificateAccountRefInventory", "org.zstack.sdk.CCSCertificateAccountRefInventory");
 			put("org.zstack.crypto.ccs.CCSCertificateInventory", "org.zstack.sdk.CCSCertificateInventory");
+			put("org.zstack.crypto.keyprovider.api.RekeyFailedResource", "org.zstack.sdk.keyprovider.api.RekeyFailedResource");
 			put("org.zstack.crypto.keyprovider.api.RekeySkippedResource", "org.zstack.sdk.keyprovider.api.RekeySkippedResource");
 			put("org.zstack.crypto.securitymachine.thirdparty.aisino.AiSiNoSecretResourcePoolInventory", "org.zstack.sdk.AiSiNoSecretResourcePoolInventory");
 			put("org.zstack.crypto.securitymachine.thirdparty.flkSec.FlkSecSecretResourcePoolInventory", "org.zstack.sdk.FlkSecSecretResourcePoolInventory");
@@ -1267,6 +1268,7 @@ public class SourceClassMap {
 			put("org.zstack.sdk.identity.ldap.entity.LdapServerInventory", "org.zstack.ldap.entity.LdapServerInventory");
 			put("org.zstack.sdk.identity.role.RoleAccountRefInventory", "org.zstack.header.identity.role.RoleAccountRefInventory");
 			put("org.zstack.sdk.identity.role.RoleInventory", "org.zstack.header.identity.role.RoleInventory");
+			put("org.zstack.sdk.keyprovider.api.RekeyFailedResource", "org.zstack.crypto.keyprovider.api.RekeyFailedResource");
 			put("org.zstack.sdk.keyprovider.api.RekeySkippedResource", "org.zstack.crypto.keyprovider.api.RekeySkippedResource");
 			put("org.zstack.sdk.license.entity.LicenseHistoryInventory", "org.zstack.license.entity.LicenseHistoryInventory");
 			put("org.zstack.sdk.license.entity.LicenseUsageView", "org.zstack.license.entity.LicenseUsageView");

sdk/src/main/java/org/zstack/sdk/keyprovider/api/RekeyFailedResource.java

@@ -0,0 +1,39 @@
+package org.zstack.sdk.keyprovider.api;
+
+
+
+public class RekeyFailedResource  {
+
+    public java.lang.Long keyRefId;
+    public void setKeyRefId(java.lang.Long keyRefId) {
+        this.keyRefId = keyRefId;
+    }
+    public java.lang.Long getKeyRefId() {
+        return this.keyRefId;
+    }
+
+    public java.lang.String resourceType;
+    public void setResourceType(java.lang.String resourceType) {
+        this.resourceType = resourceType;
+    }
+    public java.lang.String getResourceType() {
+        return this.resourceType;
+    }
+
+    public java.lang.String resourceUuid;
+    public void setResourceUuid(java.lang.String resourceUuid) {
+        this.resourceUuid = resourceUuid;
+    }
+    public java.lang.String getResourceUuid() {
+        return this.resourceUuid;
+    }
+
+    public java.lang.String reason;
+    public void setReason(java.lang.String reason) {
+        this.reason = reason;
+    }
+    public java.lang.String getReason() {
+        return this.reason;
+    }
+
+}

sdk/src/main/java/org/zstack/sdk/keyprovider/api/RekeyKeyProviderRefsResult.java

@@ -27,6 +27,14 @@ public int getSkippedCount() {
         return this.skippedCount;
     }
 
+    public int failedCount;
+    public void setFailedCount(int failedCount) {
+        this.failedCount = failedCount;
+    }
+    public int getFailedCount() {
+        return this.failedCount;
+    }
+
     public java.util.List skippedResources;
     public void setSkippedResources(java.util.List skippedResources) {
         this.skippedResources = skippedResources;
@@ -35,4 +43,12 @@ public java.util.List getSkippedResources() {
         return this.skippedResources;
     }
 
+    public java.util.List failedResources;
+    public void setFailedResources(java.util.List failedResources) {
+        this.failedResources = failedResources;
+    }
+    public java.util.List getFailedResources() {
+        return this.failedResources;
+    }
+
 }