<fix>[kvm]: skip key provider attach when no KMS

Zhang Wenhao · Zhang Wenhao · commit 2785e194c5d6 · 2026-04-03T22:44:39.000+08:00
Split the "create-tpm-db-records" flow into two separate
flows: one for persisting TpmVO and another for attaching
the key provider to TPM.

The new "attach-key-provider-to-tpm" flow uses skipIf to
skip execution when ALLOWED_TPM_VM_WITHOUT_KMS global
config is set to true, so that
tpmKeyBackend.attachKeyProviderToTpm is not called.

Resolves: ZSV-11729
Related: ZSV-11310

Change-Id: I72757569696e73707a666b746d776a786e716574
diff --git a/plugin/kvm/src/main/java/org/zstack/kvm/tpm/KvmTpmManager.java b/plugin/kvm/src/main/java/org/zstack/kvm/tpm/KvmTpmManager.java
@@ -1,6 +1,7 @@
 package org.zstack.kvm.tpm;
 
 import org.springframework.beans.factory.annotation.Autowired;
+import org.zstack.compute.vm.VmGlobalConfig;
 import org.zstack.compute.vm.devices.TpmEncryptedResourceKeyBackend;
 import org.zstack.compute.vm.devices.VmTpmManager;
 import org.zstack.core.asyncbatch.While;
@@ -230,28 +231,30 @@ private void addTpmToVm(AddTpmToVmContext context, Completion completion) {
                 .build())
             .then(Flow.of("create-tpm-db-records")
                 .handle(trigger -> {
-                    try {
-                        TpmVO tpm = vmTpmManager.persistTpmVO(context.tpmUuid, context.vmInstanceUuid);
-                        context.createdTpmUuid = tpm.getUuid();
-                        context.tpmCreated = true;
-                        if (context.keyProviderUuid != null) {
-                            tpmKeyBackend.attachKeyProviderToTpm(context.createdTpmUuid, context.keyProviderUuid);
-                            context.keyProviderAttached = true;
-                        }
-                        trigger.next();
-                    } catch (Exception e) {
-                        trigger.fail(operr("failed to add TPM to vm[uuid:%s]: %s", context.vmInstanceUuid, e.getMessage()));
+                    TpmVO tpm = vmTpmManager.persistTpmVO(context.tpmUuid, context.vmInstanceUuid);
+                    context.createdTpmUuid = tpm.getUuid();
+                    context.tpmCreated = true;
+                    trigger.next();
+                })
+                .rollback(trigger -> {
+                    if (context.tpmCreated && context.createdTpmUuid != null) {
+                        vmTpmManager.deleteTpmVO(context.createdTpmUuid);
+                    }
+                    trigger.rollback();
+                })
+                .build())
+            .then(Flow.of("attach-key-provider-to-tpm")
+                .skipIf(data -> VmGlobalConfig.ALLOWED_TPM_VM_WITHOUT_KMS.value(Boolean.class))
+                .handle(trigger -> {
+                    if (context.keyProviderUuid != null) {
+                        tpmKeyBackend.attachKeyProviderToTpm(context.createdTpmUuid, context.keyProviderUuid);
+                        context.keyProviderAttached = true;
                     }
+                    trigger.next();
                 })
                 .rollback(trigger -> {
-                    try {
-                        if (context.keyProviderAttached && context.createdTpmUuid != null) {
-                            tpmKeyBackend.detachKeyProviderFromTpm(context.createdTpmUuid);
-                        }
-                    } finally {
-                        if (context.tpmCreated && context.createdTpmUuid != null) {
-                            vmTpmManager.deleteTpmVO(context.createdTpmUuid);
-                        }
+                    if (context.keyProviderAttached && context.createdTpmUuid != null) {
+                        tpmKeyBackend.detachKeyProviderFromTpm(context.createdTpmUuid);
                     }
                     trigger.rollback();
                 })
