<feature>[kvm]: support TPM key provider restore from snapshot group

Add findKeyProviderUuidByName and defaultKeyProviderUuid methods to
TpmEncryptedResourceKeyBackend interface for key provider lookup.
Implement these methods in DummyTpmEncryptedResourceKeyBackend.
Add backupUuid field to KvmSecureBootExtensions to support restoring
from specific backup files instead of default latest backup. Update
SnapshotGroupRevertTpmHelper to restore TPM key provider information
from system tags on backup files, with fallback to default provider.

Related: ZSV-11310
Resolves: ZSV-11441

Change-Id: I6d75766b6a6c616e73737a6d77626d6870706574

Author: Zhang Wenhao

compute/src/main/java/org/zstack/compute/vm/devices/DummyTpmEncryptedResourceKeyBackend.java

@@ -23,11 +23,21 @@ public String findKeyProviderUuidByTpm(String tpmUuid) {
         return null;
     }
 
+    @Override
+    public String findKeyProviderUuidByName(String providerName) {
+        return null;
+    }
+
     @Override
     public String findKeyProviderNameByTpm(String tpmUuid) {
         return null;
     }
 
+    @Override
+    public String defaultKeyProviderUuid() {
+        return null;
+    }
+
     @Override
     public void cloneEncryptedResourceKey(CloneEncryptedResourceKeyContext context, Completion completion) {
         // do nothing

compute/src/main/java/org/zstack/compute/vm/devices/TpmEncryptedResourceKeyBackend.java

@@ -25,11 +25,21 @@ public interface TpmEncryptedResourceKeyBackend {
      */
     String findKeyProviderUuidByTpm(String tpmUuid);
 
+    /**
+     * maybe null (when crypto module is not installed)
+     */
+    String findKeyProviderUuidByName(String providerName);
+
     /**
      * maybe null (when crypto module is not installed)
      */
     String findKeyProviderNameByTpm(String tpmUuid);
 
+    /**
+     * maybe null (when crypto module is not installed)
+     */
+    String defaultKeyProviderUuid();
+
     static class CloneEncryptedResourceKeyContext {
         public String srcTpmUuid;
         public String dstTpmUuid;

plugin/kvm/src/main/java/org/zstack/kvm/efi/KvmSecureBootExtensions.java

@@ -1,5 +1,6 @@
 package org.zstack.kvm.efi;
 
+import org.apache.commons.lang.StringUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.zstack.compute.legacy.ComputeLegacyGlobalProperty;
 import org.zstack.compute.vm.VmGlobalConfig;
@@ -33,7 +34,6 @@
 import org.zstack.header.vm.PreVmInstantiateResourceExtensionPoint;
 import org.zstack.header.vm.VmInstanceConstant;
 import org.zstack.header.vm.AfterReimageVmInstanceExtensionPoint;
-import org.zstack.header.vm.VmInstanceDestroyExtensionPoint;
 import org.zstack.header.vm.VmInstanceInventory;
 import org.zstack.header.vm.VmInstanceMigrateExtensionPoint;
 import org.zstack.header.vm.VmInstanceSpec;
@@ -364,6 +364,7 @@ public static class PrepareHostFileContext {
         public String hostUuid;
         public String vmUuid;
         public VmHostFileType type;
+        public String backupUuid;
         public String syncReason;
 
         public String path;
@@ -373,8 +374,10 @@ public static class PrepareHostFileContext {
         private VmHostFileVO vmHostFile;
         private VmHostBackupFileVO vmBackupFileVO;
 
-        // property:  VmHostFileVO (read success) > VmHostFileVO (read fail) > VmHostBackupFileVO
-        // Note: read VmHostBackupFileVO only if VmHostFileVO is not exist
+        // property: VmHostBackupFileVO (when "backupUuid" is set)
+        //             > VmHostFileVO (read success)
+        //             > VmHostFileVO (read fail)
+        //             > VmHostBackupFileVO (vmInstanceUuid matched)  <-  read this only if VmHostFileVO is not exist
     }
 
     @SuppressWarnings("rawtypes")
@@ -384,6 +387,11 @@ public void prepareHostFileOnHost(PrepareHostFileContext context, Completion com
         chain.then(new NoRollbackFlow() {
             String __name__ = "read-vm-host-file-from-origin-host";
 
+            @Override
+            public boolean skip(Map data) {
+                return StringUtils.isNotBlank(context.backupUuid);
+            }
+
             @Override
             public void run(FlowTrigger trigger, Map data) {
                 VmHostFileVO vmHostFile = Q.New(VmHostFileVO.class)
@@ -439,12 +447,23 @@ public boolean skip(Map data) {
 
             @Override
             public void run(FlowTrigger trigger, Map data) {
-                context.vmBackupFileVO = Q.New(VmHostBackupFileVO.class)
-                        .eq(VmHostBackupFileVO_.type, context.type)
-                        .eq(VmHostBackupFileVO_.resourceUuid, context.vmUuid)
-                        .orderByDesc(VmHostBackupFileVO_.lastOpDate)
-                        .limit(1)
-                        .find();
+                if (context.backupUuid == null) {
+                    context.vmBackupFileVO = Q.New(VmHostBackupFileVO.class)
+                            .eq(VmHostBackupFileVO_.type, context.type)
+                            .eq(VmHostBackupFileVO_.resourceUuid, context.vmUuid)
+                            .orderByDesc(VmHostBackupFileVO_.lastOpDate)
+                            .limit(1)
+                            .find();
+                } else {
+                    context.vmBackupFileVO = Q.New(VmHostBackupFileVO.class)
+                            .eq(VmHostBackupFileVO_.uuid, context.backupUuid)
+                            .find();
+                    if (context.vmBackupFileVO == null) {
+                        trigger.fail(operr("cannot find matched vm-host backup file[backupUuid:%s]",
+                                context.backupUuid));
+                        return;
+                    }
+                }
                 if (context.vmBackupFileVO != null) {
                     logger.debug(String.format("use %s[type=%s] VM-host backup file for VM[uuid=%s]",
                             context.vmBackupFileVO.getUuid(), context.type, context.vmUuid));

plugin/kvm/src/main/java/org/zstack/kvm/tpm/SnapshotGroupRevertTpmHelper.java

@@ -4,6 +4,7 @@
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Configurable;
 import org.zstack.compute.vm.VmGlobalConfig;
+import org.zstack.compute.vm.devices.TpmEncryptedResourceKeyBackend;
 import org.zstack.core.db.Q;
 import org.zstack.header.storage.snapshot.group.VolumeSnapshotGroupVO;
 import org.zstack.header.storage.snapshot.group.VolumeSnapshotGroupVO_;
@@ -15,6 +16,7 @@
 import org.zstack.header.vm.additions.VmHostFileType;
 import org.zstack.header.vm.devices.NvRamSpec;
 import org.zstack.header.vm.devices.VmDevicesSpec;
+import org.zstack.kvm.KVMSystemTags;
 import org.zstack.resourceconfig.ResourceConfigFacade;
 import org.zstack.utils.Utils;
 import org.zstack.utils.logging.CLogger;
@@ -26,7 +28,9 @@ public class SnapshotGroupRevertTpmHelper {
     private static final CLogger logger = Utils.getLogger(SnapshotGroupRevertTpmHelper.class);
 
     @Autowired
-    ResourceConfigFacade resourceConfigFacade;
+    private ResourceConfigFacade resourceConfigFacade;
+    @Autowired
+    private TpmEncryptedResourceKeyBackend tpmKeyBackend;
 
     public void setupFromApi(APICreateVmInstanceFromVolumeSnapshotGroupMsg apiMsg, CreateVmInstanceMsg cmsg) {
         String snapshotGroupUuid = apiMsg.getVolumeSnapshotGroupUuid();
@@ -87,17 +91,31 @@ public void setupFromApi(APICreateVmInstanceFromVolumeSnapshotGroupMsg apiMsg, C
             tpmSpec.setEnable(true);
 
             if (resetTpm) {
-                // resetTpm=true: reset secretUuid, generate a new one during VM creation
+                // resetTpm=true: reset generate a new one during VM creation
                 logger.debug(String.format("resetTpm is true for volume snapshot group[uuid:%s], " +
-                        "will reset secretUuid, tpmBackupFileUuid:%s", snapshotGroupUuid, tpmBackupFile.getUuid()));
+                        "will reset tpmBackupFileUuid:%s", snapshotGroupUuid, tpmBackupFile.getUuid()));
             } else {
                 tpmSpec.setBackupFileUuid(tpmBackupFile.getUuid());
-                // resetTpm=false: should reuse secretUuid + keyProviderUuid recorded in VolumeSnapshotGroup,
-                // but the recording step is not yet implemented, leave them empty for now
-                // TODO: retrieve secretUuid and keyProviderUuid from VolumeSnapshotGroup and set them here
-                logger.warn(String.format("resetTpm is false for volume snapshot group[uuid:%s], " +
-                        "should restore secretUuid and keyProviderUuid but they are not yet recorded in snapshot group, " +
-                        "leaving empty. tpmBackupFileUuid:%s", snapshotGroupUuid, tpmBackupFile.getUuid()));
+            }
+
+            String keyProviderName = KVMSystemTags.TPM_KEY_PROVIDER_NAME
+                    .getTokenByResourceUuid(tpmBackupFile.getUuid(), KVMSystemTags.TPM_KEY_PROVIDER_NAME_TOKEN);
+            if (keyProviderName == null) {
+                logger.warn(String.format(
+                        "failed to find keyProvider from snapshotGroup[uuid:%s] by tpmBackupFile[uuid:%s]",
+                        snapshotGroupUuid, tpmBackupFile.getUuid()));
+                if (tpmSpec.getKeyProviderUuid() == null) {
+                    tpmSpec.setKeyProviderUuid(tpmKeyBackend.defaultKeyProviderUuid()); // maybe null
+                }
+            } else {
+                String keyProviderUuid = tpmKeyBackend.findKeyProviderUuidByName(keyProviderName);
+                if (keyProviderUuid == null) {
+                    logger.warn(String.format(
+                            "failed to resolve keyProvider[name:%s] from snapshotGroup[uuid:%s] by tpmBackupFile[uuid:%s], keep keyProviderUuid unset",
+                            keyProviderName, snapshotGroupUuid, tpmBackupFile.getUuid()));
+                } else {
+                    tpmSpec.setKeyProviderUuid(keyProviderUuid);
+                }
             }
         }