Merge branch 'zsv-ldap-2@@2' into 'feature-zsv-5.0.0-vm-support-vtpm-and-secuceboot'

gitlab · gitlab · commit 34ae4159d914 · 2026-03-27T16:02:36.000Z
&lt;feature&gt;[kvm]: support TPM key provider restore from snapshot group

See merge request zstackio/zstack!9481
diff --git a/compute/src/main/java/org/zstack/compute/vm/devices/DummyTpmEncryptedResourceKeyBackend.java b/compute/src/main/java/org/zstack/compute/vm/devices/DummyTpmEncryptedResourceKeyBackend.java
@@ -23,11 +23,21 @@ public String findKeyProviderUuidByTpm(String tpmUuid) {
         return null;
     }
 
+    @Override
+    public String findKeyProviderUuidByName(String providerName) {
+        return null;
+    }
+
     @Override
     public String findKeyProviderNameByTpm(String tpmUuid) {
         return null;
     }
 
+    @Override
+    public String defaultKeyProviderUuid() {
+        return null;
+    }
+
     @Override
     public void cloneEncryptedResourceKey(CloneEncryptedResourceKeyContext context, Completion completion) {
         // do nothing
diff --git a/compute/src/main/java/org/zstack/compute/vm/devices/TpmEncryptedResourceKeyBackend.java b/compute/src/main/java/org/zstack/compute/vm/devices/TpmEncryptedResourceKeyBackend.java
@@ -25,11 +25,21 @@ public interface TpmEncryptedResourceKeyBackend {
      */
     String findKeyProviderUuidByTpm(String tpmUuid);
 
+    /**
+     * maybe null (when crypto module is not installed)
+     */
+    String findKeyProviderUuidByName(String providerName);
+
     /**
      * maybe null (when crypto module is not installed)
      */
     String findKeyProviderNameByTpm(String tpmUuid);
 
+    /**
+     * maybe null (when crypto module is not installed)
+     */
+    String defaultKeyProviderUuid();
+
     static class CloneEncryptedResourceKeyContext {
         public String srcTpmUuid;
         public String dstTpmUuid;
diff --git a/plugin/kvm/src/main/java/org/zstack/kvm/efi/KvmSecureBootExtensions.java b/plugin/kvm/src/main/java/org/zstack/kvm/efi/KvmSecureBootExtensions.java
@@ -1,5 +1,6 @@
 package org.zstack.kvm.efi;
 
+import org.apache.commons.lang.StringUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.zstack.compute.vm.VmGlobalConfig;
 import org.zstack.compute.vm.VmSystemTags;
@@ -272,6 +273,7 @@ public static class PrepareHostFileContext {
         public String hostUuid;
         public String vmUuid;
         public VmHostFileType type;
+        public String backupUuid;
         public String syncReason;
 
         public String path;
@@ -281,8 +283,10 @@ public static class PrepareHostFileContext {
         private VmHostFileVO vmHostFile;
         private VmHostBackupFileVO vmBackupFileVO;
 
-        // property:  VmHostFileVO (read success) > VmHostFileVO (read fail) > VmHostBackupFileVO
-        // Note: read VmHostBackupFileVO only if VmHostFileVO is not exist
+        // property: VmHostBackupFileVO (when "backupUuid" is set)
+        //             > VmHostFileVO (read success)
+        //             > VmHostFileVO (read fail)
+        //             > VmHostBackupFileVO (vmInstanceUuid matched)  <-  read this only if VmHostFileVO is not exist
     }
 
     @SuppressWarnings("rawtypes")
@@ -292,6 +296,11 @@ public void prepareHostFileOnHost(PrepareHostFileContext context, Completion com
         chain.then(new NoRollbackFlow() {
             String __name__ = "read-vm-host-file-from-origin-host";
 
+            @Override
+            public boolean skip(Map data) {
+                return StringUtils.isNotBlank(context.backupUuid);
+            }
+
             @Override
             public void run(FlowTrigger trigger, Map data) {
                 VmHostFileVO vmHostFile = Q.New(VmHostFileVO.class)
@@ -347,12 +356,23 @@ public boolean skip(Map data) {
 
             @Override
             public void run(FlowTrigger trigger, Map data) {
-                context.vmBackupFileVO = Q.New(VmHostBackupFileVO.class)
-                        .eq(VmHostBackupFileVO_.type, context.type)
-                        .eq(VmHostBackupFileVO_.resourceUuid, context.vmUuid)
-                        .orderByDesc(VmHostBackupFileVO_.lastOpDate)
-                        .limit(1)
-                        .find();
+                if (context.backupUuid == null) {
+                    context.vmBackupFileVO = Q.New(VmHostBackupFileVO.class)
+                            .eq(VmHostBackupFileVO_.type, context.type)
+                            .eq(VmHostBackupFileVO_.resourceUuid, context.vmUuid)
+                            .orderByDesc(VmHostBackupFileVO_.lastOpDate)
+                            .limit(1)
+                            .find();
+                } else {
+                    context.vmBackupFileVO = Q.New(VmHostBackupFileVO.class)
+                            .eq(VmHostBackupFileVO_.uuid, context.backupUuid)
+                            .find();
+                    if (context.vmBackupFileVO == null) {
+                        trigger.fail(operr("cannot find matched vm-host backup file[backupUuid:%s]",
+                                context.backupUuid));
+                        return;
+                    }
+                }
                 if (context.vmBackupFileVO != null) {
                     logger.debug(String.format("use %s[type=%s] VM-host backup file for VM[uuid=%s]",
                             context.vmBackupFileVO.getUuid(), context.type, context.vmUuid));
diff --git a/plugin/kvm/src/main/java/org/zstack/kvm/tpm/SnapshotGroupRevertTpmHelper.java b/plugin/kvm/src/main/java/org/zstack/kvm/tpm/SnapshotGroupRevertTpmHelper.java
@@ -4,6 +4,7 @@
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Configurable;
 import org.zstack.compute.vm.VmGlobalConfig;
+import org.zstack.compute.vm.devices.TpmEncryptedResourceKeyBackend;
 import org.zstack.core.db.Q;
 import org.zstack.header.storage.snapshot.group.VolumeSnapshotGroupVO;
 import org.zstack.header.storage.snapshot.group.VolumeSnapshotGroupVO_;
@@ -15,6 +16,7 @@
 import org.zstack.header.vm.additions.VmHostFileType;
 import org.zstack.header.vm.devices.NvRamSpec;
 import org.zstack.header.vm.devices.VmDevicesSpec;
+import org.zstack.kvm.KVMSystemTags;
 import org.zstack.resourceconfig.ResourceConfigFacade;
 import org.zstack.utils.Utils;
 import org.zstack.utils.logging.CLogger;
@@ -26,7 +28,9 @@ public class SnapshotGroupRevertTpmHelper {
     private static final CLogger logger = Utils.getLogger(SnapshotGroupRevertTpmHelper.class);
 
     @Autowired
-    ResourceConfigFacade resourceConfigFacade;
+    private ResourceConfigFacade resourceConfigFacade;
+    @Autowired
+    private TpmEncryptedResourceKeyBackend tpmKeyBackend;
 
     public void setupFromApi(APICreateVmInstanceFromVolumeSnapshotGroupMsg apiMsg, CreateVmInstanceMsg cmsg) {
         String snapshotGroupUuid = apiMsg.getVolumeSnapshotGroupUuid();
@@ -87,17 +91,31 @@ public void setupFromApi(APICreateVmInstanceFromVolumeSnapshotGroupMsg apiMsg, C
             tpmSpec.setEnable(true);
 
             if (resetTpm) {
-                // resetTpm=true: reset secretUuid, generate a new one during VM creation
+                // resetTpm=true: reset generate a new one during VM creation
                 logger.debug(String.format("resetTpm is true for volume snapshot group[uuid:%s], " +
-                        "will reset secretUuid, tpmBackupFileUuid:%s", snapshotGroupUuid, tpmBackupFile.getUuid()));
+                        "will reset tpmBackupFileUuid:%s", snapshotGroupUuid, tpmBackupFile.getUuid()));
             } else {
                 tpmSpec.setBackupFileUuid(tpmBackupFile.getUuid());
-                // resetTpm=false: should reuse secretUuid + keyProviderUuid recorded in VolumeSnapshotGroup,
-                // but the recording step is not yet implemented, leave them empty for now
-                // TODO: retrieve secretUuid and keyProviderUuid from VolumeSnapshotGroup and set them here
-                logger.warn(String.format("resetTpm is false for volume snapshot group[uuid:%s], " +
-                        "should restore secretUuid and keyProviderUuid but they are not yet recorded in snapshot group, " +
-                        "leaving empty. tpmBackupFileUuid:%s", snapshotGroupUuid, tpmBackupFile.getUuid()));
+            }
+
+            String keyProviderName = KVMSystemTags.TPM_KEY_PROVIDER_NAME
+                    .getTokenByResourceUuid(tpmBackupFile.getUuid(), KVMSystemTags.TPM_KEY_PROVIDER_NAME_TOKEN);
+            if (keyProviderName == null) {
+                logger.warn(String.format(
+                        "failed to find keyProvider from snapshotGroup[uuid:%s] by tpmBackupFile[uuid:%s]",
+                        snapshotGroupUuid, tpmBackupFile.getUuid()));
+                if (tpmSpec.getKeyProviderUuid() == null) {
+                    tpmSpec.setKeyProviderUuid(tpmKeyBackend.defaultKeyProviderUuid()); // maybe null
+                }
+            } else {
+                String keyProviderUuid = tpmKeyBackend.findKeyProviderUuidByName(keyProviderName);
+                if (keyProviderUuid == null) {
+                    logger.warn(String.format(
+                            "failed to resolve keyProvider[name:%s] from snapshotGroup[uuid:%s] by tpmBackupFile[uuid:%s], keep keyProviderUuid unset",
+                            keyProviderName, snapshotGroupUuid, tpmBackupFile.getUuid()));
+                } else {
+                    tpmSpec.setKeyProviderUuid(keyProviderUuid);
+                }
             }
         }
 
