Merge branch 'zsv-ldap@@2' into 'feature-zsv-5.0.0-vm-support-vtpm-and-secuceboot'

<feature>[compute]: persist resource key when creating VM

See merge request zstackio/zstack!9366

Author: gitlab

compute/src/main/java/org/zstack/compute/vm/VmInstanceManagerImpl.java

@@ -1214,16 +1214,22 @@ public void setup() {
 
                 flow(new Flow() {
                     String __name__ = "call-after-persist-vm-extensions";
+                    List<VmInstanceCreateExtensionPoint> done = new ArrayList<>();
+
                     @Override
                     public void run(FlowTrigger trigger, Map data) {
-                        pluginRgty.getExtensionList(VmInstanceCreateExtensionPoint.class).forEach(
-                                extensionPoint -> extensionPoint.afterPersistVmInstanceVO(finalVo, msg));
+                        for (VmInstanceCreateExtensionPoint extension : pluginRgty.getExtensionList(VmInstanceCreateExtensionPoint.class)) {
+                            done.add(extension);
+                            extension.afterPersistVmInstanceVO(finalVo, msg);
+                        }
                         trigger.next();
                     }
 
                     @Override
                     public void rollback(FlowRollback trigger, Map data) {
-                        // do nothing
+                        Collections.reverse(done);
+                        CollectionUtils.safeForEach(done,
+                                extension -> extension.afterRollbackPersistVmInstanceVO(finalVo, msg));
                         trigger.rollback();
                     }
                 });
@@ -1315,7 +1321,7 @@ public void run(FlowTrigger trigger, Map data) {
                                 smsg.setRootDiskOfferingUuid(rootDisk.getDiskOfferingUuid());
                             } else if (rootDisk.getSize() > 0) {
                                 dvo = new DiskOfferingVO();
-                                dvo.setUuid(Platform.getUuid());
+                                dvo.setUuid(getUuid());
                                 dvo.setAccountUuid(msg.getAccountUuid());
                                 dvo.setDiskSize(rootDisk.getSize());
                                 dvo.setName("for-create-vm-" + finalVo.getUuid());
@@ -1381,7 +1387,7 @@ public void rollback(FlowRollback chain, Map data) {
                         }
                         DestroyVmInstanceMsg dmsg = new DestroyVmInstanceMsg();
                         dmsg.setVmInstanceUuid(finalVo.getUuid());
-                        dmsg.setDeletionPolicy(VmInstanceDeletionPolicyManager.VmInstanceDeletionPolicy.Direct);
+                        dmsg.setDeletionPolicy(VmInstanceDeletionPolicy.Direct);
                         bus.makeTargetServiceIdByResourceUuid(dmsg, VmInstanceConstant.SERVICE_ID, finalVo.getUuid());
                         bus.send(dmsg, new CloudBusCallBack(null) {
                             @Override

…DummyTpmEncryptedResourceKeyBackend.java …DummyTpmEncryptedResourceKeyBackend.javaplugin/kvm/src/main/java/org/zstack/kvm/tpm/DummyTpmEncryptedResourceKeyBackend.java renamed to compute/src/main/java/org/zstack/compute/vm/devices/DummyTpmEncryptedResourceKeyBackend.java plugin/kvm/src/main/java/org/zstack/kvm/tpm/DummyTpmEncryptedResourceKeyBackend.java renamed to compute/src/main/java/org/zstack/compute/vm/devices/DummyTpmEncryptedResourceKeyBackend.java

@@ -1,4 +1,4 @@
-package org.zstack.kvm.tpm;
+package org.zstack.compute.vm.devices;
 
 import org.zstack.header.core.Completion;
 import org.zstack.utils.Utils;
@@ -7,6 +7,22 @@
 public class DummyTpmEncryptedResourceKeyBackend implements TpmEncryptedResourceKeyBackend {
     private static final CLogger logger = Utils.getLogger(DummyTpmEncryptedResourceKeyBackend.class);
 
+    @Override
+    public void attachKeyProviderToTpm(String tpmUuid, String keyProviderUuid) {
+        logger.debug("ignore attach key provider to TPM request for TPM uuid " + tpmUuid +
+                " and key provider uuid " + keyProviderUuid);
+    }
+
+    @Override
+    public void detachKeyProviderFromTpm(String tpmUuid) {
+        logger.debug("ignore detach key provider from TPM request for TPM uuid " + tpmUuid);
+    }
+
+    @Override
+    public String findKeyProviderUuidByTpm(String tpmUuid) {
+        return null;
+    }
+
     @Override
     public void cloneEncryptedResourceKey(CloneEncryptedResourceKeyContext context, Completion completion) {
         // do nothing

…/tpm/TpmEncryptedResourceKeyBackend.java …ices/TpmEncryptedResourceKeyBackend.javaplugin/kvm/src/main/java/org/zstack/kvm/tpm/TpmEncryptedResourceKeyBackend.java renamed to compute/src/main/java/org/zstack/compute/vm/devices/TpmEncryptedResourceKeyBackend.java plugin/kvm/src/main/java/org/zstack/kvm/tpm/TpmEncryptedResourceKeyBackend.java renamed to compute/src/main/java/org/zstack/compute/vm/devices/TpmEncryptedResourceKeyBackend.java

@@ -1,4 +1,4 @@
-package org.zstack.kvm.tpm;
+package org.zstack.compute.vm.devices;
 
 import org.zstack.header.core.Completion;
 
@@ -7,6 +7,24 @@
  * and other tasks in VM TPM cloning scenarios.
  */
 public interface TpmEncryptedResourceKeyBackend {
+
+    /**
+     * Build relationship from {@link org.zstack.header.tpm.entity.TpmVO} to EncryptedResourceKeyRefVO
+     * Non-async call.
+     */
+    void attachKeyProviderToTpm(String tpmUuid, String keyProviderUuid);
+
+    /**
+     * Clean relationship from {@link org.zstack.header.tpm.entity.TpmVO} to EncryptedResourceKeyRefVO
+     * Non-async call.
+     */
+    void detachKeyProviderFromTpm(String tpmUuid);
+
+    /**
+     * maybe null (when crypto module is not installed)
+     */
+    String findKeyProviderUuidByTpm(String tpmUuid);
+
     static class CloneEncryptedResourceKeyContext {
         public String srcTpmUuid;
         public String dstTpmUuid;

compute/src/main/java/org/zstack/compute/vm/devices/VmTpmExtensions.java

@@ -4,6 +4,7 @@
 import org.zstack.compute.vm.BuildVmSpecExtensionPoint;
 import org.zstack.compute.vm.VmSystemTags;
 import org.zstack.core.db.Q;
+import org.zstack.core.db.SQLBatch;
 import org.zstack.header.tpm.entity.TpmSpec;
 import org.zstack.header.tpm.entity.TpmVO;
 import org.zstack.header.tpm.entity.TpmVO_;
@@ -25,6 +26,8 @@ public class VmTpmExtensions implements VmInstanceCreateExtensionPoint,
     private VmTpmManager vmTpmManager;
     @Autowired
     private ResourceConfigFacade resourceConfigFacade;
+    @Autowired
+    private TpmEncryptedResourceKeyBackend resourceKeyBackend;
 
     @Override
     public void preCreateVmInstance(CreateVmInstanceMsg msg) {
@@ -38,17 +41,49 @@ public void afterPersistVmInstanceVO(VmInstanceVO vo, CreateVmInstanceMsg msg) {
             return;
         }
 
-        vmTpmManager.persistTpmVO(null, vo.getUuid());
+        new SQLBatch() {
+            @Override
+            protected void scripts() {
+                final TpmVO tpm = vmTpmManager.persistTpmVO(null, vo.getUuid());
+                final String keyProviderUuid = spec.getTpm().getKeyProviderUuid();
+                if (keyProviderUuid != null) {
+                    resourceKeyBackend.attachKeyProviderToTpm(tpm.getUuid(), keyProviderUuid);
+                }
+            }
+        }.execute();
+    }
+
+    @Override
+    public void afterRollbackPersistVmInstanceVO(VmInstanceVO vo, CreateVmInstanceMsg msg) {
+        String tpmUuid = Q.New(TpmVO.class)
+                .eq(TpmVO_.vmInstanceUuid, vo.getUuid())
+                .select(TpmVO_.uuid)
+                .findValue();
+        if (tpmUuid == null) {
+            return;
+        }
+
+        new SQLBatch() {
+            @Override
+            protected void scripts() {
+                try {
+                    resourceKeyBackend.detachKeyProviderFromTpm(tpmUuid);
+                } finally {
+                    vmTpmManager.deleteTpmVO(tpmUuid);
+                }
+            }
+        }.execute();
     }
 
     @Override
     public void afterBuildVmSpec(VmInstanceSpec spec) {
         String vmUuid = spec.getVmInventory().getUuid();
 
-        boolean tpmExists = Q.New(TpmVO.class)
+        String tpmUuid = Q.New(TpmVO.class)
                 .eq(TpmVO_.vmInstanceUuid, vmUuid)
-                .isExists();
-        boolean needRegisterNvRam = tpmExists;
+                .select(TpmVO_.uuid)
+                .findValue();
+        boolean needRegisterNvRam = tpmUuid != null;
         if (!needRegisterNvRam) {
             String bootMode = VmSystemTags.BOOT_MODE.getTokenByResourceUuid(vmUuid, VmSystemTags.BOOT_MODE_TOKEN);
             if (vmTpmManager.isUefiBootMode(bootMode)) {
@@ -64,12 +99,13 @@ public void afterBuildVmSpec(VmInstanceSpec spec) {
             spec.setNvRamSpec(nvRamSpec);
         }
 
-        if (tpmExists && (spec.getDevicesSpec() == null || spec.getDevicesSpec().getTpm() == null)) {
+        if (tpmUuid != null && (spec.getDevicesSpec() == null || spec.getDevicesSpec().getTpm() == null)) {
             VmDevicesSpec devicesSpec = spec.getDevicesSpec() == null ? new VmDevicesSpec() : spec.getDevicesSpec();
             spec.setDevicesSpec(devicesSpec);
 
             devicesSpec.setTpm(new TpmSpec());
             devicesSpec.getTpm().setEnable(true);
+            devicesSpec.getTpm().setKeyProviderUuid(resourceKeyBackend.findKeyProviderUuidByTpm(tpmUuid));
         }
     }
 }

compute/src/main/java/org/zstack/compute/vm/devices/VmTpmManager.java

@@ -38,6 +38,10 @@ public TpmVO persistTpmVO(String tpmUuid, String vmUuid) {
         return tpm;
     }
 
+    public void deleteTpmVO(String tpmUuid) {
+        databaseFacade.removeByPrimaryKey(tpmUuid, TpmVO.class);
+    }
+
     /**
      * @param bootMode boot mode, null is Legacy
      */

conf/errorCodes/keyProvider.xml

@@ -0,0 +1,108 @@
+<error>
+    <prefix>KP</prefix>
+
+    <code>
+        <id>1000</id>
+        <description>ok</description>
+    </code>
+
+    <code>
+        <id>1001</id>
+        <description>invalid content</description>
+    </code>
+
+    <code>
+        <id>1002</id>
+        <description>internal error</description>
+    </code>
+
+    <code>
+        <id>1500</id>
+        <description>backend unavailable</description>
+    </code>
+
+    <code>
+        <id>1506</id>
+        <description>socket not found</description>
+    </code>
+
+    <code>
+        <id>1507</id>
+        <description>socket not socket</description>
+    </code>
+
+    <code>
+        <id>1700</id>
+        <description>kmip connect failed</description>
+    </code>
+
+    <code>
+        <id>1701</id>
+        <description>kmip timeout</description>
+    </code>
+
+    <code>
+        <id>1702</id>
+        <description>kmip tls handshake failed</description>
+    </code>
+
+    <code>
+        <id>1703</id>
+        <description>kmip cert invalid</description>
+    </code>
+
+    <code>
+        <id>1704</id>
+        <description>kmip operation failed</description>
+    </code>
+
+    <code>
+        <id>1600</id>
+        <description>root key sha256 mismatch</description>
+    </code>
+
+    <code>
+        <id>1601</id>
+        <description>root key sha256 file missing</description>
+    </code>
+
+    <code>
+        <id>1602</id>
+        <description>zip data required</description>
+    </code>
+
+    <code>
+        <id>1603</id>
+        <description>checksum mismatch</description>
+    </code>
+
+    <code>
+        <id>1604</id>
+        <description>password invalid</description>
+    </code>
+
+    <code>
+        <id>1605</id>
+        <description>root key extension missing</description>
+    </code>
+
+    <code>
+        <id>1900</id>
+        <description>name duplicate</description>
+    </code>
+
+    <code>
+        <id>1901</id>
+        <description>uuid duplicate</description>
+    </code>
+
+    <code>
+        <id>2000</id>
+        <description>TPM related errors</description>
+    </code>
+
+    <code>
+        <id>2101</id>
+        <description>TPM already attached key provider</description>
+    </code>
+</error>

conf/springConfigXml/Kvm.xml

@@ -273,6 +273,4 @@
             <zstack:extension interface="org.zstack.header.vm.VmInstanceDestroyExtensionPoint" />
         </zstack:plugin>
     </bean>
-
-    <bean id="DummyTpmEncryptedResourceKeyBackend" class="org.zstack.kvm.tpm.DummyTpmEncryptedResourceKeyBackend"/>
 </beans>

conf/springConfigXml/VmInstanceManager.xml

@@ -283,16 +283,18 @@
 
     <bean id="VmTpmManager" class="org.zstack.compute.vm.devices.VmTpmManager"/>
 
-    <bean id="VmTpmExtensions" class="org.zstack.compute.vm.devices.VmTpmExtensions">
-        <zstack:plugin>
-            <zstack:extension interface="org.zstack.header.vm.VmInstanceCreateExtensionPoint" />
-            <zstack:extension interface="org.zstack.compute.vm.BuildVmSpecExtensionPoint" />
-        </zstack:plugin>
-    </bean>
-
-    <bean id="VmTpmRekeyAssociation" class="org.zstack.compute.vm.devices.VmTpmRekeyAssociation">
-        <zstack:plugin>
-            <zstack:extension interface="org.zstack.header.keyprovider.KeyProviderRekeyAssociationExtensionPoint" />
-        </zstack:plugin>
-    </bean>
-</beans>
+    <bean id="VmTpmExtensions" class="org.zstack.compute.vm.devices.VmTpmExtensions">
+        <zstack:plugin>
+            <zstack:extension interface="org.zstack.header.vm.VmInstanceCreateExtensionPoint" />
+            <zstack:extension interface="org.zstack.compute.vm.BuildVmSpecExtensionPoint" />
+        </zstack:plugin>
+    </bean>
+
+    <bean id="VmTpmRekeyAssociation" class="org.zstack.compute.vm.devices.VmTpmRekeyAssociation">
+        <zstack:plugin>
+            <zstack:extension interface="org.zstack.header.keyprovider.KeyProviderRekeyAssociationExtensionPoint" />
+        </zstack:plugin>
+    </bean>
+
+    <bean id="DummyTpmEncryptedResourceKeyBackend" class="org.zstack.compute.vm.devices.DummyTpmEncryptedResourceKeyBackend"/>
+</beans>

header/src/main/java/org/zstack/header/vm/VmInstanceCreateExtensionPoint.java

@@ -9,4 +9,11 @@ public interface VmInstanceCreateExtensionPoint {
     void preCreateVmInstance(CreateVmInstanceMsg msg);
 
     default void afterPersistVmInstanceVO(VmInstanceVO vo, CreateVmInstanceMsg msg) {}
+
+    /**
+     * Invoked when VM creation rolls back after
+     * {`@link` `#afterPersistVmInstanceVO`(VmInstanceVO, CreateVmInstanceMsg)} so extensions can
+     * clean up any state created in that hook. Implementations should be idempotent.
+     */
+    default void afterRollbackPersistVmInstanceVO(VmInstanceVO vo, CreateVmInstanceMsg msg) {}
 }

plugin/kvm/src/main/java/org/zstack/kvm/tpm/KvmTpmManager.java

@@ -1,6 +1,7 @@
 package org.zstack.kvm.tpm;
 
 import org.springframework.beans.factory.annotation.Autowired;
+import org.zstack.compute.vm.devices.TpmEncryptedResourceKeyBackend;
 import org.zstack.compute.vm.devices.VmTpmManager;
 import org.zstack.core.asyncbatch.While;
 import org.zstack.core.cloudbus.CloudBus;