Merge branch 'secret-get@@2' into 'feature-zsv-5.0.0-vm-support-vtpm-and-secuceboot'

<fix>[crypto]: secret get in vm pre instantiate

See merge request zstackio/zstack!9582

Author: gitlab

compute/src/main/java/org/zstack/compute/vm/devices/DummyTpmEncryptedResourceKeyBackend.java

@@ -33,6 +33,11 @@ public String findKeyProviderNameByTpm(String tpmUuid) {
         return null;
     }
 
+    @Override
+    public Integer findKeyVersionByTpm(String tpmUuid) {
+        return null;
+    }
+
     @Override
     public String defaultKeyProviderUuid() {
         return null;

compute/src/main/java/org/zstack/compute/vm/devices/TpmEncryptedResourceKeyBackend.java

@@ -35,6 +35,11 @@ public interface TpmEncryptedResourceKeyBackend {
      */
     String findKeyProviderNameByTpm(String tpmUuid);
 
+    /**
+     * maybe null (when crypto module is not installed)
+     */
+    Integer findKeyVersionByTpm(String tpmUuid);
+
     /**
      * maybe null (when crypto module is not installed)
      */

conf/springConfigXml/Kvm.xml

@@ -256,6 +256,9 @@
         <zstack:plugin>
             <zstack:extension interface="org.zstack.kvm.KVMStartVmExtensionPoint" />
             <zstack:extension interface="org.zstack.header.vm.PreVmInstantiateResourceExtensionPoint" />
+            <zstack:extension interface="org.zstack.header.vm.VmInstanceMigrateExtensionPoint" />
+            <zstack:extension interface="org.zstack.header.vm.VmAfterExpungeExtensionPoint" />
+            <zstack:extension interface="org.zstack.header.vm.VmStateChangedExtensionPoint" />
         </zstack:plugin>
     </bean>
 

header/src/main/java/org/zstack/header/keyprovider/EncryptedResourceKeyManager.java

@@ -87,6 +87,7 @@ class ResourceKeyResult {
         private String resourceType;
         private String keyProviderUuid;
         private String keyProviderName;
+        private Integer keyVersion;
         private String dekBase64;
         private String secretRef;
         private boolean createdNewKey;
@@ -124,6 +125,14 @@ public void setKeyProviderName(String keyProviderName) {
             this.keyProviderName = keyProviderName;
         }
 
+        public Integer getKeyVersion() {
+            return keyVersion;
+        }
+
+        public void setKeyVersion(Integer keyVersion) {
+            this.keyVersion = keyVersion;
+        }
+
         public String getDekBase64() {
             return dekBase64;
         }

header/src/main/java/org/zstack/header/secret/SecretHostDefineMsg.java

@@ -5,17 +5,17 @@
 import org.zstack.header.message.NeedReplyMessage;
 
 /**
- * Request to define secret on KVM host (for VM e.g. vTPM). Caller provides plaintext DEK (dekBase64).
- * Host seals it with host public key (HPKE) and sends envelope to agent.
- * vmUuid, purpose, providerName are required by key-agent for DEK cache key.
+ * Request to ensure secret on KVM host (for VM e.g. vTPM).
+ * Caller provides plaintext DEK (dekBase64), then host seals it with host public key
+ * and forwards the envelope to key-agent.
  */
 public class SecretHostDefineMsg extends NeedReplyMessage implements HostMessage {
     private String hostUuid;
     @NoLogging
     private String dekBase64;
     private String vmUuid;
     private String purpose;
-    private String providerName;
+    private Integer keyVersion;
     private String description;
 
     @Override
@@ -51,12 +51,12 @@ public void setPurpose(String purpose) {
         this.purpose = purpose;
     }
 
-    public String getProviderName() {
-        return providerName;
+    public Integer getKeyVersion() {
+        return keyVersion;
     }
 
-    public void setProviderName(String providerName) {
-        this.providerName = providerName;
+    public void setKeyVersion(Integer keyVersion) {
+        this.keyVersion = keyVersion;
     }
 
     public String getDescription() {

header/src/main/java/org/zstack/header/secret/SecretHostDeleteMsg.java

@@ -0,0 +1,44 @@
+package org.zstack.header.secret;
+
+import org.zstack.header.host.HostMessage;
+import org.zstack.header.message.NeedReplyMessage;
+
+public class SecretHostDeleteMsg extends NeedReplyMessage implements HostMessage {
+    private String hostUuid;
+    private String vmUuid;
+    private String purpose;
+    private Integer keyVersion;
+
+    @Override
+    public String getHostUuid() {
+        return hostUuid;
+    }
+
+    public void setHostUuid(String hostUuid) {
+        this.hostUuid = hostUuid;
+    }
+
+    public String getVmUuid() {
+        return vmUuid;
+    }
+
+    public void setVmUuid(String vmUuid) {
+        this.vmUuid = vmUuid;
+    }
+
+    public String getPurpose() {
+        return purpose;
+    }
+
+    public void setPurpose(String purpose) {
+        this.purpose = purpose;
+    }
+
+    public Integer getKeyVersion() {
+        return keyVersion;
+    }
+
+    public void setKeyVersion(Integer keyVersion) {
+        this.keyVersion = keyVersion;
+    }
+}

header/src/main/java/org/zstack/header/secret/SecretHostDeleteReply.java

@@ -0,0 +1,7 @@
+package org.zstack.header.secret;
+
+import org.zstack.header.message.MessageReply;
+
+/** Reply for SecretHostDeleteMsg. */
+public class SecretHostDeleteReply extends MessageReply {
+}

header/src/main/java/org/zstack/header/secret/SecretHostGetMsg.java

@@ -0,0 +1,47 @@
+package org.zstack.header.secret;
+
+import org.zstack.header.host.HostMessage;
+import org.zstack.header.message.NeedReplyMessage;
+
+/**
+ * Request to get an existing secret on KVM host by vmUuid, purpose and keyVersion.
+ */
+public class SecretHostGetMsg extends NeedReplyMessage implements HostMessage {
+    private String hostUuid;
+    private String vmUuid;
+    private String purpose;
+    private Integer keyVersion;
+
+    @Override
+    public String getHostUuid() {
+        return hostUuid;
+    }
+
+    public void setHostUuid(String hostUuid) {
+        this.hostUuid = hostUuid;
+    }
+
+    public String getVmUuid() {
+        return vmUuid;
+    }
+
+    public void setVmUuid(String vmUuid) {
+        this.vmUuid = vmUuid;
+    }
+
+    public String getPurpose() {
+        return purpose;
+    }
+
+    public void setPurpose(String purpose) {
+        this.purpose = purpose;
+    }
+
+    public Integer getKeyVersion() {
+        return keyVersion;
+    }
+
+    public void setKeyVersion(Integer keyVersion) {
+        this.keyVersion = keyVersion;
+    }
+}

header/src/main/java/org/zstack/header/secret/SecretHostGetReply.java

@@ -0,0 +1,18 @@
+package org.zstack.header.secret;
+
+import org.zstack.header.message.MessageReply;
+
+/** Reply for SecretHostGetMsg. */
+public class SecretHostGetReply extends MessageReply {
+    public static final String ERROR_CODE_SECRET_NOT_FOUND = "KEY_AGENT_SECRET_NOT_FOUND";
+
+    private String secretUuid;
+
+    public String getSecretUuid() {
+        return secretUuid;
+    }
+
+    public void setSecretUuid(String secretUuid) {
+        this.secretUuid = secretUuid;
+    }
+}

plugin/kvm/src/main/java/org/zstack/kvm/KVMAgentCommands.java

@@ -410,8 +410,9 @@ public static class SecretHostDefineCmd extends AgentCommand {
         private String encryptedDek;
         private String vmUuid;
         private String purpose;
-        private String providerName;
+        private Integer keyVersion;
         private String description;
+        private String usageInstance;
 
         public String getEncryptedDek() {
             return encryptedDek;
@@ -437,12 +438,12 @@ public void setPurpose(String purpose) {
             this.purpose = purpose;
         }
 
-        public String getProviderName() {
-            return providerName;
+        public Integer getKeyVersion() {
+            return keyVersion;
         }
 
-        public void setProviderName(String providerName) {
-            this.providerName = providerName;
+        public void setKeyVersion(Integer keyVersion) {
+            this.keyVersion = keyVersion;
         }
 
         public String getDescription() {
@@ -452,6 +453,14 @@ public String getDescription() {
         public void setDescription(String description) {
             this.description = description;
         }
+
+        public String getUsageInstance() {
+            return usageInstance;
+        }
+
+        public void setUsageInstance(String usageInstance) {
+            this.usageInstance = usageInstance;
+        }
     }
 
     public static class SecretHostDefineResponse extends AgentResponse {
@@ -466,6 +475,99 @@ public void setSecretUuid(String secretUuid) {
         }
     }
 
+    public static class SecretHostGetCmd extends AgentCommand {
+        private String vmUuid;
+        private String purpose;
+        private Integer keyVersion;
+        private String usageInstance;
+
+        public String getVmUuid() {
+            return vmUuid;
+        }
+
+        public void setVmUuid(String vmUuid) {
+            this.vmUuid = vmUuid;
+        }
+
+        public String getPurpose() {
+            return purpose;
+        }
+
+        public void setPurpose(String purpose) {
+            this.purpose = purpose;
+        }
+
+        public Integer getKeyVersion() {
+            return keyVersion;
+        }
+
+        public void setKeyVersion(Integer keyVersion) {
+            this.keyVersion = keyVersion;
+        }
+
+        public String getUsageInstance() {
+            return usageInstance;
+        }
+
+        public void setUsageInstance(String usageInstance) {
+            this.usageInstance = usageInstance;
+        }
+    }
+
+    public static class SecretHostGetResponse extends AgentResponse {
+        private String secretUuid;
+
+        public String getSecretUuid() {
+            return secretUuid;
+        }
+
+        public void setSecretUuid(String secretUuid) {
+            this.secretUuid = secretUuid;
+        }
+    }
+
+    public static class SecretHostDeleteCmd extends AgentCommand {
+        private String vmUuid;
+        private String purpose;
+        private Integer keyVersion;
+        private String usageInstance;
+
+        public String getVmUuid() {
+            return vmUuid;
+        }
+
+        public void setVmUuid(String vmUuid) {
+            this.vmUuid = vmUuid;
+        }
+
+        public String getPurpose() {
+            return purpose;
+        }
+
+        public void setPurpose(String purpose) {
+            this.purpose = purpose;
+        }
+
+        public Integer getKeyVersion() {
+            return keyVersion;
+        }
+
+        public void setKeyVersion(Integer keyVersion) {
+            this.keyVersion = keyVersion;
+        }
+
+        public String getUsageInstance() {
+            return usageInstance;
+        }
+
+        public void setUsageInstance(String usageInstance) {
+            this.usageInstance = usageInstance;
+        }
+    }
+
+    public static class SecretHostDeleteResponse extends AgentResponse {
+    }
+
     public static class PingCmd extends AgentCommand {
         public String hostUuid;
         public Map<String, Object> configs;