Merge branch 'ZSV-11489@@2' into 'feature-zsv-5.0.0-vm-support-vtpm-and-secuceboot'

<feature>[keyprovider]: Add DEK provisioning for TPM

See merge request zstackio/zstack!9431

Author: gitlab

compute/src/main/java/org/zstack/compute/vm/devices/DummyEncryptedResourceKeyManager.java

@@ -0,0 +1,26 @@
+package org.zstack.compute.vm.devices;
+
+import org.zstack.header.keyprovider.EncryptedResourceKeyManager;
+import org.zstack.header.core.Completion;
+import org.zstack.header.core.ReturnValueCompletion;
+import org.zstack.utils.Utils;
+import org.zstack.utils.logging.CLogger;
+
+import static org.zstack.core.Platform.operr;
+
+public class DummyEncryptedResourceKeyManager implements EncryptedResourceKeyManager {
+    private static final CLogger logger = Utils.getLogger(DummyEncryptedResourceKeyManager.class);
+
+    @Override
+    public void getOrCreateKey(GetOrCreateResourceKeyContext ctx,
+                               ReturnValueCompletion<ResourceKeyResult> completion) {
+        logger.warn(String.format("crypto module not installed, cannot create resource key for %s[uuid:%s]",
+                ctx.getResourceType(), ctx.getResourceUuid()));
+        completion.fail(operr("crypto module is not installed, cannot manage resource encryption keys"));
+    }
+
+    @Override
+    public void rollbackCreatedKey(ResourceKeyResult result, Completion completion) {
+        completion.success();
+    }
+}

compute/src/main/java/org/zstack/compute/vm/devices/VmTpmExtensions.java

@@ -114,7 +114,6 @@ public void afterBuildVmSpec(VmInstanceSpec spec) {
 
             tpmSpec.setEnable(true);
             tpmSpec.setTpmUuid(tpmUuid);
-            tpmSpec.setKeyProviderUuid(resourceKeyBackend.findKeyProviderUuidByTpm(tpmUuid));
         }
     }
 }

conf/springConfigXml/VmInstanceManager.xml

@@ -297,4 +297,5 @@
     </bean>
 
     <bean id="DummyTpmEncryptedResourceKeyBackend" class="org.zstack.compute.vm.devices.DummyTpmEncryptedResourceKeyBackend"/>
+    <bean id="DummyEncryptedResourceKeyManager" class="org.zstack.compute.vm.devices.DummyEncryptedResourceKeyManager"/>
 </beans>

header/src/main/java/org/zstack/header/keyprovider/EncryptedResourceKeyManager.java

@@ -0,0 +1,150 @@
+package org.zstack.header.keyprovider;
+
+import org.zstack.header.core.ReturnValueCompletion;
+import org.zstack.header.core.Completion;
+
+/**
+ * Unified resource key management service.
+ * Business layers (TPM, volume encryption, etc.) call this to create/retrieve DEKs
+ * without knowing gRPC/key-tools protocol details.
+ */
+public interface EncryptedResourceKeyManager {
+
+    /**
+     * Get or create a resource encryption key.
+     * <p>
+     * Semantically reuses the existing key record for the same {@code (resourceType, resourceUuid)}
+     * when one is already available; otherwise creates a new one and returns the plaintext DEK.
+     * <p>
+     * This contract does not guarantee concurrent linearizability by itself. Callers must not assume
+     * the interface alone provides serialization, uniqueness enforcement, or transaction-level protection
+     * across concurrent create requests.
+     *
+     * @param ctx        context describing the resource and key provider
+     * @param completion returns {@link ResourceKeyResult} containing the plaintext DEK (base64)
+     */
+    void getOrCreateKey(GetOrCreateResourceKeyContext ctx,
+                        ReturnValueCompletion<ResourceKeyResult> completion);
+
+    /**
+     * Roll back a newly created resource key during upper-layer workflow rollback.
+     * <p>
+     * If the key record already existed before creation, implementation should restore it
+     * to its previous empty-placeholder state instead of deleting the relationship.
+     */
+    void rollbackCreatedKey(ResourceKeyResult result, Completion completion);
+
+    class GetOrCreateResourceKeyContext {
+        private String resourceUuid;
+        private String resourceType;
+        private String keyProviderUuid;
+        private String purpose;
+
+        public String getResourceUuid() {
+            return resourceUuid;
+        }
+
+        public void setResourceUuid(String resourceUuid) {
+            this.resourceUuid = resourceUuid;
+        }
+
+        public String getResourceType() {
+            return resourceType;
+        }
+
+        public void setResourceType(String resourceType) {
+            this.resourceType = resourceType;
+        }
+
+        public String getKeyProviderUuid() {
+            return keyProviderUuid;
+        }
+
+        public void setKeyProviderUuid(String keyProviderUuid) {
+            this.keyProviderUuid = keyProviderUuid;
+        }
+
+        public String getPurpose() {
+            return purpose;
+        }
+
+        public void setPurpose(String purpose) {
+            this.purpose = purpose;
+        }
+    }
+
+    class ResourceKeyResult {
+        private String resourceUuid;
+        private String resourceType;
+        private String keyProviderUuid;
+        private String keyProviderName;
+        private String dekBase64;
+        private String secretRef;
+        private boolean createdNewKey;
+        private boolean refExistedBeforeCreate;
+
+        public String getResourceUuid() {
+            return resourceUuid;
+        }
+
+        public void setResourceUuid(String resourceUuid) {
+            this.resourceUuid = resourceUuid;
+        }
+
+        public String getResourceType() {
+            return resourceType;
+        }
+
+        public void setResourceType(String resourceType) {
+            this.resourceType = resourceType;
+        }
+
+        public String getKeyProviderUuid() {
+            return keyProviderUuid;
+        }
+
+        public void setKeyProviderUuid(String keyProviderUuid) {
+            this.keyProviderUuid = keyProviderUuid;
+        }
+
+        public String getKeyProviderName() {
+            return keyProviderName;
+        }
+
+        public void setKeyProviderName(String keyProviderName) {
+            this.keyProviderName = keyProviderName;
+        }
+
+        public String getDekBase64() {
+            return dekBase64;
+        }
+
+        public void setDekBase64(String dekBase64) {
+            this.dekBase64 = dekBase64;
+        }
+
+        public String getSecretRef() {
+            return secretRef;
+        }
+
+        public void setSecretRef(String secretRef) {
+            this.secretRef = secretRef;
+        }
+
+        public boolean isCreatedNewKey() {
+            return createdNewKey;
+        }
+
+        public void setCreatedNewKey(boolean createdNewKey) {
+            this.createdNewKey = createdNewKey;
+        }
+
+        public boolean isRefExistedBeforeCreate() {
+            return refExistedBeforeCreate;
+        }
+
+        public void setRefExistedBeforeCreate(boolean refExistedBeforeCreate) {
+            this.refExistedBeforeCreate = refExistedBeforeCreate;
+        }
+    }
+}

header/src/main/java/org/zstack/header/tpm/entity/TpmSpec.java

@@ -9,6 +9,10 @@ public class TpmSpec {
     private String keyProviderUuid;
     @APINoSee
     private String secretUuid;
+    @APINoSee
+    private boolean resourceKeyCreatedNew;
+    @APINoSee
+    private String resourceKeyProviderUuid;
 
     public boolean isEnable() {
         return enable;
@@ -42,6 +46,22 @@ public void setSecretUuid(String secretUuid) {
         this.secretUuid = secretUuid;
     }
 
+    public boolean isResourceKeyCreatedNew() {
+        return resourceKeyCreatedNew;
+    }
+
+    public void setResourceKeyCreatedNew(boolean resourceKeyCreatedNew) {
+        this.resourceKeyCreatedNew = resourceKeyCreatedNew;
+    }
+
+    public String getResourceKeyProviderUuid() {
+        return resourceKeyProviderUuid;
+    }
+
+    public void setResourceKeyProviderUuid(String resourceKeyProviderUuid) {
+        this.resourceKeyProviderUuid = resourceKeyProviderUuid;
+    }
+
     public static TpmSpec __example__() {
         TpmSpec tpm = new TpmSpec();
         tpm.setKeyProviderUuid(StringDSL.createFixedUuid("keyProviderUuid"));