Merge branch 'zsv-ldap@@2' into 'feature-zsv-5.0.0-vm-support-vtpm-and-secuceboot'

<feature>[compute]: prepare DEK on instantiating VM resource

See merge request zstackio/zstack!9381

Author: gitlab

compute/src/main/java/org/zstack/compute/vm/devices/DummyTpmEncryptedResourceKeyBackend.java

@@ -23,6 +23,11 @@ public String findKeyProviderUuidByTpm(String tpmUuid) {
         return null;
     }
 
+    @Override
+    public String findKeyProviderNameByTpm(String tpmUuid) {
+        return null;
+    }
+
     @Override
     public void cloneEncryptedResourceKey(CloneEncryptedResourceKeyContext context, Completion completion) {
         // do nothing

compute/src/main/java/org/zstack/compute/vm/devices/TpmEncryptedResourceKeyBackend.java

@@ -25,6 +25,11 @@ public interface TpmEncryptedResourceKeyBackend {
      */
     String findKeyProviderUuidByTpm(String tpmUuid);
 
+    /**
+     * maybe null (when crypto module is not installed)
+     */
+    String findKeyProviderNameByTpm(String tpmUuid);
+
     static class CloneEncryptedResourceKeyContext {
         public String srcTpmUuid;
         public String dstTpmUuid;

compute/src/main/java/org/zstack/compute/vm/devices/VmTpmExtensions.java

@@ -99,13 +99,22 @@ public void afterBuildVmSpec(VmInstanceSpec spec) {
             spec.setNvRamSpec(nvRamSpec);
         }
 
-        if (tpmUuid != null && (spec.getDevicesSpec() == null || spec.getDevicesSpec().getTpm() == null)) {
-            VmDevicesSpec devicesSpec = spec.getDevicesSpec() == null ? new VmDevicesSpec() : spec.getDevicesSpec();
-            spec.setDevicesSpec(devicesSpec);
+        if (tpmUuid != null) {
+            VmDevicesSpec devicesSpec = spec.getDevicesSpec();
+            if (devicesSpec == null) {
+                devicesSpec = new VmDevicesSpec();
+                spec.setDevicesSpec(devicesSpec);
+            }
+
+            TpmSpec tpmSpec = devicesSpec.getTpm();
+            if (tpmSpec == null) {
+                tpmSpec = new TpmSpec();
+                devicesSpec.setTpm(tpmSpec);
+            }
 
-            devicesSpec.setTpm(new TpmSpec());
-            devicesSpec.getTpm().setEnable(true);
-            devicesSpec.getTpm().setKeyProviderUuid(resourceKeyBackend.findKeyProviderUuidByTpm(tpmUuid));
+            tpmSpec.setEnable(true);
+            tpmSpec.setTpmUuid(tpmUuid);
+            tpmSpec.setKeyProviderUuid(resourceKeyBackend.findKeyProviderUuidByTpm(tpmUuid));
         }
     }
 }

header/src/main/java/org/zstack/header/tpm/entity/TpmSpec.java

@@ -1,10 +1,14 @@
 package org.zstack.header.tpm.entity;
 
+import org.zstack.header.rest.APINoSee;
 import org.zstack.utils.StringDSL;
 
 public class TpmSpec {
     private boolean enable = true;
+    private String tpmUuid;
     private String keyProviderUuid;
+    @APINoSee
+    private String secretUuid;
 
     public boolean isEnable() {
         return enable;
@@ -14,6 +18,14 @@ public void setEnable(boolean enable) {
         this.enable = enable;
     }
 
+    public String getTpmUuid() {
+        return tpmUuid;
+    }
+
+    public void setTpmUuid(String tpmUuid) {
+        this.tpmUuid = tpmUuid;
+    }
+
     public String getKeyProviderUuid() {
         return keyProviderUuid;
     }
@@ -22,6 +34,14 @@ public void setKeyProviderUuid(String keyProviderUuid) {
         this.keyProviderUuid = keyProviderUuid;
     }
 
+    public String getSecretUuid() {
+        return secretUuid;
+    }
+
+    public void setSecretUuid(String secretUuid) {
+        this.secretUuid = secretUuid;
+    }
+
     public static TpmSpec __example__() {
         TpmSpec tpm = new TpmSpec();
         tpm.setKeyProviderUuid(StringDSL.createFixedUuid("keyProviderUuid"));

plugin/kvm/src/main/java/org/zstack/kvm/tpm/KvmTpmExtensions.java

@@ -1,12 +1,24 @@
 package org.zstack.kvm.tpm;
 
 import org.springframework.beans.factory.annotation.Autowired;
+import org.zstack.compute.vm.devices.TpmEncryptedResourceKeyBackend;
 import org.zstack.core.Platform;
+import org.zstack.core.cloudbus.CloudBus;
+import org.zstack.core.cloudbus.CloudBusCallBack;
 import org.zstack.core.db.DatabaseFacade;
 import org.zstack.core.db.Q;
 import org.zstack.core.db.SQL;
+import org.zstack.core.workflow.SimpleFlowChain;
 import org.zstack.header.core.Completion;
+import org.zstack.header.core.workflow.FlowDoneHandler;
+import org.zstack.header.core.workflow.FlowErrorHandler;
+import org.zstack.header.core.workflow.FlowTrigger;
+import org.zstack.header.core.workflow.NoRollbackFlow;
 import org.zstack.header.errorcode.ErrorCode;
+import org.zstack.header.host.HostConstant;
+import org.zstack.header.message.MessageReply;
+import org.zstack.header.secret.SecretHostDefineMsg;
+import org.zstack.header.secret.SecretHostDefineReply;
 import org.zstack.header.vm.PreVmInstantiateResourceExtensionPoint;
 import org.zstack.header.vm.VmInstanceSpec;
 import org.zstack.header.vm.VmInstantiateResourceException;
@@ -24,6 +36,7 @@
 
 import java.sql.Timestamp;
 import java.time.Instant;
+import java.util.Map;
 
 import static org.zstack.kvm.KVMConstant.*;
 
@@ -35,6 +48,10 @@ public class KvmTpmExtensions implements KVMStartVmExtensionPoint,
     private KvmSecureBootExtensions secureBootExtensions;
     @Autowired
     private DatabaseFacade databaseFacade;
+    @Autowired
+    private TpmEncryptedResourceKeyBackend resourceKeyBackend;
+    @Autowired
+    private CloudBus bus;
 
     private final Object hostFileLock = new Object();
 
@@ -47,6 +64,7 @@ public void beforeStartVmOnKvm(KVMHostInventory host, VmInstanceSpec spec, KVMAg
 
         TpmTO tpm = new TpmTO();
         tpm.setKeyProviderUuid(devicesSpec.getTpm().getKeyProviderUuid());
+        tpm.setSecretUuid(devicesSpec.getTpm().getSecretUuid());
         tpm.setInstallPath(buildTpmStateFilePath(cmd.getVmInstanceUuid()));
         cmd.setTpm(tpm);
 
@@ -91,34 +109,119 @@ public void preBeforeInstantiateVmResource(VmInstanceSpec spec) throws VmInstant
         // do-nothing
     }
 
-    @Override
-    public void preInstantiateVmResource(VmInstanceSpec spec, Completion completion) {
-        prepareTpmStateHostFileOnHost(spec, completion);
-    }
-
-    static class PrepareTpmStateHostFileContext {
+    static class PreInstantiateVmResourceContext {
         String hostUuid;
         String vmUuid;
-
-        // whether the NvRam is on the same host as before
-        boolean sameHost = false;
-        VmHostFileVO tpmStateFile;
+        String tpmUuid;
+        String providerName;
+        String dekBase64; // secret key
     }
 
-    private void prepareTpmStateHostFileOnHost(VmInstanceSpec spec, Completion completion) {
+    @Override
+    @SuppressWarnings("rawtypes")
+    public void preInstantiateVmResource(VmInstanceSpec spec, Completion completion) {
         final VmDevicesSpec devicesSpec = spec.getDevicesSpec();
         if (devicesSpec == null || devicesSpec.getTpm() == null || !devicesSpec.getTpm().isEnable()) {
             completion.success();
             return;
         }
 
-        PrepareHostFileContext context = new PrepareHostFileContext();
+        PreInstantiateVmResourceContext context = new PreInstantiateVmResourceContext();
         context.hostUuid = spec.getDestHost().getUuid();
         context.vmUuid = spec.getVmInventory().getUuid();
-        context.type = VmHostFileType.TpmState;
-        secureBootExtensions.prepareHostFileOnHost(context, completion);
+        context.tpmUuid = spec.getDevicesSpec().getTpm().getTpmUuid();
+        context.providerName = resourceKeyBackend.findKeyProviderNameByTpm(context.tpmUuid);
+
+        final SimpleFlowChain chain = new SimpleFlowChain();
+        chain.setName("prepare-tpm-resources-for-vm-" + spec.getVmInventory().getUuid());
+        chain.then(new NoRollbackFlow() {
+            String __name__ = "prepare-tpm-state-file-on-host";
+
+            @Override
+            public void run(FlowTrigger trigger, Map data) {
+                PrepareHostFileContext innerContext = new PrepareHostFileContext();
+                innerContext.hostUuid = context.hostUuid;
+                innerContext.vmUuid = context.vmUuid;
+                innerContext.type = VmHostFileType.TpmState;
+                secureBootExtensions.prepareHostFileOnHost(innerContext, new Completion(trigger) {
+                    @Override
+                    public void success() {
+                        trigger.next();
+                    }
+
+                    @Override
+                    public void fail(ErrorCode errorCode) {
+                        trigger.fail(errorCode);
+                    }
+                });
+            }
+        }).then(new NoRollbackFlow() {
+            String __name__ = "create-dek";
+
+            @Override
+            public boolean skip(Map data) {
+                return context.providerName == null;
+            }
+
+            @Override
+            public void run(FlowTrigger trigger, Map data) {
+                // TODO create DEK
+                context.dekBase64 = Platform.getUuid();
+                trigger.next();
+            }
+        }).then(new NoRollbackFlow() {
+            String __name__ = "define-secret-on-host";
+
+            @Override
+            public boolean skip(Map data) {
+                logger.warn("This is for test only, and coming soon"); // TODO
+                return true;
+            }
+
+            @Override
+            public void run(FlowTrigger trigger, Map data) {
+                SecretHostDefineMsg innerMsg = new SecretHostDefineMsg();
+                innerMsg.setHostUuid(context.hostUuid);
+                innerMsg.setVmUuid(context.vmUuid);
+                innerMsg.setDekBase64(context.dekBase64);
+                innerMsg.setPurpose("vtpm");
+                innerMsg.setProviderName(context.providerName);
+                innerMsg.setDescription("Define secret for VM " + context.vmUuid);
+                bus.makeTargetServiceIdByResourceUuid(innerMsg, HostConstant.SERVICE_ID, innerMsg.getHostUuid());
+                bus.send(innerMsg, new CloudBusCallBack(trigger) {
+                    @Override
+                    public void run(MessageReply reply) {
+                        if (reply.isSuccess()) {
+                            SecretHostDefineReply r = reply.castReply();
+                            spec.getDevicesSpec().getTpm().setSecretUuid(r.getSecretUuid());
+                            trigger.next();
+                        } else {
+                            trigger.fail(reply.getError());
+                        }
+                    }
+                });
+            }
+        }).done(new FlowDoneHandler(completion) {
+            @Override
+            public void handle(Map data) {
+                completion.success();
+            }
+        }).error(new FlowErrorHandler(completion) {
+            @Override
+            public void handle(ErrorCode errCode, Map data) {
+                completion.fail(errCode);
+            }
+        }).start();
     }
 
+    static class PrepareTpmStateHostFileContext {
+        String hostUuid;
+        String vmUuid;
+
+        // whether the NvRam is on the same host as before
+        boolean sameHost = false;
+        VmHostFileVO tpmStateFile;
+    }
 
     @Override
     public void preReleaseVmResource(VmInstanceSpec spec, Completion completion) {

plugin/kvm/src/main/java/org/zstack/kvm/tpm/TpmTO.java

@@ -4,6 +4,7 @@
 
 public class TpmTO implements Serializable {
     private String keyProviderUuid;
+    private String secretUuid;
     private String installPath;
 
     public String getKeyProviderUuid() {
@@ -14,6 +15,14 @@ public void setKeyProviderUuid(String keyProviderUuid) {
         this.keyProviderUuid = keyProviderUuid;
     }
 
+    public String getSecretUuid() {
+        return secretUuid;
+    }
+
+    public void setSecretUuid(String secretUuid) {
+        this.secretUuid = secretUuid;
+    }
+
     public String getInstallPath() {
         return installPath;
     }