-
Notifications
You must be signed in to change notification settings - Fork 2.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add vTPM support for Linux #1591
Conversation
This is a continuation of the PR #1082 that cannot be reopened anymore. |
Thanks for reopening. |
@@ -320,6 +320,13 @@ type LinuxNetwork struct { | |||
Priorities []LinuxInterfacePriority `json:"priorities,omitempty"` | |||
} | |||
|
|||
// VTPM definition | |||
type VTPM struct { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@crosbymichael How do you feel about including changes to vendor/
?
@stefanberger Is there a runtime-spec PR open about this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@cyphar I opened opencontainers/runtime-spec#920 for vTPM support
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What's current status of opencontainers/runtime-spec#920 ?
cc @vbatts
ca2dcb4
to
59daf73
Compare
are you working on this still @stefanberger ? I don't have reviewer access, but from what I have looked at, the patch looks in good shape. |
Seems there are merge conflicts here. Anybody working on this still? |
64e9c4c
to
23b636d
Compare
I rebased this on the latest master and am now creating the vTPM devices at higher layer in |
756521d
to
2a798ce
Compare
This now works right out of the box with a recent kernel on Fedora 31. The kernel-modules-extra package for Install the packages: Create a spec: Add the following modifications to the spec in
Run a container:
|
58eae95
to
a548859
Compare
I just extended the series with patches for running the TPM emulator |
1cb507d
to
98f315b
Compare
Running
|
b7e7aa7
to
d8f8e71
Compare
defer vtpmx.Close() | ||
|
||
if err := ioctl(uintptr(vtpmx.Fd()), cmd, msg); err != nil { | ||
return fmt.Errorf("VTPM: vtpmx ioctl failed: %v", err) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
errors.Wrap
Seems we need to wait to see how opencontainers/runtime-spec#920 will settle |
d34a3bb
to
8fa2643
Compare
Remove whitespace at EOL Signed-off-by: Kir Kolyshkin <[email protected]>
1. When using `runc`, we should check `$status` and not `$?`. 2. Before exit code check, let's (try to) show errors from CRIU log. Signed-off-by: Kir Kolyshkin <[email protected]>
Signed-off-by: Mrunal Patel <[email protected]>
Signed-off-by: Mrunal Patel <[email protected]>
full diff: cilium/ebpf@a9f01ed...1c8d4c9 drops support for go1.12, and removes dependency on the golang.org/x/xerrors transitional package. Signed-off-by: Sebastiaan van Stijn <[email protected]>
ab0db75
to
b8c570c
Compare
Signed-off-by: Stefan Berger <[email protected]>
This patch adds vTPM support for Linux to libcontainer. The functionality is based on a recently added vtpm_proxy driver, which is becoming available in Linux 4.8. The driver provides /dev/vtpmx, on which an ioctl is called that spawns a TPM device in the host's /dev directory and returns an anonymous file-descriptor on which a TPM emulator can listen for TPM commands. If we for example created /dev/tpm12 on the host we make this device available as /dev/tpm0 inside the container. We also add its major and minor numbers to the device cgroup. We implement a VTPM class that allows us to create the device and starts a TPM emulator 'swtpm', to which it passes the anonymous file descriptor. Besides that, the user can choose to have the vTPM create certificates in a step that simulates TPM manufacturing. We do this by calling the external swtpm_setup program, which is part of the swtpm project. VTPM support is added inside the JSON configuration as follows: [...] "linux": { "resources": { "devices": [ { "allow": false, "access": "rwm" } ] , "vtpms": [ { "statePath": "/tmp/tpm-1", "createCerts": true }, ] }, [...] This JSON markup makes a single TPM available inside the created container. o The statPath parameter indicates the directory where the TPM emulator 'swtpm' writes the state of the TPM device to. o The createCerts parameter indicates that certificates for the TPM are to be created. The current implementation does not support checkpointing, so checkpointing of a container with an attached vTPM is prevented. The swtpm project is available here : https://github.com/stefanberger/swtpm The libtpms project is available here: https://github.com/stefanberger/libtpms Signed-off-by: Stefan Berger <[email protected]>
We need to implement ApplyProfileThread() to apply a profile via /proc/self-thread/attr/exec rather than /proc/self/attr/exec otherwise we get (~50%) failures trying to write the profile to /proc/self/attr/exec. When using self-thread we get 100% success. Signed-off-by: Stefan Berger <[email protected]>
Create an AppArmor profile and apply it so that swtpm runs with an AppArmor profile. Signed-off-by: Stefan Berger <[email protected]>
On systems supporting SELinux run swtpm with an SELinux label applied. Also label the required files in the state directory. Signed-off-by: Stefan Berger <[email protected]>
Add test cases for testing TPM 1.2 and TPM 2 by creating, stopping, restarting, and destroying it. Signed-off-by: Stefan Berger <[email protected]>
Call 'swtpm chardev --print-capabilities' to get the supported capabilites from swtpm. An JSON object is printed by swtpm that we unmarshal and we pick the 'features' part from it that is an array of strings indicating what this version of swtpm supports. This option was added in v0.2. For older versions of swtpm we return an empty array. Signed-off-by: Stefan Berger <[email protected]>
We need to startup the TPM as part of starting swtpm so that the Linux driver can successfully send its initial command to the vTPM and does not log a failure and then do the startup itself. Signed-off-by: Stefan Berger <[email protected]>
This patch adds support for encrypting the vTPM state by allowing a user to pass a password to swtpm_setup and swtpm. Signed-off-by: Stefan Berger <[email protected]>
Add /sys/devices/virtual/tpm to the mask paths to avoid isolation issues via sysfs for TPM 1.2 Signed-off-by: Stefan Berger <[email protected]>
Put vTPMs into a container's cgroup to limit their CPU usage. Signed-off-by: Stefan Berger <[email protected]>
@stefanberger are you still working on this PR? |
Since opencontainers/runtime-spec#920 is closed, we should close this one as well. |
This patch series adds vTPM support for Linux to libcontainer.
The functionality is based on a recently added vtpm_proxy driver, which is becoming
available in Linux 4.8. The driver provides /dev/vtpmx, on which an ioctl is called
that spawns a TPM device in the host's /dev directory and returns an anonymous file-
descriptor on which a TPM emulator can listen for TPM commands. If we for example
created /dev/tpm12 on the host we make this device available as /dev/tpm0 inside the
container. We also add its major and minor numbers to the device cgroup.
We implement a VTPM class that allows us to create the device and starts a TPM
emulator 'swtpm', to which it passes the anonymous file descriptor.
Besides that, the user can choose to have the vTPM create certificates in a step
that simulates TPM manufacturing. We do this by calling the external swtpm_setup
program, which is part of the swtpm project.
VTPM support is added inside the JSON configuration as follows:
This JSON markup makes a single TPM available inside the created container.
o The statPath parameter indicates the directory where the TPM emulator 'swtpm'
writes the state of the TPM device to.
o The createCerts parameter indicates that certificates for the TPM are
to be created.
The swtpm project is available here : https://github.com/stefanberger/swtpm
The libtpms project is available here: https://github.com/stefanberger/libtpms
Signed-off-by: Stefan Berger [email protected]