[pve-devel] [RFC qemu-server 2/2] fix #3075: add TPM v1.2 and v2.0 support via swtpm

[Stefan Reiter <s.reiter@proxmox.com>]

Starts an instance of swtpm per VM in it's systemd scope, it will
terminate by itself if the VM exits, or be terminated manually if
startup fails.

Before first use, a TPM state is created via swtpm_setup. The state
lives in "/etc/pve/priv/tpm/<vmid>-<version>/".

TPM state is cleared if the 'tpm' config option is removed or the
version changed, effectively clearing any stored keys/data.

Signed-off-by: Stefan Reiter <s.reiter@proxmox.com>
---
 PVE/QemuServer.pm | 134 +++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 133 insertions(+), 1 deletion(-)

diff --git a/PVE/QemuServer.pm b/PVE/QemuServer.pm
index b0fe257..76a25ae 100644
--- a/PVE/QemuServer.pm
+++ b/PVE/QemuServer.pm
@@ -686,6 +686,12 @@ EODESCR
 	description => "Configure a VirtIO-based Random Number Generator.",
 	optional => 1,
     },
+    tpm => {
+	optional => 1,
+	type => 'string',
+	enum => [ qw(v1.2 v2.0) ],
+	description => "Configure an emulated Trusted Platform Module.",
+    },
 };
 
 my $cicustom_fmt = {
@@ -2945,6 +2951,116 @@ sub audio_devs {
     return $devs;
 }
 
+sub get_tpm_paths {
+    my ($vmid, $version) = @_;
+    return {
+	state => "/etc/pve/priv/tpm/$vmid-$version/",
+	socket => "/var/run/qemu-server/$vmid.swtpm",
+	pid => "/var/run/qemu-server/$vmid.swtpm.pid",
+	filename => $version eq "v1.2" ? "tpm-00.permall" : "tpm2-00.permall",
+    };
+}
+
+sub print_tpm_device {
+    my ($vmid, $version) = @_;
+    my $paths = get_tpm_paths($vmid, $version);
+
+    my $devs = [];
+
+    push @$devs, "-chardev", "socket,id=tpmchar,path=$paths->{socket}";
+    push @$devs, "-tpmdev", "emulator,id=tpmdev,chardev=tpmchar";
+    push @$devs, "-device", "tpm-tis,tpmdev=tpmdev";
+
+    return $devs;
+}
+
+sub start_swtpm {
+    my ($vmid, $version, $migration) = @_;
+    my $paths = get_tpm_paths($vmid, $version);
+
+    if ($migration) {
+	# we will get migration state from remote, so remove any pre-existing
+	clear_tpm_states($vmid);
+	File::Path::make_path($paths->{state});
+    } else {
+	# run swtpm_setup to create a new TPM state if it doesn't exist yet
+	if (! -f "$paths->{state}/$paths->{filename}") {
+	    print "Creating new TPM state\n";
+
+	    # swtpm_setup does not like /etc/pve/priv, so create in tempdir
+	    my $tmppath = "/tmp/tpm-$vmid-$$";
+	    File::Path::make_path($tmppath, mode => 0600);
+	    my $setup_cmd = [
+		"swtpm_setup",
+		"--tpmstate",
+		"$tmppath",
+		"--createek",
+		"--create-ek-cert",
+		"--create-platform-cert",
+		"--lock-nvram",
+		"--config",
+		"/etc/swtpm_setup.conf", # do not use XDG configs
+		"--runas",
+		"0", # force creation as root, error if not possible
+	    ];
+
+	    push @$setup_cmd, "--tpm2" if $version eq 'v2.0';
+	    # TPM 2.0 supports ECC crypto, use if possible
+	    push @$setup_cmd, "--ecc" if $version eq 'v2.0';
+
+	    # produces a lot of verbose output, only show on error
+	    my $tpmout = "";
+	    run_command($setup_cmd, outfunc => sub {
+		$tpmout .= $1 . "\n";
+	    });
+
+	    File::Path::make_path($paths->{state});
+	    my $res = File::Copy::move("$tmppath/$paths->{filename}",
+		"$paths->{state}/$paths->{filename}");
+	    File::Path::rmtree($tmppath);
+	    if (!$res) {
+		my $err = $!;
+		File::Path::rmtree($tmppath);
+		print "swtpm_setup reported:\n$tpmout";
+		die "couldn't move TPM state into '$paths->{state}' - $err\n";
+	    }
+	}
+    }
+
+    my $emulator_cmd = [
+	"swtpm",
+	"socket",
+	"--tpmstate",
+	"dir=$paths->{state},mode=0600",
+	"--ctrl",
+	"type=unixio,path=$paths->{socket},mode=0600",
+	"--pid",
+	"file=$paths->{pid}",
+	"--terminate", # terminate on QEMU disconnect
+	"--daemon",
+    ];
+    push @$emulator_cmd, "--tpm2" if $version eq 'v2.0';
+    run_command($emulator_cmd);
+
+    # return untainted PID of swtpm daemon so it can be killed on error
+    file_read_firstline($paths->{pid}) =~ m/(\d+)/;
+    return $1;
+}
+
+# clear any TPM states other than the ones relevant for $version
+sub clear_tpm_states {
+    my ($vmid, $keep_version) = @_;
+
+    my $clear = sub {
+	my ($v) = @_;
+	my $paths = get_tpm_paths($vmid, $v);
+	rmtree $paths->{state};
+    };
+
+    &$clear("v1.2") if !$keep_version || $keep_version ne "v1.2";
+    &$clear("v2.0") if !$keep_version || $keep_version ne "v2.0";
+}
+
 sub vga_conf_has_spice {
     my ($vga) = @_;
 
@@ -3446,6 +3562,11 @@ sub config_to_command {
 	push @$devices, @$audio_devs;
     }
 
+    if (my $tpmver = $conf->{tpm}) {
+	my $tpmdev = print_tpm_device($vmid, $tpmver);
+	push @$devices, @$tpmdev;
+    }
+
     my $sockets = 1;
     $sockets = $conf->{smp} if $conf->{smp}; # old style - no longer iused
     $sockets = $conf->{sockets} if  $conf->{sockets};
@@ -4829,6 +4950,8 @@ sub vmconfig_apply_pending {
 	}
     }
 
+    PVE::QemuServer::clear_tpm_states($vmid, $conf->{tpm});
+
     # write all changes at once to avoid unnecessary i/o
     PVE::QemuConfig->write_config($vmid, $conf);
 }
@@ -5329,8 +5452,17 @@ sub vm_start_nolock {
 	PVE::Tools::run_fork sub {
 	    PVE::Systemd::enter_systemd_scope($vmid, "Proxmox VE VM $vmid", %properties);
 
+	    my $tpmpid;
+	    if (my $tpmver = $conf->{tpm}) {
+		# start the TPM emulator so QEMU can connect on start
+		$tpmpid = start_swtpm($vmid, $tpmver, $migratedfrom);
+	    }
+
 	    my $exitcode = run_command($cmd, %run_params);
-	    die "QEMU exited with code $exitcode\n" if $exitcode;
+	    if ($exitcode) {
+		kill 'TERM', $tpmpid if $tpmpid;
+		die "QEMU exited with code $exitcode\n";
+	    }
 	};
     };
 
-- 
2.30.2