Add spec for emulated TPM support
Add the specification for emulated TPM support for OpenStack Charms. Change-Id: I95891c8b902cf8108160d75d1aadd038e51c479e
This commit is contained in:
Billy Olsen
parent
f8efd21030
commit
a2afd457f0
|
|
@ -0,0 +1,241 @@
|
|||
..
|
||||
Copyright 2022 Canonical Ltd.
|
||||
|
||||
This work is licensed under a Creative Commons Attribution 3.0
|
||||
Unported License.
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
..
|
||||
|
||||
======================
|
||||
Virtual TPM Enablement
|
||||
======================
|
||||
|
||||
Increasingly, applications and Operating Systems are using TPM devices to
|
||||
store secrets. In order to run these application in a virtual machine, it
|
||||
is necessary to be able to expose a virtual TPM device within the guest.
|
||||
|
||||
Problem Description
|
||||
===================
|
||||
|
||||
Guests requiring access to TPMs for secret storage are unable to do so in an
|
||||
OpenStack Charms deployed cloud.
|
||||
|
||||
Proposed Change
|
||||
===============
|
||||
|
||||
Nova is able to provide virtual TPM devices to guests starting in the Victoria
|
||||
release [1]_, [2]_. TPM devices are provided to libvirt/qemu guests via the
|
||||
swtpm library.
|
||||
|
||||
The ``nova-compute`` charm should be able to install and configure the
|
||||
necessary libraries for providing emulated TPM devices. It will do so by
|
||||
default for new installations and installations that upgrade to a version of
|
||||
the ``nova-compute`` charm which has the feature set enabled. This will cause
|
||||
the nova-compute service on the local machine to report that it has the
|
||||
``COMPUTE_SECURITY_TPM_1_2`` and ``COMPUTE_SECURITY_TPM_2_0`` traits.
|
||||
|
||||
While the compute nodes will report that they have the necessary traits, new
|
||||
instances will not have TPM devices attached unless the flavor and/or image has
|
||||
the appropriate properties configured. It is considered an administrative
|
||||
decision to determine which images or flavors should have TPM devices enabled
|
||||
and is out of scope for this implementation.
|
||||
|
||||
The above also makes it generally safe to enable by default for users who
|
||||
upgrade their charms to a version that has this capability enabled. While it
|
||||
may be safe to enable by default, a configuration option will be provided to
|
||||
disable it.
|
||||
|
||||
Charm Configuration Options
|
||||
---------------------------
|
||||
|
||||
The following configuration options will be available on the ``nova-compute``
|
||||
charm:
|
||||
|
||||
* A new config option will be introduced in order to enable or disable vTPM
|
||||
support::
|
||||
|
||||
enable-vtpm:
|
||||
type: boolean
|
||||
default: True
|
||||
description: |
|
||||
Enable emulated Trusted Platform Module support on the hypervisors.
|
||||
A key manager, e.g. Barbican, is a required service for this
|
||||
capability to be enabled.
|
||||
|
||||
|
||||
Configuration Files
|
||||
-------------------
|
||||
|
||||
The swtpm package in Ubuntu does not use the tss/tss user/group that is the
|
||||
default for qemu, nova, etc. Instead, the swtpm package configures the
|
||||
user/group as swtpm/swtpm as the swtpm user does not need the same level of
|
||||
permissions that the existing tss user has. This requires some additional
|
||||
changes to configuration files.
|
||||
|
||||
Enabling virtual TPM support using OpenStack charms will require the following
|
||||
configuration files to be updated:
|
||||
|
||||
* */etc/libvirt/qemu.conf* - the `swtpm_user` and `swtpm_group` values need to
|
||||
be set to the same users that the swtpm software package expects. This will
|
||||
cause the qemu configuration file to look as follows::
|
||||
|
||||
##########################################################################
|
||||
# [ WARNING ]
|
||||
# Configuration file maintained by Juju. Local changes may be overwritten.
|
||||
##########################################################################
|
||||
|
||||
# File installed by Juju nova-compute charm
|
||||
cgroup_device_acl = [
|
||||
"/dev/null", "/dev/full", "/dev/zero",
|
||||
"/dev/random", "/dev/urandom",
|
||||
"/dev/ptmx", "/dev/kvm", "/dev/kqemu",
|
||||
"/dev/rtc", "/dev/hpet", "/dev/net/tun",
|
||||
"/dev/vfio/vfio",
|
||||
]
|
||||
|
||||
swtpm_user = "swtpm"
|
||||
swtpm_group = "swtpm"
|
||||
|
||||
* */etc/nova/nova-compute.conf* - similar to the qemu config changes, the
|
||||
nova services need to specify which user and group should be configured in
|
||||
libvirt for qemu instances. It will also have the global flag for enabled
|
||||
or not enabled::
|
||||
|
||||
##########################################################################
|
||||
# [ WARNING ]
|
||||
# Configuration file maintained by Juju. Local changes may be overwritten.
|
||||
##########################################################################
|
||||
[DEFAULT]
|
||||
compute_driver=libvirt.LibvirtDriver
|
||||
swtpm_enabled=True
|
||||
swtpm_user=swtpm
|
||||
swtpm_group=swtpm
|
||||
|
||||
|
||||
Non-Charm Configuration
|
||||
-----------------------
|
||||
|
||||
Enabling vTPM support in the nova compute charm will cause the nova hypervisor
|
||||
to report the ``COMPUTE_SECURITY_TPM_1_2`` and ``COMPUTE_SECURITY_2_0``
|
||||
traits to the placement service. Additional steps need to be taken by the
|
||||
cloud operator/administrator in order to make this feature available to guests
|
||||
by configuring the appropriate properties on images or flavors.
|
||||
|
||||
Nova uses information from the extra specs configured on the flavor or
|
||||
properties set on an image in order to determine whether or not to add a vTPM
|
||||
device. As such, the hypervisor may be configured to have the necessary
|
||||
traits exposed to allow for a vTPM device, but the device will not be
|
||||
provisioned for a guest unless the operator appropriately configures the
|
||||
images and/or flavors.
|
||||
|
||||
Refer to the Nova documentation [2]_ for the specific extra specs and
|
||||
properties that need to be set to provide vTPM devices to guests.
|
||||
|
||||
Barbican
|
||||
--------
|
||||
|
||||
The swtpm library which provides emulated TPM devices encrypts secrets
|
||||
locally in files on the file system. Nova uses the Barbican key manager
|
||||
service for secret storage, which is already available as a charmed
|
||||
application.
|
||||
|
||||
Conveniently, the default configuration for Nova will use the barbican
|
||||
services from the keystone catalog to store the necessary secrets. These
|
||||
secrets are scoped per project and the interactions with the secret store will
|
||||
happen with appropriate context of the user. As such, there's no additional
|
||||
information that the ``nova-compute`` charm requires in order to configure
|
||||
the nova compute services so additional relations are unnecessary.
|
||||
|
||||
OpenStack Versions
|
||||
------------------
|
||||
|
||||
This feature will be enabled for Wallaby and newer OpenStack releases.
|
||||
|
||||
Operating System Versions
|
||||
-------------------------
|
||||
|
||||
This feature will be enabled for Ubuntu 20.04 (focal) and Ubuntu 22.04 (jammy).
|
||||
|
||||
Juju Version Dependencies
|
||||
-------------------------
|
||||
|
||||
This feature has no dependency on Juju versions.
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
This is an optional section, where it does apply we'd just like a demonstration
|
||||
that some thought has been put into why the proposed approach is the best one.
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
Primary assignee:
|
||||
billy-olsen
|
||||
|
||||
Gerrit Topic
|
||||
------------
|
||||
|
||||
Use Gerrit topic "charm-vtpm" for all patches related to this spec.
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
git-review -t charm-vtpm
|
||||
|
||||
Work Items
|
||||
----------
|
||||
|
||||
- Add configuration changes to nova-compute charm
|
||||
- Add functional tests to zaza-openstack-tests
|
||||
- Provide user documentation around enabling the feature and how to use
|
||||
|
||||
Repositories
|
||||
------------
|
||||
|
||||
No new repositories are required for this work.
|
||||
|
||||
Documentation
|
||||
-------------
|
||||
|
||||
As part of this effort, the following documentation will need to be updated:
|
||||
|
||||
- Charm Deployment Guide
|
||||
- Charm Readme
|
||||
- Charm Guide
|
||||
- Release Notes
|
||||
|
||||
Security
|
||||
--------
|
||||
|
||||
The changes required in the charm do not introduce any security implications
|
||||
above and beyond what is outlined in the Nova specification for enabling
|
||||
emulated vTPM devices [1]_.
|
||||
|
||||
Testing
|
||||
-------
|
||||
|
||||
Unit tests and functional tests will be implemented for this feature. The
|
||||
functional tests will validate the various TPM device configurations and
|
||||
validate that the TPM device is available within the guest.
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
* Nova Wallaby version or greater.
|
||||
|
||||
* swtpm TPM emulator [3]_ [4]_
|
||||
|
||||
* Focal-Wallaby support depends on swtpm package being backported to either
|
||||
the Wallaby Ubuntu Cloud Archive or Focal. Ubuntu developers have indicated
|
||||
a willingness to backport swtpm to Focal.
|
||||
|
||||
|
||||
|
||||
.. [1] https://specs.openstack.org/openstack/nova-specs/specs/victoria/implemented/add-emulated-virtual-tpm.html
|
||||
.. [2] https://docs.openstack.org/nova/latest/admin/emulated-tpm.html
|
||||
.. [3] https://bugs.launchpad.net/ubuntu/+source/swtpm/+bug/1948748
|
||||
.. [4] https://github.com/stefanberger/swtpm
|
||||
Loading…
Reference in New Issue