TPM: Break dependency on underhill_confidentiality (#1884)

smalis-msft · web-flow · commit 2c51618b9b6a · 2025-08-19T13:07:05.000-07:00
underhill_confidentiality is an openhcl-specific crate, and should not
be depended on by a generic device. The TPM slipped this by. Fix it by
passing in the needed info at construction instead.
diff --git a/Cargo.lock b/Cargo.lock
@@ -7189,7 +7189,6 @@ dependencies = [
  "tpm_resources",
  "tracelimit",
  "tracing",
- "underhill_confidentiality",
  "vm_resource",
  "vmcore",
  "zerocopy 0.8.24",
diff --git a/openhcl/underhill_core/src/worker.rs b/openhcl/underhill_core/src/worker.rs
@@ -2575,6 +2575,7 @@ async fn new_underhill_vm(
                 register_layout,
                 guest_secret_key: platform_attestation_data.guest_secret_key,
                 logger: Some(GetTpmLoggerHandle.into_resource()),
+                is_confidential_vm: isolation.is_isolated(),
             }
             .into_resource(),
         });
diff --git a/openvmm/openvmm_entry/src/lib.rs b/openvmm/openvmm_entry/src/lib.rs
@@ -1018,6 +1018,7 @@ fn vm_config_from_command_line(
                 register_layout,
                 guest_secret_key: None,
                 logger: None,
+                is_confidential_vm: false,
             }
             .into_resource(),
         });
diff --git a/petri/src/vm/openvmm/modify.rs b/petri/src/vm/openvmm/modify.rs
@@ -55,6 +55,7 @@ impl PetriVmConfigOpenVmm {
                     register_layout: TpmRegisterLayout::IoPort,
                     guest_secret_key: None,
                     logger: None,
+                    is_confidential_vm: self.firmware.isolation().is_some(),
                 }
                 .into_resource(),
             });
diff --git a/vm/devices/tpm/Cargo.toml b/vm/devices/tpm/Cargo.toml
@@ -19,7 +19,6 @@ chipset_device.workspace = true
 chipset_device_resources.workspace = true
 cvm_tracing.workspace = true
 guestmem.workspace = true
-underhill_confidentiality = { workspace = true, features = ["std"] }
 vmcore.workspace = true
 vm_resource.workspace = true
 
diff --git a/vm/devices/tpm/src/lib.rs b/vm/devices/tpm/src/lib.rs
@@ -57,7 +57,6 @@ use tpm20proto::NV_INDEX_RANGE_BASE_TCG_ASSIGNED;
 use tpm20proto::ReservedHandle;
 use tpm20proto::TPM20_HT_PERSISTENT;
 use tpm20proto::TPM20_RH_PLATFORM;
-use underhill_confidentiality::is_confidential_vm;
 use vmcore::device_state::ChangeDeviceState;
 use vmcore::non_volatile_store::NonVolatileStore;
 use vmcore::non_volatile_store::NonVolatileStoreError;
@@ -347,6 +346,7 @@ impl Tpm {
         ak_cert_type: TpmAkCertType,
         guest_secret_key: Option<Vec<u8>>,
         logger: Option<Arc<dyn TpmLogger>>,
+        is_confidential_vm: bool,
     ) -> Result<Self, TpmError> {
         tracing::info!("initializing TPM");
 
@@ -428,7 +428,8 @@ impl Tpm {
         };
 
         if !is_restoring {
-            tpm.on_first_boot(guest_secret_key).await?;
+            tpm.on_first_boot(guest_secret_key, is_confidential_vm)
+                .await?;
         }
 
         tracing::info!("TPM initialized");
@@ -449,7 +450,11 @@ impl Tpm {
         Ok(())
     }
 
-    async fn on_first_boot(&mut self, guest_secret_key: Option<Vec<u8>>) -> Result<(), TpmError> {
+    async fn on_first_boot(
+        &mut self,
+        guest_secret_key: Option<Vec<u8>>,
+        is_confidential_vm: bool,
+    ) -> Result<(), TpmError> {
         use ms_tpm_20_ref::NvError;
         let mut force_ak_regen = false;
         let fixup_16k_ak_cert;
@@ -482,9 +487,8 @@ impl Tpm {
                 // If this is a confidential VM or has a vTPM blob size that indicates that it was
                 // HCL-provisioned, regenerate the AK from TPM seeds. This prevents an attack where
                 // the VTL0 admin can replace the AK and get an AKCert for it.
-                force_ak_regen = self.refresh_tpm_seeds
-                    || blob.len() != LEGACY_VTPM_SIZE
-                    || is_confidential_vm();
+                force_ak_regen =
+                    self.refresh_tpm_seeds || blob.len() != LEGACY_VTPM_SIZE || is_confidential_vm;
 
                 // If this is a small vTPM blob, potentially fixup the AK cert.
                 fixup_16k_ak_cert = blob.len() == LEGACY_VTPM_SIZE;
diff --git a/vm/devices/tpm/src/resolver.rs b/vm/devices/tpm/src/resolver.rs
@@ -117,6 +117,7 @@ impl AsyncResolveResource<ChipsetDeviceHandleKind, TpmDeviceHandle> for TpmDevic
             ak_cert_type,
             resource.guest_secret_key,
             logger,
+            resource.is_confidential_vm,
         )
         .await
         .map_err(ResolveTpmError::Tpm)?;
diff --git a/vm/devices/tpm/src/tpm_helper.rs b/vm/devices/tpm/src/tpm_helper.rs
@@ -3754,6 +3754,7 @@ mod tests {
             TpmAkCertType::Trusted(Arc::new(TestRequestAkCertHelper {})),
             None,
             None,
+            false,
         )
         .await
         .unwrap();
diff --git a/vm/devices/tpm_resources/src/lib.rs b/vm/devices/tpm_resources/src/lib.rs
@@ -30,6 +30,8 @@ pub struct TpmDeviceHandle {
     pub guest_secret_key: Option<Vec<u8>>,
     /// Optional logger to send event to the host
     pub logger: Option<Resource<TpmLoggerKind>>,
+    /// Whether or not the TPM is in a confidential VM
+    pub is_confidential_vm: bool,
 }
 
 impl ResourceId<ChipsetDeviceHandleKind> for TpmDeviceHandle {

Original file line number	Diff line number	Diff line change
`@@ -2575,6 +2575,7 @@ async fn new_underhill_vm(`
`2575`	`2575`	`register_layout,`
`2576`	`2576`	`guest_secret_key: platform_attestation_data.guest_secret_key,`
`2577`	`2577`	`logger: Some(GetTpmLoggerHandle.into_resource()),`
	`2578`	`+ is_confidential_vm: isolation.is_isolated(),`
`2578`	`2579`	`}`
`2579`	`2580`	`.into_resource(),`
`2580`	`2581`	`});`
Original file line number	Diff line number	Diff line change
`@@ -1018,6 +1018,7 @@ fn vm_config_from_command_line(`
`1018`	`1018`	`register_layout,`
`1019`	`1019`	`guest_secret_key: None,`
`1020`	`1020`	`logger: None,`
	`1021`	`+ is_confidential_vm: false,`
`1021`	`1022`	`}`
`1022`	`1023`	`.into_resource(),`
`1023`	`1024`	`});`
Original file line number	Diff line number	Diff line change
`@@ -55,6 +55,7 @@ impl PetriVmConfigOpenVmm {`
`55`	`55`	`register_layout: TpmRegisterLayout::IoPort,`
`56`	`56`	`guest_secret_key: None,`
`57`	`57`	`logger: None,`
	`58`	`+ is_confidential_vm: self.firmware.isolation().is_some(),`
`58`	`59`	`}`
`59`	`60`	`.into_resource(),`
`60`	`61`	`});`
Original file line number	Diff line number	Diff line change
`@@ -117,6 +117,7 @@ impl AsyncResolveResource<ChipsetDeviceHandleKind, TpmDeviceHandle> for TpmDevic`
`117`	`117`	`ak_cert_type,`
`118`	`118`	`resource.guest_secret_key,`
`119`	`119`	`logger,`
	`120`	`+ resource.is_confidential_vm,`
`120`	`121`	`)`
`121`	`122`	`.await`
`122`	`123`	`.map_err(ResolveTpmError::Tpm)?;`
Original file line number	Diff line number	Diff line change
`@@ -3754,6 +3754,7 @@ mod tests {`
`3754`	`3754`	`TpmAkCertType::Trusted(Arc::new(TestRequestAkCertHelper {})),`
`3755`	`3755`	`None,`
`3756`	`3756`	`None,`
	`3757`	`+ false,`
`3757`	`3758`	`)`
`3758`	`3759`	`.await`
`3759`	`3760`	`.unwrap();`
Original file line number	Diff line number	Diff line change
`@@ -30,6 +30,8 @@ pub struct TpmDeviceHandle {`
`30`	`30`	`pub guest_secret_key: Option<Vec<u8>>,`
`31`	`31`	`/// Optional logger to send event to the host`
`32`	`32`	`pub logger: Option<Resource<TpmLoggerKind>>,`
	`33`	`+ /// Whether or not the TPM is in a confidential VM`
	`34`	`+ pub is_confidential_vm: bool,`
`33`	`35`	`}`
`34`	`36`
`35`	`37`	`impl ResourceId<ChipsetDeviceHandleKind> for TpmDeviceHandle {`