
Commit 5d6e978

committed
Create TPM device manager device if available on host
Create the TPM device manager device inside the container if it is available on the host. Signed-off-by: Stefan Berger <[email protected]>
1 parent fc8f772 commit 5d6e978

1 file changed

+43
-19
lines changed

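--- a/libcontainer/vtpm/vtpm-helper/vtpm_helper.go
+++ b/libcontainer/vtpm/vtpm-helper/vtpm_helper.go
@@ -5,34 +5,19 @@ package vtpmhelper
 import (
 	"fmt"
 	"os"
+	"syscall"
 
 	"github.com/opencontainers/runc/libcontainer/configs"
+	"github.com/opencontainers/runc/libcontainer/devices"
 	"github.com/opencontainers/runc/libcontainer/vtpm"
 
 	"github.com/opencontainers/runtime-spec/specs-go"
 )
 
-// Create a VTPM
-func CreateVTPM(spec *specs.Spec, config *configs.Config, vtpmdev *specs.VTPM, devnum int, uid int, gid int) error {
-
-	vtpm, err := vtpm.NewVTPM(vtpmdev.Statepath, vtpmdev.TPMVersion, vtpmdev.CreateCertificates)
-	if err != nil {
-		return err
-	}
-
-	// Start the vTPM process; once stopped, the device pair will
-	// also disappear
-	err, createdStatepath := vtpm.Start()
-	if err != nil {
-		return err
-	}
-
-	hostdev := vtpm.GetTPMDevname()
-	major, minor := vtpm.GetMajorMinor()
-
+func addVTPMDevice(spec *specs.Spec, config *configs.Config, devpath string, major, minor uint32) {
 	device := &configs.Device{
 		Type: 'c',
-		Path: fmt.Sprintf("/dev/tpm%d", devnum),
+		Path: devpath,
 		Major: int64(major),
 		Minor: int64(minor),
 		Permissions: "rwm",
@@ -57,6 +42,28 @@ func CreateVTPM(spec *specs.Spec, config *configs.Config, vtpmdev *specs.VTPM, d
 		Access: "rwm",
 	}
 	spec.Linux.Resources.Devices = append(spec.Linux.Resources.Devices, *ld)
+}
+
+// Create a VTPM
+func CreateVTPM(spec *specs.Spec, config *configs.Config, vtpmdev *specs.VTPM, devnum int, uid int, gid int) error {
+
+	vtpm, err := vtpm.NewVTPM(vtpmdev.Statepath, vtpmdev.TPMVersion, vtpmdev.CreateCertificates)
+	if err != nil {
+		return err
+	}
+
+	// Start the vTPM process; once stopped, the device pair will
+	// also disappear
+	err, createdStatepath := vtpm.Start()
+	if err != nil {
+		return err
+	}
+
+	hostdev := vtpm.GetTPMDevname()
+	major, minor := vtpm.GetMajorMinor()
+
+	devpath := fmt.Sprintf("/dev/tpm%d", devnum)
+	addVTPMDevice(spec, config, devpath, major, minor)
 
 	config.VTPMs = append(config.VTPMs, vtpm)
 
@@ -68,6 +75,23 @@ func CreateVTPM(spec *specs.Spec, config *configs.Config, vtpmdev *specs.VTPM, d
 		}
 	}
 
+	// check if /dev/vtpmrm%d is available
+	host_tpmrm := fmt.Sprintf("/dev/tpmrm%d", vtpm.GetTPMDevNum())
+	if fileInfo, err := os.Lstat(host_tpmrm); err == nil {
+		if stat_t, ok := fileInfo.Sys().(*syscall.Stat_t); ok {
+			devNumber := int(stat_t.Rdev)
+			devpath = fmt.Sprintf("/dev/tpmrm%d", devnum)
+			addVTPMDevice(spec, config, devpath, uint32(devices.Major(devNumber)), uint32(devices.Minor(devNumber)))
+		}
+		if uid != 0 {
+			// adapt ownership of the device since only root can access it
+			if err := os.Chown(host_tpmrm, uid, gid); err != nil {
+				vtpm.Stop(createdStatepath)
+				return err
+			}
+		}
+	}
+
 	return nil
 }
 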
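Review bot: In the third hunk, `stat_t.Rdev` is read and turned into a device allow-list entry without checking that the node found by `os.Lstat` is actually a character device; since `Lstat` does not follow symlinks, a symlink or regular file at that path would have Rdev 0 and the container would be granted a bogus `0:0` device entry, and the host path would then also be chowned to the container uid. The type assertion line should gate on the mode as well, e.g. `if stat_t, ok := fileInfo.Sys().(*syscall.Stat_t); ok && fileInfo.Mode()&os.ModeCharDevice != 0 {`, and the `os.Chown` should sit inside that same branch so ownership is only changed on the device that was exposed. The comment `// check if /dev/vtpmrm%d is available` names a different path than the code probes; it should read `// check if the host's /dev/tpmrm%d resource-manager device is available`, and the `err == nil` test silently treats any Lstat failure, not just a missing node, as "absent", which is presumably intended but deserves a comment. Style: `host_tpmrm` and `stat_t` are not MixedCaps (`hostTPMRM`, `st`). The body of CreateVTPM between the second and third hunks is outside the diff.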
