Add vTPM support for Linux

This patch adds vTPM support for Linux to libcontainer.

The functionality is based on a recently added vtpm_proxy driver, which is becoming
available in Linux 4.8. The driver provides /dev/vtpmx, on which an ioctl is called
that spawns a TPM device in the host's /dev directory and returns an anonymous file-
descriptor on which a TPM emulator can listen for TPM commands. If we for example
created /dev/tpm12 on the host we make this device available as /dev/tpm0 inside the
container. We also add its major and minor numbers to the device cgroup.

We implement a VTPM class that allows us to create the device and starts a TPM
emulator 'swtpm', to which it passes the anonymous file descriptor.
Besides that, the user can choose to have the vTPM create certificates in a step
that simulates TPM manufacturing. We do this by calling the external swtpm_setup
program, which is part of the swtpm project.

VTPM support is added inside the JSON configuration as follows:

[...]
	"linux": {
		"resources": {
			"devices": [
				{
					"allow": false,
					"access": "rwm"
				}
			] ,
			"vtpms": [
				{
					"Statepath": "/tmp/tpm-1",
					"CreateCertificates": true,
				},
			]
		},
[...]

This JSON markup makes a single TPM available inside the created container.

o The Statpath parameter indicates the directory where the TPM emulator 'swtpm'
  writes the state of the TPM device to.
o The CreateCertificates parameter indicates that certificates for the TPM are
  to be created.

The current implementation does not support checkpointing, so checkpointing
of a container with an attached vTPM is prevented.

The swtpm project is available here  : https://github.com/stefanberger/swtpm
The libtpms project is available here: https://github.com/stefanberger/libtpms

Signed-off-by: Stefan Berger <[email protected]>

Author: stefanberger

libcontainer/configs/config.go

@@ -9,6 +9,8 @@ import (
 
 	"github.com/Sirupsen/logrus"
 	"github.com/opencontainers/runtime-spec/specs-go"
+
+	"github.com/opencontainers/runc/libcontainer/vtpm"
 )
 
 type Rlimit struct {
@@ -186,6 +188,9 @@ type Config struct {
 
 	// Rootless specifies whether the container is a rootless container.
 	Rootless bool `json:"rootless"`
+
+	// VTPM configuration
+	VTPMs []*vtpm.VTPM `json:"vtpms"`
 }
 
 type Hooks struct {

libcontainer/container_linux.go

@@ -695,6 +695,10 @@ func (c *linuxContainer) Checkpoint(criuOpts *CriuOpts) error {
 		return fmt.Errorf("cannot checkpoint a rootless container")
 	}
 
+	if len(c.config.VTPMs) > 0 {
+		return fmt.Errorf("Checkpointing with attached vTPM is not supported")
+	}
+
 	if err := c.checkCriuVersion("1.5.2"); err != nil {
 		return err
 	}

libcontainer/specconv/spec_linux.go

@@ -14,6 +14,7 @@ import (
 	"github.com/opencontainers/runc/libcontainer/configs"
 	"github.com/opencontainers/runc/libcontainer/seccomp"
 	libcontainerUtils "github.com/opencontainers/runc/libcontainer/utils"
+	"github.com/opencontainers/runc/libcontainer/vtpm/vtpm-helper"
 	"github.com/opencontainers/runtime-spec/specs-go"
 
 	"golang.org/x/sys/unix"
@@ -211,6 +212,9 @@ func CreateLibcontainerConfig(opts *CreateOpts) (*configs.Config, error) {
 	if err := createDevices(spec, config); err != nil {
 		return nil, err
 	}
+	if err := createVTPMs(spec, config); err != nil {
+		return nil, err
+	}
 	if err := setupUserNamespace(spec, config); err != nil {
 		return nil, err
 	}
@@ -507,6 +511,37 @@ func stringToDeviceRune(s string) (rune, error) {
 	}
 }
 
+func createVTPMs(spec *specs.Spec, config *configs.Config) error {
+	r := spec.Linux.Resources
+	if r == nil {
+		return nil
+	}
+
+	rootUID, err := config.HostUID(0)
+	if err != nil {
+		return err
+	}
+	rootGID, err := config.HostGID(0)
+	if err != nil {
+		return err
+	}
+
+	devnum := 0
+	for _, vtpm := range r.VTPMs {
+		err = vtpmhelper.CreateVTPM(spec, config, &vtpm, devnum, rootUID, rootGID)
+		if err != nil {
+			DestroyVTPMs(config)
+			return err
+		}
+		devnum++
+	}
+	return nil
+}
+
+func DestroyVTPMs(config *configs.Config) {
+	vtpmhelper.DestroyVTPMs(config)
+}
+
 func createDevices(spec *specs.Spec, config *configs.Config) error {
 	// add whitelisted devices
 	config.Devices = []*configs.Device{

libcontainer/state_linux.go

@@ -11,6 +11,7 @@ import (
 	"github.com/opencontainers/runc/libcontainer/configs"
 	"github.com/opencontainers/runc/libcontainer/utils"
 
+	"github.com/opencontainers/runc/libcontainer/vtpm/vtpm-helper"
 	"golang.org/x/sys/unix"
 )
 
@@ -39,6 +40,7 @@ type containerState interface {
 }
 
 func destroy(c *linuxContainer) error {
+	vtpmhelper.DestroyVTPMs(c.config)
 	if !c.config.Namespaces.Contains(configs.NEWPID) {
 		if err := signalAllProcesses(c.cgroupManager, unix.SIGKILL); err != nil {
 			logrus.Warn(err)

libcontainer/vtpm/vtpm-helper/vtpm_helper.go

@@ -0,0 +1,79 @@
+// + build linux
+
+package vtpmhelper
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/opencontainers/runc/libcontainer/configs"
+	"github.com/opencontainers/runc/libcontainer/vtpm"
+
+	"github.com/opencontainers/runtime-spec/specs-go"
+)
+
+// Create a VTPM
+func CreateVTPM(spec *specs.Spec, config *configs.Config, vtpmdev *specs.VTPM, devnum int, uid int, gid int) error {
+
+	vtpm, err := vtpm.NewVTPM(vtpmdev.Statepath, vtpmdev.TPMVersion, vtpmdev.CreateCertificates)
+	if err != nil {
+		return err
+	}
+
+	// Start the vTPM process; once stopped, the device pair will
+	// also disappear
+	err, createdStatepath := vtpm.Start()
+	if err != nil {
+		return err
+	}
+
+	hostdev := vtpm.GetTPMDevname()
+	major, minor := vtpm.GetMajorMinor()
+
+	device := &configs.Device{
+		Type:        'c',
+		Path:        fmt.Sprintf("/dev/tpm%d", devnum),
+		Major:       int64(major),
+		Minor:       int64(minor),
+		Permissions: "rwm",
+		FileMode:    0600,
+		Allow:       true,
+		Uid:         0,
+		Gid:         0,
+	}
+
+	config.Devices = append(config.Devices, device)
+
+	major_p := new(int64)
+	*major_p = int64(major)
+	minor_p := new(int64)
+	*minor_p = int64(minor)
+
+	ld := &specs.LinuxDeviceCgroup{
+		Allow:  true,
+		Type:   "c",
+		Major:  major_p,
+		Minor:  minor_p,
+		Access: "rwm",
+	}
+	spec.Linux.Resources.Devices = append(spec.Linux.Resources.Devices, *ld)
+
+	config.VTPMs = append(config.VTPMs, vtpm)
+
+	if uid != 0 {
+		// adapt ownership of the device since only root can access it
+		if err := os.Chown(hostdev, uid, gid); err != nil {
+			vtpm.Stop(createdStatepath)
+			return err
+		}
+	}
+
+	return nil
+}
+
+func DestroyVTPMs(config *configs.Config) {
+	for _, vtpm := range config.VTPMs {
+		vtpm.Stop(true)
+	}
+	config.VTPMs = make([]*vtpm.VTPM, 0)
+}