Add vTPM support for Linux

stefanberger · stefanberger · commit a50c7669df43 · 2016-09-28T14:50:12.000-04:00
This patch adds vTPM support for Linux to libcontainer. The functionality is based on a recently added vtpm_proxy driver, which is becoming available in Linux 4.8. The driver provides /dev/vtpmx, on which an ioctl is called that spawns a TPM device in the host's /dev directory and returns an anonymous file- descriptor on which a TPM emulator can listen for TPM commands. If we for example created /dev/tpm12 on the host we make this device available as /dev/tpm0 inside the container. We also add its major and minor numbers to the device cgroup. We implement a VTPM class that allows us to create the device and starts a TPM emulator 'swtpm', to which it passes the anonymous file descriptor. Besides that, the user can choose to have the vTPM create certificates in a step that simulates TPM manufacturing. We do this by calling the external swtpm_setup program, which is part of the swtpm project. VTPM support is added inside the JSON configuration as follows: [...] "linux": { "resources": { "devices": [ { "allow": false, "access": "rwm" } ] , "vtpms": [ { "Statepath": "/tmp/tpm-1", "CreateCertificates": true, }, ] }, [...] This JSON markup makes a single TPM available inside the created container. o The Statpath parameter indicates the directory where the TPM emulator 'swtpm' writes the state of the TPM device to. o The CreateCertificates parameter indicates that certificates for the TPM are to be created. The swtpm project is available here : https://github.com/stefanberger/swtpm The libtpms project is available here: https://github.com/stefanberger/libtpms Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
diff --git a/Godeps/_workspace/src/github.com/opencontainers/runtime-spec/specs-go/config.go b/Godeps/_workspace/src/github.com/opencontainers/runtime-spec/specs-go/config.go
diff --git a/libcontainer/configs/config.go b/libcontainer/configs/config.go
@@ -8,6 +8,8 @@ import (
 	"time"
 
 	"github.com/Sirupsen/logrus"
+
+	"github.com/opencontainers/runc/libcontainer/vtpm"
 )
 
 type Rlimit struct {
@@ -187,6 +189,9 @@ type Config struct {
 	// NoNewKeyring will not allocated a new session keyring for the container.  It will use the
 	// callers keyring in this case.
 	NoNewKeyring bool `json:"no_new_keyring"`
+
+	// VTPM configuration
+	VTPMs []*vtpm.VTPM `json:"vtpms"`
 }
 
 type Hooks struct {
diff --git a/libcontainer/specconv/spec_linux.go b/libcontainer/specconv/spec_linux.go
@@ -15,6 +15,7 @@ import (
 	"github.com/opencontainers/runc/libcontainer/configs"
 	"github.com/opencontainers/runc/libcontainer/seccomp"
 	libcontainerUtils "github.com/opencontainers/runc/libcontainer/utils"
+	"github.com/opencontainers/runc/libcontainer/vtpm/vtpm-helper"
 	"github.com/opencontainers/runtime-spec/specs-go"
 )
 
@@ -202,6 +203,9 @@ func CreateLibcontainerConfig(opts *CreateOpts) (*configs.Config, error) {
 	if err := createDevices(spec, config); err != nil {
 		return nil, err
 	}
+	if err := createVTPMs(spec, config); err != nil {
+		return nil, err
+	}
 	if err := setupUserNamespace(spec, config); err != nil {
 		return nil, err
 	}
@@ -473,6 +477,37 @@ func stringToDeviceRune(s string) (rune, error) {
 	}
 }
 
+func createVTPMs(spec *specs.Spec, config *configs.Config) error {
+	r := spec.Linux.Resources
+	if r == nil {
+		return nil
+	}
+
+	rootUID, err := config.HostUID()
+	if err != nil {
+		return err
+	}
+	rootGID, err := config.HostGID()
+	if err != nil {
+		return err
+	}
+
+	devnum := 0
+	for _, vtpm := range r.VTPMs {
+		err = vtpmhelper.CreateVTPM(spec, config, &vtpm, devnum, rootUID, rootGID)
+		if err != nil {
+			DestroyVTPMs(config)
+			return err
+		}
+		devnum++
+	}
+	return nil
+}
+
+func DestroyVTPMs(config *configs.Config) {
+	vtpmhelper.DestroyVTPMs(config)
+}
+
 func createDevices(spec *specs.Spec, config *configs.Config) error {
 	// add whitelisted devices
 	config.Devices = []*configs.Device{
diff --git a/libcontainer/state_linux.go b/libcontainer/state_linux.go
@@ -11,6 +11,7 @@ import (
 	"github.com/Sirupsen/logrus"
 	"github.com/opencontainers/runc/libcontainer/configs"
 	"github.com/opencontainers/runc/libcontainer/utils"
+	"github.com/opencontainers/runc/libcontainer/vtpm/vtpm-helper"
 )
 
 func newStateTransitionError(from, to containerState) error {
@@ -38,6 +39,7 @@ type containerState interface {
 }
 
 func destroy(c *linuxContainer) error {
+	vtpmhelper.DestroyVTPMs(c.config)
 	if !c.config.Namespaces.Contains(configs.NEWPID) {
 		if err := killCgroupProcesses(c.cgroupManager); err != nil {
 			logrus.Warn(err)
diff --git a/libcontainer/vtpm/vtpm-helper/vtpm_helper.go b/libcontainer/vtpm/vtpm-helper/vtpm_helper.go
@@ -0,0 +1,90 @@
+// + build linux
+
+package vtpmhelper
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/opencontainers/runc/libcontainer/configs"
+	"github.com/opencontainers/runc/libcontainer/vtpm"
+
+	"github.com/Sirupsen/logrus"
+	"github.com/opencontainers/runtime-spec/specs-go"
+)
+
+// Create a VTPM
+func CreateVTPM(spec *specs.Spec, config *configs.Config, vtpmdev *specs.VTPM, devnum int, uid int, gid int) error {
+	debug := false
+
+	vtpm, err := vtpm.NewVTPM(vtpmdev.Statepath, vtpmdev.TPMVersion, vtpmdev.CreateCertificates, debug)
+	if err != nil {
+		return err
+	}
+
+	// Start the vTPM process; once stopped, the device pair will
+	// also disappear
+	err = vtpm.Start()
+	if err != nil {
+		return err
+	}
+
+	hostdev := vtpm.GetTPMDevname()
+	major, minor := vtpm.GetMajorMinor()
+
+	if debug {
+		logrus.Infof("Device %s has major %d and minor %d; err: %v", hostdev, major, minor, err)
+	}
+
+	device := &configs.Device{
+		Type:        'c',
+		Path:        fmt.Sprintf("/dev/tpm%d", devnum),
+		Major:       int64(major),
+		Minor:       int64(minor),
+		Permissions: "rwm",
+		FileMode:    0600,
+		Allow:       true,
+		Uid:         0,
+		Gid:         0,
+	}
+
+	config.Devices = append(config.Devices, device)
+
+	dtype := string("c")
+	major_p := new(int64)
+	*major_p = int64(major)
+	minor_p := new(int64)
+	*minor_p = int64(minor)
+	access := string("rwm")
+
+	ld := &specs.DeviceCgroup{
+		Allow:  true,
+		Type:   &dtype,
+		Major:  major_p,
+		Minor:  minor_p,
+		Access: &access,
+	}
+	spec.Linux.Resources.Devices = append(spec.Linux.Resources.Devices, *ld)
+
+	config.VTPMs = append(config.VTPMs, vtpm)
+
+	if uid != 0 {
+		// adapt ownership of the device since only root can access it
+		if err := os.Chown(hostdev, uid, gid); err != nil {
+			vtpm.Stop()
+			return err
+		}
+		if debug {
+			logrus.Infof("Changed ownership of %s for access by non-root", hostdev)
+		}
+	}
+
+	return nil
+}
+
+func DestroyVTPMs(config *configs.Config) {
+	for _, vtpm := range config.VTPMs {
+		vtpm.Stop()
+	}
+	config.VTPMs = make([]*vtpm.VTPM, 0)
+}
diff --git a/libcontainer/vtpm/vtpm.go b/libcontainer/vtpm/vtpm.go

Original file line number	Diff line number	Diff line change
`@@ -11,6 +11,7 @@ import (`
`11`	`11`	`"github.com/Sirupsen/logrus"`
`12`	`12`	`"github.com/opencontainers/runc/libcontainer/configs"`
`13`	`13`	`"github.com/opencontainers/runc/libcontainer/utils"`
	`14`	`+ "github.com/opencontainers/runc/libcontainer/vtpm/vtpm-helper"`
`14`	`15`	`)`
`15`	`16`
`16`	`17`	`func newStateTransitionError(from, to containerState) error {`
`@@ -38,6 +39,7 @@ type containerState interface {`
`38`	`39`	`}`
`39`	`40`
`40`	`41`	`func destroy(c *linuxContainer) error {`
	`42`	`+ vtpmhelper.DestroyVTPMs(c.config)`
`41`	`43`	`if !c.config.Namespaces.Contains(configs.NEWPID) {`
`42`	`44`	`if err := killCgroupProcesses(c.cgroupManager); err != nil {`
`43`	`45`	`logrus.Warn(err)`