Add vTPM specification

stefanberger · stefanberger · commit 3bd60716f273 · 2017-09-11T22:35:16.000+02:00
Add the vTPM specification to the documentation, config.go, and
schema description. The following is an example of a vTPM description
that is found under the path /linux/resources/vtpms:

    "vtpms": [
        {
            "statePath": "/var/run/runc/ubuntu/tpm12_1",
            "vtpmVersion": "1.2",
            "createCerts": false
        }
    ]

Signed-off-by: Stefan Berger &lt;stefanb@linux.vnet.ibm.com&gt;
diff --git a/config-linux.md b/config-linux.md
@@ -384,6 +384,30 @@ The following parameters can be specified to set up the controller:
     }
 ```
 
+### <a name="configLinuxVTPMs" />vTPMs
+
+**`vtpms`** (array of objects, OPTIONAL) lists a number of emulated TPMs that will be made available to the container.
+
+Each entry has the following structure:
+
+* **`statePath`** *(string, REQUIRED)* - a directory for persisting vTPM state. This value MUST be an absolute path.
+* **`vtpmVersion`** *(string, OPTIONAL)* - The version of TPM to emulate, either 1.2 or 2; default is 1.2.
+* **`createCerts`** *(boolean, OPTIONAL)* - If true then create certificates for the vTPM, defaults to false.
+
+The `statePath` MUST be unique per container. If the `vtpms` array contains duplicate entries with the same `statePath`, the runtime MUST generate an error.
+
+#### Example
+
+```json
+    "vtpms": [
+        {
+            "statePath": "/var/run/runc/ubuntu/tpm12_1",
+            "vtpmVersion": "1.2",
+            "createCerts": false
+        }
+    ]
+```
+
 ### <a name="configLinuxHugePageLimits" />Huge page limits
 
 **`hugepageLimits`** (array of objects, OPTIONAL) represents the `hugetlb` controller which allows to limit the
diff --git a/config.md b/config.md
@@ -772,7 +772,14 @@ Here is a full example `config.json` for reference.
                         "rate": 300
                     }
                 ]
-            }
+            },
+            "vtpms": [
+                {
+                    "statePath": "/var/run/runc/ubuntu/tpm12_1",
+                    "vtpmVersion": "1.2",
+                    "createCerts": false
+                }
+            ]
         },
         "rootfsPropagation": "slave",
         "seccomp": {
diff --git a/schema/config-linux.json b/schema/config-linux.json
@@ -47,6 +47,13 @@
                             "$ref": "defs-linux.json#/definitions/DeviceCgroup"
                         }
                     },
+                    "vtpms" : {
+                        "id": "https://opencontainers.org/schema/bundle/linux/resources/vtpms",
+                        "type": "array",
+                        "items": {
+                            "$ref": "defs-linux.json#/definitions/VTPM"
+                        }
+                    },
                     "pids": {
                         "id": "https://opencontainers.org/schema/bundle/linux/resources/pids",
                         "type": "object",
diff --git a/schema/defs-linux.json b/schema/defs-linux.json
@@ -109,6 +109,14 @@
             "description": "minor device number",
             "$ref": "defs.json#/definitions/int64"
         },
+        "TPMVersion": {
+            "description": "The TPM version",
+            "type": "string",
+            "enum": [
+                "1.2",
+                "2"
+            ]
+        },
         "FileMode": {
             "description": "File permissions mode (typically an octal value)",
             "type": "integer",
@@ -202,6 +210,23 @@
                 }
             ]
         },
+        "VTPM" : {
+            "type": "object",
+            "properties" : {
+                "statePath": {
+                    "type": "string"
+                },
+                "vtpmVersion": {
+                    "$ref": "#/definitions/TPMVersion"
+                },
+                "createCerts": {
+                    "type": "boolean"
+                }
+            },
+            "required": [
+                "statePath"
+            ]
+        },
         "DeviceCgroup": {
             "type": "object",
             "properties": {
diff --git a/schema/test/config/good/spec-example.json b/schema/test/config/good/spec-example.json
@@ -303,7 +303,14 @@
                         "rate": 300
                     }
                 ]
-            }
+            },
+            "vtpms": [
+                {
+                    "statePath": "/var/run/runc/ubuntu/tpm12_1",
+                    "vtpmVersion": "1.2",
+                    "createCerts": false
+                }
+            ]
         },
         "rootfsPropagation": "slave",
         "seccomp": {
diff --git a/specs-go/config.go b/specs-go/config.go
@@ -161,6 +161,8 @@ type Linux struct {
 	// IntelRdt contains Intel Resource Director Technology (RDT) information
 	// for handling resource constraints (e.g., L3 cache) for the container
 	IntelRdt *LinuxIntelRdt `json:"intelRdt,omitempty"`
+	// VTPM configuration
+	VTPMS []LinuxVTPM `json:"vtpms"`
 }
 
 // LinuxNamespace is the configuration for a Linux namespace
@@ -568,3 +570,13 @@ type LinuxIntelRdt struct {
 	// Format: "L3:<cache_id0>=<cbm0>;<cache_id1>=<cbm1>;..."
 	L3CacheSchema string `json:"l3CacheSchema,omitempty"`
 }
+
+// VTPM is used to hold the configuration state of a VTPM
+type LinuxVTPM struct {
+	// The directory where the TPM emulator writes the TPM state to
+	StatePath string `json:"statePath"`
+	// Whether to create a certificate for the VTPM
+	CreateCerts bool `json:"createCerts,omitempty"`
+	// Version of the TPM
+	VTPMversion string `json:"vtpmVersion,omitempty"`
+}
