diff --git a/config-linux.md b/config-linux.md
index 6f710daf8..4f4f26a4e 100644
--- a/config-linux.md
+++ b/config-linux.md
@@ -387,6 +387,36 @@ The following parameters can be specified to set up the controller:
}
```
+### vTPMs
+
+**`vtpms`** (array of objects, OPTIONAL) lists a number of emulated TPMs that will be made available to the container.
+
+Each entry has the following structure:
+
+* **`statePath`** *(string, REQUIRED)* - Unique path where vTPM writes its state into.
+* **`statePathIsManaged`** *(string, OPTIONAL)* - Whether runc is allowed to delete the TPM's state path upon destroying the TPM, defaults to false.
+* **`vtpmVersion`** *(string, OPTIONAL)* - The version of TPM to emulate, either 1.2 or 2, defaults to 1.2.
+* **`createCerts`** *(boolean, OPTIONAL)* - If true then create certificates for the vTPM, defaults to false.
+* **`runAs`** *(string, OPTIONAL)* - Under which user to run the vTPM, e.g. 'tss'.
+* **`pcrBanks`** *(string, OPTIONAL)* - Comma-separated list of PCR banks to activate, default depends on `swtpm`.
+* **`encryptionPassword`** *(string, OPTIONAL)* - Write state encrypted with a key derived from the password, defaults to not encrypted.
+
+#### Example
+
+```json
+ "vtpms": [
+ {
+ "statePath": "/var/lib/runc/myvtpm1",
+ "statePathIsManaged": false,
+ "vtpmVersion": "2",
+ "createCerts": false,
+ "runAs": "tss",
+ "pcrBanks": "sha1,sha512",
+ "encryptionPassword": "mysecret"
+ }
+ ]
+```
+
### Huge page limits
**`hugepageLimits`** (array of objects, OPTIONAL) represents the `hugetlb` controller which allows to limit the
diff --git a/config.md b/config.md
index 667bbba58..5a45f1286 100644
--- a/config.md
+++ b/config.md
@@ -886,7 +886,16 @@ Here is a full example `config.json` for reference.
"rate": 300
}
]
- }
+ },
+ "vtpms": [
+ {
+ "statePath": "/var/lib/runc/myvtpm1",
+ "vtpmVersion": "2",
+ "createCerts": false,
+ "runAs": "tss",
+ "pcrBanks": "sha1,sha512"
+ }
+ ]
},
"rootfsPropagation": "slave",
"seccomp": {
diff --git a/schema/config-linux.json b/schema/config-linux.json
index 98295c4cf..a1838e95b 100644
--- a/schema/config-linux.json
+++ b/schema/config-linux.json
@@ -40,6 +40,12 @@
"$ref": "defs-linux.json#/definitions/DeviceCgroup"
}
},
+ "vtpms" : {
+ "type": "array",
+ "items": {
+ "$ref": "defs-linux.json#/definitions/VTPM"
+ }
+ },
"pids": {
"type": "object",
"properties": {
diff --git a/schema/defs-linux.json b/schema/defs-linux.json
index 8b34ca94b..c91c74256 100644
--- a/schema/defs-linux.json
+++ b/schema/defs-linux.json
@@ -140,6 +140,14 @@
"description": "minor device number",
"$ref": "defs.json#/definitions/int64"
},
+ "TPMVersion": {
+ "description": "The TPM version",
+ "type": "string",
+ "enum": [
+ "1.2",
+ "2"
+ ]
+ },
"FileMode": {
"description": "File permissions mode (typically an octal value)",
"type": "integer",
@@ -233,6 +241,35 @@
}
]
},
+ "VTPM" : {
+ "type": "object",
+ "properties" : {
+ "statePath": {
+ "type": "string"
+ },
+ "statePathIsManaged": {
+ "type": "boolean"
+ },
+ "vtpmVersion": {
+ "$ref": "#/definitions/TPMVersion"
+ },
+ "createCerts": {
+ "type": "boolean"
+ },
+ "runAs": {
+ "type": "string"
+ },
+ "pcrBanks": {
+ "type": "string"
+ },
+ "encryptionPassword": {
+ "type": "string"
+ }
+ },
+ "required": [
+ "statePath"
+ ]
+ },
"DeviceCgroup": {
"type": "object",
"properties": {
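Review bot: The `statePathIsManaged` property in the new `VTPM` definition is typed `boolean`, but the config-linux.md text added in this same commit documents it as *(string, OPTIONAL)*; one of the two should change, and since the Go struct uses `bool`, the markdown should read `* **\`statePathIsManaged\`** *(boolean, OPTIONAL)*`. `pcrBanks` is declared as a free-form `"type": "string"` holding a comma-separated list, which the schema cannot validate; an `"type": "array", "items": {"type": "string"}` form would let the schema reject malformed values instead of deferring that to the runtime. Nothing in the schema constrains `statePath` beyond being a string, so a relative path is accepted here even though the Go comment describes it as a host path — if an absolute path is intended, a `"pattern": "^/"` would pin that down.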
diff --git a/schema/test/config/good/spec-example.json b/schema/test/config/good/spec-example.json
index a784d1d74..631de3f58 100644
--- a/schema/test/config/good/spec-example.json
+++ b/schema/test/config/good/spec-example.json
@@ -330,7 +330,25 @@
"rate": 300
}
]
- }
+ },
+ "vtpms": [
+ {
+ "statePath": "/var/lib/runc/myvtpm1",
+ "vtpmVersion": "2",
+ "createCerts": false,
+ "runAs": "tss",
+ "pcrBanks": "sha1,sha512"
+ },
+ {
+ "statePath": "/var/lib/runc/myvtpm2",
+ "statePathIsManaged": true,
+ "vtpmVersion": "1.2",
+ "createCerts": true,
+ "runAs": "root",
+ "pcrBanks": "sha1,sha512",
+ "encryptionPassword": "mysecret"
+ }
+ ]
},
"rootfsPropagation": "slave",
"seccomp": {
diff --git a/specs-go/config.go b/specs-go/config.go
index 08af67798..ac597b90e 100644
--- a/specs-go/config.go
+++ b/specs-go/config.go
@@ -352,6 +352,24 @@ type LinuxRdma struct {
HcaObjects *uint32 `json:"hcaObjects,omitempty"`
}
+// LinuxVTPM for vTPM definition
+type LinuxVTPM struct {
+ // Path on host where vTPM writes state to
+ StatePath string `json:"statePath,omitempty"`
+ // Whether runc is allowed to delete the 'Statepath' once the TPM is destroyed
+ StatePathIsManaged bool `json:"statePathIsManaged,omitempty"`
+ // Version of the TPM that is emulated
+ TPMVersion string `json:"vtpmVersion,omitempty"`
+ // Whether to create certificates upon first start of vTPM
+ CreateCertificates bool `json:"createCerts,omitempty"`
+ // The PCR banks to enable
+ PcrBanks string `json:"pcrBanks,omitempty"`
+ // Under what user to run the vTPM process
+ RunAs string `json:"runAs,omitempty"`
+ // The password to derive the encryption key from
+ EncryptionPassword string `json:"encryptionPassword,omitempty"`
+}
+
// LinuxResources has container runtime resource constraints
type LinuxResources struct {
// Devices configures the device whitelist.
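Review bot: `EncryptionPassword` at the end of LinuxVTPM places the state-encryption secret in clear text inside config.json, so anyone who can read the bundle, or a log/inspect dump of the spec, can recover the key the option is meant to protect the vTPM state with; consider taking a path or file descriptor to read the password from instead, and at minimum warn in the field comment, e.g. `// The password to derive the encryption key from. NOTE: stored in clear text in config.json; restrict bundle permissions.` `StatePath` carries `omitempty` while the schema lists `statePath` as required — the tag should be `json:"statePath"`, matching how `LinuxDevice.Path` is declared. The comment on `StatePathIsManaged` misspells the field as 'Statepath', and the comment on `RunAs` gives no default, so a reader cannot tell whether an unset value means the runtime's own user.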
@@ -372,12 +390,16 @@ type LinuxResources struct {
// Limits are a set of key value pairs that define RDMA resource limits,
// where the key is device name and value is resource limits.
Rdma map[string]LinuxRdma `json:"rdma,omitempty"`
+ // VTPM configuration
+ VTPMs []LinuxVTPM `json:"vtpms,omitempty"`
}
// LinuxDevice represents the mknod information for a Linux special device file
type LinuxDevice struct {
// Path to the device.
Path string `json:"path"`
+ // Path of passed-through device on host
+ Devpath string `json:"devpath"`
// Device type, block, char, etc.
Type string `json:"type"`
// Major is the device's major number.