From 32f2dc9b7a866019962234d3f0bf6d829d4e0108 Mon Sep 17 00:00:00 2001 From: Stefan Berger Date: Mon, 6 Jul 2020 13:51:27 -0400 Subject: [PATCH 1/2] Add vTPM specification Add the vTPM specification to the documentation, config.go, and schema description. The following is an example of a vTPM description that is found under the path /linux/resources/vtpms: "vtpms": [ { "statePath": "/var/lib/runc/myvtpm1", "vtpmVersion": "2", "createCerts": false, "runAs": "tss", "pcrBanks": "sha1,sha512" } ] Signed-off-by: Stefan Berger --- config-linux.md | 30 ++++++++++++++++++ config.md | 11 ++++++- schema/config-linux.json | 6 ++++ schema/defs-linux.json | 37 +++++++++++++++++++++++ schema/test/config/good/spec-example.json | 20 +++++++++++- specs-go/config.go | 20 ++++++++++++ 6 files changed, 122 insertions(+), 2 deletions(-) diff --git a/config-linux.md b/config-linux.md index 6f710daf8..4f4f26a4e 100644 --- a/config-linux.md +++ b/config-linux.md 
@@ -387,6 +387,36 @@ The following parameters can be specified to set up the controller: } ``` +### vTPMs + +**`vtpms`** (array of objects, OPTIONAL) lists a number of emulated TPMs that will be made available to the container. + +Each entry has the following structure: + +* **`statePath`** *(string, REQUIRED)* - Unique path where vTPM writes its state into. +* **`statePathIsManaged`** *(string, OPTIONAL)* - Whether runc is allowed to delete the TPM's state path upon destroying the TPM, defaults to false. +* **`vtpmVersion`** *(string, OPTIONAL)* - The version of TPM to emulate, either 1.2 or 2, defaults to 1.2. +* **`createCerts`** *(boolean, OPTIONAL)* - If true then create certificates for the vTPM, defaults to false. +* **`runAs`** *(string, OPTIONAL)* - Under which user to run the vTPM, e.g. 'tss'. +* **`pcrBanks`** *(string, OPTIONAL)* - Comma-separated list of PCR banks to activate, default depends on `swtpm`. +* **`encryptionPassword`** *(string, OPTIONAL)* - Write state encrypted with a key derived from the password, defaults to not encrypted. + +#### Example + +```json + "vtpms": [ + { + "statePath": "/var/lib/runc/myvtpm1", + "statePathIsManaged": false, + "vtpmVersion": "2", + "createCerts": false, + "runAs": "tss", + "pcrBanks": "sha1,sha512", + "encryptionPassword": "mysecret" + } + ] +``` + ### Huge page limits **`hugepageLimits`** (array of objects, OPTIONAL) represents the `hugetlb` controller which allows to limit the diff --git a/config.md b/config.md index 667bbba58..5a45f1286 100644 --- a/config.md +++ b/config.md @@ -886,7 +886,16 @@ Here is a full example `config.json` for reference. "rate": 300 } ] - } + }, + "vtpms": [ + { + "statePath": "/var/lib/runc/myvtpm1", + "vtpmVersion": "2", + "createCerts": false, + "runAs": "tss", + "pcrBanks": "sha1,sha512" + } + ] }, "rootfsPropagation": "slave", "seccomp": { diff --git a/schema/config-linux.json b/schema/config-linux.json index 98295c4cf..a1838e95b 100644 --- a/schema/config-linux.json 
+++ b/schema/config-linux.json @@ -40,6 +40,12 @@ "$ref": "defs-linux.json#/definitions/DeviceCgroup" } }, + "vtpms" : { + "type": "array", + "items": { + "$ref": "defs-linux.json#/definitions/VTPM" + } + }, "pids": { "type": "object", "properties": { diff --git a/schema/defs-linux.json b/schema/defs-linux.json index 8b34ca94b..c91c74256 100644 --- a/schema/defs-linux.json +++ b/schema/defs-linux.json @@ -140,6 +140,14 @@ "description": "minor device number", "$ref": "defs.json#/definitions/int64" }, + "TPMVersion": { + "description": "The TPM version", + "type": "string", + "enum": [ + "1.2", + "2" + ] + }, "FileMode": { "description": "File permissions mode (typically an octal value)", "type": "integer", @@ -233,6 +241,35 @@ } ] }, + "VTPM" : { + "type": "object", + "properties" : { + "statePath": { + "type": "string" + }, + "statePathIsManaged": { + "type": "boolean" + }, + "vtpmVersion": { + "$ref": "#/definitions/TPMVersion" + }, + "createCerts": { + "type": "boolean" + }, + "runAs": { + "type": "string" + }, + "pcrBanks": { + "type": "string" + }, + "encryptionPassword": { + "type": "string" + } + }, + "required": [ + "statePath" + ] + }, "DeviceCgroup": { "type": "object", "properties": { diff --git a/schema/test/config/good/spec-example.json b/schema/test/config/good/spec-example.json index a784d1d74..631de3f58 100644 --- a/schema/test/config/good/spec-example.json +++ b/schema/test/config/good/spec-example.json @@ -330,7 +330,25 @@ "rate": 300 } ] - } + }, + "vtpms": [ + { + "statePath": "/var/lib/runc/myvtpm1", + "vtpmVersion": "2", + "createCerts": false, + "runAs": "tss", + "pcrBanks": "sha1,sha512" + }, + { + "statePath": "/var/lib/runc/myvtpm2", + "statePathIsManaged": true, + "vtpmVersion": "1.2", + "createCerts": true, + "runAs": "root", + "pcrBanks": "sha1,sha512", + "encryptionPassword": "mysecret" + } + ] }, "rootfsPropagation": "slave", "seccomp": { diff --git a/specs-go/config.go b/specs-go/config.go index 08af67798..1d42f8970 100644 
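Review bot: The new `VTPM` definition types `statePathIsManaged` as `boolean`, but the config-linux.md hunk in this same patch documents it as *(string, OPTIONAL)*; the markdown line should say *(boolean, OPTIONAL)* so the three artefacts agree. `pcrBanks` is a comma-separated string while the spec's other list-valued properties are JSON arrays; `"pcrBanks": { "type": "array", "items": { "type": "string" } }` would let the schema validate the entries instead of leaving the split to the runtime. Unlike the neighbouring `TPMVersion` entry, none of the `VTPM` properties carry a `description`; `encryptionPassword` in particular deserves one that says it is a cleartext secret stored in config.json, so validators and editors surface that to the bundle author.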
--- a/specs-go/config.go
+++ b/specs-go/config.go
@@ -352,6 +352,24 @@ type LinuxRdma struct {
 HcaObjects *uint32 `json:"hcaObjects,omitempty"`
 }
+// LinuxVTPM for vTPM definition
+type LinuxVTPM struct {
+ // Path on host where vTPM writes state to
+ StatePath string `json:"statePath,omitempty"`
+ // Whether runc is allowed to delete the 'Statepath' once the TPM is destroyed
+ StatePathIsManaged bool `json:"statePathIsManaged,omitempty"`
+ // Version of the TPM that is emulated
+ TPMVersion string `json:"vtpmVersion,omitempty"`
+ // Whether to create certificates upon first start of vTPM
+ CreateCertificates bool `json:"createCerts,omitempty"`
+ // The PCR banks to enable
+ PcrBanks string `json:"pcrBanks,omitempty"`
+ // Under what user to run the vTPM process
+ RunAs string `json:"runAs,omitempty"`
+ // The password to derive the encryption key from
+ EncryptionPassword string `json:"encryptionPassword,omitempty"`
+}
+
 // LinuxResources has container runtime resource constraints
 type LinuxResources struct {
 // Devices configures the device whitelist.
@@ -372,6 +390,8 @@ type LinuxResources struct {
 // Limits are a set of key value pairs that define RDMA resource limits,
 // where the key is device name and value is resource limits.
 Rdma map[string]LinuxRdma `json:"rdma,omitempty"`
+ // VTPM configuration
+ VTPMs []LinuxVTPM `json:"vtpms,omitempty"`
 }
 // LinuxDevice represents the mknod information for a Linux special device file
From 4621d9a7c60841b7eb5daf20ef7c6b6e878bc36c Mon Sep 17 00:00:00 2001 From: Stefan Berger Date: Mon, 6 Jul 2020 14:50:04 -0400 Subject: [PATCH 2/2] Add Devpath to LinuxDevice for different dev path on host and container This extension of LinuxDevice adds support for making a device available under a different path than it is seen on the host. The device path on the host may for example be /dev/foo and it may be made available under /dev/bar inside a container.
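Review bot: `StatePath` is tagged `omitempty` and its comment does not say it is required, while schema/defs-linux.json in this patch lists `statePath` under `required` and config-linux.md marks it REQUIRED; the required `LinuxDevice.Path` in this file carries a plain `json:"path"` tag, so `StatePath string \`json:"statePath"\`` with the comment `// StatePath is the unique host path where the vTPM writes its state (REQUIRED).` would match that convention. The comment on `StatePathIsManaged` refers to `'Statepath'`, which is not the field's name. `EncryptionPassword` holds a cleartext secret that lands wherever this struct is serialized, starting with config.json itself; its comment should say so, e.g. `// EncryptionPassword is the cleartext password the state-encryption key is derived from; it is stored as-is in the serialized config.`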
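Review bot: `// VTPM configuration` on the new `VTPMs` field says less than the neighbouring comments (`Rdma` documents what its keys and values are); `// VTPMs lists the emulated TPMs to make available to the container; see LinuxVTPM.` would match the file's style. The `LinuxResources` struct begins outside the hunk.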
Signed-off-by: Stefan Berger
---
 specs-go/config.go | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/specs-go/config.go b/specs-go/config.go
index 1d42f8970..ac597b90e 100644
--- a/specs-go/config.go
+++ b/specs-go/config.go
@@ -398,6 +398,8 @@ type LinuxResources struct {
 type LinuxDevice struct {
 // Path to the device.
 Path string `json:"path"`
+ // Path of passed-through device on host
+ Devpath string `json:"devpath"`
 // Device type, block, char, etc.
 Type string `json:"type"`
 // Major is the device's major number.
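Review bot: `Devpath` is tagged `json:"devpath"` without `omitempty`, although the commit message describes it as an optional alternative to `Path`; every serialized `LinuxDevice` will therefore carry `"devpath": ""`, and the diffstat shows neither schema/ nor config-linux.md was updated to define the key. `Devpath string \`json:"devpath,omitempty"\`` plus a comment that says which side each path is on, `// Devpath is the device's path on the host when it differs from Path (the path inside the container); OPTIONAL.`, would also remove the ambiguity between the two "Path ..." comments. Because a runtime honouring this field creates the device from a host path chosen by the bundle author, the spec text should state what a runtime is expected to check before using it (an absolute path, resolved on the host side) rather than leaving that implicit. Go naming would spell it `DevPath`, but since the field is exported a rename is a larger change than this patch.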