Add support for emulated virtual TPM

Registered by Chris Friesen

There is a class of applications that expect to use a TPM device to store
secrets. In order to run these applications in a virtual machine, it would be
useful to expose a virtual TPM device within the guest. Accordingly, the
suggestion is to add a placement resource that could be requested in the
flavor and that would cause such a device to be added to the VM.

Blueprint information

Status: Complete
Approver: Stephen Finucane
Priority: Low
Drafter: Eric Fried
Direction: Approved
Assignee: Stephen Finucane
Definition: Approved
Series goal: Accepted for victoria
Implementation: Implemented
Milestone target: victoria-3
Started by: melanie witt
Completed by: Balazs Gibizer

Related branches

Sprints

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:bp/add-emulated-virtual-tpm,n,z

Addressed by: https://review.openstack.org/571111
    Add support for emulated virtual TPM

Approved for Stein. -- mriedem 20181106

Addressed by: https://review.openstack.org/631363
    Add emulated TPM support to Nova

Addressed by: https://review.openstack.org/639933
    Split up _is_storage_shared_with() in libvirt driver

Addressed by: https://review.openstack.org/639934
    Add support for resize and cold migration of emulated TPM files

Addressed by: https://review.openstack.org/641932
    Add emulated TPM support to Nova -- testcase test only

This did not complete in the Stein release so I am deferring to the Train release. Remember to re-propose the spec for Train as necessary: https://specs.openstack.org/openstack/nova-specs/readme.html#previously-approved-specifications -- mriedem 20190311

Addressed by: https://review.openstack.org/649463
    Re-propose emulated virtual TPM spec to train

efried 20190402 Fast-approved for train, spec unchanged

Gerrit topic: https://review.opendev.org/#/q/topic:bp/add-emulated-virtual-tpm

Addressed by: https://review.opendev.org/631363
    Add emulated TPM support to Nova

Addressed by: https://review.opendev.org/639934
    Add support for resize and cold migration of emulated TPM files

Addressed by: https://review.opendev.org/678325
    WIP: vTPM request_filter

Gerrit topic: https://review.opendev.org/#/q/topic:bp/add-emulated-virtual-tpm-patch25

[efried 20190905] This has seen no activity, and we're a week from feature freeze, so I'm deferring it to ussuri.

[efried 20191004] Reopening for Ussuri, changing ownership from cfriesen to efried.

Addressed by: https://review.opendev.org/686804
    WIP: Spec: Ussuri: Emulated Virtual TPM

[efried 20200114] Setting Definition:Approved as the spec has merged.

[efried 20200220] Agreed in the Nova meeting to Direction:Approve all Definition:Approved blueprints http://eavesdrop.openstack.org/meetings/nova/2020/nova.2020-02-20-14.00.log.html#l-131

[efried 20200220] Stephen has agreed to take over the implementation for Ussuri.

[gibi 20200414] we hit feature freeze in Ussuri, so it is deferred to Victoria

Addressed by: https://review.opendev.org/728505
    Encrypted Emulated Virtual TPM

Addressed by: https://review.opendev.org/730382
    virt: Add 'context', drop 'network_info' parameters for 'unrescue'

Addressed by: https://review.opendev.org/739207
    crypto: Add type hints

Addressed by: https://review.opendev.org/739208
    libvirt: Split '_create_domain' function

Addressed by: https://review.opendev.org/739209
    libvirt: Add vTPM config support

Addressed by: https://review.opendev.org/739210
    scheduler: Request vTPM trait based on flavor or image

Addressed by: https://review.opendev.org/739211
    crypto: Add support for creating, destroying vTPM secrets

Addressed by: https://review.opendev.org/739212
    manager: Prevent compute startup on invalid vTPM config

Addressed by: https://review.opendev.org/739213
    docs: Add docs for vTPM support

Addressed by: https://review.opendev.org/739996
    utils: Move 'get_bdm_image_metadata' to nova.block_device

Addressed by: https://review.opendev.org/740334
    libvirt: Re-enable live snapshot for paused instances

Addressed by: https://review.opendev.org/740335
    libvirt: Remove workaround for really old QEMU

Addressed by: https://review.opendev.org/740336
    WIP: Attempt to restore some sanity to snapshot

Addressed by: https://review.opendev.org/740464
    tests: Rename tests for '_create_guest_with_network'

Addressed by: https://review.opendev.org/740945
    libvirt: Use better variable names for '_create_guest'

Addressed by: https://review.opendev.org/741280
    tests: Move single use constants to their callers

Addressed by: https://review.opendev.org/741281
    tests: Define constants in '_IntegratedTestBase'

Addressed by: https://review.opendev.org/741282
    tests: Remove 'test_servers.ServersTestBase'

Addressed by: https://review.opendev.org/741283
    tests: Add 'PlacementHelperMixin', 'PlacementInstanceHelperMixin'

Addressed by: https://review.opendev.org/741284
    tests: Make '_IntegratedTestBase' subclass 'PlacementInstanceHelperMixin'

Addressed by: https://review.opendev.org/741285
    tests: Add helpers for suspend, resume and reboot of server

Addressed by: https://review.opendev.org/741286
    libvirt: Pass context, instance to '_create_domain'

Addressed by: https://review.opendev.org/741500
    api: Reject non-spawn operations for vTPM

Addressed by: https://review.opendev.org/741995
    Don't unset Instance.old_flavor, new_flavor until necessary

Addressed by: https://review.opendev.org/742650
    trivial: Test object backporting against correct version

Addressed by: https://review.opendev.org/742651
    scheduler: Default request group to None

Addressed by: https://review.opendev.org/742863
    Add type hints to 'nova.compute.manager'

Addressed by: https://review.opendev.org/742864
    privsep: Add support for recursive chown, move_tree operations

Addressed by: https://review.opendev.org/742865
    Add type hints to 'nova.virt.libvirt.utils'

Addressed by: https://review.opendev.org/743204
    tests: Further usage of new server helpers

Addressed by: https://review.opendev.org/744158
    tests: Define constants in '_IntegratedTestBase'

Addressed by: https://review.opendev.org/744280
    [Trivial] Remove wrong format_message() conversion

Addressed by: https://review.opendev.org/747792
    tests: Add helpers for rebuild, cold migrate, and shelve/unshelve

Addressed by: https://review.opendev.org/748215
    releasenotes: Detail support for server ops with vTPM

Addressed by: https://review.opendev.org/750186
    Expand generic reproducer for bug #1879878

Addressed by: https://review.opendev.org/750187
    Set 'old_flavor', 'new_flavor' on source before resize

Addressed by: https://review.opendev.org/750675
    docs: Remove resize, cold migration from vTPM limitations

[2020-09-10 gibi]: implemented in Victoria


Work Items
