Add additional vTPM fields to the config to be able to run runtime in the container

Signed-off-by: Efim Verzakov <efimverzakov@gmail.com>

Author: everzakov

config-linux.md

@@ -592,13 +592,19 @@ The following parameters can be specified to set up the controller:
 Each entry has the following structure:
 
 * **`statePath`** *(string, REQUIRED)* - Unique path where vTPM writes its state into.
-* **`statePathIsManaged`** *(string, OPTIONAL)* - Whether runc is allowed to delete the TPM's state path upon destroying the TPM, defaults to false.
-* **`vtpmVersion`** *(string, OPTIONAL)* - The version of TPM to emulate, either 1.2 or 2, defaults to 1.2.
+* **`statePathIsManaged`** *(boolean, OPTIONAL)* - Whether runtime is not allowed to delete the TPM's state path upon destroying the TPM, e.g. if we do not want to recreate vTPM with the previous state. Defaults to false.
+* **`vtpmVersion`** *(string, OPTIONAL)* - The version of TPM to emulate, either 1.2 or 2, defaults to 2.
 * **`createCerts`** *(boolean, OPTIONAL)* - If true then create certificates for the vTPM, defaults to false.
-* **`runAs`** *(string, OPTIONAL)* - Under which user to run the vTPM, e.g.  'tss'.
+* **`runAs`** *(string, OPTIONAL)* - Under which user to run the vTPM, e.g. 'tss'.
 * **`pcrBanks`** *(string, OPTIONAL)* - Comma-separated list of PCR banks to activate, default depends on `swtpm`.
 * **`encryptionPassword`** *(string, OPTIONAL)* - Write state encrypted with a key derived from the password, defaults to not encrypted.
+* **`vtpmName`** *(string, REQUIRED)* - The name of vTPM device to emulate in the container. The devpath will have the format `/dev/tpm` + `vtpmName`. `vtpmName` should be unique among the container's `vtpms` devices.
 
+Note that some runtimes can use different commands to pass device in the container (e.g. bind if the container will be running in the non-default user namespace and mknod otherwise). Runtime can adopt a device path to the format `/dev/generated-host-path` + `vtpmName`. This can be essential if we want to create different containers with non-shared VTPM devices under the same device path.
+* **`vtpmMajor`** *(int64, OPTIONAL) - The major of vTPM device to emulate in the container. This is required when runtime is running in the container and tmpfs is mounted on `/dev` path.
+* **`vtpmMinor`** *(int64, OPTIONAL) - The minor of vTPM device to emulate in the container. This is required when runtime is running in the container and tmpfs is mounted on `/dev` path.
+
+Note that a vTPM device should be precreated with Endorsement Key Pair. Another main commands e.g. TakeOwnership for TPM 1.2 can be called in the createContainer hooks.
 #### Example
 
 ```json
@@ -610,7 +616,10 @@ Each entry has the following structure:
             "createCerts": false,
             "runAs": "tss",
             "pcrBanks": "sha1,sha512",
-            "encryptionPassword": "mysecret"
+            "encryptionPassword": "mysecret",
+            "vtpmName": "tpm0",
+            "vtpmMajor": 100,
+            "vtpmMinor": 1
         }
     ]
 ```

config.md

@@ -1083,7 +1083,10 @@ Here is a full example `config.json` for reference.
                     "vtpmVersion": "2",
                     "createCerts": false,
                     "runAs": "tss",
-                    "pcrBanks": "sha1,sha512"
+                    "pcrBanks": "sha1,sha512",
+                    "vtpmName": "tpm0",
+                    "vtpmMajor": 100,
+                    "vtpmMinor": 1
                 }
             ]
         },

schema/defs-linux.json

@@ -280,10 +280,20 @@
                 },
                 "encryptionPassword": {
                     "type": "string"
+                },
+                "vtpmName": {
+                    "type": "string"
+                },
+                "vtpmMajor": {
+                    "$ref": "#/definitions/Major"
+                },
+                "vtpmMinor": {
+                    "$ref": "#/definitions/Minor"
                 }
             },
             "required": [
-                "statePath"
+                "statePath",
+                "vtpmName"
             ]
         },
         "DeviceCgroup": {

schema/test/config/good/spec-example.json

@@ -352,7 +352,11 @@
                     "vtpmVersion": "2",
                     "createCerts": false,
                     "runAs": "tss",
-                    "pcrBanks": "sha1,sha512"
+                    "pcrBanks": "sha1,sha512",
+                    "encryptionPassword": "mysecret",
+                    "vtpmName": "tpm0",
+                    "vtpmMajor": 100,
+                    "vtpmMinor": 1
                 },
                 {
                     "statePath": "/var/lib/runc/myvtpm2",
@@ -361,7 +365,10 @@
                     "createCerts": true,
                     "runAs": "root",
                     "pcrBanks": "sha1,sha512",
-                    "encryptionPassword": "mysecret"
+                    "encryptionPassword": "mysecret",
+                    "vtpmName": "tpm1",
+                    "vtpmMajor": 101,
+                    "vtpmMinor": 1
                 }
             ]
         },

specs-go/config.go

@@ -460,7 +460,7 @@ type LinuxVTPM struct {
 	// Whether runc is allowed to delete the 'Statepath' once the TPM is destroyed
 	StatePathIsManaged bool `json:"statePathIsManaged,omitempty"`
 	// Version of the TPM that is emulated
-	TPMVersion string `json:"vtpmVersion,omitempty"`
+	VTPMVersion string `json:"vtpmVersion,omitempty"`
 	// Whether to create certificates upon first start of vTPM
 	CreateCertificates bool `json:"createCerts,omitempty"`
 	// The PCR banks to enable
@@ -469,6 +469,12 @@ type LinuxVTPM struct {
 	RunAs string `json:"runAs,omitempty"`
 	// The password to derive the encryption key from
 	EncryptionPassword string `json:"encryptionPassword,omitempty"`
+	// Name of the vtpm
+	VTPMName string `json:"vtpmName,omitempty"`
+	// Device's major to be created
+	VTPMMajor int64 `json:"vtpmMajor,omitempty"`
+	// Device's minor to be created
+	VTPMMinor int64 `json:"vtpmMinor,omitempty"`
 }
 
 // LinuxResources has container runtime resource constraints
@@ -493,7 +499,7 @@ type LinuxResources struct {
 	Rdma map[string]LinuxRdma `json:"rdma,omitempty"`
 	// Unified resources.
 	Unified map[string]string `json:"unified,omitempty"`
-	// VTPM configuration
+	// Linux VTPM configuration
 	VTPMs []LinuxVTPM `json:"vtpms,omitempty"`
 }