Tpm support #339
Tpm support #339
Conversation
|
|
There was a problem hiding this comment.
Hi @ccravens,
Thanks for the PR! The code overall looks good to me, I left a couple of nitpicks on the docs and the changes to the code documentation, while linting is appreciated, in this case since it is intertwined with the proposed enhancement, I think this is detrimental to the comprehension of the change, and therefore suggest that this is moved to a separate PR so we can independently take a look at it.
Aside from that, I see that the ebs builder is left out of this PR, I presume since it does not use the RegisterAMI API call to finalise the AMI creation. This is not the first time a feature is left out for this specific builder unfortunately, I think we should track this work independently, and refactor the logic for all builders so they're on an equal footing regarding this method to create AMIs.
If anything regarding testing, while this won't work locally completely, I would suggest adding an acceptance test to ensure the feature works as expected. We don't have anything for builders like chroot or instance, but we do have an acceptance test structure for ebssurrogate.
Since this involves creating resources (and using IAM roles that are permissive in the environment tests are run), I understand if this is not something you want to do, in this case let me know, and I will take some time to do this in the coming days.
Pre-approving the PR for a later merge, I will circle back on it when you have addressed my comments.
Thanks again for the contribution!
| @@ -159,6 +159,10 @@ | |||
| more information. Defaults to `legacy-bios` when `ami_architecture` is `x86_64` and | |||
| `uefi` when `ami_architecture` is `arm64`. | |||
|
|
|||
| - `tpm_support` (string) - The TPM Support mode. Valid options are `v2.0`. See the documentation on | |||
There was a problem hiding this comment.
The doc snippet looks good to me, for completeness I'd suggest adding this to all the builders that support the feature, so in addition to the chroot builder, the ebssurrogate and the instance builder docs should add this to their sections.
| @@ -50,6 +50,7 @@ type Config struct { | |||
| Format string `mapstructure:"format"` | |||
| Architecture string `mapstructure:"architecture"` | |||
| BootMode string `mapstructure:"boot_mode"` | |||
| TpmSupport string `mapstructure:"tpm_support"` | |||
There was a problem hiding this comment.
This is added to the post-processor here, but I don't see the related step being updated, is this voluntary?
| // encrypted = true | ||
| // kms_key_id = "1a2b3c4d-5e6f-1a2b-3c4d-5e6f1a2b3c4d" | ||
| // } | ||
| // |
There was a problem hiding this comment.
While I generally am not against using a linter for cleaning-up files, in this case, updating the documentation feels out of the scope of this PR, and makes the diff harder to read.
Could you please leave the doc changes out of this PR? If you think they are relevant, maybe open a separate PR for us to review, so this doesn't become a blocker for this one?
|
Superseded by #379 |
Adding AWS NitroTPM support to AMI. More information can be found here:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/enable-nitrotpm-support-on-ami.html
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/enable-nitrotpm-prerequisites.html
There is a flag that is not currently supported by the Packer AMI Builder:
--tpm-support v2.0This update is meant to resolve that. I am not a packer plugin developer, but added what I believe to be the basic necessary code and tried my best to maintain the compatibility of the code based on the other options that are currently there. I want to see this feature as soon as possible so if there are updates that need to be made please let me know.
Both
go buildandmake devseem to work.Testing results in the following output:
Closes #314