Add vTPM specification

Add the vTPM specification to the documentation, config.go, and schema description. The following is an example of a vTPM description that is found under the path /linux/resources/vtpms: "vtpms": [ { "Statepath": "/tmp/tpm12_1_ubuntu", "VTPMVersion": "1.2", "CreateCertificates" : false } ] Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
opencontainers · Sep 8, 2017 · e8213b4 · e8213b4
1 parent a89dd9d
commit e8213b4
Show file tree

Hide file tree

Showing 6 changed files with 85 additions and 2 deletions.
diff --git a/config-linux.md b/config-linux.md
@@ -384,6 +384,31 @@ The following parameters can be specified to set up the controller:
     }
 ```
 
+## <a name="configLinuxVTPMs" />vTPMs
+
+**`vtpms`** (array of objects, OPTIONAL) lists a number of emulated TPMs that
+will be made available to the container.
+
+Each entry has the following structure:
+
+* **`Statepath`** *(string, REQUIRED)* - full path to a directory where the vTPM is to write its persistent state into
+* **`VTPMVersion`** *(string, OPTIONAL)* - The version of TPM to emulate; either 1.2 or 2; default is 1.2
+* **`CreateCertificates`** *(boolean, OPTIONAL)* - Whether to create certificates for the vTPM
+
+The `Statepath` MUST be unique per container.
+
+### Example
+
+```json
+    "vtpms": [
+        {
+            "Statepath": "/var/run/runc/ubuntu/tpm12_1",
+            "VTPMVersion": "1.2",
+            "CreateCertificates": false
+        }
+    ]
+```
+
 ### <a name="configLinuxHugePageLimits" />Huge page limits
 
 **`hugepageLimits`** (array of objects, OPTIONAL) represents the `hugetlb` controller which allows to limit the

diff --git a/config.md b/config.md
@@ -772,7 +772,14 @@ Here is a full example `config.json` for reference.
                         "rate": 300
                     }
                 ]
-            }
+            },
+            "vtpms": [
+                {
+                    "Statepath": "/var/run/runc/ubuntu/tpm12_1",
+                    "VTPMVersion": "1.2",
+                    "CreateCertificates": false
+                }
+            ]
         },
         "rootfsPropagation": "slave",
         "seccomp": {

diff --git a/schema/config-linux.json b/schema/config-linux.json
@@ -47,6 +47,13 @@
                             "$ref": "defs-linux.json#/definitions/DeviceCgroup"
                         }
                     },
+                    "vtpms" : {
+                        "id": "https://opencontainers.org/schema/bundle/linux/resources/vtpms",
+                        "type": "array",
+                        "items": {
+                            "$ref": "defs-linux.json#/definitions/VTPM"
+                        }
+                    },
                     "pids": {
                         "id": "https://opencontainers.org/schema/bundle/linux/resources/pids",
                         "type": "object",

diff --git a/schema/defs-linux.json b/schema/defs-linux.json
@@ -109,6 +109,14 @@
             "description": "minor device number",
             "$ref": "defs.json#/definitions/int64"
         },
+        "TPMVersion": {
+            "description": "The TPM version",
+            "type": "string",
+            "enum": [
+                "1.2",
+                "2"
+            ]
+        },
         "FileMode": {
             "description": "File permissions mode (typically an octal value)",
             "type": "integer",
@@ -202,6 +210,23 @@
                 }
             ]
         },
+        "VTPM" : {
+            "type": "object",
+            "properties" : {
+                "Statepath": {
+                    "type": "string"
+                },
+                "VTPMVersion": {
+                    "$ref": "#/definitions/TPMVersion"
+                },
+                "CreateCertificates": {
+                    "type": "boolean"
+                }
+            },
+            "required": [
+                "Statepath"
+            ]
+        },
         "DeviceCgroup": {
             "type": "object",
             "properties": {

diff --git a/schema/test/config/good/spec-example.json b/schema/test/config/good/spec-example.json
@@ -303,7 +303,14 @@
                         "rate": 300
                     }
                 ]
-            }
+            },
+            "vtpms": [
+                {
+                    "Statepath": "/var/run/runc/ubuntu/tpm12_1",
+                    "VTPMVersion": "1.2",
+                    "CreateCertificates": false
+                }
+            ]
         },
         "rootfsPropagation": "slave",
         "seccomp": {

diff --git a/specs-go/config.go b/specs-go/config.go
@@ -161,6 +161,8 @@ type Linux struct {
 	// IntelRdt contains Intel Resource Director Technology (RDT) information
 	// for handling resource constraints (e.g., L3 cache) for the container
 	IntelRdt *LinuxIntelRdt `json:"intelRdt,omitempty"`
+	// VTPM configuration
+	VTPMS []*VTPM `json:"vtpms"`
 }
 
 // LinuxNamespace is the configuration for a Linux namespace
@@ -568,3 +570,13 @@ type LinuxIntelRdt struct {
 	// Format: "L3:<cache_id0>=<cbm0>;<cache_id1>=<cbm1>;..."
 	L3CacheSchema string `json:"l3CacheSchema,omitempty"`
 }
+
+// VTPM is used to hold the configuration state of a VTPM
+type VTPM struct {
+	// The directory where the TPM emulator writes the TPM state to
+	Statepath string `json:"statepath"`
+	// Whether to create a certificate for the VTPM
+	Createcerts bool `json:"createcerts"`
+	// Version of the TPM
+	Vtpmversion string `json:"vtpmversion"`
+}