From e8213b41565988fb9dc690d3b2762e7cc5280dc3 Mon Sep 17 00:00:00 2001
From: Stefan Berger
Date: Fri, 8 Sep 2017 20:40:51 +0200
Subject: [PATCH] Add vTPM specification
Add the vTPM specification to the documentation, config.go, and schema description. The following is an example of a vTPM description that is found under the path /linux/resources/vtpms: "vtpms": [ { "Statepath": "/tmp/tpm12_1_ubuntu", "VTPMVersion": "1.2", "CreateCertificates" : false } ]
Signed-off-by: Stefan Berger
---
 config-linux.md | 25 +++++++++++++++++++++++
 config.md | 9 +++++++-
 schema/config-linux.json | 7 +++++++
 schema/defs-linux.json | 25 +++++++++++++++++++++++
 schema/test/config/good/spec-example.json | 9 +++++++-
 specs-go/config.go | 12 +++++++++++
 6 files changed, 85 insertions(+), 2 deletions(-)
diff --git a/config-linux.md b/config-linux.md
index 2cb1ff81a..97b168879 100644
--- a/config-linux.md
+++ b/config-linux.md
@@ -384,6 +384,31 @@ The following parameters can be specified to set up the controller:
 }
 ```
+## vTPMs
+
+**`vtpms`** (array of objects, OPTIONAL) lists a number of emulated TPMs that
+will be made available to the container.
+
+Each entry has the following structure:
+
+* **`Statepath`** *(string, REQUIRED)* - full path to a directory where the vTPM is to write its persistent state into
+* **`VTPMVersion`** *(string, OPTIONAL)* - The version of TPM to emulate; either 1.2 or 2; default is 1.2
+* **`CreateCertificates`** *(boolean, OPTIONAL)* - Whether to create certificates for the vTPM
+
+The `Statepath` MUST be unique per container.
+
+### Example
+
+```json
+ "vtpms": [
+ {
+ "Statepath": "/var/run/runc/ubuntu/tpm12_1",
+ "VTPMVersion": "1.2",
+ "CreateCertificates": false
+ }
+ ]
+```
+
 ### Huge page limits
 **`hugepageLimits`** (array of objects, OPTIONAL) represents the `hugetlb` controller which allows to limit the
diff --git a/config.md b/config.md
index 46937051b..497ca099c 100644
--- a/config.md
+++ b/config.md
@@ -772,7 +772,14 @@ Here is a full example `config.json` for reference.
 "rate": 300
 }
 ]
- }
+ },
+ "vtpms": [
+ {
+ "Statepath": "/var/run/runc/ubuntu/tpm12_1",
+ "VTPMVersion": "1.2",
+ "CreateCertificates": false
+ }
+ ]
 },
 "rootfsPropagation": "slave",
 "seccomp": {
diff --git a/schema/config-linux.json b/schema/config-linux.json
index 83a562677..422c5caf7 100644
--- a/schema/config-linux.json
+++ b/schema/config-linux.json
@@ -47,6 +47,13 @@
 "$ref": "defs-linux.json#/definitions/DeviceCgroup"
 }
 },
+ "vtpms" : {
+ "id": "https://opencontainers.org/schema/bundle/linux/resources/vtpms",
+ "type": "array",
+ "items": {
+ "$ref": "defs-linux.json#/definitions/VTPM"
+ }
+ },
 "pids": {
 "id": "https://opencontainers.org/schema/bundle/linux/resources/pids",
 "type": "object",
diff --git a/schema/defs-linux.json b/schema/defs-linux.json
index 4d9620a4a..2c2bfbff4 100644
--- a/schema/defs-linux.json
+++ b/schema/defs-linux.json
@@ -109,6 +109,14 @@
 "description": "minor device number",
 "$ref": "defs.json#/definitions/int64"
 },
+ "TPMVersion": {
+ "description": "The TPM version",
+ "type": "string",
+ "enum": [
+ "1.2",
+ "2"
+ ]
+ },
 "FileMode": {
 "description": "File permissions mode (typically an octal value)",
 "type": "integer",
@@ -202,6 +210,23 @@
 }
 ]
 },
+ "VTPM" : {
+ "type": "object",
+ "properties" : {
+ "Statepath": {
+ "type": "string"
+ },
+ "VTPMVersion": {
+ "$ref": "#/definitions/TPMVersion"
+ },
+ "CreateCertificates": {
+ "type": "boolean"
+ }
+ },
+ "required": [
+ "Statepath"
+ ]
+ },
 "DeviceCgroup": {
 "type": "object",
 "properties": {
diff --git a/schema/test/config/good/spec-example.json b/schema/test/config/good/spec-example.json
index c7db729bd..2a9e6eeeb 100644
--- a/schema/test/config/good/spec-example.json
+++ b/schema/test/config/good/spec-example.json
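Review bot: In the `VTPM` definition `Statepath` is listed under `required` but its only constraint is `"type": "string"`, so an empty string or a relative path passes validation even though the documentation in this patch calls it a full path that the runtime will write persistent state into. Since the schema is the one place a malformed bundle is rejected before a runtime acts on a host path, tighten it to `"Statepath": { "type": "string", "pattern": "^/" }` (or at minimum `"minLength": 1`). The property names `Statepath`, `VTPMVersion` and `CreateCertificates` are also capitalised while the neighbouring keys in this schema (`vtpms`, `pids`) and the Go tags elsewhere in this patch (`intelRdt`, `l3CacheSchema`) are camelCase; schema matching is case-sensitive, and the Go struct added in this same patch tags the fields `statepath`/`createcerts`/`vtpmversion`, which would not satisfy this `required` list. Whichever spelling is kept, the schema, the documentation and the Go tags need to agree. Note that even a validated path is chosen by whoever writes the bundle, so a runtime consuming it presumably still has to check it is not inside a location the container can influence; the schema cannot express that.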
@@ -303,7 +303,14 @@
 "rate": 300
 }
 ]
- }
+ },
+ "vtpms": [
+ {
+ "Statepath": "/var/run/runc/ubuntu/tpm12_1",
+ "VTPMVersion": "1.2",
+ "CreateCertificates": false
+ }
+ ]
 },
 "rootfsPropagation": "slave",
 "seccomp": {
diff --git a/specs-go/config.go b/specs-go/config.go
index 71c9fa773..65b0ab57a 100644
--- a/specs-go/config.go
+++ b/specs-go/config.go
@@ -161,6 +161,8 @@ type Linux struct {
 // IntelRdt contains Intel Resource Director Technology (RDT) information
 // for handling resource constraints (e.g., L3 cache) for the container
 IntelRdt *LinuxIntelRdt `json:"intelRdt,omitempty"`
+ // VTPM configuration
+ VTPMS []*VTPM `json:"vtpms"`
 }
 // LinuxNamespace is the configuration for a Linux namespace
@@ -568,3 +570,13 @@ type LinuxIntelRdt struct {
 // Format: "L3:=;=;..."
 L3CacheSchema string `json:"l3CacheSchema,omitempty"`
 }
+
+// VTPM is used to hold the configuration state of a VTPM
+type VTPM struct {
+ // The directory where the TPM emulator writes the TPM state to
+ Statepath string `json:"statepath"`
+ // Whether to create a certificate for the VTPM
+ Createcerts bool `json:"createcerts"`
+ // Version of the TPM
+ Vtpmversion string `json:"vtpmversion"`
+}
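Review bot: The new `VTPMS` field is added to `Linux` (the hunk header and the `IntelRdt` context line show the enclosing struct), so Go will serialise it at `linux.vtpms`, whereas the schema id in this patch (`.../linux/resources/vtpms`), the commit message and both JSON examples place the array inside `linux.resources`; a config that validates against the schema would never populate this field. The field belongs on `LinuxResources`, which is defined outside this hunk. It is also the only field in the struct without `omitempty`, so every marshalled config gains a `"vtpms": null` member; change the line to `VTPMs []*VTPM` with tag `json:"vtpms,omitempty"`, which also follows Go's initialism convention. The comment `// VTPM configuration` should say what the slice holds, e.g. `// VTPMs lists the emulated TPMs to be made available to the container.`, matching the neighbouring doc comments.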
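Review bot: The JSON tags on `VTPM` (`statepath`, `createcerts`, `vtpmversion`) do not match the keys this patch documents and validates (`Statepath`, `VTPMVersion`, `CreateCertificates`): encoding/json matches tags case-insensitively, so `Statepath` still loads, but `CreateCertificates` and `VTPMVersion` differ in spelling rather than case and are silently dropped on unmarshal, so a bundle asking for certificates or a TPM 2 would be loaded with the zero-value defaults and the spec-example.json test would not catch it. Align the tags with the schema keys (and add `omitempty` like every other field in the file), rename the fields to `StatePath`, `CreateCerts` and `VTPMVersion`, and document the accepted values and default for the version since the Go type cannot enforce the schema's `"1.2"`/`"2"` enum. If the keys are later switched to camelCase for consistency with the rest of the spec, the tags follow the schema, not the other way round.

```go
// VTPM describes one emulated TPM to be made available to the container.
type VTPM struct {
	// StatePath is the host directory the TPM emulator writes its persistent state to.
	// Presumably must be an absolute path that the container cannot influence — confirm in the runtime.
	StatePath string `json:"Statepath"`
	// CreateCerts requests that certificates be created for the vTPM.
	CreateCerts bool `json:"CreateCertificates,omitempty"`
	// VTPMVersion is the TPM version to emulate: "1.2" (default when empty) or "2".
	VTPMVersion string `json:"VTPMVersion,omitempty"`
}
```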