vTPM: support KVM and VMware

[weizhouapache]

Description

This PR adds the vTPM support for VMs on KVM and VMware.

Trusted Platform Module (TPM) is a standard for a secure cryptoprocessor, which can securely store artifacts used to authenticate the platform, including passwords, certificates, or encryption keys. TPM is required by recent Windows releases.

Virtual Trusted Platform Module (vTPM) is the software-based representation of physical TPM. CloudStack supports vTPM for instances running on KVM and VMware since 4.20.1.0 .

• Boot type and boot mode

On Vmware, the boot type must be set to UEFI. Boot mode can be SECURE (recommended) or LEGACY.
On KVM, it is recommended to set boot type to UEFI, and boot mode to SECURE. UEFI is required for some Windows versions.

• For VMs and templates on KVM

• Improvement: Support CPU mode/model for VMs on KVM (root admin only)

• For VMs and templates on VMware

Please note, need to configure a Native Key Provider on vSphere vCenter.
Refer to https://www.youtube.com/watch?v=zIynD5sJOcA&ab_channel=VMwareDocs

Doc PR: apache/cloudstack-documentation#490

Types of changes

• Breaking change (fix or feature that would cause existing functionality to change)
• New feature (non-breaking change which adds functionality)
• Bug fix (non-breaking change which fixes an issue)
• Enhancement (improves an existing feature and functionality)
• Cleanup (Code refactoring and cleanup, that may add test cases)
• build/CI
• test (unit or integration test code)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

• Major
• Minor

Bug Severity

• BLOCKER
• Critical
• Major
• Minor
• Trivial

Screenshots (if appropriate):

How Has This Been Tested?

How did you try to break this feature and the system with this change?

[codecov]

Codecov Report

Attention: Patch coverage is 76.78571% with 26 lines in your changes missing coverage. Please review.

Project coverage is 16.03%. Comparing base (54c1f92) to head (8bfd8f8).
Report is 39 commits behind head on 4.20.

Files with missing lines	Patch %	Lines
...oud/hypervisor/vmware/resource/VmwareResource.java	76.31%	6 Missing and 3 partials ⚠️
...om/cloud/hypervisor/kvm/resource/LibvirtVMDef.java	85.71%	5 Missing and 2 partials ⚠️
...ervisor/kvm/resource/LibvirtComputingResource.java	66.66%	2 Missing and 4 partials ⚠️
...ain/java/com/cloud/api/query/QueryManagerImpl.java	20.00%	4 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##               4.20   #10543      +/-   ##
============================================
+ Coverage     16.00%   16.03%   +0.02%     
- Complexity    13103    13130      +27     
============================================
  Files          5651     5652       +1     
  Lines        495841   496032     +191     
  Branches      60045    60067      +22     
============================================
+ Hits          79373    79533     +160     
- Misses       407606   407626      +20     
- Partials       8862     8873      +11     

Flag	Coverage Δ
uitests	4.00% <ø> (-0.01%)	⬇️
unittests	16.87% <76.78%> (+0.02%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[weizhouapache]

@blueorangutan package

[blueorangutan]

@weizhouapache a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 12735

[weizhouapache]

@blueorangutan test

[blueorangutan]

@weizhouapache a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

[blueorangutan]

[SF] Trillian test result (tid-12651)
Environment: kvm-ol8 (x2), Advanced Networking with Mgmt server ol8
Total time taken: 57257 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr10543-t12651-kvm-ol8.zip
Smoke tests completed. 139 look OK, 2 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File
ContextSuite context=TestClusterDRS>:setup	Error	0.00	test_cluster_drs.py
ContextSuite context=TestSharedNetworkWithConfigDrive>:setup	Error	1521.42	test_network.py

[weizhouapache]

@blueorangutan package

[blueorangutan]

@weizhouapache a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 12765

[DaanHoogland]

@blueorangutan test

[blueorangutan]

@DaanHoogland a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

[blueorangutan]

[SF] Trillian Build Failed (tid-12680)

[DaanHoogland]

clgtm

[rohityadavcloud]

Didn't test this, but LGTM overall. Probably the admin can set this on a template, which are then copied to the instances? Any security or other issues, if the end-user is able to add/edit/change this for their instances?

[weizhouapache]

Didn't test this, but LGTM overall. Probably the admin can set this on a template, which are then copied to the instances? Any security or other issues, if the end-user is able to add/edit/change this for their instances?

thanks @rohityadavcloud , good point

the vm details items and values are also populated when update template settings.

no extra changes required.

there is no settings for ISOes.

[blueorangutan]

[SF] Trillian Build Failed (tid-12734)

[blueorangutan]

[SF] Trillian Build Failed (tid-12741)

[weizhouapache]

@blueorangutan package

[blueorangutan]

@weizhouapache a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✖️ el8 ✖️ el9 ✔️ debian ✖️ suse15. SL-JID 12812

[blueorangutan]

[SF] Trillian test result (tid-12720)
Environment: kvm-ol9 (x2), Advanced Networking with Mgmt server ol9
Total time taken: 61853 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr10543-t12720-kvm-ol9.zip
Smoke tests completed. 138 look OK, 3 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File
test_02_deploy_vm_from_iso_uefi_legacy	Error	13.55	test_deploy_vm_iso_uefi.py
test_03_deploy_windows_vm_from_iso_uefi_legacy	Error	13.51	test_deploy_vm_iso_uefi.py
ContextSuite context=TestSharedNetworkWithConfigDrive>:setup	Error	1517.92	test_network.py
test_01_sys_vm_start	Failure	0.12	test_secondary_storage.py

[blueorangutan]

[SF] Trillian test result (tid-12718)
Environment: kvm-ol8 (x2), Advanced Networking with Mgmt server ol8
Total time taken: 64859 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr10543-t12718-kvm-ol8.zip
Smoke tests completed. 138 look OK, 3 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File
test_02_deploy_vm_from_iso_uefi_legacy	Error	11.55	test_deploy_vm_iso_uefi.py
test_03_deploy_windows_vm_from_iso_uefi_legacy	Error	11.52	test_deploy_vm_iso_uefi.py
test_03_deploy_and_scale_kubernetes_cluster	Failure	231.97	test_kubernetes_clusters.py
ContextSuite context=TestSharedNetworkWithConfigDrive>:setup	Error	1520.19	test_network.py

[blueorangutan]

[SF] Trillian test result (tid-12727)
Environment: kvm-debian12 (x2), Advanced Networking with Mgmt server d12
Total time taken: 58694 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr10543-t12727-kvm-debian12.zip
Smoke tests completed. 139 look OK, 2 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File
ContextSuite context=TestSharedNetworkWithConfigDrive>:setup	Error	1520.02	test_network.py
test_oobm_multiple_mgmt_server_ownership	Failure	30.74	test_outofbandmanagement.py

[weizhouapache]

@blueorangutan package

[blueorangutan]

@weizhouapache a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 12818

[blueorangutan]

[SF] Trillian test result (tid-12736)
Environment: kvm-debian12 (x2), Advanced Networking with Mgmt server d12
Total time taken: 61732 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr10543-t12736-kvm-debian12.zip
Smoke tests completed. 139 look OK, 2 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File
ContextSuite context=TestSharedNetworkWithConfigDrive>:setup	Error	1520.90	test_network.py
test_oobm_multiple_mgmt_server_ownership	Failure	31.75	test_outofbandmanagement.py

[blueorangutan]

[SF] Trillian test result (tid-12746)
Environment: kvm-ubuntu24 (x2), Advanced Networking with Mgmt server u24
Total time taken: 55191 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr10543-t12746-kvm-ubuntu24.zip
Smoke tests completed. 139 look OK, 2 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File
test_08_arping_in_ssvm	Failure	5.24	test_diagnostics.py
test_09_arping_in_cpvm	Failure	5.26	test_diagnostics.py
test_oobm_multiple_mgmt_server_ownership	Failure	30.77	test_outofbandmanagement.py

[blueorangutan]

[SF] Trillian test result (tid-12747)
Environment: kvm-ol9 (x2), Advanced Networking with Mgmt server ol9
Total time taken: 55938 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr10543-t12747-kvm-ol9.zip
Smoke tests completed. 141 look OK, 0 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File

[blueorangutan]

[SF] Trillian test result (tid-12748)
Environment: vmware-70u3 (x2), Advanced Networking with Mgmt server ol8
Total time taken: 64190 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr10543-t12748-vmware-70u3.zip
Smoke tests completed. 136 look OK, 5 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File
test_01_events_resource	Error	356.92	test_events_resource.py
test_04_deploy_vm_for_other_user_and_test_vm_operations	Error	117.67	test_network_permissions.py
ContextSuite context=TestSharedNetworkWithConfigDrive>:setup	Error	1520.84	test_network.py
test_02_restore_vm_with_disk_offering	Error	94.13	test_restore_vm.py
test_03_restore_vm_with_disk_offering_custom_size	Error	62.57	test_restore_vm.py
test_02_restore_vm_strict_tags_failure	Error	61.64	test_vm_strict_host_tags.py

[sureshanaparti]

@weizhouapache will this impact any VMs in existing deployments with these settings?

[weizhouapache]

These two settings have no impact in older versions, but are only available for root admin with this PR (because I think the host CPU is sensitive information).

I think it is better to remove them during upgrade. Otherwise user can add the settings before upgrade, and get the Host CPU after upgrade.

[sureshanaparti]

can non-admin user deploy vTPM enabled instance without these settings? any other way for the normal user to provide these options, from service offering, etc?

[weizhouapache]

Currently no.
I am thinking of adding global/domain/account settings for both.

[weizhouapache]

oh, wait, these settings are also available for templates. But again, only available for admin. I will test it

[weizhouapache]

yes, these two settings are available for templates.
but only root admin can add

[weizhouapache]

@blueorangutan package

[blueorangutan]

@weizhouapache a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 12915