Enable/Disable vTPM based on the domain config
Description
This PR allows enabling/disabling vTPM based on the domain config. If the domain configuration has vTPM disabled, the domainmgr will not configure the vTPM device for the domain. By default, vTPM is enabled for all domains.
PR dependencies
Should go after ~https://github.com/lf-edge/eve-api/pull/103~ and ~https://github.com/lf-edge/eve-api/pull/104~
How to test and validate this PR
It needs implementation on the cloud controller; for now I tested it manually. If DisableVirtualTPM is not set, the VM runs with a vTPM instance as expected:
```
c7df7e00-fe37-446b-ac70-4a3602ba3307:~# ls -al /run/swtpm/*.pid
-rw-r--r-- 1 vtpm vtpm 2 Jun 26 09:23 /run/swtpm/5c1b092f-c2e9-41f8-821e-859d8c77e9b3.pid
c7df7e00-fe37-446b-ac70-4a3602ba3307:~# ps aux | grep swtpm
5348 vtpm 0:00 /usr/bin/swtpm socket --tpm2 --tpmstate dir=/persist/swtpm/tpm-state-5c1b092f-c2e9-41f8-821e-859d8c77e9b3,backup --ctrl type=unixio,path=/run/swtpm/5c1b092f-c2e9-41f8-821e-859d8c77e9b3.ctrl.sock,terminate --pid file=/run/swtpm/5c1b092f-c2e9-41f8-821e-859d8c77e9b3.pid --log level=3,truncate,file=/persist/swtpm/tpm-state-5c1b092f-c2e9-41f8-821e-859d8c77e9b3/swtpm.log --daemon --key file=/run/swtpm/5c1b092f-c2e9-41f8-821e-859d8c77e9b3.binkey,format=binary,mode=aes-256-cbc,remove=true
6772 root 0:00 grep swtpm
c7df7e00-fe37-446b-ac70-4a3602ba3307:~#
```
If DisableVirtualTPM is set, the VM runs without any vTPM instance and logs a warning:
```
c68c05c8-c918-4e46-8c67-b79e1cbca18a:~# ls -al /run/swtpm/*.pid
ls: /run/swtpm/*.pid: No such file or directory
c68c05c8-c918-4e46-8c67-b79e1cbca18a:~# ps aux | grep swtpm
5638 root 0:00 grep swtpm
c68c05c8-c918-4e46-8c67-b79e1cbca18a:~# logread | grep "vTPM is disabled"
2025-06-26T09:38:53.484708721Z;pillar.out;{"file":"/pillar/cmd/domainmgr/domainmgr.go:1760","func":"github.com/lf-edge/eve/pkg/pillar/cmd/domainmgr.doActivate","level":"warning","msg":"vTPM is disabled for 8f79e5ee-b32e-4cd8-b0ae-24e99f4b2a4d.1.1 by user request","pid":2255,"source":"domainmgr","time":"2025-06-26T09:38:53.484621642Z"}
c68c05c8-c918-4e46-8c67-b79e1cbca18a:~#
```
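The decision the description and the test output above illustrate, as an added example in Go that is not the PR's own code: a stand-in `DomainConfig` with the `DisableVirtualTPM` flag named in the text, the swtpm command line reconstructed from the `ps` output, and the warning text from the `logread` output. The struct, `swtpmArgs` and `vtpmCommand` are assumptions for this example, not EVE's domainmgr types or functions.

```go
package main

import (
	"fmt"
	"log"
)

// DomainConfig is a stand-in for the per-domain config fields this example
// needs (assumed shape; the flag name DisableVirtualTPM is the one named in
// the PR text). The zero value keeps vTPM enabled, matching the PR default.
type DomainConfig struct {
	DomainID          string // domain UUID used in swtpm paths
	DisableVirtualTPM bool   // set by the user to opt the domain out of a vTPM
}

// swtpmArgs reconstructs the swtpm invocation seen in the test output:
// TPM 2.0, state under /persist/swtpm with backup, control socket and pid
// file under /run/swtpm, and an AES-256-CBC state key that swtpm removes
// after reading it.
func swtpmArgs(id string) []string {
	stateDir := "/persist/swtpm/tpm-state-" + id
	return []string{
		"socket", "--tpm2",
		"--tpmstate", "dir=" + stateDir + ",backup",
		"--ctrl", "type=unixio,path=/run/swtpm/" + id + ".ctrl.sock,terminate",
		"--pid", "file=/run/swtpm/" + id + ".pid",
		"--log", "level=3,truncate,file=" + stateDir + "/swtpm.log",
		"--daemon",
		"--key", "file=/run/swtpm/" + id + ".binkey,format=binary,mode=aes-256-cbc,remove=true",
	}
}

// vtpmCommand applies the rule the PR describes: a domain gets a vTPM unless
// its config disables it. It returns the full swtpm command line, or nil and
// the warning text that the domainmgr log line shows when the user opted out.
func vtpmCommand(cfg DomainConfig) (args []string, warning string) {
	if cfg.DisableVirtualTPM {
		return nil, fmt.Sprintf("vTPM is disabled for %s by user request", cfg.DomainID)
	}
	return append([]string{"/usr/bin/swtpm"}, swtpmArgs(cfg.DomainID)...), ""
}

func main() {
	// Constructed sample: one default domain, one opted out (IDs from the test output).
	for _, cfg := range []DomainConfig{
		{DomainID: "5c1b092f-c2e9-41f8-821e-859d8c77e9b3"},
		{DomainID: "8f79e5ee-b32e-4cd8-b0ae-24e99f4b2a4d.1.1", DisableVirtualTPM: true},
	} {
		if args, warn := vtpmCommand(cfg); warn != "" {
			log.Println("warning:", warn)
		} else {
			fmt.Println(args)
		}
	}
}
```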
Changelog notes
Add support to enable or disable vTPM per domain via domain config, defaulting to enabled.
Checklist
- [x] I've provided a proper description
- [ ] I've added the proper documentation
- [x] I've tested my PR on amd64 device
- [ ] I've tested my PR on arm64 device
- [x] I've written the test verification instructions
- [x] I've set the proper labels to this PR
@shjala, only merge conflicts prevent me from merging the PR...
I thought I had resolved it :-/ maybe it was another conflict before the recent merges; anyway, it should be OK now.
Please fix the typo in the first commit message "pillar : update eve-api to DisbaleVtpm changes"
Other than that, LGTM
Fixed.
@OhmSpectator, compared to the last commit only the typo in the commit message is fixed, no code change.