dmacvicar / terraform-provider-libvirt

Terraform provider to provision infrastructure with Linux's KVM using libvirt
Apache License 2.0

TPM active PCR banks & domain firmware type #977

Open daniel-weisse opened 1 year ago

daniel-weisse commented 1 year ago

This PR comes in 2 parts

  1. Allow setting the active PCR banks of a domain's TPM

     This setting is currently missing from the TPM definition and causes some issues when using the TPM attestation functionality. This PR expands the TPM definition to allow users the choice of which PCR banks to set active.

  2. Allow choosing a domain's firmware type

     To make proper use of the TPM, e.g. measured-boot/secure-boot, we need EFI firmware. Correctly setting up EFI is currently a bit messy using the terraform provider since simply setting OS.Firmware is not supported. Using libvirt directly, one would simply define the following to achieve a functional EFI setup:

    <os firmware='efi'>
       ...
    </os>

    See the libvirt bootloader XML definition for more details.

    With this PR users can set a new option, firmware_type, to efi to achieve the same behavior.

    Personally, I would prefer renaming the current firmware option to the more appropriate loader, so we can simply name the new firmware_type option firmware. But I am not sure if such a thing should be done in this PR as this will likely break existing configurations relying on it.

I am also open to splitting this PR in two parts if so desired.

Example definition:

resource "libvirt_domain" "example" {
  count   = 1
  memory  = 2048
  vcpu    = 2
  machine = "q35"
  firmware_type = "efi"
  tpm {
    backend_type    = "emulator"
    backend_version = "2.0"
    backend_active_pcr_banks {
      sha1   = true
      sha256 = true
      sha384 = true
      sha512 = true
    }
  }
}

For reference, this is the xslt I am currently using as a workaround to achieve the functionality of this PR.

<xsl:stylesheet version="2.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output omit-xml-declaration="yes" indent="yes"/>
  <!-- identity template: copy everything that no other template matches -->
  <xsl:template match="node()|@*">
    <xsl:copy>
      <xsl:apply-templates select="node()|@*"/>
    </xsl:copy>
  </xsl:template>
  <!-- switch the domain to EFI firmware -->
  <xsl:template match="os">
    <os firmware="efi">
      <xsl:apply-templates select="@*|node()"/>
    </os>
  </xsl:template>
  <!-- declare the active PCR banks on the emulated TPM backend -->
  <xsl:template match="/domain/devices/tpm/backend">
    <xsl:copy>
      <xsl:apply-templates select="node()|@*"/>
      <xsl:element name="active_pcr_banks">
        <xsl:element name="sha1"/>
        <xsl:element name="sha256"/>
        <xsl:element name="sha384"/>
        <xsl:element name="sha512"/>
      </xsl:element>
    </xsl:copy>
  </xsl:template>
</xsl:stylesheet>

bhundven commented 3 days ago

@daniel-weisse I'd really like to see this in the next release. Could you update the branch?

daniel-weisse commented 1 day ago

Updated the branch, but considering no one seems to have looked at this PR for the last 2 years, I think it's somewhat unlikely this will get into the next release. I would suggest using the xslt workaround for now.

bhundven commented 7 hours ago

Since this enables the <os firmware='efi'> part, would it be too hard to also add support for toggling the secure-boot and enrolled-keys options as well? https://libvirt.org/kbase/secureboot.html

<firmware>
  <feature enabled='yes' name='secure-boot'/>
  <feature enabled='yes' name='enrolled-keys'/>
</firmware>

I could probably figure out the xslt part, but I wasn't sure if you think that should also go with this change or in a separate change?
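The following is an added example and not code from the PR, the provider or any commenter: a stand-alone Python script (standard library only) that does the same thing as the xslt workaround in the PR description (set `<os firmware='efi'>` and add `<active_pcr_banks>` to the emulated TPM backend) and additionally covers the `secure-boot` / `enrolled-keys` firmware feature toggles asked about in the last comment. The sample domain XML is constructed for the example, not dumped from a real host; `configure_domain`, `inspect_domain` and `KNOWN_PCR_BANKS` are names chosen here; the checks that `enrolled-keys` requires `secure-boot` and that active PCR banks need an emulator TPM 2.0 backend reflect libvirt's documented constraints as assumed by this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: roughly what the provider emits for the HCL example in
# the PR before any workaround runs (not a dump from a real host).
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>example</name>
  <memory unit='MiB'>2048</memory>
  <vcpu>2</vcpu>
  <os>
    <type arch='x86_64' machine='q35'>hvm</type>
    <boot dev='hd'/>
  </os>
  <devices>
    <tpm model='tpm-crb'>
      <backend type='emulator' version='2.0'/>
    </tpm>
  </devices>
</domain>
"""

# PCR bank names accepted under <active_pcr_banks> (assumed complete here).
KNOWN_PCR_BANKS = ("sha1", "sha256", "sha384", "sha512")


def configure_domain(domain_xml, pcr_banks=("sha256",), secure_boot=False,
                     enrolled_keys=False):
    """Return a new domain XML string with EFI firmware, optional firmware
    features and the given active PCR banks applied (example helper)."""
    if enrolled_keys and not secure_boot:
        # libvirt rejects enrolled-keys unless secure-boot is also enabled.
        raise ValueError("enrolled-keys requires secure-boot")
    unknown = [b for b in pcr_banks if b not in KNOWN_PCR_BANKS]
    if unknown:
        raise ValueError("unknown PCR bank(s): %s" % ", ".join(unknown))

    root = ET.fromstring(domain_xml)

    # 1. <os firmware='efi'> makes libvirt pick a matching firmware image,
    #    which is what the XSLT's "os" template does.
    os_el = root.find("os")
    if os_el is None:
        raise ValueError("domain XML has no <os> element")
    os_el.set("firmware", "efi")

    # 2. Feature toggles live in <os>/<firmware>, placed right after <type>.
    if secure_boot or enrolled_keys:
        fw = os_el.find("firmware")
        if fw is None:
            fw = ET.Element("firmware")
            children = list(os_el)
            type_idx = next((i for i, c in enumerate(children)
                             if c.tag == "type"), -1)
            os_el.insert(type_idx + 1, fw)
        for name, enabled in (("secure-boot", secure_boot),
                              ("enrolled-keys", enrolled_keys)):
            feat = ET.SubElement(fw, "feature")
            feat.set("enabled", "yes" if enabled else "no")
            feat.set("name", name)

    # 3. Active PCR banks are a property of an emulated TPM 2.0 backend;
    #    this mirrors the XSLT's /domain/devices/tpm/backend template.
    backend = root.find("devices/tpm/backend")
    if backend is None:
        raise ValueError("domain XML has no <tpm><backend> element")
    if backend.get("type") != "emulator" or backend.get("version") != "2.0":
        raise ValueError("active PCR banks need an emulator TPM 2.0 backend")
    old = backend.find("active_pcr_banks")
    if old is not None:
        backend.remove(old)
    banks_el = ET.SubElement(backend, "active_pcr_banks")
    for bank in pcr_banks:
        ET.SubElement(banks_el, bank)

    return ET.tostring(root, encoding="unicode")


def inspect_domain(domain_xml):
    """Summarise the firmware/TPM settings a measured-boot attester relies on."""
    root = ET.fromstring(domain_xml)
    os_el = root.find("os")
    features = {}
    for feat in root.iterfind("os/firmware/feature"):
        features[feat.get("name")] = feat.get("enabled") == "yes"
    banks = [b.tag for b in
             root.iterfind("devices/tpm/backend/active_pcr_banks/*")]
    return {
        "firmware": os_el.get("firmware") if os_el is not None else None,
        "features": features,
        "pcr_banks": banks,
    }


if __name__ == "__main__":
    configured = configure_domain(SAMPLE_DOMAIN_XML,
                                  pcr_banks=("sha256", "sha384"),
                                  secure_boot=True, enrolled_keys=True)
    print(configured)
    print(inspect_domain(configured))
```

`inspect_domain` is the part worth keeping around: pointed at `virsh dumpxml` output it confirms that a domain was actually defined with the EFI firmware, the feature toggles and the PCR banks an attestation policy expects, which is the check the PR's `backend_active_pcr_banks` option is meant to make unnecessary.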