<feature>[kvm]: support clone for TPM VM

* Added support for cross-VM cloning of host files (NvRam, TpmState)
  and TPM encryption key cloning
* KvmSecureBootManager transitioned from a Component to a service
* Introducing new message/response types, workflows,
  and TPM key backend interfaces along
  with their virtual implementations

Resolves: ZSV-11439
Related: ZSV-11310

Change-Id: I796b77716b6c64657469697a7a797a7268636e6e

Author: Zhang Wenhao

conf/springConfigXml/Kvm.xml

@@ -262,6 +262,7 @@
     <bean id="KvmSecureBootManager" class="org.zstack.kvm.efi.KvmSecureBootManager">
         <zstack:plugin>
             <zstack:extension interface="org.zstack.header.Component"/>
+            <zstack:extension interface="org.zstack.header.Service" />
         </zstack:plugin>
     </bean>
 
@@ -271,4 +272,6 @@
             <zstack:extension interface="org.zstack.header.vm.PreVmInstantiateResourceExtensionPoint" />
         </zstack:plugin>
     </bean>
+
+    <bean id="DummyTpmEncryptedResourceKeyBackend" class="org.zstack.kvm.tpm.DummyTpmEncryptedResourceKeyBackend"/>
 </beans>

header/src/main/java/org/zstack/header/vm/VmInstanceConstant.java

@@ -6,6 +6,7 @@
 @PythonClass
 public interface VmInstanceConstant {
     String SERVICE_ID = "vmInstance";
+    String SECURE_BOOT_SERVICE_ID = "secureBoot";
     String ACTION_CATEGORY = "instance";
     @PythonClass
     String USER_VM_TYPE = "UserVm";

plugin/kvm/src/main/java/org/zstack/kvm/efi/CloneVmHostFileMsg.java

@@ -0,0 +1,35 @@
+package org.zstack.kvm.efi;
+
+import org.zstack.header.message.NeedReplyMessage;
+
+import java.util.List;
+
+public class CloneVmHostFileMsg extends NeedReplyMessage {
+    private String srcVmUuid;
+    private List<String> dstVmUuidList;
+    private Boolean resetTpm;
+
+    public String getSrcVmUuid() {
+        return srcVmUuid;
+    }
+
+    public void setSrcVmUuid(String srcVmUuid) {
+        this.srcVmUuid = srcVmUuid;
+    }
+
+    public List<String> getDstVmUuidList() {
+        return dstVmUuidList;
+    }
+
+    public void setDstVmUuidList(List<String> dstVmUuidList) {
+        this.dstVmUuidList = dstVmUuidList;
+    }
+
+    public Boolean getResetTpm() {
+        return resetTpm;
+    }
+
+    public void setResetTpm(Boolean resetTpm) {
+        this.resetTpm = resetTpm;
+    }
+}

plugin/kvm/src/main/java/org/zstack/kvm/efi/CloneVmHostFileReply.java

@@ -0,0 +1,6 @@
+package org.zstack.kvm.efi;
+
+import org.zstack.header.message.MessageReply;
+
+public class CloneVmHostFileReply extends MessageReply {
+}

plugin/kvm/src/main/java/org/zstack/kvm/efi/KvmSecureBootManager.java

@@ -2,34 +2,66 @@
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.zstack.compute.legacy.ComputeLegacyGlobalProperty;
+import org.zstack.core.Platform;
+import org.zstack.core.asyncbatch.While;
+import org.zstack.core.cloudbus.CloudBus;
 import org.zstack.core.cloudbus.EventCallback;
 import org.zstack.core.cloudbus.EventFacadeImpl;
+import org.zstack.core.db.DatabaseFacade;
 import org.zstack.core.db.Q;
-import org.zstack.header.Component;
+import org.zstack.core.workflow.SimpleFlowChain;
+import org.zstack.header.AbstractService;
 import org.zstack.header.core.Completion;
+import org.zstack.header.core.WhileDoneCompletion;
+import org.zstack.header.core.workflow.FlowDoneHandler;
+import org.zstack.header.core.workflow.FlowErrorHandler;
+import org.zstack.header.core.workflow.FlowTrigger;
+import org.zstack.header.core.workflow.NoRollbackFlow;
 import org.zstack.header.errorcode.ErrorCode;
+import org.zstack.header.errorcode.ErrorCodeList;
+import org.zstack.header.exception.CloudRuntimeException;
+import org.zstack.header.message.Message;
 import org.zstack.header.vm.VmCanonicalEvents;
+import org.zstack.header.vm.VmInstanceConstant;
 import org.zstack.header.vm.VmInstanceVO;
 import org.zstack.header.vm.VmInstanceVO_;
+import org.zstack.header.vm.additions.VmHostBackupFileVO;
+import org.zstack.header.vm.additions.VmHostFileContentVO;
+import org.zstack.header.vm.additions.VmHostFileContentVO_;
 import org.zstack.header.vm.additions.VmHostFileType;
 import org.zstack.header.vm.additions.VmHostFileVO;
 import org.zstack.header.vm.additions.VmHostFileVO_;
+import org.zstack.resourceconfig.ResourceConfig;
+import org.zstack.resourceconfig.ResourceConfigFacade;
+import org.zstack.utils.DebugUtils;
 import org.zstack.utils.Utils;
 import org.zstack.utils.logging.CLogger;
 
 import javax.persistence.Tuple;
+import java.sql.Timestamp;
+import java.time.Instant;
+import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
 
+import static org.zstack.compute.vm.VmGlobalConfig.RESET_TPM_AFTER_VM_CLONE;
+import static org.zstack.kvm.efi.KvmSecureBootExtensions.*;
 import static org.zstack.utils.CollectionDSL.list;
 import static org.zstack.utils.CollectionUtils.findOneOrNull;
+import static org.zstack.utils.CollectionUtils.transform;
 
-public class KvmSecureBootManager implements Component {
+public class KvmSecureBootManager extends AbstractService {
     private static final CLogger logger = Utils.getLogger(KvmSecureBootManager.class);
 
+    @Autowired
+    private CloudBus bus;
+    @Autowired
+    private DatabaseFacade databaseFacade;
     @Autowired
     private EventFacadeImpl eventFacade;
     @Autowired
+    private ResourceConfigFacade resourceConfigFacade;
+    @Autowired
     private KvmSecureBootExtensions secureBootExtensions;
 
     @Override
@@ -101,4 +133,181 @@ public void fail(ErrorCode errorCode) {
             }
         });
     }
+
+    @Override
+    public String getId() {
+        return bus.makeLocalServiceId(VmInstanceConstant.SECURE_BOOT_SERVICE_ID);
+    }
+
+    @Override
+    public void handleMessage(Message msg) {
+        if (msg instanceof CloneVmHostFileMsg) {
+            handle((CloneVmHostFileMsg) msg);
+        } else {
+            bus.dealWithUnknownMessage(msg);
+        }
+    }
+
+    @SuppressWarnings("rawtypes")
+    private void handle(CloneVmHostFileMsg msg) {
+        CloneVmHostFileReply reply = new CloneVmHostFileReply();
+        List<VmHostFileType> needClone = list(VmHostFileType.NvRam);
+
+        boolean resetTpm;
+        if (msg.getResetTpm() == null) {
+            ResourceConfig resourceConfig = resourceConfigFacade.getResourceConfig(RESET_TPM_AFTER_VM_CLONE.getIdentity());
+            resetTpm = resourceConfig.getResourceConfigValue(msg.getSrcVmUuid(), Boolean.class);
+        } else {
+            resetTpm = msg.getResetTpm();
+        }
+        if (resetTpm) {
+            needClone.add(VmHostFileType.TpmState);
+        }
+
+        List<VmHostFileVO> files = new ArrayList<>();
+        List<SyncVmHostFilesFromHostContext> syncContexts = new ArrayList<>();
+
+        SimpleFlowChain chain = new SimpleFlowChain();
+        chain.setName("clone-vm-host-file");
+        chain.then(new NoRollbackFlow() {
+            String __name__ = "prepare-sync-vm-host-file-context-list";
+
+            @Override
+            public void run(FlowTrigger trigger, Map data) {
+                for (VmHostFileType type : needClone) {
+                    VmHostFileVO file = Q.New(VmHostFileVO.class)
+                            .eq(VmHostFileVO_.vmInstanceUuid, msg.getSrcVmUuid())
+                            .eq(VmHostFileVO_.type, type)
+                            .orderByDesc(VmHostFileVO_.lastOpDate)
+                            .limit(1)
+                            .find();
+                    if (file == null) {
+                        logger.debug(String.format("skip to read/write %s host file for VM[vmUuid=%s]: file is not registered in MN",
+                                type, msg.getSrcVmUuid()));
+                        continue;
+                    }
+                    files.add(file);
+                }
+
+                if (files.isEmpty()) {
+                    trigger.next();
+                    return;
+                }
+
+                List<String> hostUuids = transform(files, VmHostFileVO::getHostUuid);
+                for (String hostUuid : hostUuids) {
+                    SyncVmHostFilesFromHostContext syncContext = new SyncVmHostFilesFromHostContext();
+                    syncContext.hostUuid = hostUuid;
+                    syncContext.vmUuid = msg.getSrcVmUuid();
+                    syncContexts.add(syncContext);
+                }
+
+                for (VmHostFileVO file : files) {
+                    SyncVmHostFilesFromHostContext syncContext = findOneOrNull(syncContexts,
+                            item -> file.getHostUuid().equals(item.hostUuid));
+                    DebugUtils.Assert(syncContext != null, "syncContext must be not null");
+                    if (file.getType() == VmHostFileType.NvRam) {
+                        syncContext.nvRamPath = file.getPath();
+                    } else if (file.getType() == VmHostFileType.TpmState) {
+                        syncContext.tpmStateFolder = file.getPath();
+                    } else {
+                        throw new CloudRuntimeException("unsupported vm host file type: " + file.getType());
+                    }
+                }
+
+                trigger.next();
+            }
+        }).then(new NoRollbackFlow() {
+            String __name__ = "read-vm-host-file-from-origin-host";
+
+            @Override
+            public void run(FlowTrigger trigger, Map data) {
+                new While<>(syncContexts).each((syncContext, whileContext) ->
+                    secureBootExtensions.syncVmHostFilesFromHost(syncContext, new Completion(whileContext) {
+                        @Override
+                        public void success() {
+                            whileContext.done();
+                        }
+
+                        @Override
+                        public void fail(ErrorCode errorCode) {
+                            whileContext.addError(errorCode);
+                            whileContext.done();
+                        }
+                    })
+                ).run(new WhileDoneCompletion(trigger) {
+                    @Override
+                    public void done(ErrorCodeList errorCodeList) {
+                        if (!errorCodeList.isEmpty()) {
+                            logger.warn(String.format("failed to sync host file for VM[uuid=%s] but still continue:\n%s",
+                                    msg.getSrcVmUuid(),
+                                    String.join("\n", transform(errorCodeList.getCauses(), ErrorCode::getReadableDetails))));
+                        }
+                        trigger.next();
+                    }
+                });
+            }
+        }).then(new NoRollbackFlow() {
+            String __name__ = "copy-host-content-database";
+
+            @Override
+            public void run(FlowTrigger trigger, Map data) {
+                List<String> uuidList = transform(files, VmHostFileVO::getUuid);
+                List<VmHostFileVO> filesAfterSyncing = Q.New(VmHostFileVO.class)
+                        .in(VmHostFileVO_.uuid, uuidList)
+                        .list();
+                List<VmHostFileContentVO> contents = Q.New(VmHostFileContentVO.class)
+                        .in(VmHostFileContentVO_.uuid, uuidList)
+                        .list();
+
+                List<VmHostBackupFileVO> filesNeedPersists = new ArrayList<>();
+                List<VmHostFileContentVO> contentsNeedPersists = new ArrayList<>();
+
+                Timestamp now = Timestamp.from(Instant.now());
+                for (String vmUuid : msg.getDstVmUuidList()) {
+                    for (VmHostFileVO vmHostFileVO : filesAfterSyncing) {
+                        VmHostBackupFileVO file = new VmHostBackupFileVO();
+                        file.setUuid(Platform.getUuid());
+                        file.setVmInstanceUuid(vmUuid);
+                        file.setType(vmHostFileVO.getType());
+                        file.setCreateDate(now);
+                        file.setLastOpDate(now);
+                        filesNeedPersists.add(file);
+
+                        VmHostFileContentVO srcContent = findOneOrNull(contents,
+                                item -> item.getUuid().equals(vmHostFileVO.getUuid()));
+                        if (srcContent == null) {
+                            continue;
+                        }
+                        VmHostFileContentVO content = new VmHostFileContentVO();
+                        content.setUuid(file.getUuid());
+                        content.setContent(srcContent.getContent());
+                        content.setFormat(srcContent.getFormat());
+                        content.setCreateDate(now);
+                        content.setLastOpDate(now);
+                        contentsNeedPersists.add(content);
+                    }
+                }
+
+                if (!filesNeedPersists.isEmpty()) {
+                    databaseFacade.persistCollection(filesNeedPersists);
+                }
+                if (!contentsNeedPersists.isEmpty()) {
+                    databaseFacade.persistCollection(contentsNeedPersists);
+                }
+                trigger.next();
+            }
+        }).done(new FlowDoneHandler(msg) {
+            @Override
+            public void handle(Map data) {
+                bus.reply(msg, reply);
+            }
+        }).error(new FlowErrorHandler(msg) {
+            @Override
+            public void handle(ErrorCode errCode, Map data) {
+                reply.setError(errCode);
+                bus.reply(msg, reply);
+            }
+        }).start();
+    }
 }

plugin/kvm/src/main/java/org/zstack/kvm/tpm/CloneVmTpmMsg.java

@@ -0,0 +1,33 @@
+package org.zstack.kvm.tpm;
+
+import org.zstack.header.message.NeedReplyMessage;
+
+public class CloneVmTpmMsg extends NeedReplyMessage {
+    private String srcVmUuid;
+    private String dstVmUuid;
+    private Boolean resetTpm;
+
+    public String getSrcVmUuid() {
+        return srcVmUuid;
+    }
+
+    public void setSrcVmUuid(String srcVmUuid) {
+        this.srcVmUuid = srcVmUuid;
+    }
+
+    public String getDstVmUuid() {
+        return dstVmUuid;
+    }
+
+    public void setDstVmUuid(String dstVmUuid) {
+        this.dstVmUuid = dstVmUuid;
+    }
+
+    public Boolean getResetTpm() {
+        return resetTpm;
+    }
+
+    public void setResetTpm(Boolean resetTpm) {
+        this.resetTpm = resetTpm;
+    }
+}

plugin/kvm/src/main/java/org/zstack/kvm/tpm/CloneVmTpmReply.java

@@ -0,0 +1,6 @@
+package org.zstack.kvm.tpm;
+
+import org.zstack.header.message.MessageReply;
+
+public class CloneVmTpmReply extends MessageReply {
+}

plugin/kvm/src/main/java/org/zstack/kvm/tpm/DummyTpmEncryptedResourceKeyBackend.java

@@ -0,0 +1,17 @@
+package org.zstack.kvm.tpm;
+
+import org.zstack.header.core.Completion;
+import org.zstack.utils.Utils;
+import org.zstack.utils.logging.CLogger;
+
+public class DummyTpmEncryptedResourceKeyBackend implements TpmEncryptedResourceKeyBackend {
+    private static final CLogger logger = Utils.getLogger(DummyTpmEncryptedResourceKeyBackend.class);
+
+    @Override
+    public void cloneEncryptedResourceKey(CloneEncryptedResourceKeyContext context, Completion completion) {
+        // do nothing
+        logger.debug("ignore clone encrypted resource key request for TPM uuid "
+                + context.srcTpmUuid + " -> " + context.dstTpmUuid);
+        completion.success();
+    }
+}