To conform to documentation best practices add a spellchecker. A Sphinx extension is used.

Correct any current spelling mistakes across the doc set.

Add a seeding file that extends the system dictionary. Going forward, the 'spelling_words.txt' file will be used to extend the dictionary.

Do not enforce spelling during a normal doc build; add a new tox target. Add a non-voting Zuul job that consumes the new tox target.

The doc-contrib documentation will include information on the spellchecker in a subsequent PR.

Future work is necessary in terms of making checking more intelligent. As such, file 'dubious_words.txt' has been added to temporarily store those words that should be filtered. For instance, the word 'tis' is in this file because it is part of proper noun 'tpm-tis'. Hyphenated words (or words in single quotes) could be exempt from the check.

Change-Id: I70a1d5208b97923c081b359af3208f4de65eb6ca
=======================================
Emulated Trusted Platform Module (vTPM)
=======================================

Overview
--------

Trusted Platform Modules can be used to enhance computer security and privacy. Some operating systems even require a TPM.

To support TPM devices within guest instances, OpenStack Nova integrates with software-based emulated TPM devices for QEMU and KVM guest instances. The secrets stored within the emulated devices are encrypted using Barbican secrets. The devices are then provided via the swtpm software package.
Pre-requisites
--------------

The following requirements must be met in order to enable vTPM support in the nova-compute charm:

- OpenStack Wallaby or newer
- Barbican Key Manager service must be deployed and configured
- swtpm libraries must be available for installation

If you are using an apt mirror, make sure it contains the swtpm, swtpm-tools, and libtpms0 packages.

.. note::

   The swtpm, swtpm-tools, and libtpms libraries are available in the Ubuntu 22.04 LTS (Jammy) release. It is expected that they will be backported to the Ubuntu 20.04 LTS (Focal) archives. Until this is done, the OpenStack Charms team is providing a Personal Package Archive (PPA) with the necessary packages for Focal.
Deployment
----------

TPM support is enabled on all compute nodes by using the nova-compute charm's enable-vtpm configuration option.

In this example, support is enabled on Focal-based nodes via a PPA. The following YAML excerpt contains the configuration:

.. code-block:: yaml

   nova-compute:
     enable-vtpm: True
     extra-repositories: ppa:openstack-charmers/swtpm

Nova will use the credentials for service discovery from Keystone in order to determine the Barbican endpoint to use.
Once vTPM support has been enabled in the compute nodes, verify that the compute nodes are registering the TPM traits within the Placement service:

.. code-block:: console

   COMPUTE_UUID=$(openstack resource provider list --name $HOST -f value -c uuid)
   openstack resource provider trait list $COMPUTE_UUID | grep SECURITY_TPM
   | COMPUTE_SECURITY_TPM_1_2 |
   | COMPUTE_SECURITY_TPM_2_0 |
OpenStack configuration
-----------------------

TPM support is added to a VM by means of an OpenStack flavor. The flavor specifies the TPM version and model for the vTPM device to emulate.

There are two versions to choose from (1.2 and 2.0) as well as two model types (tpm-tis and tpm-crb).

.. note::

   The default model is 'tpm-tis'. The tpm-crb model is only compatible with TPM version 2.0.

The following example configures an existing flavor to use TPM 2.0 with the CRB model (optionally create a new flavor):

.. code-block:: none

   openstack flavor set <flavor-name> \
     --property hw:tpm_version=2.0 \
     --property hw:tpm_model=tpm-crb

The image used to create a TPM-supported VM must be configured to use UEFI firmware. This is done by setting the hw_firmware_type property to uefi.

The following example configures an existing image to use UEFI (optionally import a new image):

.. code-block:: none

   openstack image set <image-name-or-uuid> --property hw_firmware_type=uefi
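The trait check, the flavor properties and the image property above are three steps of one procedure, and the note on models states a constraint (tpm-crb only with TPM 2.0) that is easy to get wrong. The following POSIX shell script is an added example, not part of the charm guide or of the nova-compute charm: it validates a version/model request against the rules stated on this page, checks a host's Placement trait listing for the trait matching the requested version, and emits the flavor and image commands as text rather than running the openstack CLI, so it can be reviewed offline. The function names, the flavor and image names and the sample trait output are constructed for this example.

```shell
#!/bin/sh
# Added example (not charm guide or nova-compute charm code): validate a vTPM
# request before touching flavors and images. The openstack CLI is never
# invoked; commands are printed so the script runs without a cloud.

# Placement trait that Nova reports for each supported TPM version.
tpm_trait_for_version() {
    case "$1" in
        1.2) echo COMPUTE_SECURITY_TPM_1_2 ;;
        2.0) echo COMPUTE_SECURITY_TPM_2_0 ;;
        *)   echo "unsupported hw:tpm_version '$1'" >&2; return 1 ;;
    esac
}

# Reject version/model pairs Nova would not accept: tpm-crb requires TPM 2.0,
# tpm-tis (the default model) works with either version.
vtpm_validate() {
    version="$1"; model="$2"
    tpm_trait_for_version "$version" >/dev/null || return 1
    case "$model" in
        tpm-tis) ;;
        tpm-crb)
            if [ "$version" != "2.0" ]; then
                echo "hw:tpm_model=tpm-crb requires hw:tpm_version=2.0" >&2
                return 1
            fi ;;
        *) echo "unsupported hw:tpm_model '$model'" >&2; return 1 ;;
    esac
}

# Read 'openstack resource provider trait list' output on stdin and succeed
# only if the trait for the requested TPM version is present.
host_supports_tpm_version() {
    trait=$(tpm_trait_for_version "$1") || return 1
    grep -q "| *${trait} *|"
}

# Print the flavor and image commands from this page for a validated request.
vtpm_commands() {
    flavor="$1"; image="$2"; version="$3"; model="$4"
    vtpm_validate "$version" "$model" || return 1
    printf 'openstack flavor set %s --property hw:tpm_version=%s --property hw:tpm_model=%s\n' \
        "$flavor" "$version" "$model"
    printf 'openstack image set %s --property hw_firmware_type=uefi\n' "$image"
}

# Constructed sample (not real deployment output) of the grep'd trait list
# from a host that only advertises TPM 1.2.
SAMPLE_TRAITS_TPM12='| COMPUTE_SECURITY_TPM_1_2 |'

# Example usage: a TPM 2.0/CRB request is refused on that host; on a capable
# host the two commands print exactly as the page shows them.
if echo "$SAMPLE_TRAITS_TPM12" | host_supports_tpm_version 2.0; then
    vtpm_commands my-flavor my-image 2.0 tpm-crb
else
    echo "host lacks COMPUTE_SECURITY_TPM_2_0; choose a TPM 2.0 capable host" >&2
fi
```

In a real deployment, pipe the output of the trait-list command from the previous section into host_supports_tpm_version instead of the constructed sample, and run the printed commands only once both the trait check and vtpm_validate succeed.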
References
----------

More information related to the usage of vTPM can be found in the upstream OpenStack documentation:

- Emulated Trusted Platform Module (Nova)
- Extra Specs (Nova)
- Secure Boot (Nova)
- Useful image properties (Glance)