Add support for libvirt swtpm (vTPM) configuration.

Since both nova-compute and nova-libvirt Kolla images have swtpm packages installed [1], it is possible to configure vTPM for libvirt instances. This patch adds support for such configuration in kolla-ansible. [1] https://bugs.launchpad.net/kolla/+bug/2062572 Closes-Bug: #2106219 Change-Id: Ic7969b05bde258c38ee31fe2821aeb4e9c77a567 Signed-off-by: fprzewozn <przewozny.franciszek@gmail.com>
2025-04-04 14:03:56 +02:00
parent adba766950
commit 3d0fbfe65c
6 changed files with 30 additions and 0 deletions
--- a/ansible/roles/nova-cell/defaults/main.yml
+++ b/ansible/roles/nova-cell/defaults/main.yml
@@ -563,6 +563,10 @@ nova_compute_registration_fatal: false

 nova_cell_conductor_workers: "{{ openstack_service_workers }}"

+enable_nova_swtpm: false
+swtpm_user: "{{ 'swtpm' if kolla_base_distro == 'ubuntu' else 'tss' }}"
+swtpm_group: "{{ 'swtpm' if kolla_base_distro == 'ubuntu' else 'tss' }}"
+
 ####################
 # Notification
 ####################
--- a/ansible/roles/nova-cell/templates/nova.conf.d/libvirt.conf.j2
+++ b/ansible/roles/nova-cell/templates/nova.conf.d/libvirt.conf.j2
@@ -28,5 +28,10 @@ cpu_mode = {{ nova_libvirt_cpu_mode }}
 volume_use_multipath = true
 {% endif %}
 num_pcie_ports = 16
+{% if enable_nova_swtpm | bool %}
+swtpm_enabled = true
+swtpm_user = {{ swtpm_user }}
+swtpm_group = {{ swtpm_group }}
+{% endif %}
 [workarounds]
 skip_cpu_compare_on_dest = true
--- a/ansible/roles/nova-cell/templates/qemu.conf.j2
+++ b/ansible/roles/nova-cell/templates/qemu.conf.j2
@@ -5,3 +5,8 @@ group = "nova"

 max_files =  {{ qemu_max_files }}
 max_processes =  {{ qemu_max_processes }}
+
+{% if enable_nova_swtpm | bool %}
+swtpm_user = "{{ swtpm_user }}"
+swtpm_group = "{{ swtpm_group }}"
+{% endif %}
--- a/doc/source/reference/compute/nova-guide.rst
+++ b/doc/source/reference/compute/nova-guide.rst
@@ -121,3 +121,13 @@ effectively remove the configuration when the Nova Compute service is restarted.
 If you choose to undefine `nova_cell_compute_provider_config` on a host, you must
 manually remove the generated config from inside the container, or recreate the
 container.
+
+Emulated virtual Trusted Platform Module (vTPM)
+===============================================
+
+Nova supports adding an emulated virtual Trusted Platform Module (vTPM) to
+instances. This feature is implemented with the SWTPM (Software TPM Emulator)
+package. To enable this feature, set ``enable_nova_swtpm`` to ``true``.
+Beware of `limitations`__ that come with this solution.
+
+  __ https://docs.openstack.org/nova/latest/admin/emulated-tpm.html#limitations
--- a/etc/kolla/globals.yml
+++ b/etc/kolla/globals.yml
@@ -416,6 +416,7 @@ workaround_ansible_issue_8743: true
 #enable_neutron_port_forwarding: false
 #enable_nova_serialconsole_proxy: false
 #enable_nova_ssh: true
+#enable_nova_swtpm: false
 #enable_octavia: false
 #enable_octavia_driver_agent: "{{ enable_octavia | bool and neutron_plugin_agent == 'ovn' }}"
 #enable_octavia_jobboard: "{{ enable_octavia | bool and 'amphora' in octavia_provider_drivers }}"
--- a/releasenotes/notes/bug-2073159-67532593585a1e10.yaml
+++ b/releasenotes/notes/bug-2073159-67532593585a1e10.yaml
@@ -0,0 +1,5 @@
+---
+features:
+  - |
+    Add support for libvirt vTPM (swtpm) configuration.
+    `LP#2106219 <https://launchpad.net/bugs/2106219>`__