From 3d0fbfe65c687060529b92e7abf351277dcd99b2 Mon Sep 17 00:00:00 2001
From: Franciszek Przewozny
Date: Fri, 4 Apr 2025 14:03:56 +0200
Subject: [PATCH] Add support for libvirt swtpm (vTPM) configuration.

Since both nova-compute and nova-libvirt Kolla images have swtpm packages installed [1], it is possible to configure vTPM for libvirt instances. This patch adds support for such configuration in kolla-ansible.

[1] https://bugs.launchpad.net/kolla/+bug/2062572

Closes-Bug: #2106219
Change-Id: Ic7969b05bde258c38ee31fe2821aeb4e9c77a567
Signed-off-by: fprzewozn
---
ansible/roles/nova-cell/defaults/main.yml | 4 ++++
.../nova-cell/templates/nova.conf.d/libvirt.conf.j2 | 5 +++++
ansible/roles/nova-cell/templates/qemu.conf.j2 | 5 +++++
doc/source/reference/compute/nova-guide.rst | 10 ++++++++++
etc/kolla/globals.yml | 1 +
releasenotes/notes/bug-2073159-67532593585a1e10.yaml | 5 +++++
6 files changed, 30 insertions(+)
create mode 100644 releasenotes/notes/bug-2073159-67532593585a1e10.yaml

diff --git a/ansible/roles/nova-cell/defaults/main.yml b/ansible/roles/nova-cell/defaults/main.yml
index 1cc4a04aa8..e33ee73cf8 100644
--- a/ansible/roles/nova-cell/defaults/main.yml
+++ b/ansible/roles/nova-cell/defaults/main.yml
@@ -563,6 +563,10 @@ nova_compute_registration_fatal: false
 nova_cell_conductor_workers: "{{ openstack_service_workers }}"
+enable_nova_swtpm: false
+swtpm_user: "{{ 'swtpm' if kolla_base_distro == 'ubuntu' else 'tss' }}"
+swtpm_group: "{{ 'swtpm' if kolla_base_distro == 'ubuntu' else 'tss' }}"
+
 ####################
 # Notification
 ####################
diff --git a/ansible/roles/nova-cell/templates/nova.conf.d/libvirt.conf.j2 b/ansible/roles/nova-cell/templates/nova.conf.d/libvirt.conf.j2
index 35b538a31d..87e0bf9775 100644
--- a/ansible/roles/nova-cell/templates/nova.conf.d/libvirt.conf.j2
+++ b/ansible/roles/nova-cell/templates/nova.conf.d/libvirt.conf.j2
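Review bot: The distro test on the two added `swtpm_user`/`swtpm_group` lines keys only on `'ubuntu'`, so a Debian-based deployment falls through to `tss`; as far as I know `tss` is the account the RHEL-family swtpm packages create, while Debian's package (from which Ubuntu's is derived) creates `swtpm`, so this wants verifying against the package postinst in the nova_compute and nova_libvirt images. A wrong name is not caught at deploy time: nova-compute's vTPM support check resolves `[libvirt] swtpm_user` and `swtpm_group` with getpwnam/getgrnam at startup and, as I recall, refuses to start when either is missing. I would write `swtpm_user: "{{ 'swtpm' if kolla_base_distro in ['debian', 'ubuntu'] else 'tss' }}"` and `swtpm_group: "{{ swtpm_user }}"`, with a comment above them noting that the names must match the account the swtpm package creates in both images.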
@@ -28,5 +28,10 @@ cpu_mode = {{ nova_libvirt_cpu_mode }}
 volume_use_multipath = true
 {% endif %}
 num_pcie_ports = 16
+{% if enable_nova_swtpm | bool %}
+swtpm_enabled = true
+swtpm_user = {{ swtpm_user }}
+swtpm_group = {{ swtpm_group }}
+{% endif %}
 [workarounds]
 skip_cpu_compare_on_dest = true
diff --git a/ansible/roles/nova-cell/templates/qemu.conf.j2 b/ansible/roles/nova-cell/templates/qemu.conf.j2
index 82ecd7f233..03b56479a9 100644
--- a/ansible/roles/nova-cell/templates/qemu.conf.j2
+++ b/ansible/roles/nova-cell/templates/qemu.conf.j2
@@ -5,3 +5,8 @@ group = "nova"
 max_files = {{ qemu_max_files }}
 max_processes = {{ qemu_max_processes }}
+
+{% if enable_nova_swtpm | bool %}
+swtpm_user = "{{ swtpm_user }}"
+swtpm_group = "{{ swtpm_group }}"
+{% endif %}
diff --git a/doc/source/reference/compute/nova-guide.rst b/doc/source/reference/compute/nova-guide.rst
index 3cf5848d42..8e083f2413 100644
--- a/doc/source/reference/compute/nova-guide.rst
+++ b/doc/source/reference/compute/nova-guide.rst
@@ -121,3 +121,13 @@ effectively remove the configuration when the Nova Compute service is restarted.
 If you choose to undefine `nova_cell_compute_provider_config` on a host, you must manually remove the generated config from inside the container, or recreate the container.
+
+Emulated virtual Trusted Platform Module (vTPM)
+===============================================
+
+Nova supports adding an emulated virtual Trusted Platform Module (vTPM) to
+instances. This feature is implemented with the SWTPM (Software TPM Emulator)
+package. To enable this feature, set ``enable_nova_swtpm`` to ``true``.
+Beware of `limitations`__ that come with this solution.
+
+ __ https://docs.openstack.org/nova/latest/admin/emulated-tpm.html#limitations
diff --git a/etc/kolla/globals.yml b/etc/kolla/globals.yml
index 6bf2b9e267..8c32f5b3fd 100644
--- a/etc/kolla/globals.yml
+++ b/etc/kolla/globals.yml
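Review bot: `swtpm_enabled = true` is emitted on nothing more than `enable_nova_swtpm`, but nova encrypts the emulated TPM state with a passphrase it stores in the `[key_manager]` backend, so a deployment that turns this on without Barbican (or another key manager) passes deploy and only fails when an instance actually requests a vTPM — as I recall nova's startup check verifies the swtpm binaries, the user/group and the virt type, not the key manager. Worth gating at deploy time rather than only in the guide: a precheck asserting `enable_barbican | bool` when `enable_nova_swtpm | bool`, and that `nova_compute_virt_type` is `kvm` or `qemu`, since nova rejects `swtpm_enabled` with any other virt type. At minimum a comment above the block, `{# Requires a key manager (Barbican) and virt_type kvm/qemu; nova refuses vTPM instances otherwise #}`, would tell the next operator why the flag alone is not enough.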
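Review bot: The `swtpm_user`/`swtpm_group` written to qemu.conf here are resolved by libvirt inside the nova_libvirt container, while nova-compute resolves the same names inside the nova_compute container and, as I recall, chowns the per-instance TPM state directory under the shared `/var/lib/libvirt` volume to the resulting numeric ids during resize and cold migration. Unless Kolla pins a fixed UID/GID for that account in both images (it does for `nova`; I am not sure it does for `swtpm`/`tss`), an id mismatch would leave swtpm unable to open its state after a migration — a silent, late failure rather than a deploy error, so it is worth verifying or pinning. I would add a comment above the block: `# Must map to the same UID/GID as in the nova_compute image: nova chowns the per-instance TPM state directory by these names.`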
@@ -416,6 +416,7 @@ workaround_ansible_issue_8743: true
 #enable_neutron_port_forwarding: false
 #enable_nova_serialconsole_proxy: false
 #enable_nova_ssh: true
+#enable_nova_swtpm: false
 #enable_octavia: false
 #enable_octavia_driver_agent: "{{ enable_octavia | bool and neutron_plugin_agent == 'ovn' }}"
 #enable_octavia_jobboard: "{{ enable_octavia | bool and 'amphora' in octavia_provider_drivers }}"
diff --git a/releasenotes/notes/bug-2073159-67532593585a1e10.yaml b/releasenotes/notes/bug-2073159-67532593585a1e10.yaml
new file mode 100644
index 0000000000..a9e60b0736
--- /dev/null
+++ b/releasenotes/notes/bug-2073159-67532593585a1e10.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - |
+ Add support for libvirt vTPM (swtpm) configuration.
+ `LP#2106219 `__