bhyve: support for TPM passthru

cbsd · Dec 27, 2023 · b495a2a · b495a2a
1 parent 3efe2a7
commit b495a2a
Show file tree

Hide file tree

Showing 15 changed files with 71 additions and 13 deletions.
diff --git a/bhyvectl/bconfig b/bhyvectl/bconfig
@@ -63,7 +63,7 @@ if [ -z "${cmd}" ]; then
 	bhyve_vnc_resolution bhyve_vnc_tcp_bind bhyve_vnc_vgaconf bhyve_wire_memory bhyve_x2apic_mode cd_boot_firmware cd_vnc_wait cpuset \
 	debug_engine hidden ip4_addr on_crash on_poweroff on_reboot protected vm_boot vm_cpu_topology vm_cpus vm_efi vm_hostbridge \
 	vm_iso_path vm_ram vm_vnc_port vnc_password xhci tablet fbuf double_acpi virtio_rnd uuid hdd_boot_firmware bhyverun_wrapper \
-	boot_delay bhyve_cmd efi_firmware bhyve_vnc_kbdlayout"
+	boot_delay bhyve_cmd efi_firmware bhyve_vnc_kbdlayout tpm"
 
 	# jailed for FreeBSD 12.0+
 	[ ${freebsdhostversion} -gt 1200086 ] && myargs="${myargs} jailed"

diff --git a/bhyvectl/bconstruct-tui b/bhyvectl/bconstruct-tui
@@ -372,7 +372,7 @@ esac
 [ -z "${imgtype}" ] && imgtype="zvol"
 [ -z "${uuid}" ] && uuid="0"
 [ -z "${bhyve_vnc_kbdlayout}" ] && bhyve_vnc_kbdlayout="${default_bhyve_vnc_kbdlayout}"
-
+[ -z "${tpm}" ] && tpm="${default_tpm}"
 
 baserw=1
 ip4_addr="DHCP"

diff --git a/bhyvectl/bsetup-tui b/bhyvectl/bsetup-tui
@@ -113,7 +113,7 @@ dialog_menu_main()
 
 	# don't show it in main menu:
 	local _in_sub_menu="bhyve_generate_acpi bhyve_wire_memory bhyve_rts_keeps_utc bhyve_force_msi_irq bhyve_x2apic_mode bhyve_mptable_gen bhyve_ignore_msr_acc cd_vnc_wait bhyve_vnc_resolution bhyve_vnc_tcp_bind \
-	vnc_password bhyve_vnc_vgaconf on_crash on_poweroff on_reboot double_acpi virtio_rnd bhyverun_wrapper bhyvestop_wrapper boot_delay bhyve_cmd efi_firmware bhyve_vnc_kbdlayout"
+	vnc_password bhyve_vnc_vgaconf on_crash on_poweroff on_reboot double_acpi virtio_rnd bhyverun_wrapper bhyvestop_wrapper boot_delay bhyve_cmd efi_firmware bhyve_vnc_kbdlayout tpm"
 
 	item_let="A"
 	item_num=0

diff --git a/etc/defaults/bhyve-default-default.conf b/etc/defaults/bhyve-default-default.conf
@@ -111,6 +111,13 @@ default_bhyve_vnc_vgaconf="io"
 # '0' for disable (default)
 default_bhyve_vnc_kbdlayout="0"
 
+# enable tpm?
+# /dev/tpm to pass
+# or
+# 'new' to emulate
+# '0' for disable
+default_tpm="0"
+
 efi_firmware="/usr/local/cbsd/upgrade/patch/efi.fd"
 efi_firmware_csm="/usr/local/cbsd/upgrade/patch/efi_csm.fd"
 

diff --git a/share/bhyve.conf b/share/bhyve.conf
@@ -2,4 +2,4 @@
 MYCOL="jname astart vm_cpus vm_ram vm_os_type vm_boot virtio_type vm_hostbridge bhyve_flags vm_os_profile vm_iso_path vm_console vm_efi vm_vnc_port vm_rd_port protected hidden \
 bhyve_generate_acpi bhyve_wire_memory bhyve_rts_keeps_utc bhyve_force_msi_irq bhyve_x2apic_mode bhyve_mptable_gen bhyve_ignore_msr_acc cd_vnc_wait bhyve_vnc_resolution bhyve_vnc_tcp_bind \
 maintenance ip4_addr vnc_password bhyve_vnc_vgaconf vm_cpu_topology debug_engine xhci cd_boot_firmware jailed vm_iso_path2 on_poweroff on_reboot on_crash soundhw bhyve_cmd vm_zfs_guid \
-mnt_start mnt_stop double_acpi virtio_rnd hdd_boot_firmware chrooted uuid bhyverun_wrapper bhyvestop_wrapper tags fbuf tablet boot_delay cpuset efi_firmware bhyve_vnc_kbdlayout pid_wait"
+mnt_start mnt_stop double_acpi virtio_rnd hdd_boot_firmware chrooted uuid bhyverun_wrapper bhyvestop_wrapper tags fbuf tablet boot_delay cpuset efi_firmware bhyve_vnc_kbdlayout pid_wait tpm"
diff --git a/share/bhyve_settings.conf b/share/bhyve_settings.conf
@@ -1,4 +1,4 @@
 # Default SQL scheme for DB local::bhyve_settings
 MYCOL="created astart vm_cpus vm_ram vm_os_type vm_boot vm_os_profile bhyve_flags vm_vnc_port virtio_type bhyve_vnc_tcp_bind bhyve_vnc_resolution cd_vnc_wait protected hidden maintenance ip4_addr vnc_password state_time vm_hostbridge vm_iso_path vm_console vm_efi \
 vm_rd_port bhyve_generate_acpi bhyve_wire_memory bhyve_rts_keeps_utc bhyve_force_msi_irq bhyve_x2apic_mode bhyve_mptable_gen bhyve_ignore_msr_acc bhyve_vnc_vgaconf media_auto_eject vm_cpu_topology debug_engine xhci cd_boot_firmware jailed vm_iso_path2 \
-on_poweroff on_reboot on_crash vm_zfs_guid vnc_port soundhw bhyve_cmd double_acpi virtio_rnd hdd_boot_firmware chrooted uuid bhyverun_wrapper bhyvestop_wrapper tags fbuf tablet boot_delay cpuset efi_firmware bhyve_vnc_kbdlayout pid_wait"
+on_poweroff on_reboot on_crash vm_zfs_guid vnc_port soundhw bhyve_cmd double_acpi virtio_rnd hdd_boot_firmware chrooted uuid bhyverun_wrapper bhyvestop_wrapper tags fbuf tablet boot_delay cpuset efi_firmware bhyve_vnc_kbdlayout pid_wait tpm"
diff --git a/share/bhyverun.sh b/share/bhyverun.sh
@@ -293,6 +293,21 @@ while [ ! -f ${tmpdir}/bhyvestop.${jname}.lock  ]; do
 		fi
 	fi
 
+	# TPM args
+	if [ -n "${tpm}" ]; then
+		case "${tmp}" in
+			0)
+				break
+				;;
+			new)
+				echo "emulate tpm"
+				;;
+				add_bhyve_opts="${add_bhyve_opts} -l tpm2,passthru,${tmp}"
+				;;
+			*)
+		esac
+	fi
+
 	if [ -n "${soundhw_args}" ]; then
 		if [ "${soundhw_args}" = "none" -o ${freebsdhostversion} -lt 1300034 ]; then
 			soundhw_args=

diff --git a/share/local-bhyve-settings.schema b/share/local-bhyve-settings.schema
@@ -56,6 +56,8 @@ bhyve_vnc_vgaconf="text default 'io'"
 bhyve_vnc_kbdlayout="text default '0'"
 pid_wait="integer default 1"
 
+tpm="text default '0'"
+
 state_time="TIMESTAMP DATE DEFAULT (datetime('now','localtime'))"
 
 media_auto_eject="integer default 0"

diff --git a/share/local-bhyve.schema b/share/local-bhyve.schema
@@ -84,6 +84,8 @@ cpuset="text default \"0\""
 bhyve_vnc_kbdlayout="text default '0'"
 pid_wait="integer default 1"
 
+tpm="text default \"0\""
+
 CONSTRAINT=", FOREIGN KEY(jname) REFERENCES jails(jname)"
 
 INITDB=""
diff --git a/subr/rcconf.subr b/subr/rcconf.subr
@@ -18,7 +18,7 @@ init_bhyve_rcconf()
 	local A
 	_sqlfile="${dbdir}/${_datafile}.sqlite"
 
-	A=$( cbsdsqlro ${jailsysdir}/${jname}/local.sqlite "SELECT astart,vm_cpus,vm_ram,vm_os_type,vm_boot,vm_os_profile,vnc_port,virtio_type,bhyve_vnc_tcp_bind,bhyve_vnc_resolution,cd_vnc_wait,protected,hidden,maintenance,ip4_addr,vnc_password,vm_hostbridge,vm_iso_path,vm_console,vm_efi,bhyve_generate_acpi,bhyve_wire_memory,bhyve_rts_keeps_utc,bhyve_force_msi_irq,bhyve_x2apic_mode,bhyve_mptable_gen,bhyve_ignore_msr_acc,bhyve_vnc_vgaconf,vm_cpu_topology,debug_engine,soundhw,double_acpi,virtio_rnd,uuid,boot_delay,cpuset,bhyve_cmd,efi_firmware,bhyve_vnc_vgaconf,bhyve_vnc_kbdlayout,pid_wait FROM settings ORDER BY (created) DESC LIMIT 1;" )
+	A=$( cbsdsqlro ${jailsysdir}/${jname}/local.sqlite "SELECT astart,vm_cpus,vm_ram,vm_os_type,vm_boot,vm_os_profile,vnc_port,virtio_type,bhyve_vnc_tcp_bind,bhyve_vnc_resolution,cd_vnc_wait,protected,hidden,maintenance,ip4_addr,vnc_password,vm_hostbridge,vm_iso_path,vm_console,vm_efi,bhyve_generate_acpi,bhyve_wire_memory,bhyve_rts_keeps_utc,bhyve_force_msi_irq,bhyve_x2apic_mode,bhyve_mptable_gen,bhyve_ignore_msr_acc,bhyve_vnc_vgaconf,vm_cpu_topology,debug_engine,soundhw,double_acpi,virtio_rnd,uuid,boot_delay,cpuset,bhyve_cmd,efi_firmware,bhyve_vnc_vgaconf,bhyve_vnc_kbdlayout,pid_wait,tpm FROM settings ORDER BY (created) DESC LIMIT 1;" )
 
 	if [ -n "${A}" ]; then
 		OIFS="${IFS}"
@@ -64,7 +64,8 @@ init_bhyve_rcconf()
 		bhyve_vnc_vgaconf=
 		bhyve_vnc_kbdlayout=
 		pid_wait=
-		sqllist "${A}" astart vm_cpus vm_ram vm_os_type vm_boot vm_os_profile vnc_port virtio_type bhyve_vnc_tcp_bind bhyve_vnc_resolution cd_vnc_wait protected hidden maintenance ip4_addr vnc_password vm_hostbridge vm_iso_path vm_console vm_efi bhyve_generate_acpi bhyve_wire_memory bhyve_rts_keeps_utc bhyve_force_msi_irq bhyve_x2apic_mode bhyve_mptable_gen bhyve_ignore_msr_acc bhyve_vnc_vgaconf vm_cpu_topology debug_engine soundhw double_acpi virtio_rnd uuid boot_delay cpuset bhyve_cmd efi_firmware bhyve_vnc_vgaconf bhyve_vnc_kbdlayout pid_wait
+		tpm=
+		sqllist "${A}" astart vm_cpus vm_ram vm_os_type vm_boot vm_os_profile vnc_port virtio_type bhyve_vnc_tcp_bind bhyve_vnc_resolution cd_vnc_wait protected hidden maintenance ip4_addr vnc_password vm_hostbridge vm_iso_path vm_console vm_efi bhyve_generate_acpi bhyve_wire_memory bhyve_rts_keeps_utc bhyve_force_msi_irq bhyve_x2apic_mode bhyve_mptable_gen bhyve_ignore_msr_acc bhyve_vnc_vgaconf vm_cpu_topology debug_engine soundhw double_acpi virtio_rnd uuid boot_delay cpuset bhyve_cmd efi_firmware bhyve_vnc_vgaconf bhyve_vnc_kbdlayout pid_wait tpm
 		IFS="${OIFS}"
 	else
 		err 1 "${N1_COLOR}Unable to fetch vm data from: ${N2_COLOR}${jailsysdir}/${jname}/local.sqlite${N0_COLOR}"

diff --git a/subr/rrcconf.subr b/subr/rrcconf.subr
@@ -27,7 +27,7 @@ init_bhyve_rrcconf()
 	local sqldelimer="|"
 	local A
 
-	A=$( cbsdsqlro ${_sqlite} "SELECT astart,vm_cpus,vm_ram,vm_os_type,vm_boot,vm_os_profile,vm_vnc_port,virtio_type,bhyve_vnc_tcp_bind,bhyve_vnc_resolution,cd_vnc_wait,protected,hidden,maintenance,ip4_addr,vnc_password,vm_hostbridge,vm_iso_path,vm_console,vm_efi,bhyve_generate_acpi,bhyve_wire_memory,bhyve_rts_keeps_utc,bhyve_force_msi_irq,bhyve_x2apic_mode,bhyve_mptable_gen,bhyve_ignore_msr_acc,bhyve_vnc_vgaconf,vm_cpu_topology,debug_engine,bhyve_vnc_kbdlayout,pid_wait FROM settings ORDER BY (created) DESC LIMIT 1;"  2>/dev/null )
+	A=$( cbsdsqlro ${_sqlite} "SELECT astart,vm_cpus,vm_ram,vm_os_type,vm_boot,vm_os_profile,vm_vnc_port,virtio_type,bhyve_vnc_tcp_bind,bhyve_vnc_resolution,cd_vnc_wait,protected,hidden,maintenance,ip4_addr,vnc_password,vm_hostbridge,vm_iso_path,vm_console,vm_efi,bhyve_generate_acpi,bhyve_wire_memory,bhyve_rts_keeps_utc,bhyve_force_msi_irq,bhyve_x2apic_mode,bhyve_mptable_gen,bhyve_ignore_msr_acc,bhyve_vnc_vgaconf,vm_cpu_topology,debug_engine,bhyve_vnc_kbdlayout,pid_wait,tpm FROM settings ORDER BY (created) DESC LIMIT 1;"  2>/dev/null )
 
 	if [ -n "${A}" ]; then
 		OIFS="${IFS}"
@@ -64,7 +64,8 @@ init_bhyve_rrcconf()
 		debug_engine=
 		bhyve_vnc_kbdlayout=
 		pid_wait=
-		sqllist "${A}" astart vm_cpus vm_ram vm_os_type vm_boot vm_os_profile vm_vnc_port virtio_type bhyve_vnc_tcp_bind bhyve_vnc_resolution cd_vnc_wait protected hidden maintenance ip4_addr vnc_password vm_hostbridge vm_iso_path vm_console vm_efi bhyve_generate_acpi bhyve_wire_memory bhyve_rts_keeps_utc bhyve_force_msi_irq bhyve_x2apic_mode bhyve_mptable_gen bhyve_ignore_msr_acc bhyve_vnc_vgaconf vm_cpu_topology debug_engine bhyve_vnc_kbdlayout pid_wait
+		tpm=
+		sqllist "${A}" astart vm_cpus vm_ram vm_os_type vm_boot vm_os_profile vm_vnc_port virtio_type bhyve_vnc_tcp_bind bhyve_vnc_resolution cd_vnc_wait protected hidden maintenance ip4_addr vnc_password vm_hostbridge vm_iso_path vm_console vm_efi bhyve_generate_acpi bhyve_wire_memory bhyve_rts_keeps_utc bhyve_force_msi_irq bhyve_x2apic_mode bhyve_mptable_gen bhyve_ignore_msr_acc bhyve_vnc_vgaconf vm_cpu_topology debug_engine bhyve_vnc_kbdlayout pid_wait tpm
 		IFS="${OIFS}"
 	else
 		err 1 "${N1_COLOR}Unable to fetch vm data from: ${N2_COLOR}${jailsysdir}/${jname}/local.sqlite${N0_COLOR}"

diff --git a/subr/up.subr b/subr/up.subr
@@ -560,7 +560,8 @@ run_bhyve()
 	bhyve_mptable_gen bhyve_ignore_msr_acc cd_vnc_wait bhyve_vnc_resolution bhyve_vnc_tcp_bind bhyve_vnc_vgaconf nic_driver vnc_password media_auto_eject \
 	vm_cpu_topology debug_engine xhci cd_boot_firmware jailed chrooted on_poweroff on_reboot on_crash is_cloud ci_jname ci_fqdn ci_template ci_interface \
 	ci_ip4_addr ci_gw4 ci_nameserver_address ci_nameserver_searchci_adjust_inteface_helper ci_user_add ci_user_pw_user ci_user_pw_root ci_user_pubkey uuid \
-	ci_interface_mtu ci_interface2 ci_interface_mtu2 ci_ip4_addr2 ci_gw42 nic_flags nic_flags2 bhyve_vnc_kbdlayout bhyverun_wrapper bhyve_cmd pid_wait flavor"
+	ci_interface_mtu ci_interface2 ci_interface_mtu2 ci_ip4_addr2 ci_gw42 nic_flags nic_flags2 bhyve_vnc_kbdlayout bhyverun_wrapper bhyve_cmd pid_wait flavor \
+	tpm"
 
 	if [ -n "${CLOUD_URL}" ]; then
 		# unset all

diff --git a/sudoexec/bcreate b/sudoexec/bcreate
@@ -9,7 +9,7 @@ vm_efi iso_site iso_img register_iso_name register_iso_as vm_hostbridge bhyve_fl
 bhyve_rts_keeps_utc bhyve_force_msi_irq bhyve_x2apic_mode bhyve_mptable_gen bhyve_ignore_msr_acc cd_vnc_wait bhyve_vnc_resolution bhyve_vnc_tcp_bind bhyve_vnc_vgaconf nic_driver vnc_password \
 media_auto_eject vm_cpu_topology debug_engine xhci cd_boot_firmware jailed chrooted on_poweroff on_reboot on_crash is_cloud ci_jname ci_fqdn ci_template ci_interface ci_ip4_addr ci_gw4 \
 ci_nameserver_address ci_nameserver_searchci_adjust_inteface_helper ci_user_add ci_user_pw_user ci_user_pw_root ci_user_pubkey uuid ci_interface_mtu ci_ip4_addr2 ci_gw42 ci_interface_mtu2 \
-interface2 ci_interface2 nic_flags nic2_flags bhyve_vnc_kbdlayout progress_state_file extra_profile_dir flavor vars_img"
+interface2 ci_interface2 nic_flags nic2_flags bhyve_vnc_kbdlayout progress_state_file extra_profile_dir flavor vars_img tpm"
 MYOPTARG="${MYOPTARG} ${BHYVE_ARGS}"
 MYDESC="Create bhyve VM from config file or args"
 ADDHELP="
@@ -504,6 +504,7 @@ readconf vnc.conf
 [ -z "${bhyve_vnc_tcp_bind}" ] && ${SYSRC_CMD} -qf ${jconf_tmp} bhyve_vnc_tcp_bind="${default_vnc_tcp_bind}"  > /dev/null 2>&1
 [ -z "${bhyve_vnc_vgaconf}" ] && ${SYSRC_CMD} -qf ${jconf_tmp} bhyve_vnc_vgaconf="${default_bhyve_vnc_vgaconf}"  > /dev/null 2>&1
 [ -z "${bhyve_vnc_kbdlayout}" ] && ${SYSRC_CMD} -qf ${jconf_tmp} bhyve_vnc_kbdlayout="${default_bhyve_vnc_kbdlayout}"  > /dev/null 2>&1
+[ -z "${tpm}" ] && ${SYSRC_CMD} -qf ${jconf_tmp} tpm="${default_tpm}"  > /dev/null 2>&1
 
 if [ -z "${cd_vnc_wait}" ]; then
 	case "${default_vnc_wait}" in

diff --git a/sudoexec/bstart b/sudoexec/bstart
@@ -780,6 +780,7 @@ vnc_password="${vnc_password}"
 virtio_9p_args="${virtio_9p_args}"
 bhyve_vnc_vgaconf="${bhyve_vnc_vgaconf}"
 bhyve_vnc_kbdlayout="${bhyve_vnc_kbdlayout}"
+tpm="${tpm}"
 
 media_auto_eject="${media_auto_eject}"
 
@@ -955,7 +956,6 @@ EOF
 
 	[ -z "${vm_pid}" ] && vm_pid="0"
 
-
 	${ECHO} "${N1_COLOR}PID: ${N2_COLOR}${vm_pid}${N0_COLOR}"
 
 	if [ "${vm_pid}" = "0" ]; then
@@ -1053,7 +1053,7 @@ if [ ${jail_num} -gt 1 ]; then
 
 			env NOINTER=1 ${DAEMON_CMD} -p ${ftmpdir}/bstart.${jname}.$$ /usr/local/bin/cbsd bstart jname=${jname} delay=${_boot_delay}
 
-			if [ ${pid_wait} -eq 1 ]; then
+			if [ ${_pid_wait} -eq 1 ]; then
 				if [ -z "${wait_pid_files}" ]; then
 					wait_pid_files="${ftmpdir}/bstart.${jname}.$$"
 				else

diff --git a/upgrade/pre-patch-14.0.3.0 b/upgrade/pre-patch-14.0.3.0
@@ -0,0 +1,28 @@
+#!/bin/sh
+#v13.0.23
+# Update bhyve tables for tpm
+: ${distdir="/usr/local/cbsd"}
+[ ! -r "${distdir}/subr/cbsdbootstrap.subr" ] && exit 1
+. ${distdir}/subr/cbsdbootstrap.subr || exit 1
+test_sql_stuff
+
+[ ! -h "${dbdir}/local.sqlite" ] && exit
+
+_test=$( ${miscdir}/sqlcli ${mydb} "SELECT name FROM sqlite_master WHERE type='table' AND name='tpm'" )
+if [ -z "${_test}" ]; then
+	${ECHO} "  * ${MAGENTA}Update bhyve tables: tpm"
+	${miscdir}/sqlcli ${dbdir}/local.sqlite "ALTER TABLE bhyve ADD COLUMN tpm TEXT DEFAULT '0'"
+fi
+
+vms=$( ${miscdir}/sqlcli ${dbdir}/local.sqlite "SELECT jname FROM jails WHERE emulator = 'bhyve'" )
+
+for i in ${vms}; do
+	mydb="${jailsysdir}/${i}/local.sqlite"
+	[ ! -r "${mydb}" ] && continue
+	# alter tpm if not exist
+	unset _test
+	_test=$( ${miscdir}/sqlcli ${mydb} "SELECT COUNT(tpm) FROM settings LIMIT 1" 2>/dev/null )
+	[ -n "${_test}" ] && continue
+	${ECHO} "  * ${N1_COLOR}Update settings tables: tpm for ${N2_COLOR}${i}${N0_COLOR}"
+	${miscdir}/sqlcli ${mydb} "ALTER TABLE settings ADD COLUMN tpm TEXT DEFAULT '0'"
+done