vTPM: support KVM and VMware

[weizhouapache]

Description

This PR adds the vTPM support for VMs on KVM and VMware.

Trusted Platform Module (TPM) is a standard for a secure cryptoprocessor, which can securely store artifacts used to authenticate the platform, including passwords, certificates, or encryption keys. TPM is required by recent Windows releases.

Virtual Trusted Platform Module (vTPM) is the software-based representation of physical TPM. CloudStack supports vTPM for instances running on KVM and VMware since 4.20.1.0 .

• Boot type and boot mode

On Vmware, the boot type must be set to UEFI. Boot mode can be SECURE (recommended) or LEGACY.
On KVM, it is recommended to set boot type to UEFI, and boot mode to SECURE. UEFI is required for some Windows versions.

• For VMs and templates on KVM

• Improvement: Support CPU mode/model for VMs on KVM (root admin only)

• For VMs and templates on VMware

Please note, need to configure a Native Key Provider on vSphere vCenter.
Refer to https://www.youtube.com/watch?v=zIynD5sJOcA&ab_channel=VMwareDocs

Doc PR: apache/cloudstack-documentation#490

Types of changes

• Breaking change (fix or feature that would cause existing functionality to change)
• New feature (non-breaking change which adds functionality)
• Bug fix (non-breaking change which fixes an issue)
• Enhancement (improves an existing feature and functionality)
• Cleanup (Code refactoring and cleanup, that may add test cases)
• build/CI
• test (unit or integration test code)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

• Major
• Minor

Bug Severity

• BLOCKER
• Critical
• Major
• Minor
• Trivial

Screenshots (if appropriate):

How Has This Been Tested?

How did you try to break this feature and the system with this change?

[codecov]

Codecov Report

Attention: Patch coverage is 76.78571% with 26 lines in your changes missing coverage. Please review.

Project coverage is 16.03%. Comparing base (54c1f92) to head (8bfd8f8).
Report is 64 commits behind head on 4.20.

Files with missing lines	Patch %	Lines
...oud/hypervisor/vmware/resource/VmwareResource.java	76.31%	6 Missing and 3 partials ⚠️
...om/cloud/hypervisor/kvm/resource/LibvirtVMDef.java	85.71%	5 Missing and 2 partials ⚠️
...ervisor/kvm/resource/LibvirtComputingResource.java	66.66%	2 Missing and 4 partials ⚠️
...ain/java/com/cloud/api/query/QueryManagerImpl.java	20.00%	4 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##               4.20   #10543      +/-   ##
============================================
+ Coverage     16.00%   16.03%   +0.02%     
- Complexity    13103    13130      +27     
============================================
  Files          5651     5652       +1     
  Lines        495841   496032     +191     
  Branches      60045    60067      +22     
============================================
+ Hits          79373    79533     +160     
- Misses       407606   407626      +20     
- Partials       8862     8873      +11     

Flag	Coverage Δ
uitests	4.00% <ø> (-0.01%)	⬇️
unittests	16.87% <76.78%> (+0.02%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[weizhouapache]

@blueorangutan package

[blueorangutan]

@weizhouapache a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 12735

[weizhouapache]

@blueorangutan test

[blueorangutan]

@weizhouapache a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

[blueorangutan]

[SF] Trillian test result (tid-12651)
Environment: kvm-ol8 (x2), Advanced Networking with Mgmt server ol8
Total time taken: 57257 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr10543-t12651-kvm-ol8.zip
Smoke tests completed. 139 look OK, 2 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File
ContextSuite context=TestClusterDRS>:setup	Error	0.00	test_cluster_drs.py
ContextSuite context=TestSharedNetworkWithConfigDrive>:setup	Error	1521.42	test_network.py

[weizhouapache]

@blueorangutan package

[blueorangutan]

@weizhouapache a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 12765

[DaanHoogland]

@blueorangutan test

[blueorangutan]

@DaanHoogland a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

[blueorangutan]

[SF] Trillian Build Failed (tid-12680)

[DaanHoogland]

clgtm

[rohityadavcloud]

Didn't test this, but LGTM overall. Probably the admin can set this on a template, which are then copied to the instances? Any security or other issues, if the end-user is able to add/edit/change this for their instances?

[weizhouapache]

Didn't test this, but LGTM overall. Probably the admin can set this on a template, which are then copied to the instances? Any security or other issues, if the end-user is able to add/edit/change this for their instances?

thanks @rohityadavcloud , good point

the vm details items and values are also populated when update template settings.

no extra changes required.

there is no settings for ISOes.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 13143

[Pearl1594]

@blueorangutan test matrix

[blueorangutan]

@Pearl1594 a [SL] Trillian-Jenkins matrix job (EL8 mgmt + EL8 KVM, Ubuntu22 mgmt + Ubuntu22 KVM, EL8 mgmt + VMware 7.0u3, EL9 mgmt + XCP-ng 8.2 ) has been kicked to run smoke tests

[blueorangutan]

[SF] Trillian Build Failed (tid-13098)

[blueorangutan]

[SF] Trillian Build Failed (tid-13099)

[blueorangutan]

[SF] Trillian Build Failed (tid-13096)

[Pearl1594]

@blueorangutan test matrix

[blueorangutan]

@Pearl1594 a [SL] Trillian-Jenkins matrix job (EL8 mgmt + EL8 KVM, Ubuntu22 mgmt + Ubuntu22 KVM, EL8 mgmt + VMware 7.0u3, EL9 mgmt + XCP-ng 8.2 ) has been kicked to run smoke tests

[blueorangutan]

[SF] Trillian test result (tid-13097)
Environment: kvm-ubuntu22 (x2), Advanced Networking with Mgmt server u22
Total time taken: 59342 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr10543-t13097-kvm-ubuntu22.zip
Smoke tests completed. 139 look OK, 2 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File
test_oobm_multiple_mgmt_server_ownership	Failure	30.89	test_outofbandmanagement.py
test_02_restore_vm_strict_tags_failure	Failure	58.81	test_vm_strict_host_tags.py
test_02_scale_vm_strict_tags_failure	Failure	57.96	test_vm_strict_host_tags.py
test_06_deploy_vm_on_any_host_with_strict_tags_failure	Failure	6.05	test_vm_strict_host_tags.py

[blueorangutan]

[SF] Trillian test result (tid-13101)
Environment: kvm-ubuntu22 (x2), Advanced Networking with Mgmt server u22
Total time taken: 58818 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr10543-t13101-kvm-ubuntu22.zip
Smoke tests completed. 139 look OK, 2 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File
test_oobm_multiple_mgmt_server_ownership	Failure	31.85	test_outofbandmanagement.py
test_02_restore_vm_strict_tags_failure	Failure	58.84	test_vm_strict_host_tags.py
test_02_scale_vm_strict_tags_failure	Failure	67.13	test_vm_strict_host_tags.py
test_06_deploy_vm_on_any_host_with_strict_tags_failure	Failure	6.02	test_vm_strict_host_tags.py

[blueorangutan]

[SF] Trillian test result (tid-13100)
Environment: kvm-ol8 (x2), Advanced Networking with Mgmt server ol8
Total time taken: 58968 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr10543-t13100-kvm-ol8.zip
Smoke tests completed. 140 look OK, 1 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File
test_02_restore_vm_strict_tags_failure	Failure	55.49	test_vm_strict_host_tags.py
test_02_scale_vm_strict_tags_failure	Failure	65.00	test_vm_strict_host_tags.py
test_06_deploy_vm_on_any_host_with_strict_tags_failure	Failure	6.00	test_vm_strict_host_tags.py

[weizhouapache]

@Pearl1594 @DaanHoogland
the failed tests seem to be unrelated

[blueorangutan]

[SF] Trillian test result (tid-13103)
Environment: xcpng82 (x2), Advanced Networking with Mgmt server ol9
Total time taken: 83383 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr10543-t13103-xcpng82.zip
Smoke tests completed. 135 look OK, 6 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File
test_01_condensed_drs_algorithm	Failure	176.04	test_cluster_drs.py
test_02_balanced_drs_algorithm	Failure	177.72	test_cluster_drs.py
ContextSuite context=TestSharedNetworkWithConfigDrive>:setup	Error	7.47	test_network.py
test_01_non_strict_host_anti_affinity	Error	253.10	test_nonstrict_affinity_group.py
test_02_non_strict_host_affinity	Error	126.98	test_nonstrict_affinity_group.py
test_02_create_volume	Error	4.32	test_resource_names.py
test_05_scale_vm_dont_allow_disk_offering_change	Failure	94.69	test_scale_vm.py
test_02_restore_vm_strict_tags_failure	Failure	87.32	test_vm_strict_host_tags.py
test_02_scale_vm_strict_tags_failure	Failure	74.15	test_vm_strict_host_tags.py
test_06_deploy_vm_on_any_host_with_strict_tags_failure	Failure	5.82	test_vm_strict_host_tags.py

[blueorangutan]

[SF] Trillian test result (tid-13102)
Environment: vmware-70u3 (x2), Advanced Networking with Mgmt server ol8
Total time taken: 126645 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr10543-t13102-vmware-70u3.zip
Smoke tests completed. 136 look OK, 5 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File
test_01_events_resource	Error	357.97	test_events_resource.py
test_04_deploy_vm_for_other_user_and_test_vm_operations	Error	124.70	test_network_permissions.py
test_01_deployVMInSharedNetwork	Failure	3604.75	test_network.py
ContextSuite context=TestSharedNetworkWithConfigDrive>:teardown	Error	3605.99	test_network.py
test_02_restore_vm_with_disk_offering	Error	63.50	test_restore_vm.py
test_03_restore_vm_with_disk_offering_custom_size	Error	58.38	test_restore_vm.py
test_01_migrate_vm_strict_tags_success	Error	3605.04	test_vm_strict_host_tags.py
test_02_migrate_vm_strict_tags_failure	Error	9.21	test_vm_strict_host_tags.py
test_01_restore_vm_strict_tags_success	Error	24.49	test_vm_strict_host_tags.py
test_02_restore_vm_strict_tags_failure	Error	3608.87	test_vm_strict_host_tags.py
test_01_scale_vm_strict_tags_success	Error	23.57	test_vm_strict_host_tags.py
test_02_scale_vm_strict_tags_failure	Error	3607.71	test_vm_strict_host_tags.py
test_01_deploy_vm_on_specific_host_without_strict_tags	Error	23.38	test_vm_strict_host_tags.py
test_02_deploy_vm_on_any_host_without_strict_tags	Error	3606.78	test_vm_strict_host_tags.py
test_03_deploy_vm_on_specific_host_with_strict_tags_success	Error	3608.38	test_vm_strict_host_tags.py
test_04_deploy_vm_on_any_host_with_strict_tags_success	Error	3606.54	test_vm_strict_host_tags.py
test_06_deploy_vm_on_any_host_with_strict_tags_failure	Failure	3.99	test_vm_strict_host_tags.py

[Pearl1594]

@blueorangutan test matrix

[blueorangutan]

@Pearl1594 a [SL] Trillian-Jenkins matrix job (EL8 mgmt + EL8 KVM, Ubuntu22 mgmt + Ubuntu22 KVM, EL8 mgmt + VMware 7.0u3, EL9 mgmt + XCP-ng 8.2 ) has been kicked to run smoke tests

[blueorangutan]

[SF] Trillian Build Failed (tid-13139)

[blueorangutan]

[SF] Trillian Build Failed (tid-13142)

[blueorangutan]

[SF] Trillian Build Failed (tid-13140)

[Pearl1594]

@blueorangutan test matrix

[blueorangutan]

@Pearl1594 a [SL] Trillian-Jenkins matrix job (EL8 mgmt + EL8 KVM, Ubuntu22 mgmt + Ubuntu22 KVM, EL8 mgmt + VMware 7.0u3, EL9 mgmt + XCP-ng 8.2 ) has been kicked to run smoke tests

[blueorangutan]

[SF] Trillian test result (tid-13145)
Environment: kvm-ubuntu22 (x2), Advanced Networking with Mgmt server u22
Total time taken: 59702 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr10543-t13145-kvm-ubuntu22.zip
Smoke tests completed. 139 look OK, 2 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File
test_oobm_multiple_mgmt_server_ownership	Failure	31.89	test_outofbandmanagement.py
test_02_restore_vm_strict_tags_failure	Failure	62.06	test_vm_strict_host_tags.py
test_02_scale_vm_strict_tags_failure	Failure	68.71	test_vm_strict_host_tags.py
test_06_deploy_vm_on_any_host_with_strict_tags_failure	Failure	6.00	test_vm_strict_host_tags.py

[blueorangutan]

[SF] Trillian test result (tid-13144)
Environment: kvm-ol8 (x2), Advanced Networking with Mgmt server ol8
Total time taken: 60001 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr10543-t13144-kvm-ol8.zip
Smoke tests completed. 140 look OK, 1 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File
test_02_restore_vm_strict_tags_failure	Failure	54.31	test_vm_strict_host_tags.py
test_02_scale_vm_strict_tags_failure	Failure	62.75	test_vm_strict_host_tags.py
test_06_deploy_vm_on_any_host_with_strict_tags_failure	Failure	5.79	test_vm_strict_host_tags.py

[blueorangutan]

[SF] Trillian test result (tid-13141)
Environment: vmware-70u3 (x2), Advanced Networking with Mgmt server ol8
Total time taken: 68089 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr10543-t13141-vmware-70u3.zip
Smoke tests completed. 135 look OK, 6 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File
test_01_events_resource	Error	367.37	test_events_resource.py
test_deploy_more_vms_than_limit_allows	Error	159.26	test_deploy_vms_in_parallel.py
test_04_deploy_vm_for_other_user_and_test_vm_operations	Error	129.04	test_network_permissions.py
test_01_deployVMInSharedNetwork	Error	192.90	test_network.py
test_02_restore_vm_with_disk_offering	Error	61.52	test_restore_vm.py
test_03_restore_vm_with_disk_offering_custom_size	Error	58.28	test_restore_vm.py
test_02_restore_vm_strict_tags_failure	Failure	59.78	test_vm_strict_host_tags.py
test_02_restore_vm_strict_tags_failure	Error	59.78	test_vm_strict_host_tags.py
test_02_scale_vm_strict_tags_failure	Failure	65.01	test_vm_strict_host_tags.py
test_06_deploy_vm_on_any_host_with_strict_tags_failure	Failure	3.78	test_vm_strict_host_tags.py

[blueorangutan]

[SF] Trillian test result (tid-13146)
Environment: vmware-70u3 (x2), Advanced Networking with Mgmt server ol8
Total time taken: 65107 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr10543-t13146-vmware-70u3.zip
Smoke tests completed. 136 look OK, 5 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File
test_01_events_resource	Error	381.87	test_events_resource.py
test_04_deploy_vm_for_other_user_and_test_vm_operations	Error	125.40	test_network_permissions.py
test_01_deployVMInSharedNetwork	Error	184.58	test_network.py
test_02_restore_vm_with_disk_offering	Error	64.52	test_restore_vm.py
test_03_restore_vm_with_disk_offering_custom_size	Error	61.49	test_restore_vm.py
test_02_restore_vm_strict_tags_failure	Failure	64.76	test_vm_strict_host_tags.py
test_02_restore_vm_strict_tags_failure	Error	64.77	test_vm_strict_host_tags.py
test_02_scale_vm_strict_tags_failure	Failure	71.16	test_vm_strict_host_tags.py
test_06_deploy_vm_on_any_host_with_strict_tags_failure	Failure	5.95	test_vm_strict_host_tags.py

[blueorangutan]

[SF] Trillian test result (tid-13147)
Environment: xcpng82 (x2), Advanced Networking with Mgmt server ol9
Total time taken: 82685 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr10543-t13147-xcpng82.zip
Smoke tests completed. 135 look OK, 6 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File
test_01_condensed_drs_algorithm	Failure	182.00	test_cluster_drs.py
test_02_balanced_drs_algorithm	Failure	165.42	test_cluster_drs.py
ContextSuite context=TestSharedNetworkWithConfigDrive>:setup	Error	10.64	test_network.py
test_01_non_strict_host_anti_affinity	Error	255.06	test_nonstrict_affinity_group.py
test_02_non_strict_host_affinity	Error	124.97	test_nonstrict_affinity_group.py
test_02_create_volume	Error	3.30	test_resource_names.py
test_05_scale_vm_dont_allow_disk_offering_change	Failure	74.43	test_scale_vm.py
test_02_restore_vm_strict_tags_failure	Failure	75.89	test_vm_strict_host_tags.py
test_02_scale_vm_strict_tags_failure	Failure	97.75	test_vm_strict_host_tags.py
test_06_deploy_vm_on_any_host_with_strict_tags_failure	Failure	5.74	test_vm_strict_host_tags.py

[Pearl1594]

test run looks good to me - test failures noticed on this PR are also seen upstream and have been addressed in separated PRs.