Google TPM: initial commit to support Google vTPM

README.md

@@ -13,11 +13,11 @@
 ## 2. Features
 
 - Support Attestation through Integrity Measurement Architecture (IMA): Ensure the integrity of Confidential Virtual Machine (CVM) instances through robust attestation mechanisms leveraging Integrity Measurement Architecture (IMA). It provides trusted primitives (measurement, eventlog, quote) of CVM. All below steps are supposed to run in a CVM, such as Intel® TD.
-  
+
 - Support `cloud-init` for seamless initial state setting for CVMs: Utilize `cloud-init` for effortless setup of initial states for Confidential Virtual Machines (CVMs), ensuring a smooth and consistent bootstrapping process.
 
 - Support `Terraform`-alike deployment: Facilitate easy and efficient deployment of Confidential Virtual Machines (CVMs) with support for Terraform-like infrastructure provisioning.
-  
+
 - Support seamless Transformation of Ubuntu and Debian Images into CVM Images: Effortlessly convert regular Ubuntu and Debian images into secure and trusted Confidential Virtual Machine (CVM) images, ensuring compatibility and reliability.
 
 - Support Rust and Python modes
@@ -27,8 +27,9 @@
 
 ## 3. Getting Started
 
-VMSDK is supposed to provide VM image rewrite to CVM image, and provide trusted primitives (measurement, eventlog, quote) of CVM.
-All below steps are supposed to run in a CVM, such as Intel® TD.
+VMSDK is supposed to provide VM image rewrite to CVM image, and provide trusted primitives (measurement, eventlog, quote)
+of CVM.
+All below steps are supposed to run in a CVM, such as Intel® TD with native CCEL and RTMR as trusted foundation.
 
 ### Installation
 
@@ -48,7 +49,7 @@
 
 ### Run CLI tool
 
-It provides 3 CLI tools for quick usage of Python VMSDK. 
+It provides 3 CLI tools for quick usage of Python VMSDK.
 
 - [cc_event_log_cli.py](./src/python/cc_event_log_cli.py): Print event log of CVM.
 - [cc_imr_cli.py](./src/python/cc_imr_cli.py): Print algorithm and hash od Integrity Measurement Registers (IMR).
@@ -85,14 +86,26 @@
 
 _NOTE: The tests need to run via root user._
 
-### Test the CVM image 
 
-```
-$ ./qemu-test.sh -i /path-to-your-cvm-qcow2/td.qcow2 -k /path-to-your-td-guest-os/vmlinuz -r /dev/vda1 
-```
+## 4. Run in Google TDX VM environment with vTPM
+
+Google TDX VM does not support CCEL and RTMR yet, but only support vTPM. So this
+SDK will get event log and integrated measurement register from vTPM by default.
+
+Please install following pre-requisite for Google TDVM with Ubuntu 22.04 distro:
+
+``
+sudo apt install libtss-dev
+sudo python3 -m pip install tpm2-pytss
+``
+
+- Dump the PCR (IMR) in Google' TDX instance as follows:
+![](/docs/gogle_tdx_tpm_dump_imr.png)
 
+- Dump the TPM event log in Google's TDX instance as follows:
+![](/docs/gogle_tdx_tpm_dump_eventlog.png)
 
-## 4. License
+## 5. License
 This project is licensed under the Apache 2.0 License.
 
 ## 5. Contact

src/python/cc_event_log_cli.py

@@ -44,7 +44,7 @@ def main():
     LOG.info("Replayed result of collected event logs:")
     # pylint: disable-next=C0201
     for key in res.keys():
-        LOG.info("RTMR[%d]: ", key)
+        LOG.info("IMR[%d]: ", key)
         LOG.info("     %s", res.get(key).get(12).hex())
 
     LOG.info("Dump collected event logs:")

src/python/cctrusted_vm/cvm.py

@@ -101,6 +101,8 @@ def detect_cc_type():
         for devpath in TdxVM.DEVICE_NODE_PATH.values():
             if os.path.exists(devpath):
                 return CCTrustedApi.TYPE_CC_TDX
+        if os.path.exists(TpmVM.DEFAULT_TPM_DEVICE_NODE):
+            return CCTrustedApi.TYPE_CC_TPM
         return CCTrustedApi.TYPE_CC_NONE
 
     @abstractmethod
@@ -233,6 +235,8 @@ def inst():
             cc_type = ConfidentialVM.detect_cc_type()
             if cc_type is CCTrustedApi.TYPE_CC_TDX:
                 obj = TdxVM()
+            elif cc_type is CCTrustedApi.TYPE_CC_TPM:
+                obj = TpmVM()
             else:
                 LOG.error("Unsupported confidential environment.")
                 return None
@@ -243,6 +247,43 @@ def inst():
                 LOG.error("Fail to initialize the confidential VM.")
         return ConfidentialVM._inst
 
+from tpm2_pytss import ESAPI
+from cctrusted_base.tpm.pcr import TpmPCR
+
+class TpmVM(ConfidentialVM):
+
+    DEFAULT_TPM_DEVICE_NODE="/dev/tpm0"
+    BIOS_MEAUSREMENT="/sys/kernel/security/tpm0/binary_bios_measurements"
+
+    def __init__(self, dev_node=DEFAULT_TPM_DEVICE_NODE):
+        ConfidentialVM.__init__(self, CCTrustedApi.TYPE_CC_TPM)
+        self._dev_node = dev_node
+        self._esapi = ESAPI("device:" + dev_node)
+
+    @property
+    def default_algo_id(self):
+        return TcgAlgorithmRegistry.TPM_ALG_SHA256
+
+    def process_cc_report(self, report_data=None) -> bool:
+        """
+        For TPM, we do not need to get integrited measurement register
+        """
+        for index in range(24):
+            _, _, digests = self._esapi.pcr_read("sha256:%d" % index)
+            assert digests.count == 1
+            self._imrs[index] = TpmPCR(index, bytes.fromhex(str(digests.digests[0])))
+        return True
+
+    def process_eventlog(self) -> bool:
+        try:
+            with open(TpmVM.BIOS_MEAUSREMENT, "rb") as f:
+                self._boot_time_event_log = f.read()
+                assert len(self._boot_time_event_log) > 0
+        except (PermissionError, OSError):
+            LOG.error("Need root permission to open file %s", TdxVM.BIOS_MEAUSREMENT)
+            return False
+        return True
+
 class TdxVM(ConfidentialVM):
 
     DEVICE_NODE_PATH = {

src/python/requirements.txt

@@ -1,2 +1,3 @@
 cctrusted_base
 pytest
+tpm2-pytss