Trusted Platform Module Support

[vltmn]

We are working on integrating Trusted Platform Module device support for Firecracker as part of our master's thesis.
Our fork currently has working functionality for a TPM over virtio, to match the FC device model in comparison to implementing a hardware interface such as CRB or TIS.
One caveat with this is that there is no mainline Linux support for virtio-tpm. However Google have implemented a driver in their ChromeOS Linux fork [1].
They have also made efforts to merge it into Linux mainline, but the request was not accepted [2]. In our testing we have compiled the mainline linux kernel and only adding that specific driver which works fine.

As mentioned, the hypervisor changes are simple and fits the virtio architecture in the project well. In practice this can be used in conjunction with Linux IMA to have integrity-verified workloads in Firecracker.

Is there interest to try to get this merged into upstream? We are of course willing to work together to get the changes up to the quality of the rest of the project.

[paigeadelethompson]

Hey @vltmn

IMA/EVM is a topic that I'm particularly interested in. This is cool that you're working on TPM support for Firecracker. I'm curious if you've given any consideration to something like swtpm for guests? Do you have a time frame for when you will be submitting your thesis and if so do you suspect you will want to submit a pull request for firecracker?

[vltmn]

Hi @paigeadelethompson
We are actually using swtpm as the vTPM implementation in the project. We connect to an swtpm process on the host using a UNIX socket.
I believe this image explains it a bit:

We do not plan to submit a PR during the project, as we are presenting it this very week. Therefore it would be too much external dependencies. We might however submit it if there is interest from the Firecracker team, but as we have not seen any interest since posting the issue, there might not be any interest.

[xmarcalx]

Hi @vltmn ,

Thank you very much for your contribution. Sorry for the late reply.

Can you tell us a bit more about your usecase?
Honestly speaking at the moment we did not have any actual usecase for this functionality that is why we didn't look at this possibility before. The technology does not seems also mature at the moment, and requiring a custom kernel to run Firecracker may hinder the utility of the functionality itself but we are curious to learn more about it.
At the same TPMs are very hw specific components which do not often scale with the numbers of clouds that is why usually supporting specific HW accelerated product in Firecracker is hard. because you need to passthrough the device and/or trade-off memory and CPU overcommitting capabilities.
For example, can virtio-tpm be safely used in a multi-tenant environment?

[vltmn]

Hi @xmarcalx,
Thank for getting back to me. Regarding the usecase, one thing to keep in mind is that we are not actual users of Firecracker, but have done research within TPMs for Firecracker. The main idea is to support integrity-verified workloads in PaaS environments, similar to how it is supported in IaaS environments (w/ AWS EC2 NitroTPM, GCP Shielded VMs etc). With Firecracker posing as one of the more isolated PaaS virtualisation primitives, it works well in this scenario.

Regarding HW passthrough/ HW TPM, our project brings emulated TPMs/virtual TPMs (vTPM) to Firecracker and does not intend to passthrough a hardware device. Consider something similar to NitroTPM here for a platform-specific implementation.
During our development, we use swtpm by IBM as it is open-source.

To address the maturity concern, the different components included and their maturity properties are:

• Firecracker w/ virtio-tpm device support
  Our contribution
• swtpm (used vtpm implementation)
  IBM-supported implementation that has been around for ~5 years
  Not required specifically but fills the vTPM implementation requirement.
• virtio-tpm (Linux driver to use within guest for TPM driver)
  Used within ChromeOS Linux since 2019, though not merged to mainline Linux (Linux Mailing list conversation).

A small correction regarding the custom kernel is that there is no need for a custom kernel on the host, but only in the guest. For the host mainline Linux can be used.

And lastly, regarding multi-tenancy, it is largely dependent on the vTPM implementation used. The implementation used specifically(swtpm) can be considered mature. Platform-specific implementations such as NitroTPM is already used in EC2 etc. It is also dependent on the actual Firecracker implementation of the device, which is what our contributions are.

I hope this answers your questions.

[xmarcalx]

Hi @vltmn ,

Thank you very much for coming back to me.

All your points make sense, thanks for the explanation. Yeah i can confirm that we never had the request to support integrity verified functions (we are more of a FaaS), but it is definitely an interesting topic.

I added the label to track it as a new request. Unfortunately we do not have timelines defined for such feature yet because of course will depend on the business need too. Meanwhile we always encourage people to post PR if they already have the code, because it is also a way to have feedback from the broader developer community and we can help integration at least with reviews.