<fix>[crypto]: clean TPM key ref on VM destroy

compute/src/main/java/org/zstack/compute/vm/VmInstanceBase.java

@@ -7,6 +7,7 @@
 import org.springframework.dao.DataIntegrityViolationException;
 import org.springframework.transaction.annotation.Transactional;
 import org.zstack.compute.allocator.HostAllocatorManager;
+import org.zstack.compute.vm.devices.VmTpmManager;
 import org.zstack.core.Platform;
 import org.zstack.core.asyncbatch.While;
 import org.zstack.core.cascade.CascadeConstant;
@@ -142,6 +143,8 @@ public class VmInstanceBase extends AbstractVmInstance {
     private VmInstanceResourceMetadataManager vidm;
     @Autowired
     private NetworkServiceManager nwServiceMgr;
+    @Autowired
+    private VmTpmManager vmTpmManager;
 
     protected VmInstanceVO self;
     protected VmInstanceVO originalCopy;
@@ -1272,6 +1275,8 @@ public void handle(Map data) {
                 CollectionUtils.safeForEach(pluginRgty.getExtensionList(VmAfterExpungeExtensionPoint.class),
                         arg -> arg.vmAfterExpunge(inv));
 
+                final String tpmUuidForEncryptedKeyRef = vmTpmManager.findTpmUuidForVmOrNull(self.getUuid());
+
                 callVmJustBeforeDeleteFromDbExtensionPoint();
 
                 dbf.reload(self);
@@ -1283,6 +1288,9 @@ public void handle(Map data) {
                 if (inv.getRootVolumeUuid() != null) {
                     dbf.eoCleanup(VolumeVO.class, inv.getRootVolumeUuid());
                 }
+                if (tpmUuidForEncryptedKeyRef != null) {
+                    vmTpmManager.deleteResourceKeyRefForTpm(tpmUuidForEncryptedKeyRef);
+                }
                 completion.success();
             }
         }).error(new FlowErrorHandler(completion) {
@@ -2582,12 +2590,17 @@ public void success() {
                     if (self.getState() != VmInstanceState.Destroyed) {
                         changeVmStateInDb(VmInstanceStateEvent.destroyed);
                     }
+                    final String tpmUuidForEncryptedKeyRef = vmTpmManager.findTpmUuidForVmOrNull(self.getUuid());
                     callVmJustBeforeDeleteFromDbExtensionPoint();
                     dbf.removeCollection(self.getVmCdRoms(), VmCdRomVO.class);
                     dbf.remove(getSelf());
                     dbf.eoCleanup(VmInstanceVO.class, self.getUuid());
+                    if (tpmUuidForEncryptedKeyRef != null) {
+                        vmTpmManager.deleteResourceKeyRefForTpm(tpmUuidForEncryptedKeyRef);
+                    }
                 } else if (deletionPolicy == VmInstanceDeletionPolicy.DBOnly || deletionPolicy == VmInstanceDeletionPolicy.KeepVolume) {
                     String accountUuid = acntMgr.getOwnerAccountUuidOfResource(inv.getUuid());
+                    final String tpmUuidForEncryptedKeyRef = vmTpmManager.findTpmUuidForVmOrNull(self.getUuid());
                     new SQLBatch() {
                         @Override
                         protected void scripts() {
@@ -2599,6 +2612,9 @@ protected void scripts() {
                                     .hardDelete();
                             sql(VmCdRomVO.class).eq(VmCdRomVO_.vmInstanceUuid, self.getUuid()).hardDelete();
                             sql(VmInstanceVO.class).eq(VmInstanceVO_.uuid, self.getUuid()).hardDelete();
+                            if (tpmUuidForEncryptedKeyRef != null) {
+                                vmTpmManager.deleteResourceKeyRefForTpm(tpmUuidForEncryptedKeyRef);
+                            }
                         }
                     }.execute();
                     callVmJustAfterDeleteFromDbExtensionPoint(inv, accountUuid);

compute/src/main/java/org/zstack/compute/vm/devices/DummyEncryptedResourceKeyManager.java

@@ -23,4 +23,9 @@ public void getOrCreateKey(GetOrCreateResourceKeyContext ctx,
     public void rollbackCreatedKey(ResourceKeyResult result, Completion completion) {
         completion.success();
     }
+
+    @Override
+    public void deleteRef(String resourceType, String resourceUuid) {
+        // do-nothing
+    }
 }

compute/src/main/java/org/zstack/compute/vm/devices/VmTpmExtensions.java

@@ -70,11 +70,7 @@ public void afterRollbackPersistVmInstanceVO(VmInstanceVO vo, CreateVmInstanceMs
         new SQLBatch() {
             @Override
             protected void scripts() {
-                try {
-                    resourceKeyBackend.detachKeyProviderFromTpm(tpmUuid);
-                } finally {
-                    vmTpmManager.deleteTpmVO(tpmUuid);
-                }
+                vmTpmManager.deleteTpmAndResourceKeyRef(tpmUuid);
             }
         }.execute();
     }

compute/src/main/java/org/zstack/compute/vm/devices/VmTpmManager.java

@@ -5,6 +5,7 @@
 import org.zstack.core.db.DatabaseFacade;
 import org.zstack.core.db.Q;
 import org.zstack.header.image.ImageBootMode;
+import org.zstack.header.keyprovider.EncryptedResourceKeyManager;
 import org.zstack.header.tpm.entity.TpmVO;
 import org.zstack.header.tpm.entity.TpmVO_;
 import org.zstack.resourceconfig.ResourceConfig;
@@ -23,6 +24,8 @@ public class VmTpmManager {
     private DatabaseFacade databaseFacade;
     @Autowired
     private ResourceConfigFacade resourceConfigFacade;
+    @Autowired
+    private EncryptedResourceKeyManager resourceKeyManager;
 
     public TpmVO persistTpmVO(String tpmUuid, String vmUuid) {
         if (tpmUuid == null) {
@@ -42,6 +45,34 @@ public void deleteTpmVO(String tpmUuid) {
         databaseFacade.removeByPrimaryKey(tpmUuid, TpmVO.class);
     }
 
+    public String findTpmUuidForVmOrNull(String vmInstanceUuid) {
+        return Q.New(TpmVO.class)
+                .eq(TpmVO_.vmInstanceUuid, vmInstanceUuid)
+                .select(TpmVO_.uuid)
+                .findValue();
+    }
+
+    public void deleteResourceKeyRefForTpm(String tpmUuid) {
+        if (tpmUuid == null) {
+            return;
+        }
+        try {
+            resourceKeyManager.deleteRef(TpmVO.class.getSimpleName(), tpmUuid);
+        } catch (Throwable t) {
+            logger.warn(String.format(
+                    "failed to delete encrypted resource key ref for TPM[uuid:%s]; continuing VM cleanup: %s",
+                    tpmUuid, t.getMessage()), t);
+        }
+    }
+
+    public void deleteTpmAndResourceKeyRef(String tpmUuid) {
+        try {
+            deleteResourceKeyRefForTpm(tpmUuid);
+        } finally {
+            deleteTpmVO(tpmUuid);
+        }
+    }
+
     /**
      * @param bootMode boot mode, null is Legacy
      */

header/src/main/java/org/zstack/header/keyprovider/EncryptedResourceKeyManager.java

@@ -34,10 +34,17 @@ void getOrCreateKey(GetOrCreateResourceKeyContext ctx,
      */
     void rollbackCreatedKey(ResourceKeyResult result, Completion completion);
 
+    /**
+     * Delete the resource-to-key-provider relationship for the specified resource.
+     * This only removes the persisted ref record and does not delete the remote secret.
+     */
+    void deleteRef(String resourceType, String resourceUuid);
+
     class GetOrCreateResourceKeyContext {
         private String resourceUuid;
         private String resourceType;
         private String keyProviderUuid;
+        private String keyProviderName;
         private String purpose;
 
         public String getResourceUuid() {
@@ -64,6 +71,14 @@ public void setKeyProviderUuid(String keyProviderUuid) {
             this.keyProviderUuid = keyProviderUuid;
         }
 
+        public String getKeyProviderName() {
+            return keyProviderName;
+        }
+
+        public void setKeyProviderName(String keyProviderName) {
+            this.keyProviderName = keyProviderName;
+        }
+
         public String getPurpose() {
             return purpose;
         }

plugin/kvm/src/main/java/org/zstack/kvm/tpm/KvmTpmExtensions.java

@@ -173,7 +173,7 @@ public void fail(ErrorCode errorCode) {
             @Override
             public boolean skip(Map data) {
                 boolean shouldSkip = VmGlobalConfig.ALLOWED_TPM_VM_WITHOUT_KMS.value(Boolean.class) &&
-                        (StringUtils.isBlank(context.providerUuid) || StringUtils.isBlank(context.providerName));
+                        (StringUtils.isBlank(context.providerUuid) && StringUtils.isBlank(context.providerName));
                 if (shouldSkip) {
                     logger.info("skip create-dek: allowed.tpm.vm.without.kms is enabled and no KMS provider bound");
                 }
@@ -182,7 +182,7 @@ public boolean skip(Map data) {
 
             @Override
             public void run(FlowTrigger trigger, Map data) {
-                if (StringUtils.isBlank(context.providerUuid) || StringUtils.isBlank(context.providerName)) {
+                if (StringUtils.isBlank(context.providerUuid) && StringUtils.isBlank(context.providerName)) {
                     trigger.fail(operr("missing TPM resource key binding for tpm[uuid:%s], attachKeyProviderToTpm must run before create-dek", context.tpmUuid));
                     return;
                 }
@@ -191,13 +191,15 @@ public void run(FlowTrigger trigger, Map data) {
                 keyCtx.setResourceUuid(context.tpmUuid);
                 keyCtx.setResourceType(TpmVO.class.getSimpleName());
                 keyCtx.setKeyProviderUuid(context.providerUuid);
+                keyCtx.setKeyProviderName(context.providerName);
                 keyCtx.setPurpose("vtpm");
 
                 resourceKeyManager.getOrCreateKey(keyCtx, new ReturnValueCompletion<ResourceKeyResult>(trigger) {
                     @Override
                     public void success(ResourceKeyResult result) {
                         tpmSpec.setResourceKeyCreatedNew(result.isCreatedNewKey());
                         tpmSpec.setResourceKeyProviderUuid(result.getKeyProviderUuid());
+                        context.providerUuid = result.getKeyProviderUuid();
                         context.providerName = result.getKeyProviderName();
                         context.dekBase64 = result.getDekBase64();
                         trigger.next();

plugin/kvm/src/main/java/org/zstack/kvm/tpm/KvmTpmManager.java

@@ -241,7 +241,11 @@ private void addTpmToVm(AddTpmToVmContext context, Completion completion) {
                 })
                 .rollback(trigger -> {
                     if (context.tpmCreated && context.createdTpmUuid != null) {
-                        vmTpmManager.deleteTpmVO(context.createdTpmUuid);
+                        if (context.keyProviderAttached) {
+                            vmTpmManager.deleteTpmAndResourceKeyRef(context.createdTpmUuid);
+                        } else {
+                            vmTpmManager.deleteTpmVO(context.createdTpmUuid);
+                        }
                     }
                     trigger.rollback();
                 })
@@ -392,7 +396,7 @@ public void done(ErrorCodeList errorCodeList) {
                 .build())
             .then(Flow.of("detach-resource-key")
                 .handle(trigger -> {
-                    tpmKeyBackend.detachKeyProviderFromTpm(context.tpmUuid);
+                    vmTpmManager.deleteResourceKeyRefForTpm(context.tpmUuid);
                     trigger.next();
                 })
                 .build())

sdk/src/main/java/org/zstack/sdk/keyprovider/api/RekeyKeyProviderRefsResult.java

@@ -27,6 +27,14 @@ public int getSkippedCount() {
         return this.skippedCount;
     }
 
+    public int failedCount;
+    public void setFailedCount(int failedCount) {
+        this.failedCount = failedCount;
+    }
+    public int getFailedCount() {
+        return this.failedCount;
+    }
+
     public java.util.List skippedResources;
     public void setSkippedResources(java.util.List skippedResources) {
         this.skippedResources = skippedResources;
@@ -35,4 +43,12 @@ public java.util.List getSkippedResources() {
         return this.skippedResources;
     }
 
+    public java.util.List failedResources;
+    public void setFailedResources(java.util.List failedResources) {
+        this.failedResources = failedResources;
+    }
+    public java.util.List getFailedResources() {
+        return this.failedResources;
+    }
+
 }