Adding or enabling trusted platform module (TPM)

[veikkoeeva]

Hi!

Now that trusted platform modules (TPMs) are becoming more widely used, would it be possible to enable or configure a simular for them by default in virtual environments? This could help testing software and scripts that use them.

[miketimofeev]

Hi @veikkoeeva!
I'm afraid we don't have experience with TPM. Have you tried configuring it on Azure VMs?

[veikkoeeva]

Hi, @miketimofeev!

I'm afraid we don't have experience with TPM. Have you tried configuring it on Azure VMs?

Unfortunately no.

Context: Today I saw https://techcommunity.microsoft.com/t5/azure-confidential-computing/announcing-general-availability-of-azure-trusted-launch-for/ba-p/2871755. I also read https://docs.microsoft.com/en-us/azure/virtual-machines/trusted-launch, but I don't know how up-to-date it is (e.g. considering VM images). So it looks to me it should be possible to enable TPM on Azure virtual machines if this is a prerequisite.

I have some TPM related action code at https://github.com/lumoin/Verifiable/blob/main/.github/workflows/main.yml#L76. It asks from the system if TPM is enabled (the answer: no). I think I can't try to enable TPM in code since it would require a reboot.

So, I thought about skipping Windows and to install a TPM simulator from a Linux repository, but I run into D-Bus errors as detailed at tpm2-software/tpm2-abrmd#778 (comment).

I have been time-to-time wondering what would it take to automatically enable a TPM. As today I saw the aforementioned TPM link, I got myself finally on the move to write this discussion item here. I might think for testing purposes a simulator works just fine, but for a reason or another I can't get one installed on Linux, as noted in the other issue. A simulator for Windows is probably a bit more work since it'd need to be compiled from sources at https://github.com/microsoft/TSS.MSR.

Summa summarum: I wonder if there would a reason to not to provide either a TPM or a simulator? If it'd be possible to go ahead, what would it require in practice to provide either one?

[miketimofeev]

@veikkoeeva thanks for all the provided information. Could you try to spin up a VM in azure to use as a self-hosted runner and test if the functionality you need works there?

[veikkoeeva]

I will try to do it this week. I have an idea how to run a self-hosted GHA runner on Azure (neved done before). I report here then.

[veikkoeeva]

Coming fairly slowly, but seems to be this is also very recent addition to Azure. :) I created a small script to check VMs can be provisioned with TPM and then called a script checking vTPM (virtual TPM) is functional. This seems to be possible on many provided VMs. This requires having a suitable gen2 image and enabling trusted launch. These are listed at https://docs.microsoft.com/en-us/azure/virtual-machines/trusted-launch in more detail.

@miketimofeev What more should be known for GHA runners? I'm thinking that if more images should be checked and if there's specifically something that could come up with trying a private runner (since I seem to be very slow with getting this moving and thinking if I should specifically pay attention to something).

The script is as follows:

# az login
# az account list
# az account set --subscription <guid>

# az login --identity -u

$resourceGroupNameLinux = "TpmTesLinuxtRg"
$resourceGroupNameWindows = "TpmTesWindowsRg"
$location = "westeurope"
$vmNameLinux = "TpmTestvmLinux"
$vmNameWindowsServer = "TpmTestServer"
$vmSize = "Standard_B11ls"

Write-Output "Creating resource group `"$resourceGroupNameLinux`"..."
if((az group exists --name $resourceGroupNameLinux) -eq 'False')
{
    az group create `
        --name $resourceGroupNameLinux `
        --location $location

    Write-Output "Resource group `"$resourceGroupNameLinux`" created."
}
else
{
    Write-Output "Resource group `"$resourceGroupNameLinux`" exists and was not created."
}


Write-Output "Creating Linux virtual machine `"$vmNameLinux`"..."
if((az vm list --query "[?name=='$vmNameLinux'] | length(@)") -lt 1)
{
     az vm create `
        --resource-group $resourceGroupNameLinux `
        --location $location `
        --name $vmNameLinux  `
        --public-ip-sku Standard `
        --image Canonical:0001-com-ubuntu-server-focal:20_04-lts-gen2:latest `
        --admin-username azureuser123 `
        --generate-ssh-keys `
        --security-type trustedLaunch `
        --enable-secure-boot true `
        --enable-vtpm true

    Write-Output "Virtual machine `"$vmNameLinux`" created."
}
else
{
    Write-Output "Virtual machine `"$vmNameLinux`" exists and was not created."
}


Write-Host "Checking TPM status of `"$vmNameLinux`"..." -ForegroundColor Yellow
az vm run-command invoke `
    --resource-group $resourceGroupNameLinux `
    --name $vmNameLinux  --command-id RunShellScript `
    --scripts "sudo dmesg | grep -i tpm"


# Use "az vm image list --publisher MicrosoftWindowsServer --output table --all" to query suitable images.
Write-Output "Creating Windows server virtual machine `"$vmNameWindowsServer`"..."
if((az vm list --query "[?name=='$vmNameWindowsServer'] | length(@)") -lt 1)
{
     az vm create `
        --resource-group $resourceGroupNameWindows `
        --location $location `
        --name $vmNameWindowsServer  `
        --public-ip-sku Standard `
        --image MicrosoftWindowsServer:WindowsServer:2022-datacenter-g2:latest `
        --admin-username < snip > `
        --admin-password < snip > `
        --security-type trustedLaunch `
        --enable-secure-boot true `
        --enable-vtpm true

    Write-Output "Virtual machine `"$vmNameWindowsServer`" created."
}
else
{
    Write-Output "Virtual machine `"$vmNameWindowsServer`" exists and was not created."
}


Write-Host "Checking TPM status of `"$vmNameWindowsServer`"..." -ForegroundColor Yellow
az vm run-command invoke `
    --resource-group $resourceGroupNameWindows `
    --name $vmNameWindowsServer `
    --command-id RunPowerShellScript `
    --scripts "Get-Tpm"

[miketimofeev]

@veikkoeeva thanks for such a detailed explanation! I'm afraid we still use gen1 images as you can see from our packer templated (there should be -g2 postfix otherwise)
https://github.com/actions/virtual-environments/blob/9ec86a6e3e7696fff040cb80cf2cfaa589039019/images/win/windows2022.json#L59

So as a first step we need to migrate to g2 if it is possible and check whether TPM can be enabled after that or not. I'll try to check if we can switch to g2, but it will take some time, no ETA for now.

[veikkoeeva]

@miketimofeev Thanks for getting back! Next question, now that you kindly pointed out the templates that is there anything that prevents passing in

--security-type trustedLaunch `
--enable-secure-boot true `
--enable-vtpm true

and changing to gen2 images?

I could imagine the bigger issue is changing to gen2 images. I tried to look at about this gen1-gen2 thing and didn't see a problem on migrating. I might be wrong too, though.

[miketimofeev]

@veikkoeeva I tried to build g2 image and it turned out that unmanaged disks are not supported. This is a blocker for us as we can't migrate everything to managed disks at the moment.
https://github.visualstudio.com/virtual-environments/_build/results?buildId=120335&view=logs&j=011e1ec8-6569-5e69-4f06-baf193d1351e&t=5431112d-2b61-5a5f-7042-ef698f761043

[veikkoeeva]

I add a screenshot that confirms this.

Seeing also the Packer warning, this dance may require a bit more coordination. But I think now the basics at least have been established. Thanks for your time and going through the trouble, @miketimofeev!

[veikkoeeva]

We have no plans to use managed vms so far.

from #6783 (comment)

[veikkoeeva]

from #5104 one comment

Microsoft has announced the below:

As of November 18, 2022, new customer subscriptions won't be eligible to create unmanaged disks.
As of September 30, 2023, existing customers won't be able to create new unmanaged disks.
On September 30, 2025, customers will no longer be able to start IaaS VMs by using unmanaged disks. Any VMs that are still running or allocated will be stopped and deallocated.

[veikkoeeva]

#8221

New unmanaged disks cannot be created after Sept 30th, 2023

[veikkoeeva]

@veikkoeeva thanks for such a detailed explanation! I'm afraid we still use gen1 images as you can see from our packer templated (there should be -g2 postfix otherwise) https://github.com/actions/virtual-environments/blob/9ec86a6e3e7696fff040cb80cf2cfaa589039019/images/win/windows2022.json#L59

So as a first step we need to migrate to g2 if it is possible and check whether TPM can be enabled after that or not. I'll try to check if we can switch to g2, but it will take some time, no ETA for now.

Updating the link, it appears the image template line is now at https://github.com/actions/runner-images/blob/main/images/windows/templates/windows-2022.pkr.hcl#L160 .

[jbaublitz]

We've bumped into a similar need for TPM testing in our Github Actions infrastructure. I stumbled across this discussion and just wanted to confirm that the work being done here would eventually be available in Github-hosted runners if it's able to be done, is that correct?