Suppot TPM

[futuretea]

Related issues
harvester/harvester#2910

Test plan

• Setup test env by https://github.com/harvester/terraform-provider-harvester/wiki/PR-Test-Env-Setup for Reviwer
• Setup test env by https://github.com/harvester/terraform-provider-harvester/wiki/Use-the-master-head-docker-image-for-testing for Tester

Linux

• Create a test config file in the test container

vim linux.tf

resource "harvester_image" "ubuntu20" {
  name      = "ubuntu20"
  namespace = "harvester-public"

  display_name = "ubuntu-20.04-server-cloudimg-amd64.img"
  source_type  = "download"
  url          = "http://cloud-images.ubuntu.com/releases/focal/release/ubuntu-20.04-server-cloudimg-amd64.img"
}

resource "harvester_virtualmachine" "tf-test" {
  name                 = "tf-test"
  namespace            = "default"
  restart_after_update = true

  description = "test terraform provider"
  tags = {
    ssh-user = "ubuntu"
  }

  cpu    = 2
  memory = "2Gi"

  efi         = true
  secure_boot = true

  run_strategy    = "RerunOnFailure"
  hostname        = "tf-test"
  reserved_memory = "100Mi"
  machine_type    = "q35"

  network_interface {
    name           = "nic-1"
    wait_for_lease = true
  }

  disk {
    name       = "rootdisk"
    type       = "disk"
    size       = "10Gi"
    bus        = "virtio"
    boot_order = 1

    image       = harvester_image.ubuntu20.id
    auto_delete = true
  }

  tpm {}

  cloudinit {
    user_data    = <<-EOF
      #cloud-config
      password: 123456
      chpasswd:
        expire: false
      ssh_pwauth: true
      EOF
    network_data = ""
  }
}

• apply

terraform apply -auto-approve

• check the tpm device in the vm

ls -l /dev/tmp*

Windows

data "harvester_image" "win11" {
  display_name      = "win11_22h2_english_x64v1.iso"
  namespace = "harvester-public"
}

resource "harvester_virtualmachine" "tf-win11-test" {
  name                 = "tf-win11-test"
  namespace            = "default"
  restart_after_update = true

  cpu    = 8
  memory = "16Gi"

  efi         = true
  secure_boot = true

  run_strategy    = "RerunOnFailure"
  hostname        = "tf-win11-test"
  reserved_memory = "512Mi"
  machine_type    = "q35"

  network_interface {
    name           = "nic-1"
    wait_for_lease = true
  }

  disk {
    name       = "cdrom-disk"
    type       = "cd-rom"
    size       = "10Gi"
    bus        = "sata"
    boot_order = 1

    image       = data.harvester_image.win11.id
    auto_delete = true
  }

  disk {
    name       = "rootdisk"
    type       = "disk"
    size       = "50Gi"
    bus        = "virtio"
    boot_order = 2

    auto_delete = true
  }

  disk {
    name       = "virtio-container-disk"
    type       = "cd-rom"
    bus        = "sata"
    boot_order = 3
    container_image_name = "registry.suse.com/suse/vmdp/vmdp:2.5.3"

    auto_delete = true
  }

  input {
    name = "tablet"
    type = "tablet"
    bus  = "usb"
  }
  tpm {}
}

• apply

terraform apply -auto-approve

• check the windows 11 installation

Note:

1. windows 11 need efi and secure_boot
2. don't miss this: https://docs.harvesterhci.io/v1.1/vm/create-windows-vm#windows-iso-unable-to-boot-when-using-efi-mode

shortly after a prompt to “Press any key to boot from CD or DVD…”.
You have a few seconds to do so or the VM will fail to boot

[masteryyh]

LGTM, tested with command below

ubuntu@tf-test:~$ ls -l /dev/tpm*
crw-rw---- 1 tss root  10,   224 Mar  7 03:47 /dev/tpm0
crw-rw---- 1 tss tss  253, 65536 Mar  7 03:47 /dev/tpmrm0

[guangbochen]

can we add the tpm config to the TF doc? thanks.

[futuretea]

can we add the tpm config to the TF doc? thanks.

Added

[guangbochen]

LGTM, also need to add the following note to the doc according to the upstream doc.

When customizing this VMI definition or creating your own, please keep in mind that the TPM device and the UEFI firmware with SecureBoot are both hard requirements of Windows 11. Not having them will cause the Windows 11 installation to fail early. Please also note that the SMM CPU feature is required for UEFI + SecureBoot. However, they can all be omitted in the case of a Windows 10 VM(I). Finally, we do not currently support TPM persistence, so any secret stored in the emulated TPM will be lost next time you boot the VMI. For example, do not enable BitLocker, as it will fail to find the encryption key next boot and you will have to manually enter the (55 characters!) recovery key each boot.