Feature: implement swtpm in runc

Dockerfile

@@ -1,6 +1,8 @@
 ARG GO_VERSION=1.23
 ARG BATS_VERSION=v1.11.0
 ARG LIBSECCOMP_VERSION=2.5.6
+ARG SWTPM_VERSION=0.10.1
+ARG LIBTPMS_VERSION=0.10.0
 
 FROM golang:${GO_VERSION}-bookworm
 ARG DEBIAN_FRONTEND=noninteractive
@@ -36,6 +38,24 @@ RUN KEYFILE=/usr/share/keyrings/criu-repo-keyring.gpg; \
         gcc-powerpc64le-linux-gnu libc-dev-ppc64el-cross \
         gcc-s390x-linux-gnu libc-dev-s390x-cross \
         gcc-riscv64-linux-gnu libc-dev-riscv64-cross \
+    && apt-get install -y --no-install-recommends \
+        automake \
+        autoconf \
+        libtool \
+        libssl-dev \
+        dh-exec \
+    && apt-get install -y --no-install-recommends \
+        dh-autoreconf \
+        libtasn1-6-dev \
+        net-tools \
+        libgnutls28-dev \
+        libjson-glib-dev \
+        expect \
+        socat \
+        libseccomp-dev \
+        libfuse-dev \
+        libglib2.0-dev \
+        gnutls-bin \
     && apt-get clean \
     && rm -rf /var/cache/apt /var/lib/apt/lists/* /etc/apt/sources.list.d/*.list
 
@@ -63,6 +83,11 @@ ENV LIBSECCOMP_VERSION=$LIBSECCOMP_VERSION
 ENV LD_LIBRARY_PATH=/opt/libseccomp/lib
 ENV PKG_CONFIG_PATH=/opt/libseccomp/lib/pkgconfig
 
+ARG SWTPM_VERSION
+ARG LIBTPMS_VERSION
+COPY script/swtpm.sh /tmp/script/
+RUN /tmp/script/swtpm.sh "$SWTPM_VERSION" "$LIBTPMS_VERSION"
+
 # Prevent the "fatal: detected dubious ownership in repository" git complain during build.
 RUN git config --global --add safe.directory /go/src/github.com/opencontainers/runc
 

Makefile

@@ -58,6 +58,10 @@ GO_BUILD_STATIC := $(GO) build $(TRIMPATH) $(GO_BUILDMODE_STATIC) \
 
 GPG_KEYID ?= [email protected]
 
+RUN_IN_CONTAINER_MAJOR ?= 100
+RUN_IN_CONTAINER_MAJOR_SECOND ?= 101
+RUN_IN_CONTAINER_MINOR ?= 1
+
 # Some targets need cgo, which is disabled by default when cross compiling.
 # Enable cgo explicitly for those.
 # Both runc and libcontainer/integration need libcontainer/nsenter.
@@ -67,6 +71,8 @@ ifneq (,$(filter $(BUILDTAGS),seccomp))
 seccompagent: export CGO_ENABLED=1
 endif
 
+tpm-helper: export CGO_ENABLED=0
+
 .DEFAULT: runc
 
 .PHONY: runc
@@ -87,7 +93,7 @@ TESTBINDIR := tests/cmd/_bin
 $(TESTBINDIR):
 	mkdir $(TESTBINDIR)
 
-TESTBINS := recvtty sd-helper seccompagent fs-idmap pidfd-kill remap-rootfs key_label
+TESTBINS := recvtty sd-helper seccompagent fs-idmap pidfd-kill remap-rootfs key_label tpm-helper
 .PHONY: test-binaries $(TESTBINS)
 test-binaries: $(TESTBINS)
 $(TESTBINS): $(TESTBINDIR)
@@ -155,6 +161,9 @@ unittest: runcimage
 		-t --privileged --rm \
 		-v /lib/modules:/lib/modules:ro \
 		-v $(CURDIR):/go/src/$(PROJECT) \
+		--device=/dev/cuse --device-cgroup-rule "c $(RUN_IN_CONTAINER_MAJOR):$(RUN_IN_CONTAINER_MINOR) rwm" \
+		-e "RUN_IN_CONTAINER_MAJOR=$(RUN_IN_CONTAINER_MAJOR)" \
+		-e "RUN_IN_CONTAINER_MINOR=$(RUN_IN_CONTAINER_MINOR)" \
 		$(RUNC_IMAGE) make localunittest TESTFLAGS="$(TESTFLAGS)"
 
 .PHONY: localunittest
@@ -167,6 +176,11 @@ integration: runcimage
 		-t --privileged --rm \
 		-v /lib/modules:/lib/modules:ro \
 		-v $(CURDIR):/go/src/$(PROJECT) \
+		--device=/dev/cuse --device-cgroup-rule "c $(RUN_IN_CONTAINER_MAJOR):$(RUN_IN_CONTAINER_MINOR) rwm" \
+		--device-cgroup-rule "c $(RUN_IN_CONTAINER_MAJOR_SECOND):$(RUN_IN_CONTAINER_MINOR) rwm" \
+		-e "RUN_IN_CONTAINER_MAJOR=$(RUN_IN_CONTAINER_MAJOR)" \
+		-e "RUN_IN_CONTAINER_MAJOR_SECOND=$(RUN_IN_CONTAINER_MAJOR_SECOND)" \
+		-e "RUN_IN_CONTAINER_MINOR=$(RUN_IN_CONTAINER_MINOR)" \
 		$(RUNC_IMAGE) make localintegration TESTPATH="$(TESTPATH)"
 
 .PHONY: localintegration

go.mod

@@ -9,6 +9,7 @@ require (
 	github.com/cyphar/filepath-securejoin v0.4.1
 	github.com/docker/go-units v0.5.0
 	github.com/godbus/dbus/v5 v5.1.0
+	github.com/google/go-tpm v0.0.0-00010101000000-000000000000
 	github.com/moby/sys/capability v0.4.0
 	github.com/moby/sys/mountinfo v0.7.2
 	github.com/moby/sys/user v0.4.0
@@ -32,3 +33,7 @@ require (
 	github.com/cpuguy83/go-md2man/v2 v2.0.7 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 )
+
+replace github.com/google/go-tpm => github.com/everzakov/go-tpm v0.0.0-20250815102554-13e640365049
+
+replace github.com/opencontainers/runtime-spec => github.com/everzakov/runtime-spec v0.0.0-20250816064520-f0885e035161

go.sum

@@ -16,13 +16,19 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
 github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
+github.com/everzakov/go-tpm v0.0.0-20250815102554-13e640365049 h1:TOFYpbcgHw260lHT+hW7k97Ri7i/+UfEuQW7/3GBb8E=
+github.com/everzakov/go-tpm v0.0.0-20250815102554-13e640365049/go.mod h1:h9jEsEECg7gtLis0upRBQU+GhYVH6jMjrFxI8u6bVUY=
+github.com/everzakov/runtime-spec v0.0.0-20250816064520-f0885e035161 h1:B4CMvhQY1Sijg20viaZo4jy267Mo8/Z+huqx9x3rd7A=
+github.com/everzakov/runtime-spec v0.0.0-20250816064520-f0885e035161/go.mod h1:Kbvgc27P6fS+ifaBC6lxYMD2hmLwpmWT4+fJCvyJvRg=
 github.com/go-quicktest/qt v1.101.0 h1:O1K29Txy5P2OK0dGo59b7b0LR6wKfIhttaAhHUyn7eI=
 github.com/go-quicktest/qt v1.101.0/go.mod h1:14Bz/f7NwaXPtdYEgzsx46kqSxVwTbzVZsDC26tQJow=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk=
 github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-tpm-tools v0.3.13-0.20230620182252-4639ecce2aba h1:qJEJcuLzH5KDR0gKc0zcktin6KSAwL7+jWKBYceddTc=
+github.com/google/go-tpm-tools v0.3.13-0.20230620182252-4639ecce2aba/go.mod h1:EFYHy8/1y2KfgTAsx7Luu7NGhoxtuVHnNo8jE7FikKc=
 github.com/josharian/native v1.1.0 h1:uuaP0hAbW7Y4l0ZRQ6C9zfb7Mg1mbFKry/xzDAfmtLA=
 github.com/josharian/native v1.1.0/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
 github.com/jsimonetti/rtnetlink/v2 v2.0.1 h1:xda7qaHDSVOsADNouv7ukSuicKZO7GgVUCXxpaIEIlM=
@@ -47,8 +53,6 @@ github.com/mrunalp/fileutils v0.5.1 h1:F+S7ZlNKnrwHfSwdlgNSkKo67ReVf8o9fel6C3dkm
 github.com/mrunalp/fileutils v0.5.1/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ=
 github.com/opencontainers/cgroups v0.0.4 h1:XVj8P/IHVms/j+7eh8ggdkTLAxjz84ZzuFyGoE28DR4=
 github.com/opencontainers/cgroups v0.0.4/go.mod h1:s8lktyhlGUqM7OSRL5P7eAW6Wb+kWPNvt4qvVfzA5vs=
-github.com/opencontainers/runtime-spec v1.2.2-0.20250401095657-e935f995dd67 h1:Q+KewUGTMamIe6Q39xCD/T1NC1POmaTlWnhjikCrZHA=
-github.com/opencontainers/runtime-spec v1.2.2-0.20250401095657-e935f995dd67/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/selinux v1.12.0 h1:6n5JV4Cf+4y0KNXW48TLj5DwfXpvWlxXplUkdTrmPb8=
 github.com/opencontainers/selinux v1.12.0/go.mod h1:BTPX+bjVbWGXw7ZZWUbdENt8w0htPSrlgOOysQaU62U=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=

libcontainer/configs/config.go

@@ -13,6 +13,7 @@ import (
 	"time"
 	"unsafe"
 
+	"github.com/opencontainers/runc/libcontainer/vtpm"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/sys/unix"
 
@@ -238,6 +239,9 @@ type Config struct {
 
 	// ExecCPUAffinity is CPU affinity for a non-init process to be run in the container.
 	ExecCPUAffinity *CPUAffinity `json:"exec_cpu_affinity,omitempty"`
+
+	// VTPM configuration
+	VTPMs []*vtpm.VTPM `json:"vtpms"`
 }
 
 // Scheduler is based on the Linux sched_setattr(2) syscall.

libcontainer/container_linux.go

@@ -15,6 +15,7 @@ import (
 	"sync"
 	"time"
 
+	vtpmhelper "github.com/opencontainers/runc/libcontainer/vtpm/vtpm-helper"
 	"github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/sirupsen/logrus"
 	"github.com/vishvananda/netlink/nl"
@@ -371,6 +372,11 @@ func (c *Container) start(process *Process) (retErr error) {
 				return err
 			}
 		}
+		if len(c.config.VTPMs) > 0 {
+			if err := vtpmhelper.ApplyCGroupVTPMs(c.config.VTPMs, c.cgroupManager); err != nil {
+				return err
+			}
+		}
 	}
 	return nil
 }

libcontainer/criu_linux.go

@@ -288,6 +288,10 @@ func (c *Container) Checkpoint(criuOpts *CriuOpts) error {
 	//               support for doing unprivileged dumps, but the setup of
 	//               rootless containers might make this complicated.
 
+	if len(c.config.VTPMs) > 0 {
+		return fmt.Errorf("Checkpointing with attached vTPM is not supported")
+	}
+
 	// We are relying on the CRIU version RPC which was introduced with CRIU 3.0.0
 	if err := c.checkCriuVersion(30000); err != nil {
 		return err

libcontainer/rootfs_linux.go

@@ -949,6 +949,7 @@ func createDeviceNode(rootfs string, node *devices.Device, bind bool) error {
 		// The node only exists for cgroup reasons, ignore it here.
 		return nil
 	}
+
 	dest, err := securejoin.SecureJoin(rootfs, node.Path)
 	if err != nil {
 		return err

libcontainer/specconv/example.go

@@ -112,6 +112,7 @@ func Example() *specs.Spec {
 				"/proc/sched_debug",
 				"/sys/firmware",
 				"/proc/scsi",
+				"/sys/devices/virtual/tpm",
 			},
 			ReadonlyPaths: []string{
 				"/proc/bus",

libcontainer/specconv/spec_linux.go

@@ -22,6 +22,7 @@ import (
 	"github.com/opencontainers/runc/libcontainer/internal/userns"
 	"github.com/opencontainers/runc/libcontainer/seccomp"
 	libcontainerUtils "github.com/opencontainers/runc/libcontainer/utils"
+	"github.com/opencontainers/runc/libcontainer/vtpm"
 	"github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/sirupsen/logrus"
 
@@ -344,6 +345,7 @@ type CreateOpts struct {
 	Spec             *specs.Spec
 	RootlessEUID     bool
 	RootlessCgroups  bool
+	VTPMs            []*vtpm.VTPM
 }
 
 // CreateLibcontainerConfig creates a new libcontainer configuration from a
@@ -378,6 +380,7 @@ func CreateLibcontainerConfig(opts *CreateOpts) (*configs.Config, error) {
 		NoNewKeyring:    opts.NoNewKeyring,
 		RootlessEUID:    opts.RootlessEUID,
 		RootlessCgroups: opts.RootlessCgroups,
+		VTPMs:           opts.VTPMs,
 	}
 
 	for _, m := range spec.Mounts {

libcontainer/state_linux.go

@@ -7,7 +7,9 @@ import (
 
 	"github.com/opencontainers/cgroups"
 	"github.com/opencontainers/runc/libcontainer/configs"
+	vtpmhelper "github.com/opencontainers/runc/libcontainer/vtpm/vtpm-helper"
 	"github.com/opencontainers/runtime-spec/specs-go"
+
 	"golang.org/x/sys/unix"
 )
 
@@ -36,6 +38,7 @@ type containerState interface {
 }
 
 func destroy(c *Container) error {
+	vtpmhelper.DestroyVTPMs(c.config.VTPMs)
 	// Usually, when a container init is gone, all other processes in its
 	// cgroup are killed by the kernel. This is not the case for a shared
 	// PID namespace container, which may have some processes left after