propagate windows license to the VMs

Signed-off-by: Shahriyar Jalayeri <[email protected]>
lf-edge · Feb 12, 2025 · d01e127 · d01e127
1 parent bfca0fc
commit d01e127
Show file tree

Hide file tree

Showing 14 changed files with 293 additions and 30 deletions.
diff --git a/pkg/pillar/cmd/domainmgr/domainmgr.go b/pkg/pillar/cmd/domainmgr/domainmgr.go
@@ -1148,6 +1148,18 @@ func maybeRetryBoot(ctx *domainContext, status *types.DomainStatus) {
 	}
 	defer file.Close()
 
+	// setup Windows OEM license key if enabled
+	if config.OemWinLicenseKey {
+		err = hyper.Task(status).WindowsOemLicenseKeySetup(&config.WindowsOemLicenseKey)
+		if err != nil {
+			// let the VM to boot and just log the error? or terminate?
+			log.Errorf("Failed to setup Windows OEM license key for %s: %s", status.DomainName, err)
+			status.PropagateWindowsLicenseKey = false
+		} else {
+			status.PropagateWindowsLicenseKey = true
+		}
+	}
+
 	wp := &types.WatchdogParam{Ps: ctx.ps, AgentName: agentName, WarnTime: warningTime, ErrTime: errorTime}
 	err = hyper.Task(status).VirtualTPMSetup(status.DomainName, wp)
 	if err == nil {
@@ -1695,6 +1707,18 @@ func doActivate(ctx *domainContext, config types.DomainConfig,
 	}
 	defer file.Close()
 
+	// setup Windows OEM license key if enabled
+	if config.OemWinLicenseKey {
+		err = hyper.Task(status).WindowsOemLicenseKeySetup(&config.WindowsOemLicenseKey)
+		if err != nil {
+			// let the VM to boot and just log the error? or terminate?
+			log.Errorf("Failed to setup Windows OEM license key for %s: %s", status.DomainName, err)
+			status.PropagateWindowsLicenseKey = false
+		} else {
+			status.PropagateWindowsLicenseKey = true
+		}
+	}
+
 	wp := &types.WatchdogParam{Ps: ctx.ps, AgentName: agentName, WarnTime: warningTime, ErrTime: errorTime}
 	err = hyper.Task(status).VirtualTPMSetup(status.DomainName, wp)
 	if err == nil {

diff --git a/pkg/pillar/cmd/zedagent/parseconfig.go b/pkg/pillar/cmd/zedagent/parseconfig.go
@@ -704,6 +704,7 @@ func parseAppInstanceConfig(getconfigCtx *getconfigContext,
 		appInstance.Service = cfgApp.Service
 		appInstance.CloudInitVersion = cfgApp.CloudInitVersion
 		appInstance.FixedResources.CPUsPinned = cfgApp.Fixedresources.PinCpu
+		appInstance.FixedResources.OemWinLicenseKey = cfgApp.OemWinLicenseKey
 
 		// Parse the snapshot related fields
 		if cfgApp.Snapshot != nil {

diff --git a/pkg/pillar/go.mod b/pkg/pillar/go.mod
@@ -30,7 +30,7 @@ require (
 	github.com/jaypipes/ghw v0.8.0
 	github.com/k8snetworkplumbingwg/network-attachment-definition-client v1.5.0
 	github.com/lf-edge/edge-containers v0.0.0-20240207093504-5dfda0619b80
-	github.com/lf-edge/eve-api/go v0.0.0-20250204190553-54ee503d1433
+	github.com/lf-edge/eve-api/go v0.0.0-20250211142724-fb2a525d0a32
 	github.com/lf-edge/eve-libs v0.0.0-20241210085709-fc89dcac7f3c
 	github.com/lf-edge/eve/pkg/kube/cnirpc v0.0.0-20240315102754-0f6d1f182e0d
 	github.com/lf-edge/go-qemu v0.0.0-20231121152149-4c467eda0c56

diff --git a/pkg/pillar/go.sum b/pkg/pillar/go.sum
@@ -1456,6 +1456,8 @@ github.com/lf-edge/eve-api/go v0.0.0-20250102213900-786246223024 h1:C+Xj3QOl+RMO
 github.com/lf-edge/eve-api/go v0.0.0-20250102213900-786246223024/go.mod h1:ot6MhAhBXapUDl/hXklaX4kY88T3uC4PTg0D2wD8DzA=
 github.com/lf-edge/eve-api/go v0.0.0-20250204190553-54ee503d1433 h1:GqgH3pRJKDgnpTVq2vIS2xz4lQVn2jFK/CzSKCBdQGM=
 github.com/lf-edge/eve-api/go v0.0.0-20250204190553-54ee503d1433/go.mod h1:ot6MhAhBXapUDl/hXklaX4kY88T3uC4PTg0D2wD8DzA=
+github.com/lf-edge/eve-api/go v0.0.0-20250211142724-fb2a525d0a32 h1:2w6XKQ81SyffTaNN9WLrXpcDoA4mU+ExEmjzeUH5Bgk=
+github.com/lf-edge/eve-api/go v0.0.0-20250211142724-fb2a525d0a32/go.mod h1:ot6MhAhBXapUDl/hXklaX4kY88T3uC4PTg0D2wD8DzA=
 github.com/lf-edge/eve-libs v0.0.0-20241210085709-fc89dcac7f3c h1:PN0cNV+Rwq6T358PYyuaFr3MU9xjUCPTHtUwepMACac=
 github.com/lf-edge/eve-libs v0.0.0-20241210085709-fc89dcac7f3c/go.mod h1:32koNJxwKDrVL7rBLy35QzjIuMvGy6+BmLjf8Y38MQU=
 github.com/lf-edge/eve/pkg/kube/cnirpc v0.0.0-20240315102754-0f6d1f182e0d h1:tUBb9M6u42LXwHAYHyh22wJeUUQlTpDkXwRXalpRqbo=

diff --git a/pkg/pillar/hypervisor/containerd.go b/pkg/pillar/hypervisor/containerd.go
@@ -358,3 +358,7 @@ func (ctx ctrdContext) VirtualTPMTerminate(domainName string, wp *types.Watchdog
 func (ctx ctrdContext) VirtualTPMTeardown(domainName string, wp *types.WatchdogParam) error {
 	return fmt.Errorf("not implemented")
 }
+
+func (ctx ctrdContext) WindowsOemLicenseKeySetup(wlk *types.WindowsOemLicenseKey) error {
+	return fmt.Errorf("not implemented")
+}
diff --git a/pkg/pillar/hypervisor/kubevirt.go b/pkg/pillar/hypervisor/kubevirt.go
@@ -1723,6 +1723,10 @@ func (ctx kubevirtContext) VirtualTPMTeardown(domainName string, wp *types.Watch
 	return fmt.Errorf("not implemented")
 }
 
+func (ctx kubevirtContext) WindowsOemLicenseKeySetup(wlk *types.WindowsOemLicenseKey) error {
+	return fmt.Errorf("not implemented")
+}
+
 // save the node-name to context map for later retrieval
 func saveMyNodeUUID(ctx *kubevirtContext, nodeName string) {
 	if len(ctx.nodeNameMap) == 0 {

diff --git a/pkg/pillar/hypervisor/kvm.go b/pkg/pillar/hypervisor/kvm.go
@@ -979,6 +979,15 @@ func (ctx KvmContext) Setup(status types.DomainStatus, config types.DomainConfig
 		dmArgs = append(dmArgs, "-smbios", "type=1,product=OpenStack Compute")
 	}
 
+	if status.PropagateWindowsLicenseKey {
+		if config.WindowsOemLicenseKey.Qemu.DomainArguments != nil {
+			dmArgs = append(dmArgs, config.WindowsOemLicenseKey.Qemu.DomainArguments...)
+		} else {
+			// this should never happen, but just in case.
+			return logError("Windows OEM license key is enabled but no domain arguments are provided")
+		}
+	}
+
 	os.MkdirAll(kvmStateDir+domainName, 0777)
 
 	args := []string{ctx.dmExec}
@@ -1517,6 +1526,9 @@ func (ctx KvmContext) CreateDomConfig(domainName string,
 		isVncShimVMEnabled(globalConfig, config)
 	qemuConfContext.DomainConfig.DisplayName = domainName
 
+	// signal Qemu to inject MS Licences via custom ACPI tables
+	qemuConfContext.DomainConfig.OemWinLicenseKey = config.OemWinLicenseKey
+
 	// render global device model settings
 	if err := tQemuGlobalConf.Execute(file, qemuConfContext); err != nil {
 		return logError("can't write to config file %s (%v)", file.Name(), err)
@@ -2007,3 +2019,22 @@ func requestvTPMTermination(id uuid.UUID, wp *types.WatchdogParam) error {
 
 	return nil
 }
+
+// WindowsOemLicenseKeySetup prepares the domain to recive Windows OEM license keys
+func (ctx KvmContext) WindowsOemLicenseKeySetup(wlk *types.WindowsOemLicenseKey) error {
+	licences, err := dumpWindowsLicenceFromACPI()
+	if err != nil {
+		return logError("failed to dump Windows licence from ACPI: %v", err)
+	} else {
+		for _, licence := range licences {
+			licenceFile := fmt.Sprintf("file=%s", licence)
+			wlk.Qemu.DomainArguments = append(wlk.Qemu.DomainArguments, "-acpitable", licenceFile)
+		}
+
+		// add sysinfo
+		smbiosSysInfo := generateDmidecodeSmbiosString()
+		wlk.Qemu.DomainArguments = append(wlk.Qemu.DomainArguments, "-smbios", smbiosSysInfo)
+	}
+
+	return nil
+}
diff --git a/pkg/pillar/hypervisor/null.go b/pkg/pillar/hypervisor/null.go
@@ -183,3 +183,7 @@ func (ctx nullContext) VirtualTPMTerminate(domainName string, wp *types.Watchdog
 func (ctx nullContext) VirtualTPMTeardown(domainName string, wp *types.WatchdogParam) error {
 	return fmt.Errorf("not implemented")
 }
+
+func (ctx nullContext) WindowsOemLicenseKeySetup(wlk *types.WindowsOemLicenseKey) error {
+	return fmt.Errorf("not implemented")
+}
diff --git a/pkg/pillar/hypervisor/win.go b/pkg/pillar/hypervisor/win.go
@@ -0,0 +1,155 @@
+// Copyright (c) 2025 Zededa, Inc.
+// SPDX-License-Identifier: Apache-2.0
+
+package hypervisor
+
+import (
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+
+	uuid "github.com/satori/go.uuid"
+
+	"github.com/lf-edge/eve/pkg/pillar/types"
+	fileutils "github.com/lf-edge/eve/pkg/pillar/utils/file"
+	"github.com/sirupsen/logrus"
+)
+
+// TODO: move all the windows related OVMF code to this file
+
+// Struct to hold system information
+type DmiSystemInfo struct {
+	Manufacturer string
+	ProductName  string
+	Version      string
+	SerialNumber string
+	UUID         string
+	SKUNumber    string
+	Family       string
+}
+
+// getSmbiosString returns a SMBIOS type 1 string (system information)
+func getSmbiosString(sysInfo DmiSystemInfo) string {
+	var fields []string
+
+	if sysInfo.UUID != "" {
+		fields = append(fields, fmt.Sprintf("uuid=%s", sysInfo.UUID))
+	}
+	if sysInfo.Manufacturer != "" {
+		fields = append(fields, fmt.Sprintf("manufacturer=%s", sysInfo.Manufacturer))
+	}
+	if sysInfo.ProductName != "" {
+		fields = append(fields, fmt.Sprintf("product=%s", sysInfo.ProductName))
+	}
+	if sysInfo.Version != "" {
+		fields = append(fields, fmt.Sprintf("version=%s", sysInfo.Version))
+	}
+	if sysInfo.SerialNumber != "" {
+		fields = append(fields, fmt.Sprintf("serial=%s", sysInfo.SerialNumber))
+	}
+	if sysInfo.SKUNumber != "" {
+		fields = append(fields, fmt.Sprintf("sku=%s", sysInfo.SKUNumber))
+	}
+	if sysInfo.Family != "" {
+		fields = append(fields, fmt.Sprintf("family=%s", sysInfo.Family))
+	}
+
+	smbiosString := "type=1," + strings.Join(fields, ",")
+	return smbiosString
+}
+
+// generateDmidecodeSmbiosString execute dmidecode and creates the SMBIOS string
+func generateDmidecodeSmbiosString() string {
+	validate := func(a string) string {
+		a = strings.TrimSpace(a)
+		if strings.Contains(a, ",") {
+			logrus.Warnf("Invalid value: %s", a)
+			return ""
+		}
+		return a
+	}
+
+	dmidecode := func(arg string) string {
+		cmd := exec.Command("dmidecode", "-s", arg)
+		output, err := cmd.CombinedOutput()
+		if err != nil {
+			logrus.Warnf("Failed to run dmidecode %s : %v", arg, err)
+			return ""
+		}
+
+		return validate(string(output))
+	}
+
+	sysInfo := DmiSystemInfo{}
+	sysInfo.Manufacturer = validate(dmidecode("system-manufacturer"))
+	sysInfo.ProductName = validate(dmidecode("system-product-name"))
+	sysInfo.Version = validate(dmidecode("system-version"))
+	sysInfo.SerialNumber = validate(dmidecode("system-serial-number"))
+	sysInfo.SKUNumber = validate(dmidecode("system-sku-number"))
+	sysInfo.Family = validate(dmidecode("system-family"))
+	smbiosString := getSmbiosString(sysInfo)
+	sysInfo.UUID = validate(dmidecode("system-uuid"))
+	if sysInfo.UUID != "" {
+		_, err := uuid.FromString(sysInfo.UUID)
+		if err != nil {
+			logrus.Warnf("Invalid UUID: %s", sysInfo.UUID)
+			sysInfo.UUID = ""
+		}
+	}
+
+	logrus.Infof("Generated SMBIOS string: %s", smbiosString)
+	return smbiosString
+}
+
+// dumpWindowsLicenceFromACPI dumps the Windows licence from ACPI tables
+func dumpWindowsLicenceFromACPI() ([]string, error) {
+	if _, err := os.Stat(types.MsWindowsLicenceStore); os.IsNotExist(err) {
+		if err := os.MkdirAll(types.MsWindowsLicenceStore, 0600); err != nil {
+			return nil, fmt.Errorf("failed to create directory %s: %v", types.MsWindowsLicenceStore, err)
+		}
+	} else {
+		return nil, fmt.Errorf("erro while checking directory %s: %v", types.MsWindowsLicenceStore, err)
+	}
+
+	collectedLicences := []string{}
+	// TODO: testing, revert this back
+	//acpiTablePath := "/sys/firmware/acpi/tables"
+	acpiTablePath := "/hostfs/etc/winlic"
+	windowsLicenceTables := map[string]bool{
+		"MSDM": true,
+		"SLIC": false,
+	}
+
+	for table, mandatory := range windowsLicenceTables {
+		winLicStorePath := filepath.Join(types.MsWindowsLicenceStore, table)
+		// skip if we already have the table dumped
+		if _, err := os.Stat(winLicStorePath); err == nil {
+			continue
+		}
+
+		sysFsPath := filepath.Join(acpiTablePath, table)
+		if _, err := os.Stat(sysFsPath); err != nil {
+			if mandatory {
+				return nil, fmt.Errorf("error while checking mandatory %s table : %w", table, err)
+			} else {
+				logrus.Warnf("error while checkin %s table : %v", table, err)
+				continue
+			}
+		}
+
+		if err := fileutils.CopyFile(sysFsPath, winLicStorePath); err != nil {
+			if mandatory {
+				return nil, fmt.Errorf("failed to copy %s table: %w", table, err)
+			} else {
+				logrus.Warnf("failed to copy %s table: %v", table, err)
+				continue
+			}
+		}
+
+		collectedLicences = append(collectedLicences, winLicStorePath)
+	}
+
+	return collectedLicences, nil
+}
diff --git a/pkg/pillar/hypervisor/xen.go b/pkg/pillar/hypervisor/xen.go
@@ -896,3 +896,7 @@ func (ctx xenContext) VirtualTPMTerminate(domainName string, wp *types.WatchdogP
 func (ctx xenContext) VirtualTPMTeardown(domainName string, wp *types.WatchdogParam) error {
 	return fmt.Errorf("not implemented")
 }
+
+func (ctx xenContext) WindowsOemLicenseKeySetup(wlk *types.WindowsOemLicenseKey) error {
+	return fmt.Errorf("not implemented")
+}
diff --git a/pkg/pillar/types/domainmgrtypes.go b/pkg/pillar/types/domainmgrtypes.go
@@ -62,6 +62,10 @@ type DomainConfig struct {
 	// once the version is changed cloud-init tool restarts in a guest.
 	// See getCloudInitVersion() and createCloudInitISO() for details.
 	CloudInitVersion uint32
+
+	// WindowsOemLicenseKey provides the information required to propogate the OEM license key
+	// to the VM.
+	WindowsOemLicenseKey WindowsOemLicenseKey
 }
 
 // MetaDataType of metadata service for app
@@ -263,6 +267,18 @@ type VmConfig struct {
 	EnableVncShimVM    bool
 	// Enables enforcement of user-defined ordering for network interfaces.
 	EnforceNetworkInterfaceOrder bool
+	// OemWinLicenseKey indicates the app should receive the embedded Windows license key (if available)
+	OemWinLicenseKey bool
+}
+
+// WindowsOemLicenseKey contains the infromation required to propogate the OEM license key
+// to the VM. Currently only QEMU/KVM is supported.
+type WindowsOemLicenseKey struct {
+	Qemu struct {
+		DomainArguments []string
+	}
+	Xen  struct{}
+	Acrn struct{}
 }
 
 // VmMode is the type for the virtualization mode
@@ -284,6 +300,7 @@ type Task interface {
 	VirtualTPMSetup(domainName string, wp *WatchdogParam) error
 	VirtualTPMTerminate(domainName string, wp *WatchdogParam) error
 	VirtualTPMTeardown(domainName string, wp *WatchdogParam) error
+	WindowsOemLicenseKeySetup(*WindowsOemLicenseKey) error
 	Create(string, string, *DomainConfig) (int, error)
 	Start(string) error
 	Stop(string, bool) error
@@ -330,6 +347,9 @@ type DomainStatus struct {
 	// the device name is used for kube node name
 	// Need to pass in from domainmgr to hypervisor context commands
 	NodeName string
+	// PropagateWindowsLicenseKey is true if eveything it available to propogate
+	// the OEM license key to the VM.
+	PropagateWindowsLicenseKey bool
 }
 
 func (status DomainStatus) Key() string {

diff --git a/pkg/pillar/types/locationconsts.go b/pkg/pillar/types/locationconsts.go
@@ -43,6 +43,8 @@ const (
 	PersistCachePatchEnvelopes = PersistDir + "/patchEnvelopesCache"
 	// PersistCachePatchEnvelopesUsage - folder to store patch envelopes usage stat per app
 	PersistCachePatchEnvelopesUsage = PersistDir + "/patchEnvelopesUsageCache"
+	// MsWindowsLicenceStore - Location to storeing MS Windows Licences dumped from ACPI tables
+	MsWindowsLicenceStore = PersistDir + "/msWindowsLicenceStore"
 
 	// IdentityDirname - Config dir
 	IdentityDirname = "/config"