
<fix>[crypto]: Fix the issue where VMs fail to boot after deleting NKP and reimporting them. #3690

Open
zstack-robot-2 wants to merge 1 commit into feature-zsv-5.0.0-vm-support-vtpm-and-secuceboot from sync/zstackio/fix/nkp_startvm@@2

@zstack-robot-2
Collaborator

sync from gitlab !9552

@coderabbitai

coderabbitai bot commented Apr 7, 2026

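Overview

This change adds a data-consistency repair mechanism for TPM encrypted-resource key management. It updates the documentation of TpmEncryptedResourceKeyBackend, adds the KvmTpmEncryptedResourceKeyRefJdbcRepair database repair utility class, and integrates orphan-row cleanup and key-provider rebinding logic into KvmTpmExtensions.

Changes

| Cohort / File(s) | Summary |
|---|---|
| TPM encrypted resource documentation update: compute/src/main/java/.../TpmEncryptedResourceKeyBackend.java | Updates the Javadoc to record the behavioral constraint of avoiding the insertion of duplicate EncryptedResourceKeyRef rows. |
| Database repair utility: plugin/kvm/src/main/java/org/zstack/kvm/tpm/KvmTpmEncryptedResourceKeyRefJdbcRepair.java | Adds a Spring-managed repair helper class that provides two transactional methods: deleting orphan placeholder rows (based on the TPM UUID) and updating the provider UUID on a row (including the timestamp). |
| TPM extensions and repair integration: plugin/kvm/src/main/java/org/zstack/kvm/tpm/KvmTpmExtensions.java | Injects the repair utility and integrates the orphan cleanup logic at VM start and at resource pre-initialization; adds a safe query wrapper that catches non-unique-result exceptions; when the key provider UUID is missing, repairs it automatically or attempts to rebind by name. |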

Sequence diagram

sequenceDiagram
    participant VM as VM start
    participant KTE as KvmTpmExtensions
    participant Repair as KvmTpmEncryptedResourceKeyRefJdbcRepair
    participant DB as Database
    participant Backend as TpmEncryptedResourceKeyBackend

    VM->>KTE: beforeStartVmOnKvm(tpmUuid)
    KTE->>Repair: repairOrphanTpmKeyRefPlaceholders(tpmUuid)
    Repair->>DB: DELETE orphan placeholder rows<br/>(providerUuid NOT NULL AND kekRef IS NULL)
    DB-->>Repair: return affected row count

    KTE->>DB: safeFindKeyProviderUuidByTpm(tpmUuid)
    DB-->>KTE: return providerUuid (may be null)

    alt providerUuid is empty
        KTE->>KTE: tryRebindKeyProviderByName(tpmUuid)
        KTE->>DB: look up provider by name
        DB-->>KTE: return provider info
        KTE->>Repair: applyProviderUuidOnRowWithKek(tpmUuid, providerUuid)
        Repair->>DB: UPDATE sets providerUuid
        DB-->>Repair: return affected row count
    end

    KTE->>Backend: attachKeyProviderToTpm(tpmUuid, providerUuid)
    Backend->>DB: ensure DB consistency
    DB-->>Backend: done
    KTE-->>VM: return the configured start command

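Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

Orphan rows repaired, keys bound and tied,
The rabbit hops through the database, cleaning and rebuilding,
Safe queries wrapped, exceptions cause no alarm,
TPM is steadier now, 🔐✨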

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

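| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 8.33% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly and accurately summarizes the main change: fixing the issue where VMs fail to boot after NKP is deleted and re-imported. |
| Description check | ✅ Passed | The description is related to the changeset and states that this is a change synced from GitLab. |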


@coderabbitai coderabbitai bot left a comment


🧹 Nitpick comments (1)
plugin/kvm/src/main/java/org/zstack/kvm/tpm/KvmTpmExtensions.java (1)

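425-432: Suggestion: use a more robust exception type check.

The current code detects NonUniqueResultException by string-matching the class-name suffix; although this is compatible with different JPA implementations, it is rather fragile.

♻️ Optional improvement: explicitly check known exception types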
 private static boolean isNonUniqueResultException(Throwable e) {
     for (Throwable t = e; t != null; t = t.getCause()) {
-        if (t.getClass().getName().endsWith("NonUniqueResultException")) {
+        if (t instanceof javax.persistence.NonUniqueResultException
+                || t.getClass().getName().equals("org.hibernate.NonUniqueResultException")) {
             return true;
         }
     }
     return false;
 }
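
Review bot: the two `+` lines narrow the match to exactly two classes, so an exception the removed suffix check accepted, such as `jakarta.persistence.NonUniqueResultException` or a subclass of the Hibernate type (the `getName().equals(...)` comparison is exact, unlike `instanceof`), now makes `isNonUniqueResultException` return false and falls outside the safe-query handling. Keep the explicit checks first and retain `t.getClass().getName().endsWith("NonUniqueResultException")` as the last fallback inside the loop, which is also what the agent prompt attached to this comment describes. The `instanceof javax.persistence.NonUniqueResultException` reference additionally makes that class a compile-time dependency of this file, so confirm it is on the classpath of `plugin/kvm` before applying.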

Note: if the project is known to use only Hibernate, you can check org.hibernate.NonUniqueResultException directly with instanceof.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@plugin/kvm/src/main/java/org/zstack/kvm/tpm/KvmTpmExtensions.java` around
lines 425 - 432, The current isNonUniqueResultException(Throwable e) uses
fragile class-name suffix matching; update it to first explicitly check known
exception classes (e.g., org.hibernate.NonUniqueResultException via instanceof
if that dependency is present, and any other project-known
NonUniqueResultException types) while still walking causes, and only fall back
to the name-suffix string check if no explicit instanceof matches; keep the same
Throwable cause traversal logic and preserve method signature so callers of
isNonUniqueResultException behave identically.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: df691ea4-0010-4fb3-b8ed-10143545c926

📥 Commits

Reviewing files that changed from the base of the PR and between 912b02f and 7c95d6b.

⛔ Files ignored due to path filters (1)
  • conf/springConfigXml/Kvm.xml is excluded by !**/*.xml
📒 Files selected for processing (3)
  • compute/src/main/java/org/zstack/compute/vm/devices/TpmEncryptedResourceKeyBackend.java
  • plugin/kvm/src/main/java/org/zstack/kvm/tpm/KvmTpmEncryptedResourceKeyRefJdbcRepair.java
  • plugin/kvm/src/main/java/org/zstack/kvm/tpm/KvmTpmExtensions.java
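
The repair sequence in the CodeRabbit summary above (orphan cleanup, tolerant provider lookup, rebind by name), modeled in memory as an added example; it is not code from this PR or from ZStack. The row shape, the `providerName` column, the sample UUIDs and the rule that a rebind needs exactly one name match are assumptions made for illustration.

```java
import java.util.*;
// Added illustration: the row shape and every name here are assumptions, not ZStack's schema or API.
public class TpmKeyRefRepairSketch {
    // One EncryptedResourceKeyRef row, reduced to the columns the summary mentions.
    static final class KeyRef {
        final String tpmUuid, providerName, kekRef;
        String providerUuid; // null when the link to the key provider is missing
        KeyRef(String tpmUuid, String providerUuid, String providerName, String kekRef) {
            this.tpmUuid = tpmUuid; this.providerUuid = providerUuid;
            this.providerName = providerName; this.kekRef = kekRef;
        }
    }
    // Step 1: delete placeholders for this TPM (provider set, but no KEK reference).
    static int deleteOrphanPlaceholders(List<KeyRef> table, String tpmUuid) {
        int before = table.size();
        table.removeIf(r -> r.tpmUuid.equals(tpmUuid) && r.providerUuid != null && r.kekRef == null);
        return before - table.size();
    }
    // Step 2: tolerate duplicates instead of throwing; no single answer means "unknown" (null).
    static String safeFindProviderUuid(List<KeyRef> table, String tpmUuid) {
        Set<String> found = new HashSet<>();
        for (KeyRef r : table)
            if (r.tpmUuid.equals(tpmUuid) && r.providerUuid != null) found.add(r.providerUuid);
        return found.size() == 1 ? found.iterator().next() : null;
    }
    // Step 3: rebind the KEK-bearing row by name, only if exactly one provider has that name.
    static String rebindByName(List<KeyRef> table, Map<String, String> nameByProviderUuid, String tpmUuid) {
        for (KeyRef r : table) {
            if (!r.tpmUuid.equals(tpmUuid) || r.kekRef == null || r.providerUuid != null) continue;
            List<String> matches = new ArrayList<>();
            nameByProviderUuid.forEach((uuid, name) -> { if (name.equals(r.providerName)) matches.add(uuid); });
            if (matches.size() != 1) return null; // ambiguous or missing name: refuse to guess
            r.providerUuid = matches.get(0);
            return r.providerUuid;
        }
        return null;
    }
    public static void main(String[] args) {
        // Constructed state after delete and re-import: the KEK row lost its provider link,
        // and a placeholder row points at the re-imported provider without a KEK reference.
        List<KeyRef> table = new ArrayList<>(List.of(
            new KeyRef("tpm-1", null, "nkp-a", "kek-ref-1"),
            new KeyRef("tpm-1", "prov-new", "nkp-a", null)));
        Map<String, String> providers = Map.of("prov-new", "nkp-a");
        int deleted = deleteOrphanPlaceholders(table, "tpm-1");
        String uuid = safeFindProviderUuid(table, "tpm-1");
        if (uuid == null) uuid = rebindByName(table, providers, "tpm-1");
        System.out.println("deleted=" + deleted + " provider=" + uuid + " rows=" + table.size());
    }
}
```

A provider name is not a stable identity, so the sketch declines to rebind when the name matches zero or several providers and leaves the row for an operator to resolve.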
