<feature>[kvm]: support TPM revert without KMS#3696
Closed
MatheMatrix wants to merge 1 commit intofeature-zsv-5.0.0-vm-support-vtpm-and-secucebootfrom
Closed
<feature>[kvm]: support TPM revert without KMS#3696MatheMatrix wants to merge 1 commit intofeature-zsv-5.0.0-vm-support-vtpm-and-secucebootfrom
MatheMatrix wants to merge 1 commit intofeature-zsv-5.0.0-vm-support-vtpm-and-secucebootfrom
Conversation
Walkthrough在 TPM 快照还原助手中加入对全局配置 Changes
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 分钟 Poem
🚥 Pre-merge checks | ✅ 2 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (2 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
🧹 Nitpick comments (1)
plugin/kvm/src/main/java/org/zstack/kvm/tpm/SnapshotGroupRevertTpmHelper.java (1)
103-124: 建议:当跳过 key provider 解析时添加日志。当
skipKeyProvider为true时,整个 key provider 解析逻辑被跳过,但没有任何日志记录。参考KvmTpmExtensions.java(上下文代码片段 3)中的实现,在跳过 create-dek 步骤时会输出日志:"skip create-dek: allowed.tpm.vm.without.kms is enabled and no KMS provider bound"。建议添加类似的日志以便于调试和问题排查:
♻️ 建议添加跳过日志
final Boolean skipKeyProvider = ALLOWED_TPM_VM_WITHOUT_KMS.value(Boolean.class); if (skipKeyProvider != Boolean.TRUE) { String keyProviderName = KVMSystemTags.TPM_KEY_PROVIDER_NAME .getTokenByResourceUuid(tpmBackupFile.getUuid(), KVMSystemTags.TPM_KEY_PROVIDER_NAME_TOKEN); // ... existing logic ... + } else { + logger.debug(String.format("skip key provider resolution for snapshotGroup[uuid:%s]: " + + "allowed.tpm.vm.without.kms is enabled", snapshotGroupUuid)); }🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@plugin/kvm/src/main/java/org/zstack/kvm/tpm/SnapshotGroupRevertTpmHelper.java` around lines 103 - 124, When ALLOWED_TPM_VM_WITHOUT_KMS causes skipKeyProvider to be true the method in SnapshotGroupRevertTpmHelper currently does nothing and emits no trace; add a log entry (e.g. logger.info or logger.warn) in the branch where skipKeyProvider == Boolean.TRUE to record that key-provider resolution was skipped because allowed.tpm.vm.without.kms is enabled and no KMS provider is bound, referencing the snapshotGroupUuid and tpmBackupFile.getUuid() for context so operators can correlate events.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Nitpick comments:
In
`@plugin/kvm/src/main/java/org/zstack/kvm/tpm/SnapshotGroupRevertTpmHelper.java`:
- Around line 103-124: When ALLOWED_TPM_VM_WITHOUT_KMS causes skipKeyProvider to
be true the method in SnapshotGroupRevertTpmHelper currently does nothing and
emits no trace; add a log entry (e.g. logger.info or logger.warn) in the branch
where skipKeyProvider == Boolean.TRUE to record that key-provider resolution was
skipped because allowed.tpm.vm.without.kms is enabled and no KMS provider is
bound, referencing the snapshotGroupUuid and tpmBackupFile.getUuid() for context
so operators can correlate events.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository UI
Review profile: CHILL
Plan: Pro
Run ID: d1be1bc3-83f0-4b56-bd7a-f8120a254ddc
📒 Files selected for processing (1)
plugin/kvm/src/main/java/org/zstack/kvm/tpm/SnapshotGroupRevertTpmHelper.java
Support TPM snapshot group revert when ALLOWED_TPM_VM_WITHOUT_KMS config is enabled. Skip key provider resolution to allow TPM recovery without KMS dependency. Changes: - Add ALLOWED_TPM_VM_WITHOUT_KMS config check - Skip key provider resolution when config is true Resolves: ZSV-11489 Related: ZSV-11310 Change-Id: I6470766e66656f6464767a7776696a7a6979706b
MatheMatrix
force-pushed
the
sync/wenhao.zhang/zsv-ldap-9
branch
from
e7edbfb to
866fc0f
Compare
There was a problem hiding this comment.
🧹 Nitpick comments (1)
plugin/kvm/src/main/java/org/zstack/kvm/tpm/SnapshotGroupRevertTpmHelper.java (1)
103-123: 建议把 provider 解析/兜底提取成私有方法。新增这层配置门控后,
setupFromApi()在 TPM 还原分支里的if/else层级又加深了一层。把keyProviderName查询、keyProviderUuid解析和默认值兜底拆出去,会让resetTpm、backupFileUuid和“允许无 KMS”这三条主线更清楚。
As per coding guidelines, “应尽量减少 if...else 结构的使用,建议:限制嵌套层级最多为两层,且内层不应再出现 else 分支。尽早返回(Early Return),将条件判断中的处理逻辑提前结束或抽成独立方法。”🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@plugin/kvm/src/main/java/org/zstack/kvm/tpm/SnapshotGroupRevertTpmHelper.java` around lines 103 - 123, Extract the key-provider lookup/resolve logic into a private helper in SnapshotGroupRevertTpmHelper (called from setupFromApi) to reduce nesting: create a method like resolveAndSetKeyProvider(TpmSpec tpmSpec, BackupFile tpmBackupFile, String snapshotGroupUuid) that encapsulates reading KVMSystemTags.TPM_KEY_PROVIDER_NAME token, calling tpmKeyBackend.findKeyProviderUuidByName(...), setting tpmSpec.setKeyProviderUuid(...) or falling back to tpmKeyBackend.defaultKeyProviderUuid() when appropriate and logging warnings; then replace the current nested if/else block (which references ALLOWED_TPM_VM_WITHOUT_KMS, tpmBackupFile.getUuid(), keyProviderName, keyProviderUuid) with a simple guarded call to this helper to keep setupFromApi’s control flow shallow and follow early-return/early-exit style.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Nitpick comments:
In
`@plugin/kvm/src/main/java/org/zstack/kvm/tpm/SnapshotGroupRevertTpmHelper.java`:
- Around line 103-123: Extract the key-provider lookup/resolve logic into a
private helper in SnapshotGroupRevertTpmHelper (called from setupFromApi) to
reduce nesting: create a method like resolveAndSetKeyProvider(TpmSpec tpmSpec,
BackupFile tpmBackupFile, String snapshotGroupUuid) that encapsulates reading
KVMSystemTags.TPM_KEY_PROVIDER_NAME token, calling
tpmKeyBackend.findKeyProviderUuidByName(...), setting
tpmSpec.setKeyProviderUuid(...) or falling back to
tpmKeyBackend.defaultKeyProviderUuid() when appropriate and logging warnings;
then replace the current nested if/else block (which references
ALLOWED_TPM_VM_WITHOUT_KMS, tpmBackupFile.getUuid(), keyProviderName,
keyProviderUuid) with a simple guarded call to this helper to keep
setupFromApi’s control flow shallow and follow early-return/early-exit style.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository UI
Review profile: CHILL
Plan: Pro
Run ID: 9b454d11-e761-4792-999b-d28da9b0c111
📒 Files selected for processing (1)
plugin/kvm/src/main/java/org/zstack/kvm/tpm/SnapshotGroupRevertTpmHelper.java
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Support TPM snapshot group revert when ALLOWED_TPM_VM_WITHOUT_KMS
config is enabled. Skip key provider resolution to allow TPM
recovery without KMS dependency.
Changes:
Resolves: ZSV-11489
Related: ZSV-11310
Change-Id: I6470766e66656f6464767a7776696a7a6979706b
sync from gitlab !9558