Virtual TPM

This guide outlines the implementation and configuration requirements for Virtual Trusted Platform Module (vTPM) v2.0 support in Private Cloud Director.

What is Virtual Trusted Platform Module (vTPM)

A Trusted Platform Module (TPM) is a specialized hardware chip on your computer's motherboard that is designed to enhance your computer's security by securely storing cryptographic keys that are used for encryption and decryption.

vTPM v2.0 is a software-based representation of a traditional TPM 2.0 chip. It carries out the same hardware-based security functions as a physical Trusted Platform Module, such as attestation, key and random number generation, but without the physical TPM chip being required.

Private Cloud Director's vTPM solution leverages open source Barbican service for encryption management. Private Cloud Director's Virtual TPM service enables TPM support by default on Private Cloud Director hypervisor hosts.

TPM Version and Models Supported

The Virtual TPM configuration is controlled through metadata that can be applied at the virtual machine image level.

Private Cloud Director currently only supports TPM version 2.0. PCD supports two models for vTPM

• tpm-tis: This option emulates a TPM device based on the TPM Interface Specification, which is the standard for TPM version 1.2.

• tpm-crb: This option emulates a TPM device based on the TPM 2.0 CRB (Chip Reference Board) specification.

Image Preparation and Configuration

When you add TPM metadata to an image, any VM created using the image will automatically enable vTPM with the specified configuration. The metadata parameters control:

• The TPM model type (tpm-tis or tpm-crb)

You can apply these configurations by adding metadata to the image as below:

Image-level Properties

Following is the TPM metadata that you need to associate with a virtual machine image in order to enable vTPM for the VMs created with the image.

For example, you might start with a standard Windows image without TPM support and later add TPM 2.0 support by updating the image metadata. Any new VMs created from this image will have TPM 2.0 enabled, while existing VMs remain unchanged.

Similarly, if you create a VM using an image with these tags, do not remove these metadata keys while you have active vTPM VMs as it may lead to unexpected failures.

Flavor-level Properties

To enable the support of vTPM live migration, ensure the flavor has the metadata

Please note that this can only be set on the flavor metadata, not the image metadata.

Shared swtpm State Directory

The directory /var/lib/libvirt/swtpm must be shared across all compute hosts. Use NFS with the following mount options:

Consistent swtpm UID Across Hosts

Ensure that the swtpm user ID matches across all hosts. Platform9 pins this to UID 64130 starting 2026.4 release. If your UIDs are not consistent across hosts, please fix them so they are consistent. While doing this, you may also have to change the ownership of /var/lib/swtpm-localca to the swtpm user again.

VM Deployment and Verification

1. Create a VM with vTPM support through the Private Cloud Director UI

2. Make sure that the VM reaches "Active" state

3. Perform TPM verification:

TPM Verification for Windows VMs

TPM Verification For Linux VMs:

General TPM Verification:

Expected TPM configuration in XML:

Secret Management Verification

Run the following command to make sure that the secrets got created successfully:

Each VM with TPM should have a corresponding secret entry.

vTPM State File

VTPM state files are located on directory /var/lib/libvirt/swtpm by default on the hypervisor host.