Virtual TPM
This guide outlines the implementation and configuration requirements for Virtual Trusted Platform Module (vTPM) v2.0 support in Private Cloud Director.
What is Virtual Trusted Platform Module (vTPM)
A Trusted Platform Module (TPM) is a specialized hardware chip on your computer's motherboard that is designed to enhance your computer's security by securely storing cryptographic keys that are used for encryption and decryption.
vTPM v2.0 is a software-based representation of a traditional TPM 2.0 chip. It carries out the same hardware-based security functions as a physical Trusted Platform Module, such as attestation, key and random number generation, but without the physical TPM chip being required.
Private Cloud Director's vTPM solution leverages the open source Barbican service for encryption management. Private Cloud Director's Virtual TPM service enables TPM support by default on Private Cloud Director hypervisor hosts.
TPM Version and Models Supported
The Virtual TPM configuration is controlled through metadata that can be applied at the virtual machine image level.
Private Cloud Director currently only supports TPM version 2.0. PCD supports two models for vTPM:
tpm-tis: This option emulates a TPM device based on the TPM Interface Specification, which is the standard for TPM version 1.2.
tpm-crb: This option emulates a TPM device based on the TPM 2.0 CRB (Chip Reference Board) specification.
Image Preparation and Configuration
When you add TPM metadata to an image, any VM created using the image will automatically enable vTPM with the specified configuration. The metadata parameters control:
The TPM model type (tpm-tis or tpm-crb)
You can apply these configurations by adding metadata to the image as below:
Image-level Properties
Following is the TPM metadata that you need to associate with a virtual machine image in order to enable vTPM for the VMs created with the image.
hw_tpm_version = 2.0
hw_tpm_model = tpm-crb
For example, you might start with a standard Windows image without TPM support and later add TPM 2.0 support by updating the image metadata. Any new VMs created from this image will have TPM 2.0 enabled, while existing VMs remain unchanged.
Once VMs have been created from an image carrying these tags, do not remove the metadata keys while vTPM VMs created from that image are still active, as doing so may lead to unexpected failures.
VM Deployment and Verification
Create a VM with vTPM support through the Private Cloud Director UI
Make sure that the VM reaches "Active" state
Perform TPM verification:
TPM Verification for Windows VMs
1. Press Windows key + R
2. Execute tpm.msc
TPM Verification For Linux VMs:
ls /dev | grep tpm # Should show TPM device
General TPM Verification:
# List running VMs
virsh list
# Verify TPM configuration
virsh dumpxml <VM_ID>
Expected TPM configuration in XML:
<tpm model='tpm-crb'>
<backend type='emulator' version='2.0' persistent_state='yes'>
<encryption secret='<secret>'/>
</backend>
<alias name='tpm0'/>
</tpm>
Secret Management Verification
Run the following command to make sure that the secrets got created successfully:
openstack secret list
Each VM with TPM should have a corresponding secret entry.
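As an added example (not part of this guide or of the Private Cloud Director tooling), the following Python script checks a `virsh dumpxml` document against the expected `<tpm>` configuration shown above and extracts the secret reference so it can be cross-checked against the `openstack secret list` output. The domain XML samples and the secret UUID are constructed for the example.

```python
import xml.etree.ElementTree as ET

SUPPORTED_MODELS = {"tpm-tis", "tpm-crb"}  # the two vTPM models this guide lists

# Constructed sample: the expected <tpm> block from this guide inside a minimal libvirt domain.
GOOD_DOMAIN_XML = """<domain type='kvm'><devices>
  <tpm model='tpm-crb'>
    <backend type='emulator' version='2.0' persistent_state='yes'>
      <encryption secret='11111111-2222-3333-4444-555555555555'/>
    </backend>
    <alias name='tpm0'/>
  </tpm>
</devices></domain>"""

# Constructed sample of a VM that does not match the guide: TPM 1.2, state not
# marked persistent, and no encryption secret protecting the vTPM state.
BAD_DOMAIN_XML = """<domain type='kvm'><devices>
  <tpm model='tpm-tis'>
    <backend type='emulator' version='1.2'/>
  </tpm>
</devices></domain>"""

def check_vtpm(domain_xml: str) -> list:
    """Return findings for one `virsh dumpxml` document; an empty list means it matches the guide."""
    root = ET.fromstring(domain_xml)
    tpms = root.findall("./devices/tpm")
    if not tpms:
        return ["no <tpm> device: check hw_tpm_version / hw_tpm_model on the image"]
    findings = []
    for tpm in tpms:
        if tpm.get("model") not in SUPPORTED_MODELS:
            findings.append(f"unsupported model {tpm.get('model')!r}")
        backend = tpm.find("backend")
        if backend is None or backend.get("type") != "emulator":
            findings.append("backend missing or not type='emulator'")
            continue
        if backend.get("version") != "2.0":
            findings.append(f"TPM version {backend.get('version')!r}; only 2.0 is supported")
        if backend.get("persistent_state") != "yes":
            findings.append("persistent_state is not 'yes' (guide expects TPM state to be kept)")
        enc = backend.find("encryption")
        if enc is None or not enc.get("secret"):
            findings.append("no <encryption secret=...>: vTPM state is not protected by a secret")
    return findings

def tpm_secret_refs(domain_xml: str) -> list:
    """Secret references of the vTPM backends, to cross-check against `openstack secret list`."""
    root = ET.fromstring(domain_xml)
    return [e.get("secret") for e in root.findall("./devices/tpm/backend/encryption") if e.get("secret")]
```

Run `check_vtpm` on the real `virsh dumpxml <VM_ID>` output for each vTPM VM; any finding means the VM was not built with the image metadata described above.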