VMware Cloud Community
StippenG
Contributor

Virtual TPM (vTPM) in Linux guest OS

Hello,

All the resources I've read about the virtual TPM 2.0 device in VMware seem to suggest that the guest OS should be Windows 10 or 2016. One post, https://blogs.vmware.com/vsphere/2018/05/vsphere-6-7-virtual-trusted-platform-modules.html, suggests that support for other OSes is possible through the use of an API, but doesn't go into detail about which API should be used or how it should be used. It seems to me that if the vTPM is an implementation of a TPM 2.0 interface, it should show up as a TPM device in Linux too, and "just work".

I have a use case where we would need to store server SSH keys, VPN keys and such securely in a TPM in CentOS. The vTPM seems like a great fit, but it is very unclear from the current documentation if this is supported at the moment. Is it possible to add/use a vTPM in Linux, and if not, are there plans to add support in the near future?

Best regards,

Stefan

2 Replies
Geogee
Enthusiast

I don't know if you have already solved this problem, but I have found an option for adding a vTPM to a VM other than one with a Windows 10/2016 OS, which is what is available in the HTML5 client.

But you need to go into API calls.

I used the Code Capture feature that came with vSphere 6.7 U2.

PowerShell code:

```powershell
# Captured with Code Capture; assumes an existing Connect-VIServer session
$VMName = "RedHat"

# Build a reconfigure spec carrying a single device change
$spec = New-Object VMware.Vim.VirtualMachineConfigSpec
$spec.DeviceChange = New-Object VMware.Vim.VirtualDeviceConfigSpec[] (1)
$spec.DeviceChange[0] = New-Object VMware.Vim.VirtualDeviceConfigSpec

# The device to add is a VirtualTPM; Key = -1 tells vCenter to assign the real device key
$spec.DeviceChange[0].Device = New-Object VMware.Vim.VirtualTPM
$spec.DeviceChange[0].Device.DeviceInfo = New-Object VMware.Vim.Description
$spec.DeviceChange[0].Device.DeviceInfo.Summary = 'Trusted Platform Module'
$spec.DeviceChange[0].Device.DeviceInfo.Label = 'Trusted Platform Module'
$spec.DeviceChange[0].Device.Key = -1
$spec.DeviceChange[0].Operation = 'add'

# Fetch the VirtualMachine managed object and start the reconfigure task
$_this = Get-VM $VMName | Get-View
$_this.ReconfigVM_Task($spec)
```

But it is not yet officially supported by VMware.

To use virtual TPM, the following prerequisites must be met:

- Ensure your vSphere environment is configured for virtual machine encryption. See Set up the Key Management Server Cluster.
- The guest OS you use must be either Windows Server 2016 (64 bit) or Windows 10 (64 bit).
- The ESXi hosts running in your environment must be ESXi 6.7 or later.
- The virtual machine must use EFI firmware.

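The prerequisites listed in the reply above (KMS configured, ESXi 6.7, EFI firmware) are easy to check from PowerCLI before calling ReconfigVM, which otherwise fails with a fairly opaque error. The script below is an added example, not code from the original post or from VMware. It assumes an existing Connect-VIServer session against vCenter, a PowerCLI build that exposes the vSphere 6.7 API types (VMware.Vim.VirtualTPM), and that the target VM is powered off. Two checks go beyond what the thread states and are my assumptions: that the VM needs hardware version 14 (vmx-14) for a vTPM, and that a registered KMS cluster is visible as a non-empty KmipServers list on the vCenter CryptoManagerKmip object.

```powershell
# Added example (not from the original post): verify the vTPM prerequisites,
# then add the device with the same VirtualTPM spec the reply above uses.
# Assumes: Connect-VIServer already done; VM powered off; PowerCLI exposes the
# vSphere 6.7 API types. The vmx-14 and KmipServers checks are assumptions.
param(
    [Parameter(Mandatory = $true)][string] $VMName
)

$vm   = Get-VM -Name $VMName -ErrorAction Stop
$view = $vm.ExtensionData          # VMware.Vim.VirtualMachine managed object
$problems = @()

# 1. Host must run ESXi 6.7 or later (stated in the thread)
$hostVersion = [version] $vm.VMHost.Version
if ($hostVersion -lt [version] '6.7.0') {
    $problems += "Host $($vm.VMHost.Name) runs ESXi $hostVersion; 6.7 or later is required."
}

# 2. VM must use EFI firmware (stated in the thread)
if ($view.Config.Firmware -ne 'efi') {
    $problems += "VM firmware is '$($view.Config.Firmware)'; it must be 'efi'."
}

# 3. Hardware version 14 or later (assumption: vTPM is a vmx-14 device)
$hwVersion = [int] ($view.Config.Version -replace '^vmx-', '')
if ($hwVersion -lt 14) {
    $problems += "VM hardware version is $($view.Config.Version); vmx-14 or later is needed."
}

# 4. VM encryption must be set up: a KMS cluster registered with vCenter
#    (assumption: visible as CryptoManagerKmip.KmipServers)
$si        = Get-View ServiceInstance
$cryptoMgr = Get-View $si.Content.CryptoManager
if (-not $cryptoMgr.KmipServers) {
    $problems += 'No KMS cluster is registered with vCenter; set one up before adding a vTPM.'
}

# 5. A VM carries at most one vTPM; do nothing if it is already there
$existing = $view.Config.Hardware.Device | Where-Object { $_ -is [VMware.Vim.VirtualTPM] }
if ($existing) {
    Write-Host "VM '$VMName' already has a vTPM (device key $($existing.Key)); nothing to do."
    return
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'vTPM prerequisites not met; not reconfiguring the VM.'
}

# All checks passed: build the add-device spec and reconfigure synchronously
$devSpec = New-Object VMware.Vim.VirtualDeviceConfigSpec
$devSpec.Operation = 'add'
$devSpec.Device = New-Object VMware.Vim.VirtualTPM
$devSpec.Device.Key = -1                       # vCenter assigns the real key
$devSpec.Device.DeviceInfo = New-Object VMware.Vim.Description
$devSpec.Device.DeviceInfo.Label   = 'Trusted Platform Module'
$devSpec.Device.DeviceInfo.Summary = 'Trusted Platform Module'

$spec = New-Object VMware.Vim.VirtualMachineConfigSpec
$spec.DeviceChange = @($devSpec)

$view.ReconfigVM($spec)                        # blocking variant of ReconfigVM_Task
Write-Host "vTPM added to '$VMName'. Power the VM on and check for the device in the guest."
```

The synchronous ReconfigVM is used instead of ReconfigVM_Task so that a failed reconfigure surfaces as a PowerShell error rather than a task object that has to be polled. Note that adding the vTPM encrypts the VM home files through the KMS; from that point the VM can only be powered on where vCenter can reach that KMS, so the key-server availability becomes part of the VM's own availability.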
iNvisibleM4n
Contributor

Hi.

Thank you for the info and instructions :) Any news regarding this matter? At least the official guides have not been updated since the beginning of 2019?
