I've read the article about vTPM in vSphere 6.7 - Virtual Trusted Platform Modules - VMware vSphere Blog.
According to the content, the vTPM function seems to work only on Windows 10 or Server 2016 virtual machines, is that correct?
What about other OSes? Which API can enable vTPM for other VM OSes?
The last question is, does the vTPM need a certificate configured on it, or will the guest OS do the job?
Does anyone know? Any reply will be appreciated!
Hi niceguy001
Yes it is correct. VMware Docs: Add a Virtual Trusted Platform Module to a Virtual Machine | vSphere 6.7: Virtual TPM 2.0 - YouTube
https://docs.vmware.com/en/VMware-vSphere/6.7/vsphere-esxi-vcenter-server-67-security-guide.pdf
Please be so kind and mark this answer as "correct" or "helpful" if you think your questions have been answered.
thanks
Marcel
You can enable a vTPM for virtual machines running on vSphere 6.7 and later. The VMware virtual TPM is compatible with TPM 2.0 and creates a TPM-enabled virtual chip for use by the virtual machine and the guest OS it hosts.
To use virtual TPM, the following prerequisites must be met:
Ensure your vSphere environment is configured for virtual machine encryption. See Set up the Key Management Server Cluster.
The guest OS you use must be either Windows Server 2016 (64 bit) or Windows 10 (64 bit).
The ESXi hosts running in your environment must be ESXi 6.7 or later.
The virtual machine must use EFI firmware.
Rick
I don't know if you have already solved this problem, but I have found an option for adding a vTPM to a VM other than one with a Windows 10/2016 OS, which is available in the HTML5 client.
But you need to go into API calls.
I used the Code Capture feature that came with 6.7 U2.
PowerShell code:
# Requires an existing PowerCLI session (Connect-VIServer) and a VM with EFI firmware on an ESXi 6.7+ host
$VMName = "RedHat"
# Build a reconfiguration spec containing a single device change
$spec = New-Object VMware.Vim.VirtualMachineConfigSpec
$spec.DeviceChange = New-Object VMware.Vim.VirtualDeviceConfigSpec[] (1)
$spec.DeviceChange[0] = New-Object VMware.Vim.VirtualDeviceConfigSpec
# The device being added is a VirtualTPM (vSphere API class for the vTPM 2.0 device)
$spec.DeviceChange[0].Device = New-Object VMware.Vim.VirtualTPM
$spec.DeviceChange[0].Device.DeviceInfo = New-Object VMware.Vim.Description
$spec.DeviceChange[0].Device.DeviceInfo.Summary = 'Trusted Platform Module'
$spec.DeviceChange[0].Device.DeviceInfo.Label = 'Trusted Platform Module'
# Key -1 lets vSphere assign a device key on creation
$spec.DeviceChange[0].Device.Key = -1
$spec.DeviceChange[0].Operation = 'add'
# Get the managed object view of the VM and apply the spec
$_this = Get-VM $VMName | Get-View
$_this.ReconfigVM_Task($spec)
But it is not yet officially supported by VMware.
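As an added example (not code from the thread or from VMware), the following PowerCLI function checks the prerequisites quoted in Rick's post (ESXi 6.7+, EFI firmware, a KMS cluster configured for VM encryption, no vTPM already present) before a ReconfigVM_Task like the one above is run, and reports whether the guest is one of the officially supported Windows guests. It assumes an existing Connect-VIServer session; the VM name "RedHat" is a placeholder, and the CryptoManager property names are taken from the vSphere API as I know it.

```powershell
# Added example, not from the thread: verify vTPM prerequisites before adding the device.
# Assumes an existing PowerCLI session (Connect-VIServer); the VM name is a placeholder.
function Test-VTpmPrerequisites {
    param([Parameter(Mandatory)][string]$VMName)

    $vm  = Get-VM -Name $VMName -ErrorAction Stop
    $cfg = $vm.ExtensionData.Config
    $esx = $vm.VMHost

    # vCenter CryptoManager: a KMIP cluster must be registered for VM encryption
    # (property names Enabled / KmipServers assumed from the vSphere API)
    $crypto = Get-View (Get-View ServiceInstance).Content.CryptoManager
    $kmsConfigured = $crypto.Enabled -and (@($crypto.KmipServers).Count -gt 0)

    # A VM can carry only one VirtualTPM device
    $hasTpm = @($cfg.Hardware.Device | Where-Object { $_ -is [VMware.Vim.VirtualTPM] }).Count -gt 0

    $checks = [ordered]@{
        'ESXi 6.7 or later on host'  = ([version]$esx.Version -ge [version]'6.7.0')
        'EFI firmware'               = ($cfg.Firmware -eq 'efi')
        'KMS cluster configured'     = $kmsConfigured
        'No vTPM device present yet' = (-not $hasTpm)
    }

    # Guest OS is reported, not enforced: the thread shows non-Windows guests work via the API
    $officialGuest = $cfg.GuestId -in @('windows9_64Guest', 'windows9Server64Guest')

    foreach ($name in $checks.Keys) {
        $state = if ($checks[$name]) { 'PASS' } else { 'FAIL' }
        Write-Host ('[{0}] {1}' -f $state, $name)
    }
    $support = if ($officialGuest) { '' } else { 'not ' }
    Write-Host ('[INFO] Guest {0} is {1}officially supported for vTPM' -f $cfg.GuestId, $support)

    # $true only when every enforced prerequisite is satisfied
    return ($checks.Values -notcontains $false)
}

if (Test-VTpmPrerequisites -VMName 'RedHat') {
    Write-Host 'All prerequisites met: the VirtualTPM device can be added'
}
```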
AFAIK, the reason it was limited to Windows only was that, at the time of vTPM's release, there wasn't widespread support for tboot "out of the box" in the Linux distributions.
https://trustedcomputinggroup.org/resource/trusted-boot/
It should work if the GOS is configured properly to take advantage of it (although it is not officially supported, as we didn't test it).
