VMware vSphere

  • 1.  virtual TPM for Windows 10 and 2016 only?

    Posted Jul 24, 2018 08:54 AM

    I've read the article about vTPM in vSphere 6.7 - Virtual Trusted Platform Modules - VMware vSphere Blog

    According to the content, the vTPM function seems to only work on Win 10 or Server 2016 virtual machines; is it correct?

    What about other OSes? Which API can enable vTPM for other VM OSes?

    The last question is, does the vTPM need a certificate configured on it, or will the guest OS do the job?

    Does anyone know? Any reply will be appreciated :)



  • 2.  RE: virtual TPM for Windows 10 and 2016 only?
    Best Answer

    Posted Jul 24, 2018 12:53 PM

    Hi niceguy001

    Yes, it is correct. VMware Docs: Add a Virtual Trusted Platform Module to a Virtual Machine | vSphere 6.7: Virtual TPM 2.0 - YouTube

    Prerequisites

    • Ensure your vSphere environment is configured for virtual machine encryption. See Set up the Key Management Server Cluster.
    • The guest OS you use must be either Windows Server 2016 (64 bit) or Windows 10 (64 bit).
    • The ESXi hosts running in your environment must be ESXi 6.7 or later.
    • The virtual machine must use EFI firmware.

    https://docs.vmware.com/en/VMware-vSphere/6.7/vsphere-esxi-vcenter-server-67-security-guide.pdf

    Please be so kind and mark this answer as "correct" or "helpful" if you think your questions have been answered.

    Thanks

    Marcel



  • 3.  RE: virtual TPM for Windows 10 and 2016 only?

    Posted Jul 24, 2018 12:53 PM

    You can enable a vTPM for virtual machines running on vSphere 6.7 and later. The VMware virtual TPM is compatible with TPM 2.0 and creates a TPM-enabled virtual chip for use by the virtual machine and the guest OS it hosts.

    To use virtual TPM, the following prerequisites must be met:

    • Ensure your vSphere environment is configured for virtual machine encryption. See Set up the Key Management Server Cluster.
    • The guest OS you use must be either Windows Server 2016 (64 bit) or Windows 10 (64 bit).
    • The ESXi hosts running in your environment must be ESXi 6.7 or later.
    • The virtual machine must use EFI firmware.

    Rick



  • 4.  RE: virtual TPM for Windows 10 and 2016 only?

    Posted Jun 03, 2019 08:15 AM

    Don't know if you have already solved this problem, but I have found a way to add a vTPM to a VM other than one with a Windows 10/2016 OS (the option available in the HTML5 client).

    But you need to go into API calls.

    I have used the Code Capture feature that came with 6.7U2.

    PowerShell code:

    # Name of the VM that should receive the vTPM (requires an existing PowerCLI session)
    $VMName = "RedHat"

    # Build a reconfiguration spec containing a single device change
    $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
    $spec.DeviceChange = New-Object VMware.Vim.VirtualDeviceConfigSpec[] (1)
    $spec.DeviceChange[0] = New-Object VMware.Vim.VirtualDeviceConfigSpec

    # The device being added is a VirtualTPM
    $spec.DeviceChange[0].Device = New-Object VMware.Vim.VirtualTPM
    $spec.DeviceChange[0].Device.DeviceInfo = New-Object VMware.Vim.Description
    $spec.DeviceChange[0].Device.DeviceInfo.Summary = 'Trusted Platform Module'
    $spec.DeviceChange[0].Device.DeviceInfo.Label = 'Trusted Platform Module'

    # Key -1 lets vSphere assign the device key; 'add' creates the device
    $spec.DeviceChange[0].Device.Key = -1
    $spec.DeviceChange[0].Operation = 'add'

    # Apply the spec through the vSphere API view of the VM
    $_this = Get-VM $VMName | Get-View
    $_this.ReconfigVM_Task($spec)

    But it is not yet officially supported by VMware.
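
    The prerequisites listed earlier in the thread (VM encryption via a KMS, ESXi 6.7 or later, EFI firmware) are not checked by the API call above, so a pre-flight script is useful before running ReconfigVM_Task. The following is an added example, not code from the original post; it assumes an existing PowerCLI session (Connect-VIServer), uses $VMName as a placeholder, and treats a non-empty Config.KeyId as the sign that the VM is encrypted.

```powershell
# Pre-flight checks before adding a vTPM through ReconfigVM_Task.
# Assumes Connect-VIServer has already been run; $VMName is a placeholder.
$VMName = "RedHat"

$vm   = Get-VM -Name $VMName
$view = $vm | Get-View
$cfg  = $view.Config

$problems = @()

# vTPM requires EFI firmware on the VM.
if ($cfg.Firmware -ne 'efi') {
    $problems += "Firmware is '$($cfg.Firmware)'; vTPM requires 'efi'."
}

# The host running the VM must be ESXi 6.7 or later.
$hostVersion = [version]$vm.VMHost.Version
if ($hostVersion -lt [version]'6.7.0') {
    $problems += "Host $($vm.VMHost.Name) runs ESXi $hostVersion; 6.7 or later is required."
}

# vTPM depends on VM encryption (KMS cluster). Assumption used here:
# an encrypted VM carries a CryptoKeyId in Config.KeyId, an unencrypted one does not.
if (-not $cfg.KeyId) {
    $problems += "VM is not encrypted; configure VM encryption (KMS cluster) first."
}

# Avoid adding a second device if a vTPM already exists on the VM.
$existing = $cfg.Hardware.Device | Where-Object { $_ -is [VMware.Vim.VirtualTPM] }
if ($existing) {
    $problems += "VM already has a Trusted Platform Module (device key $($existing.Key))."
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    return
}
Write-Host "$VMName passes the vTPM pre-flight checks; ReconfigVM_Task can be run."
```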



  • 5.  RE: virtual TPM for Windows 10 and 2016 only?

    Posted Jun 03, 2019 09:51 PM

    AFAIK the reason it was limited to Windows only was that at the time of vTPM's release there wasn't widespread support for tboot "out of the box" in the Linux distributions.

    https://trustedcomputinggroup.org/resource/trusted-boot/

    It should work if the GOS is configured properly to take advantage (although not officially supported, as we didn't test).