VMware vSphere

 View Only

  • 1.  Virtual TPM (vTPM) in Linux guest OS

    Posted Mar 15, 2019 08:08 AM

    Hello,

    All the resources I've read about the virtual TPM 2.0 device in VMWare seem to suggest that the guest OS should be Windows 10 or 2016. One post, https://blogs.vmware.com/vsphere/2018/05/vsphere-6-7-virtual-trusted-platform-modules.html​, suggests that support for other OS's is possible through the use of an API, but doesn't go into detail about which API should be used or how it should be used. It seems to me that if the vTPM is an implementation of a TPM 2.0 interface, it should show up as a TPM device in Linux too, and "just work".

    I have a use case where we would need to store server SSH keys, VPN keys and such securely in a TPM in CentOS. The vTPM seems like a great fit, but it is very unclear from the current documentation if this is supported at the moment. Is it possible to add/use a vTPM in Linux, and if not, are there plans to add support in the near future?

    Best regards,

    Stefan



  • 2.  RE: Virtual TPM (vTPM) in Linux guest OS

    Posted Jun 03, 2019 08:24 AM

    Don't know, if you have already solved this problem, but I have found an option how to add a vTPM to another VM, than one with Windows 10/2016 OS, which is available in the HTML5 client.

    But you need to go into API calls.

    I have used the Code capture feature that came with 6.7U2.

    Powershell code:

    $VMName = "RedHat"

    $spec = New-Object VMware.Vim.VirtualMachineConfigSpec

    $spec.DeviceChange = New-Object VMware.Vim.VirtualDeviceConfigSpec[] (1)

    $spec.DeviceChange[0] = New-Object VMware.Vim.VirtualDeviceConfigSpec

    $spec.DeviceChange[0].Device = New-Object VMware.Vim.VirtualTPM

    $spec.DeviceChange[0].Device.DeviceInfo = New-Object VMware.Vim.Description

    $spec.DeviceChange[0].Device.DeviceInfo.Summary = 'Trusted Platform Module'

    $spec.DeviceChange[0].Device.DeviceInfo.Label = 'Trusted Platform Module'

    $spec.DeviceChange[0].Device.Key = -1

    $spec.DeviceChange[0].Operation = 'add'

    $_this = Get-VM $VMname | Get-View

    $_this.ReconfigVM_Task($spec)

    But it is not yet officially supported by VMware.

    To use virtual TPM, the following prerequisites must be met:

    Ensure your vSphere environment is configured for virtual machine encryption. See Set up the Key Management Server Cluster.

    The guest OS you use must be either Windows Server 2016 (64 bit) or Windows 10 (64 bit).

    The ESXi hosts running in your environment must be ESXi 6.7 or later.

    The virtual machine must use EFI firmware.



  • 3.  RE: Virtual TPM (vTPM) in Linux guest OS

    Posted Aug 08, 2019 05:07 AM

    Hi.

    Thank you for the info and instructions :smileyhappy: Any news regarding this matter? At least the official guides have not been updated since the beginning of 2019?