1. KVM User's Guide
  2. KVM Instances: Hardware Configuration
  3. Add vTPM Security to KVM Instance

Add vTPM Security to KVM Instance

The following provides information about the use of Virtual Trusted Platform Module (vTPM) security. It also includes configuration information for enabling vTPM security on a KVM instance.

About vTPM Security

A virtual Trusted Platform Module (vTPM) is a software-based representation of a physical Trusted Platform Module 2.0 chip. A vTPM acts as any other virtual device and provides security-related functions such as random number generation, attestation, and key generation. When added to a KVM instance, vTPM enables the guest OS to create and store keys that are private and not exposed to other guests. If a KVM instance is compromised and vTPM is enabled, the risk of its secrets being compromised is reduced because the keys are only usable to the KVM's guest OS for encryption or signing.

You can add a vTPM to an existing Oracle Linux 8, or Oracle Linux 9 KVM. When you enable vTPM, the KVM files are encrypted but not the disks. Although, you can choose to add encryption explicitly for the KVM and its disks.

What Do You Need?

  • Administrator privileges.
  • Existing KVM instance on host system.

    For details, see Create: KVM Instance.

Steps

Follow these steps to install the vTPM software package and edit the guest OS configuration file to include vTPM security properties.

  1. Install the vTPM software packages.

    Example syntax using Yum. 

    yum -y install swtpm libtpms swtpm-tools
  2. Shut down the KVM instance.
    For details, see KVM: Shut Down Instance.
  3. Perform these steps to add the vTPM settings to the guest OS XML configuration file:
    1. Use the virsh edit command to edit the guest OS XML configuration.
      For example: 
      virsh edit My_KVMGuest_Name

      Note:

      The virsh edit command opens the XML file in the text editor specified by the $EDITOR shell parameter. The vi editor is set by default.
    2. Update the guest OS XML configuration file to include the vTPM security properties.
      For example: 
      <devices>
     ...
     </input>
     <input type='mouse' bus='ps2'/>
     <input type='keyboard' bus='ps2'/>
     <tpm model='tpm-crb'>
       <backend type='emulator' version='2.0'/>
     </tpm>
     <graphics type='vnc' port='-1' autoport='yes'>
       <listen type='address'/>
     </graphics>
     ...
</devices>
      Where:
      • model='tpm-crb' – sets the TPM model type as Command-Response Buffer (CRB).

        Note:

        The tpm-crb option is available only when you specify version='2.0'.
      • type='emulator' – sets the device type as emulator.
      • version='2.0' – sets the tpm version as 2.0.

      Note:

      When creating a KVM instance for the first time on Oracle Linux 8 or Oracle Linux 9, you can also use the virt-install command --tpm option to specify the TPM emulated device information at installation time. For example: 
      virt-install --name MY_KVMGuest_ol8-tpm2 --memory 2048 --vcpus 2 \
--disk path=/systest/images/My_KVMGuest_ol8-tpm2.qcow2,size=20 \
--location /systest/iso/ol8.iso --os-variant ol8 \
--network network=default --graphics vnc,listen=0.0.0.0 --tpm
emulator,model=tpm-crb,version=2.0
    3. Save the guest OS XML configuration changes.
  4. Start the KVM instance.
    For details, see KVM: Start Instance.