Module 45: Trusted Platform Module (TPM)

Introduction

VMs can be configured to use a virtual Trusted Platform Module (TPM) during configuration. A TPM provides a variety of security features, such as the generation and storage of cryptographic keys. Note that a virtual TPM does not have the same security guarantees as a true hardware module.

Additional dependencies are required to create the virtual TPM socket the VM connects to. The following sections describe the use of one option, swtpm.

Using swtpm

swtpm is a software TPM emulator that has been tested with minimega. The general process for using swtpm is as follows:

  1. Install swtpm on the host machine following the instructions
  2. Start a swtpm socket: swtpm socket --tpmstate dir=/mydir --ctrl type=unixio,path=/mydir/swtpm-socket
  3. Configure your VM to point to the socket: vm config tpm-socket /mydir/swtpm-socket
  4. After booting, configure your VM as needed to utilize TPM
    1. For example, a Windows domain can be configured to use virtual smartcards

Repeat steps 2-4 for each individual VM that needs a TPM. A different socket should be used per VM.
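The following shell script is an added example, not part of minimega or swtpm, that carries out steps 2 and 3 for several VMs while keeping one state directory and one socket per VM. It assumes a root directory of its own choosing (TPM_ROOT, defaulting to /tmp/minimega-tpm) in place of /mydir, and it only launches swtpm when the binary is present; the minimega line it produces is the one from step 3, to be entered at the minimega prompt.

```shell
#!/bin/sh
# Added example (not minimega or swtpm code): one swtpm instance per VM.
# Assumption: TPM state lives under $TPM_ROOT/<vm-name>/ (our own layout,
# standing in for the page's /mydir).
TPM_ROOT="${TPM_ROOT:-/tmp/minimega-tpm}"

# State directory for one VM. Separate directories keep each VM's TPM
# state (and therefore its keys) apart from every other VM's.
tpm_state_dir() {
    printf '%s/%s\n' "$TPM_ROOT" "$1"
}

# Control socket path for one VM; this is what "vm config tpm-socket" points at.
tpm_socket_path() {
    printf '%s/swtpm-socket\n' "$(tpm_state_dir "$1")"
}

# The swtpm command from step 2, with the per-VM directory substituted.
swtpm_cmd() {
    dir=$(tpm_state_dir "$1")
    printf 'swtpm socket --tpmstate dir=%s --ctrl type=unixio,path=%s/swtpm-socket\n' "$dir" "$dir"
}

# The minimega configuration line from step 3 for one VM.
minimega_cmd() {
    printf 'vm config tpm-socket %s\n' "$(tpm_socket_path "$1")"
}

# Start swtpm for one VM. Refuses to reuse an existing socket, because the
# page requires a distinct socket per VM; two VMs sharing one would also
# share TPM state.
start_tpm() {
    vm=$1
    dir=$(tpm_state_dir "$vm")
    sock=$(tpm_socket_path "$vm")
    if [ -e "$sock" ]; then
        echo "refusing to start: $sock already exists (one socket per VM)" >&2
        return 1
    fi
    mkdir -p "$dir"
    chmod 700 "$dir"   # the state directory holds key material; keep it private
    if command -v swtpm >/dev/null 2>&1; then
        # Run in the background so the script can continue with the next VM.
        swtpm socket --tpmstate dir="$dir" --ctrl type=unixio,path="$sock" &
        echo "started swtpm for $vm; now run in minimega: $(minimega_cmd "$vm")"
    else
        echo "swtpm not installed; would run: $(swtpm_cmd "$vm")" >&2
        return 2
    fi
}

# Usage: ./tpm-per-vm.sh vm1 vm2 ...   (one socket and state dir per name)
for vm in "$@"; do
    start_tpm "$vm" || true
done
```

Each VM name yields its own directory and socket, so repeating the page's steps 2 to 4 for additional VMs is a matter of calling the script with more names; the refusal to reuse an existing socket is what enforces the "different socket per VM" rule.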