New in version 22.0.0: (Victoria)
Starting in the 22.0.0 (Victoria) release, Nova supports adding an emulated virtual Trusted Platform Module (vTPM) to guests.
The following are required on each compute host wishing to support the vTPM feature:

- libvirt.virt_type of kvm or qemu.
- The libvirt.swtpm_enabled config option set to True. This will enable support for both TPM version 1.2 and 2.0.

With the above requirements satisfied, verify vTPM support by inspecting the traits on the compute node's resource provider:
$ openstack resource provider trait list $compute_uuid | grep SECURITY_TPM
| COMPUTE_SECURITY_TPM_1_2 |
| COMPUTE_SECURITY_TPM_2_0 |
A vTPM can be requested on a server via flavor extra_specs or image metadata properties.
| Flavor extra_specs | Image metadata | Description |
|---|---|---|
| hw:tpm_version | hw_tpm_version | Specify the TPM version, 1.2 or 2.0. Required if requesting a vTPM. |
| hw:tpm_model | hw_tpm_model | Specify the TPM model, tpm-tis (the default) or tpm-crb (only valid with version 2.0). |
Scheduling will fail if flavor and image supply conflicting values, or if model tpm-crb is requested with version 1.2.
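The trait check and the flavor/image rules above can be exercised offline. The following is an added example, not code from the Nova project: it parses the trait listing shown earlier (a constructed sample of that output is embedded) and applies the documented rules to a flavor/image pair, so an operator can predict a scheduling failure before creating the server. The function names (`supported_tpm_versions`, `resolve_vtpm_request`, `host_can_schedule`) are this example's own, not Nova APIs.

```python
"""Added example: validate a vTPM request against the Nova docs' rules.

Not Nova code. Function names are hypothetical; the trait output is a
constructed sample shaped like `openstack resource provider trait list`.
"""
import re

# Constructed sample of the filtered trait listing from the docs.
SAMPLE_TRAIT_OUTPUT = """\
| COMPUTE_SECURITY_TPM_1_2 |
| COMPUTE_SECURITY_TPM_2_0 |
"""

# Trait names encode the TPM version as MAJOR_MINOR.
_TRAIT_RE = re.compile(r"COMPUTE_SECURITY_TPM_(\d)_(\d)")

VALID_VERSIONS = {"1.2", "2.0"}
VALID_MODELS = {"tpm-tis", "tpm-crb"}
DEFAULT_MODEL = "tpm-tis"


class VTPMRequestError(ValueError):
    """Raised for a request the docs say scheduling would reject."""


def supported_tpm_versions(trait_output):
    """Return the set of TPM versions a compute node advertises via traits."""
    return {f"{major}.{minor}" for major, minor in _TRAIT_RE.findall(trait_output)}


def _merge(flavor_val, image_val, label):
    """Combine a flavor extra_spec with its image metadata counterpart.

    Conflicting non-empty values cause a scheduling failure per the docs.
    """
    if flavor_val is not None and image_val is not None and flavor_val != image_val:
        raise VTPMRequestError(
            f"conflicting {label}: flavor={flavor_val!r} image={image_val!r}")
    return flavor_val if flavor_val is not None else image_val


def resolve_vtpm_request(extra_specs, image_props):
    """Return (version, model) for a vTPM request, or None if none requested.

    extra_specs uses the hw:tpm_* keys, image_props the hw_tpm_* keys.
    """
    version = _merge(extra_specs.get("hw:tpm_version"),
                     image_props.get("hw_tpm_version"), "TPM version")
    model = _merge(extra_specs.get("hw:tpm_model"),
                   image_props.get("hw_tpm_model"), "TPM model")
    if version is None and model is None:
        return None  # no vTPM requested at all
    if version is None:
        # The version is required whenever a vTPM is requested.
        raise VTPMRequestError("hw:tpm_version / hw_tpm_version is required")
    if version not in VALID_VERSIONS:
        raise VTPMRequestError(f"unknown TPM version {version!r}")
    if model is None:
        model = DEFAULT_MODEL
    if model not in VALID_MODELS:
        raise VTPMRequestError(f"unknown TPM model {model!r}")
    if model == "tpm-crb" and version != "2.0":
        raise VTPMRequestError("tpm-crb is only valid with TPM version 2.0")
    return version, model


def host_can_schedule(extra_specs, image_props, trait_output):
    """True if the request is valid and the host advertises the needed version."""
    request = resolve_vtpm_request(extra_specs, image_props)
    if request is None:
        return True
    version, _model = request
    return version in supported_tpm_versions(trait_output)


if __name__ == "__main__":
    print(supported_tpm_versions(SAMPLE_TRAIT_OUTPUT))
    print(resolve_vtpm_request({"hw:tpm_version": "2.0",
                                "hw:tpm_model": "tpm-crb"}, {}))
```

The conflict check treats an image property and a flavor extra_spec that both set a value but disagree as a failure, which matches the page's statement about conflicting values; a host that only advertises COMPUTE_SECURITY_TPM_1_2 will report False for any 2.0 request.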
Upon successful boot, the server should see a TPM device such as /dev/tpm0, which can be used in the same manner as a hardware TPM.
With a hardware TPM, the root of trust is a secret known only to the TPM user. In contrast, an emulated TPM comprises a file on disk which the libvirt daemon must be able to present to the guest. At rest, this file is encrypted using a passphrase stored in a key manager service. The passphrase in the key manager is associated with the credentials of the owner of the server (the user who initially created it). The passphrase is retrieved and used by libvirt to unlock the emulated TPM data any time the server is booted.
Although the above mechanism uses a libvirt secret that is both private (can't be displayed via the libvirt API or virsh) and ephemeral (exists only in memory, never on disk), it is theoretically possible for a sufficiently privileged user to retrieve the secret and/or vTPM data from memory.
A full analysis and discussion of security issues related to emulated TPM is beyond the scope of this document.
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License.