Emulated Trusted Platform Module (vTPM)

Atmosphere ships with the vTPM features enabled by default, so you only need to (optionally) verify that the support is present and then configure either a flavor or an image to use it.

Verify the configuration (optional)

You can verify that vTPM support is enabled by inspecting the traits on the compute node's resource provider:

$ COMPUTE_UUID=$(openstack resource provider list --name $HOST -f value -c uuid)
$ openstack resource provider trait list $COMPUTE_UUID | grep SECURITY_TPM
| COMPUTE_SECURITY_TPM_1_2 |
| COMPUTE_SECURITY_TPM_2_0 |

In the example above, $HOST is the hostname of the compute node where you want to verify that vTPM support is enabled.

Configuring vTPM

The vTPM can be configured using flavor extra specs (which requires operator access) or through image metadata properties, which can be set by the user. Two versions are supported:

  • 1.2

  • 2.0

In addition, two models are supported:

  • TPM Interface Specification (TIS)

  • Command-Response Buffer (CRB)

Note

The CRB model is only supported with version 2.0, which is also the recommended option.

Flavor configuration

You can use the hw:tpm_version and hw:tpm_model properties to configure the vTPM on a flavor. For example, to configure a flavor to use TPM 2.0 with the CRB model:

$ openstack flavor create test.vtpm \
    --ram 512 --disk 1 --vcpus 1  \
    --property hw:tpm_version=2.0 \
    --property hw:tpm_model=tpm-crb
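The two steps above (checking the COMPUTE_SECURITY_TPM traits and then choosing a valid version/model pair) are easy to get wrong by hand, in particular the rule from the note that CRB only exists for TPM 2.0. The following POSIX shell script is an added example, not part of the Atmosphere documentation: it parses trait-list output of the form shown earlier, validates the version and model, and prints (rather than runs) the flavor create command. The trait text is a constructed sample so the script runs offline; in a real run you would pipe in the output of `openstack resource provider trait list "$COMPUTE_UUID"`. The model value tpm-tis is the Nova value for the TIS model and is not shown on this page; the function and variable names are my own.

```shell
#!/bin/sh
# Added example: gate vTPM flavor creation on the compute node's traits and
# enforce the version/model rules from the page. Not Atmosphere's own code.

# Constructed sample of `openstack resource provider trait list ... | grep SECURITY_TPM`.
SAMPLE_TRAITS='| COMPUTE_SECURITY_TPM_1_2 |
| COMPUTE_SECURITY_TPM_2_0 |'

# has_tpm_trait VERSION: reads trait-list lines on stdin and succeeds when the
# COMPUTE_SECURITY_TPM_<VERSION> trait is present (1.2 -> TPM_1_2, 2.0 -> TPM_2_0).
has_tpm_trait() {
    ver=$(printf '%s' "$1" | tr . _)
    # strip the table borders so we can match the whole trait name exactly
    sed 's/[| ]//g' | grep -qx "COMPUTE_SECURITY_TPM_${ver}"
}

# vtpm_properties VERSION MODEL: prints the --property flags for a flavor or
# image, or fails when the combination is not valid. tpm-tis (TIS) works with
# 1.2 and 2.0; tpm-crb (CRB) requires 2.0, as the note on the page says.
vtpm_properties() {
    version=$1
    model=$2
    case "$version" in
        1.2|2.0) ;;
        *) echo "unsupported hw:tpm_version: $version" >&2; return 1 ;;
    esac
    case "$model" in
        tpm-tis) ;;
        tpm-crb)
            if [ "$version" != "2.0" ]; then
                echo "hw:tpm_model=tpm-crb requires hw:tpm_version=2.0" >&2
                return 1
            fi ;;
        *) echo "unsupported hw:tpm_model: $model" >&2; return 1 ;;
    esac
    printf -- '--property hw:tpm_version=%s --property hw:tpm_model=%s\n' "$version" "$model"
}

# vtpm_flavor_cmd TRAITS NAME VERSION MODEL: prints the openstack flavor create
# command line, refusing when the node does not advertise the requested version.
# The command is printed, not executed, so this can be reviewed before running.
vtpm_flavor_cmd() {
    traits=$1
    name=$2
    version=$3
    model=$4
    if ! printf '%s\n' "$traits" | has_tpm_trait "$version"; then
        echo "compute node does not advertise COMPUTE_SECURITY_TPM for version $version" >&2
        return 1
    fi
    props=$(vtpm_properties "$version" "$model") || return 1
    printf 'openstack flavor create %s --ram 512 --disk 1 --vcpus 1 %s\n' "$name" "$props"
}

# Stand-alone demonstration against the constructed sample.
vtpm_flavor_cmd "$SAMPLE_TRAITS" test.vtpm 2.0 tpm-crb
```

Because vtpm_properties only emits the property flags, the same function can be reused for `openstack image set <image-name-or-uuid> $(vtpm_properties 2.0 tpm-crb)` when you configure an image instead of a flavor.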

Image configuration

You can also configure the vTPM on an image using the same properties. For example, to configure an image to use TPM 2.0 with the CRB model:

$ openstack image set <image-name-or-uuid> \
    --property hw:tpm_version=2.0 \
    --property hw:tpm_model=tpm-crb

This is useful if you need to enable the vTPM feature without operator access to the cloud, or for specific images, such as Windows versions that require a TPM to be present.

Create an instance with vTPM

Once you’ve configured the vTPM, you can create an instance using the flavor or image you configured. For example, to create an instance using the flavor we created previously:

$ openstack server create --flavor test.vtpm test-instance

Or using an image:

$ openstack server create --image <image-name-or-uuid> test-instance

The instance should now have the vTPM device available.