The specific use case for a vTPM on vSphere is to support the Windows 10 and Windows Server 2016 security features, and the HTML5 UI is designed with this in mind. Enabling VBS does not require a vTPM.
Enabling a vTPM for any VM other than Windows 10 and Windows Server 2016 is done via the API. More on that in the future.
Let's get a question I am often asked out of the way up front.
"Does this mean I can run BitLocker on a Windows VM now?!"
Well, technically, all the parts are now there to run BitLocker, but I have to ask "Why?". Remember, in order to enable a vTPM you must already have VM Encryption!
This means you already have a virtual machine encryption solution that is easy to manage and works for every virtual machine supported on vSphere, regardless of the guest operating system. Not to mention, you don't have to manage the encryption in-guest, which lowers your overall workload significantly. #NoSecuritySnowflakes
If you want to test software that uses TPM 2.0 functionality inside a qemu-kvm guest, this can be challenging because the software stack is still quite new. Here is how I did it.
To log in to the VM, run: virsh console test
Then complete the following steps:
Run dhclient to obtain an address for the VM.
dnf install tpm2-tools tpm2-tss tpm2-abrmd
Then run the access broker / resource manager (abrmd) as root:
/usr/sbin/tpm2-abrmd --allow-root &
You should now be able to query the TPM with a command such as tpm2_pcrlist.
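As an added example (not from the original post and not part of the tpm2-tools project), the steps above collected into one script that starts the resource manager if it is not already running and then summarises the PCR banks reported by tpm2_pcrlist, flagging every PCR that no longer holds its reset value. It assumes tpm2-tools 3.x, which still ships tpm2_pcrlist, and that qemu exposes the emulated TPM to the guest as /dev/tpm0; both are assumptions, as is the constructed sample output the script falls back to when no TPM is present.

```shell
#!/bin/sh
# Added example, not part of the original post: bring up the TPM 2.0 user-space
# stack inside the qemu-kvm guest and sanity-check what tpm2_pcrlist reports.
# Assumptions: tpm2-tools 3.x (tpm2_pcrlist, tpm2-abrmd) from the dnf step above,
# and the emulated TPM exposed to the guest as /dev/tpm0 (override with TPM_DEV).

TPM_DEV=${TPM_DEV:-/dev/tpm0}

# Start the access broker / resource manager once; tpm2-tools 3.x talks to it over D-Bus.
start_abrmd() {
    if pgrep -x tpm2-abrmd >/dev/null 2>&1; then
        return 0
    fi
    /usr/sbin/tpm2-abrmd --allow-root &
    sleep 1   # give the daemon a moment to claim its D-Bus name
}

# Read tpm2_pcrlist output on stdin and print one line per bank:
#   <bank> <pcrs not at their reset value> <pcrs listed>
# Reset values follow the TPM 2.0 PC Client spec: PCRs 17-22 (DRTM) reset to all
# ones, every other PCR resets to all zeros.  A PCR that differs has been extended.
summarize_pcrs() {
    awk '
        # Bank header, e.g. "sha256 :"
        /^[a-z0-9_]+ *: *$/ { bank = $1; next }
        # PCR line, e.g. "  7  : 3d45..."  ($1 = index, last field = digest)
        bank != "" && $1 ~ /^[0-9]+$/ {
            idx = $1 + 0; hex = tolower($NF); total[bank]++
            reset = (idx >= 17 && idx <= 22) ? "f" : "0"
            if (hex !~ ("^" reset "+$")) extended[bank]++
        }
        END { for (b in total) printf "%s %d %d\n", b, extended[b] + 0, total[b] }
    ' | sort
}

# Constructed sample of tpm2_pcrlist output (not captured from a real TPM): a
# freshly reset TPM in which only PCR 7 of the sha1 bank has been extended.
SAMPLE_PCRLIST='sha1 :
  0  : 0000000000000000000000000000000000000000
  7  : 3d458cfe55cc03ea1f443f1562beec8df51c75e1
  17 : ffffffffffffffffffffffffffffffffffffffff
sha256 :
  0  : 0000000000000000000000000000000000000000000000000000000000000000
  17 : ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'

main() {
    if [ -c "$TPM_DEV" ] && command -v tpm2_pcrlist >/dev/null 2>&1; then
        start_abrmd
        tpm2_pcrlist | summarize_pcrs
    else
        echo "no TPM at $TPM_DEV or tpm2-tools not installed; summarising the constructed sample" >&2
        printf '%s\n' "$SAMPLE_PCRLIST" | summarize_pcrs
    fi
}

main "$@"
```

Run it as root inside the guest after the dnf step. Two caveats: in tpm2-tools 4.0 and later tpm2_pcrlist was renamed tpm2_pcrread and its output format changed, so the parser would need adjusting there; and whether PCRs 0-7 are already extended on a freshly booted guest depends on whether the guest firmware measured the boot into the emulated TPM, so all-zero banks are not by themselves a sign that the emulation is broken.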