How to use physical TPM?

hckaraca99

New Member
Aug 13, 2024
Hello,

Lately I have been trying to reach the physical TPM in a VM. I wonder if it is possible by using the passthrough drivers?
My goal is to prevent the users from copying the VM and running it on another host. For this purpose, I am trying to use the TPM.

Thanks.
 
I.e. don't give the users permission to copy/migrate/backup that VM.
It would be very helpful if Proxmox staff could tell the community how to use passthrough TPM. I saw a lot of questions about this topic but there is no explanation. Is it even possible?
 
I am also hoping to get a response on this request. vTPM does not pass the hardware validation test when implementing Azure Stack HCI. Is there a way to make the vTPM actually perform the responsibilities of a TPM module? Or is/will there be a TPM module passthrough option? :)
 
I almost forgot that Proxmox is still Debian + QEMU, so after digging through the QEMU docs, adding this argument line to /etc/pve/qemu-server/<vmid>.conf, as mentioned in the QEMU docs (https://www.qemu.org/docs/master/specs/tpm.html), seems to work:
Code:
args: -tpmdev passthrough,id=tpm0,cancel-path=/dev/null,path=/dev/tpm0 -device tpm-tis,tpmdev=tpm0
 
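An added example, not part of the thread and not Proxmox or QEMU code: a Python check an administrator could run over VM config text to find guests that an `args:` line like the one above wires to the host's physical TPM. The function names, finding codes and both sample configs are assumptions constructed for illustration.

```python
import shlex

def parse_opts(value):
    """Split QEMU 'type,key=val,...' into (type, {key: val})."""
    head, *rest = value.split(",")
    return head, dict(kv.split("=", 1) for kv in rest if "=" in kv)

def audit_tpm_config(conf_text):
    """Return (code, detail) findings for the active section of a VM config."""
    backends, frontends, has_vtpm = {}, set(), False
    for line in conf_text.splitlines():
        if line.startswith("["):          # snapshot sections begin here; skip them
            break
        key, _, value = line.partition(":")
        if key.strip() == "tpmstate0":    # Proxmox's own emulated vTPM state volume
            has_vtpm = True
        if key.strip() != "args":
            continue
        tokens = shlex.split(value)
        for flag, opt in zip(tokens, tokens[1:]):
            kind, opts = parse_opts(opt)
            if flag == "-tpmdev" and kind == "passthrough":
                backends[opts.get("id")] = opts
            elif flag == "-device" and kind.startswith("tpm-"):
                frontends.add(opts.get("tpmdev"))
    findings = []
    for dev_id, opts in backends.items():
        # QEMU falls back to /dev/tpm0 when path= is omitted
        findings.append(("HOST_TPM_EXPOSED", opts.get("path", "/dev/tpm0")))
        if dev_id not in frontends:       # backend defined but no guest-visible device
            findings.append(("NO_FRONTEND", str(dev_id)))
        if opts.get("cancel-path") == "/dev/null":  # cancel writes are discarded
            findings.append(("CANCEL_DISCARDED", str(dev_id)))
        if has_vtpm:                      # emulated and physical TPM both configured
            findings.append(("VTPM_ALSO_SET", "tpmstate0"))
    return findings

# Constructed sample configs (not taken from a real host)
SAMPLE_OK = """\
cores: 2
memory: 4096
args: -tpmdev passthrough,id=tpm0,cancel-path=/dev/null,path=/dev/tpm0 -device tpm-tis,tpmdev=tpm0
"""
SAMPLE_BROKEN = """\
tpmstate0: local-lvm:vm-101-disk-1,size=4M,version=v2.0
args: -tpmdev passthrough,id=tpm0 -device tpm-tis,tpmdev=tpm1
[snap1]
args: -tpmdev passthrough,id=old,path=/dev/tpm1
"""
```

Feeding it the contents of each file under /etc/pve/qemu-server/ gives an inventory of which guests can talk directly to the host TPM.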
I know this is an old thread but I have a warning for those looking for this topic and TPM in general.

Please read very carefully.

If any software or game is forcing you to use a "certified" TPM module, which means it has to have a valid EK Cert, it means it may try to:
- Take advantage of you at any point in time
- Exploit you in an unknown way
- Force you to change your behavior, or control it, at any moment, including forced obedience

TPM is here to protect you, and a software-emulated one or a hardware one without an EK Cert is perfectly fine doing its job.
If anything is forcing you to use a valid "CERTIFIED" EK Cert TPM type, it means you ARE HANDING OVER THE CONTROL OF YOUR HARDWARE AND OPERATING SYSTEM TO SOMEONE OTHER THAN YOU.

Please be aware of the type of hardware and software you are using, or our privacy and freedom will collapse.