Passthrough TPM

W

wsandiego

New Member
Nov 28, 2022
8
0
1
Hi, is there a way to create a VM and "passthrough" the TPM chip from the CPU/motherboard to it?
This is a newbie question so maybe I'm misunderstanding how crypto/certificates work, but here is my need:
I have a GlobalSign code-signing certificate which is supposed to be installed "in the TPM chip". I don't know exactly how this works, but I know it works.
However, I believe it needs a Windows OS to do so. Obviously I cannot do it with Proxmox, so I need to do it from a Windows VM, but I have to make sure the certificate I'm going to install in Windows VM will be saved in the real hardware, so it can be accessible from other VMs as well.

Is there such a feature to "passthrough" TPM to the Windows VM?
 
leesteken said:
Maybe an emulated TPM is a better approach? You don't want to lock yourself out of Proxmox with the real one.
Click to expand...
It would be better, if I could share such storage between VMs. The problem here is that I install a certificate in an emulated TPM attached to a VM, and then I'd like to use the same certificate in another VM (for example, two different build servers).

That's why I considered trying to passthrough the host TPM to multiple VMs.

Is it possible to use a single virtual TPM storage in two or more different VMs?
 
wsandiego said:
Is it possible to use a single virtual TPM storage in two or more different VMs?
Click to expand...
Sorry to necro an old thread - did you ever figure this out? I'm interested in this as well.

I'm pretty sure that passthrough works with only one VM running at a time, but maybe Proxmox is able to use the physical TPM module as underlying vTPM storage?
 
Last edited:
For those that are still looking for answers: Proxmox now supports vTPM - vTPM is a virtual TPM, basically software that emulates a TPM, it should be secure provided your host is secure (eg. Secure Boot + TPM + encryption and tamper detection, what I'm looking into right now). You can chain Secure Boot all the way into the swtpm software, but it becomes complicated. You don't want to give your VM access to your host's TPM, always a bad idea, most TPM these days are embedded in the CPU if not closely tied together.

What OP is asking about is an HSM (Hardware Security Module) which is a pluggable hardware module that can be virtualized and provides similar functions to a TPM, but to more clients than just 1. Thales sells one, not sure if it supports SR-IOV or anything.
 
You must log in or register to reply here.
Top Bottom