vTPM support - do we have guide to add the vTPM support?

jerry4on (New Member), Jul 24, 2019
Hi,

I am trying to do some labs on Windows 10 regarding Windows Hello, but it requires TPM.

I searched many places but found no doc on how to add TPM support on the PVE platform, but I found that it is possible via "swtpm" - an emulated TPM for QEMU:

https://s3hh.wordpress.com/2018/06/03/tpm-2-0-in-qemu/
https://github.com/stefanberger/swtpm

However, the steps in the blog require compiling the source. Before I mess up my whole environment (by compiling and installing the files), I want to ask if there is any OFFICIAL document / proven working steps to provide vTPM support on the PVE platform?

Any input is welcome!
 
There is no official documentation or support for this, but I just tried the procedure from the blog you posted, and except for some missing packages (it'll tell you which you need) it worked fine. QEMU itself seems to handle it, though of course you will have to specify the swtpm device either manually (e.g. 'qm showcmd <vmid> --pretty', add your device and run it) or via the 'args:' parameter in your vm config.
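As an added example (not from the original post and not Proxmox's own tooling), this is the manual wiring described above: one swtpm socket per VM, and the matching QEMU options handed to the VM through the 'args:' parameter with 'qm set'. It assumes swtpm is already installed on the host; the state and socket directories under /var/lib/vtpm and /run/vtpm and the tpm-tis device type are my choices, not values from the thread.

```shell
#!/bin/sh
# Constructed helper for attaching an swtpm-backed TPM 2.0 to a PVE VM.
# Assumptions: swtpm is installed; the VM boots with OVMF (UEFI);
# STATE_ROOT and SOCK_ROOT are arbitrary host directories chosen here.
STATE_ROOT="${STATE_ROOT:-/var/lib/vtpm}"
SOCK_ROOT="${SOCK_ROOT:-/run/vtpm}"

# Control-socket path for a given VMID (one swtpm instance per VM).
vtpm_sock() { printf '%s/%s.sock' "$SOCK_ROOT" "$1"; }

# Start the emulated TPM 2.0 for VMID as a daemon. The tpmstate directory
# is where swtpm persists the TPM's NVRAM, i.e. the file on the host that
# holds whatever the guest seals into the TPM (BitLocker keys included),
# so restrict it to root: the emulated TPM is only as protected as this dir.
vtpm_start() {
  vmid="$1"
  mkdir -p "$STATE_ROOT/$vmid" "$SOCK_ROOT"
  chmod 700 "$STATE_ROOT/$vmid"
  swtpm socket --tpm2 --daemon \
    --tpmstate "dir=$STATE_ROOT/$vmid" \
    --ctrl "type=unixio,path=$(vtpm_sock "$vmid")" \
    --log "level=2,file=$STATE_ROOT/$vmid/swtpm.log"
}

# QEMU arguments that expose the socket to the guest as a TPM-TIS device:
# chardev (host socket) -> tpmdev emulator backend -> tpm-tis frontend.
vtpm_qemu_args() {
  printf '%s%s%s' \
    '-chardev socket,id=chrtpm,path=' \
    "$(vtpm_sock "$1")" \
    ' -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis,tpmdev=tpm0'
}

# Persist the arguments in the VM config (/etc/pve/qemu-server/<vmid>.conf)
# via the 'args:' parameter, so 'qm start' picks them up every time.
vtpm_attach() {
  qm set "$1" --args "$(vtpm_qemu_args "$1")"
}

# Typical use for VM 100 (swtpm must be running before the VM starts):
#   vtpm_start 100 && vtpm_attach 100 && qm start 100
```

The swtpm daemon has to be started before each 'qm start' (for example from a hookscript or a systemd unit), since nothing in the VM config launches it for you.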
 
Earlier I did some work to make this work, but due to real life I did not finish it.

I made a build environment on PVE for libtpm and swtpm. Script and packages are here: https://github.com/rayures/vTPM/releases/
After installation they can be accessed on PVE. I had no time to configure a VM to use these.
 
Thanks for the script.

As mentioned before the only way of specifying the vTPM device right now is editing the qm config file and adding the specific command line arguments to qemu there, right?
 
@Stefan_R I can open a feature request as you said. But I think they are probably two in one. One would be managing vTPM devices within the web UI, the other one would be being able to assign those vTPM devices to specific VMs.
 
If you have a specific use case for this feature, you can of course always open a feature request (a good idea is to also mention *why* you need it). I think one would be enough to cover both issues you mention though, as they'd have to be implemented together to make sense anyway.
 
Just found this thread today because I would like to create a Windows Endpoint Management Lab that also needs a TPM chip. I installed the two software packages. But now I struggle with the implementation on the VM. Can someone point me in the right direction as to what exactly I have to configure?
 
Adding to the pile here. We have 5 instances of Windows Server 2019 running on our 6-node Proxmox cluster at work here and would like the ability to demonstrate protection of data at rest in these VMs with BitLocker to meet information security requirements, as well as have the option to upgrade to the next major Windows Server version that will likely require TPM 2.0 hardware functionality to run.
 
We are still working on native vTPM support for PVE, but keep in mind that this will use emulated TPM devices, which means true "protection of data at rest" will not be given - the keys for BitLocker will be stored in a file on the host. And AFAIK a physical TPM can only store one OS's data, so a "pass-through" solution would also be impractical.

It will however allow Windows versions requiring it to boot. For encryption at rest, something like full disk encryption (e.g. LUKS) would be needed, which can then be applied on the host level (and thus includes any local VM data).
 
I'm also watching for any developments regarding this feature.

I run Windows 10 machines for tests, auto-deployment, Intune management, etc. and also some Windows Servers. TPM becomes more and more required and is also a necessity to get BitLocker to work properly without having to manually set passwords, keys, etc. This is especially true when you initially start the BitLocker-encrypted VM. Without a TPM, you have to manually enter a password, which is not required when you have a TPM. This vTPM should in theory fix this, especially if it is a virtual TPM rather than a passthrough of the host's TPM, since some hardware I have does not have a TPM chip, or I disabled it, but I would still want to emulate it for the VMs.

I'm glad to know Proxmox devs are working on this, it will be a very nice update and will make things much better for me.
 