Emulated Trusted Platform Module (vTPM)

Overview

Trusted Platform Modules can be used to enhance computer security and privacy. TPM is even required by some Operating Systems.

To support TPM devices within guest instances, OpenStack Nova integrates with software-based emulated TPM devices for QEMU and KVM guest instances. The secrets stored within the emulated devices are encrypted using Barbican secrets. The devices are then provided via the swtpm software package.

Pre-requisites

The following requirements must be met in order to enable vTPM support in the nova-compute charm:

• OpenStack Wallaby or newer

• Barbican Key Manager service must be deployed and configured

• swtpm libraries must be available for installation

If you are using an apt mirror, make sure it contains the swtpm, swtpm-tools, and libtpms0 packages.

Note

The swtpm, swtpm-tools, and libtpms libraries are available in Ubuntu 22.04 LTS (Jammy) release. It is expected that they will be backported to the Ubuntu 20.04 LTS (Focal) archives. Until this is done, the OpenStack Charms team is providing a Personal Package Archive (PPA) with the necessary packages for Focal.

Deployment

TPM support is enabled on all compute nodes by using the nova-compute charm’s enable-vtpm configuration option.

In this example, support is enabled on Focal-based nodes via a PPA. The following YAML excerpt contains the configuration:

nova-compute:
  enable-vtpm: True
  extra-repositories: ppa:openstack-charmers/swtpm

Nova will use the credentials for service discovery from Keystone in order to determine the Barbican endpoint to use.

Once vTPM support has been enabled in the compute nodes, verify that the compute nodes are registering the TPM traits within the Placement service:

COMPUTE_UUID=$(openstack resource provider list --name $HOST -f value -c uuid)
openstack resource provider trait list $COMPUTE_UUID | grep SECURITY_TPM
| COMPUTE_SECURITY_TPM_1_2 |
| COMPUTE_SECURITY_TPM_2_0 |

OpenStack configuration

TPM support is added to a VM by means of an OpenStack flavor. This will specify the TPM version and model for the vTPM device to emulate.

There are two versions to choose from (1.2 and 2.0) as well as two model types (tpm-tis and tpm-crb).

Note

The default model is ‘tpm-tis’.

The tpm-crb model is only compatible with TPM version 2.0

The following example configures an existing flavor to use TPM 2.0 with the CRB model (optionally create a new flavor):

openstack flavor set <flavor-name> \
  --property hw:tpm_version=2.0 \
  --property hw:tpm_model=tpm-crb

The image used to create a TPM-supported VM must be configured to use UEFI firmware. This is done by setting the hw_firmware_type property to uefi.

The following example configures an existing image to use UEFI (optionally import a new image):

openstack image set <image-name-or-uuid> --property hw_firmware_type=uefi

References

More information related to the usage of vTPM can be found in the upstream OpenStack documentation:

• Emulated Trusted Platform Module (Nova)

• Extra Specs (Nova)

• Secure Boot (Nova)

• Useful image properties (Glance)