#######################################
Emulated Trusted Platform Module (vTPM)
#######################################

Atmosphere ships with the vTPM features enabled by default, so you only need to
verify that it is set up (optional) and then configure either a flavor or an
image to use it.

Verify the configuration (optional)
===================================

You can verify that vTPM support is activated by inspecting the traits on the
compute node's resource provider:

.. code-block:: console

   $ COMPUTE_UUID=$(openstack resource provider list --name $HOST -f value -c uuid)
   $ openstack resource provider trait list $COMPUTE_UUID | grep SECURITY_TPM
   | COMPUTE_SECURITY_TPM_1_2 |
   | COMPUTE_SECURITY_TPM_2_0 |

In the example above, ``$HOST`` is the hostname of the compute node where you
want to verify that vTPM support is enabled.

Configuring vTPM
================

The vTPM can be configured using flavor extra specs (which requires an operator)
or through image metadata properties, which can be set by the user. Two
versions are supported:

- 1.2
- 2.0

In addition, two models are supported:

- TPM Interface Specification (TIS)
- Command-Response Buffer (CRB)

.. note::

   The CRB model is only supported with version 2.0, which is also the
   recommended option.

Flavor configuration
--------------------

You can use the ``hw:tpm_version`` and ``hw:tpm_model`` properties to configure
the vTPM on a flavor. For example, to configure a flavor to use TPM 2.0 with
the CRB model:

.. code-block:: console

   $ openstack flavor create test.vtpm \
       --ram 512 --disk 1 --vcpus 1 \
       --property hw:tpm_version=2.0 \
       --property hw:tpm_model=tpm-crb

Image configuration
-------------------

You can also configure the vTPM on an image using the ``hw_tpm_version`` and
``hw_tpm_model`` image metadata properties. For example, to configure an image
to use TPM 2.0 with the CRB model:

.. code-block:: console

   $ openstack image set <image-name-or-uuid> \
       --property hw_tpm_version=2.0 \
       --property hw_tpm_model=tpm-crb

This is useful if you need to enable the vTPM feature without having operator
access to the cloud, or for specific images, such as Windows versions that
require a TPM to be present.
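As an added example (not part of the Atmosphere documentation), the POSIX shell function below combines the trait check from the verification section with the version/model rules above: given the version and model you intend to put in ``hw:tpm_version``/``hw:tpm_model`` (or the ``hw_tpm_*`` image properties) and the compute node's trait listing, it reports whether the node can honour the request before you touch a flavor or image. The trait listing is a constructed sample, and the TIS model is assumed to use the property value ``tpm-tis``.

```shell
#!/bin/sh
# Constructed sample of `openstack resource provider trait list ... | grep SECURITY_TPM`
# output for one compute node (not captured from a real cloud).
SAMPLE_TRAITS='| COMPUTE_SECURITY_TPM_1_2 |
| COMPUTE_SECURITY_TPM_2_0 |'

# vtpm_supported VERSION MODEL TRAITS
#   VERSION: 1.2 or 2.0 (the value for hw:tpm_version / hw_tpm_version)
#   MODEL:   tpm-tis or tpm-crb (the value for hw:tpm_model / hw_tpm_model);
#            tpm-tis is assumed to be the TIS model's property value
#   TRAITS:  trait listing text for the compute node
# Prints "ok" and returns 0 when the node advertises the requested version and
# the version/model pair is valid (CRB is only available with 2.0); otherwise
# prints the reason and returns 1.
vtpm_supported() {
    version="$1"
    model="$2"
    traits="$3"
    case "$version" in
        1.2) trait=COMPUTE_SECURITY_TPM_1_2 ;;
        2.0) trait=COMPUTE_SECURITY_TPM_2_0 ;;
        *)   echo "unsupported TPM version: $version"; return 1 ;;
    esac
    case "$model" in
        tpm-tis) ;;
        tpm-crb)
            if [ "$version" != "2.0" ]; then
                echo "tpm-crb requires TPM version 2.0"
                return 1
            fi
            ;;
        *) echo "unsupported TPM model: $model"; return 1 ;;
    esac
    # The trait must be present on the resource provider, or the scheduler
    # will not place the instance on this node.
    if ! printf '%s\n' "$traits" | grep -q -F "$trait"; then
        echo "compute node does not advertise $trait"
        return 1
    fi
    echo ok
}

# Check the recommended combination against the constructed listing.
vtpm_supported 2.0 tpm-crb "$SAMPLE_TRAITS"
```

To check a live node, replace ``$SAMPLE_TRAITS`` with the output of the ``openstack resource provider trait list`` command from the verification section.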

Create an instance with vTPM
============================

Once you've configured the vTPM, you can create an instance using the flavor or
image you configured. For example, to create an instance using the flavor we
created previously:

.. code-block:: console

   $ openstack server create --flavor test.vtpm test-instance

Or using an image:

.. code-block:: console

   $ openstack server create --image <image-name-or-uuid> test-instance

The instance should now have the vTPM device available.