What is TPM?
TPM is an industry-wide standard for secure cryptoprocessors. Since vSphere 6.7 VMware has supported TPM v2.0
A Trusted Platform Module (TPM) is a specialized microcontroller designed to secure hardware through integrated cryptographic keys. It is embedded either on a computer’s motherboard or within its processor. TPM technology provides a hardware-level security solution that protects sensitive data from malware and sophisticated cyberattacks.
TPM attests to the identity of a host. Host attestation is the process of authenticating and attesting to the state of the software on a host at a given time. UEFI secure boot, which ensures that only signed software is loaded at boot time, is a requirement for successful attestation. The TPM chip records and securely stores measurements of the software modules booted in the system, which vCenter remotely verifies.
The high-level steps of the remote attestation process are:
- Establish the remote TPM’s trustworthiness and create an Attestation Key (AK) for it. When a host is added to, rebooted from, or reconnected to vCenter, vCenter requests an AK from the host. Part of the AK creation process also involves verifying the TPM hardware itself to ensure that it was produced by a known (and trusted) vendor.
- Retrieve the Attestation Report from the host.
vCenter requests that the host send an Attestation Report containing a quote for Platform Configuration Registers (PCRs) signed by the TPM and other signed host binary metadata. By checking that the information corresponds to a trusted configuration, vCenter identifies the platform on a previously untrusted host. - Verify the host’s authenticity.
vCenter verifies the authenticity of the signed quote, infers the software versions, and determines their trustworthiness. If vCenter determines that the signed quote is invalid, remote attestation fails, and the host cannot be trusted.
How do I turn on TPM?
First, TPM has to be enabled on the server hardware. You must reboot the server, enter the BIOS, and enable the feature if it isn’t already enabled.
Ensure Prerequisites:
– Verify that your vSphere environment is configured with a key provider. This could be a vSphere Native Key Provider or an external Key Management Server (KMS).
– Verify that your vCenter is configured with a key Provider
– vSphere 7.0 Update 2 and later for Linux VM support; Windows has been supported since version 6.7
– Ensure the virtual machine uses EFI firmware.
– Hardware version 14 or later
Edit VM Settings:
– Right-click the virtual machine you wish to modify and select “Edit Settings.”
Add vTPM:
– In the Edit Settings dialog box, click “Add New Device.”
– Select “Trusted Platform Module” from the list of available devices and click “Finish.”
Verify:
– After adding the vTPM, the virtual machine’s Summary tab should include the Virtual Trusted Platform Module in the VM Hardware pane.
Virtual Machine vTPM
You can add a vTPM to both new and existing virtual machines. It relies on virtual machine encryption to protect critical TPM data, requiring the configuration of a key provider. When setting up a vTPM, the virtual machine files are encrypted, but the disks are not.
When backing up a virtual machine with a vTPM, including all virtual machine data, specifically the *.nvram file is crucial. Failure to include this file in the backup will prevent restoring a virtual machine with a vTPM. In addition, since the VM home files of a vTPM-enabled virtual machine are encrypted, it is essential to ensure that the encryption keys are accessible during restoration.
In vSphere 8.0 and later versions, cloning a virtual machine with a vTPM and choosing the Replace option results in a new, blank vTPM, which has its own secrets and identity. Replacing the secrets of a vTPM involves replacing all keys, including those related to workloads. As a best practice, ensure that your workloads no longer utilize a vTPM before replacing the keys; otherwise, the workloads in the cloned virtual machine may not function properly.
Conclusion
Newever Windows operating systems like Windows 11 and Windows Server 2025 use TPM 2.0 to function. This requires VMware admins to configure and set up an infrastructure to support it.
