This is a cache of https://docs.openshift.com/container-platform/4.17/virt/virtual_machines/virt-using-vtpm-devices.html. It is a snapshot of the page at 2024-11-24T08:36:38.320+0000.
Using virtual Trusted Platform Module devices - Virtual machines | Virtualization | OpenShift Container Platform 4.17
×

Add a virtual Trusted Platform Module (vTPM) device to a new or existing virtual machine by editing the VirtualMachine (VM) or VirtualMachineInstance (VMI) manifest.

About vTPM devices

A virtual Trusted Platform Module (vTPM) device functions like a physical Trusted Platform Module (TPM) hardware chip.

You can use a vTPM device with any operating system, but Windows 11 requires the presence of a TPM chip to install or boot. A vTPM device allows VMs created from a Windows 11 image to function without a physical TPM chip.

If you do not enable vTPM, then the VM does not recognize a TPM device, even if the node has one.

A vTPM device also protects virtual machines by storing secrets without physical hardware. OpenShift Virtualization supports persisting vTPM device state by using Persistent Volume Claims (PVCs) for VMs. You must specify the storage class to be used by the PVC by setting the vmStateStorageClass attribute in the HyperConverged custom resource (CR):

kind: HyperConverged
metadata:
  name: kubevirt-hyperconverged
spec:
  vmStateStorageClass: <storage_class_name>

# ...

The storage class must be of type Filesystem and support the ReadWriteMany (RWX) access mode.

Adding a vTPM device to a virtual machine

Adding a virtual Trusted Platform Module (vTPM) device to a virtual machine (VM) allows you to run a VM created from a Windows 11 image without a physical TPM device. A vTPM device also stores secrets for that VM.

Prerequisites
  • You have installed the OpenShift CLI (oc).

  • You have configured a Persistent Volume Claim (PVC) to use a storage class of type Filesystem that supports the ReadWriteMany (RWX) access mode. This is necessary for the vTPM device data to persist across VM reboots.

Procedure
  1. Run the following command to update the VM configuration:

    $ oc edit vm <vm_name> -n <namespace>
  2. Edit the VM specification to add the vTPM device. For example:

    apiVersion: kubevirt.io/v1
    kind: VirtualMachine
    metadata:
        name: example-vm
    spec:
      template:
        spec:
          domain:
            devices:
              tpm:  (1)
                persistent: true (2)
    # ...
    1 Adds the vTPM device to the VM.
    2 Specifies that the vTPM device state persists after the VM is shut down. The default value is false.
  3. To apply your changes, save and exit the editor.

  4. Optional: If you edited a running virtual machine, you must restart it for the changes to take effect.