This is a draft document that was built and uploaded automatically. It may document beta software and be incomplete or even incorrect. Use this document at your own risk.

Jump to contentJump to page navigation: previous page [access key p]/next page [access key n]
Virtualization Guide › Hypervisor-independent features › Software TPM emulator
ContentsContents
Virtualization Guide
  1. Preface
  2. I Introduction
    1. 1 Virtualization technology
    2. 2 Virtualization scenarios
    3. 3 Introduction to Xen virtualization
    4. 4 Introduction to KVM virtualization
    5. 5 Virtualization tools
    6. 6 Installation of virtualization components
  3. II Managing virtual machines with libvirt
    1. 7 libvirt daemons
    2. 8 Preparing the VM Host Server
    3. 9 Guest installation
    4. 10 Basic VM Guest management
    5. 11 Connecting and authorizing
    6. 12 Advanced storage topics
    7. 13 Configuring virtual machines with Virtual Machine Manager
    8. 14 Configuring virtual machines with virsh
    9. 15 Enhancing virtual machine security with AMD SEV-SNP
    10. 16 Migrating VM Guests
    11. 17 Xen to KVM migration guide
  4. III Hypervisor-independent features
    1. 18 Disk cache modes
    2. 19 VM Guest clock settings
    3. 20 libguestfs
    4. 21 QEMU guest agent
    5. 22 Software TPM emulator
    6. 23 Creating crash dumps of a VM Guest
  5. IV Managing virtual machines with Xen
    1. 24 Setting up a virtual machine host
    2. 25 Virtual networking
    3. 26 Managing a virtualization environment
    4. 27 Block devices in Xen
    5. 28 Virtualization: configuration options and settings
    6. 29 Administrative tasks
    7. 30 XenStore: configuration database shared between domains
    8. 31 Xen as a high-availability virtualization host
    9. 32 Xen: converting a paravirtual (PV) guest into a fully virtual (FV/HVM) guest
  6. V Managing virtual machines with QEMU
    1. 33 QEMU overview
    2. 34 Setting up a KVM VM Host Server
    3. 35 Guest installation
    4. 36 Running virtual machines with qemu-system-ARCH
    5. 37 Virtual machine administration using QEMU monitor
  7. VI Troubleshooting
    1. 38 Integrated help and package documentation
    2. 39 Gathering system information and logs
  8. Glossary
  9. A Configuring GPU Pass-Through for NVIDIA cards
  10. B GNU licenses
Navigation
Virtualization Guide › Hypervisor-independent features › Software TPM emulator
Top
Applies to openSUSE Leap 15.7

22 Software TPM emulator Edit source

  • File Name: vt_qemu_tpm.xml
  • ID: tpm
Revision History
2024-06-27
22.1 Introduction
22.2 Prerequisites
22.3 Installation
22.4 Using swtpm with QEMU
22.5 Using swtpm with libvirt
22.6 TPM measurement with OVMF firmware
22.7 Resources

22.1 Introduction Edit source

  • File Name: vt_qemu_tpm.xml
  • ID: tpm-introduction

The Trusted Platform Module (TPM) is a cryptoprocessor that secures hardware using cryptographic keys. For developers who use the TPM to develop security features, a software TPM emulator is a convenient solution. Compared to a hardware TPM device, the emulator has no limit on the number of guests that can access it. Also, it is simple to switch between TPM versions 1.2 and 2.0. QEMU supports the software TPM emulator that is included in the swtpm package.

22.2 Prerequisites Edit source

  • File Name: vt_qemu_tpm.xml
  • ID: tpm-prerequisite

Before you can install and use the software TPM emulator, you need to install the libvirt virtualization environment. Refer to Section 6.2, “Installing virtualization components” and install one of the provided virtualization solutions.

22.3 Installation Edit source

  • File Name: vt_qemu_tpm.xml
  • ID: tpm-installation

To use the software TPM emulator, install the swtpm package: 

> sudo zypper install swtpm

22.4 Using swtpm with QEMU Edit source

  • File Name: vt_qemu_tpm.xml
  • ID: tpm-qemu

swtpm provides three types of interface: socket, chardev, and cuse. This procedure focuses on the socket interface.

  1. Create a directory mytpm0 inside the VM directory to store the TPM states—for example, /var/lib/libvirt/qemu/sle15sp3: 

    > sudo mkdir /var/lib/libvirt/qemu/sle15sp3/mytpm0

  2. Start swtmp. It creates a socket file that QEMU can use—for example, /var/lib/libvirt/qemu/sle15sp3: 

     > sudo swtpm socket
  --tpmstate dir=/var/lib/libvirt/qemu/sle15sp3/mytpm0 \
  --ctrl type=unixio,path=/var/lib/libvirt/qemu/sle15sp3/mytpm0/swtpm-sock \
  --log level=20
    Tip
    Tip: TPM version 2.0

    By default, swtpm starts a TPM version 1.2 emulator and stores its states in the tpm-00.permall directory. To create a TPM 2.0 instance, run: 

     > sudo swtpm socket
  --tpm2
  --tpmstate dir=/var/lib/libvirt/qemu/sle15sp3/mytpm0 \
  --ctrl type=unixio,path=/var/lib/libvirt/qemu/sle15sp3/mytpm0/swtpm-sock \
  --log level=20

    TPM 2.0 states are stored in the tpm2-00.permall directory.

  3. Add the following command line parameters to the qemu-system-ARCH command: 

    > qemu-system-x86_64 \
[...]
-chardev socket,id=chrtpm,path=/var/lib/libvirt/qemu/sle15sp3/mytpm0/swtpm-sock \
-tpmdev emulator,id=tpm0,chardev=chrtpm \
-device tpm-tis,tpmdev=tpm0

  4. Verify that the TPM device is available in the guest by running the following command: 

    > tpm_version
TPM 1.2 Version Info:
Chip Version:        1.2.18.158
Spec Level:          2
Errata Revision:     3
TPM Vendor ID:       IBM
TPM Version:         01010000
Manufacturer Info:   49424d00

22.5 Using swtpm with libvirt Edit source

  • File Name: vt_qemu_tpm.xml
  • ID: tpm-libvirt

To use swtpm with libvirt, add the following TPM device to the guest XML specification: 

<devices>
 <tpm model='tpm-tis'>
  <backend type='emulator' version='2.0'/>
 </tpm>
</devices>

libvirt starts swtpm for the guest automatically. You do not need to start it manually in advance. The corresponding permall file is created in /var/lib/libvirt/swtpm/VM_UUID.

22.6 TPM measurement with OVMF firmware Edit source

  • File Name: vt_qemu_tpm.xml
  • ID: tpm-ovmf

If the guest uses the Open Virtual Machine Firmware (OVMF), it measures components with TPM. You can find the event log in /sys/kernel/security/tpm0/binary_bios_measurements.

22.7 Resources Edit source

  • File Name: vt_qemu_tpm.xml
  • ID: qemu-tpm-resources
Chapter 23 Creating crash dumps of a VM GuestChapter 21 QEMU guest agent
Print this page

© 2025 SUSE