22 Software TPM emulator
22.1 Introduction
The Trusted Platform Module (TPM) is a cryptoprocessor that secures hardware using cryptographic keys. For developers who use the TPM to develop security features, a software TPM emulator is a convenient solution. Compared to a hardware TPM device, the emulator has no limit on the number of guests that can access it. Also, it is simple to switch between TPM versions 1.2 and 2.0. QEMU supports the software TPM emulator that is included in the swtpm package.
22.2 Prerequisites
   Before you can install and use the software TPM emulator, you need to
   install the libvirt virtualization environment. Refer to
   Section 6.2, “Running the yast2-vm module” and install one of the provided
   virtualization solutions.
  
22.3 Installation
To use the software TPM emulator, install the swtpm package:

   > sudo zypper install swtpm

22.4 Using swtpm with QEMU
   swtpm provides three types of interface:
   socket, chardev, and
   cuse. This procedure focuses on the
   socket interface.
  
1. Create a directory mytpm0 inside the VM directory to store the TPM states, for example /var/lib/libvirt/qemu/sle15sp3:

      > sudo mkdir /var/lib/libvirt/qemu/sle15sp3/mytpm0

2. Start swtpm. It will create a socket file that QEMU can use, for example in /var/lib/libvirt/qemu/sle15sp3:

      > sudo swtpm socket --tpmstate dir=/var/lib/libvirt/qemu/sle15sp3/mytpm0 \
          --ctrl type=unixio,path=/var/lib/libvirt/qemu/sle15sp3/mytpm0/swtpm-sock \
          --log level=20

   Tip: TPM version 2.0
   By default, swtpm starts a TPM version 1.2 emulator and stores its states in the tpm-00.permall directory. To create a TPM 2.0 instance, run:

      > sudo swtpm socket --tpm2 --tpmstate dir=/var/lib/libvirt/qemu/sle15sp3/mytpm0 \
          --ctrl type=unixio,path=/var/lib/libvirt/qemu/sle15sp3/mytpm0/swtpm-sock \
          --log level=20

   TPM 2.0 states will be stored in the tpm2-00.permall directory.

3. Add the following command line parameters to the qemu-system-ARCH command:

      > qemu-system-x86_64 \
          [...] \
          -chardev socket,id=chrtpm,path=/var/lib/libvirt/qemu/sle15sp3/mytpm0/swtpm-sock \
          -tpmdev emulator,id=tpm0,chardev=chrtpm \
          -device tpm-tis,tpmdev=tpm0

4. Verify that the TPM device is available in the guest by running the following command:

      > tpm_version
        TPM 1.2 Version Info:
        Chip Version:        1.2.18.158
        Spec Level:          2
        Errata Revision:     3
        TPM Vendor ID:       IBM
        TPM Version:         01010000
        Manufacturer Info:   49424d00
22.5 Using swtpm with libvirt
   To use swtpm with libvirt, add the following TPM device to the guest XML
   specification:
  
   <devices>
     <tpm model='tpm-tis'>
       <backend type='emulator' version='2.0'/>
     </tpm>
   </devices>
   libvirt will start swtpm for the guest automatically; you do not need to
   start it manually in advance. The corresponding permall
   file will be created in
   /var/lib/libvirt/swtpm/VM_UUID.
  
22.6 TPM measurement with OVMF firmware
   If the guest uses the Open Virtual Machine Firmware (OVMF), it will measure
   components with TPM. You can find the event log in
   /sys/kernel/security/tpm0/binary_bios_measurements.
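
   As an added example that is not part of this documentation, the following Python script parses the event log found at that path and replays the TPM_Extend operations (PCR = SHA1(PCR || digest)) to recompute the PCR values, which is how a verifier checks that the log accounts for every measurement the guest's PCRs contain. It assumes the legacy SHA-1 log layout that a TPM 1.2 instance produces (a TPM 2.0 log switches to the crypto-agile format after its first entry, which this script does not parse); the sample log it ships with is constructed, and the event type constants are the TCG PC Client values.

```python
import hashlib
import struct

# Legacy (TPM 1.2, SHA-1) entry of /sys/kernel/security/tpm0/binary_bios_measurements:
#   u32 pcrIndex, u32 eventType, u8[20] digest, u32 eventSize, u8[eventSize] event
EV_NO_ACTION = 0x03   # informational entry, never extended into a PCR
PCR_COUNT = 24
HEADER = struct.Struct("<II20sI")

def parse_legacy_log(data):
    """Return a list of (pcr, event_type, digest, event) from a SHA-1 event log."""
    entries, off = [], 0
    while off + HEADER.size <= len(data):
        pcr, etype, digest, size = HEADER.unpack_from(data, off)
        event = data[off + HEADER.size:off + HEADER.size + size]
        if len(event) != size:
            raise ValueError("truncated event at offset %d" % off)
        entries.append((pcr, etype, digest, event))
        off += HEADER.size + size
    if off != len(data):
        raise ValueError("trailing bytes at offset %d" % off)
    return entries

def replay_pcrs(entries):
    """Recompute every PCR by replaying TPM_Extend: PCR = SHA1(PCR || digest)."""
    pcrs = [bytes(20)] * PCR_COUNT
    for pcr, etype, digest, _ in entries:
        if etype == EV_NO_ACTION:
            continue
        if not 0 <= pcr < PCR_COUNT:
            raise ValueError("invalid PCR index %d" % pcr)
        pcrs[pcr] = hashlib.sha1(pcrs[pcr] + digest).digest()
    return pcrs

def make_entry(pcr, etype, event):
    """Build one legacy-format entry; used only to construct the sample log below."""
    return HEADER.pack(pcr, etype, hashlib.sha1(event).digest(), len(event)) + event

# Constructed sample log (not captured from a real guest): two measurements into
# PCR 0, one EV_NO_ACTION marker that must leave PCR 0 alone, one into PCR 7.
SAMPLE_LOG = (make_entry(0, 0x08, b"firmware-version-A")          # EV_S_CRTM_VERSION
              + make_entry(0, EV_NO_ACTION, b"StartupLocality\x00\x03")
              + make_entry(0, 0x01, b"post-code-image")           # EV_POST_CODE
              + make_entry(7, 0x80000001, b"SecureBoot\x01"))      # EV_EFI_VARIABLE_DRIVER_CONFIG

if __name__ == "__main__":
    import sys
    log = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for i, val in enumerate(replay_pcrs(parse_legacy_log(log))):
        print("PCR-%02d: %s" % (i, val.hex()))
```

   Run it with the guest's binary_bios_measurements file as the argument and compare the printed values with the PCRs the guest reports; a mismatch means the log is incomplete or has been altered since the measurements were taken.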
  
22.7 Resources
- Wikipedia offers a thorough description of the TPM at the page https://en.wikipedia.org/wiki/Trusted_Platform_Module. 
- Configuring a specific virtualization environment on SUSE Linux Enterprise Server is described in Chapter 6, Installation of virtualization components. 
- Details on the use of swtpm are on its manual page (man 8 swtpm).
- A detailed libvirt specification of TPM is at https://libvirt.org/formatdomain.html#elementsTpm
- A description of enabling UEFI firmware by using OVMF is at Section 6.4, “Installing UEFI support”.