Using virtual Trusted Platform Module devices

Add a virtual Trusted Platform Module (vTPM) device to a new or existing virtual machine by editing the VirtualMachine (VM) or VirtualMachineInstance (VMI) manifest.

About vTPM devices

A virtual Trusted Platform Module (vTPM) device functions like a physical Trusted Platform Module (TPM) hardware chip.

You can use a vTPM device with any operating system, but Windows 11 requires the presence of a TPM chip to install or boot. A vTPM device allows VMs created from a Windows 11 image to function without a physical TPM chip.

If you do not enable vTPM, then the VM does not recognize a TPM device, even if the node has one.

A vTPM device also protects virtual machines by storing secrets without physical hardware. OKD Virtualization supports persisting vTPM device state by using Persistent Volume Claims (PVCs) for VMs. You must specify the storage class to be used by the PVC by setting the vmStateStorageClass attribute in the HyperConverged custom resource (CR):

  1. kind: HyperConverged
  2. metadata:
  3. name: kubevirt-hyperconverged
  4. spec:
  5. vmStateStorageClass: <storage_class_name>
  6. # ...

The storage class must be of type Filesystem and support the ReadWriteMany (RWX) access mode.

Adding a vTPM device to a virtual machine

Adding a virtual Trusted Platform Module (vTPM) device to a virtual machine (VM) allows you to run a VM created from a Windows 11 image without a physical TPM device. A vTPM device also stores secrets for that VM.

Prerequisites

  • You have installed the OpenShift CLI (oc).

  • You have configured a Persistent Volume Claim (PVC) to use a storage class of type Filesystem that supports the ReadWriteMany (RWX) access mode. This is necessary for the vTPM device data to persist across VM reboots.

Procedure

  1. Run the following command to update the VM configuration:

    1. $ oc edit vm <vm_name>
  2. Edit the VM specification to add the vTPM device. For example:

    1. apiVersion: kubevirt.io/v1
    2. kind: VirtualMachine
    3. metadata:
    4. name: example-vm
    5. spec:
    6. template:
    7. spec:
    8. domain:
    9. devices:
    10. tpm: (1)
    11. persistent: true (2)
    12. # ...
    1Adds the vTPM device to the VM.
    2Specifies that the vTPM device state persists after the VM is shut down. The default value is false.
  3. To apply your changes, save and exit the editor.

  4. Optional: If you edited a running virtual machine, you must restart it for the changes to take effect.