From: Stefan Reiter <s.reiter@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH docs 2/2] qm: add section about TPM
Date: Wed,  6 Oct 2021 17:52:11 +0200	[thread overview]
Message-ID: <20211006155211.992254-2-s.reiter@proxmox.com> (raw)
In-Reply-To: <20211006155211.992254-1-s.reiter@proxmox.com>

Signed-off-by: Stefan Reiter <s.reiter@proxmox.com>
---
 qm.adoc | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/qm.adoc b/qm.adoc
index 93576c7..b9f4269 100644
--- a/qm.adoc
+++ b/qm.adoc
@@ -775,6 +775,36 @@ you need to set the client resolution in the OVMF menu (which you can reach
 with a press of the ESC button during boot), or you have to choose
 SPICE as the display type.
 
+[[qm_tpm]]
+Trusted Platform Module (TPM)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+A *Trusted Platform Module* is a device which stores secret data - such as
+encryption keys - securely and provides tamper-resistance functions for
+validating system boot.
+
+Certain operating systems (e.g. Windows 11) require such a device to be attached
+to a machine (be it physical or virtual).
+
+A TPM is added by specifying a *tpmstate* volume. This works similar to an
+efidisk, in that it cannot be changed (only removed) once created. You can add
+one via the following command:
+
+ qm set <vmid> -tpmstate0 <storage>:1,version=<version>
+
+Where *<storage>* is the storage you want to put the state on, and *<version>*
+is either 'v1.2' or 'v2.0'. You can also add one via the web interface, by
+choosing 'Add' -> 'TPM State' in the hardware section of a VM.
+
+The 'v2.0' TPM spec is newer and better supported, so unless you have a specific
+implementation that requires a 'v1.2' TPM, it should be preferred.
+
+NOTE: Compared to a physical TPM, an emulated one does *not* provide any real
+security benefits. The point of a TPM is that the data on it cannot be modified
+easily, except via commands specified as part of the TPM spec. Since with an
+emulated device the data storage happens on a regular volume, it can potentially
+be edited by anyone with access to it.
+
 [[qm_ivshmem]]
 Inter-VM shared memory
 ~~~~~~~~~~~~~~~~~~~~~~
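Review bot: The NOTE at the end of the new section should say who "anyone with access to it" is. The guest only reaches the emulated TPM through TPM commands, so the gap compared to a physical TPM is anyone who can read or write the tpmstate volume from the host or storage side (host administrators, anyone holding a copy of that volume); anything the guest seals into the TPM, disk-encryption keys included, has to be assumed readable by them, and the sentence "it can potentially be edited by anyone with access to it" should spell that out. Two wording points in the same hunk: "provides tamper-resistance functions for validating system boot" reads better as "provides tamper-resistant functions for validating system boot", and "This works similar to an efidisk" should be "This works similarly to an efidisk". In the example `qm set <vmid> -tpmstate0 <storage>:1,version=<version>` the `<storage>` and `<version>` placeholders are explained but the `:1` is not; state what it denotes, or refer to the efidisk section if it follows the same convention, so readers do not take it for a value they must look up elsewhere.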
-- 
2.30.2

Thread overview:
2021-10-06 15:52 [pve-devel] [PATCH docs 1/2] qm: add note about secure boot and new efidisk behaviour Stefan Reiter
2021-10-06 15:52 ` Stefan Reiter [this message]
2021-10-07 12:36   ` [pve-devel] applied: [PATCH docs 2/2] qm: add section about TPM Thomas Lamprecht
2021-10-07 12:36 ` [pve-devel] applied: [PATCH docs 1/2] qm: add note about secure boot and new efidisk behaviour Thomas Lamprecht
