VMware Cloud Provider

Deep Dive into Virtual Trusted Platform Module (vTPM) in VCD

Secure your Cloud Data further (Cloud Sovereignty)

VMware Cloud Director has released an update that raises the security bar for your virtual machines: Trusted Platform Module (TPM) devices can now be attached to VMs. You can add a TPM device to any new or existing VM as long as the guest OS and the underlying vCenter Server infrastructure meet the prerequisites listed below, and most VCD workflows for virtual machines, vApps and vApp templates now support TPM.

What is a Trusted Platform Module?

A Trusted Platform Module (TPM) is a dedicated security chip built into a computer’s hardware that generates and stores cryptographic keys in tamper-resistant storage and records measurements of the boot process. Operating systems and applications use it to verify platform integrity, to protect keys (for example disk-encryption keys) so that they are released only to an unmodified system, and to attest the platform’s state to a remote party, which helps defend against firmware tampering and some ransomware.

What is a Virtual Trusted Platform Module?

A virtual Trusted Platform Module (vTPM) is a software-backed emulation of a physical TPM 2.0 chip that attaches to a virtual machine like any other virtual device. Keys created inside the vTPM are never exposed to the guest operating system, so a compromised guest cannot simply read them out; they are used only for encryption and signing. The vTPM’s own state (its keys and NV storage) is kept in the VM’s home files, which is why those files must be encrypted before a vTPM can be added.

Pre-requisites (for VCD Workflow within same vCenter Server)

To use a vTPM on a virtual machine in VMware Cloud Director 10.4.2, the following requirements must be met:

  1. A Key Management System (KMS) key provider configured on the vCenter Server, with a default key provider set.
  2. The virtual machine must use EFI boot firmware and virtual hardware version 14 (vmx-14) or later.
  3. Virtual machine encryption must be available, because the VM home files (where the vTPM state lives) are encrypted.
  4. The guest OS must be Linux, Windows Server 2008 or later, or Windows 7 or later.
  5. vCenter Server 6.7 or later for Windows VMs and vCenter Server 7.0 Update 2 or later for Linux VMs.
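As an added example (it is not code from the original post or from VMware), the following PowerCLI script checks the prerequisites above for one VM from the vSphere side: virtual hardware version, boot firmware, whether the VM home files are encrypted, whether the vCenter Server has a default key provider, and whether a vTPM is already attached. It assumes an existing Connect-VIServer session and PowerCLI 12 or later; the VM name TestVm is a placeholder, and the property names come from the vSphere API (vim.vm.ConfigInfo and CryptoManagerKmip.ListKmipServers).

```powershell
# Added example: vTPM pre-flight check for one VM. Assumes an active
# Connect-VIServer session; 'TestVm' is a hypothetical VM name.
param([string]$VmName = 'TestVm')

function Test-VtpmPrereq {
    param([Parameter(Mandatory)][string]$Name)

    $vm  = Get-VM -Name $Name -ErrorAction Stop
    $cfg = $vm.ExtensionData.Config          # vim.vm.ConfigInfo

    # 1. Virtual hardware version must be vmx-14 or later
    $hwVersion = [int]($cfg.Version -replace '^vmx-', '')
    $hwOk = $hwVersion -ge 14

    # 2. Boot firmware must be EFI ('bios' or 'efi' in the API)
    $efiOk = $cfg.Firmware -eq 'efi'

    # 3. VM home files encrypted: an encrypted VM carries a KeyId in its config
    $encOk = $null -ne $cfg.KeyId

    # 4. A default key provider (KMS) must be registered on this vCenter Server
    $cryptoMgr = Get-View -Id $global:DefaultVIServer.ExtensionData.Content.CryptoManager
    $providers = @($cryptoMgr.ListKmipServers($null))
    $default   = $providers | Where-Object { $_.UseAsDefault }
    $kmsOk     = $null -ne $default

    # 5. A vTPM is a VirtualTPM device in the VM's hardware list (one per VM)
    $tpm = $cfg.Hardware.Device | Where-Object { $_ -is [VMware.Vim.VirtualTPM] }

    [pscustomobject]@{
        VM              = $vm.Name
        HardwareVersion = $cfg.Version
        HardwareOk      = $hwOk
        Firmware        = $cfg.Firmware
        EfiOk           = $efiOk
        Encrypted       = $encOk
        KeyProviderOfVm = $cfg.KeyId.ProviderId.Id
        DefaultProvider = $default.ClusterId.Id
        KmsOk           = $kmsOk
        VtpmPresent     = [bool]$tpm
        ReadyForVtpm    = $hwOk -and $efiOk -and $encOk -and $kmsOk
    }
}

Test-VtpmPrereq -Name $VmName | Format-List
```

ReadyForVtpm is true only when all four infrastructure checks pass; guest OS support (item 4 above) still has to be verified inside the guest, since the vSphere side only records the configured guest ID.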

Know them before you proceed

KMS-vCenter -> VCD-VDC information

With 10.4.2, VMware Cloud Director detects whether a KMS is connected to and configured on the vCenter Server integrated with VCD. Whenever a VCD workflow involving a VM or vApp runs, the VDC capabilities are updated automatically, and VCD uses them to decide whether a vTPM device can be created. In other words, the VDC backing the virtual machine must itself report vTPM support.

vTPM COPY and REPLACE Options

It is important to understand the options presented during a VCD workflow when a vTPM device is attached to a VM, vApp, or vApp template:

  1. Copy: make an identical copy of the TPM device. The target VM keeps the source VM’s TPM secrets, so it has the same TPM identity and keys sealed to that TPM remain usable.
  2. Replace: create a new TPM device for the VM. The target VM gets a fresh TPM with new secrets and therefore a distinct identity; guest features keyed to the old TPM (for example disk encryption with a TPM protector) must be re-enrolled or recovered.

From a security standpoint, Copy should be avoided when the copies will run side by side: two VMs with identical TPM secrets cannot be told apart by TPM-based attestation.
Example: the Copy and Replace options as presented when performing a VCD workflow on a VM.
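To see the difference between Copy and Replace from inside the guest, the following script, added here as an example and not taken from the original post, records the identity of the TPM a Windows guest sees (the hash of its endorsement key) so that two VMs can be compared: the same fingerprint on two VMs means they share a copied vTPM, while a VM provisioned with Replace reports a new one. It assumes an elevated PowerShell session on Windows 10 / Server 2016 or later, where the Get-Tpm, Get-TpmEndorsementKeyInfo and Confirm-SecureBootUEFI cmdlets exist; the CSV file name is an assumption.

```powershell
# Added example: fingerprint the TPM exposed to a Windows guest so that
# vTPMs provisioned with Copy (same identity) and Replace (new identity)
# can be told apart. Run elevated inside the guest.
function Get-VtpmIdentity {
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) {
        throw 'No TPM is exposed to this guest; check Security Devices on the VM in VCD.'
    }

    # The endorsement key is burned into the (virtual) TPM at creation; its hash
    # is the stable identity of this TPM. Copy keeps it, Replace generates a new one.
    $ek = Get-TpmEndorsementKeyInfo -HashAlgorithm Sha256

    # Confirm-SecureBootUEFI throws on a BIOS (non-EFI) VM, which itself means
    # the vTPM prerequisites are not met.
    try   { $secureBoot = Confirm-SecureBootUEFI }
    catch { $secureBoot = 'not UEFI' }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        TpmReady      = $tpm.TpmReady
        Manufacturer  = $tpm.ManufacturerIdTxt   # manufacturer string reported by the TPM
        Version       = $tpm.ManufacturerVersion
        SecureBoot    = $secureBoot
        EkPresent     = $ek.IsPresent
        EkFingerprint = $ek.PublicKeyHash        # SHA-256 of the EK public key
    }
}

# Compare two identity records, e.g. one exported from the source VM and one
# from a VM created from it. True means the VMs share a copied vTPM.
function Test-SharedVtpm {
    param([Parameter(Mandatory)]$Source, [Parameter(Mandatory)]$Clone)
    return ($Source.EkFingerprint -eq $Clone.EkFingerprint)
}

# Record this guest's identity; collect the CSVs and feed them to Test-SharedVtpm.
Get-VtpmIdentity | Export-Csv -Path "$env:COMPUTERNAME-vtpm.csv" -NoTypeInformation
```

Collect one CSV per VM, import both with Import-Csv and pass them to Test-SharedVtpm; a True result for two VMs that are meant to be distinct machines is the sign that Copy was used where Replace would have been appropriate.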

vCenter 7 vs vCenter 8

There are differences in workflow in vCenter Server 7 and vCenter Server 8. Hence the options presented during a VCD workflow on a VM or a vApp might differ.

Which KMS does VCD use?

vCenter Server can have multiple KMS servers (key providers) configured. VCD uses the one set as the default at the vCenter Server or cluster level backing the VDC.

General

  • One VM can have only one vTPM device.
  • The TPM option appears under the Security Devices section of the VM Create and Edit workflows only when both the guest OS and the boot firmware support TPM; otherwise it is not shown.

VCD Workflows Supporting vTPM

Based on the VCD Workflow performed and the type of object, the Copy or Replace option will appear accordingly.

Virtual Machine Workflows

Workflow: what can be done?

Create New VM
– Attach a new TPM device.

Create New VM from a Template
– If the VM template was captured with the instruction to Replace the TPM device, a new TPM device is created when a VM is created from the template.
– If the VM template was captured with the instruction to Copy the TPM device, a VM created from the template receives an exact duplicate of the template’s TPM device.

Edit / Reconfigure VM
– To detach a TPM device from a VM, power the VM off and make sure it has no snapshots. Removing the TPM device triggers a warning, as shown in the “Detach TPM Device” image.

Copy VM
– When the destination vApp is backed by vCenter Server 7.x, only the Copy option is available and it is the default.
– When the destination vApp is backed by vCenter Server 8.x, both the Copy and Replace options are presented.

Move VM
– The TPM device cannot be replaced, regardless of the vCenter Server version; after a Move, the VM keeps the same TPM device.

Import a VM from vCenter Server as a VM (Move or Clone)
– Copy is the default selection, regardless of the version of the vCenter Server from which the VM is imported.

A new view labeled “Security Devices” is added under the Hardware section, specifically for TPM devices. This section indicates whether a VM has a TPM device (Present) or does not have one (Not Present).

The image shows the new view for TPM devices under the VM settings
Detach TPM Device

vApp Workflows

The Copy or Replace option applies to all VMs within the vApp. Each VM’s TPM status is displayed as “Present” if it has a TPM device and “Not Present” if it does not.

Workflow: what can be done?

vApp creation from VM template
– Same as Create New VM from a Template.

vApp creation using OVF package
– A new TPM device is attached to each VM.

Add a new VM to a vApp
– Same as Create New VM.

Add a VM from a template to a vApp
– Same as Create New VM from a Template.

Copy vApp
– Same as Copy VM.

Move vApp
– Same as Move VM.

Import a vApp from vCenter Server as a vApp (Move or Clone)
– Copy is the default selection, regardless of the version of the vCenter Server from which the vApp is imported.

vApp Template Workflow

Workflow: what can be done?

Create vApp Template (Add to Catalog)
– Both the Copy and Replace options are presented, and the chosen option applies when a vApp is instantiated from the template.

Copy vApp Template
– Follows the selection made at “Create vApp Template” time.
– If the vApp template was captured with the Copy option, TPM Provisioning is also set to Copy when the template is copied to another catalog.
– If the vApp template was captured with the Replace option, TPM Provisioning is also set to Replace when the template is copied to another catalog.

Move vApp Template
– Same as Move VM or Move vApp.

Download / Export vApp Template
– This workflow is restricted when any VM within the vApp template has a TPM device attached.
– The download fails if the Copy TPM Provisioning option was selected when the vApp template was captured. This is a vCenter Server restriction: such a template is encrypted and its key is stored with it, and vCenter Server does not allow OVF export of encrypted templates.
– The download succeeds if the Replace TPM Provisioning option was selected when the vApp template was captured.

The vApp Template view now includes a new column titled “TPM Provisioning”, which indicates whether the vApp Template was captured using the TPM Copy or Replace option.

vApp Template page showing the new column for TPM Provisioning (needs to be enabled manually).

Cross vCenter Server Operations with TPM Device attached

Pre-requisite

  1. The key provider (KMS) used to encrypt each VM must be registered on the target vCenter Server instance under the same name.
  2. The VM and the target vCenter Server instance must be on the same shared storage; alternatively, fast cross vCenter Server vApp instantiation must be activated.
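The first prerequisite is easy to get wrong, because the key provider name is an identifier chosen at registration time on each vCenter Server. The following PowerCLI script, added here as an example and not part of the original post, reads the key provider ID that encrypts a source VM and checks that the target vCenter Server has a provider registered under the same ID. It assumes PowerCLI 12 or later; the server names vc-src.example.com and vc-dst.example.com and the VM name TestVm are placeholders. It does not check the shared storage prerequisite.

```powershell
# Added example: verify that the key provider encrypting a VM on the source
# vCenter Server is registered under the same name on the target.
# Hypothetical names: vc-src.example.com, vc-dst.example.com, TestVm.

# PowerCLI needs Multiple mode to hold two vCenter connections at once
Set-PowerCLIConfiguration -DefaultVIServerMode Multiple -Scope Session -Confirm:$false | Out-Null

function Get-KeyProviderIds {
    param([Parameter(Mandatory)]$Server)
    $cm = Get-View -Server $Server -Id $Server.ExtensionData.Content.CryptoManager
    @($cm.ListKmipServers($null)) | ForEach-Object { $_.ClusterId.Id }
}

function Test-CrossVcKeyProvider {
    param(
        [Parameter(Mandatory)][string]$VmName,
        [Parameter(Mandatory)]$SourceServer,
        [Parameter(Mandatory)]$TargetServer
    )
    $vm = Get-VM -Server $SourceServer -Name $VmName -ErrorAction Stop

    # An encrypted VM records the key provider that wraps its keys in Config.KeyId
    $providerId = $vm.ExtensionData.Config.KeyId.ProviderId.Id
    if (-not $providerId) {
        throw "$VmName is not encrypted; a VM with a vTPM must be."
    }

    $targetIds = Get-KeyProviderIds -Server $TargetServer
    [pscustomobject]@{
        VM              = $VmName
        SourceProvider  = $providerId
        TargetProviders = ($targetIds -join ', ')
        ProviderMatched = ($targetIds -contains $providerId)
    }
}

$src = Connect-VIServer -Server 'vc-src.example.com'
$dst = Connect-VIServer -Server 'vc-dst.example.com'
Test-CrossVcKeyProvider -VmName 'TestVm' -SourceServer $src -TargetServer $dst
```

ProviderMatched false is the condition behind the “Cannot move or clone VM … The operation is not available at the destination” error shown further down; fix it by registering the provider on the target under the same name rather than by re-encrypting the VM.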

Operations allowed across vCenter Server

The prerequisites above must be met before performing the following operations on VMs with a TPM device across vCenter Server instances:

  1. Copy or move a VM
  2. Copy or move a vApp
  3. Instantiate a vApp template captured with the Copy TPM option (the TPM is copied during instantiation)
  4. Save a vApp as a vApp template to a catalog
  5. Add a standalone VM to a catalog
  6. Create a vApp template from an OVF file
  7. Import a VM from vCenter Server

Sample errors when a cross vCenter Server prerequisite is not met

When the KMS requirement is not met: Cannot move or clone VM TestVm. The operation is not available at the destination.

When the shared storage requirement is not met: Copy, move, and instantiation operations for a source VM with TPM device or a VM template captured with Copy TPM option are not allowed for the target VDC.

Catalog Sync with TPM VMs in a vApp

There is a limitation to be aware of: only vApp templates captured with the Replace TPM Provisioning option are synchronized to the subscriber side. When a template is captured with Replace, no encryption key is stored with it; VCD only keeps metadata saying that the VM inside the template has a TPM device and that a new TPM device will be attached when the template is instantiated, so the template can be exported as OVF and synced. A template captured with Copy, on the other hand, is an encrypted template whose key is stored with it, and vCenter Server does not allow OVF export of such VM or vApp templates, so it is not synced.

Note that this difference in syncing behaviour between vApp templates captured with Replace and those captured with Copy may result in a discrepancy between the number of vApp templates available on the publisher side and on the subscriber side.

This feature is applicable to Cloud Director service as well.

Please be advised that this report is intended for informational purposes only and represents our best effort to provide accurate and useful insights.