Virtual TPM support?

Hi all,

libvirt/qemu provide support for virtual Trusted Platform Module (TPM) via the swtpm package(*). Are there plans to extend this support to OpenNebula as well? I guess the bare minimum would be to be able to move the swtpm data with the VM on reschedule/migrate.

Thanks!

-Yenya

(*) Home · stefanberger/swtpm Wiki · GitHub


This is an interesting feature to be added in OpenNebula, we’ve opened a feature request to be incorporated in future releases: Virtual TPM Support · Issue #5892 · OpenNebula/one · GitHub


Subscribed, thanks!

What is the status of this FR? We would like to install Windows 11 Pro in OpenNebula 6.6 but as of now we don’t have a solution.

You can bypass TPM on the Windows registry. We have included a link on how to do that in our Knowledge Base on how to setup Windows VMs.

Is the vTPM available in the paid version of OpenNebula?
How can you put in the official doc something like “Disable TPM for Windows 11 using the registry”? Is this professional? It’s not even your material.

Hello @Cryssis,

There’s no problem with referencing other articles that include a solution to a problem, and it avoids duplicating content. We are aware this is a temporary workaround until the TPM feature is finally implemented (on both versions).

Please understand, this is a work in progress, and we are working on the implementation, so please be patient.

I am running KVM at the host and Opennebula 6.8.0. I tried to add a RAW TPM section at the VM config. Since for some reason it does not pass the validation I disabled validation as below:

RAW = [
    TYPE = "KVM",
    VALIDATE = "no",
    DATA = "<tpm><backend type='emulator' version='2.0'/></tpm>"
]

But still this is not seen at the XML of the VM. I am trying this as it will be a good work-around to be able to add vTPM support at the VM in this way until it is fully supported from the UI. This is needed for Windows 11 VMs. How could I pass such RAW XML data to a deployment?

Thanks

The TPM device was able to be attached by adjusting the RAW XML section as below:

RAW = [
    TYPE = "KVM",
    VALIDATE = "yes",
    DATA = "<devices><tpm model='tpm-crb'><backend type='emulator' version='2.0'/></tpm></devices>"
]

Is there finally a solution to this? Does Opennebula support TPM on KVM now?

Unfortunately, it does not work by default on ONE 6.10 since swtpm is run as root:

Starting vTPM manufacturing as root:root @ Tue 19 Nov 2024 10:56:27 AM CET

The qemu process can’t access that socket by default

Tue Nov 19 10:56:31 2024 [Z0][VMM][E]: DEPLOY: error: Failed to create domain from /var/lib/one//datastores/0/34/deployment.0 error: internal error: process exited while connecting to monitor: 2024-11-19T09:56:27.597981Z qemu-kvm-one: -chardev socket,id=chrtpm,path=/run/libvirt/qemu/swtpm/12-one-34-swtpm.sock: Failed to connect to '/run/libvirt/qemu/swtpm/12-one-34-swtpm.sock': Permission denied Could not create domain from /var/lib/one//datastores/0/34/deployment.0 ExitCode: 255

To fix that, I needed:

  1. to edit /etc/libvirt/qemu.conf
    sed -i -E 's,^#?(swtpm_[^ ]+).*,\1 = "oneadmin",' /etc/libvirt/qemu.conf
    
  2. to change the owner of /var/lib/swtpm-localca/
    chown -R oneadmin: /var/lib/swtpm-localca/
    
  3. restart libvirtd
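A small script for step 1 of that fix, added here as an example and not taken from the thread or from OpenNebula: it applies the same `swtpm_*` rewrite to a qemu.conf file and then verifies that both `swtpm_user` and `swtpm_group` are uncommented and set to the hypervisor user (assumed to be `oneadmin`, as in the post). The qemu.conf content it operates on is a constructed sample, not copied from a real host.

```shell
#!/bin/sh
# Added example (not from the forum post). Assumption: qemu runs as
# "oneadmin" under OpenNebula, so swtpm must run as that user too or qemu
# gets "Permission denied" on the swtpm socket (the error shown above).
set -eu

# Rewrite every swtpm_* key (commented out or not) to the given user.
# Same regex as the one-liner in the thread; written without sed -i so it
# behaves the same on GNU and BSD sed.
apply_swtpm_user() {
    conf="$1"; user="$2"
    sed -E "s,^#?(swtpm_[^ ]+).*,\\1 = \"$user\"," "$conf" > "$conf.tmp"
    mv "$conf.tmp" "$conf"
}

# Return 0 only if swtpm_user AND swtpm_group are active (not commented)
# and equal to the expected user; 1 otherwise.
check_swtpm_user() {
    conf="$1"; user="$2"
    for key in swtpm_user swtpm_group; do
        grep -Eq "^${key}[[:space:]]*=[[:space:]]*\"${user}\"[[:space:]]*$" "$conf" \
            || return 1
    done
    return 0
}

# Constructed sample of the relevant part of /etc/libvirt/qemu.conf:
# swtpm_* keys still at their commented-out defaults.
make_sample_conf() {
    dir=$(mktemp -d)
    cat > "$dir/qemu.conf" <<'EOF'
# constructed sample, not a real host's qemu.conf
user = "oneadmin"
group = "oneadmin"
#swtpm_user = "tss"
#swtpm_group = "tss"
EOF
    printf '%s\n' "$dir/qemu.conf"
}

CONF=$(make_sample_conf)
check_swtpm_user "$CONF" oneadmin && echo "swtpm_* already set" \
    || echo "swtpm_* not set for oneadmin: qemu will be denied the socket"
apply_swtpm_user "$CONF" oneadmin
check_swtpm_user "$CONF" oneadmin && echo "fixed: swtpm will run as oneadmin"
cat "$CONF"
```

Steps 2 and 3 of the post (chown of /var/lib/swtpm-localca/ and restarting libvirtd) are still needed; this only covers the config edit and its verification.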