Is there an existing issue for this?
What are you currently unable to do
When attaching a vTPM to a Container or VM, the vTPM is in a completely empty state with no permanent objects.
This means no Endorsement Key, which is usually embedded into a hardware TPM.
```
$ # On my laptop
$ tss2_provision
Fapi_Provision(0x60035) - fapi:Already provisioned
$ tpm2_getekcertificate | openssl x509 -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            aa:...:zz
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CH, O=STMicroelectronics NV, CN=STM TPM EK Intermediate CA 06
        Validity
            Not Before: Feb 18 15:17:30 2025 GMT
            Not After : Dec 31 23:59:59 9999 GMT
        Subject:
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
...
```

```
$ # On a newly provisioned VM or Container
$ tss2_provision
Fapi_Provision(0x60025) - fapi:No certificate
$ tpm2_getekcertificate
ERROR: Must specify the EK public key path
```
This means that the Container or VM cannot prove to any external party that a certificate actually lives on the vTPM.
What do you think would need to be added
Incus should support provisioning the vTPM prior to attaching to the Container or VM (swtpm docs here).
This would require additional configuration, as Incus would need to have a platform certificate key kept secret that it uses to sign the provisioned endorsement keys, but make the certificate itself available so that external parties could verify the vTPM operations (e.g. by having the VM perform a tpm2_quote operation).
This would likely involve global settings such as tpm2.platform_cert.crt and tpm2.platform_cert.key, and a per-TPM setting that allowed configuring whether the vTPM is set up with an Endorsement Key. On IncusOS, storing the platform cert on the hardware TPM would give users a great end-to-end attestation story.
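The trust relationship proposed above (the host keeps a CA key secret, publishes the CA certificate, and a verifier checks the vTPM's EK certificate against it), sketched as an added example that is not part of the original issue or of Incus. Here openssl stands in for both the host CA and the vTPM, and the names `host-ca`, `other-ca` and `vtpm-ek` are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo. openssl stands in for the host CA and for the vTPM EK;
# a real EK private key never leaves the (v)TPM.

# Minimal config so the result does not depend on the system openssl.cnf.
write_cfg() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden-by-subj
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
EOF
}

# make_ca DIR NAME: self-signed CA. NAME.key stays secret on the host,
# NAME.crt is what gets published to verifiers.
make_ca() {
    openssl req -x509 -config "$1/openssl.cnf" -extensions ca_ext \
        -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# issue_ek_cert DIR CA_NAME EK_NAME: create a key pair and have the CA sign it.
issue_ek_cert() {
    openssl req -new -config "$1/openssl.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$3" -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
        -CAcreateserial -days 30 -out "$1/$3.crt" 2>/dev/null
}

# ek_cert_trusted CA_CRT EK_CRT: verifier side. Succeeds only if EK_CRT chains
# to the published CA; -no-CApath keeps the system CA directory out of it.
ek_cert_trusted() {
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

dir=$(mktemp -d) && write_cfg "$dir/openssl.cnf"
make_ca "$dir" host-ca && make_ca "$dir" other-ca
issue_ek_cert "$dir" host-ca vtpm-ek
ek_cert_trusted "$dir/host-ca.crt"  "$dir/vtpm-ek.crt" && echo "host-ca: trusted"
ek_cert_trusted "$dir/other-ca.crt" "$dir/vtpm-ek.crt" || echo "other-ca: rejected"
rm -rf "$dir"
```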