[nova] TPM passthrough

Mohammed Naser mnaser at vexxhost.com
Thu Jun 20 14:44:47 UTC 2019

On Thu, Jun 20, 2019 at 10:40 AM Jim Rollenhagen <jim at jimrollenhagen.com> wrote:
> Hey y'all,
> We have an internal use case which requires a VM with a TPM, to be used to
> store a private key. Libvirt has two ways to present a TPM to a VM: passthrough
> or emulated. Per kashyap and the #qemu IRC channel, libvirt stores the TPM's
> state on disk, unencrypted. Our risk profile includes "someone walks away with
> a disk", so this won't work for our use case.
> The QEMU devs have asked for RFEs to implement vTPMs where the state never
> touches the disk, so I have hopes that this will be done eventually.
> However, I suspect that this will still take some time, especially as nobody
> has volunteered to actually do the work yet. So, I'd like to propose we
> implement TPM passthrough in Nova. My team is happy to do the work, but I'd
> love some guidance as to the best way to implement this so we can get a spec
> done (I assume it's "just another resource class"?).


Would it be using this?  I'm just trying to gauge what TPM passthrough
involves out of personal curiosity.

> If Nova doesn't want this feature in, and would rather just wait for the
> features in QEMU, we'll carry it downstream, I guess. :)
> Thoughts?
> // jim

Mohammed Naser — vexxhost
D. 514-316-8872
D. 800-910-1726 ext. 200
E. mnaser at vexxhost.com
W. http://vexxhost.com
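For readers trying to picture what the two libvirt options in the thread look like, here is an added illustration (not part of the original message, and not Nova or libvirt project code) of the domain XML for each backend. The device path, the guest model, and the directory in the comment are assumptions for this example; the point is the difference in where the TPM state lives.

```xml
<!-- Added example: the two TPM backends libvirt offers, side by side. -->
<domain type='kvm'>
  <!-- ... other domain elements omitted ... -->
  <devices>

    <!-- Passthrough: the guest is given the host's physical TPM.
         No TPM state is written to host disk by libvirt; the secrets
         stay inside the hardware chip. Only one guest can own the
         device at a time, and the VM cannot be live-migrated away
         from that host. /dev/tpm0 is an assumed device path. -->
    <tpm model='tpm-tis'>
      <backend type='passthrough'>
        <device path='/dev/tpm0'/>
      </backend>
    </tpm>

    <!-- Emulated: libvirt runs a swtpm process per guest. The TPM's
         NVRAM (and therefore any key material the guest stores in it)
         is persisted as files on the host filesystem, which is the
         "state on disk" concern raised in the thread. -->
    <!--
    <tpm model='tpm-tis'>
      <backend type='emulator' version='2.0'/>
    </tpm>
    -->

  </devices>
</domain>
```

Only one of the two `<tpm>` elements would appear in a real domain; the emulator form is commented out so the file stays valid. When evaluating the emulator backend against a "someone walks away with a disk" threat model, check where the swtpm state directory sits (whether that volume is encrypted at rest) and which libvirt and swtpm versions are in use, since newer releases added the option to encrypt the emulator's state with a libvirt-managed secret.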
