Skip to Content

How to enable TPM and secure boot on KVM?

By: Author Saifudheen Sidheeq

Posted on  - Last updated:

The TPM, known as Trusted Platform Module, is a technology that enables security on both the hardware and software levels on a device. You can find TPM on pretty much every device out there.

When the windows11 came out, Microsoft made sure that TPM was one of the requirements for you to install the operating system. It caused many people to get frustrated because some of the CPUs that are older than two years don’t support TPM.

Is TPM required for the windows 11 virtual machine?

When windows 11 initially came out as beta under the windows insider program, everyone could install the operating system without the TPM. However, things changed when the official ISO image was released to the public on Oct 5th, 2021. TPM has become mandatory for windows 11 virtual machines as well. Since then, users have had to enable TPM on the hypervisor to install the windows 11 operating system.  Most of the hypervisors do support TPM, including VMware and KVM, except VirtualBox. At the time of this writing, VirtualBox currently does not support TPM functionality. Hence, windows 11 is not officially supported in VirtualBox.

In this blog, we will see how you can enable TPM on the KVM host, also enable the secure boot.

Installation of TPM on Ubuntu KVM.

To emulate the TPM, we are going to install a software called swtpm-tools. And it works great with the KVM.

Since it is not available to download from the default ubuntu repository, you must add the below repository to Ubuntu.

http://ppa.launchpad.net/stefanberger/swtpm-focal/ubuntu

You must find the Ubuntu version before you proceed.

To check the version of Ubuntu, you can enter the below command.

lsb_release -a

saif@saif-KVM:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.3 LTS
Release:        20.04
Codename:       focal

As I am using the Ubuntu version 20.04, my Ubuntu codename is focal, so you must use the version’s codename.

As we are adding the third party repository it is important to add ‘trusted=yes’ to trust the source.

To add the repository, you can enter the repository with the below command, ensure to replace the repo url with your version. 

echo "deb [trusted=yes] http://ppa.launchpad.net/stefanberger/swtpm-focal/ubuntu focal main bionic main" | sudo tee -a /etc/apt/sources.list

And update the repository using the command sudo apt-get update.

Now that we have added the repository, let’s go ahead and install the swtpm on our machine. To install, enter the below command.

sudo apt-get install swtpm-tools -y

That’s it, you have successfully installed Software TPM binary for your KVM host.

You can check the version that you have installed by typing the command swtpm –version.

saif@saif-KVM:~$ swtpm --version
TPM emulator version 0.6.3, Copyright (c) 2014-2021 IBM Corp.
saif@saif-KVM:~$

Note: If you have followed this step to install windows 11 on kvm, you have completed the step, you can go righ back to the article here.

To add the TPM via the command line.

Shut down the VM with the below command.

virsh shutdown <vmname>

or

virsh destroy <vmname>

Edit the VM configuration using the command virsh edit <vmname>

This will let you edit the XML file of your VM, add the below line.

<tpm model='tpm-tis'>
      <backend type='emulator' version='2.0'/>
      <alias name='tpm0'/>
    </tpm>

Alright, we have enabled the TPM on the KVM. Let’s go ahead and enable secure boot as well.

Enable secure-boot/UEFI on KVM.

The secure boot/UEFI is available by default when you have installed the KVM program on your machine. If it is not available by any chance, you may enter the command below to install it.

sudo apt install ovmf

To enable Secure boot or UEFI boot, click on the Overview option during the VM installation and change the following settings.

  • Chipset – i440FX
  • Firmware – UEFI x86_64:/usr/share/OVMF/OVMF_CODE.fd

And click on Apply.

You have now successfully added the TPM and enabled the secure boot as well. You can now go ahead and install any Virtual machines which require TPM. Especially the windows11.

SH

Wednesday 31st of January 2024

Hi.

The XML content seems not visible; can you fixe it, plz?!

Saifudheen Sidheeq

Wednesday 13th of March 2024

Thanks for letting me know 🙌

It should be fine now.