VMware vSphere Support of Trusted Platform Module (TPM) and Trusted Execution Technology (TXT)
Article ID: 312159
Updated On:
Products
VMware vSphere ESXi
Issue/Introduction
This article provides guidance to customers and server vendors on Trusted Platform Module (TPM) hardware when running vSphere ESXi.
Environment
VMware vSphere ESXi 6.5
VMware vSphere ESXi 6.0
VMware vSphere ESXi 7.0.x
VMware vSphere ESXi 8.0.x
VMware vSphere ESXi 6.0
VMware vSphere ESXi 7.0.x
VMware vSphere ESXi 8.0.x
Resolution
Target Audience and Guidance
TPM is an optional vSphere certification. The server must be certified to get proper support.
The VMware TPM/TXT feature works with the TPM 1.2 hardware and TXT for vSphere 6.0 and higher release versions. The combination of TPM 1.2 and Intel TXT are only available on Intel-based platforms. When using the TPM 1.2 hardware, Intel TXT must be enabled in BIOS.
UEFI Secure Boot is a prerequisite for TPM 2.0 support. UEFI Secure Boot protects the Boot Loader against tampering and ensures only signed software is installed.
vSphere 6.7 GA supports TPM 2.0 but ignores TXT. The TPM 2.0 hardware can be found on both Intel and AMD platforms. vSphere 6.7 GA safely ignores the TXT setting, regardless if it is enabled or disabled in BIOS.
Besides TPM 1.2 with TXT and TPM 2.0, vSphere 6.7 U1 adds support for TPM 2.0 with TXT. If applicable, the user should check the TXT setting in BIOS.
vSphere 6.5 and prior versions safely ignores the TPM 2.0 hardware and ignores any attempt to enable and use TXT trusted boot.
The TPM 1.2 with TXT feature can be used together with a 3rd-party security solution that leverages Intel TXT hardware technology. Without 3rd-party support, ESXi will measure the stack that’s running into the TPM, but the customer cannot validate these measurements directly. Refer to the solution provider’s documentation on how to create a trusted environment.
vSphere 6.7 GA supports attestation with TPM 2.0. vSphere 6.7 U1 supports attestation with TPM 2.0 and TPM 2.0 with TXT. The user can view the attestation result in vSphere client
| Target Audience | Guidance |
Users who use, or plan to use, the VMware TPM/TXT feature |
|
| Support of TPM 1.2 and TPM 1.1 and associated features is deprecated and not supported in vSphere versions 8.0 and later | Refer to the link:https://docs.vmware.com/en/VMware-vSphere/8.0/rn/vmware-vsphere-80-release-notes/index.html#:~:text=VMware%20discontinues%20support%20of%20TPM%201.2 |
Background
TPM is a standard for a secure cryptoprocessor. The dedicated microprocessor is designed to secure hardware by integrating cryptographic keys into devices. The Trusted Computing Group (TCG) is responsible for TPM technical specifications. Since the initial publication, TCG has released two major revisions: 1.2 and 2.0. TPM hardware is designed to be compliant with 1.2 or 2.0 specifications. TPM hardware stores measurements in Platform Configuration Registers (PCRs). These measurements can be used to detect changes for anything that can be loaded into memory.
Intel TXT is computer hardware technology that uses a TPM and cryptographic techniques to provide measurements of software and platform components so that the system software and management applications may use those measurements to make trust decisions. It protects users from software-based attacks which attempt to steal sensitive information by corrupting system and/or BIOS code, or modifying the platform’s configuration.
TPM and TXT support are enabled / disabled in system BIOS. Platform-specific TPM actions are done in BIOS.
The VMware TPM/TXT feature leverages industry standard TPM and Intel TXT to detect corruption of the measured images, unexpected or unauthorized updates, or other types of changes to the measured images.
Servers can be shipped with the TPM 1.2 or TPM 2.0 chip. The TPM chip usually is part of the system board; the user may not be able to change it after the purchase. It is important for users to select the correct TPM hardware at the time of purchase.
Table 2 lists vSphere TPM certification options.
Intel TXT is computer hardware technology that uses a TPM and cryptographic techniques to provide measurements of software and platform components so that the system software and management applications may use those measurements to make trust decisions. It protects users from software-based attacks which attempt to steal sensitive information by corrupting system and/or BIOS code, or modifying the platform’s configuration.
TPM and TXT support are enabled / disabled in system BIOS. Platform-specific TPM actions are done in BIOS.
The VMware TPM/TXT feature leverages industry standard TPM and Intel TXT to detect corruption of the measured images, unexpected or unauthorized updates, or other types of changes to the measured images.
Servers can be shipped with the TPM 1.2 or TPM 2.0 chip. The TPM chip usually is part of the system board; the user may not be able to change it after the purchase. It is important for users to select the correct TPM hardware at the time of purchase.
Table 2 lists vSphere TPM certification options.
| vSphere Version | TPM Certification Options | UEFI Secure Boot Support Required? |
| vSphere 6.0 to vSphere 6.5 | TPM 1.2 with TXT | No |
| vSphere 6.7 GA | TPM 1.2 with TXT | No |
| TPM 2.0 | Yes | |
| vSphere 6.7 U1 or newer versions | TPM 1.2 with TXT | No |
| TPM 2.0 | Yes | |
| TPM 2.0 with TXT | Yes | |
| vSphere 8.0 and later | TPM 2.0 | Yes |
| TPM 2.0 with TXT | Yes |
General Requirements
TPM is an optional vSphere certification. The server must be certified to get proper support.
The VMware TPM/TXT feature works with the TPM 1.2 hardware and TXT for vSphere 6.0 and higher release versions. The combination of TPM 1.2 and Intel TXT are only available on Intel-based platforms. When using the TPM 1.2 hardware, Intel TXT must be enabled in BIOS.
UEFI Secure Boot is a prerequisite for TPM 2.0 support. UEFI Secure Boot protects the Boot Loader against tampering and ensures only signed software is installed.
vSphere 6.7 GA supports TPM 2.0 but ignores TXT. The TPM 2.0 hardware can be found on both Intel and AMD platforms. vSphere 6.7 GA safely ignores the TXT setting, regardless if it is enabled or disabled in BIOS.
Besides TPM 1.2 with TXT and TPM 2.0, vSphere 6.7 U1 adds support for TPM 2.0 with TXT. If applicable, the user should check the TXT setting in BIOS.
vSphere 6.5 and prior versions safely ignores the TPM 2.0 hardware and ignores any attempt to enable and use TXT trusted boot.
The TPM 1.2 with TXT feature can be used together with a 3rd-party security solution that leverages Intel TXT hardware technology. Without 3rd-party support, ESXi will measure the stack that’s running into the TPM, but the customer cannot validate these measurements directly. Refer to the solution provider’s documentation on how to create a trusted environment.
vSphere 6.7 GA supports attestation with TPM 2.0. vSphere 6.7 U1 supports attestation with TPM 2.0 and TPM 2.0 with TXT. The user can view the attestation result in vSphere client
Additional Information
Impact/Risks:
Other than the lack of TXT measured boot support, vSphere 6.x and prior versions will operate correctly in the presence of TPM 2.0 hardware. These versions of vSphere will safely ignore TPM 2.0 hardware and ignore any attempt to enable and use TXT.
vSphere 6.7 U1 adds support for TPM 2.0 with TXT. vSphere 6.7 GA lacks TXT trusted boot support when used with TPM 2.0.
Customers wanting to use TPM on a server must ensure the server is certified for the desired version.
Feedback
Yes
No
Powered by
