VMware vSphere Support of Trusted Platform Module (TPM) and Trusted Execution Technology (TXT)
search cancel

VMware vSphere Support of Trusted Platform Module (TPM) and Trusted Execution Technology (TXT)

book

Article ID: 312159

calendar_today

Updated On:

Products

VMware vSphere ESXi

Issue/Introduction

This article provides guidance to customers and server vendors on Trusted Platform Module (TPM) hardware when running vSphere ESXi.

Environment

VMware vSphere ESXi 6.5
VMware vSphere ESXi 6.0
VMware vSphere ESXi 7.0.x
VMware vSphere ESXi 8.0.x

Resolution

Target Audience and Guidance
 
Target AudienceGuidance

Users who use, or plan to use, the VMware TPM/TXT feature
 
  • Ensure the server and TPM hardware are certified for the TPM feature before running the TPM/TXT configuration in production 
  • When procuring hardware for vSphere 6.5 and prior releases, select TPM 1.2 hardware for vSphere compatibility
  • When procuring hardware for vSphere 6.7 GA and later releases, select TPM 1.2 or 2.0 hardware, and verify UEFI Secure Boot support when choosing TPM 2.0. 
Support of TPM 1.2 and TPM 1.1 and associated features is deprecated and not supported in vSphere versions 8.0 and laterRefer to the link:https://docs.vmware.com/en/VMware-vSphere/8.0/rn/vmware-vsphere-80-release-notes/index.html#:~:text=VMware%20discontinues%20support%20of%20TPM%201.2
 
Background
 
TPM is a standard for a secure cryptoprocessor.  The dedicated microprocessor is designed to secure hardware by integrating cryptographic keys into devices.  The Trusted Computing Group (TCG) is responsible for TPM technical specifications.  Since the initial publication, TCG has released two major revisions:  1.2 and 2.0.  TPM hardware is designed to be compliant with 1.2 or 2.0 specifications.  TPM hardware stores measurements in Platform Configuration Registers (PCRs).  These measurements can be used to detect changes for anything that can be loaded into memory. 

Intel TXT is computer hardware technology that uses a TPM and cryptographic techniques to provide measurements of software and platform components so that the system software and management applications may use those measurements to make trust decisions.  It protects users from software-based attacks which attempt to steal sensitive information by corrupting system and/or BIOS code, or modifying the platform’s configuration.

TPM and TXT support are enabled / disabled in system BIOS.  Platform-specific TPM actions are done in BIOS.

The VMware TPM/TXT feature leverages industry standard TPM and Intel TXT to detect corruption of the measured images, unexpected or unauthorized updates, or other types of changes to the measured images. 
Servers can be shipped with the TPM 1.2 or TPM 2.0 chip.  The TPM chip usually is part of the system board; the user may not be able to change it after the purchase.  It is important for users to select the correct TPM hardware at the time of purchase. 

Table 2 lists vSphere TPM certification options.
 
vSphere VersionTPM Certification OptionsUEFI Secure Boot Support Required?
vSphere 6.0 to vSphere 6.5TPM 1.2 with TXTNo
vSphere 6.7 GATPM 1.2 with TXTNo
TPM 2.0Yes
vSphere 6.7 U1 or newer versionsTPM 1.2 with TXTNo
TPM 2.0Yes
TPM 2.0 with TXTYes
vSphere 8.0 and laterTPM 2.0Yes
TPM 2.0 with TXTYes
 
General Requirements

TPM is an optional vSphere certification.  The server must be certified to get proper support.   

The VMware TPM/TXT feature works with the TPM 1.2 hardware and TXT for vSphere 6.0 and higher release versions.  The combination of TPM 1.2 and Intel TXT are only available on Intel-based platforms.  When using the TPM 1.2 hardware, Intel TXT must be enabled in BIOS. 

UEFI Secure Boot is a prerequisite for TPM 2.0 support.  UEFI Secure Boot protects the Boot Loader against tampering and ensures only signed software is installed.

vSphere 6.7 GA supports TPM 2.0 but ignores TXT.  The TPM 2.0 hardware can be found on both Intel and AMD platforms.  vSphere 6.7 GA safely ignores the TXT setting, regardless if it is enabled or disabled in BIOS.

Besides TPM 1.2 with TXT and TPM 2.0, vSphere 6.7 U1 adds support for TPM 2.0 with TXT.  If applicable, the user should check the TXT setting in BIOS.

vSphere 6.5 and prior versions safely ignores the TPM 2.0 hardware and ignores any attempt to enable and use TXT trusted boot.

The TPM 1.2 with TXT feature can be used together with a 3rd-party security solution that leverages Intel TXT hardware technology.  Without 3rd-party support, ESXi will measure the stack that’s running into the TPM, but the customer cannot validate these measurements directly.  Refer to the solution provider’s documentation on how to create a trusted environment.

vSphere 6.7 GA supports attestation with TPM 2.0.  vSphere 6.7 U1 supports attestation with TPM 2.0 and TPM 2.0 with TXT.  The user can view the attestation result in vSphere client
 
 


Additional Information


在 vSphere 中对可信平台模块 (TPM) 1.2 和可信执行技术 (TXT) 的支持
vSphere における Trusted Platform Module (TPM) 1.2 と Trusted Execution Technology (TXT) のサポート

Impact/Risks:

Other than the lack of TXT measured boot support, vSphere 6.x and prior versions will operate correctly in the presence of TPM 2.0 hardware. These versions of vSphere will safely ignore TPM 2.0 hardware and ignore any attempt to enable and use TXT.

vSphere 6.7 U1 adds support for TPM 2.0 with TXT.  vSphere 6.7 GA lacks TXT trusted boot support when used with TPM 2.0.

Customers wanting to use TPM on a server must ensure the server is certified for the desired version.