Advanced usage

Enable vTPM for your instances

In the dc4-a region, you can enable a virtual Trusted Platform Module (vTPM) for your instances by configuring image metadata. Two TPM versions are supported (1.2 and 2.0), as well as two models: TPM Interface Specification (TIS) and Command-Response Buffer (CRB). Note that the CRB model is only supported with version 2.0.

Warning

vTPM support is only available in the dc4-a region. Attempting to boot a VM with vTPM metadata in dc3-a will result in a scheduling failure.

Note

To edit an image's metadata, you must own the image. This means you must build or upload your own images to the public cloud in order to set the vTPM metadata.

Image Metadata Properties

Image Metadata Key   Description
hw_tpm_version       The TPM version, 1.2 or 2.0. Required to request a vTPM.
hw_tpm_model         The TPM model, tpm-tis (default) or tpm-crb (only valid with version 2.0).

Example: Configuring an Image to Use TPM 2.0 with the CRB Model

To configure an image for TPM 2.0 and the CRB model:

 openstack image set <image-id> \
  --property hw_tpm_version=2.0 \
  --property hw_tpm_model=tpm-crb

Replace <image-id> with the ID of your image. The same properties can be set when the image is created with Terraform, using the OpenStack provider's openstack_images_image_v2 resource:


resource "openstack_images_image_v2" "ubuntu_noble_tpm" {
  name             = "Ubuntu 24.04 - Noble Numbat (vTPM)"
  image_source_url = "https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-amd64.img"
  container_format = "bare"
  disk_format      = "qcow2"

  # Image metadata that requests a vTPM: TPM 2.0 with the CRB model.
  properties = {
    hw_tpm_version = "2.0"
    hw_tpm_model   = "tpm-crb"
  }
}

Warning

Model limitations: The tpm-crb model can only be used with TPM version 2.0. Setting this model with version 1.2 will cause an error.

Image configuration: Ensure that the image metadata does not specify conflicting values. For example, you cannot set both hw_tpm_version=1.2 and hw_tpm_version=2.0 on the same image.

Verification

Upon successful boot, the instance should have access to a TPM device (e.g., /dev/tpm0), which can be used as a hardware TPM would.
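The version/model rules above and the verification step, worked as an added shell example (not code from the original page or the cloud provider): the validation rejects an invalid pair locally before it reaches the image API. It assumes the openstack CLI is installed and authenticated when the printed command is run, and that the guest kernel exposes /sys/class/tpm/tpm0/tpm_version_major, which not every kernel does.

```shell
#!/bin/sh
# Added example, not from the original page. Validates a hw_tpm_version /
# hw_tpm_model pair against the rules above before producing the
# `openstack image set` command, and checks for the TPM device in the guest.
# Assumes the openstack CLI is installed and authenticated when the printed
# command is actually run.
set -eu

# vtpm_validate VERSION MODEL: 0 if the pair is accepted, 1 otherwise.
vtpm_validate() {
  version="$1"; model="$2"
  case "$version" in
    1.2|2.0) ;;
    *) echo "hw_tpm_version must be 1.2 or 2.0 (got '$version')" >&2; return 1 ;;
  esac
  case "$model" in
    tpm-tis) ;;
    tpm-crb) [ "$version" = "2.0" ] || {
               echo "tpm-crb is only valid with hw_tpm_version=2.0" >&2; return 1; } ;;
    *) echo "hw_tpm_model must be tpm-tis or tpm-crb (got '$model')" >&2; return 1 ;;
  esac
}

# vtpm_image_set_cmd IMAGE_ID VERSION MODEL: prints the command to run, or
# prints nothing and fails, so an invalid pair never reaches the image API.
vtpm_image_set_cmd() {
  vtpm_validate "$2" "$3" || return 1
  printf 'openstack image set %s --property hw_tpm_version=%s --property hw_tpm_model=%s\n' \
    "$1" "$2" "$3"
}

# vtpm_guest_check: run inside the booted instance. Fails unless the TPM
# character device exists; reports the major version when sysfs exposes it.
vtpm_guest_check() {
  [ -c /dev/tpm0 ] || { echo "no TPM device at /dev/tpm0" >&2; return 1; }
  if [ -r /sys/class/tpm/tpm0/tpm_version_major ]; then
    echo "TPM $(cat /sys/class/tpm/tpm0/tpm_version_major).x present at /dev/tpm0"
  else
    echo "TPM present at /dev/tpm0"
  fi
}

# Demonstration: print the command for the page's TPM 2.0 + CRB example.
vtpm_image_set_cmd "<image-id>" 2.0 tpm-crb
```

Source the file inside the instance and call vtpm_guest_check to confirm the device is present after boot.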

This setup ensures your instances leverage the enhanced security benefits of a virtual TPM.