TPM Passthrough in Linux Virtual Machine Manager (virt-manager)

Hi everyone,

Today we will see how to pass the host's TPM (Trusted Platform Module) through to a QEMU/KVM virtual machine using the Virtual Machine Manager (virt-manager) tool. We will also edit an AppArmor abstraction file so that QEMU is allowed to open the device. This is mostly needed if you plan to install Windows 11 in a VM, since its installer checks for a TPM 2.0, unless you patch the Windows 11 ISO to bypass that check.

Once Windows 11 is installed, the TPM is not strictly required to boot, but these steps make it appear in the VM regardless, and the guest features that rely on it (BitLocker key sealing, Windows Hello, measured boot) can then use it. Keep in mind what passthrough means: the guest gets raw access to the same physical TPM the host uses, its PCRs already contain the host's boot measurements, /dev/tpm0 can only be opened by one process at a time, and a VM with a passthrough TPM cannot be live-migrated. If the guest just needs "a TPM" rather than this specific chip, the "Emulated" type (swtpm) gives each VM its own private TPM state and avoids sharing with the host.

Adding the TPM module to our Virtual Machine

We’ll start by launching the Virtual Machine Manager tool:

Linux Virtual Machine Manager Interface

There, double-click our machine. This opens the VM console. Then go to the "View" menu and select "Details" to bring up the machine configuration:

00 - QEMU-KVM Windows 11 Machine Details

Click on “Add Hardware”, and select “TPM” from the list that will be shown:

00 - Adding TPM module 1

Change the Type to "Passthrough". In the Device Path, our TPM device should be "/dev/tpm0" (you can confirm the device node exists on the host with ls -l /dev/tpm*). Click "Finish":

00 - Adding TPM Module 2

Editing the AppArmor libvirt-qemu file to allow access to our TPM

If we attempt to start our VM, we may be presented with this message:

01 - TPM Passthrough not working

First, be sure that the TPM is enabled in your BIOS/UEFI firmware settings. If it is, the failure is most likely AppArmor denying QEMU access to the device; running dmesg on the host will show lines containing apparmor="DENIED" together with name="/dev/tpm0" when this is the case. To fix it, we update the AppArmor libvirt-qemu abstraction so that QEMU/KVM may open the module. Open a terminal and edit the file /etc/apparmor.d/abstractions/libvirt-qemu. I'll use nano to edit it:

02 - Modify apparmor libvirt.conf

Scroll down to the part where it mentions swtpm (Emulated TPM section):

03 - Area to type TPM access in the apparmor libvirt-qemu file

Add the following lines below it. You can add a comment line to let you easily identify this section. Double-check the spelling of the path: an AppArmor rule for a path that does not exist parses without complaint and simply leaves the denial in place.

# TPM Passthrough
/dev/tpm0 rw,

04 - TPM Passthrough line in apparmor libvirt-qemu file

Save the file by pressing CTRL + O and then Enter.

Exit nano by pressing CTRL + X. Then restart the AppArmor service so the updated abstraction is loaded (on systemd hosts, sudo systemctl reload apparmor is equivalent; libvirt builds each VM's own profile from this abstraction when the VM starts, so the new rule takes effect on the next start of the VM):

sudo service apparmor restart

07 - Restarting apparmor service

Now we can try starting the VM again.

You may be presented with another error:

08 - Machine still fails to boot with TPM

In this case, change the Model from CRB to TIS (libvirt's tpm-crb and tpm-tis). Both present a TPM 2.0 to a UEFI guest, but CRB is defined only for TPM 2.0, while TIS is the older interface supported by both TPM 1.2 and 2.0 driver stacks, so it is the safer choice when the guest firmware or OS does not accept the CRB device:

09 - Change TPM model to TIS

Now boot your VM again, and the TPM should show up inside it (in Windows, under "Security devices" in Device Manager, or via tpm.msc):

10 - TPM in Device Manager
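The same procedure from the command line, as an added example that is not part of the original post and not virt-manager's or libvirt's own code: check that the host exposes a TPM, pull the AppArmor denials for the device out of kernel-log lines, add the abstraction rule idempotently, and produce the libvirt device XML for both the passthrough and the emulated (swtpm) backend so the CRB/TIS model can be switched without the GUI. The device path /dev/tpm0, the abstraction path, and the sample dmesg lines (with a made-up profile UUID) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post, not libvirt/virt-manager code):
# helpers for the virt-manager TPM passthrough procedure above. /dev/tpm0,
# the abstraction path and the sample audit lines are assumptions.

# Is a TPM character device present, and which spec version does the kernel report?
host_tpm_check() {
    local dev major
    dev="${1:-/dev/tpm0}"
    if [ ! -c "$dev" ]; then
        echo "no TPM character device at $dev (enable the TPM in firmware)" >&2
        return 1
    fi
    major="/sys/class/tpm/$(basename "$dev")/tpm_version_major"
    if [ -r "$major" ]; then
        echo "TPM $(cat "$major").0 at $dev"
    else
        echo "TPM at $dev (version unknown)"
    fi
}

# Idempotently append the passthrough rule to an AppArmor abstraction file.
# Prints "added" or "present" so the caller knows whether a reload is needed.
ensure_apparmor_rule() {
    local file dev rule
    file="$1"; dev="${2:-/dev/tpm0}"
    rule="$dev rw,"
    if grep -qF -- "$rule" "$file"; then
        echo present
    else
        printf '\n# TPM Passthrough\n%s\n' "$rule" >> "$file"
        echo added
    fi
}

# Extract AppArmor denials for one path from kernel-log lines on stdin.
# Output: one "<profile> <operation> <requested_mask>" line per denial.
apparmor_denials_for() {
    local dev
    dev="$1"
    grep -F 'apparmor="DENIED"' | grep -F "name=\"$dev\"" |
      sed -n 's/.*operation="\([^"]*\)".*profile="\([^"]*\)".*requested_mask="\([^"]*\)".*/\2 \1 \3/p' || true
}

# libvirt <tpm> device XML for the two backends the virt-manager dialog offers.
# model is tpm-tis or tpm-crb (CRB is defined for TPM 2.0 only).
tpm_device_xml() {
    local backend model dev
    backend="$1"; model="${2:-tpm-tis}"; dev="${3:-/dev/tpm0}"
    case "$backend" in
        passthrough)
            printf '<tpm model="%s"><backend type="passthrough"><device path="%s"/></backend></tpm>\n' "$model" "$dev" ;;
        emulator)
            printf '<tpm model="%s"><backend type="emulator" version="2.0"/></tpm>\n' "$model" ;;
        *)
            echo "unknown backend: $backend (use passthrough or emulator)" >&2; return 1 ;;
    esac
}

# Constructed sample of what dmesg shows while the abstraction lacks the rule
# (the profile name carries the VM's UUID; this one is made up).
SAMPLE_DMESG='[ 1234.567890] audit: type=1400 audit(1700000000.123:45): apparmor="DENIED" operation="open" profile="libvirt-11111111-2222-3333-4444-555555555555" name="/dev/tpm0" pid=4242 comm="qemu-system-x86" requested_mask="rw" denied_mask="rw" fsuid=64055 ouid=0
[ 1234.568000] audit: type=1400 audit(1700000000.124:46): apparmor="DENIED" operation="open" profile="libvirt-11111111-2222-3333-4444-555555555555" name="/etc/hosts" pid=4242 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0'

# Walk the procedure end to end: check the host, diagnose from the sample log,
# fix the abstraction (in a scratch copy so this does not touch the real file),
# and print the XML for both backends.
demo() {
    local scratch
    host_tpm_check || true
    echo "denials for /dev/tpm0:"
    printf '%s\n' "$SAMPLE_DMESG" | apparmor_denials_for /dev/tpm0
    scratch=$(mktemp)
    cp /etc/apparmor.d/abstractions/libvirt-qemu "$scratch" 2>/dev/null || true
    echo "rule: $(ensure_apparmor_rule "$scratch")"
    rm -f "$scratch"
    tpm_device_xml passthrough tpm-tis
    tpm_device_xml emulator tpm-crb
}

demo
```

To apply this on a real host, run ensure_apparmor_rule as root against /etc/apparmor.d/abstractions/libvirt-qemu, reload AppArmor as described above, write the passthrough XML to a file, and attach it with virsh attach-device <domain> <file> --config (the domain name is whatever your VM is called in virt-manager); editing the model attribute in that XML is the command-line equivalent of the CRB to TIS change in the dialog.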