Feature Request: Native/Simplified TPM Support for Windows 11 VMs

[Defenso-EBO]

Current Problem and Complexity

It is currently not possible to configure TPM 2.0 directly within the VM configuration file managed by vm-bhyve for Windows 11 guests.

This feature, which is technically supported by the underlying bhyve hypervisor, must be implemented through a manual, multi-step workaround:

1. A separate, low-level bhyve.conf file must be created to define the necessary TPM parameters:

   tpm.type=swtpm
   tpm.path=/path/to/the/created/swtpm.sock
   tpm.version=2.0
   

2. To instruct bhyve to use this custom configuration file, the VM's main configuration file (<vmname>.conf in the datastore) must be manually updated to inject the external configuration into the bhyve command line:

   bhyve_options= -k [path of configuration file for bhyve]
   

This process significantly increases the complexity of setting up and maintaining modern virtual machines.

Proposed Solution

It would be highly beneficial for the user experience and the adoption of vm-bhyve to natively support TPM configuration.

This could be achieved by allowing the user to set the parameters directly within the VM's main configuration file, allowing the utility to automatically manage the file creation and parameter injection.

[michael-o]

Please don't forget that there is also native TPM passthrough from Beckhoff as far as I remember. That one above is implemented in software.

[Defenso-EBO]

Thank you @michael-o for this information. I was not aware of this possibility. I prefer to use a simulated TPM in my setup instead of the actual one via passthrough. Because of this disctinction I think it makes sense to add this feature.

[michael-o]

Thank you @michael-o for this information. I was not aware of this possibility. I prefer to use a simulated TPM in my setup instead of the actual one via passthrough. Because of this disctinction I think it makes sense to add this feature.

https://www.google.com/url?sa=t&source=web&rct=j&opi=89978449&url=https://www.youtube.com/watch%3Fv%3D5wDs1K5ppbQ&ved=2ahUKEwijuLfohIGRAxW-9QIHHXh7G-wQtwJ6BAgUEAE&usg=AOvVaw1BSvrKD1f-JLc_l8uHL1FK

[michael-o]

I checked the manpage on 16-CURRENT and you have two TPM optiona: pass-through and swtpm.

[Firstyear]

I think reading between the lines here, I think it is a request that the vm command/system can setup and run swtpm for you as swtpm can be a bit fiddly to setup.

[Defenso-EBO]

I think reading between the lines here, I think it is a request that the vm command/system can setup and run swtpm for you as swtpm can be a bit fiddly to setup.

Exactly. It would be great to see native swtpm integration in vm-bhyve as it provides additionnal features that TPM pass-through lacks. For example, the ability to emulate multiple TPMs simultaneously.

[metalefty]

I plan to work on this. Considering migration, I prefer swtpm to hardware TPM pass-through.

[Firstyear]

Yep, TPM pass through limits you to a single VM with a TPM, swtpm is the better path here.