vtpm is the system service that provides a virtualized TPM interface. It exposes a D-Bus interface like a TPM daemon, while the backend TPM implementation is virtualized and can be backed by software or by the real TPM.
This document provides a top-level view of the behavior of vtpm.
vtpm supports pre-defined persistent keys. Each one is implemented as a loadable transient key in the storage hierarchy. When a virtual persistent key is used, vtpm loads the key into the host TPM, and the handle of the loaded transient key replaces the virtual persistent key handle value in the forwarded command.
So far there are 2 pre-defined keys: storage root key (vSRK) and endorsement key (vEK).
vtpm provides very limited support for authorization and sessions:
Vtpm supports pre-defined, read-only NVRAM spaces. A typical (and currently the only) use is to store a virtual endorsement key certificate.
For now, only the vEK certificate is supported.
All the key types and algorithm inputs/outputs are passed through to/from the host TPM.
Note that, although this implies that whatever the host TPM supports should also work with vtpm, testing of the vtpm implementation during development has focused on ECC.
If vtpm receives a command that is not supported, it returns TPM_RC_COMMAND_CODE.
If a system error occurs, it usually returns TPM_RC_FAILURE (for example, when a dependent daemon service is down and a certain operation cannot be performed).
It supports listing TPM_CAP_HANDLES with persistent key handles.
For development purposes, transient key handles and policy session handles are also supported, but they are not tested in production logic.
It supports reading data from a predefined NV space.
Although the vEK certificate is the only one currently supported, different indices can be implemented in different ways by design; there is no unified way to maintain NV spaces the way a real TPM does.
It supports reading the public area of a predefined NV space.
Like TPM2_NV_Read, the public information can be implemented differently index by index.
The following virtual objects are transferred to the ones the host TPM recognizes:
The following commands are forwarded to the host TPM using the rule mentioned above. Additional notes on specific commands are also documented below:
The important constants and parameters for gLinux use are listed below: