TPM 2.0 in qemu

If you want to test software which exploits TPM 2.0 functionality inside the qemu-kvm emulator, this can be challenging because the software stack is still quite new. Here is how I did it.

First, you need a new enough qemu. The version on Ubuntu xenial does not suffice. The 2.11 version in Ubuntu bionic does. I believe the 2.10 version in artful is also too old, but might be mis-remembering haven’t tested that lately.

The two pieces of software I needed were libtpms and swtpm. For libtpms I used the tpm2-preview.rev146.v2 branch, and for swtpm I used the tpm2-preview.v2 branch.

apt -y install libtool autoconf tpm-tools expect socat libssl-dev
git clone
( cd libtpms &&
  git checkout tpm2-preview.rev146.v2 &&
  ./ &&
  ./configure --prefix=/usr --with-openssl --with-tpm2 &&
  make && make install)
git clone
(cd swtpm &&
  git checkout tpm2-preview.v2 &&
  ./ &&
  configure --prefix=/usr --with-openssl --with-tpm2 &&
  make &&
  make install)

For each qemu instance, I create a tpm device. The relevant part of the script I used looks like this:


while [ -d /tmp/mytpm$i ]; do
let i=i+1

mkdir $tpm
echo "Starting $tpm"
sudo swtpm socket --tpmstate dir=$tpm --tpm2 \
             --ctrl type=unixio,path=/$tpm/swtpm-sock &
sleep 2 # this should be changed to a netstat query

next_vnc() {
    while nc -z $port; do
        port=$((port + 1))
        vncport=$((vncport + 1))
    echo $vncport

sudo kvm -drive file=${disk},format=raw,if=virtio,cache=none -chardev socket,id=chrtpm,path=/$tpm/swtpm-sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis,tpmdev=tpm0 -vnc :$nextvnc -m 2048
This entry was posted in Uncategorized. Bookmark the permalink.

4 Responses to TPM 2.0 in qemu

  1. Luke Hinds says:

    So is this creating an emulated (or simulated) TPM or is this some sort of paravirtualization of a hardware TPM exposed via QEMU?

    • s3hh says:

      Hi – sorry for the late reply. It’s an emulated TPM.

      • Luke Hinds says:

        Hi, thanks for reply and apologies for my late reply. I guess what I mean is does the keys, quotes etc reside in the hardware TPM and the vTPM acts a paravirtualized instance of the TPM, or does it exist soley on its own and the keys are stored on disc / memory (for example, you could run it with a hardware TPM present). Hope that makes sense.

      • s3hh says:

        Exist solely on its own.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s