Piszki Lab | EN

My case study in the clouds…

CloudStack – VM with vTPM and Secure boot UEFI

| 1 Comment

Virtualization provides all possible tools to support the launch of operating systems with special requirements. One of such requirements is to ensure possible security by using TPM and UEFI with Secure Boot. This type of system startup ensures that nothing has been tampered with in the boot loader. While it is easy to implement in a physical host, in solutions the Stack type requires a bit more work. How it is solved in VMware vSphere, already written here. Today we will test a very similar solution in CloudStack. However, note that existing VMs installed with the BIOS will not be usable, you will have to create a completely new UEFI reference VM.

At the moment, it is not possible to use physical TPM as vTPM in the VM as it is in vSphere. Both UEFI and TPM are emulated in the VM (in KVM). We will start with UEFI, CloudStack version 4.15 introduces the ability to boot VM from UEFI as an advanced setting, the BIOS is still used by default. The whole configuration is very simple, it requires the edk2-ovmf (or just OVMF) package to be installed on the host operating system. This package contains all the files needed to emulate UEFI in both legacy and secure modes. CloudStack integrates with this package by creating a file:

/etc/cloudstack/agent/uefi.properties (the paths must be adjusted depending on the package on your OS) :

CentOS 8:


CentOS 7:


Enabling requires restarting the cloudstack-agent (no need to restart libvirt or change qemu.conf configuration), the host itself must be additionally marked in the DB CloudStack that it supports UEFI. This is not a problem for new installations, for older ones after migration, this flag should be set manually in the DB (at the moment). Without it, we will immediately meet the following message: Cannot deploy to specified host as host doesn’t support uefi vm deployment, returning.


In order to run vTPM, the swtpm swtpm-tools package must be installed on the host operating system. It does not require any additional configuration, we add TPM to the VM exactly as we did for the GPU, through the XML configuration added as ExtraConfig. The device definition looks like this:

<tpm model=’tpm-tis’>
<backend type=’emulator’ version=’2.0’/>

We create a new VM as standard, set UEFI / Secure in advanced options, we do not start the machines (nice option added in 4.15.1):


Add the vTPM in virtual machine settings as extraconfig (and only then we start and install the OS):

vm5Below is a screenshot showing that UEFI has been correctly recognized by Windows Installer:

partWe can also check if nvram files are being created:

nvramThe final result looks like this:


Finally, as a bonus, how to add USB devices to the KVM/VM (CloudStack)? The answer is as simple, as any other once you’ve identified it. In the example below, I’ll add a USB <—> Serial cable to my administrative VM. We are looking for the device with the command lsusb –v:


Then prepare the XML file and add it to the VM as extraconfig:

<hostdev mode=’subsystem’ type=’usb’ managed=’yes’>
<vendor id=’0x0403’/>
<product id=’0x6001’/>

We start the VM and check the result, in this case the USB <—> Serial cables are added as a virtual COM3 port:


Rate this article:
[Total: 1 Average: 5]

Author: Piotr Pisz

Computer always, since I got a Commodore 64 at the end of primary school, through his beloved Amiga and Linux infinite number of consoles, until today, fully virtual day. Since 2001, Unix/Linux Systems Administrator, for seven years a faithful companion and protector of Solaris system, until his sad end. In the year 2011 came in the depths of virtualization, then smoothly ascended into the clouds and continues there today. Professionally working as Systems Architect in the Polish Security Printing Works.

One Comment

Leave a Reply

Required fields are marked *.