Type: tpm

Note

The tpm device type is supported for both containers and VMs. It supports hotplugging only for containers, not for VMs.

TPM devices enable access to a TPM emulator.

TPM devices can be used to validate the boot process and ensure that no steps in the boot chain have been tampered with, and they can securely generate and store encryption keys.

LXD uses a software TPM that supports TPM 2.0. For containers, the main use case is sealing certificates, which means that the keys are stored outside of the container, making it virtually impossible for attackers to retrieve them. For virtual machines, TPM can be used both for sealing certificates and for validating the boot process, which allows using full disk encryption compatible with, for example, Windows BitLocker.

Device options

tpm devices have the following device options:

path

Path inside the container

Key: path
Type:

string

Required:

for containers

For example: /dev/tpm0

pathrm

Resource manager path inside the container

Key: pathrm
Type:

string

Required:

for containers

For example: /dev/tpmrm0

Configuration examples

Add a tpm device to a container by specifying its path and the resource manager path:

lxc config device add <instance_name> <device_name> tpm path=<path_on_instance> pathrm=<resource_manager_path>

Add a tpm device to a virtual machine:

lxc config device add <instance_name> <device_name> tpm

See Configure devices for more information.