FortiGate
amalsky (Staff)
Article Id 360337
Description: This article describes the steps to enable vTPM (Virtual Trusted Platform Module) on a FortiGate Virtual Machine running in a Nutanix environment.
Scope: FortiOS 7.2.9 or later.
Solution

A vTPM is a software-based implementation of a TPM 2.0 chip. It provides the same security functions as a physical TPM, including attestation, key generation, and random number generation, without requiring a dedicated chip.

The open-source Kernel-based Virtual Machine (KVM) is used as the staging platform: the FortiGate VM is first deployed on KVM with a TPM emulator and then exported to Nutanix AHV, where vTPM is enabled.

Prerequisites:

  • A Linux host on which the user has root access (this article uses Ubuntu 22.04.1 LTS; any modern distribution would suffice).
  • Virtualization support enabled.
  • KVM is installed on the Host.

  • A FortiOS Virtual Machine with a TPM emulator enabled is already deployed in the KVM environment.
    (When the VM is created with virt-install, the TPM part of the definition corresponds to the option below; in the libvirt domain XML it appears as a <tpm> device with an emulator backend of version 2.0.)

--tpm backend.type=emulator,backend.version=2.0,model=tpm-tis

Exporting from KVM:

  • This step backs up the hard disk and the XML configuration from the KVM host.
  • The default directory for the disk image is:

/var/lib/libvirt/images/

  • The XML configuration file is usually stored in:

/etc/libvirt/qemu/

  • If they are not stored in the default location, locate them using the following command:

virsh domblklist <VM-NAME>

 

  • The hard disk is exported from KVM in QCOW format and later imported into Nutanix AHV.
    To back up the disk image and configuration file, use commands such as cp or rsync.

    This setup was tested using the Nutanix Community Edition.

    (Screenshot: Nutanix Community Edition version)

     
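Both the TPM-device definition shown above and the export steps (locate the disk images, back up the disk and the XML, copy them off the host) can be scripted. The following POSIX shell script is an added example written for this article; it is not part of the original KB page and not Fortinet or Nutanix tooling. It assumes root on the KVM host with virsh and rsync available, takes the domain name and destination directory from the hypothetical VM_NAME and DEST environment variables, and checks that the libvirt domain XML actually contains the TPM 2.0 emulator device before copying anything. The domblklist table and the two XML fragments embedded in it are constructed samples used only for a self-check.

```sh
#!/bin/sh
# Added example, not from the Fortinet article or from Fortinet/Nutanix tooling.
# It stages the KVM-side backup the export step describes and checks that the
# domain definition carries the TPM 2.0 emulator the procedure needs.
# Assumptions: VM_NAME/DEST are supplied by the caller (hypothetical names),
# virsh and rsync are on PATH, and the script runs as root on the KVM host.
set -eu

# Print one disk image path per line from "virsh domblklist <VM>" output on
# stdin. The first two lines are the Target/Source header and its rule;
# entries with "-" as source (e.g. an empty CD-ROM) carry no file to copy.
disk_paths_from_domblklist() {
    awk 'NR > 2 && NF >= 2 && $2 != "-" { print $2 }'
}

# Exit 0 if the domain XML on stdin has a <tpm> device whose backend is the
# TPM 2.0 emulator (the XML form of
# "--tpm backend.type=emulator,backend.version=2.0,model=tpm-tis"), else 1.
has_tpm_emulator() {
    awk '/<tpm[ >]/                 { in_tpm = 1 }
         in_tpm && /type=.emulator./ { emu = 1 }
         in_tpm && /version=.2\.0./  { v2 = 1 }
         /<\/tpm>/                   { in_tpm = 0 }
         END { exit !(emu && v2) }'
}

# Back up the definition and every disk of a shut-down domain into $2.
export_fortigate_vm() {
    vm="$1"; dest="$2"
    # A running guest's disk is not the consistent sector-by-sector copy the
    # Nutanix import relies on, so refuse to copy a live domain.
    if [ "$(virsh domstate "$vm")" != "shut off" ]; then
        echo "error: shut down $vm (virsh shutdown $vm) before exporting" >&2
        return 1
    fi
    mkdir -p "$dest"
    # dumpxml returns the same definition libvirt keeps under /etc/libvirt/qemu/.
    virsh dumpxml "$vm" > "$dest/$vm.xml"
    if ! has_tpm_emulator < "$dest/$vm.xml"; then
        echo "error: $vm was not deployed with a TPM 2.0 emulator" >&2
        return 1
    fi
    # Works whether or not the images live in /var/lib/libvirt/images/.
    virsh domblklist "$vm" | disk_paths_from_domblklist | while IFS= read -r img; do
        rsync -a --sparse "$img" "$dest/"
    done
    # Checksums let the import side confirm the transfer did not alter the image.
    find "$dest" -type f ! -name SHA256SUMS -exec sha256sum {} + > "$dest/SHA256SUMS"
}

# Constructed sample inputs (not real output) used by self_check below.
SAMPLE_DOMBLKLIST=' Target   Source
------------------------------------------------
 vda      /var/lib/libvirt/images/fgt-vtpm.qcow2
 vdb      /srv/vmdisks/fgt-vtpm-log.qcow2
 sda      -
'
SAMPLE_XML_TPM="<domain type='kvm'><name>fgt-vtpm</name><devices>
  <tpm model='tpm-tis'>
    <backend type='emulator' version='2.0'/>
  </tpm>
</devices></domain>"
SAMPLE_XML_NOTPM="<domain type='kvm'><name>fgt-plain</name><devices>
  <disk type='file' device='disk'/>
</devices></domain>"

# Run the parsers over the constructed samples; returns 0 when both behave.
self_check() {
    paths=$(printf '%s' "$SAMPLE_DOMBLKLIST" | disk_paths_from_domblklist | tr '\n' ' ')
    [ "$paths" = "/var/lib/libvirt/images/fgt-vtpm.qcow2 /srv/vmdisks/fgt-vtpm-log.qcow2 " ] || return 1
    printf '%s' "$SAMPLE_XML_TPM" | has_tpm_emulator || return 1
    if printf '%s' "$SAMPLE_XML_NOTPM" | has_tpm_emulator; then return 1; fi
    echo "self-check passed"
}

if [ -n "${VM_NAME:-}" ]; then
    export_fortigate_vm "$VM_NAME" "${DEST:-/var/backups/fortigate}"
else
    self_check
fi
```

Run it as `VM_NAME=<VM-NAME> DEST=/backup/fgt sh export-fgt.sh` after shutting the guest down; without VM_NAME it only runs the self-check on the embedded samples. The script refuses to proceed unless virsh domstate reports "shut off", because the import step expects a sector-by-sector copy of the original disk, and it fails early if the domain has no TPM 2.0 emulator device, since that is the state the vTPM on Nutanix is expected to carry forward.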

Importing in Nutanix:

  • Use the exported disk image from the KVM environment to create a custom image in Nutanix and store it in the desired storage container.

    (Screenshot: Image configuration, Nutanix part 2)

  • Create a new Virtual Machine and follow the Nutanix VM creation wizard.
  • Under the operations menu, select the "Clone from Image Service" option.
  • Choose the image created in the previous step.

    (Screenshot: Image configuration, Nutanix part 3)

    The settings of the Virtual Machine, such as the number of vCPUs, memory, network interfaces, and disks, should be adjusted to the specific needs.

    Keep in mind that the FortiGate license only limits the number of CPUs.



  1. Mandatory Settings:
  • UEFI Firmware: Enable UEFI, but make sure Secure Boot is disabled.
  • Disk Type: Use SCSI for the hard drive.

  2. Recommended Settings:
  • At least two NICs (for handling internal and external traffic).
  • An additional hard drive (~30 GB) for logging purposes.

    (Screenshot: Image configuration, Nutanix part 4)

Enable vTPM:

 

Do not power on the Virtual Machine after it has been created.

 

  1. Connect to any Controller VM in the Nutanix cluster using SSH.
  2. At the CVM prompt, type acli to enter the Acropolis CLI mode.
  3. Enable vTPM using:

 

vm.update <vm-name> virtual_tpm=true

 

Replace <vm-name> with the name of the FortiGate VM.

 

(Screenshot: vTPM enabled)

 

Start the FortiGate VM.

 

The FortiGate should take a few minutes to boot and is expected to preserve the configuration and logs present on the FortiGate deployed in the KVM environment (the imported hard disk is a sector-by-sector copy of the original).

Verify the vTPM:

Check that the vTPM is enabled and working correctly using the following commands:

 

diagnose hardware deviceinfo tpm

 

(Screenshot: output of diagnose hardware deviceinfo tpm)

 

diagnose tpm get-property

(Screenshot: output of diagnose tpm get-property)

 

diagnose tpm selftest

(Screenshot: output of diagnose tpm selftest)