
Understanding the Virtual TPM Encryption Levels

By JOEL WOLFRATH posted Mon February 05, 2024 05:05 PM


Virtual Trusted Platform Module (VTPM) 2.0 is a PowerVM feature introduced as part of the Power10 platform. It allows a logical partition to be configured with a virtual TPM device that complies with one of various versions of the TCG TPM 2.0 specification. The specification includes a new feature, algorithmic agility, under which the cryptographic algorithms supported by the device may change without requiring changes to the device communication protocol. However, changing the version of the TCG specification, or changing the underlying algorithms supported by the device, can introduce incompatibilities between virtual devices.

To address these issues, each VTPM 2.0 device has an associated encryption level, which corresponds to a specific version of the TCG spec and a fixed set of algorithms supported by the virtual device. The currently supported encryption levels are:

Power10v1 — The initial encryption level that was released with VTPM 2.0 in FW1010. This corresponds to the TCG Spec Version 150.

Power10v2 — An updated encryption level that was released in FW1050 to address CVE-2021-3505. This corresponds to the TCG Spec Version 164.

Note: The “Power10” naming convention indicates which hardware platform introduced the encryption level.

Upgrading the Encryption Level

To switch encryption levels, the owning logical partition must first be powered off. The existing VTPM 2.0 instance is then removed from the partition, and a new VTPM instance with the new encryption level is assigned. If the owning partition has interacted with the current VTPM instance, any keys or objects created as fixedTPM (bound to that TPM instance) will be lost, and any other objects are lost unless they have been backed up or duplicated. If data has been stored in TPM non-volatile storage, that data must be offloaded from the VTPM before the instance is deleted; it can then be persisted in the new VTPM instance after it has been created. Encryption keys differ in the new VTPM instance, so data previously encrypted by the old VTPM instance must be decrypted and then re-encrypted with the new VTPM.
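The NV-storage offload and restore step described above, as an added example that is not part of the original post or of PowerVM itself: a POSIX shell script for a Linux partition that assumes tpm2-tools (5.x output format), an empty owner-hierarchy auth and NV indices readable and writable by the owner hierarchy; BACKUP_DIR and the sample tpm2_nvreadpublic text are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: offload a VTPM 2.0 instance's NV
# indices before the device is removed, then re-create them in the replacement
# instance. Assumes a Linux partition with tpm2-tools 5.x, an empty owner
# auth, and ownerread/ownerwrite indices. fixedTPM objects cannot be moved.
BACKUP_DIR="${BACKUP_DIR:-./vtpm-nv-backup}"   # hypothetical backup location

# Constructed sample of tpm2_nvreadpublic output, for offline testing only.
SAMPLE_NVPUBLIC='0x1500016:
  name: 000b1f2e3d4c5b6a
  hash algorithm:
    friendly: sha256
    value: 0xB
  attributes:
    friendly: ownerwrite|ownerread|written
    value: 0x20020002
  size: 32'

# Turn tpm2_nvreadpublic text (stdin) into "index size attributes" lines.
parse_nv_public() {
    awk '/^0x[0-9a-fA-F]+:$/ { idx = substr($1, 1, length($1) - 1); sect = ""; next }
         /^  attributes:/     { sect = "attr"; next }
         /^  [a-z]/           { sect = "" }
         sect == "attr" && $1 == "value:" { attr = $2 }
         /^  size:/           { print idx, $2, attr }'
}

# TPM2_NV_DefineSpace rejects TPMA_NV_WRITTEN (bit 29): clear it before reuse.
define_attrs() { printf '0x%x\n' $(( $1 & 0xDFFFFFFF )); }

# Step 1, on the old VTPM before removal: dump each index and record geometry.
offload_nv() {
    mkdir -p "$BACKUP_DIR" && : > "$BACKUP_DIR/manifest"
    tpm2_nvreadpublic | parse_nv_public | while read -r idx size attr; do
        tpm2_nvread -C o -s "$size" -o "$BACKUP_DIR/$idx.bin" "$idx"
        printf '%s %s %s\n' "$idx" "$size" "$attr" >> "$BACKUP_DIR/manifest"
    done
}

# Step 2, on the new VTPM after creation: define each index again, write back.
restore_nv() {
    while read -r idx size attr; do
        tpm2_nvdefine -C o -s "$size" -a "$(define_attrs "$attr")" "$idx"
        tpm2_nvwrite -C o -i "$BACKUP_DIR/$idx.bin" "$idx"
    done < "$BACKUP_DIR/manifest"
}

case "${VTPM_MIGRATE:-}" in offload) offload_nv ;; restore) restore_nv ;; esac
```

Run it with VTPM_MIGRATE=offload before the old VTPM instance is deleted and with VTPM_MIGRATE=restore once the new instance is assigned. Indices that are counters, extend or bit-field types, or that belong to the platform hierarchy, cannot be written back with tpm2_nvwrite and need separate handling.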

Contacting the PowerVM Team

Have questions for the PowerVM team or want to learn more? Follow our discussion group on LinkedIn (IBM PowerVM) or the IBM Community Discussions.