I had an interesting question this morning asking whether it was possible to add a vTPM (Virtual Trusted Platform Module) to a Nested ESXi VM. The user was interested in testing a particular scenario with the new vSphere Trust Authority feature that was introduced in vSphere 7.0. I personally had not done much with vTPM and I had assumed it should just work as long as you have a physical TPM chip in the underlying hardware and you have set up either a Standard or Native Key Provider within your vCenter Server.
The user observed that adding a vTPM to a Windows VM was possible using the vSphere UI, but when attempting to perform the same operation on a Nested ESXi VM, the option to add a vTPM device was not available. After spending ~30 minutes asking around for hardware that had a physical TPM, I remembered that my Quartz Canyon NUC (NUC 9 Pro) is a Xeon based system and has a TPM 2.0 chip. I was able to take a closer look and quickly found that the solution was very straightforward!
As most folks know, Nested ESXi and Nested Virtualization are not officially supported by VMware, so I suspect that the workflow for adding a vTPM simply did not consider Nested ESXi as a valid GuestOS, or the vSphere UI blocks it by default. With that said, you can absolutely add a vTPM to a Nested ESXi VM using the vSphere API and, luckily, you can easily do this using PowerCLI's New-VTpm cmdlet.
Here is the command which retrieves the desired Nested ESXi VM by name and then adds the vTPM device:
Get-VM "Nested_ESXi7.0u3c" | New-VTpm
Once the operation has completed, we can navigate to the vSphere UI and we should now see that a vTPM device has been added to our Nested ESXi VM.
We can also confirm that the Nested ESXi VM can see the vTPM device by running the following ESXCLI command inside the nested ESXi host:
esxcli hardware trustedboot get
Lastly, we can add our Nested ESXi host to a vSphere Cluster and enable the vSphere Trust Authority state, which also requires the use of PowerCLI. Once that is done, we can see that vSphere Trust Authority has been properly configured using a Nested ESXi VM and a vTPM device!
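The steps above as one runnable PowerCLI script, added here as an example rather than code from the original post. It wraps the same New-VTpm call with the checks a practitioner wants before running it: that vCenter has a default key provider (the condition the cmdlet otherwise fails on), that the VM is powered off, uses EFI firmware and is hardware version 14 or later, and it skips the add if a vTPM is already present. It then reads the same "hardware trustedboot" namespace as the ESXCLI command above through Get-EsxCli -V2. The VM name comes from the post; the nested host's inventory name "nested-esxi01.lab.local" is a hypothetical placeholder, and an existing Connect-VIServer session is assumed.

```powershell
# Added example, not from the original post. Assumes an active PowerCLI
# session (Connect-VIServer) against the vCenter that manages the Nested ESXi VM.
param(
    [string]$VMName   = "Nested_ESXi7.0u3c",              # VM name used in the post
    [string]$HostName = "nested-esxi01.lab.local"         # hypothetical: inventory name of the nested host
)

# 1. New-VTpm fails with "Cannot apply encryption policy. You must set the default
#    key provider." when no Standard or Native Key Provider is marked as default.
$si        = Get-View ServiceInstance
$cryptoMgr = Get-View $si.Content.CryptoManager
$default   = $cryptoMgr.KmipServers | Where-Object { $_.UseAsDefault }
if (-not $default) {
    throw "No default key provider is set on this vCenter Server; configure one before adding a vTPM."
}
# ManagementType (vCenter / nativeProvider / trustAuthority) is populated on vSphere 7.0 and later.
Write-Host "Default key provider: $($default.ClusterId.Id) (type: $($default.ManagementType))"

# 2. A vTPM can only be added to a powered-off VM with EFI firmware and hardware version >= 14.
$vm = Get-VM -Name $VMName -ErrorAction Stop
if ($vm.PowerState -ne 'PoweredOff') { throw "$VMName must be powered off to add a vTPM." }
if ($vm.ExtensionData.Config.Firmware -ne 'efi') { throw "$VMName must use EFI firmware." }
$hwVersion = [int]($vm.HardwareVersion -replace 'vmx-', '')
if ($hwVersion -lt 14) { throw "$VMName is hardware version $hwVersion; vTPM needs 14 or later." }

# 3. Add the device only if it is missing, so the script can be re-run safely.
if (Get-VTpm -VM $vm -ErrorAction SilentlyContinue) {
    Write-Host "$VMName already has a vTPM device."
} else {
    $vm | New-VTpm | Out-Null
    Write-Host "vTPM device added to $VMName."
}

# 4. After the nested ESXi has booted and been added to vCenter, confirm the guest
#    sees the TPM (equivalent of 'esxcli hardware trustedboot get' on the host).
$vmhost = Get-VMHost -Name $HostName -ErrorAction SilentlyContinue
if ($vmhost) {
    $esxcli = Get-EsxCli -VMHost $vmhost -V2
    $esxcli.hardware.trustedboot.get.Invoke() | Format-List
} else {
    Write-Host "Host $HostName not found in inventory yet; add it to vCenter and re-run step 4."
}
```

Step 4 is optional on the first pass: the nested host only appears in vCenter once it has been booted with the vTPM attached and added to the inventory, and the trustedboot output should then report the TPM as present.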
That would be a nice feature for a more secure version of the VSAN witness node.
Hi William, to use New-VTpm, my understanding is that the (nested) cluster must already be deployed with a KMS added to VC?
My use case is trying to use New-VTpm on appropriate nested ESXi, however prior to being added to a cluster in VC.
eg:
PS C:\scripts> get-vm "esx01-0baF" | New-VTpm
New-VTpm: 11/23/2022 12:51:12 PM New-VTpm Server task failed: RuntimeFault.summary Cannot apply encryption policy. You must set the default key provider.
PS C:\scripts>
ah, please ignore my above reply
"as long as you have a physical TPM chip in the underlying hardware and you have setup either a Standard or Native Key Provider within your vCenter Server"