Incus: PKI for vTPMs

skye · April 23, 2026, 12:12am

Incus supports adding vTPMs to containers and virtual machines, which I believe is implemented with swtpm. The docs mention two uses: securing certificates (the same way one would use a HSM) and for secure boot validation.

Another use would be for remote attestation – a container or VM could create a certificate on the TPM, then prove to an external party that the certificate was created by that TPM with certain properties. The trust model works by chaining everything up to the Endorsement Key, which is signed by the hardware vendor.

Because the TPM is virtual, there isn’t a hardware vendor cert for the TPM’s Endorsement Key to chain up to. But Incus could be configured with a certificate, and sign the EK of every vTPM it creates with that cert. This would allow an external party to believe that a VM created a key on the TPM, so long as it trusts Incus’s “TPM vendor cert”.

I wanted to know if this is able to be implemented, or if there is a gap in my understanding of the Incus tpm implementation that makes this impossible.

stgraber · April 23, 2026, 10:10am

Should be possible. We could add config keys to the tpm device type to provide the signing certificate and key. Then if you want the same to apply to a bunch of VMs, you could use a profile.

skye · April 23, 2026, 8:37pm

Cool! I’ll make a GitHub issue to keep track

simos · April 24, 2026, 11:07am

github.com/lxc/incus

vTPM EK cert provisioning and PKI

opened 08:57PM - 23 Apr 26 UTC

Skyb0rg007

Documentation Easy API

### Is there an existing issue for this? - [x] There is no existing issue for t…his feature ### What are you currently unable to do When attaching a vTPM to a Container or VM, the vTPM is in a completely empty state with no permanent objects. This means no Endorsement Key, which is usually embedded into a hardware TPM. ``` $ # On my laptop $ tss2_provision Fapi_Provision(0x60035) - fapi:Already provisioned $ tpm2_getekcertificate | openssl x509 -noout -text Certificate: Data: Version: 3 (0x2) Serial Number: aa:...:zz Signature Algorithm: sha256WithRSAEncryption Issuer: C=CH, O=STMicroelectronics NV, CN=STM TPM EK Intermediate CA 06 Validity Not Before: Feb 18 15:17:30 2025 GMT Not After : Dec 31 23:59:59 9999 GMT Subject: Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) ... ``` ``` $ # On a newly provisioned VM or Container $ tss2_provision Fapi_Provision(0x60025) - fapi:No certificate $ tpm2_getekcertificate ERROR: Must specify the EK public key path ``` This means that the Container or VM cannot prove to any external party that a certificate actually lives on the vTPM. ### What do you think would need to be added Incus should support provisioning the vTPM prior to attaching to the Container or VM (swtpm docs [here](https://github.com/stefanberger/swtpm/wiki/Certificates-created-by-swtpm_setup#creating-the-ek)). This would require additional configuration, as Incus would need to have a platform certificate key kept secret that it uses to sign the provisioned endorsement keys, but make the certificate itself available so that external parties could verify the vTPM operations (ex. by having the VM perform a `tpm2_quote` operation). This would likely involve global settings such as `tpm2.platform_cert.crt` and `tpm2.platform_cert.key`, and a per-TPM setting that allowed configuring whether the vTPM is setup with an Endorsement Key. On IncusOS, storing the platform cert on the hardware TPM would give users a great end-to-end attestation story.