Merge pull request #63792 from openshift-cherrypick-robot/cherry-pick-63333-to-enterprise-4.14

[enterprise-4.14] CNV-18302: Persistent storage support for vTPM
2026-02-05 12:46:18 +01:00 · 2023-08-22 09:10:28 -04:00
parent c9e88012e4 7dd1688857
commit 0bda200440
2 changed files with 27 additions and 7 deletions
--- a/modules/virt-about-vtpm-devices.adoc
+++ b/modules/virt-about-vtpm-devices.adoc
@@ -16,6 +16,20 @@ from a Windows 11 image to function without a physical TPM chip.
 If you do not enable vTPM, then the VM does not recognize a TPM device, even if
 the node has one.

-vTPM devices also protect virtual machines by temporarily storing secrets
-without physical hardware. However, using vTPM for persistent secret storage is
-not currently supported. vTPM discards stored secrets after a VM shuts down.
+A vTPM device also protects virtual machines by storing secrets without physical hardware. {VirtProductName} supports persisting vTPM device state by using Persistent Volume Claims (PVCs) for VMs. You must specify the storage class to be used by the PVC by setting the `vmStateStorageClass` attribute in the `HyperConverged` custom resource (CR):
+
+[source,yaml]
+----
+kind: HyperConverged
+metadata:
+  name: kubevirt-hyperconverged
+spec:
+  vmStateStorageClass: <storage_class_name>
+
+# ...
+----
+
+[NOTE]
+====
+The storage class must be of type `Filesystem` and support the `ReadWriteMany` (RWX) access mode.
+====
--- a/modules/virt-adding-vtpm-to-vm.adoc
+++ b/modules/virt-adding-vtpm-to-vm.adoc
@@ -8,7 +8,11 @@

 Adding a virtual Trusted Platform Module (vTPM) device to a virtual machine
 (VM) allows you to run a VM created from a Windows 11 image without a physical
-TPM device. A vTPM device also temporarily stores secrets for that VM.
+TPM device. A vTPM device also stores secrets for that VM.
+
+.Prerequisites
+* You have installed the OpenShift CLI (`oc`).
+* You have configured a Persistent Volume Claim (PVC) to use a storage class of type `Filesystem` that supports the `ReadWriteMany` (RWX) access mode. This is necessary for the vTPM device data to persist across VM reboots. 

 .Procedure

@@ -19,7 +23,7 @@ TPM device. A vTPM device also temporarily stores secrets for that VM.
 $ oc edit vm <vm_name>
 ----

-. Edit the VM `spec` so that it includes the `tpm: {}` line. For example:
+. Edit the VM specification to add the vTPM device. For example:
 +
 [source,yaml]
 ----
@@ -32,10 +36,12 @@ spec:
    spec:
      domain:
        devices:
-          tpm: {} <1>
+          tpm:  <1>
+            persistent: true <2>
 # ...
 ----
-<1> Adds the TPM device to the VM.
+<1> Adds the vTPM device to the VM.
+<2> Specifies that the vTPM device state persists after the VM is shut down. The default value is `false`.

 . To apply your changes, save and exit the editor.