diff --git a/modules/virt-about-vtpm-devices.adoc b/modules/virt-about-vtpm-devices.adoc index 75d880e55a..9f91ebbc90 100644 --- a/modules/virt-about-vtpm-devices.adoc +++ b/modules/virt-about-vtpm-devices.adoc @@ -16,6 +16,20 @@ from a Windows 11 image to function without a physical TPM chip. If you do not enable vTPM, then the VM does not recognize a TPM device, even if the node has one. -vTPM devices also protect virtual machines by temporarily storing secrets -without physical hardware. However, using vTPM for persistent secret storage is -not currently supported. vTPM discards stored secrets after a VM shuts down. +A vTPM device also protects virtual machines by storing secrets without physical hardware. {VirtProductName} supports persisting vTPM device state by using Persistent Volume Claims (PVCs) for VMs. You must specify the storage class to be used by the PVC by setting the `vmStateStorageClass` attribute in the `HyperConverged` custom resource (CR): + +[source,yaml] +---- +kind: HyperConverged +metadata: + name: kubevirt-hyperconverged +spec: + vmStateStorageClass: + +# ... +---- + +[NOTE] +==== +The storage class must be of type `Filesystem` and support the `ReadWriteMany` (RWX) access mode. +==== diff --git a/modules/virt-adding-vtpm-to-vm.adoc b/modules/virt-adding-vtpm-to-vm.adoc index 4610cf9ce0..e2ab0879a1 100644 --- a/modules/virt-adding-vtpm-to-vm.adoc +++ b/modules/virt-adding-vtpm-to-vm.adoc 
@@ -8,7 +8,11 @@ Adding a virtual Trusted Platform Module (vTPM) device to a virtual machine (VM) allows you to run a VM created from a Windows 11 image without a physical -TPM device. A vTPM device also temporarily stores secrets for that VM. +TPM device. A vTPM device also stores secrets for that VM. + +.Prerequisites +* You have installed the OpenShift CLI (`oc`). +* You have configured a Persistent Volume Claim (PVC) to use a storage class of type `Filesystem` that supports the `ReadWriteMany` (RWX) access mode. This is necessary for the vTPM device data to persist across VM reboots. .Procedure @@ -19,7 +23,7 @@ TPM device. A vTPM device also temporarily stores secrets for that VM. $ oc edit vm ---- -. Edit the VM `spec` so that it includes the `tpm: {}` line. For example: +. Edit the VM specification to add the vTPM device. For example: + [source,yaml] ---- @@ -32,10 +36,12 @@ spec: spec: domain: devices: - tpm: {} <1> + tpm: <1> + persistent: true <2> # ... ---- -<1> Adds the TPM device to the VM. +<1> Adds the vTPM device to the VM. +<2> Specifies that the vTPM device state persists after the VM is shut down. The default value is `false`. . To apply your changes, save and exit the editor.
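Review bot: In the `virt-about-vtpm-devices.adoc` hunk, the YAML example leaves `vmStateStorageClass:` with no value, so readers cannot tell whether a storage class name goes there or the key is intentionally empty; give it a placeholder and a callout, for example `vmStateStorageClass: <storage_class_name> <1>` with `<1> The name of a storage class of type Filesystem that supports RWX.`, which also ties the snippet to the NOTE that follows it. The sentence "supports persisting vTPM device state by using Persistent Volume Claims (PVCs) for VMs" would read more clearly as "supports persisting vTPM device state for VMs by using Persistent Volume Claims (PVCs)".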
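Review bot: The new prerequisite in `virt-adding-vtpm-to-vm.adoc` ("You have configured a Persistent Volume Claim (PVC) to use a storage class ...") does not match the about-module in the same patch, which says the user sets `vmStateStorageClass` in the `HyperConverged` CR and the PVC is created from that; as written, a reader may try to create a PVC by hand. Suggest rewording it to "You have set the `vmStateStorageClass` attribute in the `HyperConverged` CR to a storage class of type `Filesystem` that supports the `ReadWriteMany` (RWX) access mode" and linking to that module. Also, the prerequisite says state persists "across VM reboots" while the callout in the later hunk says it persists "after the VM is shut down"; pick one wording so the two hunks describe the same guarantee.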
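Review bot: In the `tpm:` / `persistent: true` hunk, callout `<2>` states the default is `false` but does not say what happens when `persistent: true` is set without the storage class prerequisite being met; since this patch makes the storage class a hard requirement for persistence, add a sentence to the callout such as "Requires `vmStateStorageClass` to be set in the `HyperConverged` CR; see Prerequisites." so the dependency is visible at the step where the attribute is set rather than only at the top of the module. Consider also keeping a note that the earlier `tpm: {}` form is still valid for a non-persistent vTPM, since the old line was removed from the example and existing users may have it in their specs.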