vTPM notes

source/intro_release_notes/release_notes/known_issues.rst

@@ -13,6 +13,28 @@ Drivers - Virtualization
 
 - `libvirtd restarts in cycles each 10 minutes with error message in system logs <https://github.com/OpenNebula/one/issues/6463>`_, due to the way libvirtd gets activated per interaction by systemd in 120-second slices. As the default interval for the OpenNebula monitor probe is 600 seconds (10 minutes), each time a probe reactivates libvirtd, it sends those messages to syslog.
 
+- Due to `Missing automation for enabling vTPM support <https://github.com/OpenNebula/one/issues/7422>`_ issue one needs to perform several additional steps on hypervisor nodes to make the vTPM work with OpenNebula. Please, find these steps below.
+
+Add the following lines into the ``/etc/libvirt/qemu.conf`` file:
+
+.. prompt:: bash $ auto
+
+   swtpm_user = "oneadmin"
+   swtpm_group = "oneadmin"
+
+and restart libvirtd.service:
+
+.. prompt:: bash $ auto
+
+   systemctl restart libvirtd.service
+
+Change thei ownership of ``/run/libvirt/qemu/swtpm/`` and ``/var/lib/swtpm-localca`` directories:
+
+.. prompt:: bash $ auto
+
+   chown oneadmin:oneadmin -R /run/libvirt/qemu/swtpm/ /var/lib/swtpm-localca
+
+
 Drivers - Network
 ================================================================================
 

source/management_and_operations/guest_os/windows_best_practice.rst

@@ -166,6 +166,10 @@ If you have a physical TPM device on your host, you can pass through the TPM to
 
 If you do not have a physical TPM device on your host you can emulate one.  There are two options for the model, `tpm-tis` is the default and will work with both TPM 1.2 and 2.0  while `tpm-crb` will only work when the TPM version is 2.0.
 
+.. warning:: 
+   | Please, be aware that current implementation of vTPM support in the OpenNebula 6.10 has the following critical limitations:  power off -> on cycle as well as backup operations trigger TPM state loss. It means for example if the VM disk was encrypted with a key protected by the TPM the VM will typically no longer be able to unseal the disk key and thus unable to access the disk data. Although VM migration works since the corresponding vTPM operations are implemented on the libvirt level.
+   | For the best vTPM experiace we recommend to `upgrade <https://docs.opennebula.io/7.0/software/upgrade_process/upgrade_guide/>`__ to 7.0 OpenNebula release. To use vTPM on the OpenNebula 6.10, please, check :ref:`Known Issues <known_issues>` for the details on required steps to make hypervisor nodes working properly with OpenNebula.
+
 .. note:: If using an emulated TPM device, ensure you have installed swtpm and swtpm-tools packages on all hypervisors.
 
 .. code::