[Question] How safe is Virtualbox's TPM implementation?


Post by jjolidon »

Hi everyone,

With version 7 providing a TPM implementation, I am curious to know how safe the virtualized TPM really is:

- Are secrets encrypted at rest?
- Are they accessible to the host?
- Are the secrets encrypted with a key anchored in the host's TPM?

Thanks for your replies,
Jérôme Jolidon

Post by scottgus1 »

jjolidon wrote: 19. Sep 2023, 14:14
> Are the secrets encrypted with a key anchored in the host's TPM?

I may be able to answer this one partially: There is a host or simulated TPM option in https://www.virtualbox.org/manual/ch08. ... e-createvm see:

--tpm-type=none | 1.2 | 2.0 | host | swtpm

Post by jjolidon »

Yep ;-) That's the premise of my question... I am wondering about the safety of the vTPM-encrypted data, though. That the implementation complies with the TCG specification doesn't say much about the safety/integrity of the keys, I think (I may be wrong, I didn't read the whole of the spec).

Post by scottgus1 »

The only closed-source part of VirtualBox is the Extension Pack, and the Extension Pack doesn't handle the TPM, as best as I can see.

So it could be possible to peruse the TPM source code to see how secure it is. Source code is way beyond me, unless it's VBScript, which VirtualBox is not. :lol:

I could imagine that the simulated TPM allows moving the VM to a different host more easily, because the host TPM is not involved. Or for making TPM VMs on hosts that don't have a TPM.

Determining how secure it is may require a source code deep dive.

Post by fth0 »

I cannot answer your questions myself (without a deep dive into the publicly available source code ;)), but I can give a few hints:

The TPM implementation of VirtualBox 7.0 is based on libtpms 0.9.6.

I'll make an educated guess that the TPM types 1.2 and 2.0 are meant to be secure from the POV of the guest, but not from the POV of the host. For example, on the host you can always use VirtualBox's built-in VM debugger.

PS: In general, there is no such thing as security, there's only the absence of known insecurities. ;)

Post by jjolidon »

scottgus1 wrote: 25. Sep 2023, 13:24
> I could imagine that the simulated TPM allows moving the VM to a different host more easily, because the host TPM is not involved. Or for making TPM VMs on hosts that don't have a TPM.

Good insight, I hadn't thought of VM mobility. I guess that pretty much settles that, then: the only way to secure the TPM access would be to use the host's, which now also explains the existence of the option; so far I hadn't found an explanation of why it would be there.

Thanks all for your help!