TPM with Windows Virtualization

Overview

NAPERVILLE, IL – April 20, 2022. In this article we describe the implementation of a Linux-based Docker container that invokes the TPM [1] on a Windows host machine.

Objectives

IdeaNova server software is delivered as Linux containers, also known as Docker containers. These containers can run not only on Linux hosts but also on Windows and macOS hosts by using virtualization technology such as Docker Desktop. This technology makes running containers seamless on these platforms, but unfortunately it does not support all available native hardware devices. In our case, our software uses TPM technology to achieve a higher level of security. Unfortunately, the TPM hardware is not accessible from Linux containers when using technology such as Docker Desktop.

In this document, we provide an alternative approach to running the containers so that our Linux container-based application can access the TPM hardware. Otherwise our software could not leverage the TPM and would have to fall back to a lower level of security for storing sensitive information such as private keys for encryption.

Project Description

Our team decided to use Hyper-V to validate whether a Docker service and Linux container could run and access the Windows machine's TPM.

Hyper-V version 8.0 was installed on the Windows 10 operating system and subsequently a brand new version of the Docker service was installed on the Hyper-V Linux OS. IdeaNova containers were installed inside this virtual machine as seen in the picture below.

This configuration was used earlier as it represents our standard configuration that has been proven to have access to TPM on Linux.

By using the GUI utility “Hyper-V Manager” or the PowerShell command, it is easy to configure Windows Hyper-V to enable TPM on a virtual machine.
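The PowerShell route for the step above, as an added example that is not IdeaNova's own script: it uses the standard Hyper-V module cmdlets and checks the preconditions before touching the VM. The VM name 'docker-linux' and the function name Enable-GuestVTpm are placeholders chosen for illustration.

```powershell
# Added example: enable a virtual TPM on the Hyper-V VM that hosts the Docker service.
# Run in an elevated PowerShell session on the Windows host.
#Requires -RunAsAdministrator
#Requires -Modules Hyper-V

function Enable-GuestVTpm {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$VMName   # placeholder name supplied by the caller
    )

    $vm = Get-VM -Name $VMName -ErrorAction Stop

    # A virtual TPM is only offered on Generation 2 (UEFI) virtual machines.
    if ($vm.Generation -ne 2) {
        throw "VM '$VMName' is Generation $($vm.Generation); a vTPM requires Generation 2."
    }

    # Already enabled: leave the existing key protector alone. Replacing it
    # would cut the guest off from keys already sealed in its vTPM.
    if ((Get-VMSecurity -VMName $VMName).TpmEnabled) {
        Write-Verbose "vTPM is already enabled on '$VMName'."
        return Get-VMSecurity -VMName $VMName
    }

    # The security settings cannot be changed while the VM is running.
    if ($vm.State -ne 'Off') {
        throw "VM '$VMName' is $($vm.State); shut it down before enabling the vTPM."
    }

    if ($PSCmdlet.ShouldProcess($VMName, 'Create local key protector and enable vTPM')) {
        # The local key protector encrypts the vTPM state and is bound to this host.
        Set-VMKeyProtector -VMName $VMName -NewLocalKeyProtector
        Enable-VMTPM -VMName $VMName
    }

    Get-VMSecurity -VMName $VMName
}

# Constructed usage: report the resulting security settings for the placeholder VM.
Enable-GuestVTpm -VMName 'docker-linux' -Verbose |
    Select-Object TpmEnabled, Shielded
```

Running the function with -WhatIf shows the change without applying it. Because the key protector is local to the host, a VM copied to another machine cannot open its vTPM state unless the protector is moved with it.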

This configuration worked pretty much out of the box, allowing the team to continue using the production-proven TPM technology to store and process sensitive encryption data. The (less sensitive) data results were made available through a mounted drive and thus made accessible outside of the Hyper-V terminal.

Results

The result was a functional configuration that satisfied the above objectives. The startup type of the Hyper-V terminal is almost the same as that of the native Docker container run on Linux.

The advantage is that users who are more familiar with Windows OS can readily use systems built for Linux, without any additional ramp up time to get trained on a new platform.

Users of this system must be aware of OS updates (especially major software releases) and re-configure Hyper-V after such an update.

About IdeaNova Technologies, Inc.

IdeaNova Technologies, Inc. is a software company with more than a decade of experience in IT security and secure video streaming. They pioneered the distribution and integration of secure streaming technologies in aviation, media, and entertainment industries. If you’d like to learn more about Inconcert, Intouch, Inplay or the growing suite of products, please contact IdeaNova Technologies at 630-470-9477 or email info@ideanovatech.com.


  1. Trusted Platform Module (TPM, also known as ISO/IEC 11889) is an international standard for a secure cryptoprocessor, a dedicated microcontroller designed to secure hardware through integrated cryptographic keys. The term can also refer to a chip conforming to the standard. TPM is used for digital rights management (DRM), Windows Defender, Windows Domain logon, protection and enforcement of software licenses, and prevention of cheating in online games.