A trusted platform module (TPM) is a microcontroller designed to assure the integrity (i.e., the expected behavior) of a device by holding, on behalf of the device, cryptographic keys and unforgeable measurements of the device’s hardware and software. Each component is measured (hashed) before it is allowed to run and the measurement is recorded in the TPM, so that the cryptographic keys may be used to establish a “chain of trust” under which each component of hardware and software of the device may be validated (a.k.a. certified). The process of validating the integrity of the device, or of any component thereof, is referred to as “attestation.”
TPMs typically are configured to operate in accordance with the TPM technical specification written by a computer industry consortium called the Trusted Computing Group (TCG). A TPM often is implemented as a semiconductor chip having a randomly created, static endorsement key that is associated with the chip for the chip’s lifetime. The endorsement key has a public portion (a.k.a. public key) and a private portion (a.k.a. private key). The private portion never leaves the chip, whereas the public portion is made available for attestation and other purposes. The chip manufacturer typically issues an endorsement key certificate that binds the public portion to a genuine TPM; it is this certificate that gives a remote party a basis for trusting that an attestation originated from real hardware.
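The measurement chain and the attestation exchange described above, as an added example in Go that is not part of the original text. It is a simulation: a real TPM performs the extend and the signing inside the chip, and under TPM 2.0 quotes are signed by an attestation key whose link to the endorsement key is established through the certificate chain rather than by the endorsement key directly. The ECDSA P-256 key, the stage contents and the nonce are assumptions chosen for the illustration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// PCR models a platform configuration register: a SHA-256 digest that starts
// at all zeros and can only be changed through Extend. Software can never
// write a PCR directly, which is what makes the recorded measurements unforgeable.
type PCR [sha256.Size]byte

// Extend folds one component's measurement into the register:
// new = SHA256(old || SHA256(component)). The result depends on every
// component extended so far and on the order in which they were extended.
func (p PCR) Extend(component []byte) PCR {
	measurement := sha256.Sum256(component)
	h := sha256.New()
	h.Write(p[:])
	h.Write(measurement[:])
	var out PCR
	copy(out[:], h.Sum(nil))
	return out
}

// MeasuredBoot models the chain of trust: each stage (firmware, boot loader,
// kernel, ...) is measured into the PCR before it is allowed to run.
func MeasuredBoot(stages [][]byte) PCR {
	var pcr PCR // all-zero reset value at power-on
	for _, stage := range stages {
		pcr = pcr.Extend(stage)
	}
	return pcr
}

// Quote is the attestation evidence: the PCR value and a verifier-chosen
// nonce, signed by a private key that never leaves the (simulated) chip.
type Quote struct {
	PCR   PCR
	Nonce []byte
	Sig   []byte // ASN.1 ECDSA signature over SHA256(PCR || Nonce)
}

func quoteDigest(pcr PCR, nonce []byte) []byte {
	h := sha256.New()
	h.Write(pcr[:])
	h.Write(nonce)
	return h.Sum(nil)
}

// GenerateAttestationKey stands in for the chip-resident key pair
// (assumption: an ECDSA P-256 key created once, at manufacture time).
func GenerateAttestationKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Attest is the TPM side: sign the current PCR together with the nonce.
func Attest(priv *ecdsa.PrivateKey, pcr PCR, nonce []byte) (Quote, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, priv, quoteDigest(pcr, nonce))
	if err != nil {
		return Quote{}, err
	}
	return Quote{PCR: pcr, Nonce: nonce, Sig: sig}, nil
}

// VerifyQuote is the relying-party side. It needs only the public portion of
// the key (whose genuineness must be vouched for out of band, e.g. by an
// endorsement key certificate), the nonce it chose, and the "golden" PCR
// value recorded from a known-good boot.
func VerifyQuote(pub *ecdsa.PublicKey, q Quote, nonce []byte, golden PCR) error {
	if !bytes.Equal(q.Nonce, nonce) {
		return errors.New("nonce mismatch: quote is stale or replayed")
	}
	if !ecdsa.VerifyASN1(pub, quoteDigest(q.PCR, q.Nonce), q.Sig) {
		return errors.New("bad signature: quote was not produced by the trusted key")
	}
	if q.PCR != golden {
		return errors.New("PCR mismatch: a measured component differs from the expected one")
	}
	return nil
}

func main() {
	// Constructed sample boot stages; a real TPM measures the actual images.
	good := [][]byte{[]byte("firmware v1"), []byte("bootloader v1"), []byte("kernel v1")}
	bad := [][]byte{[]byte("firmware v1"), []byte("bootloader v1"), []byte("kernel v1 (backdoored)")}
	golden := MeasuredBoot(good) // reference value recorded from a known-good boot
	priv, err := GenerateAttestationKey()
	if err != nil {
		panic(err)
	}
	nonce := []byte("verifier-nonce-0001") // in practice fresh and random per request
	q, _ := Attest(priv, MeasuredBoot(good), nonce)
	fmt.Println("honest boot:  ", VerifyQuote(&priv.PublicKey, q, nonce, golden))
	q, _ = Attest(priv, MeasuredBoot(bad), nonce) // signs fine, but the PCR differs
	fmt.Println("tampered boot:", VerifyQuote(&priv.PublicKey, q, nonce, golden))
}
```

Two points the prose alone does not show: the extend operation is one-way and order-sensitive, so a substituted or reordered component yields a different PCR value even though the chip still produces a perfectly valid signature over it; and the verifier's conclusion rests entirely on knowing that the public key belongs to a genuine TPM, which is the job of the endorsement key certificate rather than of the signature itself.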
A virtual trusted platform module (vTPM) is a software emulation of a TPM. The vTPM may be provided by a hypervisor, for example. A chain of trust typically cannot be established with regard to a vTPM because the vTPM is not rooted in the hardware or firmware of the host on which the vTPM runs: its keys and measurements exist only in software state that the host is able to read or rewrite. Unlike with a hardware TPM, no entity vouches for the integrity of the vTPM in a conventional system. Accordingly, a vTPM typically does not come with an endorsement key certificate, and a remote party has no basis for trusting that the public portion of the vTPM’s endorsement key belongs to a genuine TPM.