Hello,
I had to configure an emulated Trusted Platform Module (TPM) [0] for a QEMU/KVM Linux virtual machine (VM) running a Debian UEFI installation.
I was using the virt-manager ("Virtual Machine Manager") [1] with libvirtd running QEMU/VM as host with Debian Trixie (13).
The VM host did not have a hardware TPM to make it available to the guest.
Therefore, I needed to install a TPM software emulator, available in Debian in the swtpm package [2], but other packages must also be installed to make it work [3].
The following packages can be installed to enable a software TPM in the VM host without the TPM device:
Code:
$ sudo apt install swtpm tpm2-tools libtss0 libtss2-dev

Then, you modify the VM guest configuration. You can do it by updating the configuration from the Virtual Machine Manager of your (not running) guest, adding a virtual TPM 2.0 device and checking that the XML configuration looks like this:
Code:
<tpm model="tpm-tis">
  <backend type="emulator" version="2.0"/>
  <alias name="tpm0"/>
</tpm>

You can do the same from the command line:
Code:
$ sudo virsh edit YOUR-VM_DOMAIN_NAME

adding the following XML snippet between the <device></device> tags:
Code:
<tpm model="tpm-tis">
  <backend type="emulator" version="2.0"/>
  <alias name="tpm0"/>
</tpm>

Hope this helps.
--
[0] Trusted Platform Module
[1] Package: virt-manager (1:5.0.0-5+deb13u1)
[2] Package: swtpm (0.7.1-1.5)
[3] How to enable TPM and secure boot on KVM?
Statistics: Posted by Aki — 2026-02-11 07:17
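
An added example, not part of the post above: a small Python check that reads a domain definition (as printed by `virsh dumpxml`), reports which TPM the guest has, and adds the emulated TPM 2.0 device from the post under libvirt's `<devices>` element only when no TPM is defined. The sample XML, the guest name and the function names are constructed for illustration; the `<alias>` element is left out on the assumption that libvirt assigns it itself.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed domain definition in the shape `virsh dumpxml` prints.
SAMPLE_DOMAIN_XML = """\
<domain type="kvm">
  <name>debian-uefi-guest</name>
  <devices>
    <disk type="file" device="disk"/>
  </devices>
</domain>
"""


def tpm_status(domain_xml):
    """Return (backend_type, version, model) of the guest's TPM, or None if absent."""
    root = ET.fromstring(domain_xml)
    tpm = root.find("./devices/tpm")
    if tpm is None:
        return None
    backend = tpm.find("backend")
    if backend is None:
        return (None, None, tpm.get("model"))
    return (backend.get("type"), backend.get("version"), tpm.get("model"))


def ensure_emulated_tpm2(domain_xml):
    """Return domain XML carrying the emulated TPM 2.0 device from the post.

    Idempotent: an existing emulator/2.0 device is returned unchanged. Any other
    TPM configuration raises, so it is never overwritten silently.
    """
    status = tpm_status(domain_xml)
    if status is not None:
        if status[0] == "emulator" and status[1] == "2.0":
            return domain_xml
        raise ValueError("guest already has a different TPM: %r" % (status,))
    root = ET.fromstring(domain_xml)
    devices = root.find("devices")
    if devices is None:
        raise ValueError("domain XML has no <devices> element")
    tpm = ET.SubElement(devices, "tpm", {"model": "tpm-tis"})
    ET.SubElement(tpm, "backend", {"type": "emulator", "version": "2.0"})
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", tpm_status(SAMPLE_DOMAIN_XML))
    print("after: ", tpm_status(ensure_emulated_tpm2(SAMPLE_DOMAIN_XML)))
```

The returned XML can be reviewed and then pasted in with `virsh edit` while the guest is shut off, as described in the post.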