systemd-tpm2-swtpm.service, systemd-tpm2-swtpm — Provide a fallback software TPM
systemd-tpm2-swtpm.service
/usr/lib/systemd/systemd-tpm2-swtpm
The systemd-tpm2-swtpm.service provides fallback software TPM functionality, intended for use in environments where a discrete or firmware TPM ("hardware TPM") is not available. It is pulled into the boot process by systemd-tpm2-generator(8) if a hardware TPM is not available and the system is configured to provide a software TPM in that case.
Note that a software TPM provides only very weak security properties compared to a hardware TPM, and hence should only be used as a fallback mechanism if a hardware TPM is not available but TPM semantics are desired. This service ultimately wraps swtpm(8).
If the boot secret /.extra/boot-secret (in the initrd) or /run/systemd/stub/boot-secret (on the host) is available, the software TPM NVRAM storage is encrypted with this key. See systemd-stub(7) for details.
The TPM NVRAM storage is placed on the EFI System Partition as it needs to be accessible during very early boot-up, in particular before the root file system is decrypted and mounted.
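As an added example (not part of this man page or of systemd itself), the following shell function classifies a system along the lines described above: whether a hardware TPM is present, and, if not, whether a boot secret is available so that the software TPM's NVRAM would be encrypted. The boot-secret paths are the ones named above; the /sys/class/tpm and /dev/tpm* device nodes are the standard Linux TPM interfaces and are an assumption about how a hardware TPM is detected, not a description of what systemd-tpm2-generator actually checks.

```shell
#!/bin/sh
# Added example: report whether this system would depend on the
# systemd-tpm2-swtpm fallback and whether its NVRAM would be encrypted.
# An optional prefix argument lets the function run against a constructed
# directory tree instead of the live system (used for testing).
tpm2_fallback_status() {
    root="${1:-}"
    # Assumption: a discrete or firmware TPM is visible as a tpm class
    # device or as /dev/tpm0 / /dev/tpmrm0 (standard Linux TPM nodes).
    if [ -e "$root/sys/class/tpm/tpm0" ] || [ -e "$root/dev/tpmrm0" ] \
       || [ -e "$root/dev/tpm0" ]; then
        echo "hardware-tpm"
        return 0
    fi
    # No hardware TPM: if the system is configured for it, the generator
    # pulls in systemd-tpm2-swtpm.service. Its NVRAM is encrypted only
    # when one of the boot-secret files from the man page is present
    # (/.extra/boot-secret in the initrd, /run/systemd/stub/boot-secret
    # on the host). Only existence is checked; the secret is never read out.
    if [ -r "$root/.extra/boot-secret" ] \
       || [ -r "$root/run/systemd/stub/boot-secret" ]; then
        echo "swtpm-fallback-encrypted-nvram"
    else
        echo "swtpm-fallback-plaintext-nvram"
    fi
}

# Run against the live system when executed directly.
tpm2_fallback_status
```

A result of "swtpm-fallback-plaintext-nvram" means that, should the fallback be enabled, the TPM state on the EFI System Partition would be stored unencrypted.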