Changeset 91213 in vbox

Timestamp:

Sep 10, 2021 5:58:08 PM (3 years ago)

Author:

vboxsync

Message:

Main,FE/VBoxManage: Add the necessary Main API bits to control the trusted platform module settings as well as implementing support in VBoxManage, bugref:10075

Location:

trunk

Files:

• doc/manual/en_US/man_VBoxManage-modifyvm.xml (modified) (2 diffs)
• include/VBox/log.h (modified) (2 diffs)
• include/VBox/settings.h (modified) (2 diffs)
• src/VBox/Frontends/VBoxManage/Makefile.kmk (modified) (1 diff)
• src/VBox/Frontends/VBoxManage/VBoxManageModifyVM.cpp (modified) (3 diffs)
• src/VBox/Main/Makefile.kmk (modified) (3 diffs)
• src/VBox/Main/idl/VirtualBox.xidl (modified) (3 diffs)
• src/VBox/Main/include/MachineImpl.h (modified) (4 diffs)
• src/VBox/Main/include/TrustedPlatformModuleImpl.h (added)
• src/VBox/Main/src-client/ConsoleImpl2.cpp (modified) (2 diffs)
• src/VBox/Main/src-server/MachineImpl.cpp (modified) (9 diffs)
• src/VBox/Main/src-server/SnapshotImpl.cpp (modified) (2 diffs)
• src/VBox/Main/src-server/TrustedPlatformModuleImpl.cpp (added)
• src/VBox/Main/xml/Settings.cpp (modified) (5 diffs)

trunk/doc/manual/en_US/man_VBoxManage-modifyvm.xml

@@ -184 +184 @@
         <arg choice="plain">intel</arg>
       </group></arg>
+    <arg>--tpm-type=<group choice="plain">
+        <arg choice="plain">none</arg>
+        <arg choice="plain">1.2</arg>
+        <arg choice="plain">2.0</arg>
+        <arg choice="plain">host</arg>
+        <arg choice="plain">swtpm</arg>
+      </group></arg>
+      <arg>--tpm-location=<group choice="plain">
+          <arg choice="plain"><replaceable>location</replaceable></arg>
+        </group></arg>
       <arg>--bioslogofadein=<group choice="plain">
           <arg choice="plain">on</arg>
@@ -1082 +1092 @@
         </varlistentry>
         <varlistentry>
+          <term><option>--tpm-type=none | 1.2 | 2.0 | host | swtpm</option></term>
+          <listitem><para>
+              Specifies the TPM type for &product-name; to emulate.
+            </para><para>
+              Valid values are as follows:
+            </para><itemizedlist>
+              <listitem><para>
+                  <literal>none</literal> &ndash; No TPM is present
+                  and is the default value.
+                </para></listitem>
+              <listitem><para>
+                  <literal>1.2</literal> &ndash; A TPM conforming to the TCG specification
+                  version 1.2 is present.
+                </para></listitem>
+              <listitem><para>
+                  <literal>2.0</literal> &ndash; A TPM conforming to the TCG specification
+                  version 2.0 is present.
+                </para></listitem>
+              <listitem><para>
+                  <literal>host</literal> &ndash; The host TPM is passed through to the guest.
+                  May not be available on all supported host platforms.
+                </para></listitem>
+              <listitem><para>
+                  <literal>swtpm</literal> &ndash; The VM connects to an external TPM emulation
+                  compliant to swtpm. Requires to set the TPM location to connect to (see
+                  <option>--tpm-location</option> option).
+                </para></listitem>
+            </itemizedlist></listitem>
+        </varlistentry>
+        <varlistentry>
           <term><option>--bioslogofadein=on | off</option></term>
           <listitem><para>

trunk/include/VBox/log.h

@@ -585 +585 @@
     /** Main group, IToken. */
     LOG_GROUP_MAIN_TOKEN,
+    /** Main group, ITrustedPlatformModule. */
+    LOG_GROUP_MAIN_TRUSTEDPLATFORMMODULE,
     /** Main group, IUnattended. */
     LOG_GROUP_MAIN_UNATTENDED,
@@ -1059 +1061 @@
     "MAIN_THREAD_TASK", \
     "MAIN_TOKEN", \
+    "MAIN_TRUSTEDPLATFORMMODULE", \
     "MAIN_UNATTENDED", \
     "MAIN_USBCONTROLLER", \

trunk/include/VBox/settings.h

@@ -544 +544 @@
     com::Utf8Str    strLogoImagePath;
     com::Utf8Str    strNVRAMPath;
+};
+
+/**
+ * NOTE: If you add any fields in here, you must update a) the constructor and b)
+ * the operator== which is used by MachineConfigFile::operator==(), or otherwise
+ * your settings might never get saved.
+ */
+struct TpmSettings
+{
+    TpmSettings();
+
+    bool areDefaultSettings() const;
+
+    bool operator==(const TpmSettings &d) const;
+
+    TpmType_T       tpmType;
+    com::Utf8Str    strLocation;
 };
 
@@ -1157 +1174 @@
     GraphicsAdapter     graphicsAdapter;
     USB                 usbSettings;
+    TpmSettings         tpmSettings;            // requires settings version 1.19 (VirtualBox 6.2)
     NetworkAdaptersList llNetworkAdapters;
     SerialPortsList     llSerialPorts;

trunk/src/VBox/Frontends/VBoxManage/Makefile.kmk

@@ -52 +52 @@
         $(if $(VBOX_WITH_IOMMU_INTEL),VBOX_WITH_IOMMU_INTEL) \
         $(if $(VBOX_WITH_VMSVGA),VBOX_WITH_VMSVGA) \
-        $(if $(VBOX_WITH_MAIN_NLS),VBOX_WITH_MAIN_NLS)
+        $(if $(VBOX_WITH_MAIN_NLS),VBOX_WITH_MAIN_NLS) \
+        $(if $(VBOX_WITH_TPM),VBOX_WITH_TPM)
 
 

trunk/src/VBox/Frontends/VBoxManage/VBoxManageModifyVM.cpp

@@ -239 +239 @@
     MODIFYVM_IOMMU,
 #endif
+#if defined(VBOX_WITH_TPM)
+    MODIFYVM_TPM_LOCATION,
+    MODIFYVM_TPM_TYPE,
+#endif
     MODIFYVM_DEFAULTFRONTEND,
     MODIFYVM_VMPROC_PRIORITY
@@ -415 +419 @@
     { "--iommu",                    MODIFYVM_IOMMU,                     RTGETOPT_REQ_STRING },
 #endif
+#if defined(VBOX_WITH_TPM)
+    { "--tpm-type",                 MODIFYVM_TPM_TYPE,                  RTGETOPT_REQ_STRING },
+    { "--tpm-location",             MODIFYVM_TPM_LOCATION,              RTGETOPT_REQ_STRING },
+#endif
 #ifdef VBOX_WITH_RECORDING
     { "--recording",                MODIFYVM_RECORDING,                 RTGETOPT_REQ_BOOL_ONOFF },
@@ -3056 +3064 @@
             }
 #endif
+#if defined(VBOX_WITH_TPM)
+            case MODIFYVM_TPM_TYPE:
+            {
+                ComPtr<ITrustedPlatformModule> tpm;
+                sessionMachine->COMGETTER(TrustedPlatformModule)(tpm.asOutParam());
+
+                if (   !RTStrICmp(ValueUnion.psz, "none")
+                    || !RTStrICmp(ValueUnion.psz, "disabled"))
+                    CHECK_ERROR(tpm, COMSETTER(Type)(TpmType_None));
+                else if (!RTStrICmp(ValueUnion.psz, "1.2"))
+                    CHECK_ERROR(tpm, COMSETTER(Type)(TpmType_v1_2));
+                else if (!RTStrICmp(ValueUnion.psz, "2.0"))
+                    CHECK_ERROR(tpm, COMSETTER(Type)(TpmType_v2_0));
+                else if (!RTStrICmp(ValueUnion.psz, "host"))
+                    CHECK_ERROR(tpm, COMSETTER(Type)(TpmType_Host));
+                else if (!RTStrICmp(ValueUnion.psz, "swtpm"))
+                    CHECK_ERROR(tpm, COMSETTER(Type)(TpmType_Swtpm));
+                else
+                {
+                    errorArgument("Invalid --tpm-type argument '%s'", ValueUnion.psz);
+                    rc = E_FAIL;
+                }
+                break;
+            }
+
+            case MODIFYVM_TPM_LOCATION:
+            {
+                ComPtr<ITrustedPlatformModule> tpm;
+                sessionMachine->COMGETTER(TrustedPlatformModule)(tpm.asOutParam());
+
+                CHECK_ERROR(tpm, COMSETTER(Location)(Bstr(ValueUnion.psz).raw()));
+                break;
+            }
+#endif
 #ifdef VBOX_WITH_RECORDING
             case MODIFYVM_RECORDING:

trunk/src/VBox/Main/Makefile.kmk

@@ -488 +488 @@
         $(if $(VBOX_WITH_IOMMU_AMD),VBOX_WITH_IOMMU_AMD,) \
         $(if $(VBOX_WITH_IOMMU_INTEL),VBOX_WITH_IOMMU_INTEL,) \
+        $(if $(VBOX_WITH_TPM),VBOX_WITH_TPM,) \
         $(if-expr defined(VBOX_WITH_SDS),VBOX_WITH_SDS,)
 ifdef VBOX_WITH_USB
@@ -612 +613 @@
         src-server/SystemPropertiesImpl.cpp \
         src-server/TokenImpl.cpp \
+        src-server/TrustedPlatformModuleImpl.cpp \
         $(if $(VBOX_WITH_UNATTENDED), \
         src-server/UnattendedImpl.cpp \
@@ -903 +905 @@
         $(if $(VBOX_WITH_LIBCURL), VBOX_WITH_PROXY_INFO) \
         $(if $(VBOX_WITH_IOMMU_AMD),VBOX_WITH_IOMMU_AMD,) \
-        $(if $(VBOX_WITH_IOMMU_INTEL),VBOX_WITH_IOMMU_INTEL,)
+        $(if $(VBOX_WITH_IOMMU_INTEL),VBOX_WITH_IOMMU_INTEL,) \
+        $(if $(VBOX_WITH_TPM),VBOX_WITH_TPM,)
 ifdef VBOX_WITH_NETSHAPER
  VBoxC_DEFS += VBOX_WITH_NETSHAPER

trunk/src/VBox/Main/idl/VirtualBox.xidl

@@ -5423 +5423 @@
 
   <enum
+    name="TpmType"
+    uuid="c669b9f7-a547-42b6-8464-636aa53401eb"
+    >
+    <desc>
+      TPM type enumeration.
+    </desc>
+
+    <const name="None"                   value="0">
+      <desc>No TPM present in the virtual machine.</desc>
+    </const>
+    <const name="v1_2"                   value="1">
+      <desc>A TPM compliant to the 1.2 TCG specification is emulated.</desc>
+    </const>
+    <const name="v2_0"                   value="2">
+      <desc>A TPM compliant to the 2.0 TCG specification is emulated.</desc>
+    </const>
+    <const name="Host"                   value="3">
+      <desc>The host TPM is passed through, might not be available on all host platforms.</desc>
+    </const>
+    <const name="Swtpm"                  value="4">
+      <desc>The VM will attach to an external software TPM emulation compliant to swtpm.</desc>
+    </const>
+  </enum>
+
+  <interface
+    name="ITrustedPlatformModule" extends="$unknown"
+    uuid="cf11d345-0241-4ea9-ac4c-c69ed3d674e3"
+    wsmap="managed"
+    reservedMethods="2" reservedAttributes="8"
+    >
+    <desc>
+        The ITrustedPlatformModule interface represents the settings of the virtual
+        machine's trusted platform module. This is used only in the <link to="IMachine::TrustedPlatformModule"/> attribute.
+    </desc>
+
+    <attribute name="type" type="TpmType">
+      <desc>
+        Type of TPM configured for the virtual machine.
+      </desc>
+    </attribute>
+
+    <attribute name="location" type="wstring">
+      <desc>
+        Location of the TPM. This is only used for the TpmType_Swtpm type of TPM
+        where the location denotes a <b>hostname:port</b> where to connect to.
+      </desc>
+    </attribute>
+
+  </interface>
+
+  <enum
     name="RecordingDestination"
     uuid="11E3F06B-DEC1-48B9-BDC4-1E618D72893C"
@@ -6016 +6067 @@
   <interface
     name="IMachine" extends="$unknown"
-    uuid="621a4d3f-97a5-4f64-89eb-e0a9b2b79e23"
+    uuid="9764b032-9f0f-4b3f-a6a3-e1630c8384bd"
     wsmap="managed"
     wrap-hint-server-addinterfaces="IInternalMachineControl"
@@ -6273 +6324 @@
     <attribute name="BIOSSettings" type="IBIOSSettings" readonly="yes">
       <desc>Object containing all BIOS settings.</desc>
+    </attribute>
+
+    <attribute name="TrustedPlatformModule" type="ITrustedPlatformModule" readonly="yes">
+      <desc>Object containing all TPM settings.</desc>
     </attribute>
 

trunk/src/VBox/Main/include/MachineImpl.h

@@ -41 +41 @@
 #include "BandwidthControlImpl.h"
 #include "BandwidthGroupImpl.h"
+#include "TrustedPlatformModuleImpl.h"
 #ifdef VBOX_WITH_RESOURCE_USAGE_API
 # include "Performance.h"
@@ -472 +473 @@
     enum
     {
-        IsModified_MachineData          = 0x0001,
-        IsModified_Storage              = 0x0002,
-        IsModified_NetworkAdapters      = 0x0008,
-        IsModified_SerialPorts          = 0x0010,
-        IsModified_ParallelPorts        = 0x0020,
-        IsModified_VRDEServer           = 0x0040,
-        IsModified_AudioAdapter         = 0x0080,
-        IsModified_USB                  = 0x0100,
-        IsModified_BIOS                 = 0x0200,
-        IsModified_SharedFolders        = 0x0400,
-        IsModified_Snapshots            = 0x0800,
-        IsModified_BandwidthControl     = 0x1000,
-        IsModified_Recording            = 0x2000,
-        IsModified_GraphicsAdapter      = 0x4000,
+        IsModified_MachineData           = 0x0001,
+        IsModified_Storage               = 0x0002,
+        IsModified_NetworkAdapters       = 0x0008,
+        IsModified_SerialPorts           = 0x0010,
+        IsModified_ParallelPorts         = 0x0020,
+        IsModified_VRDEServer            = 0x0040,
+        IsModified_AudioAdapter          = 0x0080,
+        IsModified_USB                   = 0x0100,
+        IsModified_BIOS                  = 0x0200,
+        IsModified_SharedFolders         = 0x0400,
+        IsModified_Snapshots             = 0x0800,
+        IsModified_BandwidthControl      = 0x1000,
+        IsModified_Recording             = 0x2000,
+        IsModified_GraphicsAdapter       = 0x4000,
+        IsModified_TrustedPlatformModule = 0x8000,
     };
 
@@ -794 +796 @@
     const ComObjPtr<GraphicsAdapter>   mGraphicsAdapter;
     const ComObjPtr<BandwidthControl>  mBandwidthControl;
+
+    const ComObjPtr<TrustedPlatformModule> mTrustedPlatformModule;
 
     typedef std::vector<ComObjPtr<NetworkAdapter> > NetworkAdapterVector;
@@ -886 +890 @@
     HRESULT getGraphicsAdapter(ComPtr<IGraphicsAdapter> &aGraphicsAdapter);
     HRESULT getBIOSSettings(ComPtr<IBIOSSettings> &aBIOSSettings);
+    HRESULT getTrustedPlatformModule(ComPtr<ITrustedPlatformModule> &aTrustedPlatformModule);
     HRESULT getRecordingSettings(ComPtr<IRecordingSettings> &aRecordingSettings);
     HRESULT getFirmwareType(FirmwareType_T *aFirmwareType);

trunk/src/VBox/Main/src-client/ConsoleImpl2.cpp

@@ -3395 +3395 @@
 #endif /* VBOX_WITH_DRAG_AND_DROP */
 
+#if defined(VBOX_WITH_TPM)
+        /*
+         * Configure the Trusted Platform Module.
+         */
+        ComObjPtr<ITrustedPlatformModule> ptrTpm;
+        TpmType_T enmTpmType = TpmType_None;
+
+        hrc = pMachine->COMGETTER(TrustedPlatformModule)(ptrTpm.asOutParam());              H();
+        hrc = ptrTpm->COMGETTER(Type)(&enmTpmType);                                         H();
+        if (enmTpmType != TpmType_None)
+        {
+            InsertConfigNode(pDevices, "tpm", &pDev);
+            InsertConfigNode(pDev,     "0", &pInst);
+            InsertConfigInteger(pInst, "Trusted", 1); /* boolean */
+            InsertConfigNode(pInst,    "Config", &pCfg);
+            InsertConfigNode(pInst,    "LUN#0", &pLunL0);
+
+            switch (enmTpmType)
+            {
+                case TpmType_v1_2:
+                case TpmType_v2_0:
+                {
+                    InsertConfigString(pLunL0, "Driver",               "TpmEmuTpms");
+                    InsertConfigNode(pLunL0,   "Config", &pCfg);
+                    InsertConfigInteger(pCfg, "TpmVersion", enmTpmType == TpmType_v1_2 ? 1 : 2);
+                    break;
+                }
+                case TpmType_Host:
+                {
+#if defined(RT_OS_LINUX) || defined(RT_OS_WINDOWS)
+                    InsertConfigString(pLunL0, "Driver",               "TpmHost");
+                    InsertConfigNode(pLunL0,   "Config", &pCfg);
+#endif
+                    break;
+                }
+                case TpmType_Swtpm:
+                {
+                    Bstr location;
+                    hrc = ptrTpm->COMGETTER(Location)(location.asOutParam());               H();
+
+                    InsertConfigString(pLunL0, "Driver",               "TpmEmu");
+                    InsertConfigNode(pLunL0,   "Config", &pCfg);
+                    InsertConfigString(pCfg,   "Location", location);
+                    break;
+                }
+                default:
+                    AssertFailedBreak();
+            }
+        }
+#endif
+
         /*
          * ACPI
@@ -3528 +3579 @@
             InsertConfigInteger(pCfg,  "Parallel1IoPortBase", auParallelIoPortBase[1]);
             InsertConfigInteger(pCfg,  "Parallel1Irq", auParallelIrq[1]);
+
+#if defined(VBOX_WITH_TPM)
+            switch (enmTpmType)
+            {
+                case TpmType_v1_2:
+                    InsertConfigString(pCfg, "TpmMode", "tis1.2");
+                    break;
+                case TpmType_v2_0:
+                    InsertConfigString(pCfg, "TpmMode", "fifo2.0");
+                    break;
+                /** @todo Host and swtpm. */
+                default:
+                    break;
+            }
+#endif
 
             InsertConfigNode(pInst,    "LUN#0", &pLunL0);

trunk/src/VBox/Main/src-server/MachineImpl.cpp

@@ -1848 +1848 @@
 }
 
+HRESULT Machine::getTrustedPlatformModule(ComPtr<ITrustedPlatformModule> &aTrustedPlatformModule)
+{
+    /* mTrustedPlatformModule is constant during life time, no need to lock */
+    aTrustedPlatformModule = mTrustedPlatformModule;
+
+    return S_OK;
+}
+
 HRESULT Machine::getRecordingSettings(ComPtr<IRecordingSettings> &aRecordingSettings)
 {
@@ -8163 +8171 @@
     mBIOSSettings->init(this);
 
+    /* create associated trusted platform module object */
+    unconst(mTrustedPlatformModule).createObject();
+    mTrustedPlatformModule->init(this);
+
     /* create associated record settings object */
     unconst(mRecordingSettings).createObject();
@@ -8292 +8304 @@
         mBIOSSettings->uninit();
         unconst(mBIOSSettings).setNull();
+    }
+
+    if (mTrustedPlatformModule)
+    {
+        mTrustedPlatformModule->uninit();
+        unconst(mTrustedPlatformModule).setNull();
     }
 
@@ -8817 +8835 @@
         /* BIOS */
         rc = mBIOSSettings->i_loadSettings(data.biosSettings);
+        if (FAILED(rc)) return rc;
+
+        /* Trusted Platform Module */
+        rc = mTrustedPlatformModule->i_loadSettings(data.tpmSettings);
         if (FAILED(rc)) return rc;
 
@@ -10166 +10188 @@
         if (FAILED(rc)) throw rc;
 
+        /* Trusted Platform Module settings (required) */
+        rc = mTrustedPlatformModule->i_saveSettings(data.tpmSettings);
+        if (FAILED(rc)) throw rc;
+
         /* Recording settings (required) */
         rc = mRecordingSettings->i_saveSettings(data.recordingSettings);
@@ -11680 +11706 @@
         mBIOSSettings->i_rollback();
 
+    if (mTrustedPlatformModule)
+        mTrustedPlatformModule->i_rollback();
+
     if (mRecordingSettings && (mData->flModifications & IsModified_Recording))
         mRecordingSettings->i_rollback();
@@ -11805 +11834 @@
 
     mBIOSSettings->i_commit();
+    mTrustedPlatformModule->i_commit();
     mRecordingSettings->i_commit();
     mGraphicsAdapter->i_commit();
@@ -12059 +12089 @@
 
     mBIOSSettings->i_copyFrom(aThat->mBIOSSettings);
+    mTrustedPlatformModule->i_copyFrom(aThat->mTrustedPlatformModule);
     mRecordingSettings->i_copyFrom(aThat->mRecordingSettings);
     mGraphicsAdapter->i_copyFrom(aThat->mGraphicsAdapter);
@@ -12434 +12465 @@
     unconst(mBIOSSettings).createObject();
     mBIOSSettings->init(this, aMachine->mBIOSSettings);
+
+    unconst(mTrustedPlatformModule).createObject();
+    mTrustedPlatformModule->init(this, aMachine->mTrustedPlatformModule);
+
     unconst(mRecordingSettings).createObject();
     mRecordingSettings->init(this, aMachine->mRecordingSettings);

trunk/src/VBox/Main/src-server/SnapshotImpl.cpp

@@ -1147 +1147 @@
     unconst(mBIOSSettings).createObject();
     rc = mBIOSSettings->initCopy(this, pMachine->mBIOSSettings);
+    if (FAILED(rc)) return rc;
+
+    unconst(mTrustedPlatformModule).createObject();
+    rc = mTrustedPlatformModule->initCopy(this, pMachine->mTrustedPlatformModule);
     if (FAILED(rc)) return rc;
 
@@ -1278 +1282 @@
     unconst(mBIOSSettings).createObject();
     mBIOSSettings->init(this);
+
+    unconst(mTrustedPlatformModule).createObject();
+    mTrustedPlatformModule->init(this);
 
     unconst(mRecordingSettings).createObject();

trunk/src/VBox/Main/xml/Settings.cpp

@@ -2830 +2830 @@
  * Constructor. Needs to set sane defaults which stand the test of time.
  */
+TpmSettings::TpmSettings() :
+    tpmType(TpmType_None)
+{
+}
+
+/**
+ * Check if all settings have default values.
+ */
+bool TpmSettings::areDefaultSettings() const
+{
+    return    tpmType     == TpmType_None
+           && strLocation.isEmpty();
+}
+
+/**
+ * Comparison operator. This gets called from MachineConfigFile::operator==,
+ * which in turn gets called from Machine::saveSettings to figure out whether
+ * machine settings have really changed and thus need to be written out to disk.
+ */
+bool TpmSettings::operator==(const TpmSettings &g) const
+{
+    return (this == &g)
+        || (   tpmType         == g.tpmType
+            && strLocation     == g.strLocation);
+}
+
+/**
+ * Constructor. Needs to set sane defaults which stand the test of time.
+ */
 USBController::USBController() :
     enmType(USBControllerType_Null)
@@ -3504 +3533 @@
             && graphicsAdapter                == h.graphicsAdapter
             && usbSettings                    == h.usbSettings
+            && tpmSettings                    == h.tpmSettings
             && llNetworkAdapters              == h.llNetworkAdapters
             && llSerialPorts                  == h.llSerialPorts
@@ -4924 +4954 @@
                 hw.storage.llStorageControllers.push_back(sctl);
             }
+        }
+        else if (pelmHwChild->nameEquals("TrustedPlatformModule"))
+        {
+            Utf8Str strTpmType;
+            if (pelmHwChild->getAttributeValue("type", strTpmType))
+            {
+                if (strTpmType == "None")
+                    hw.tpmSettings.tpmType = TpmType_None;
+                else if (strTpmType == "v1_2")
+                    hw.tpmSettings.tpmType = TpmType_v1_2;
+                else if (strTpmType == "v2_0")
+                    hw.tpmSettings.tpmType = TpmType_v2_0;
+                else if (strTpmType == "Host")
+                    hw.tpmSettings.tpmType = TpmType_Host;
+                else if (strTpmType == "Swtpm")
+                    hw.tpmSettings.tpmType = TpmType_Swtpm;
+                else
+                    throw ConfigFileError(this,
+                                          pelmHwChild,
+                                          N_("Invalid value '%s' in TrustedPlatformModule/@type"),
+                                          strTpmType.c_str());
+            }
+
+            pelmHwChild->getAttributeValue("location", hw.tpmSettings.strLocation);
         }
         else if (   (m->sv <= SettingsVersion_v1_14)
@@ -6393 +6447 @@
         if (hw.biosSettings.fSmbiosUuidLittleEndian)
             pelmBIOS->createChild("SmbiosUuidLittleEndian")->setAttribute("enabled", hw.biosSettings.fSmbiosUuidLittleEndian);
+    }
+
+    if (!hw.tpmSettings.areDefaultSettings())
+    {
+        xml::ElementNode *pelmTpm = pelmHardware->createChild("TrustedPlatformModule");
+
+        const char *pcszTpm;
+        switch (hw.tpmSettings.tpmType)
+        {
+            default:
+            case TpmType_None:
+                pcszTpm = "None";
+                break;
+            case TpmType_v1_2:
+                pcszTpm = "v1_2";
+                break;
+            case TpmType_v2_0:
+                pcszTpm = "v2_0";
+                break;
+            case TpmType_Host:
+                pcszTpm = "Host";
+                break;
+            case TpmType_Swtpm:
+                pcszTpm = "Swtpm";
+                break;
+        }
+        pelmTpm->setAttribute("type", pcszTpm);
+        pelmTpm->setAttribute("location", hw.tpmSettings.strLocation);
     }
 
@@ -7687 +7769 @@
             return;
         }
+
+        // VirtualBox 6.2 adds a Trusted Platform Module.
+        if (   hardwareMachine.tpmSettings.tpmType != TpmType_None
+            || hardwareMachine.tpmSettings.strLocation.isNotEmpty())
+        {
+            m->sv = SettingsVersion_v1_19;
+            return;
+        }
     }