Virtual Trusted Platform Module (vTPM)
Xen provides support for the Trusted Platform Module (TPM). To make use of vTPM, you must have an x86 machine with a TPM on the motherboard. The reader is assumed to be familiar with building and installing Xen and Linux, and to have a basic understanding of TPM and vTPM concepts.
vTPM Support in XL
vtpm-attach domain-id vtpm-device
Creates a new vtpm device in the domain specified by domain-id. vtpm-device describes the device to attach, using the same format as the vtpm string in the domain config file. See xl.cfg for more information.
vtpm-detach domain-id devid|uuid
Removes the vtpm device from the domain specified by domain-id. devid is the numeric device id given to the virtual trusted platform module device. You will need to run xl vtpm-list to determine that number. Alternatively the uuid of the vtpm can be used to select the virtual device to detach.
vtpm-list domain-id
List virtual trusted platform modules for a domain.
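A small wrapper around the attach command above, added here as an example and not part of Xen or the xl tool: it parses a vtpm-device string of the form `backend=<domain>,uuid=<uuid>`, rejects malformed input before anything reaches `xl`, and calls `xl vtpm-attach` only when the string is well-formed. The assumption that `backend=` is required and `uuid=` optional follows the xl.cfg vtpm description; the `XL` variable (assumed, for dry runs) lets you point the wrapper at `echo` instead of the real `xl`.

```shell
#!/bin/sh
# Regex for a canonical 8-4-4-4-12 hex UUID, as used for vtpm uuid= values.
UUID_RE='^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$'

# Parse "backend=<domain>,uuid=<uuid>" into VTPM_BACKEND / VTPM_UUID.
# Returns 1 on an unknown key, a missing '=', a missing backend, or a bad uuid.
parse_vtpm_spec() {
    VTPM_BACKEND=""; VTPM_UUID=""
    rest="$1"
    while [ -n "$rest" ]; do
        kv="${rest%%,*}"                       # first key=value pair
        case "$rest" in *,*) rest="${rest#*,}";; *) rest="";; esac
        key="${kv%%=*}"; val="${kv#*=}"
        [ "$kv" = "$key" ] && return 1         # pair has no '=' at all
        case "$key" in
            backend) VTPM_BACKEND="$val";;
            uuid)    VTPM_UUID="$val";;
            *)       return 1;;                # xl would reject unknown keys too
        esac
    done
    [ -n "$VTPM_BACKEND" ] || return 1         # backend assumed mandatory
    if [ -n "$VTPM_UUID" ]; then
        printf '%s\n' "$VTPM_UUID" | grep -Eq "$UUID_RE" || return 1
    fi
    return 0
}

# Validate the spec, then hand it to xl (or to $XL, e.g. XL=echo for a dry run).
vtpm_attach() {
    dom="$1"; spec="$2"
    parse_vtpm_spec "$spec" || {
        echo "vtpm_attach: malformed vtpm spec: $spec" >&2
        return 1
    }
    "${XL:-xl}" vtpm-attach "$dom" "$spec"
}
```

Reusing the same uuid on re-attach is what ties a guest back to the vTPM state the manager domain has already sealed for it, so a typo in that field is worth catching before the command runs.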
vTPM Extensions in Xen 4.3
Xen 4.3 exposes TPM functionality to a virtual guest operating system (a DomU). This allows programs to interact with a TPM in a virtual system the same way they interact with a TPM on a physical system. Each guest gets its own unique, emulated, software TPM. However, each vTPM's secrets (keys, NVRAM, etc.) are managed by a vTPM Manager domain, which seals them to the physical TPM. If the process of creating each of these domains (manager, vTPM, and guest) is trusted, the vTPM subsystem extends the chain of trust rooted in the hardware TPM to virtual machines in Xen. Each major component of vTPM is implemented as a separate domain, providing secure separation guaranteed by the hypervisor. The vTPM domains are implemented in mini-os to reduce memory and processor overhead.
vTPM 2.0 in Xen 4.6
Support for vTPM 2.0 was added in Xen 4.6; for more information, see the section Appendix B: vtpmmgr on TPM 2.0.