diff --git a/devicemodel/hw/mmio/core.c b/devicemodel/hw/mmio/core.c
index 347a55ec0..a67f3b948 100644
--- a/devicemodel/hw/mmio/core.c
+++ b/devicemodel/hw/mmio/core.c
@@ -192,6 +192,11 @@ struct mmio_dev_ops tpm2 = {
 };
 DEFINE_MMIO_DEV(tpm2);
 
+uint64_t get_mmio_dev_tpm2_base_gpa(void)
+{
+	return tpm2.base_gpa;
+}
+
 struct mmio_dev_ops pt_mmiodev = {
 	.name		= "MMIODEV",
 	/* ToDo: we may allocate the gpa MMIO resource in a reserved MMIO region
diff --git a/devicemodel/hw/platform/acpi/acpi.c b/devicemodel/hw/platform/acpi/acpi.c
index 13fcea8ee..b87e6203e 100644
--- a/devicemodel/hw/platform/acpi/acpi.c
+++ b/devicemodel/hw/platform/acpi/acpi.c
@@ -820,7 +820,8 @@ static void tpm2_crb_fwrite_dsdt(void)
 	dsdt_line("      Name (_CRS, ResourceTemplate ()  // _CRS: Current Resource Settings");
 	dsdt_line("      {");
 	dsdt_indent(4);
-	dsdt_fixed_mem32(TPM_CRB_MMIO_ADDR, TPM_CRB_MMIO_SIZE);
+	/* TODO: consider a better framework for mmio likes pci's vdev_write_dsdt. */
+	dsdt_fixed_mem32(get_tpm_crb_mmio_addr(), TPM_CRB_MMIO_SIZE);
 	dsdt_unindent(4);
 	dsdt_line("      })");
 	dsdt_line("      Method (_STA, 0, NotSerialized)  // _STA: Status");
diff --git a/devicemodel/hw/platform/tpm/tpm.c b/devicemodel/hw/platform/tpm/tpm.c
index c7515116a..353624082 100644
--- a/devicemodel/hw/platform/tpm/tpm.c
+++ b/devicemodel/hw/platform/tpm/tpm.c
@@ -14,6 +14,8 @@
 #include "tpm.h"
 #include "tpm_internal.h"
 #include "log.h"
+#include "mmio_dev.h"
+#include "dm.h"
 
 static int tpm_debug;
 #define LOG_TAG "tpm: "
@@ -24,6 +26,25 @@ static int tpm_debug;
 
 #define STR_MAX_LEN 1024U
 static char *sock_path = NULL;
+static uint32_t vtpm_crb_mmio_addr = 0U;
+
+uint32_t get_vtpm_crb_mmio_addr(void) {
+	return vtpm_crb_mmio_addr;
+}
+
+uint32_t get_tpm_crb_mmio_addr(void)
+{
+	uint32_t base;
+
+	if (pt_tpm2) {
+		base = (uint32_t)get_mmio_dev_tpm2_base_gpa();
+	} else {
+		base = get_vtpm_crb_mmio_addr();
+	}
+
+	return base;
+}
+
 
 enum {
 	SOCK_PATH_OPT = 0
@@ -68,6 +89,11 @@ void init_vtpm2(struct vmctx *ctx)
 		return;
 	}
 
+	if (mmio_dev_alloc_gpa_resource32(&vtpm_crb_mmio_addr, TPM_CRB_MMIO_SIZE) < 0) {
+		WPRINTF("Failed allocate gpa resorce!\n");
+		return;
+	}
+
 	if (init_tpm_crb(ctx) < 0) {
 		WPRINTF("Failed init tpm emulator!\n");
 	}
diff --git a/devicemodel/hw/platform/tpm/tpm_crb.c b/devicemodel/hw/platform/tpm/tpm_crb.c
index 2b22e070e..602a12538 100644
--- a/devicemodel/hw/platform/tpm/tpm_crb.c
+++ b/devicemodel/hw/platform/tpm/tpm_crb.c
@@ -206,11 +206,11 @@ static uint64_t crb_reg_read(struct tpm_crb_vdev *tpm_vdev, uint64_t addr, int s
 	uint32_t val;
 	uint64_t off;
 
-	off = (addr & ~3UL) - TPM_CRB_MMIO_ADDR;
+	off = (addr & ~3UL) - get_vtpm_crb_mmio_addr();
 
 	val = mmio_read(&tpm_vdev->crb_regs.regs.bytes[off], size);
 
-	if (addr == CRB_REGS_LOC_STATE) {
+	if (off == CRB_REGS_LOC_STATE) {
 		val |= !swtpm_get_tpm_established_flag();
 	}
 
@@ -291,8 +291,9 @@ static void crb_reg_write(struct tpm_crb_vdev *tpm_vdev, uint64_t addr, int size
 {
 	uint8_t target_loc = (addr >> 12) & 0b111; /* convert address to locality */
 	uint32_t cmd_size;
+	uint64_t off = addr - get_vtpm_crb_mmio_addr();
 
-	switch (addr) {
+	switch (off) {
 	case CRB_REGS_CTRL_REQ:
 		if (tpm_vdev->crb_regs.regs.ctrl_start == CRB_CTRL_START_CMD)
 			break;
@@ -388,7 +389,7 @@ static int tpm_crb_data_buffer_handler(struct vmctx *ctx, int vcpu, int dir, uin
 	if (tpm_vdev->crb_regs.regs.ctrl_sts.tpmIdle == 1)
 		return 0;
 
-	off = addr - CRB_DATA_BUFFER;
+	off = addr - get_vtpm_crb_mmio_addr() - CRB_DATA_BUFFER;
 
 	if (dir == MEM_F_READ) {
 		*val = mmio_read(&tpm_vdev->data_buffer[off], size);
@@ -457,7 +458,7 @@ int init_tpm_crb(struct vmctx *ctx)
 	ctx->tpm_dev = tpm_vdev;
 
 	mr_cmd.name = "tpm_crb_reg";
-	mr_cmd.base = TPM_CRB_MMIO_ADDR;
+	mr_cmd.base = get_vtpm_crb_mmio_addr();
 	mr_cmd.size = TPM_CRB_REG_SIZE;
 	mr_cmd.flags = MEM_F_RW;
 	mr_cmd.handler = tpm_crb_reg_handler;
@@ -471,7 +472,7 @@ int init_tpm_crb(struct vmctx *ctx)
 	}
 
 	mr_data.name = "tpm_crb_buffer";
-	mr_data.base = CRB_DATA_BUFFER;
+	mr_data.base = get_vtpm_crb_mmio_addr() + CRB_DATA_BUFFER;
 	mr_data.size = TPM_CRB_DATA_BUFFER_SIZE;
 	mr_data.flags = MEM_F_RW;
 	mr_data.handler = tpm_crb_data_buffer_handler;
@@ -538,12 +539,12 @@ void deinit_tpm_crb(struct vmctx *ctx)
 	void *status;
 
 	mr.name = "tpm_crb_reg";
-	mr.base = TPM_CRB_MMIO_ADDR;
+	mr.base = get_vtpm_crb_mmio_addr();
 	mr.size = TPM_CRB_REG_SIZE;
 	unregister_mem(&mr);
 
 	mr.name = "tpm_crb_buffer";
-	mr.base = CRB_DATA_BUFFER;
+	mr.base = get_vtpm_crb_mmio_addr() + CRB_DATA_BUFFER;
 	mr.size = TPM_CRB_DATA_BUFFER_SIZE;
 	unregister_mem(&mr);
 
diff --git a/devicemodel/include/mmio_dev.h b/devicemodel/include/mmio_dev.h
index 7dda28fdf..51dc58660 100644
--- a/devicemodel/include/mmio_dev.h
+++ b/devicemodel/include/mmio_dev.h
@@ -15,6 +15,7 @@ int init_mmio_devs(struct vmctx *ctx);
 void deinit_mmio_devs(struct vmctx *ctx);
 
 int mmio_dev_alloc_gpa_resource32(uint32_t *addr, uint32_t size_in);
+uint64_t get_mmio_dev_tpm2_base_gpa(void);
 
 #define MMIO_DEV_BASE  0xF0000000U
 #define MMIO_DEV_LIMIT 0xFE000000U
diff --git a/devicemodel/include/tpm.h b/devicemodel/include/tpm.h
index 3770306a1..82b948141 100644
--- a/devicemodel/include/tpm.h
+++ b/devicemodel/include/tpm.h
@@ -11,32 +11,35 @@
 #define TPM_CRB_MMIO_ADDR 0xFED40000UL
 #define TPM_CRB_MMIO_SIZE 0x5000U
 
+uint32_t get_vtpm_crb_mmio_addr(void);
+uint32_t get_tpm_crb_mmio_addr(void);
+
 /* TPM CRB registers */
 enum {
-	CRB_REGS_LOC_STATE       = TPM_CRB_MMIO_ADDR + 0x00,
-	CRB_REGS_RESERVED0       = TPM_CRB_MMIO_ADDR + 0x04,
-	CRB_REGS_LOC_CTRL        = TPM_CRB_MMIO_ADDR + 0x08,
-	CRB_REGS_LOC_STS         = TPM_CRB_MMIO_ADDR + 0x0C,
-	CRB_REGS_RESERVED1       = TPM_CRB_MMIO_ADDR + 0x10,
-	CRB_REGS_INTF_ID_LO      = TPM_CRB_MMIO_ADDR + 0x30,
-	CRB_REGS_INTF_ID_HI      = TPM_CRB_MMIO_ADDR + 0x34,
-	CRB_REGS_CTRL_EXT_LO     = TPM_CRB_MMIO_ADDR + 0x38,
-	CRB_REGS_CTRL_EXT_HI     = TPM_CRB_MMIO_ADDR + 0x3C,
-	CRB_REGS_CTRL_REQ        = TPM_CRB_MMIO_ADDR + 0x40,
-	CRB_REGS_CTRL_STS        = TPM_CRB_MMIO_ADDR + 0x44,
-	CRB_REGS_CTRL_CANCEL     = TPM_CRB_MMIO_ADDR + 0x48,
-	CRB_REGS_CTRL_START      = TPM_CRB_MMIO_ADDR + 0x4C,
-	CRB_REGS_CTRL_INT_ENABLE = TPM_CRB_MMIO_ADDR + 0x50,
-	CRB_REGS_CTRL_INT_STS    = TPM_CRB_MMIO_ADDR + 0x54,
-	CRB_REGS_CTRL_CMD_SIZE   = TPM_CRB_MMIO_ADDR + 0x58,
-	CRB_REGS_CTRL_CMD_PA_LO  = TPM_CRB_MMIO_ADDR + 0x5C,
-	CRB_REGS_CTRL_CMD_PA_HI  = TPM_CRB_MMIO_ADDR + 0x60,
-	CRB_REGS_CTRL_RSP_SIZE   = TPM_CRB_MMIO_ADDR + 0x64,
-	CRB_REGS_CTRL_RSP_PA     = TPM_CRB_MMIO_ADDR + 0x68,
-	CRB_DATA_BUFFER          = TPM_CRB_MMIO_ADDR + 0x80
+	CRB_REGS_LOC_STATE       =  0x00,
+	CRB_REGS_RESERVED0       =  0x04,
+	CRB_REGS_LOC_CTRL        =  0x08,
+	CRB_REGS_LOC_STS         =  0x0C,
+	CRB_REGS_RESERVED1       =  0x10,
+	CRB_REGS_INTF_ID_LO      =  0x30,
+	CRB_REGS_INTF_ID_HI      =  0x34,
+	CRB_REGS_CTRL_EXT_LO     =  0x38,
+	CRB_REGS_CTRL_EXT_HI     =  0x3C,
+	CRB_REGS_CTRL_REQ        =  0x40,
+	CRB_REGS_CTRL_STS        =  0x44,
+	CRB_REGS_CTRL_CANCEL     =  0x48,
+	CRB_REGS_CTRL_START      =  0x4C,
+	CRB_REGS_CTRL_INT_ENABLE =  0x50,
+	CRB_REGS_CTRL_INT_STS    =  0x54,
+	CRB_REGS_CTRL_CMD_SIZE   =  0x58,
+	CRB_REGS_CTRL_CMD_PA_LO  =  0x5C,
+	CRB_REGS_CTRL_CMD_PA_HI  =  0x60,
+	CRB_REGS_CTRL_RSP_SIZE   =  0x64,
+	CRB_REGS_CTRL_RSP_PA     =  0x68,
+	CRB_DATA_BUFFER          =  0x80
 };
 
-#define TPM_CRB_REG_SIZE ((CRB_DATA_BUFFER) - (TPM_CRB_MMIO_ADDR))
+#define TPM_CRB_REG_SIZE (CRB_DATA_BUFFER)
 #define TPM_CRB_DATA_BUFFER_SIZE ((TPM_CRB_MMIO_SIZE) - (TPM_CRB_REG_SIZE))
 
 /* APIs by tpm.c */