diff --git a/Dockerfile b/Dockerfile
index a171c97c..8b2272d1 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -29,11 +29,19 @@ ARG DEBIAN_FRONTEND=noninteractive
 ARG UID=42424
 ARG GID=42424
 
+# Nova arguments
+# User/group that swtpm binary runs as.
+ARG NOVA_TSS_USER=tss
+ARG NOVA_TSS_UID=42434
+ARG NOVA_TSS_GID=42434
+
 ARG NOVNC_REPO=${NOVNC_REPO:-https://github.com/novnc/novnc}
 ARG NOVNC_REF=${NOVNC_REF:-v1.0.0}
 ARG SPICE_REPO=${SPICE_REPO:-https://gitlab.freedesktop.org/spice/spice-html5.git}
 ARG SPICE_REF=${SPICE_REF:-spice-html5-0.1.6}
 
+# End Nova arguments
+
 ADD data /tmp/
 COPY scripts /opt/loci/scripts
 ADD bindep.txt pydep.txt $EXTRA_BINDEP $EXTRA_PYDEP /opt/loci/
diff --git a/scripts/project_specific/nova/02_add_tss_user.sh b/scripts/project_specific/nova/02_add_tss_user.sh
new file mode 100755
index 00000000..d97eca08
--- /dev/null
+++ b/scripts/project_specific/nova/02_add_tss_user.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# When using emulated TPM, the user/group that swtpm binary runs as.
+set -ex
+
+groupadd -g ${NOVA_TSS_GID} ${NOVA_TSS_USER}
+useradd -u ${NOVA_TSS_UID} -g ${NOVA_TSS_USER} -s /usr/sbin/nologin -c "${NOVA_TSS_USER} user" ${NOVA_TSS_USER}
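Review bot: The comment on the new `NOVA_TSS_*` arguments says who the account is for but not why the IDs are pinned to 42434 or what they must agree with. vTPM state files are owned by this account, so the numeric UID/GID presumably has to match whatever runs swtpm on the libvirt side and the names configured in nova's `[libvirt] swtpm_user` / `swtpm_group`; a mismatch would surface only at instance boot as a permission error. I would extend the comment to something like `# Pinned so swtpm state ownership matches the libvirt image/host; keep in step with [libvirt] swtpm_user/swtpm_group.` once that relationship is confirmed.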
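Review bot: The `groupadd` and `useradd` calls expand every build argument unquoted and without checking that it is set, so an empty or space-containing `NOVA_TSS_*` value is word-split into missing or extra options instead of being rejected. Quoting plus `:?` makes that fail early with a clear message: `groupadd -g "${NOVA_TSS_GID:?}" "${NOVA_TSS_USER:?}"` and `useradd -u "${NOVA_TSS_UID:?}" -g "${NOVA_TSS_USER}" -s /usr/sbin/nologin -c "${NOVA_TSS_USER} user" "${NOVA_TSS_USER}"`. The script also assumes no `tss` account exists yet; if the base image or an earlier package step already created one (distro TPM packages commonly do), `groupadd` exits non-zero and `set -e` aborts the build. A `getent group "${NOVA_TSS_USER}" >/dev/null ||` guard would avoid that, but the pre-existing IDs should then be compared with the pinned ones rather than silently accepted.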