Sjaddy Posted June 29, 2021

According to MS post here (https://download.microsoft.com/download/7/8/8/788bf5ab-0751-4928-a22c-dffdc23c27f2/Minimum%20Hardware%20Requirements%20for%20Windows%2011.pdf) VM machines are exempt from the requirements:

There will be some exceptions to Microsoft’s new rules, though. “Windows 11 does not apply the hardware-compliance check for virtualized instances either during setup or upgrade,” notes a Microsoft document (PDF) on minimum hardware requirements for Windows 11. That means if you run Windows 11 as a virtual machine, you can ignore the CPU and security requirements. That flies in the face of Microsoft’s big security push here, but the reality is that most consumers and commercial customers won’t be running Windows 11 in a VM.
quasihellfish Posted June 30, 2021

23 hours ago, Sjaddy said:
> That means if you run Windows 11 as a virtual machine, you can ignore the CPU and security requirements. That flies in the face of Microsoft’s big security push here,

Does it though? The point of MS's security requirements is to prevent malware from affecting the PC at boot time. Well, we're talking about VMs here, which do not have the same risk associated with them. By definition, the VM is separated from the hardware boot BIOS/firmware, right? It's one of the reasons to run a VM: to separate the OS from the hardware layer.
ghost82 Posted July 1, 2021 (edited)

17 hours ago, quasihellfish said:
> Well, we're talking about VMs here, which do not have the same risk associated with them. By definition, the VM is separated from the hardware boot BIOS/firmware, right?

It really depends on how you use the vm. Most users, including me, are using one or more vms just as if they were using a traditional pc: if this is the case, we want performance on our vm, so we start to passthrough hardware, cpu, gpu, sata controllers, nvme drives, usb controllers, ethernet cards, etc.

Why do we do this? In my case I'm using a mac os vm with most hardware passed through. I decided to go with a vm because it's faster to set up the environment and you have less headache; moreover I have a completely separate environment, so the bootloader cannot mess with windows 10 installed on another drive, which I boot bare metal. Others prefer performance vms because they can have "more computers" in the same pc, for example different vms for different operating systems, different vms for different fields (school, work, media, firewall, gaming, etc.).

Virtual machines can boot uefi with ovmf, so the malware will act the same if it finds a vulnerability in the firmware: but in this case the firmware is a file (OVMF_CODE and its OVMF_VARS), so if it gets infected all you need to do is delete the files and replace them instead of flashing the bios chip. But if malware infects the os in the cases I described above it's nearly the same as having malware on a bare metal installation.

Another case is if you use vms in a different way. Consider for example online services for antivirus scans: all the malware runs on virtual machines which are created and deleted before and as soon as the scan finishes: the base os can be in a vdisk and all you have to do to start fresh is delete and replace the vdisk (some seconds?).

Or if you need only a few apps in your vm, installed in a vdisk: again, back up a copy of the base vdisk and of the firmware and if you get infected just start fresh in a few minutes.

What microsoft is choosing, i.e. adding secure boot and tpm as mandatory (in addition to a series of other things), doesn't agree with me (but this is a personal opinion, I am the owner of my pc and I want to do all that I want, without having limits).

Edited July 1, 2021 by ghost82
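The point made in the post above, that OVMF firmware is a pair of files which can be checked and replaced, sketched as an added example (not part of the original post and not unRAID's own tooling). The directory layout and the helper names `fw_pin`, `fw_verify`, `fw_restore` and `fw_demo` are assumptions for illustration, and the firmware files used in the demo are constructed placeholders.

```shell
#!/bin/sh
# Added example: pin, verify and restore OVMF firmware files on the host.
# Assumed layout: $1 = directory with known-good OVMF_CODE.fd / OVMF_VARS.fd,
#                 $2 = directory with the copies the VM boots from.
# Only OVMF_CODE.fd is pinned: OVMF_VARS.fd is the guest's NVRAM and changes
# legitimately (boot entries, enrolled Secure Boot keys).

# Record the SHA-256 of the known-good code image next to it.
fw_pin() {
    ( cd "$1" && sha256sum OVMF_CODE.fd > OVMF_CODE.fd.sha256 )
}

# Return 0 if the VM's code image still matches the pinned hash, 1 otherwise.
fw_verify() {
    want=$(cut -d' ' -f1 "$1/OVMF_CODE.fd.sha256")
    have=$(sha256sum "$2/OVMF_CODE.fd" | cut -d' ' -f1)
    [ "$want" = "$have" ]
}

# Replace both files from the known-good copies (run with the VM shut down).
# Resetting OVMF_VARS.fd also discards keys and boot entries the guest stored.
fw_restore() {
    cp "$1/OVMF_CODE.fd" "$2/OVMF_CODE.fd" &&
    cp "$1/OVMF_VARS.fd" "$2/OVMF_VARS.fd"
}

# Demo on constructed placeholder files in temporary directories.
fw_demo() {
    good=$(mktemp -d) && live=$(mktemp -d) || return 1
    printf 'constructed code image' > "$good/OVMF_CODE.fd"
    printf 'constructed empty varstore' > "$good/OVMF_VARS.fd"
    fw_pin "$good" && fw_restore "$good" "$live" || return 1
    out=""
    fw_verify "$good" "$live" && out="clean"
    printf 'x' >> "$live/OVMF_CODE.fd"      # stand-in for a modified image
    fw_verify "$good" "$live" || out="$out tampered"
    fw_restore "$good" "$live"
    fw_verify "$good" "$live" && out="$out restored"
    rm -rf "$good" "$live"
    echo "$out"
}

fw_demo
```

A host-side hash only helps while the host itself is trusted, and it says nothing about the guest OS or any passed-through hardware.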
Enver Posted September 17, 2021

https://www.linkedin.com/pulse/swtpm-unraid-zoltan-repasi/
Mantene Posted September 20, 2021

https://betanews.com/2021/09/18/microsoft-even-requires-tpm-2-0-for-windows-11-virtual-machines/

Microsoft has changed their policy on Virtualized Installations. Virtualized installations now require the same hardware physical installations require.
ghost82 Posted September 20, 2021

I think I will move my bare windows (10) installation to qemu too, to upgrade to 11...my workstation is still powerful but doesn't support tpm.
unrateable Posted September 25, 2021

Since Win 11 also requires a certain CPU Gen: is it possible to change the CPUID of my guest VM to a newer Gen CPU, and advisable at all? I wonder whether by doing that there may be other implications for security/proper ISA functions?
Cliff Posted September 29, 2021

I upgraded my Windows 10 VM to Windows 11 a while ago. When trying to update it now says my computer is missing TPM 2.0 and secure boot. I am using a Ryzen 3900X which supports TPM 2.0 as I understand. Are there any guides on how to fix my VM so that I can update again?
Mantene Posted September 29, 2021

25 minutes ago, Cliff said:
> I upgraded my Windows 10 VM to Windows 11 a while ago. When trying to update it now says my computer is missing TPM 2.0 and secure boot. I am using a Ryzen 3900X which supports TPM 2.0 as I understand. Are there any guides on how to fix my VM so that I can update again?

https://www.linkedin.com/pulse/swtpm-unraid-zoltan-repasi/

That worked for me.
ich777 Posted September 29, 2021

Please refer to this thread, SWTPM will be integrated into unRAID:
ich777 Posted September 29, 2021

On 9/25/2021 at 9:06 AM, unrateable said:
> Since Win 11 also requires a certain CPU Gen: is it possible to change the CPUID of my guest VM to a newer Gen CPU, and advisable at all? I wonder whether by doing that there may be other implications for security/proper ISA functions?

The latest Windows 11 build doesn't even complain about the CPU when you install it...
alturismo Posted September 30, 2021

19 hours ago, Cliff said:
> Are there any guides on how to fix my VM so that I can update again?

19 hours ago, Mantene said:
> That worked for me.

When it's integrated it will surely be easier and you don't have to play with more manual entries in your xml's ... so I'd suggest waiting a few days until limetech is ready. Also a removal will work then regular etc etc ... now after adjusting you have to revert to remove a vm and so on ...

And whoever is now capable to run the script, edit his xml's etc etc pretty sure can also make the 2 steps on updating to bypass the checks ..
ghost82 Posted October 11, 2021

I really can't understand how the linkedin author was able to compile (if he compiled) the OVMF files.. I usually don't like "black boxes" so I'm trying to understand how and if he compiled the ovmf package to build OVMF_CODE.fd and OVMF_VARS.fd.

If I use OVMF files from here: https://github.com/rezo552/unraid-swtpm Windows 11 installation goes smooth, system is seen as compatible. However if I boot into ovmf settings secure boot mode is DISABLED with those ovmf files, so the first question: why windows 11 doesn't complain about secure boot being disabled?

After trying the "black box" ovmf files, I tried to compile myself the OVMF package with secure boot enabled:

    git clone https://github.com/tianocore/edk2.git
    cd edk2
    # start from a pristine tree at the chosen stable tag
    git clean -ffdx
    git reset --hard
    git submodule deinit --force --all
    git checkout edk2-stable202011
    git submodule update --init --force
    # set up the build environment and build BaseTools
    source edksetup.sh
    nice make -C "$EDK_TOOLS_PATH" -j $(getconf _NPROCESSORS_ONLN)
    # build the X64 OVMF firmware with secure boot support
    build -a X64 -b RELEASE -DSECURE_BOOT_ENABLE=TRUE -p OvmfPkg/OvmfPkgX64.dsc -t GCC5

Notes: -DSECURE_BOOT_ENABLE=TRUE allows to build a secboot version of ovmf. I prefer 202011 stable version.

Now, time to inject the keys, I tried 2 ways:

1- inject keys with EnrollDefaultKeys.efi (built within the ovmf package)--> I put it on another raw image and run it from the uefi shell; from OVMF settings I can see that PK, KEK and DB keys are injected, but windows 11 tells me that the system is not compatible to run windows 11...

2- downloaded:
MicCorUEFCA2011_2011-06-27.cer (2nd import in DB)
MicWinProPCA2011_2011-10-19.cer (1st import in DB)
MicCorKEKCA2011_2011-06-24.cer (imported as KEK)
and generated a DER self-signed certificate, imported as PK.

Here I have another issue, because if I look at the KEK and DB keys (for example by deleting them from the ovmf settings), they seem to be imported as 00000-0000-00000 (only zeroes...???), so something is wrong...

Obviously same issue with 2nd method as the first one, no compatible system. Note that the xml is the same, what changes is only OVMF_CODE.fd and OVMF_VARS.fd.

Anybody with some lights? I'm currently walking in the dark
alturismo Posted October 11, 2021

1 hour ago, ghost82 said:
> so the first question: why windows 11 doesn't complain about secure boot being disabled?

windows 11 secure boot "capable" and NOT "must be enabled", there is the difference
ghost82 Posted October 11, 2021

21 minutes ago, alturismo said:
> windows 11 secure boot "capable" and NOT "must be enabled", there is the difference

Thanks for answering the first question! Still cannot explain incompatibility with capable secboot ovmf files.
ghost82 Posted October 12, 2021

15 hours ago, ghost82 said:
> Obviously same issue with 2nd method as the first one, no compatible system.

Problem solved, I was missing some flags for building a proper version of ovmf. I didn't know tpm has flags too, that need to be enabled. So, summarizing, if one wants to compile himself/herself ovmf (the following example builds the latest stable version at the time of writing, 202108):

    git clone https://github.com/tianocore/edk2.git
    cd edk2
    # start from a pristine tree at the chosen stable tag
    git clean -ffdx
    git reset --hard
    git submodule deinit --force --all
    git checkout edk2-stable202108
    git submodule update --init --force
    # set up the build environment and build BaseTools
    source edksetup.sh
    nice make -C "$EDK_TOOLS_PATH" -j $(getconf _NPROCESSORS_ONLN)
    # build the X64 OVMF firmware with secure boot and tpm support
    build -a X64 -b RELEASE -D SECURE_BOOT_ENABLE -D TPM_ENABLE -D FD_SIZE_4MB -p OvmfPkg/OvmfPkgX64.dsc -t GCC5

- SECURE_BOOT_ENABLE: build a secure boot compatible ovmf
- TPM_ENABLE: enable tpm in ovmf
- FD_SIZE_4MB: not sure this is needed, but I read that Microsoft Hardware Certification Kit expects to be able to populate the variable store up to roughly 64 KB, without this flag ovmf varstore area is only 56 KB, this flag increases it to 256 KB
- -D TPM_CONFIG_ENABLE is not needed, tpm will be auto configured
Cliff Posted October 26, 2021

Is there any news on when the unraid update will be released?
RiDDiX Posted October 26, 2021 (edited)

6 hours ago, Cliff said:
> Is there any news on when the unraid update will be released?

I don't know if I am supposed to post a 6.10.0-rc2h Build here... But with this no "external" Patches are needed. Decided to do because it is visible within the forums itself:

https://s3.amazonaws.com/dnld.lime-technology.com/test/unRAIDServer.plg

This will bring into the "Test"-Branch but you will be able to get the "OVMF TPM"-BIOS. Just edit then your xml or from the drop down menu..

Edited October 26, 2021 by RiDDiX
Ninnetyer Posted October 26, 2021

12 hours ago, RiDDiX said:
> I don't know if I am supposed to post a 6.10.0-rc2h Build here... But with this no "external" Patches are needed. Decided to do because it is visible within the forums itself: https://s3.amazonaws.com/dnld.lime-technology.com/test/unRAIDServer.plg This will bring into the "Test"-Branch but you will be able to get the "OVMF TPM"-BIOS. Just edit then your xml or from the drop down menu..

Hey, not sure if I will be able to go back to stable version if something goes wrong, you know, like the usual behaviour of standard update, or is it that the link just simply provides an extra branch additional to "stable" and "next"?
alturismo Posted October 27, 2021

4 hours ago, Ninnetyer said:
> Hey, not sure if I will be able to go back to stable version if something goes wrong,

yes and yes
NLS Posted October 27, 2021

23 hours ago, RiDDiX said:
> I don't know if I am supposed to post a 6.10.0-rc2h Build here... But with this no "external" Patches are needed. Decided to do because it is visible within the forums itself: https://s3.amazonaws.com/dnld.lime-technology.com/test/unRAIDServer.plg This will bring into the "Test"-Branch but you will be able to get the "OVMF TPM"-BIOS. Just edit then your xml or from the drop down menu..

"plugin: not installing older version"
JorgeB Posted October 27, 2021

43 minutes ago, NLS said:
> "plugin: not installing older version"

First upgrade to rc1, reboot, then install the plugin.
okkies Posted October 27, 2021 (edited)

- stopped the userscript
- deleted everything in /boot/extra/
- upgraded to Rc2

Seems to work better already, I had an issue where windows 11 became sluggish for no real reason. That seems to work better, for now

- network shares actually work after a reboot
- docker containers don't have any issues starting up

I probably have to reset some Bitlocker keys (disable tpm and enable tpm) due to these changes, but that's something for tomorrow

Edited October 27, 2021 by okkies
RiDDiX Posted October 28, 2021

20 hours ago, JorgeB said:
> First upgrade to rc1, reboot, then install the plugin.

Oops yeah sorry forgot to mention it.
ghost82 Posted December 28, 2021

On 10/12/2021 at 9:41 AM, ghost82 said:
> build -a X64 -b RELEASE -D SECURE_BOOT_ENABLE -D TPM_ENABLE -D FD_SIZE_4MB -p OvmfPkg/OvmfPkgX64.dsc -t GCC5

Just to let you know that with this commit: https://github.com/tianocore/edk2/commit/4de8d61bcec02a13ceed84f92b0cf3ea58adf9c5 from release > 202111 (excluded) "-D TPM_ENABLE" doesn't exist anymore and it's replaced by -D TPM1_ENABLE for tpm 1.2 or -D TPM2_ENABLE for tpm 2.0.

I spent a couple of hours trying to figure out why my emulated tpm didn't start in win 11.

TPM_CONFIG_ENABLE is also removed from the code.
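The define rename described in the post above is easy to miss when bumping the edk2 tag, and the build still succeeds without a working TPM driver. As an added example (not part of the original thread and not edk2's own tooling), a shell helper that picks the TPM define from the stable tag; the function names `ovmf_tpm_define` and `ovmf_build_cmd` are hypothetical, and the cut-off at 202111 is taken from the post.

```shell
#!/bin/sh
# Added example: choose the OVMF TPM build define from the edk2 stable tag.
# Per the thread: tags up to and including edk2-stable202111 use the single
# define TPM_ENABLE; later releases use TPM2_ENABLE (TPM 2.0) or
# TPM1_ENABLE (TPM 1.2).

# usage: ovmf_tpm_define <edk2-stableYYYYMM> [2.0|1.2]
ovmf_tpm_define() {
    tag=$1
    tpm_version=${2:-2.0}
    case $tag in
        edk2-stable[0-9][0-9][0-9][0-9][0-9][0-9]) ym=${tag#edk2-stable} ;;
        *) echo "unrecognised tag: $tag" >&2; return 2 ;;
    esac
    if [ "$ym" -le 202111 ]; then
        echo "TPM_ENABLE"
    else
        case $tpm_version in
            2.0) echo "TPM2_ENABLE" ;;
            1.2) echo "TPM1_ENABLE" ;;
            *) echo "unsupported TPM version: $tpm_version" >&2; return 2 ;;
        esac
    fi
}

# Print the full build command from the thread with the matching define.
ovmf_build_cmd() {
    def=$(ovmf_tpm_define "$1" "${2:-2.0}") || return 2
    echo "build -a X64 -b RELEASE -D SECURE_BOOT_ENABLE -D $def -D FD_SIZE_4MB -p OvmfPkg/OvmfPkgX64.dsc -t GCC5"
}

# Default to the tag used in the thread when no argument is given.
ovmf_build_cmd "${1:-edk2-stable202108}"
```

Windows 11 needs the TPM 2.0 variant, so for tags after 202111 the default of `2.0` is the one to keep.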