ashman70 Posted September 17, 2021
Today I noticed my Windows 11 VM had some updates, went to run the updates and got this message:
My motherboard on this system is a Gigabyte Z370 HD3, which should support TPM 2.0. I believe I have enabled it in the BIOS. Is there a way to pass it through to this VM? I am running unRAID 6.8.2 on this server.
okkies Posted September 17, 2021
I got TPM and secure boot working through this guide: https://www.linkedin.com/pulse/swtpm-unraid-zoltan-repasi/
sheldz8 Posted September 18, 2021
I hope Microsoft removes those two requirements, because if someone gets the update on their old machine they won't know what to do if they aren't tech savvy.
Sent from my SM-A305F using Tapatalk
ab5g Posted September 20, 2021 (edited)
On 9/18/2021 at 7:28 AM, okkies said: I got TPM and secure boot working through this guide https://www.linkedin.com/pulse/swtpm-unraid-zoltan-repasi/
I placed the 3 packages in /boot/extra and nothing happens after a reboot. The /var/lib/libvirt/swtpm is empty? Do you know why?
EDIT: I am running 6.10-RC1

root@Server:/boot/extra# ls -al
total 2640
drwx------  2 root root   16384 Sep 20 13:36 ./
drwx------ 13 root root   16384 Jan  1  1970 ../
-rw-------  1 root root  190644 Sep 20 13:33 libseccomp.txz
-rw-------  1 root root 1781908 Sep 20 13:33 libtpms.txz
-rw-------  1 root root  673376 Jul  3 03:10 swtpm_final.txz
root@Server:/var/lib/libvirt/swtpm# ls -al
total 0
drwxr-xr-x  2 root root  40 May  6 03:31 ./
drwxr-xr-x 10 root root 200 May  6 03:31 ../
root@Jarvis:/var/lib/libvirt/swtpm#
Edited September 20, 2021 by ab5g
okkies Posted September 20, 2021
59 minutes ago, ab5g said: I placed the 3 packages in /boot/extra and nothing happens after a reboot. The /var/lib/libvirt/swtpm is empty? Do you know why? EDIT: I am running 6.10-RC1
Did you run the userscript, and did you make the edits in your config?
ab5g Posted September 20, 2021 (edited)
1 hour ago, okkies said: Did you run the userscript, and did you make the edits in your config?
I did make the edits in my XML. On booting the VM, should it not create the directory in /var/lib/libvirt/swtpm first, which should then be used in the script? I don't suppose I can use the script before the directory in /var/lib/libvirt/swtpm is created.
I have added the OVMF files to the VM and the XML edits for the TPM chip. This is a WIN-11 VM. When I start the VM I get an error:

internal error: Could not run '/usr/bin/swtpm_setup'. exitstatus: 1; Check error log '/var/log/swtpm/libvirt/qemu/Windows 11-swtpm.log' for details.

# cat /var/log/swtpm/libvirt/qemu/Windows\ 11-swtpm.log
Starting vTPM manufacturing as root:tss @ Mon Sep 20 16:10:52 2021
Error: Could not start the TPM 2.
Error: An error occurred. Authoring the TPM state failed.
Ending vTPM manufacturing @ Mon Sep 20 16:10:57 2021
Starting vTPM manufacturing as root:tss @ Mon Sep 20 16:15:14 2021
Error: Could not start the TPM 2.
Error: An error occurred. Authoring the TPM state failed.
Ending vTPM manufacturing @ Mon Sep 20 16:15:19 2021
Edited September 20, 2021 by ab5g
rezo Posted September 20, 2021
55 minutes ago, ab5g said: I did make the edits in my XML. On booting the VM, should it not create the directory in /var/lib/libvirt/swtpm first, which should then be used in the script? I don't suppose I can use the script before the directory in /var/lib/libvirt/swtpm is created. I have added the OVMF files to the VM and the XML edits for the TPM chip. This is a WIN-11 VM. When I start the VM I get an error:
internal error: Could not run '/usr/bin/swtpm_setup'. exitstatus: 1; Check error log '/var/log/swtpm/libvirt/qemu/Windows 11-swtpm.log' for details.
# cat /var/log/swtpm/libvirt/qemu/Windows\ 11-swtpm.log
Starting vTPM manufacturing as root:tss @ Mon Sep 20 16:10:52 2021
Error: Could not start the TPM 2.
Error: An error occurred. Authoring the TPM state failed.
Ending vTPM manufacturing @ Mon Sep 20 16:10:57 2021
Starting vTPM manufacturing as root:tss @ Mon Sep 20 16:15:14 2021
Error: Could not start the TPM 2.
Error: An error occurred. Authoring the TPM state failed.
Ending vTPM manufacturing @ Mon Sep 20 16:15:19 2021
Yeah, I wrote this in my article: "When you first start up the virtual machine, during the runtime it will create a folder under /var/lib/libvirt/swtpm/, something like this: /var/lib/libvirt/swtpm/141d5517-bb66-23b3-6373-c4288xxxxxx. You need to make sure that you copy this whole folder into the VM storage area and symlink it back on the next boot, as /var/lib/libvirt/swtpm/ is not persistent."
Anyway, to do a quick test (most probably it's a permission issue), you could do:

ln -s /usr/lib64/libcrypto.so /usr/lib64/libcrypto.so.1
chmod 755 /var/lib -R
ab5g Posted September 20, 2021
52 minutes ago, rezo said: Yeah, I wrote this in my article: "When you first start up the virtual machine, during the runtime it will create a folder under /var/lib/libvirt/swtpm/, something like this: /var/lib/libvirt/swtpm/141d5517-bb66-23b3-6373-c4288xxxxxx. You need to make sure that you copy this whole folder into the VM storage area and symlink it back on the next boot, as /var/lib/libvirt/swtpm/ is not persistent." Anyway, to do a quick test (most probably it's a permission issue), you could do: ln -s /usr/lib64/libcrypto.so /usr/lib64/libcrypto.so.1 ; chmod 755 /var/lib -R
Thank you, got it working now.
ghost82 Posted September 20, 2021
Sorry to hijack the post, but did something change? For the first Win 11 leaked ISO, TPM was not required if Windows 11 was in a VM. Did it become mandatory to install it in a VM?
Chrscool8 Posted September 20, 2021
Yep. Pre-release/beta builds didn't enforce the requirement, but upgrading to or past the actual release needs TPM 2.0 and Secure Boot, or else Windows Update refuses to do so.
ab5g Posted September 21, 2021 (edited)
11 hours ago, ghost82 said: Sorry to hijack the post, but did something change? For the first Win 11 leaked ISO, TPM was not required if Windows 11 was in a VM. Did it become mandatory to install it in a VM?
The latest Developer Beta is enforcing the check. The installer checks for TPM at around 4% and does not proceed if the chip is not found. This is with the help from the members above.
Edited September 21, 2021 by ab5g
Skitals Posted October 4, 2021
On 9/17/2021 at 7:28 PM, okkies said: I got TPM and secure boot working through this guide https://www.linkedin.com/pulse/swtpm-unraid-zoltan-repasi/
TYVM. Retail ISO is out, just updated my Win 10 VM to Win 11 final, no problem, after getting TPM emulation working per the guide. I'm on Unraid 6.9.1.
Norbs Posted October 5, 2021
What happens if you set up an emulated TPM now but you want to switch to the pass-through later when it's out? Will that break an existing install?
JonathanM Posted October 5, 2021
Break may not be the right word, but it will definitely be affected, pretty much the same as if you replaced a motherboard with active TPM. At the very least Bitlocker would need to be recovered; there may be other effects I'm not aware of yet with 11.
M4st3r Posted October 7, 2021 (edited)
Hi all, unfortunately I've been trying the posted solution since yesterday, but I'm stuck at the first step, i.e. the SCRIPT:

ln -s /usr/lib64/libcrypto.so /usr/lib64/libcrypto.so.1
swtpm_ret=1
until [ -f /var/run/libvirt/libvirtd.pid ] && [ $swtpm_ret -eq 0 ]
do
    sleep 10
    which swtpm
    swtpm_ret=$?
done

(For the moment, I have eliminated the part where the symlink is created on the array.) If I look at the script log, this is the output:

ln: failed to create symbolic link '/usr/lib64/libcrypto.so.1': File exists
which: no swtpm in (.:/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin)

Where am I going wrong? Should I set the server BIOS in some special way, or can I leave everything as it is?
Edited October 7, 2021 by M4st3r
Skitals Posted October 7, 2021 (edited)
4 hours ago, M4st3r said: Hi all, unfortunately I've been trying the posted solution since yesterday, but I'm stuck at the first step, i.e. the SCRIPT: (For the moment, I have eliminated the part where the symlink is created on the array.) If I look at the script log, this is the output: ln: failed to create symbolic link '/usr/lib64/libcrypto.so.1': File exists / which: no swtpm in (.:/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin) Where am I going wrong? Should I set the server BIOS in some special way, or can I leave everything as it is?
The swtpm module is not installed. You need to download the .txz files, put them in /boot/extra, and reboot. The .txz files in /boot/extra get installed at boot time, so the binaries aren't installed until reboot.
Edited October 7, 2021 by Skitals
M4st3r Posted October 9, 2021
On 10/7/2021 at 3:23 PM, Skitals said: The swtpm module is not installed. You need to download the .txz files, put them in /boot/extra, and reboot. The .txz files in /boot/extra get installed at boot time, so the binaries aren't installed until reboot.
Thanks for the tip. I've just put ALL the files found here https://github.com/rezo552/unraid-swtpm into the dir /boot/extra, I've rebooted, and now the startup script log seems to be OK:

Script Starting Oct 09, 2021 23:29.41
Full logs for this script are available at /tmp/user.scripts/tmpScripts/TPM/log.txt
/usr/bin/swtpm
Script Finished Oct 09, 2021 23:29.51
Full logs for this script are available at /tmp/user.scripts/tmpScripts/TPM/log.txt

...but I cannot find anything in the directory /var/lib/libvirt/swtpm because it's empty!
Skitals Posted October 10, 2021
17 hours ago, M4st3r said: Thanks for the tip. I've just put ALL the files found here https://github.com/rezo552/unraid-swtpm into the dir /boot/extra, I've rebooted, and now the startup script log seems to be OK: Script Starting Oct 09, 2021 23:29.41 / Full logs for this script are available at /tmp/user.scripts/tmpScripts/TPM/log.txt / /usr/bin/swtpm / Script Finished Oct 09, 2021 23:29.51 / Full logs for this script are available at /tmp/user.scripts/tmpScripts/TPM/log.txt ...but I cannot find anything in the directory /var/lib/libvirt/swtpm because it's empty!
You need to add the TPM to your XML and start the VM for the first time for the files to be created. If you get a "Could not run '/usr/bin/swtpm_setup'" error starting the VM, the fix is in this post above (chmod to fix permissions):
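Putting rezo's persistence note and Skitals' boot-order explanation together, here is an added example (not the LinkedIn guide's script and not any poster's code): a user script that waits for libvirtd and swtpm with a bound instead of M4st3r's open-ended loop, moves each per-VM state directory that libvirt creates under /var/lib/libvirt/swtpm to array storage on the first run, and symlinks every persisted directory back after a reboot. The /mnt/user/domains/swtpm path and the SWTPM_* variable names are assumptions.

```shell
#!/bin/bash
# Added example (not the LinkedIn guide's or any poster's script). Keeps the swtpm
# state libvirt creates per VM under /var/lib/libvirt/swtpm across reboots by moving
# it to array storage and symlinking it back. SWTPM_PERSIST is an assumed path.
SWTPM_RUNTIME="${SWTPM_RUNTIME:-/var/lib/libvirt/swtpm}"
SWTPM_PERSIST="${SWTPM_PERSIST:-/mnt/user/domains/swtpm}"

# Wait for libvirtd and the swtpm binary (installed from /boot/extra at boot).
# Bounded so a missing package fails the script instead of looping forever.
wait_for_swtpm() {
    tries=0
    until [ -f /var/run/libvirt/libvirtd.pid ] && command -v swtpm >/dev/null 2>&1; do
        tries=$((tries + 1))
        [ "$tries" -lt "${1:-30}" ] || { echo "swtpm/libvirtd not ready" >&2; return 1; }
        sleep 10
    done
}

# Pass 1: real directories in the runtime path are state the first VM start just
# created; move them to the array and leave a symlink. Pass 2: after a reboot the
# runtime path is empty, so link every persisted state directory back.
sync_swtpm_state() {
    runtime="$1"; persist="$2"
    mkdir -p "$runtime" "$persist"
    for d in "$runtime"/*/; do
        d="${d%/}"
        [ -d "$d" ] && [ ! -L "$d" ] || continue
        name="$(basename "$d")"
        if [ -d "$persist/$name" ]; then
            # The array already holds this VM's TPM identity; a fresh blank state
            # would look like a swapped TPM to Windows, so set it aside instead.
            mv "$d" "$persist/$name.fresh.$(date +%s)"
        else
            mv "$d" "$persist/$name"   # mv copies across filesystems when needed
        fi
        ln -s "$persist/$name" "$d"
    done
    for p in "$persist"/*/; do
        p="${p%/}"
        name="$(basename "$p")"
        case "$name" in *.fresh.*) continue ;; esac
        [ -d "$p" ] || continue
        [ -e "$runtime/$name" ] || [ -L "$runtime/$name" ] || ln -s "$p" "$runtime/$name"
    done
}

# Guarded so the functions can be sourced or tested without touching the real paths.
if [ "${SWTPM_SYNC_RUN:-0}" = "1" ]; then
    wait_for_swtpm 30 && sync_swtpm_state "$SWTPM_RUNTIME" "$SWTPM_PERSIST"
fi
```

Run it as the User Scripts "at first array start" script with SWTPM_SYNC_RUN=1; the first run after starting the VM once moves the UUID directory to the array, later boots only recreate the symlink.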
M4st3r Posted October 11, 2021
Everything done, thanks for the help.
doesntaffect Posted October 15, 2021
Seems like I don't have the extra folder in /boot/. Did you guys create this folder manually? And if so, how? I am using Cloud Commander as primary file manager on my host, but it seems this container has no permissions to create a new folder in /boot/. Any advice? I am running 6.10 RC1. Thanks!
sheldz8 Posted October 15, 2021
Seems like I don't have the extra folder in /boot/. Did you guys create this folder manually? And if so, how? I am using Cloud Commander as primary file manager on my host, but it seems this container has no permissions to create a new folder in /boot/. Any advice? I am running 6.10 RC1. Thanks!
Follow this guide; you just need to edit your VM settings shown in the post. If you want me to share my modified ISO link, I can: https://forums.unraid.net/index.php?/topic/114471-Windows-10-VM-missing-Secure-boot-and-TPM-for-Windows-11-upgrade&do=findComment&comment=1044181
It's better than messing with unRAID settings.
Sent from my SM-A305F using Tapatalk
alturismo Posted October 15, 2021
21 minutes ago, doesntaffect said: Any advice? I am running 6.10 RC1
As it seems you prefer GUI etc.: in the unRAID Main tab, click the Flash Drive, enable it as an SMB share, then create your folder. But I still would suggest waiting until @limetech finally releases its RC2 including the changes.
doesntaffect Posted October 15, 2021
Thanks @alturismo. I came across the other thread and will wait for RC2, since I don't want to mess with the rollback of the manual changes once swTPM becomes official. Meanwhile, I updated the VMs this morning with an ISO file where I removed the TPM requirements (used NTLite). That's a hassle to do every few weeks, so I cross fingers that RC2 isn't too far out.
alturismo Posted October 15, 2021
25 minutes ago, doesntaffect said: few weeks so I cross fingers that RC2 isn't too far out.
Well, I also thought it should be out by now. I can say it works flawlessly, and I guess @limetech just wants to put more updates into it and that's why it takes a little longer, but it makes life (later) sure a lot easier.
TCMapes Posted October 21, 2021
Does it matter where I put this in my VM XML? Is there a certain location I should put these?

<loader readonly='yes' type='pflash'>/mnt/disk1/domains/Windows 10/OVMF_CODE.fd</loader>
<nvram>/mnt/disk1/domains/Windows 10/OVMF_VARS.fd</nvram>
<tpm model='tpm-tis'>
  <backend type='emulator' version='2.0'/>
  <alias name='tpm0'/>
</tpm>