Virtualizing Windows 11 and TPM 2.0 requirement


ashman70


On 9/18/2021 at 7:28 AM, okkies said:

I got TPM and secure boot working through this guide

https://www.linkedin.com/pulse/swtpm-unraid-zoltan-repasi/msinfo32_INzmdSm6Ja.thumb.png.2e44516fa9731369eff9a8e3c9ae25a9.png

 

I placed the 3 packages in /boot/extra and nothing happens after a reboot. The /var/lib/libvirt/swtpm directory is empty. Do you know why?

 

EDIT: I am running 6.10-RC1

 

root@Server:/boot/extra# ls -al
total 2640
drwx------  2 root root   16384 Sep 20 13:36 ./
drwx------ 13 root root   16384 Jan  1  1970 ../
-rw-------  1 root root  190644 Sep 20 13:33 libseccomp.txz
-rw-------  1 root root 1781908 Sep 20 13:33 libtpms.txz
-rw-------  1 root root  673376 Jul  3 03:10 swtpm_final.txz

root@Server:/var/lib/libvirt/swtpm# ls -al
total 0
drwxr-xr-x  2 root root  40 May  6 03:31 ./
drwxr-xr-x 10 root root 200 May  6 03:31 ../
root@Jarvis:/var/lib/libvirt/swtpm#

 

 

 

Edited by ab5g

Did you run the user script?

59 minutes ago, ab5g said:

Did you run the user script, and did you make the edits in your config?

 

1 hour ago, okkies said:


I did make the edits in my XML. On booting the VM, should it not create the directory in /var/lib/libvirt/swtpm first, which should then be used in the script?

I don't suppose I can use the script before the directory in /var/lib/libvirt/swtpm is created.

I have added the OVMF files to the VM and the XML edits for the TPM chip. This is a Windows 11 VM.
When I start the VM I get an error:

 

internal error: Could not run '/usr/bin/swtpm_setup'. exitstatus: 1; Check error log '/var/log/swtpm/libvirt/qemu/Windows 11-swtpm.log' for details.

 

 

# cat /var/log/swtpm/libvirt/qemu/Windows\ 11-swtpm.log
Starting vTPM manufacturing as root:tss @ Mon Sep 20 16:10:52 2021
Error: Could not start the TPM 2.
Error: An error occurred. Authoring the TPM state failed.
Ending vTPM manufacturing @ Mon Sep 20 16:10:57 2021
Starting vTPM manufacturing as root:tss @ Mon Sep 20 16:15:14 2021
Error: Could not start the TPM 2.
Error: An error occurred. Authoring the TPM state failed.
Ending vTPM manufacturing @ Mon Sep 20 16:15:19 2021

 

Edited by ab5g
55 minutes ago, ab5g said:


 

 

Yeah, I wrote this in my article:

"When you first start up the virtual machine, at runtime it will create a folder under /var/lib/libvirt/swtpm/, something like /var/lib/libvirt/swtpm/141d5517-bb66-23b3-6373-c4288xxxxxx. You need to make sure that you copy this whole folder into the VM storage area and symlink it back on the next boot, as /var/lib/libvirt/swtpm/ is not persistent."

 

Anyway, to do a quick test (most probably it's a permission issue), you could do:

ln -s /usr/lib64/libcrypto.so /usr/lib64/libcrypto.so.1
chmod 755 /var/lib -R

 

 

 

52 minutes ago, rezo said:

 


Thank you, got it working now.

11 hours ago, ghost82 said:

Sorry to hijack the post, but did something change? For the first leaked Win 11 ISO, TPM was not required if Windows 11 was in a VM; did it become mandatory to install it in a VM?

The latest Developer Beta is enforcing the check. The installer checks for TPM at around 4% and does not proceed if the chip is not found.

This is with help from the members above.

Edited by ab5g

Hi all, unfortunately I've been trying the posted solution since yesterday, but I'm stuck at the first step, i.e. the SCRIPT:

 

ln -s /usr/lib64/libcrypto.so /usr/lib64/libcrypto.so.1
swtpm_ret=1
until [ -f /var/run/libvirt/libvirtd.pid ] && [ $swtpm_ret -eq 0 ]
do
    sleep 10
    which swtpm
    swtpm_ret=$?
done

(for the moment, I have eliminated the part where the symlink is created on the array).

If I look at the script log, this is the output:

 

ln: failed to create symbolic link '/usr/lib64/libcrypto.so.1': File exists
which: no swtpm in (.:/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin)

 

Where am I going wrong? Should I set the server BIOS in some special way or can I leave everything as it is?

Edited by M4st3r
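rezo's persistence step (copy the <uuid> folder to the array and symlink it back after a reboot) combined with the wait loop from the user script above, as an added example that is not rezo's script or code from the unraid-swtpm project; the RUNTIME_DIR and PERSIST_DIR paths and the function names are assumptions.

```shell
#!/bin/bash
# Added example, not rezo's script or code from the unraid-swtpm project.
# Assumed paths (adjust to your array): RUNTIME_DIR is the non-persistent
# directory libvirt fills with <vm-uuid>/ on first VM start, PERSIST_DIR is
# the copy kept on the array that survives a reboot.
RUNTIME_DIR="${RUNTIME_DIR:-/var/lib/libvirt/swtpm}"
PERSIST_DIR="${PERSIST_DIR:-/mnt/user/domains/swtpm}"

# Same wait as the user script: libvirtd up and swtpm (from the /boot/extra
# packages) on PATH, otherwise swtpm_setup fails when the VM starts.
wait_for_libvirt() {
    until [ -f /var/run/libvirt/libvirtd.pid ] && command -v swtpm >/dev/null 2>&1; do
        sleep 10
    done
}

# save_state [RUNTIME] [PERSIST]: copy every real <uuid>/ directory (skipping
# symlinks we created ourselves) to the array. The state holds the VM's TPM
# secrets (BitLocker keys are sealed to it), so the copy is owner-only.
save_state() {
    local runtime="${1:-$RUNTIME_DIR}" persist="${2:-$PERSIST_DIR}" d
    mkdir -p "$persist" && chmod 700 "$persist"
    for d in "$runtime"/*/; do
        d="${d%/}"
        [ -d "$d" ] && [ ! -L "$d" ] || continue
        cp -a "$d" "$persist/"
    done
}

# restore_state [RUNTIME] [PERSIST]: symlink each saved <uuid>/ back into the
# runtime directory so libvirt reuses it instead of manufacturing a new TPM.
# An existing live directory is never overwritten.
restore_state() {
    local runtime="${1:-$RUNTIME_DIR}" persist="${2:-$PERSIST_DIR}" d name
    mkdir -p "$runtime"
    for d in "$persist"/*/; do
        d="${d%/}"
        [ -d "$d" ] || continue
        name="$(basename "$d")"
        [ -e "$runtime/$name" ] || ln -s "$d" "$runtime/$name"
    done
}

# No argument: only define the functions (so the file can be sourced).
case "${1:-}" in
    restore) wait_for_libvirt && restore_state ;;
    save)    save_state ;;
esac
```

Run "restore" from the user script before the VM boots and "save" after each clean shutdown, since the TPM state changes while the VM runs and a lost state directory means Windows loses everything sealed to that TPM.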
4 hours ago, M4st3r said:

  


 

The swtpm module is not installed. You need to download the .txz files, put them in /boot/extra, and reboot. The .txz files in /boot/extra get installed at boot time, so the binaries aren't installed until you reboot.

Edited by Skitals
On 10/7/2021 at 3:23 PM, Skitals said:

 


Thanks for the tip.
I've just put ALL the files found here https://github.com/rezo552/unraid-swtpm into the dir /boot/extra and rebooted, and now the startup script log seems to be ok:

 

Script Starting Oct 09, 2021 23:29.41
Full logs for this script are available at /tmp/user.scripts/tmpScripts/TPM/log.txt
/usr/bin/swtpm
Script Finished Oct 09, 2021 23:29.51
Full logs for this script are available at /tmp/user.scripts/tmpScripts/TPM/log.txt

 

...but I cannot find anything in the directory /var/lib/libvirt/swtpm because it's empty!

17 hours ago, M4st3r said:


 

You need to add the TPM to your XML and start the VM for the first time for the files to be created. If you get the "Could not run '/usr/bin/swtpm_setup'" error when starting the VM, the fix is in the post above (chmod to fix permissions).

 

Seems like I don't have the extra folder in /boot/.

Did you guys create this folder manually? And if so, how? I am using Cloud Commander as the primary file manager on my host, but it seems this container has no permissions to create a new folder in /boot/.

Any advice? I am running 6.10 RC1.

Thanks!
Follow this guide; you just need to edit your VM settings as shown in the post.

If you want me to share my modified ISO link, I can:
https://forums.unraid.net/index.php?/topic/114471-Windows-10-VM-missing-Secure-boot-and-TPM-for-Windows-11-upgrade&do=findComment&comment=1044181

It's better than messing with Unraid settings.




Does it matter where I put this in my VM XML? Is there a certain location I should put these?

 

<loader readonly='yes' type='pflash'>/mnt/disk1/domains/Windows 10/OVMF_CODE.fd</loader>
<nvram>/mnt/disk1/domains/Windows 10/OVMF_VARS.fd</nvram>

<tpm model='tpm-tis'>
  <backend type='emulator' version='2.0'/>
  <alias name='tpm0'/>
</tpm>
