TPM for KVM please?


NLS

5 minutes ago, alturismo said:

 

no big deal, with the next unraid update it'll work again (also on the insiders dev channel users here ;))

and also easy and nice to handle with existing VMs, like @ich777 already pointed out, give it a few days ... windows won't stop working now ;)


You mean you know for a fact that a fix is coming in 6.10?
(haven't checked the beta threads)


I can say I made a lot of tests with @ich777 and it looks all good to be coming soon (very).

It's now a matter of making it as easy as possible through the webgui, which is also pretty far done, so no manual actions would be needed.

Here from 1 of 3 VMs running simultaneously incl. vTPM etc. ... so more than 1 VM at a time is also working flawlessly.

Tested on a rBar RTX 3070 VM (gaming), a GT 1030 desktop VM and a gvt-g VM (home office), all good, so just be a little patient ;)

25 minutes ago, okkies said:

already got TPM working with this 

Please note that when TPM gets integrated into unRAID itself (this would be sooner than soon ;) ) you have to undo everything and maybe reinstall Windows 11 fresh or, if you encrypted the drive with BitLocker, recover the drive; but if you got it working already I think the necessary steps to undo the changes that you've made so far shouldn't be much of an issue for you.

 

Also this script isn't really necessary...

49 minutes ago, ich777 said:

Please note that when TPM gets integrated into unRAID itself (this would be sooner than soon ;) ) you have to undo everything and maybe reinstall Windows 11 fresh or, if you encrypted the drive with BitLocker, recover the drive; but if you got it working already I think the necessary steps to undo the changes that you've made so far shouldn't be much of an issue for you.

 

Also this script isn't really necessary...

yeah, but I needed it now for my cloned work laptop. Now is earlier than sooner than soon :P
I backed up the recovery keys on a separate drive; also I presume next week when I see an Unraid update I'll first disable the TPM, then upgrade :P

24 minutes ago, Skrumpy said:

Is this unRAID update allowing pass-through or is everything going to be emulated?

For now it is emulated, haven't got time yet to look into how to pass through a real TPM device, but when the new unRAID version drops, passthrough should also be possible. ;)

28 minutes ago, ich777 said:

For now it is emulated, haven't got time yet to look into how to pass through a real TPM device, but when the new unRAID version drops, passthrough should also be possible. ;)

 

Gotta check latest beta, as I am not sure how to interpret your statement. :D
You know for a fact that they will implement those in the very next update?

On 10/5/2021 at 5:11 PM, NLS said:

Gotta check latest beta

The only thing that you maybe have to do is that you have to add a "new" VM with the same settings and the same vdisk as you have right now in your current VM but with the OVMF TPM BIOS so that the TPM emulation kicks in like:


When you have done this, delete the "old" VM but keep the vdisks.

Please also keep in mind that you maybe have to reactivate Windows if you do it like that but that would be the easiest way to do it and if you have linked your VM to your Microsoft account you should be able to recover the activation/key.

 

Hope I explained that in an understandable way...

 

This changed a little bit to make the switching experience a little easier.

The things that are necessary are that your current installation from Windows 10/11 is OVMF based and you've linked your Windows 10 VM to your Microsoft account to reactivate Windows after you've switched from "OVMF" to "OVMF-TPM".

 

If you have a SeaBIOS VM you can convert that to OVMF with a little more steps involved.

14 minutes ago, ich777 said:

The only thing that you maybe have to do is that you have to add a "new" VM with the same settings and the same vdisk as you have right now in your current VM but with the OVMF TPM BIOS so that the TPM emulation kicks in like:


When you have done this, delete the "old" VM but keep the vdisks.

 

Hope I explained that in an understandable way...

Hello, how do I get this? I would like to test this BETA. My Unraid is 6.9.2; do I need to install the Beta 6.10.0-rc1 to use the OVMF TPM? Please advise.

14 minutes ago, ich777 said:

The only thing that you maybe have to do is that you have to add a "new" VM with the same settings and the same vdisk as you have right now in your current VM but with the OVMF TPM BIOS so that the TPM emulation kicks in like:


When you have done this, delete the "old" VM but keep the vdisks.

 

Hope I explained that in an understandable way...

 

Do you need to take a note and use the same UUID as well so that Windows remains activated? I vaguely remember having an issue a while back and that was the answer?

9 minutes ago, Ryu091 said:

Hello, how do I get this? I would like to test this BETA. My Unraid is 6.9.2; do I need to install the Beta 6.10.0-rc1 to use the OVMF TPM? Please advise.

As said above, in the next beta release, you have to wait until it's released.

 

10 minutes ago, trig229 said:

Do you need to take a note and use the same UUID as well so that Windows remains activated? I vaguely remember having an issue a while back and that was the answer?

That may be possible but if you've linked the VM to your Microsoft account you should be able to recover it.

On 10/3/2021 at 3:30 AM, okkies said:

yeah, but I needed it now for my cloned work laptop. Now is earlier than sooner than soon :P
I backed up the recovery keys on a separate drive; also I presume next week when I see an Unraid update I'll first disable the TPM, then upgrade :P

Cloned work laptop!! What's the use for it? I am interested :)

On 10/5/2021 at 5:58 PM, Ryu091 said:

My Unraid is 6.9.2; do I need to install the Beta 6.10.0-rc1 to use the OVMF TPM?

Advice is to wait for official unraid to be released with ovmf secure boot + tpm support, but if you can't wait, you can emulate tpm and run windows 11 also with 6.9.2; all you need to do is to add to the xml the emulated tpm (put inside <devices></devices> section):

<tpm model='tpm-tis'>
  <backend type='emulator' version='2.0'/>
</tpm>

 

AND add the additional swtpm as described here:

https://www.linkedin.com/pulse/swtpm-unraid-zoltan-repasi/

 

AND use OVMF compiled with secure boot and tpm flags.

If you want to compile yourself:

Or if you like "black boxes" just download the attached files and edit your vm xml template to point to these OVMF_CODE_SECBOOT.fd and OVMF_VARS_SECBOOT.fd

 

Note: secure boot is not enabled in these files, but capable, windows 11 will not complain about it.

If you need secure boot enabled (but really...you want it??) you need to use the EnrollDefaultKeys.efi run from inside a uefi shell.

EnrollDefaultKeys will inject microsoft certificates.

 

Another way is to download and extract the edk2 rpm file from the fedora 36 package:

https://kojipkgs.fedoraproject.org//packages/edk2/20210527gite1999b264f1f/3.fc36/noarch/edk2-ovmf-20210527gite1999b264f1f-3.fc36.noarch.rpm

 

This is v. 202105, not the latest.

Then extract files from the rpm:

rpm2cpio edk2-ovmf-20210527gite1999b264f1f-3.fc36.noarch.rpm | cpio -idmv

 

And you will find OVMF_CODE.secboot.fd and OVMF_VARS.secboot.fd inside ExtractedDirectory/usr/share/edk2/ovmf/

 

Again, point the xml code of the vm template to these files.

Files from Fedora have Secure Boot enabled, certificates are already imported.

 

At the time of writing, to install windows 11 without "hacks", the bios (ovmf) must be secure boot "capable", and you must have a tpm device (emulated or passed through), enough ram and storage (I didn't test these, but this should not be a great issue, just increase them if storage/ram is not enough).

 

Luckily unsupported cpus are not a stopper!

OVMF_202108_Stable_RELEASE_TPM_SECBOOT.zip

Edited by ghost82
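The two procedures above (ich777's "switch the VM to OVMF-TPM" and ghost82's "add the emulated TPM to the XML and point the loader at a Secure-Boot-capable OVMF") both boil down to a handful of checks against the libvirt domain XML, plus one question the post raises that the XML cannot answer: is the firmware merely Secure Boot *capable* (the attached files) or actually *enabled* (the Fedora files)? The following is an added example, not code from Unraid, libvirt or any poster here. It parses a domain XML, adds the post's `<tpm>` block only if it is missing, reports the readiness checks, and, for a Linux guest, reads the `SecureBoot` and `SetupMode` UEFI variables from efivarfs to tell the two states apart. The sample XML, its file paths and the sample efivar bytes are constructed; the `secboot`-in-filename heuristic and the 4 GiB RAM floor are assumptions noted in the code.

```python
"""Added example: readiness checks for Windows 11 on KVM as described in the thread.
Not part of Unraid or libvirt; sample data below is constructed."""
import struct
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample domain: an OVMF (pflash) VM that does not yet have a <tpm> device.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>win11-test</name>
  <memory unit='KiB'>8388608</memory>
  <os>
    <type arch='x86_64' machine='pc-q35-5.1'>hvm</type>
    <loader readonly='yes' type='pflash'>/mnt/user/isos/OVMF_CODE_SECBOOT.fd</loader>
    <nvram>/etc/libvirt/qemu/nvram/win11-test_VARS.fd</nvram>
  </os>
  <devices>
    <disk type='file' device='disk'/>
  </devices>
</domain>"""

# libvirt's default unit for <memory> is KiB; the other units it accepts map here.
MEMORY_UNITS = {"b": 1, "bytes": 1, "kb": 1000, "k": 1024, "kib": 1024,
                "mb": 1000**2, "m": 1024**2, "mib": 1024**2,
                "gb": 1000**3, "g": 1024**3, "gib": 1024**3}


def ensure_emulated_tpm(domain_xml):
    """Return the XML with the post's <tpm> block inside <devices>, added only if missing."""
    root = ET.fromstring(domain_xml)
    devices = root.find("devices")
    if devices is None:
        devices = ET.SubElement(root, "devices")
    if devices.find("tpm") is None:
        tpm = ET.SubElement(devices, "tpm", {"model": "tpm-tis"})
        ET.SubElement(tpm, "backend", {"type": "emulator", "version": "2.0"})
    return ET.tostring(root, encoding="unicode")


def _memory_bytes(root):
    mem = root.find("memory")
    if mem is None or not (mem.text or "").strip():
        return 0
    unit = (mem.get("unit") or "KiB").lower()
    return int(mem.text.strip()) * MEMORY_UNITS.get(unit, 1024)


def check_win11_readiness(domain_xml):
    """Report which of the thread's requirements a domain XML already satisfies."""
    root = ET.fromstring(domain_xml)
    tpm = root.find("devices/tpm")
    backend = tpm.find("backend") if tpm is not None else None
    loader = root.find("os/loader")
    loader_path = (loader.text or "").strip() if loader is not None else ""
    return {
        "tpm_present": tpm is not None,
        "tpm2_emulated": backend is not None
        and backend.get("type") == "emulator"
        and backend.get("version") == "2.0",
        "ovmf_pflash_loader": loader is not None and loader.get("type") == "pflash",
        # Assumption: a Secure-Boot-capable build carries "secboot" in its file name,
        # as both builds named in the post do (OVMF_CODE_SECBOOT.fd, OVMF_CODE.secboot.fd).
        "secboot_capable_firmware": "secboot" in loader_path.lower(),
        # Windows 11's published minimum is 4 GiB of RAM.
        "memory_ok": _memory_bytes(root) >= 4 * 1024**3,
    }


# Guest-side check (Linux guest): Secure Boot capable vs. enabled.
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"


def parse_efivar(raw):
    """efivarfs files are a 4-byte little-endian attribute word followed by the data."""
    if len(raw) < 4:
        raise ValueError("efivar file too short")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]


def secure_boot_state(secureboot_raw, setupmode_raw):
    """Combine the SecureBoot and SetupMode variables into one readable state."""
    _, sb = parse_efivar(secureboot_raw)
    _, sm = parse_efivar(setupmode_raw)
    if sm[:1] == b"\x01":          # no PK enrolled yet (EnrollDefaultKeys not run)
        return "capable (setup mode: no keys enrolled)"
    if sb[:1] == b"\x01":          # keys enrolled and enforcement on
        return "enabled"
    return "capable (keys enrolled, enforcement off)"


def read_secure_boot_state(efivars_dir="/sys/firmware/efi/efivars"):
    base = Path(efivars_dir)
    sb = (base / f"SecureBoot-{EFI_GLOBAL_VARIABLE}").read_bytes()
    sm = (base / f"SetupMode-{EFI_GLOBAL_VARIABLE}").read_bytes()
    return secure_boot_state(sb, sm)


# Constructed efivar contents: attributes BS|RT (0x06), then one data byte.
SB_OFF, SB_ON = b"\x06\x00\x00\x00\x00", b"\x06\x00\x00\x00\x01"
SM_SETUP, SM_USER = b"\x06\x00\x00\x00\x01", b"\x06\x00\x00\x00\x00"

if __name__ == "__main__":
    before = check_win11_readiness(SAMPLE_DOMAIN_XML)
    after = check_win11_readiness(ensure_emulated_tpm(SAMPLE_DOMAIN_XML))
    for key in before:
        print(f"{key}: before={before[key]} after={after[key]}")
    print("fresh OVMF_VARS:", secure_boot_state(SB_OFF, SM_SETUP))
    print("Fedora secboot VARS:", secure_boot_state(SB_ON, SM_USER))
```

Run it against a dumped domain (`virsh dumpxml <name>`) before editing the template; the readiness dict tells you which of the thread's three pieces (TPM device, Secure-Boot-capable loader, memory) is still missing, and `ensure_emulated_tpm` is idempotent so re-running it never duplicates the `<tpm>` block. Inside a booted Linux guest, `read_secure_boot_state()` reads the two variables directly from efivarfs.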
On 10/2/2021 at 8:38 PM, ich777 said:

Please note that when TPM gets integrated into unRAID itself (this would be sooner than soon ;) ) you have to undo everything and maybe reinstall Windows 11 fresh or, if you encrypted the drive with BitLocker, recover the drive; but if you got it working already I think the necessary steps to undo the changes that you've made so far shouldn't be much of an issue for you.

 

Also this script isn't really necessary...

 

You mention the script is not really necessary? Because I think it's breaking my docker permissions; on every reboot I have to reinstall some docker containers for them to work
(nzbhydra2, emby, radarr, jackett for example).

I won't have this in the Unraid version? Also I see people mentioning a new beta. How can I get in? I kinda need TPM for work and to take the piss out of the internal IT manager who thought 8GB laptops are fast enough laptops.

Very important stuff!

2 minutes ago, okkies said:

You mention the script is not really necessary? Because I think it's breaking my docker permissions; on every reboot I have to reinstall some docker containers for them to work
(nzbhydra2, emby, radarr, jackett for example).

I won't have this in the Unraid version? Also I see people mentioning a new beta. How can I get in? I kinda need TPM for work and to take the piss out of the internal IT manager who thought 8GB laptops are fast enough laptops.

Very important stuff!

Thanks, now I understand the problem with my Emby docker always being broken....!!!
