TPM for KVM please?

25 minutes ago, esaru said:

Hey,

 

I followed the swTPM guide (link below) and installed Windows 11. Could someone explain what parts I need to undo (and how) when the new unraid version hits and we have this functionality built in? I don't have Bitlocker activated.

 

Really don't want to break anything or leave some problematic stuff behind.

 

https://www.linkedin.com/pulse/swtpm-unraid-zoltan-repasi/

 

 

You have to undo basically everything you've done, change the BIOS type to OVMF-TPM in the VM template and then reactivate Windows again.

But I really can't tell if it is working properly after you did this since I've not tested this and that is just a guess.

 

That's why I don't recommend installing through this method and wait for the official way.


I guess people just want to get a bit more info (timelines) on when the swTPM unraid version will be released. If it's indeed just a few days like you mentioned, then it is indeed better and easier to wait. But if it's weeks, or even months, then I can imagine some people can't wait.

 

 

31 minutes ago, ich777 said:

You have to undo basically everything you've done, change the BIOS type to OVMF-TPM in the VM template and then reactivate Windows again.

But I really can't tell if it is working properly after you did this since I've not tested this and that is just a guess.

 

That's why I don't recommend installing through this method and wait for the official way.

 

As @itimpi said it will be part of 6.10.0-RC2 and I can only recommend waiting a few more days.

Sent from my C64

  • Like 1
39 minutes ago, ich777 said:

You have to undo basically everything you've done, change the BIOS type to OVMF-TPM in the VM template and then reactivate Windows again.

But I really can't tell if it is working properly after you did this since I've not tested this and that is just a guess.

 

That's why I don't recommend installing through this method and wait for the official way.

Ok so this is what I need to do?

 

1. Remove the swTPM binaries from /boot/extra. Do I need to uninstall them somehow? If so, how?

 

2. Delete the script (or at least change it so that it doesn't run at startup). Do I need to undo any changes made by the script manually or is this solved by just rebooting?

 

3. Undo the changes in the VM xml.

 

I'm not really worried about any effects on the VM itself. I can easily just do a clean install if needed. I just want my unraid install to be pristine :)

 

Yes, just undo everything.
As said, a reactivation of Windows may be necessary.

Sent from my C64

  • Like 2
4 minutes ago, esaru said:

1. Remove the swTPM binaries from /boot/extra.

Just remove

5 minutes ago, esaru said:

2. Delete the script (or at least change it so that it doesn't run at startup). Do I need to undo any changes made by the script manually or is this solved by just rebooting?

Just delete, script changes are reset at boot

5 minutes ago, esaru said:

3. Undo the changes in the VM xml.

Yes

  • Like 2
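For step 3 (undo the changes in the VM XML), here is an added example, not from the thread or the swTPM guide, that checks a libvirt domain XML for the emulated TPM device such a guide adds and returns a copy without it. It assumes the guide used the standard libvirt form (`<tpm model='tpm-crb'>` with an `emulator` backend); the sample domain XML below is constructed for the example, and the file-path usage is a hypothetical wrapper around output of `virsh dumpxml`.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample domain XML (not from the thread): a minimal KVM domain
# with the emulated TPM element a swTPM guide adds under <devices>.
SAMPLE_XML = """<domain type='kvm'>
  <name>Windows 11</name>
  <os>
    <type arch='x86_64' machine='q35'>hvm</type>
  </os>
  <devices>
    <tpm model='tpm-crb'>
      <backend type='emulator' version='2.0'/>
    </tpm>
    <graphics type='vnc' port='-1'/>
  </devices>
</domain>
"""

def find_tpm_devices(domain_xml):
    """List every <tpm> device under <devices> as (model, backend type, version)."""
    root = ET.fromstring(domain_xml)
    found = []
    for tpm in root.findall("./devices/tpm"):
        backend = tpm.find("backend")
        found.append((
            tpm.get("model"),
            backend.get("type") if backend is not None else None,
            backend.get("version") if backend is not None else None,
        ))
    return found

def strip_tpm_devices(domain_xml):
    """Return (domain XML without any <tpm> device, number of devices removed)."""
    root = ET.fromstring(domain_xml)
    devices = root.find("devices")
    removed = 0
    if devices is not None:
        # Copy the list first: removing while iterating skips siblings.
        for tpm in list(devices.findall("tpm")):
            devices.remove(tpm)
            removed += 1
    return ET.tostring(root, encoding="unicode"), removed

if __name__ == "__main__":
    # Hypothetical usage: python3 check_tpm.py domain.xml  (file from `virsh dumpxml`)
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    for model, backend, version in find_tpm_devices(xml_text):
        print(f"manually added TPM device: model={model} backend={backend} version={version}")
```

A clean result (no `<tpm>` device listed) is the state to be in before switching the template's BIOS type to the built-in OVMF-TPM option.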
30 minutes ago, ghost82 said:

Just remove

Just delete, script changes are reset at boot

Yes

Thank you!

 

Some people mentioned that this guide breaks their dockers. Could this be the reason that my jackett docker randomly stopped working? It boots up alright, log seems fine but I can't access the webui.

Maybe...
I haven't looked into what the script does.

Also don't understand why this is even needed.

As said I would recommend reverting the changes, maybe reboot unRAID and wait for RC2. ;)

Sent from my C64


I don't understand why UNRAID can't release a TPM patch for 6.9.2. Win 11 has been out for a while and the requirements have been known long before that.

We are being told to wait just a few more days for weeks.  I don't care about any of the changes in the 6.10 but this seems quite significant :(

Edited by Norbs
7 hours ago, Norbs said:

I don't understand why UNRAID can't release a TPM patch for 6.9.2. Win 11 has been out for a while and the requirements have been known long before that.

Because this is not a security issue but a feature addition.

What is mandatory for you (running win11) should not be mandatory for others.

For me running mac os is mandatory, so should I ask unraid to include a patch with the opencore bootloader? I think no...

Moreover if you want to run win11 with 6.9.2, you can.

 

  • Like 1
2 hours ago, ghost82 said:

Because this is not a security issue but a feature addition.

What is mandatory for you (running win11) should not be mandatory for others.

For me running mac os is mandatory, so should I ask unraid to include a patch with the opencore bootloader? I think no...

Moreover if you want to run win11 with 6.9.2, you can.

 


Running Windows is not a new feature. If running OSX were possible, but the new OSX version came out and didn't work, I am sure it would be more annoying for you.

I understand the point; what I don't understand is: if they see that the new release takes this much time, a patch would be possible. As far as I understand that patch has been ready for a long time, so I guess the release is blocked because of some other feature. Why can't we get an interim release then? 6.10-RC1.2 or anything similar with the TPM patch but without the others?

Edited by Norbs
22 minutes ago, Norbs said:

As far as I understand that patch is ready for a long time

I can only speak for myself, and I started looking into it at the beginning of October: how swTPM works and also how to support BitLocker without recovering the drive every time you reboot the host (unRAID). BitLocker is possible with the current method, but you have to recover the drive every time you reboot the host.

 

The other way also involves creating a user script that may break your Dockers <- this is something I can't confirm, but if you read back in the thread you will see that some users reported that some Docker containers are broken on reboot with the other way.

 

22 minutes ago, Norbs said:

some other feature

Please also keep in mind a template needs to be created for Windows 11 and a more or less easy way of upgrading or changing the BIOS type from the VM to the new TPM type is also needed, this also involves writing tutorials on how to do this step by step and so on...

Keep in mind this is all time consuming and needs to be tested so that everything is working correctly and not breaking anything.

 

22 minutes ago, Norbs said:

Running Windows is not a new feature

But the requirement for TPM and that secure boot is available is. ;)

 

 

Keep in mind this is all from my perspective as a community developer.

  • Like 3
21 minutes ago, Norbs said:

I understand the point; what I don't understand is: if they see that the new release takes this much time, a patch would be possible

You call it "patch", but it's not a patch!

 

If you are worried about reverting changes after following the tutorial to enable tpm and use ovmf compatible secure boot uefi bios, why don't you install win11 with the registry hacks to bypass them?

A friend of mine told me he was able to receive patch tuesday update too.

Once unraid is upgraded you can add tpm and change the ovmf uefi bios type.

  • Like 4