takkkkkkk, posted June 5:
I have a VM connected to my company's domain, and my company changed their policy to force all connected PCs to have Windows Secure Boot. Although I rebuilt my VM with OVMF TPM, I can't figure out how to enable Secure Boot. Could someone help me understand what I may have to do?
takkkkkkk (author), posted June 5:
25 minutes ago, ghost82 said:
Oh wow, this looks super complicated...
ghost82, posted June 5:
It's not. Read carefully: there are files attached ready to be used, or alternatively instructions to build yours.
takkkkkkk (author), posted November 1:
On 6/5/2023 at 5:04 PM, ghost82 said: It's not. Read carefully: there are files attached ready to be used, or alternatively instructions to build yours.
Hi, thank you so much for the instructions. Although they are relatively simple to follow, there are some I'm having issues following. When you say mount the vdisk, where do you type in the code below? The terminal? Where would "/path/to/mount/" be; could it be any folder within a share? I tried mounting it via adding the vdisk in Windows, but it didn't work...
    mount /path/to/vdisk.img /path/to/mount/
ghost82, posted November 2 (edited):
8 hours ago, takkkkkkk said: terminal?
Yes, the Unraid terminal (mount is a Linux command).
8 hours ago, takkkkkkk said: Where would "/path/to/mount/" be; could it be any folder within a share? I tried mounting it via adding the vdisk in Windows, but it didn't work...
Not sure I understood. The vdisk has to be saved somewhere that can be accessed by the host (Unraid) with read/write permissions. To see if your share folder "works", try to access it with the cd command in the Unraid terminal (cd /path/to/the/share) and try to create a file (touch test.txt). If it doesn't work, choose another folder or fix what doesn't work.
xtrap225, posted November 2 (edited):
I got it to work, at least I thought I did... Oh, first I should say I am doing the same thing. I was at first using a virtual TPM like in the instructions. I had to reset the BitLocker, and I am not sure if it was the virtual TPM or resetting the BitLocker or something else, like the system not being able to see 'serial'/'servicetag'. Although I could log in with my work account and almost everything worked, the system ripped out my 'personal' machine cert from certlm.msc, and that prevented my work VPN from working.
As I was typing this I seem to remember a way to pass through the system serial? Maybe I saw that in a video by 'spaceinvader one'?
EDIT: found the thing I was thinking of and will add it to my next attempt; I hope it helps: 'wmic csproduct get UUID'
I am going to try again, but this time pass through the TPM on first boot. Oh, I forgot to mention I am passing through an NVMe drive where this install is, and the install must be done from the bare metal, then boot back into Unraid. I am going to edit and pass through the TPM without it ever seeing a virtual one. Any idea if I should tell it that it is TIS or CRB? And try to do that serial thing, which I hope I am not misremembering.
The only issue is I am going away for a week and a bit, but when I get back, and if I can get it all going, I would certainly be happy to help you. That is, if you haven't already got it all figured out.
ghost82, posted November 2:
33 minutes ago, xtrap225 said: I am going to edit and pass through the TPM without it ever seeing a virtual one. Any idea if I should tell it that it is TIS or CRB? And try to do that serial thing, which I hope I am not misremembering.
When you pass through the TPM device you need to choose a model. In this example:
    <devices>
      <tpm model='tpm-tis'>
        <backend type='passthrough'>
          <device path='/dev/tpm0'/>
        </backend>
      </tpm>
    </devices>
you are passing through a TPM device located at /dev/tpm0 of 'tis' type. If the device is CRB, just use 'tpm-crb' instead of 'tpm-tis' for the model.
takkkkkkk (author), posted November 2 (edited):
9 hours ago, ghost82 said: Yes, the Unraid terminal (mount is a Linux command). Not sure I understood. The vdisk has to be saved somewhere that can be accessed by the host (Unraid) with read/write permissions. To see if your share folder "works", try to access it with the cd command in the Unraid terminal (cd /path/to/the/share) and try to create a file (touch test.txt). If it doesn't work, choose another folder or fix what doesn't work.
I'm used to the simple Windows way, where mounting an image/ISO means Windows simply creates "C:" or "D:" so that I can access it. I never thought of being asked "where do you want to mount to"; it just doesn't really click for me that it wouldn't automatically get mounted as another unassigned device. Once it gets mounted, does it act as a folder within a share? This concept seems really unusual to me...
xtrap225, posted November 2:
1 hour ago, ghost82 said: When you pass through the TPM device you need to choose a model. In this example:
    <devices>
      <tpm model='tpm-tis'>
        <backend type='passthrough'>
          <device path='/dev/tpm0'/>
        </backend>
      </tpm>
    </devices>
you are passing through a TPM device located at /dev/tpm0 of 'tis' type. If the device is CRB, just use 'tpm-crb' instead of 'tpm-tis' for the model.
How can you know which is correct?
ghost82, posted November 2:
TIS and CRB are interfaces exposed by the TPM. Either you check the hardware specifications, or you simply try one or the other and see if it is detected.
ghost82, posted November 2:
34 minutes ago, takkkkkkk said: I'm used to the simple Windows way, where mounting an image/ISO means Windows simply creates "C:" or "D:" so that I can access it. I never thought of being asked "where do you want to mount to"; it just doesn't really click for me that it wouldn't automatically get mounted as another unassigned device. Once it gets mounted, does it act as a folder within a share? This concept seems really unusual to me...
The tutorial refers to mounting the img disk in the host (Unraid). In Linux in general, you create an empty folder and you mount the img inside that folder (the mount point): files on the disk will be shown inside the mount point, and you will have read/write permissions. If you mount the img in Windows I think you will have only read permissions, but I may be wrong.
takkkkkkk (author), posted November 2:
5 hours ago, ghost82 said: The tutorial refers to mounting the img disk in the host (Unraid). In Linux in general, you create an empty folder and you mount the img inside that folder (the mount point): files on the disk will be shown inside the mount point, and you will have read/write permissions. If you mount the img in Windows I think you will have only read permissions, but I may be wrong.
Thank you. How do I know if I have successfully mounted? I have typed the below in the terminal, and I didn't get anything back...
    root@ZEUS:~# mount /mnt/aegis/domains/test/vdisk.img /mnt/aegis/domains/test/test/
    root@ZEUS:~#
ghost82, posted November 2 (edited):
No errors means it's mounted successfully. Then you need to use Linux commands in the terminal: cp to copy files, ls to list files, etc.
takkkkkkk (author), posted November 3:
15 hours ago, ghost82 said: No errors means it's mounted successfully. Then you need to use Linux commands in the terminal: cp to copy files, ls to list files, etc.
Thank you!!! It looks like it is working. TBH I do think this is way more technical than it needs to be, but your instructions have greatly helped.
ghost82, posted November 3:
58 minutes ago, takkkkkkk said: TBH I do think this is way more technical than it needs to be
I agree, but take into account that Secure Boot must be SECURE, so it should be outside of Unraid's scope to include a VARS file with injected certificates and Secure Boot enabled, because Unraid would have the private key of those certificates, so not secure!
xtrap225, posted November 20:
Sorry, I just wanted to come back and say all the moving of files etc. is no longer necessary, as it is built into the latest Q35 EFI settings already on Unraid. I tested the available procedure against what is just built into Unraid, and I think you will find you can just change the settings to secure and it will work.
The thing that I needed to make it work for my work was to add one line to the <os>..</os> section. This took a ton of time and research and many re-images.
    <smbios mode='host'/>
This passes through block 0 and block 1 of the SMBIOS, which is basically vendor, version, release, serial, manufacturer, etc. etc. This allowed the Microsoft Intune Company Portal to work even more properly, because it served my 'machine' certificate back to my certlm.msc > Personal > Certificates folder. This was a requirement to get my VPN working. Also, I would decrypt my BitLocker, then run a Company Portal sync to get it to re-encrypt and no longer have to use the BitLocker recovery key.
Considering the above this may NOT be necessary, but I also opted to pass through my TPM as follows:
    <tpm model='tpm-tis'>
      <backend type='passthrough'>
        <device path='/dev/tpmrm0'/>
      </backend>
      <alias name='tpm0'/>
    </tpm>
KaiUno, posted Monday at 07:29 PM:
Well... f-me I guess. I just spent an entire day setting up my work VM. After manually adding serial numbers and device IDs and whatnot into the XML, by way of <smbios mode='sysinfo'/>, I was finally able to extract a CSV that our IT department was able to import into Entra. And it worked! All except Secure Boot, so I had to manually install the Company Portal app. This is now telling me I have a couple of days to whip my PC into shape, or the access is revoked. You're saying Secure Boot is feasible by just passing through the TPM?
xtrap225, posted Thursday at 10:25 PM:
Do you need Secure Boot only, or BitLocker as well? I actually switched from using pass-through to this for BitLocker. But if you don't need BitLocker, then I would do either and disable BitLocker. Also, that is an example encryption secret from the web page I got the XML info from; put your own in, obviously.
    <tpm model='tpm-tis'>
      <backend type='emulator' version='2.0'>
        <encryption secret='6dd3e4a5-1d76-44ce-961f-f119f5aad935'/>
        <active_pcr_banks>
          <sha256/>
        </active_pcr_banks>
      </backend>
    </tpm>
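An added check, not code from this thread or from Unraid: it parses a libvirt domain XML and reports which of the settings the thread converged on (TPM model and backend, SMBIOS mode, the tutorial's example secret left in place) are missing or suspicious. The `<loader secure='yes'>` and `<smm state='on'/>` checks are libvirt's documented Secure Boot requirements rather than something stated in the posts above, and the OVMF loader path in the constructed sample is a placeholder.

```python
import xml.etree.ElementTree as ET

# UUID that the post above labels as the tutorial's example secret (must be replaced).
TUTORIAL_EXAMPLE_SECRET = "6dd3e4a5-1d76-44ce-961f-f119f5aad935"

# Constructed sample built from the fragments in this thread; the loader path is a placeholder.
GOOD_XML = """<domain type='kvm'>
  <os>
    <loader readonly='yes' secure='yes' type='pflash'>/PLACEHOLDER/OVMF_CODE.secboot.fd</loader>
    <smbios mode='host'/>
  </os>
  <features><acpi/><smm state='on'/></features>
  <devices><tpm model='tpm-tis'><backend type='passthrough'><device path='/dev/tpmrm0'/></backend></tpm></devices>
</domain>"""

def check_secure_boot(xml_text):
    """Return findings for a libvirt domain XML; an empty list means all checks passed."""
    root = ET.fromstring(xml_text)
    findings = []
    loader = root.find("./os/loader")          # Secure Boot needs a secure-capable OVMF
    if loader is None or loader.get("secure") != "yes":
        findings.append("os/loader lacks secure='yes'")
    smm = root.find("./features/smm")          # libvirt requires SMM when secure='yes'
    if smm is None or smm.get("state") != "on":
        findings.append("features/smm state='on' is missing")
    smbios = root.find("./os/smbios")          # host/sysinfo so the guest sees serial, UUID etc.
    if smbios is None or smbios.get("mode") not in ("host", "sysinfo"):
        findings.append("os/smbios mode='host' (or 'sysinfo') is missing")
    tpms = root.findall("./devices/tpm")
    if len(tpms) != 1:
        return findings + [f"expected exactly one <tpm>, found {len(tpms)}"]
    tpm = tpms[0]
    if tpm.get("model") not in ("tpm-tis", "tpm-crb"):
        findings.append(f"TPM model {tpm.get('model')!r} is not tpm-tis or tpm-crb")
    backend = tpm.find("backend")
    btype = backend.get("type") if backend is not None else None
    if btype == "passthrough":                 # real TPM: needs a /dev/tpm* node
        dev = backend.find("device")
        if dev is None or not dev.get("path", "").startswith("/dev/tpm"):
            findings.append("passthrough backend needs <device path='/dev/tpm0'/> or /dev/tpmrm0")
    elif btype == "emulator":                  # swtpm: version 2.0 and a secret of your own
        if backend.get("version") != "2.0":
            findings.append("emulator backend should be version='2.0'")
        enc = backend.find("encryption")
        if enc is not None and enc.get("secret") == TUTORIAL_EXAMPLE_SECRET:
            findings.append("encryption secret is the tutorial's example UUID; define your own")
    else:
        findings.append(f"TPM backend type {btype!r} is neither passthrough nor emulator")
    return findings
```

Run it against the output of `virsh dumpxml <vm>` on the Unraid host; an empty result means the firmware, SMBIOS and TPM settings discussed above are all present.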