how to enable Win 11 Secure Boot on OVMF TPM enabled bios?



  • 4 months later...

  

On 6/5/2023 at 5:04 PM, ghost82 said:

It's not, read carefully, there are files attached ready to be used, or alternatively instructions to build yours.

 

Hi, thank you so much for the instruction, although it is relatively simple to follow, there are some instructions where I'm having issues following.. when you say mount the vdisk, where do you plug in below code?

terminal?

where would "/path/to/mount/" be, could it be any folder within a share? I tried mounting it via adding the vdisk in windows, but it didn't work...

mount /path/to/vdisk.img /path/to/mount/

 

Link to comment
8 hours ago, takkkkkkk said:

terminal?

Yes, unraid terminal (mount is a linux command)

8 hours ago, takkkkkkk said:

where would "/path/to/mount/" be, could it be any folder within a share? I tried mounting it via adding the vdisk in windows, but it didn't work...

Not sure I understood..the vdisk has to be saved somewhere that could be accessed by the host (unraid) with read/write permissions.

To see if your share folder "works" try to access it with the cd command in the unraid terminal (cd /path/to/the/share) and try to create a file (touch test.txt).

If it doesn't work, choose another folder or fix what doesn't work.

Edited by ghost82
Link to comment

i got it to work, at least i thought i did ..

 

oh first i should say i am doing the same thing.

 

i was at first using a virtual TPM like in the instructions.  i had to reset the bitlocker and i am not sure if it was the virtual TPM or resetting the bitlocker or something else.  like the system not being able to see 'serial'/'servicetag', but although i could login with my work account and almost everything worked. the system ripped out my 'personal' machine cert from certlm.msc and that prevented my work vpn from working.

 

as i was typing this i seem to remember a way to passthrough the system serial? maybe i saw that in a video by 'spaceinvader one'?

EDIT* found the thing i was thinking of and will add it to my next attempt, i hope it helps: 'wmic csproduct get UUID'

 

i am going to try again. but this time passthrough the TPM on first boot. oh i forgot to mention i am passing through an nvme drive where this install is. and the install must be done from the bare metal.  then boot back into unraid.

 

i am going to edit and passthrough the TPM without it ever seeing a virtual one. any idea if i should tell it that it is TIS or CRB?

and try to do that serial thing, which i hope i am not misremembering.

 

the only issue is i am going away for a week and a bit, but when i get back and if i can get it all going, i would certainly be happy to help you. that is if you haven't already got it all figured out.

 

 

Edited by xtrap225
Link to comment
33 minutes ago, xtrap225 said:

i am going to edit and passthrough the TPM without it ever seeing a virtual one. any idea if i should tell it that it is TIS or CRB?

and try to do that serial thing, which i hope i am not misremembering.

When you passthrough the tpm device you need to choose a model.

In this example:

<devices>
  <tpm model='tpm-tis'>
    <backend type='passthrough'>
      <device path='/dev/tpm0'/>
    </backend>
  </tpm>
</devices>

 

you are passing through a tpm device located at /dev/tpm0 'tis' type.

If the device is crb just use 'tpm-crb' instead of 'tpm-tis' for the model.

Link to comment
9 hours ago, ghost82 said:

Yes, unraid terminal (mount is a linux command)

Not sure I understood..the vdisk has to be saved somewhere that could be accessed by the host (unraid) with read/write permissions.

To see if your share folder "works" try to access it with the cd command in the unraid terminal (cd /path/to/the/share) and try to create a file (touch test.txt).

If it doesn't work, choose another folder or fix what doesn't work.

I'm used to simple windows ways where mounting an image/iso would mean windows would simply create "C:" or "D:" so that I can access it, I never thought of being asked of "where do you want to mount to", it just doesn't really click to me that it wouldn't automatically get mounted as another unassigned devices. Once it gets mounted, does it act as folder within share? this concept seems really unusual to me...

 

Edited by takkkkkkk
Link to comment
1 hour ago, ghost82 said:

When you passthrough the tpm device you need to choose a model.

In this example:

<devices>
  <tpm model='tpm-tis'>
    <backend type='passthrough'>
      <device path='/dev/tpm0'/>
    </backend>
  </tpm>
</devices>

 

you are passing through a tpm device located at /dev/tpm0 'tis' type.

If the device is crb just use 'tpm-crb' instead of 'tpm-tis' for the model.

how can you know which is correct?

Link to comment
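
One way to answer the question above from the Unraid terminal, as an added example that is not part of the thread: the script reads the kernel driver bound to the host TPM and its spec version from sysfs, then applies the TIS/CRB rule from ghost82's reply. The function names and the sample tree are constructed for illustration; in libvirt the `model` attribute names the interface that is presented to the guest.

```bash
#!/bin/bash
# Added example, not from the thread. Paths follow the Linux sysfs layout.

# host_tpm_info DIR -> "<kernel driver> <TPM major version>", e.g. "tpm_crb 2"
host_tpm_info() {
    local dir=$1 link ver
    # device/driver is a symlink to the kernel driver bound to the TPM.
    link=$(readlink "$dir/device/driver") || { echo "none unknown"; return 1; }
    # tpm_version_major is missing on older kernels.
    ver=$(cat "$dir/tpm_version_major" 2>/dev/null) || ver=unknown
    echo "${link##*/} $ver"
}

# suggest_model DIR -> value for <tpm model='...'>, using the rule from the
# reply above (host TIS -> tpm-tis, host CRB -> tpm-crb).
suggest_model() {
    local drv ver
    read -r drv ver <<EOF
$(host_tpm_info "$1")
EOF
    case $drv in
        tpm_crb)  echo tpm-crb ;;
        tpm_tis*) echo tpm-tis ;;   # tpm_tis and its bus variants
        *)        echo unknown; return 1 ;;
    esac
}

# Constructed sample: a fake entry shaped like /sys/class/tpm/tpm0.
make_sample() {   # make_sample ROOT DRIVER VERSION
    mkdir -p "$1/tpm0/device"
    ln -sfn "../../../bus/platform/drivers/$2" "$1/tpm0/device/driver"
    echo "$3" > "$1/tpm0/tpm_version_major"
}

demo=$(mktemp -d)
make_sample "$demo" tpm_crb 2
echo "sample: $(host_tpm_info "$demo/tpm0") -> model=$(suggest_model "$demo/tpm0")"
rm -rf "$demo"

# On the Unraid host itself:
if [ -e /sys/class/tpm/tpm0 ]; then
    echo "host: $(host_tpm_info /sys/class/tpm/tpm0) -> model=$(suggest_model /sys/class/tpm/tpm0)"
fi
```
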
34 minutes ago, takkkkkkk said:

I'm used to simple windows ways where mounting an image/iso would mean windows would simply create "C:" or "D:" so that I can access it, I never thought of being asked of "where do you want to mount to", it just doesn't really click to me that it wouldn't automatically get mounted as another unassigned devices. Once it gets mounted, does it act as folder within share? this concept seems really unusual to me...

The tutorial refers to mounting the img disk in the host (unraid). In linux in general, you create an empty folder and you mount the img inside that folder (the mounting point): files on the disk will be shown inside the mounting point, and you will have read/write permissions.

If you mount the img in windows I think you will have only read permissions, but I may be wrong.

Link to comment
5 hours ago, ghost82 said:

The tutorial refers to mounting the img disk in the host (unraid). In linux in general, you create an empty folder and you mount the img inside that folder (the mounting point): files on the disk will be shown inside the mounting point, and you will have read/write permissions.

If you mount the img in windows I think you will have only read permissions, but I may be wrong.

thank you, how do I know if I have successfully mounted? I have typed below in the terminal, and I didn't get any returns...

 

root@ZEUS:~# mount /mnt/aegis/domains/test/vdisk.img /mnt/aegis/domains/test/test/
root@ZEUS:~#

 

Link to comment
15 hours ago, ghost82 said:

No errors means it's mounted successfully.

Then you need to use linux commands in the terminal, cp to copy files, ls to list files etc.

thank you!!! it looks like it is working. TBH I do think this is way more technical than it needs to be, but your instruction has greatly helped.

Link to comment
58 minutes ago, takkkkkkk said:

TBH I do think this is way more technical than it needs to be

I agree, but take into account that secure boot must be SECURE, so it should be outside of unraid scope to include a VARS file with injected certificates with sec boot enabled, because unraid will have the private key of those certificates, so not secure!

Link to comment
  • 3 weeks later...

sorry i just wanted to come back and say all the moving of files etc is no longer necessary as it is built into the latest q35 efi settings  already on unraid.  i tested the available procedure against what is just built into unraid. and i think  you will find you can just change the settings to secure and it will work.

 

the thing that i needed to make it work for my work was to add one line to the <os>..</os> .. This took a ton of time and research and  many re-images.

<smbios mode='host'/>

which passes through block 0 and block 1 of the smbios, which is basically vendor, version, release, serial, manufacturer, etc.

 

this allowed the Microsoft intune company portal to work even more properly, because it served back my 'machine' certificate back to my certlm.msc>Personal>Certificates folder.  this was a requirement to get my VPN working.

 

also  i would decrypt my bitlocker. then run a company portal sync to get it to re-encrypt and no longer have to use the bitlocker recovery key.

 

considering the above this may NOT be necessary but i also opted to passthrough my tpm as follows

 

    <tpm model='tpm-tis'>
      <backend type='passthrough'>
        <device path='/dev/tpmrm0'/>
      </backend>
      <alias name='tpm0'/>
    </tpm>

Link to comment
  • 2 weeks later...

Well... f-me I guess. I just spent an entire day setting up my work VM. After manually adding serial numbers and device ID's and whatnot into the XML, by way of <smbios mode = sysinfo> and I was finally able to extract a CSV that our IT department was able to import into Entra. And it worked! All except Secure Boot, so I had to manually install the company portal app. This is now telling me I have a couple of days to whip my PC into shape, or the access is revoked. 

 

You're saying secure boot is feasible by just passing through the TPM?

Link to comment

do you need secureboot only or bitlocker as well?

i actually switched from using pass-through to this for bitlocker. but if you don't need bitlocker then i would do either and disable bitlocker.

also that is an example encryption secret from the webpage i got the xml info from.. put your own in, obviously

<tpm model='tpm-tis'>
  <backend type='emulator' version='2.0'>
    <encryption secret='6dd3e4a5-1d76-44ce-961f-f119f5aad935'/>
    <active_pcr_banks>
      <sha256/>
    </active_pcr_banks>
  </backend>
</tpm>

Link to comment
  • 1 month later...
  • 2 months later...

It is actually maddening that they allow you to select Windows 11 as an option for making a VM yet it doesn't work out of box.

 

Windows 11 issues because secure boot is disabled and cannot be enabled without jumping through hoops.

 

Just remove the Windows 11 option, save lots of headache, I can do custom all day, but I EXPECT an option to work if it's presented.

Edited by Hammerfest
Link to comment
