Re: Partial success enabling TPM2 in an existing qemu guest VM

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Sam Varshavchik writes:

Ed Greshko writes:

On 20/09/2021 00:08, Sam Varshavchik wrote:
Is anyone else getting this error in the "Security processor troubleshooting" (21H1, with all updates installed)?

It has been nearly 2 months since I worked on this. But, yes, that is what I was seeing.  No matter what I did I could not get passed that issue.  I gave up and moved on to installing Win11.

I think I figured it out. That message has nothing to do with the TPM chip per se, real or emulated. In "Security Processor" there was a similar, vague message, but with a "more information" link. That goes to a web page, which is full of Microsoftese. Rather than describing what it wants in clear technical terms, it meanders on topics like "basic security requirements", "enhanced security requirements", and similar handwaving. I reread that five times, then I figured out that it wants UEFI+Secure Boot, to make this warning message go away.

All the Win11 press was about the TPM 2.0 requirement, there was no mention of a UEFI+Secure Boot requirement for upgrading, but I wouldn't want to draw any conclusions.

I tried to give one more college try with another, licensed, VM. I found very useful reading material here: https://ogris.de/howtos/windows-uefi- virtio.html

So, I took my other, licensed, Windows 10 VM and tried the same thing I did with the other one, except that this time I also converted the raw disk image to qcow2. Afterwards, like before, I created a new VM from scratch, pointed it to the new disk image and manually added TPM 2.0 hardware. The new VM booted fine.

This looked promising. I shut it down, created a qcow2 snapshot, booted the VM, ran mbr2gpt, as described there, to convert the MBR to GPT. mbr2gpt first claimed that it succeeded, but also complained something about ReAgent.xml, and told me that I need to enable EFI in my firmware, when I reboot. So I shut down the VM, creating another VM, this time selecting the secboot EFI firmware.

Windows did boot, but came up in 640x480 mode with basic drivers, unactivated, and refused to activate, wanting me to pay for a license. The explanation it gave me: new hardware. This was a retail license, though, which should be transferable.

I cut the experiment short, shut down the EFI VM, restored the qcow2 snapshot, and went back to the BIOS VM. It came up fine.

I see two possible reasons: 1) It's been documented how Windows unactivates after what it considers to be too many hardware changes, or maybe 2) it is necessary to update to EFI first, then add a TPM module. The new EFI VM has its own separate TPM module, so Windows doesn't find the same TPM chip it already saw, so it does not activate.

It's unclear if Win11 requires just a TPM chip, or TPM+secure boot. I don't recall anyone mentioning a secure boot requirement, just TPM, which does seem to work, by creating a new VM.

In a couple of months, if neither one of my VMs offer a Win11 upgrade I'll try to switching to an EFI VM, and copy swtpm's data to the new VM's swtpm, before the first boot, and see what happens…



Attachment: pgpReIYgxhNSz.pgp
Description: PGP signature

_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux