<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    How do I install swtpm?<br>
    Is it a package in my repo or do I need to compile the source code?<br>
    I don't use libvirt; I run a qemu script to launch Windows 10.<br>
    How do I tell qemu that it needs to use it?<br>
    Is it an additional switch on the command line?<br>
    Thanks<br>
    <br>
    <br>
    <div class="moz-cite-prefix">On 8/3/21 2:20 AM, Brett Peckinpaugh
      wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:CAHqR-v_xzgsL4aiz36KbsRvaEHPsD=gqa37=85qLQgDEf00EQA@mail.gmail.com">
      <meta http-equiv="content-type" content="text/html; charset=UTF-8">
      <div dir="ltr">I found my issue: it was mainly that I was still using
        the i440fx and needed to switch to q35, which required a bit
        more work. As I had to rebuild and reinstall Windows, I used
        the secure boot OVMF, and with that I should be, if I decide to,
        100% Windows 11 compliant.  You will need to install swtpm and
        might have to correct some permissions based on your install
        and on what user, and its permissions, is running your qemu
        and libvirt.</div>
      <br>
      <div class="gmail_quote">
        <div dir="ltr" class="gmail_attr">On Mon, Aug 2, 2021 at 9:39 PM
          Roger Lawhorn <<a href="mailto:rll@twc.com"
            moz-do-not-send="true">rll@twc.com</a>> wrote:<br>
        </div>
        <blockquote class="gmail_quote" style="margin:0px 0px 0px
          0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
          <div> We are all facing a forced upgrade to Windows 11 so we
            must answer this question.<br>
            Thanks for asking it.<br>
            I am not familiar with TPM in virt machines so I decline to
            comment.<br>
            <br>
            <div>On 7/2/21 2:03 AM, Brett Peckinpaugh wrote:<br>
            </div>
            <blockquote type="cite">
              <div dir="ltr">With Win 11 coming I figured I would spend
                a bit of time tinkering and see if I could be ready if I
                decided it isn't the junk OS that every other Windows OS
                is.  I run a guest with OVMF for UEFI and pass through a
                PCIe video card.  Everything works fine.
                <div><br>
                </div>
                <div>Challenge I am running into is I installed swtpm,
                  then added a software TPM to my guest.  System boots
                  and runs fine but the TPM fails to start in the
                  Windows guest with a code of 10.  From Linux it all
                  looks good.  Windows events just say generic failure
                  messages.</div>
                <div><br>
                </div>
                <div>To confuse me more, I have a server with a guest
                  running Windows that is just virtual.  Added the TPM
                  and it shows up and is working on that guest.  Host is
                  Manjaro flavor of Arch.</div>
                <div><br>
                </div>
                <div>Linux logs for the TPM seem good.  Any ideas?  I
                  tried to boot using a secure boot enabled version of
                  OVMF and guest would not even start.</div>
                <div><br>
                </div>
                <div>Starting vTPM manufacturing as root:root @ Thu 01
                  Jul 2021 10:48:40 PM PDT<br>
                  Successfully created RSA 2048 EK with handle
                  0x81010001.<br>
                    Invoking /usr/share/swtpm/swtpm-localca --type ek
                  --ek
                  --dir
                  /var/lib/libvirt/swtpm/5e3c8d62-c0ef-41d7-9b7f-cddf618df88a/tpm2
                  --logfile
                  /var/log/swtpm/libvirt/qemu/Megaera-swtpm.log --vmid
                  Megaera:5e3c8d62-c0ef-41d7-9b7f-cddf618df88a
                  --tpm-spec-family 2.0 --tpm-spec-level 0
                  --tpm-spec-revision 162 --tpm-manufacturer id:00001014
                  --tpm-model swtpm --tpm-version id:20191023 --tpm2
                  --configfile /etc/swtpm-localca.conf --optsfile
                  /etc/swtpm-localca.options<br>
                  Successfully created EK certificate locally.<br>
                    Invoking /usr/share/swtpm/swtpm-localca --type
                  platform --ek
ac3b97418acfd724aed5d9dcc0f0e10a1a90b04ab21525115e7bb00009b9ea63525acc5ac367deef59d99620f129417f21e1419edaebd8b1f385a5b874b463d744c609b2f4c6fc00bfe5712bea7d7506e29ba8b4cb34e1b3c90d3f5a1805ba52628751aef659959d12a33d5238ec82bfa0b04ebab52bde403c9291f80a949de6303af04aa1a706ca4b054f45e94d4749b729ddf2b50849abaae1f681c3bb48ddfce1166fd804b9197d14af5fff9a52e48b0707916091516ed67c4c1e519b51478ecc25c89d9ad7a6f1e29e263b35cb54ca75ebe8bc2d7a82a3f262108abc75592467ccf5defe9e46f3706cc90ae67a4b38910e61a05ff62a9d3ec383bd352143
                  --dir
                  /var/lib/libvirt/swtpm/5e3c8d62-c0ef-41d7-9b7f-cddf618df88a/tpm2
                  --logfile
                  /var/log/swtpm/libvirt/qemu/Megaera-swtpm.log --vmid
                  Megaera:5e3c8d62-c0ef-41d7-9b7f-cddf618df88a
                  --tpm-spec-family 2.0 --tpm-spec-level 0
                  --tpm-spec-revision 162 --tpm-manufacturer id:00001014
                  --tpm-model swtpm --tpm-version id:20191023 --tpm2
                  --configfile /etc/swtpm-localca.conf --optsfile
                  /etc/swtpm-localca.options<br>
                  Successfully created platform certificate locally.<br>
                  Successfully created NVRAM area 0x1c00002 for RSA 2048
                  EK certificate.<br>
                  Successfully created NVRAM area 0x1c08000 for platform
                  certificate.<br>
                  Successfully created ECC EK with handle 0x81010016.<br>
                    Invoking /usr/share/swtpm/swtpm-localca --type ek
                  --ek
x=0ecc2c9a02316295724304fcdeb9802c6d2f2d5fa40c34717ea9ff64f4d5e969c79f6eaba9bf4f8e6c67416057542a7e,y=6d54604b00bbbc83f8e9d02983c3486514218c9eabf29dbfc692058506828b299cec8605be490173ebe1727719ff5c90,id=secp384r1
                  --dir
                  /var/lib/libvirt/swtpm/5e3c8d62-c0ef-41d7-9b7f-cddf618df88a/tpm2
                  --logfile
                  /var/log/swtpm/libvirt/qemu/Megaera-swtpm.log --vmid
                  Megaera:5e3c8d62-c0ef-41d7-9b7f-cddf618df88a
                  --tpm-spec-family 2.0 --tpm-spec-level 0
                  --tpm-spec-revision 162 --tpm-manufacturer id:00001014
                  --tpm-model swtpm --tpm-version id:20191023 --tpm2
                  --configfile /etc/swtpm-localca.conf --optsfile
                  /etc/swtpm-localca.options<br>
                  Successfully created EK certificate locally.<br>
                  Successfully created NVRAM area 0x1c00016 for ECC EK
                  certificate.<br>
                  Successfully activated PCR banks sha1,sha256 among
                  sha1,sha256,sha384,sha512.<br>
                  Successfully authored TPM state.<br>
                  Ending vTPM manufacturing @ Thu 01 Jul 2021 10:48:40
                  PM PDT<br>
                </div>
              </div>
              <br>
              <fieldset></fieldset>
              <pre>_______________________________________________
vfio-users mailing list
<a href="mailto:vfio-users@redhat.com" target="_blank" moz-do-not-send="true">vfio-users@redhat.com</a>
<a href="https://listman.redhat.com/mailman/listinfo/vfio-users" target="_blank" moz-do-not-send="true">https://listman.redhat.com/mailman/listinfo/vfio-users</a>
</pre>
            </blockquote>
            <br>
          </div>
        </blockquote>
      </div>
    </blockquote>
    <br>
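    <p>Added example, not part of the original thread and not code from any poster: a sketch of wiring swtpm into a hand-written QEMU launch script without libvirt, using the q35 machine type the quoted reply found necessary and checking the state-directory permissions that reply warns about. The directory path, socket name and function names are assumptions; it expects swtpm and qemu-system-x86_64 to be installed already.</p>

```shell
#!/bin/sh
# Added example. Paths and function names are constructed for illustration.

# swtpm keeps the emulated TPM's keys and NVRAM in its state directory, so
# accept it only if it is a directory owned by the invoking user with mode 700.
tpm_state_dir_ok() {
    dir=$1
    [ -d "$dir" ] || return 1
    # ls -ldn prints: mode links uid gid ...; numeric uid avoids name lookups.
    set -- $(ls -ldn -- "$dir")
    case $1 in
        drwx------*) ;;   # a trailing '.' or '+' marker may follow the mode
        *) return 1 ;;
    esac
    [ "$3" = "$(id -u)" ]
}

# Command that starts the TPM 2.0 emulator; run it before QEMU, as the same user.
swtpm_cmd() {
    printf 'swtpm socket --tpm2 --tpmstate dir=%s --ctrl type=unixio,path=%s/swtpm-sock' "$1" "$1"
}

# Extra QEMU switches: q35 machine plus a TIS TPM device backed by that socket.
qemu_tpm_args() {
    printf '%s' "-machine q35 -chardev socket,id=chrtpm,path=$1/swtpm-sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis,tpmdev=tpm0"
}

# Print the two launch steps, or refuse when the state directory is too open.
launch_plan() {
    if ! tpm_state_dir_ok "$1"; then
        echo "refusing: $1 must be a directory owned by uid $(id -u) with mode 700"
        return 1
    fi
    echo "1) $(swtpm_cmd "$1")"
    echo "2) qemu-system-x86_64 $(qemu_tpm_args "$1") ...your existing VM options"
}

# Demo on a constructed, throwaway state directory.
demo_dir=$(mktemp -d)
chmod 700 "$demo_dir"
launch_plan "$demo_dir"
rm -rf "$demo_dir"
```

    <p>If your script already passes <code>-machine</code> or <code>-M</code>, merge q35 into that option instead of adding a second one.</p>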
  </body>
</html>