[vfio-users] UEFI Windows and SWTPM

Roger Lawhorn rll at twc.com
Tue Aug 3 04:30:57 UTC 2021 

We are all facing a forced upgrade to windows 11 so we must answer this 
question.
Thanks for asking it.
I am not familiar with TPM in virt machines so I decline to comment.

On 7/2/21 2:03 AM, Brett Peckinpaugh wrote:
> With Win 11 coming I figured I would spend a bit of time tinkering and 
> see I could be ready if I decided it isn't the junk OS that every 
> other windows OS is.  I run a guest with OVMF for UEFI and pass 
> through a PCIE video card.  Everything works fine.
>
> Challenge I am running into is I installed swtpm, then added a 
> software TPM to my guest.  System boots and runs fine but the TPM 
> fails to start in the Windows guest with a code of 10.  From Linux it 
> all looks good.  Windows events just say generic failure messages.
>
> To confuse me more, I have a server with a guest running windows that 
> is just virtual.  Added the TPM and it shows up and is working on that 
> guest.  Host is Manjaro flavor of Arch.
>
> Linux logs for the TPM seems good.  Any ideas?  I tried to boot using 
> a secure boot enabled version of OVMF and guest would not even start.
>
> Starting vTPM manufacturing as root:root @ Thu 01 Jul 2021 10:48:40 PM PDT
> Successfully created RSA 2048 EK with handle 0x81010001.
>   Invoking /usr/share/swtpm/swtpm-localca --type ek --ek 
> ac3b97418acfd724aed5d9dcc0f0e10a1a90b04ab21525115e7bb00009b9ea63525acc5ac367deef59d99620f129417f21e1419edaebd8b1f385a5b874b463d744c609b2f4c6fc00bfe5712bea7d7506e29ba8b4cb34e1b3c90d3f5a1805ba52628751aef659959d12a33d5238ec82bfa0b04ebab52bde403c9291f80a949de6303af04aa1a706ca4b054f45e94d4749b729ddf2b50849abaae1f681c3bb48ddfce1166fd804b9197d14af5fff9a52e48b0707916091516ed67c4c1e519b51478ecc25c89d9ad7a6f1e29e263b35cb54ca75ebe8bc2d7a82a3f262108abc75592467ccf5defe9e46f3706cc90ae67a4b38910e61a05ff62a9d3ec383bd352143 
> --dir /var/lib/libvirt/swtpm/5e3c8d62-c0ef-41d7-9b7f-cddf618df88a/tpm2 
> --logfile /var/log/swtpm/libvirt/qemu/Megaera-swtpm.log --vmid 
> Megaera:5e3c8d62-c0ef-41d7-9b7f-cddf618df88a --tpm-spec-family 2.0 
> --tpm-spec-level 0 --tpm-spec-revision 162 --tpm-manufacturer 
> id:00001014 --tpm-model swtpm --tpm-version id:20191023 --tpm2 
> --configfile /etc/swtpm-localca.conf --optsfile /etc/swtpm-localca.options
> Successfully created EK certificate locally.
>   Invoking /usr/share/swtpm/swtpm-localca --type platform --ek 
> ac3b97418acfd724aed5d9dcc0f0e10a1a90b04ab21525115e7bb00009b9ea63525acc5ac367deef59d99620f129417f21e1419edaebd8b1f385a5b874b463d744c609b2f4c6fc00bfe5712bea7d7506e29ba8b4cb34e1b3c90d3f5a1805ba52628751aef659959d12a33d5238ec82bfa0b04ebab52bde403c9291f80a949de6303af04aa1a706ca4b054f45e94d4749b729ddf2b50849abaae1f681c3bb48ddfce1166fd804b9197d14af5fff9a52e48b0707916091516ed67c4c1e519b51478ecc25c89d9ad7a6f1e29e263b35cb54ca75ebe8bc2d7a82a3f262108abc75592467ccf5defe9e46f3706cc90ae67a4b38910e61a05ff62a9d3ec383bd352143 
> --dir /var/lib/libvirt/swtpm/5e3c8d62-c0ef-41d7-9b7f-cddf618df88a/tpm2 
> --logfile /var/log/swtpm/libvirt/qemu/Megaera-swtpm.log --vmid 
> Megaera:5e3c8d62-c0ef-41d7-9b7f-cddf618df88a --tpm-spec-family 2.0 
> --tpm-spec-level 0 --tpm-spec-revision 162 --tpm-manufacturer 
> id:00001014 --tpm-model swtpm --tpm-version id:20191023 --tpm2 
> --configfile /etc/swtpm-localca.conf --optsfile /etc/swtpm-localca.options
> Successfully created platform certificate locally.
> Successfully created NVRAM area 0x1c00002 for RSA 2048 EK certificate.
> Successfully created NVRAM area 0x1c08000 for platform certificate.
> Successfully created ECC EK with handle 0x81010016.
>   Invoking /usr/share/swtpm/swtpm-localca --type ek --ek 
> x=0ecc2c9a02316295724304fcdeb9802c6d2f2d5fa40c34717ea9ff64f4d5e969c79f6eaba9bf4f8e6c67416057542a7e,y=6d54604b00bbbc83f8e9d02983c3486514218c9eabf29dbfc692058506828b299cec8605be490173ebe1727719ff5c90,id=secp384r1 
> --dir /var/lib/libvirt/swtpm/5e3c8d62-c0ef-41d7-9b7f-cddf618df88a/tpm2 
> --logfile /var/log/swtpm/libvirt/qemu/Megaera-swtpm.log --vmid 
> Megaera:5e3c8d62-c0ef-41d7-9b7f-cddf618df88a --tpm-spec-family 2.0 
> --tpm-spec-level 0 --tpm-spec-revision 162 --tpm-manufacturer 
> id:00001014 --tpm-model swtpm --tpm-version id:20191023 --tpm2 
> --configfile /etc/swtpm-localca.conf --optsfile /etc/swtpm-localca.options
> Successfully created EK certificate locally.
> Successfully created NVRAM area 0x1c00016 for ECC EK certificate.
> Successfully activated PCR banks sha1,sha256 among 
> sha1,sha256,sha384,sha512.
> Successfully authored TPM state.
> Ending vTPM manufacturing @ Thu 01 Jul 2021 10:48:40 PM PDT
>
> _______________________________________________
> vfio-users mailing list
> vfio-users at redhat.com
> https://listman.redhat.com/mailman/listinfo/vfio-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/vfio-users/attachments/20210803/6c629a99/attachment.htm>

More information about the vfio-users mailing list