[vfio-users] UEFI Windows and SWTPM

Brett Peckinpaugh bp10 at erylflynn.com
Fri Jul 2 06:03:54 UTC 2021


With Win 11 coming I figured I would spend a bit of time tinkering and see if
I could be ready if I decided it isn't the junk OS that every other Windows
OS is.  I run a guest with OVMF for UEFI and pass through a PCIe video
card.  Everything works fine.

The challenge I am running into is that I installed swtpm, then added a
software TPM to my guest.  The system boots and runs fine, but the TPM fails
to start in the Windows guest with a code of 10.  From Linux it all looks
good.  Windows events just say generic failure messages.

To confuse me more, I have a server with a guest running Windows that is
just virtual.  Added the TPM and it shows up and is working on that guest.
Host is Manjaro flavor of Arch.

Linux logs for the TPM seem good.  Any ideas?  I tried to boot using a
secure boot enabled version of OVMF and the guest would not even start.

Starting vTPM manufacturing as root:root @ Thu 01 Jul 2021 10:48:40 PM PDT
Successfully created RSA 2048 EK with handle 0x81010001.
  Invoking /usr/share/swtpm/swtpm-localca --type ek --ek
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
--dir /var/lib/libvirt/swtpm/5e3c8d62-c0ef-41d7-9b7f-cddf618df88a/tpm2
--logfile /var/log/swtpm/libvirt/qemu/Megaera-swtpm.log --vmid
Megaera:5e3c8d62-c0ef-41d7-9b7f-cddf618df88a --tpm-spec-family 2.0
--tpm-spec-level 0 --tpm-spec-revision 162 --tpm-manufacturer id:00001014
--tpm-model swtpm --tpm-version id:20191023 --tpm2 --configfile
/etc/swtpm-localca.conf --optsfile /etc/swtpm-localca.options
Successfully created EK certificate locally.
  Invoking /usr/share/swtpm/swtpm-localca --type platform --ek
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
--dir /var/lib/libvirt/swtpm/5e3c8d62-c0ef-41d7-9b7f-cddf618df88a/tpm2
--logfile /var/log/swtpm/libvirt/qemu/Megaera-swtpm.log --vmid
Megaera:5e3c8d62-c0ef-41d7-9b7f-cddf618df88a --tpm-spec-family 2.0
--tpm-spec-level 0 --tpm-spec-revision 162 --tpm-manufacturer id:00001014
--tpm-model swtpm --tpm-version id:20191023 --tpm2 --configfile
/etc/swtpm-localca.conf --optsfile /etc/swtpm-localca.options
Successfully created platform certificate locally.
Successfully created NVRAM area 0x1c00002 for RSA 2048 EK certificate.
Successfully created NVRAM area 0x1c08000 for platform certificate.
Successfully created ECC EK with handle 0x81010016.
  Invoking /usr/share/swtpm/swtpm-localca --type ek --ek
x=0ecc2c9a02316295724304fcdeb9802c6d2f2d5fa40c34717ea9ff64f4d5e969c79f6eaba9bf4f8e6c67416057542a7e,y=6d54604b00bbbc83f8e9d02983c3486514218c9eabf29dbfc692058506828b299cec8605be490173ebe1727719ff5c90,id=secp384r1
--dir /var/lib/libvirt/swtpm/5e3c8d62-c0ef-41d7-9b7f-cddf618df88a/tpm2
--logfile /var/log/swtpm/libvirt/qemu/Megaera-swtpm.log --vmid
Megaera:5e3c8d62-c0ef-41d7-9b7f-cddf618df88a --tpm-spec-family 2.0
--tpm-spec-level 0 --tpm-spec-revision 162 --tpm-manufacturer id:00001014
--tpm-model swtpm --tpm-version id:20191023 --tpm2 --configfile
/etc/swtpm-localca.conf --optsfile /etc/swtpm-localca.options
Successfully created EK certificate locally.
Successfully created NVRAM area 0x1c00016 for ECC EK certificate.
Successfully activated PCR banks sha1,sha256 among
sha1,sha256,sha384,sha512.
Successfully authored TPM state.
Ending vTPM manufacturing @ Thu 01 Jul 2021 10:48:40 PM PDT