Since Microsoft is going to require a TPM module for their new system, are there implications for KVM, VirtualBox and VMware, or has this already been dealt with?
poc
I have successfully installed Win 11 build 21996.1 as a VMware Guest; (used the ISO that was leaked several days ago)
On 02.07.2021 18:02, Patrick O'Callaghan wrote:
Since Microsoft is going to require a TPM module for their new system, are there implications for KVM, VirtualBox and VMware, or has this already been dealt with?
On Fri, 2 Jul 2021 18:24:03 +0200 Walter H. via users wrote:
I have successfully installed Win 11 build 21996.1 as a VMware Guest; (used the ISO that was leaked several days ago)
On 02.07.2021 18:02, Patrick O'Callaghan wrote:
Since Microsoft is going to require a TPM module for their new system, are there implications for KVM, VirtualBox and VMware, or has this already been dealt with?
This article looks promising:
https://www.windowslatest.com/2021/06/28/youll-be-able-to-bypass-windows-11-...
On Fri, 2021-07-02 at 12:30 -0400, Tom Horsley wrote:
On Fri, 2 Jul 2021 18:24:03 +0200 Walter H. via users wrote:
I have successfully installed Win 11 build 21996.1 as a VMware Guest; (used the ISO that was leaked several days ago)
On 02.07.2021 18:02, Patrick O'Callaghan wrote:
Since Microsoft is going to require a TPM module for their new system, are there implications for KVM, VirtualBox and VMware, or has this already been dealt with?
This article looks promising:
https://www.windowslatest.com/2021/06/28/youll-be-able-to-bypass-windows-11-...
I was hoping for something along the lines of a new OVMF release with included TPM support. I'll give it time.
poc
On Fri, 2021-07-02 at 18:24 +0200, Walter H. via users wrote:
I have successfully installed Win 11 build 21996.1 as a VMware Guest; (used the ISO that was leaked several days ago)
On 02.07.2021 18:02, Patrick O'Callaghan wrote:
Since Microsoft is going to require a TPM module for their new system, are there implications for KVM, VirtualBox and VMware, or has this already been dealt with?
OK. Not that interested for now, but I guess I'll try it when it appears.
poc
On 2021-07-02 9:02 a.m., Patrick O'Callaghan wrote:
Since Microsoft is going to require a TPM module for their new system, are there implications for KVM, VirtualBox and VMware, or has this already been dealt with?
qemu has support for a TPM 2.0 either as a passthrough or an emulation. I haven't tested it yet, but I assume it works.
Samuel Sieb writes:
On 2021-07-02 9:02 a.m., Patrick O'Callaghan wrote:
Since Microsoft is going to require a TPM module for their new system, are there implications for KVM, VirtualBox and VMware, or has this already been dealt with?
qemu has support for a TPM 2.0 either as a passthrough or an emulation. I haven't tested it yet, but I assume it works.
Now, if qemu could also emulate the more recent CPUs (that Win11 is rumored as being restricted to) on the older CPUs that Win11 won't support, then I can't decide whether that's going to be awesome, or funny. Or both, since I'm pretty sure that qemu can emulate it (so the awesome part is guaranteed, and the funny part is the only one that's in question).
On 2021-07-02 4:03 p.m., Samuel Sieb wrote:
On 2021-07-02 9:02 a.m., Patrick O'Callaghan wrote:
Since Microsoft is going to require a TPM module for their new system, are there implications for KVM, VirtualBox and VMware, or has this already been dealt with?
qemu has support for a TPM 2.0 either as a passthrough or an emulation. I haven't tested it yet, but I assume it works.
I tested it and Windows 10 let me enable bitlocker, so it definitely accepts it.
On Fri, 2021-07-02 at 23:02 -0700, Samuel Sieb wrote:
On 2021-07-02 4:03 p.m., Samuel Sieb wrote:
On 2021-07-02 9:02 a.m., Patrick O'Callaghan wrote:
Since Microsoft is going to require a TPM module for their new system, are there implications for KVM, VirtualBox and VMware, or has this already been dealt with?
qemu has support for a TPM 2.0 either as a passthrough or an emulation. I haven't tested it yet, but I assume it works.
I tested it and Windows 10 let me enable bitlocker, so it definitely accepts it.
Nice. That would seem to make the whole underlying concept of a TPM absurd, given that you can emulate it (unless that means it has actually been signed by some authority of course).
poc
On July 3, 2021 at 6:38 AM Patrick O'Callaghan pocallaghan@gmail.com wrote:
On Fri, 2021-07-02 at 23:02 -0700, Samuel Sieb wrote:
On 2021-07-02 4:03 p.m., Samuel Sieb wrote:
On 2021-07-02 9:02 a.m., Patrick O'Callaghan wrote:
Since Microsoft is going to require a TPM module for their new system, are there implications for KVM, VirtualBox and VMware, or has this already been dealt with?
qemu has support for a TPM 2.0 either as a passthrough or an emulation. I haven't tested it yet, but I assume it works.
I tested it and Windows 10 let me enable bitlocker, so it definitely accepts it.
Nice. That would seem to make the whole underlying concept of a TPM absurd, given that you can emulate it (unless that means it has actually been signed by some authority of course).
What is a TPM, and does it come with the win 11 package, or must it be obtained elsewhere? --doug
On Sat, 3 Jul 2021 19:46:01 -0400 (EDT) mcgarrett wrote:
What is a TPM, and does it come with the win 11 package, or must it be obtained elsewhere?
It is a piece of hardware that either comes with your motherboard if it is new enough, or you have to add (if it has a header to allow adding) or you can't get at all without buying a new computer.
Apparently all the add-in modules for motherboards which were around $15 before Microsoft announced the requirement are all around $150 now on ebay and out of stock everywhere else :-).
On July 3, 2021 at 7:55 PM Tom Horsley horsley1953@gmail.com wrote:
On Sat, 3 Jul 2021 19:46:01 -0400 (EDT) mcgarrett wrote:
What is a TPM, and does it come with the win 11 package, or must it be obtained elsewhere?
It is a piece of hardware that either comes with your motherboard if it is new enough, or you have to add (if it has a header to allow adding) or you can't get at all without buying a new computer.
Apparently all the add-in modules for motherboards which were around $15 before Microsoft announced the requirement are all around $150 now on ebay and out of stock everywhere else :-).
I'm glad I don't need Windows for anything! If the upgrade turns out to be free, I'll put it on my almost new machine, IF it has the TPM. (How would I know?) --doug
On 2021-07-03 5:14 p.m., mcgarrett wrote:
On July 3, 2021 at 7:55 PM Tom Horsley horsley1953@gmail.com wrote:
On Sat, 3 Jul 2021 19:46:01 -0400 (EDT) mcgarrett wrote:
What is a TPM, and does it come with the win 11 package, or must it be obtained elsewhere?
It is a piece of hardware that either comes with your motherboard if it is new enough, or you have to add (if it has a header to allow adding) or you can't get at all without buying a new computer.
Apparently all the add-in modules for motherboards which were around $15 before Microsoft announced the requirement are all around $150 now on ebay and out of stock everywhere else :-).
I'm glad I don't need Windows for anything! If the upgrade turns out to be free, I'll put it on my almost new machine, IF it has the TPM. (How would I know?) --doug
Anything made in the last few years should have one. If you're running Linux, you can check with "ls /dev/tpm*" or "journalctl | grep -i tpm".
On Sat, 3 Jul 2021 23:09:20 -0700 Samuel Sieb samuel@sieb.net wrote:
On 2021-07-03 5:14 p.m., mcgarrett wrote:
On July 3, 2021 at 7:55 PM Tom Horsley horsley1953@gmail.com wrote:
On Sat, 3 Jul 2021 19:46:01 -0400 (EDT) mcgarrett wrote:
What is a TPM, and does it come with the win 11 package, or must it be obtained elsewhere?
It is a piece of hardware that either comes with your motherboard if it is new enough, or you have to add (if it has a header to allow adding) or you can't get at all without buying a new computer.
Apparently all the add-in modules for motherboards which were around $15 before Microsoft announced the requirement are all around $150 now on ebay and out of stock everywhere else :-).
I'm glad I don't need Windows for anything! If the upgrade turns out to be free, I'll put it on my almost new machine, IF it has the TPM. (How would I know?) --doug
Anything made in the last few years should have one. If you're running Linux, you can check with "ls /dev/tpm*" or "journalctl | grep -i tpm".
Mine is too old?
[~]$ journalctl | grep -i tpm
Jun 17 19:54:01 smicro.local.lan kernel: ima: No TPM chip found, activating TPM-bypass!
...
Jun 25 13:42:31 smicro.local.lan kernel: ima: No TPM chip found, activating TPM-bypass!
Jun 30 15:14:54 smicro.local.lan dracut[141707]: dracut module 'tpm2-tss' will not be installed, because command 'tpm2' could not be found!
Jun 30 15:14:55 smicro.local.lan dracut[141707]: dracut module 'tpm2-tss' will not be installed, because command 'tpm2' could not be found!
Jun 30 15:15:16 smicro.local.lan dracut[141707]: -rw-r--r-- 1 root root 6708 Jun 10 17:56 usr/lib/modules/5.12.13-200.fc33.x86_64/kernel/crypto/asymmetric_keys/asym_tpm.ko.xz
Jun 30 15:15:16 smicro.local.lan dracut[141707]: -rw-r--r-- 1 root root 2072 Jun 10 17:56 usr/lib/modules/5.12.13-200.fc33.x86_64/kernel/crypto/asymmetric_keys/tpm_key_parser.ko.xz
Jun 30 16:57:00 smicro.local.lan kernel: ima: No TPM chip found, activating TPM-bypass!
...
Jul 04 10:58:45 smicro.local.lan kernel: ima: No TPM chip found, activating TPM-bypass!

[~]$ sudo lshw
smicro.local.lan
    description: Desktop Computer
    product: MS-7C37 (To be filled by O.E.M.)
    vendor: Micro-Star International Co., Ltd.
    version: 3.0
    serial: To be filled by O.E.M.
    width: 64 bits
    capabilities: smbios-2.8 dmi-2.8 smp vsyscall32
    configuration: boot=normal chassis=desktop family=To be filled by O.E.M. sku=To be filled by O.E.M. uuid=24B01ED7-4A68-1996-A90D-2CF05DD19CEE
  *-core
       description: Motherboard
       product: X570-A PRO (MS-7C37)
       vendor: Micro-Star International Co., Ltd.
       physical id: 0
       version: 3.0
       serial: 07C3731_KA1C043394
       slot: To be filled by O.E.M.
     *-firmware
          description: BIOS
          vendor: American Megatrends International, LLC.
          physical id: 0
          version: H.C0
          date: 01/25/2021
          size: 64KiB
          capacity: 32MiB
...
          capabilities: pci upgrade shadowing cdboot bootselect socketedrom edd int13floppynec int13floppytoshiba int13floppy360 int13floppy1200 int13floppy720 int13floppy2880 int5printscreen int9keyboard int14serial int17printer int10video acpi usb biosbootspecification uefi
     *-cpu
          description: CPU
          product: AMD Ryzen 5 3400G with Radeon Vega Graphics
          vendor: Advanced Micro Devices [AMD]
          physical id: 15
          bus info: cpu@0
          version: AMD Ryzen 5 3400G with Radeon Vega Graphics
          serial: Unknown
          slot: AM4
          size: 4014MHz
          capacity: 4200MHz
          width: 64 bits
          clock: 100MHz
          capabilities: lm fpu fpu_exception wp vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt pdpe1gb rdtscp x86-64 constant_tsc rep_good nopl nonstop_tsc cpuid extd_apicid aperfmperf pni pclmulqdq monitor ssse3 fma cx16 sse4_1 sse4_2 movbe popcnt aes xsave avx f16c rdrand lahf_lm cmp_legacy svm extapic cr8_legacy abm sse4a misalignsse 3dnowprefetch osvw skinit wdt tce topoext perfctr_core perfctr_nb bpext perfctr_llc mwaitx cpb hw_pstate ssbd ibpb vmmcall fsgsbase bmi1 avx2 smep bmi2 rdseed adx smap clflushopt sha_ni xsaveopt xsavec xgetbv1 xsaves clzero irperf xsaveerptr arat npt lbrv svm_lock nrip_save tsc_scale vmcb_clean flushbyasid decodeassists pausefilter pfthreshold avic v_vmsave_vmload vgif overflow_recov succor smca sme sev sev_es cpufreq
          configuration: cores=4 enabledcores=4 threads=8
On 2021-07-04 2:58 a.m., Bob Marcan wrote:
On Sat, 3 Jul 2021 23:09:20 -0700 Samuel Sieb samuel@sieb.net wrote:
Anything made in the last few years should have one. If you're running Linux, you can check with "ls /dev/tpm*" or "journalctl | grep -i tpm".
Mine is too old?
[~]$ journalctl | grep -i tpm Jun 17 19:54:01 smicro.local.lan kernel: ima: No TPM chip found, activating TPM-bypass!
[~]$ sudo lshw
Interesting, I thought it was a default thing for computers now. Check your BIOS settings, maybe it's disabled.
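The two checks suggested above (TPM device nodes under /dev and the kernel log), combined into one script; this is an added example, not part of any message in the thread. The function names, the `ROOT` argument and the output strings are assumptions made for illustration, and the `tpm_version_major` sysfs attribute is only present on recent kernels.

```shell
#!/bin/sh
# Added example: report whether Linux sees a TPM, using the two checks from
# the thread ("ls /dev/tpm*" and grepping the journal for "tpm").
# ROOT is a hypothetical prefix so the checks can be pointed at a constructed
# directory tree; leave it empty to inspect the running system.

# tpm_devices ROOT: print each TPM device node (e.g. /dev/tpm0, /dev/tpmrm0).
tpm_devices() {
    root=${1:-}
    for dev in "$root"/dev/tpm*; do
        # An unmatched glob stays literal, so test that the path exists.
        if [ -e "$dev" ]; then
            printf '%s\n' "${dev#"$root"}"
        fi
    done
    return 0
}

# tpm_version ROOT: print the TPM spec major version (1 or 2) from sysfs,
# or "unknown" when the kernel does not expose the attribute.
tpm_version() {
    root=${1:-}
    attr="$root/sys/class/tpm/tpm0/tpm_version_major"
    if [ -r "$attr" ] && [ -s "$attr" ]; then
        cat "$attr"
    else
        echo unknown
    fi
}

# kernel_found_no_tpm: read log text on stdin; succeed if IMA logged that it
# found no TPM chip (the message shown in the journalctl output above).
kernel_found_no_tpm() {
    grep -q 'ima: No TPM chip found'
}

# tpm_report ROOT [LOGFILE]: one-line verdict.
#   present ...          a device node exists, so a driver bound to a TPM
#   not-found-by-kernel  no node, and the log says the kernel saw no chip;
#                        the chip may be missing or switched off in firmware
#   absent               no node and no log evidence either way
tpm_report() {
    root=${1:-}
    log=${2:-}
    devs=$(tpm_devices "$root")
    if [ -n "$devs" ]; then
        list=$(printf '%s' "$devs" | tr '\n' ',')
        echo "present version=$(tpm_version "$root") devices=$list"
    elif [ -n "$log" ] && [ -r "$log" ] && kernel_found_no_tpm < "$log"; then
        echo "not-found-by-kernel"
    else
        echo "absent"
    fi
}

# Run against the live system; an optional first argument names a saved
# kernel log, e.g. the output of "journalctl -k".
tpm_report "" "${1:-}"
```

A `not-found-by-kernel` result does not distinguish a board with no TPM from one where the firmware TPM is disabled, which is why the firmware setup is the next place to look.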
On Sat, 2021-07-03 at 23:09 -0700, Samuel Sieb wrote:
On 2021-07-03 5:14 p.m., mcgarrett wrote:
On July 3, 2021 at 7:55 PM Tom Horsley horsley1953@gmail.com wrote:
On Sat, 3 Jul 2021 19:46:01 -0400 (EDT) mcgarrett wrote:
What is a TPM, and does it come with the win 11 package, or must it be obtained elsewhere?
It is a piece of hardware that either comes with your motherboard if it is new enough, or you have to add (if it has a header to allow adding) or you can't get at all without buying a new computer.
Apparently all the add-in modules for motherboards which were around $15 before Microsoft announced the requirement are all around $150 now on ebay and out of stock everywhere else :-).
I'm glad I don't need Windows for anything! If the upgrade turns out to be free, I'll put it on my almost new machine, IF it has the TPM. (How would I know?) --doug
Anything made in the last few years should have one. If you're running Linux, you can check with "ls /dev/tpm*" or "journalctl | grep -i tpm".
My mobo is about 8 years old, so I don't have the hardware, however QEMU/KVM apparently emulates it well enough to fool Windows.
Which as I said earlier, makes the whole thing ridiculous.
poc
On 2021-07-04 9:08 a.m., Patrick O'Callaghan wrote:
On Sat, 2021-07-03 at 23:09 -0700, Samuel Sieb wrote: My mobo is about 8 years old, so I don't have the hardware, however QEMU/KVM apparently emulates it well enough to fool Windows.
Which as I said earlier, makes the whole thing ridiculous.
Why? If you're running it in a VM, you've made a conscious choice to use the emulated TPM. What is ridiculous about that? No matter what the hardware, if you use a VM, you can fool the OS.
On Sun, 2021-07-04 at 10:33 -0700, Samuel Sieb wrote:
On 2021-07-04 9:08 a.m., Patrick O'Callaghan wrote:
On Sat, 2021-07-03 at 23:09 -0700, Samuel Sieb wrote: My mobo is about 8 years old, so I don't have the hardware, however QEMU/KVM apparently emulates it well enough to fool Windows.
Which as I said earlier, makes the whole thing ridiculous.
the hardware, if you use a VM, you can fool the OS.
Indeed, however as I understand it one supposed purpose of a TPM (among others) is to be able to guarantee that the operating system running on the machine has a solid trust base. Quoting from https://en.wikipedia.org/wiki/Trusted_Platform_Module#TPM_implementations:
Software TPMs are software emulators of TPMs that run with no more protection than a regular program gets within an operating system. They depend entirely on the environment that they run in, so they provide no more security than what can be provided by the normal execution environment, and they are vulnerable to their own software bugs and attacks that are penetrating the normal execution environment.
In the case of Windows 11 under a VM, as you say the software TPM can do what it likes. In effect, there is no more guarantee than with a system without a TPM and the message that Windows 11 can only be used where a TPM provides a trust base might give a false sense of security.
poc
On 05/07/2021 06:27, Patrick O'Callaghan wrote:
On Sun, 2021-07-04 at 10:33 -0700, Samuel Sieb wrote:
On 2021-07-04 9:08 a.m., Patrick O'Callaghan wrote:
On Sat, 2021-07-03 at 23:09 -0700, Samuel Sieb wrote: My mobo is about 8 years old, so I don't have the hardware, however QEMU/KVM apparently emulates it well enough to fool Windows.
Which as I said earlier, makes the whole thing ridiculous.
the hardware, if you use a VM, you can fool the OS.
Indeed, however as I understand it one supposed purpose of a TPM (among others) is to be able to guarantee that the operating system running on the machine has a solid trust base. Quoting from https://en.wikipedia.org/wiki/Trusted_Platform_Module#TPM_implementations:
Software TPMs are software emulators of TPMs that run with no more protection than a regular program gets within an operating system. They depend entirely on the environment that they run in, so they provide no more security than what can be provided by the normal execution environment, and they are vulnerable to their own software bugs and attacks that are penetrating the normal execution environment.
In the case of Windows 11 under a VM, as you say the software TPM can do what it likes. In effect, there is no more guarantee than with a system without a TPM and the message that Windows 11 can only be used where a TPM provides a trust base might give a false sense of security.
Aren't the terms "Windows" and "Security" oxymoronic? :-) :-)
Patrick O'Callaghan writes:
In the case of Windows 11 under a VM, as you say the software TPM can do what it likes. In effect, there is no more guarantee than with a system without a TPM and the message that Windows 11 can only be used where a TPM provides a trust base might give a false sense of security.
That depends on the implementation of the virtual TPM. Although from what I'm reading it shouldn't transparently virtualize the hardware TPM (if present), the hardware TPM can be used to provide a trust root for the virtual TPM, which can then attest to the VM. I would assume that to really trust any system, you'd need to have out-of-band knowledge of the TPM's identity, whether hardware or software. It's true that there's more room for malware to wedge itself in in this setup, but in theory it should work.
As for "false sense of security", that has been a Microsoft business model at least since they trumpeted "Orange Book Level C" security (the highest you can get without physically securing the device) for Windows NT in the 1990s -- which certification was invalid if you changed the physical configuration of the device (insert floppy!), connect to a network, or install software.
Security is hard, the weakest link is often your personnel, you shouldn't say you care about security unless you have a specialist auditing your systems, and any other generic statements about security are marketing drivel. ;-)
Regards, Steve
On Mon, 2021-07-05 at 10:29 +0900, Stephen J. Turnbull wrote:
Security is hard, the weakest link is often your personnel, you shouldn't say you care about security unless you have a specialist auditing your systems, and any other generic statements about security are marketing drivel. ;-)
I reckon the default thought of most people who're suddenly faced with a computer failing a security test is not going to be that something has changed on them without authority, but that something has gone wrong. They're going to try and reset something, rather than work out if they've been compromised.
Tim writes:
I reckon the default thought of most people who're suddenly faced with a computer failing a security test is not going to be that something has changed on them without authority, but that something has gone wrong. They're going to try and reset something, rather than work out if they've been compromised.
Indeed. Pragmatically speaking, I don't think they're wrong, do you?
Patrick writes:
I think much depends on what the TPM is used for. Certainly if the user takes care not to subvert the intention, it can reasonably be used to ensure that only trusted software is run.
"Pragmatically speaking ..." ;-) Seriously, I think TPM mostly makes sense with VMs. People who write programs are generally going to be very unhappy with the amount of kissing up to the TPM they have to do. Like, on Mac every time LLVM releases a new version of the debugger I have to go through the self-signing dance. So far I have been satisfied with the results every time (there really are new features or performance improvements), but it's infrequent enough that I have no memory of the procedure, let alone muscle memory.
OTOH, I think one application of TPM (at least when originally proposed) was to prevent the user from bypassing DRM, in which case the trust goes in the other direction and the situation is different.
Yeah, there was a *lot* of angst about potential DRM applications at the time. I'm willing to bet it's possible to distinguish a hardware TPM from a software TPM for that application, though. I didn't look hard enough to see if the Xen folk had proposed a protocol to get a token from the hardware TPM to vouch for a VM in that case.
Steve
On Tue, 2021-07-06 at 14:34 +0900, Stephen J. Turnbull wrote:
Patrick writes:
I think much depends on what the TPM is used for. Certainly if the user takes care not to subvert the intention, it can reasonably be used to ensure that only trusted software is run.
"Pragmatically speaking ..." ;-) Seriously, I think TPM mostly makes sense with VMs. People who write programs are generally going to be very unhappy with the amount of kissing up to the TPM they have to do. Like, on Mac every time LLVM releases a new version of the debugger I have to go through the self-signing dance. So far I have been satisfied with the results every time (there really are new features or performance improvements), but it's infrequent enough that I have no memory of the procedure, let alone muscle memory.
Indeed. I have no particular interest in TPM as such. My original question was aimed at anticipating possible issues with VMs and Windows 11 if I ever get round to installing it, but that seems to be resolved.
poc
On 06/07/2021 18:56, Patrick O'Callaghan wrote:
On Tue, 2021-07-06 at 14:34 +0900, Stephen J. Turnbull wrote:
Patrick writes:
I think much depends on what the TPM is used for. Certainly if the user takes care not to subvert the intention, it can reasonably be used to ensure that only trusted software is run.
"Pragmatically speaking ..." ;-) Seriously, I think TPM mostly makes sense with VMs. People who write programs are generally going to be very unhappy with the amount of kissing up to the TPM they have to do. Like, on Mac every time LLVM releases a new version of the debugger I have to go through the self-signing dance. So far I have been satisfied with the results every time (there really are new features or performance improvements), but it's infrequent enough that I have no memory of the procedure, let alone muscle memory.
Indeed. I have no particular interest in TPM as such. My original question was aimed at anticipating possible issues with VMs and Windows 11 if I ever get round to installing it, but that seems to be resolved.
Yes, I installed Windows 11 in a VM just fine with an emulated TPM. I don't actually use Windows all that much. But, for what I use it Windows 11 does seem to do it better. I only use it mainly for the WebATM of the Taiwan Post Office Bank. In Windows 10 I had to get the sequence just right for plugging in the USB smart card reader and inserting my bank card.
Still sucks that the Post Office doesn't support Linux. :-(
On Tue, 2021-07-06 at 19:21 +0800, Ed Greshko wrote:
On 06/07/2021 18:56, Patrick O'Callaghan wrote:
On Tue, 2021-07-06 at 14:34 +0900, Stephen J. Turnbull wrote:
Patrick writes:
I think much depends on what the TPM is used for. Certainly if the user takes care not to subvert the intention, it can reasonably be used to ensure that only trusted software is run.
"Pragmatically speaking ..." ;-) Seriously, I think TPM mostly makes sense with VMs. People who write programs are generally going to be very unhappy with the amount of kissing up to the TPM they have to do. Like, on Mac every time LLVM releases a new version of the debugger I have to go through the self-signing dance. So far I have been satisfied with the results every time (there really are new features or performance improvements), but it's infrequent enough that I have no memory of the procedure, let alone muscle memory.
Indeed. I have no particular interest in TPM as such. My original question was aimed at anticipating possible issues with VMs and Windows 11 if I ever get round to installing it, but that seems to be resolved.
Yes, I installed Windows 11 in a VM just fine with an emulated TPM. I don't actually use Windows all that much. But, for what I use it Windows 11 does seem to do it better. I only use it mainly for the WebATM of the Taiwan Post Office Bank. In Windows 10 I had to get the sequence just right for plugging in the USB smart card reader and inserting my bank card.
Still sucks that the Post Office doesn't support Linux. :-(
It's annoying when banks decide to "improve" security by requiring their customers to use a specific platform rather than a general standard. All banks here use smartcards but the personal terminal is just an offline card reader with a display.
oic
On 06/07/2021 20:08, Patrick O'Callaghan wrote:
It's annoying when banks decide to "improve" security by requiring their customers to use a specific platform rather than a general standard. All banks here use smartcards but the personal terminal is just an offline card reader with a display.
It is only the Post Office Bank here that requires the Smart Card Reader. The Post Office also sells a reader to make things "easier". I suspect they take a piece of the action. :-) :-)
On Tue, 2021-07-06 at 20:22 +0800, Ed Greshko wrote:
On 06/07/2021 20:08, Patrick O'Callaghan wrote:
It's annoying when banks decide to "improve" security by requiring their customers to use a specific platform rather than a general standard. All banks here use smartcards but the personal terminal is just an offline card reader with a display.
It is only the Post Office Bank here that requires the Smart Card Reader. The Post Office also sells a reader to make things "easier". I suspect they take a piece of the action. :-) :-)
And require a Windows machine to use it? Personally, I'd look for a different bank. Here the bank just gives you the card reader when you open an account.
poc
On 06/07/2021 20:40, Patrick O'Callaghan wrote:
On Tue, 2021-07-06 at 20:22 +0800, Ed Greshko wrote:
On 06/07/2021 20:08, Patrick O'Callaghan wrote:
It's annoying when banks decide to "improve" security by requiring their customers to use a specific platform rather than a general standard. All banks here use smartcards but the personal terminal is just an offline card reader with a display.
It is only the Post Office Bank here that requires the Smart Card Reader. The Post Office also sells a reader to make things "easier". I suspect they take a piece of the action. :-) :-)
And require a Windows machine to use it? Personally, I'd look for a different bank. Here the bank just gives you the card reader when you open an account.
We have accounts at other banks. But the P O account is tied into paying house taxes, electric bill, gas bill and others. Too much of a pain to change.
On Tue, 2021-07-06 at 22:19 +0800, Ed Greshko wrote:
On 06/07/2021 20:40, Patrick O'Callaghan wrote:
On Tue, 2021-07-06 at 20:22 +0800, Ed Greshko wrote:
On 06/07/2021 20:08, Patrick O'Callaghan wrote:
It's annoying when banks decide to "improve" security by requiring their customers to use a specific platform rather than a general standard. All banks here use smartcards but the personal terminal is just an offline card reader with a display.
It is only the Post Office Bank here that requires the Smart Card Reader. The Post Office also sells a reader to make things "easier". I suspect they take a piece of the action. :-) :-)
And require a Windows machine to use it? Personally, I'd look for a different bank. Here the bank just gives you the card reader when you open an account.
We have accounts at other banks. But the P O account is tied into paying house taxes, electric bill, gas bill and others. Too much of a pain to change.
Getting way off-topic here, but in the UK you can switch bank accounts for all such payments (direct debits) in a single operation. The two banks coordinate the handover between themselves. Takes a few days but is no more complicated than changing your phone service provider. I did it a couple of years ago and as I recall didn't need to contact any of the payees myself.
poc
On 07/07/2021 05:27, Patrick O'Callaghan wrote:
On Tue, 2021-07-06 at 22:19 +0800, Ed Greshko wrote:
On 06/07/2021 20:40, Patrick O'Callaghan wrote:
On Tue, 2021-07-06 at 20:22 +0800, Ed Greshko wrote:
On 06/07/2021 20:08, Patrick O'Callaghan wrote:
It's annoying when banks decide to "improve" security by requiring their customers to use a specific platform rather than a general standard. All banks here use smartcards but the personal terminal is just an offline card reader with a display.
It is only the Post Office Bank here that requires the Smart Card Reader. The Post Office also sells a reader to make things "easier". I suspect they take a piece of the action. :-) :-)
And require a Windows machine to use it? Personally, I'd look for a different bank. Here the bank just gives you the card reader when you open an account.
We have accounts at other banks. But the P O account is tied into paying house taxes, electric bill, gas bill and others. Too much of a pain to change.
Getting way off-topic here, but in the UK you can switch bank accounts for all such payments (direct debits) in a single operation. The two banks coordinate the handover between themselves. Takes a few days but is no more complicated than changing your phone service provider. I did it a couple of years ago and as I recall didn't need to contact any of the payees myself.
You are 100% right about being OT. And I violate my own rules again.
I'll just leave you with "Don't Get Me Started on Banks in Taiwan"!!! And especially "Don't get me started on Banks in Taiwan and their treatment of non-citizens".
See below
-----Original Message----- From: Ed Greshko ed.greshko@greshko.com Sent: Tuesday, July 6, 2021 2:23 PM To: users@lists.fedoraproject.org Subject: Re: Windows 11 VMs
On 06/07/2021 20:08, Patrick O'Callaghan wrote:
It's annoying when banks decide to "improve" security by requiring their customers to use a specific platform rather than a general standard. All banks here use smartcards but the personal terminal is just an offline card reader with a display.
It is only the Post Office Bank here that requires the Smart Card Reader. The Post Office also sells a reader to make things "easier". I suspect they take a piece of the action. :-) :-)
-- Remind me to ignore comments which aren't germane to the thread.
Smartcard readers are tricky beasts. The type-2 and type-3 (pinpad-readers) are the worst. I know Vasco distributes them through the banking-channels.
Tim, with mangled quoting by crapmail programs, come on you've had decades to get this shit right:
I reckon the default thought of most people who're suddenly faced
with
a computer failing a security test is not going to be that
something
has changed on them without authority, but that something has gone wrong. They're going to try and reset something, rather than work
out
if they've been compromised.
Stephen J. Turnbull
Indeed. Pragmatically speaking, I don't think they're wrong, do you?
Quite probably it *is* a fault, nine times out of ten (which makes you ignore the time it's really a problem).
With badly engineered hardware, software, and stupidly worded error messages, the blame is really not on the user.
On July 6, 2021 at 1:34 AM "Stephen J. Turnbull" stephen@xemacs.org wrote:
Tim writes:
I reckon the default thought of most people who're suddenly faced with a computer failing a security test is not going to be that something has changed on them without authority, but that something has gone wrong. They're going to try and reset something, rather than work out if they've been compromised.
Indeed. Pragmatically speaking, I don't think they're wrong, do you?
Patrick writes:
I think much depends on what the TPM is used for. Certainly if the user takes care not to subvert the intention, it can reasonably be used to ensure that only trusted software is run.
"Pragmatically speaking ..." ;-) Seriously, I think TPM mostly makes sense with VMs. People who write programs are generally going to be very unhappy with the amount of kissing up to the TPM they have to do. Like, on Mac every time LLVM releases a new version of the debugger I have to go through the self-signing dance. So far I have been satisfied with the results every time (there really are new features or performance improvements), but it's infrequent enough that I have no memory of the procedure, let alone muscle memory.
OTOH, I think one application of TPM (at least when originally proposed) was to prevent the user from bypassing DRM, in which case the trust goes in the other direction and the situation is different.
Yeah, there was a *lot* of angst about potential DRM applications at the time. I'm willing to bet it's possible to distinguish a hardware TPM from a software TPM for that application, though. I didn't look hard enough to see if the Xen folk had proposed a protocol to get a token from the hardware TPM to vouch for a VM in that case.
Steve
From the mail, it appears that a software TPM should solve the problem on older computers, but it occurs to me that you might not be permitted to install the software unless a TPM is found. So, for those who have already tried version 11, has any one of you tried installing on an older laptop, and then adding a software TPM, or is this impossible? --doug
On Tue, 2021-07-06 at 15:01 -0400, mcgarrett wrote:
From the mail, it appears that a software TPM should solve the problem on older computers, but it occurs to me that you might not be permitted to install the software unless a TPM is found. So, for those who have already tried version 11, has any one of you tried installing on an older laptop, and then adding a software TPM, or is this impossible? --doug
As stated earlier, my system doesn't have a hardware TPM, but adding a software TPM in virt-manager was enough.
poc
On July 6, 2021 at 5:29 PM Patrick O'Callaghan pocallaghan@gmail.com wrote:
On Tue, 2021-07-06 at 15:01 -0400, mcgarrett wrote:
From the mail, it appears that a software TPM should solve the problem on older computers, but it occurs to me that you might not be permitted to install the software unless a TPM is found. So, for those who have already tried version 11, has any one of you tried installing on an older laptop, and then adding a software TPM, or is this impossible? --doug
As stated earlier, my system doesn't have a hardware TPM, but adding a software TPM in virt-manager was enough.
poc
Three questions: Background: I have Windows 10 on the computer, even tho there are no apps on it--I only use Linux. There may someday be a need for Windows? Q1: Could you install the win 11 and then add the TPM s/w, or must the TPM be on the machine already. Q2: If it must be on the machine already, do you install it from a previous version of Windows, i.e., Win 10? If not then how? Q3: Would you please direct me to the source of the TPM you installed? Thank you--doug
On 14/07/2021 06:49, mcgarrett wrote:
On July 6, 2021 at 5:29 PM Patrick O'Callaghan pocallaghan@gmail.com wrote:
On Tue, 2021-07-06 at 15:01 -0400, mcgarrett wrote:
From the mail, it appears that a software TPM should solve the problem on older computers, but it occurs to me that you might not be permitted to install the software unless a TPM is found. So, for those who have already tried version 11, has any one of you tried installing on an older laptop, and then adding a software TPM, or is this impossible? --doug
As stated earlier, my system doesn't have a hardware TPM, but adding a software TPM in virt-manager was enough.
poc
Three questions: Background: I have Windows 10 on the computer, even tho there are no apps on it--I only use Linux. There may someday be a need for Windows? Q1: Could you install the win 11 and then add the TPM s/w, or must the TPM be on the machine already. Q2: If it must be on the machine already, do you install it from a previous version of Windows, i.e., Win 10? If not then how? Q3: Would you please direct me to the source of the TPM you installed? Thank you--doug
The "software" TPM being talked about is more like TPM emulation. It can be added to any VM via virt-manager on the "Hardware" screen and using the button in the lower left to add hardware.
The TPM can be added to any VM. The one caveat is that the VM must have been created to boot via UEFI and not BIOS. That option needs to be specified when the VM was created.
None of my motherboards have a TPM. So I use the emulation. However, if your motherboard does have a TPM, I believe there is an option when adding TPM to a VM to use "Pass Thru".
It isn't possible, AFAIK, to simply change a VM from BIOS to UEFI.
On 14/07/2021 07:29, Samuel Sieb wrote:
On 7/13/21 3:59 PM, Ed Greshko wrote:
It isn't possible, AFAIK, to simply change a VM from BIOS to UEFI.
I expect you could by editing the XML, but the installed system would need to be adjusted as well, including the hard drive partitioning, so not likely to be worth the effort.
Right. It wouldn't be "simple". Much better to just start over.
On 14/7/21 08:59, Ed Greshko wrote:
On 14/07/2021 06:49, mcgarrett wrote:
On July 6, 2021 at 5:29 PM Patrick O'Callaghan pocallaghan@gmail.com wrote:
On Tue, 2021-07-06 at 15:01 -0400, mcgarrett wrote:
From the mail, it appears that a software TPM should solve the problem on older computers, but it occurs to me that you might not be permitted to install the software unless a TPM is found. So, for those who have already tried version 11, has any one of you tried installing on an older laptop, and then adding a software TPM, or is this impossible? --doug
As stated earlier, my system doesn't have a hardware TPM, but adding a software TPM in virt-manager was enough.
poc
Three questions: Background: I have Windows 10 on the computer, even tho there are no apps on it--I only use Linux. There may someday be a need for Windows? Q1: Could you install the win 11 and then add the TPM s/w, or must the TPM be on the machine already. Q2: If it must be on the machine already, do you install it from a previous version of Windows, i.e., Win 10? If not then how? Q3: Would you please direct me to the source of the TPM you installed? Thank you--doug
The "software" TPM being talked about is more like TPM emulation. It can be added to any VM via virt-manager on the "Hardware" screen and using the button in the lower left to add hardware.
The TPM can be added to any VM. The one caveat is that the VM must have been created to boot via UEFI and not BIOS. That option needs to be specified when the VM was created.
None of my motherboards have a TPM. So I use the emulation. However, if your motherboard does have a TPM, I believe there is an option when adding TPM to a VM to use "Pass Thru".
It isn't possible, AFAIK, to simply change a VM from BIOS to UEFI.
I have a question about TPM hardware. Fedora 34 running as an image in a VMware Player VM on a Windows 10 host reports that I don't have a TPM chip, and with Windows 10 running in a VirtualBox VM (both these VM's are the free versions) on the same Windows 10 host, when I try to update the image to Windows 11 it says the environment does not meet the install requirements. VMware Player doesn't support UEFI but VirtualBox does and is active in the VM images. If I try to upgrade the native Windows 10 host, Windows 11 says it can install on my hardware. The BIOS indicates that I have activated fTPM in my AMD Ryzen cpu, which Windows 11 seems to be finding. Are the VM's suppressing the TPM functionality because I need to buy the commercial versions that allow a TPM to be added to the VM's as a device, or is Windows 11 and Fedora 34 not looking for the hardware the right way when running in a VM?
regards, Steve
On 14/07/2021 07:33, Stephen Morris wrote:
On 14/7/21 08:59, Ed Greshko wrote:
On 14/07/2021 06:49, mcgarrett wrote:
On July 6, 2021 at 5:29 PM Patrick O'Callaghan pocallaghan@gmail.com wrote:
On Tue, 2021-07-06 at 15:01 -0400, mcgarrett wrote:
From the mail, it appears that a software TPM should solve the problem on older computers, but it occurs to me that you might not be permitted to install the software unless a TPM is found. So, for those who have already tried version 11, has any one of you tried installing on an older laptop, and then adding a software TPM, or is this impossible? --doug
As stated earlier, my system doesn't have a hardware TPM, but adding a software TPM in virt-manager was enough.
poc
Three questions: Background: I have Windows 10 on the computer, even tho there are no apps on it--I only use Linux. There may someday be a need for Windows? Q1: Could you install the win 11 and then add the TPM s/w, or must the TPM be on the machine already. Q2: If it must be on the machine already, do you install it from a previous version of Windows, i.e., Win 10? If not then how? Q3: Would you please direct me to the source of the TPM you installed? Thank you--doug
The "software" TPM being talked about is more like TPM emulation. It can be added to any VM via virt-manager on the "Hardware" screen and using the button in the lower left to add hardware.
The TPM can be added to any VM. The one caveat is that the VM must have been created to boot via UEFI and not BIOS. That option needs to be specified when the VM was created.
None of my motherboards have a TPM. So I use the emulation. However, if your motherboard does have a TPM, I believe there is an option when adding TPM to a VM to use "Pass Thru".
It isn't possible, AFAIK, to simply change a VM from BIOS to UEFI.
I have a question about TPM hardware. Fedora 34 running as an image in a VMware Player VM on a Windows 10 host reports that I don't have a TPM chip, and with Windows 10 running in a VirtualBox VM (both these VM's are the free versions) on the same Windows 10 host, when I try to update the image to Windows 11 it says the environment does not meet the install requirements. VMware Player doesn't support UEFI but VirtualBox does and is active in the VM images. If I try to upgrade the native Windows 10 host, Windows 11 says it can install on my hardware. The BIOS indicates that I have activated fTPM in my AMD Ryzen cpu, which Windows 11 seems to be finding. Are the VM's suppressing the TPM functionality because I need to buy the commercial versions that allow a TPM to be added to the VM's as a device, or is Windows 11 and Fedora 34 not looking for the hardware the right way when running in a VM?
I don't use Vmware or VirtualBox. So, I can't answer this.
On 7/13/21 4:33 PM, Stephen Morris wrote:
I have a question about TPM hardware. Fedora 34 running as an image in a VMware Player VM on a Windows 10 host reports that I don't have a TPM chip, and with Windows 10 running in a VirtualBox VM (both these VM's are the free versions) on the same Windows 10 host, when I try to update the image to Windows 11 it says the environment does not meet the install requirements. VMware Player doesn't support UEFI but VirtualBox does and is active in the VM images. If I try to upgrade the native Windows 10 host, Windows 11 says it can install on my hardware. The BIOS indicates that I have activated fTPM in my AMD Ryzen cpu, which Windows 11 seems to be finding. Are the VM's suppressing the TPM functionality because I need to buy the commercial versions that allow a TPM to be added to the VM's as a device, or is Windows 11 and Fedora 34 not looking for the hardware the right way when running in a VM?
The OS in the VM can't see any of the hardware on the host system unless the VM specifically passes it through. Normally, all "hardware" in the VM is virtual. qemu has an option to add a TPM by either creating a virtual one or passing the hardware one through. I have no idea about vmware or virtualbox.
On 14/7/21 10:49, Samuel Sieb wrote:
On 7/13/21 4:33 PM, Stephen Morris wrote:
I have a question about TPM hardware. Fedora 34 running as an image in a VMware Player VM on a Windows 10 host reports that I don't have a TPM chip, and with Windows 10 running in a VirtualBox VM (both these VM's are the free versions) on the same Windows 10 host, when I try to update the image to Windows 11 it says the environment does not meet the install requirements. VMware Player doesn't support UEFI but VirtualBox does and is active in the VM images. If I try to upgrade the native Windows 10 host, Windows 11 says it can install on my hardware. The BIOS indicates that I have activated fTPM in my AMD Ryzen cpu, which Windows 11 seems to be finding. Are the VM's suppressing the TPM functionality because I need to buy the commercial versions that allow a TPM to be added to the VM's as a device, or is Windows 11 and Fedora 34 not looking for the hardware the right way when running in a VM?
The OS in the VM can't see any of the hardware on the host system unless the VM specifically passes it through. Normally, all "hardware" in the VM is virtual. qemu has an option to add a TPM by either creating a virtual one or passing the hardware one through. I have no idea about vmware or virtualbox.
I thought that if the tpm is in the cpu as the bios in my motherboard is indicating, whether the vm supported adding the hardware tpm as a device or not, because the vm has access to the cpu, the tpm would then be automatically available to the vm.
regards, Steve
users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
On Wed, 2021-07-14 at 21:34 +1000, Stephen Morris wrote:
The OS in the VM can't see any of the hardware on the host system unless the VM specifically passes it through. Normally, all "hardware" in the VM is virtual. qemu has an option to add a TPM by either creating a virtual one or passing the hardware one through. I have no idea about vmware or virtualbox.
I thought that if the tpm is in the cpu as the bios in my motherboard is indicating, whether the vm supported adding the hardware tpm as a device or not, because the vm has access to the cpu, the tpm would then be automatically available to the vm.
None of your hardware is automatically available. The virtual CPU may not even be the same as the real one.
poc
On 14/07/2021 20:30, Patrick O'Callaghan wrote:
On Wed, 2021-07-14 at 21:34 +1000, Stephen Morris wrote:
The OS in the VM can't see any of the hardware on the host system unless the VM specifically passes it through. Normally, all "hardware" in the VM is virtual. qemu has an option to add a TPM by either creating a virtual one or passing the hardware one through. I have no idea about vmware or virtualbox.
I thought that if the tpm is in the cpu as the bios in my motherboard is indicating, whether the vm supported adding the hardware tpm as a device or not, because the vm has access to the cpu, the tpm would then be automatically available to the vm.
None of your hardware is automatically available. The virtual CPU may not even be the same as the real one.
That's for sure. My VM's think they have Intel i7 CPU's while my host system is actually i5.
On 14/7/21 22:43, Ed Greshko wrote:
On 14/07/2021 20:30, Patrick O'Callaghan wrote:
On Wed, 2021-07-14 at 21:34 +1000, Stephen Morris wrote:
The OS in the VM can't see any of the hardware on the host system unless the VM specifically passes it through. Normally, all "hardware" in the VM is virtual. qemu has an option to add a TPM by either creating a virtual one or passing the hardware one through. I have no idea about vmware or virtualbox.
I thought that if the tpm is in the cpu as the bios in my motherboard is indicating, whether the vm supported adding the hardware tpm as a device or not, because the vm has access to the cpu, the tpm would then be automatically available to the vm.
None of your hardware is automatically available. The virtual CPU may not even be the same as the real one.
That's for sure. My VM's think they have Intel i7 CPU's while my host system is actually i5.
If I look at /proc/cpuinfo and it lists the 4 cpu's I've given to the vm as being the same name as the physical cpu and that it is an 8 core cpu in the modelname section and in the vendorid section it says it is an AuthenticAMD, isn't that telling me the vm is seeing the physical cpu?
regards, Steve
On 7/14/21 4:37 PM, Stephen Morris wrote:
On 14/7/21 22:43, Ed Greshko wrote:
On 14/07/2021 20:30, Patrick O'Callaghan wrote:
On Wed, 2021-07-14 at 21:34 +1000, Stephen Morris wrote:
The OS in the VM can't see any of the hardware on the host system unless the VM specifically passes it through. Normally, all "hardware" in the VM is virtual. qemu has an option to add a TPM by either creating a virtual one or passing the hardware one through. I have no idea about vmware or virtualbox.
I thought that if the tpm is in the cpu as the bios in my motherboard is indicating, whether the vm supported adding the hardware tpm as a device or not, because the vm has access to the cpu, the tpm would then be automatically available to the vm.
None of your hardware is automatically available. The virtual CPU may not even be the same as the real one.
That's for sure. My VM's think they have Intel i7 CPU's while my host system is actually i5.
If I look at /proc/cpuinfo and it lists the 4 cpu's I've given to the vm as being the same name as the physical cpu and that it is an 8 core cpu in the modelname section and in the vendorid section it says it is an AuthenticAMD, isn't that telling me the vm is seeing the physical cpu?
Not really. It depends on the VM system, but at least for some, the default is to pass the real CPU's cpuid into the VM's "CPU". The virtual OS is running on the physical CPU (emulation is *SLOW*), but the bits that identify the CPU are special instructions. These are intercepted by the VM and adjusted to give the answers you want. I suspect that the actual extended instructions (like AVX, SSEx, or whatever) would still be usable even if the cpuid was adjusted to exclude them.
On 15/7/21 16:15, Samuel Sieb wrote:
On 7/14/21 4:37 PM, Stephen Morris wrote:
On 14/7/21 22:43, Ed Greshko wrote:
On 14/07/2021 20:30, Patrick O'Callaghan wrote:
On Wed, 2021-07-14 at 21:34 +1000, Stephen Morris wrote:
The OS in the VM can't see any of the hardware on the host system unless the VM specifically passes it through. Normally, all "hardware" in the VM is virtual. qemu has an option to add a TPM by either creating a virtual one or passing the hardware one through. I have no idea about vmware or virtualbox.
I thought that if the tpm is in the cpu as the bios in my motherboard is indicating, whether the vm supported adding the hardware tpm as a device or not, because the vm has access to the cpu, the tpm would then be automatically available to the vm.
None of your hardware is automatically available. The virtual CPU may not even be the same as the real one.
That's for sure. My VM's think they have Intel i7 CPU's while my host system is actually i5.
If I look at /proc/cpuinfo and it lists the 4 cpu's I've given to the vm as being the same name as the physical cpu and that it is an 8 core cpu in the modelname section and in the vendorid section it says it is an AuthenticAMD, isn't that telling me the vm is seeing the physical cpu?
Not really. It depends on the VM system, but at least for some, the default is to pass the real CPU's cpuid into the VM's "CPU". The virtual OS is running on the physical CPU (emulation is *SLOW*), but the bits that identify the CPU are special instructions. These are intercepted by the VM and adjusted to give the answers you want. I suspect that the actual extended instructions (like AVX, SSEx, or whatever) would still be usable even if the cpuid was adjusted to exclude them.
Found an interesting issue with virtualbox on a Windows 10 host. As the Windows 11 installer I have requires Windows 10 to already be installed, I installed Windows 10 in a virtualbox vm, and with the vm running in the default window mode Windows 11 complained it wasn't an environment where Windows 11 could be installed, but if I switched the vm into fullscreen mode Windows 11 installed quite happily.
regards, Steve
In other Windows 11 VM news: I experimented with the mbr2gpt tool in Windows 10 to see if it could really switch my KVM to UEFI.
The /validate option works fine. It says my disk is good to convert, then the /convert option says:
Cannot perform layout conversion. Error: 0x00000001
The %errorlevel% is 10 which means "I can't do it, waah!" (or specifically "Conversion failed due to error while applying GPT layout.")
So I'll probably just give Windows 11 a pass :-).
Used the instructions here:
https://www.maketecheasier.com/convert-legacy-bios-uefi-windows10/
Also found I had to run
net user administrator /active:yes
before I could follow those instructions.
On Sun, 2021-07-18 at 19:38 -0400, Tom Horsley wrote:
The %errorlevel% is 10 which means "I can't do it, waah!" (or specifically "Conversion failed due to error while applying GPT layout.")
So I'll probably just give Windows 11 a pass :-).
I'd give it a fail, tell it to go back and repeat the training course.
On 7/14/21 4:34 AM, Stephen Morris wrote:
I thought that if the tpm is in the cpu as the bios in my motherboard is indicating, whether the vm supported adding the hardware tpm as a device or not, because the vm has access to the cpu, the tpm would then be automatically available to the vm.
Unless it's changed recently, the TPM isn't part of the CPU. It's a separate chip on the motherboard or apparently you can get one on an add-on card for computers that don't have one. Although I've heard that because of Windows 11, those cards have become expensive and hard to get.
On 15/7/21 04:25, Samuel Sieb wrote:
On 7/14/21 4:34 AM, Stephen Morris wrote:
I thought that if the tpm is in the cpu as the bios in my motherboard is indicating, whether the vm supported adding the hardware tpm as a device or not, because the vm has access to the cpu, the tpm would then be automatically available to the vm.
Unless it's changed recently, the TPM isn't part of the CPU. It's a separate chip on the motherboard or apparently you can get one on an add-on card for computers that don't have one. Although I've heard that because of Windows 11, those cards have become expensive and hard to get.
I thought the TPM was in the cpu, because someone I work with was indicating it was in the cpu, and in my motherboard's bios the activation/deactivation of the fTPM is in the cpu configuration section.
regards, Steve
Once upon a time, Stephen Morris samorris@netspace.net.au said:
I thought the TPM was in the cpu, because someone I work with was indicating it was in the cpu, and in my motherboard's bios the activation/deactivation of the fTPM is in the cpu configuration section.
There are different implementations of the TPM spec. Both Intel and AMD have CPU-based versions in more recent models; for AMD, this is called fTPM. It's also possible to have a discrete TPM module, which a bunch of motherboards include a header for.
The rush to buy modules is uninformed; probably a lot of those systems could just enable the CPU-based TPM in their BIOS. I don't remember when Intel added it (5 years ago?) and don't know if they added it for all CPU models or just some. I think AMD added their fTPM when they introduced socket AM4 (almost 5 years ago).
I think the advantage of a discrete and socketed module would be that you can take it with you; either literally (unplug it when you leave the house for example) or just when you replace the motherboard.
Speaking of Windows 11 requiring UEFI. I found this article that says Windows 10 has tools already shipped with it to convert Windows 10 from BIOS to UEFI:
https://www.maketecheasier.com/convert-legacy-bios-uefi-windows10/
I may copy my VM image to a safe backup location and see if I can convert my existing Windows 10 KVM from BIOS to UEFI successfully (and not have Microsoft tell me it breaks my activation for my single PC only OEM Windows version).
What do I do to the KVM definition to switch to UEFI? I assume I need to point to a different bios in the xml or something like that?
On 15/07/2021 08:44, Tom Horsley wrote:
Speaking of Windows 11 requiring UEFI. I found this article that says Windows 10 has tools already shipped with it to convert Windows 10 from BIOS to UEFI:
https://www.maketecheasier.com/convert-legacy-bios-uefi-windows10/
I may copy my VM image to a safe backup location and see if I can convert my existing Windows 10 KVM from BIOS to UEFI successfully (and not have Microsoft tell me it breaks my activation for my single PC only OEM Windows version).
What do I do to the KVM definition to switch to UEFI? I assume I need to point to a different bios in the xml or something like that?
Probably..... I have a win10 (bios) and win11 (uefi). Looking at their xml definition.
win10
<os>
  <type arch='x86_64' machine='pc-q35-4.1'>hvm</type>
  <boot dev='hd'/>
  <bootmenu enable='yes'/>
</os>
win11
<os>
  <type arch='x86_64' machine='pc-q35-5.2'>hvm</type>
  <loader readonly='yes' type='pflash'>/usr/share/edk2/ovmf/OVMF_CODE.fd</loader>
  <nvram>/var/lib/libvirt/qemu/nvram/win11_VARS.fd</nvram>
</os>
So, I suppose you can use that as a guide.
I await the results of your "experiment". :-) :-)
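Added example (not part of the thread or of libvirt): a Python check that reads a libvirt domain definition, such as the output of `virsh dumpxml`, and reports whether the guest boots via UEFI and what kind of TPM device it has. The `<os>` blocks are the two quoted above; the `<domain>` wrapper, the `<devices>` content and the function name `audit_domain` are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

# Constructed samples: only the <os> blocks come from the thread.
WIN10_BIOS = """<domain type='kvm'>
  <name>win10</name>
  <os>
    <type arch='x86_64' machine='pc-q35-4.1'>hvm</type>
    <boot dev='hd'/>
    <bootmenu enable='yes'/>
  </os>
  <devices/>
</domain>"""

WIN11_UEFI = """<domain type='kvm'>
  <name>win11</name>
  <os>
    <type arch='x86_64' machine='pc-q35-5.2'>hvm</type>
    <loader readonly='yes' type='pflash'>/usr/share/edk2/ovmf/OVMF_CODE.fd</loader>
    <nvram>/var/lib/libvirt/qemu/nvram/win11_VARS.fd</nvram>
  </os>
  <devices>
    <tpm model='tpm-crb'>
      <backend type='emulator' version='2.0'/>
    </tpm>
  </devices>
</domain>"""


def audit_domain(xml_text):
    """Return firmware and TPM facts for one libvirt domain definition."""
    root = ET.fromstring(xml_text)
    os_el = root.find("os")
    os_type = os_el.find("type") if os_el is not None else None
    loader = os_el.find("loader") if os_el is not None else None
    nvram = os_el.find("nvram") if os_el is not None else None

    # UEFI appears either as firmware='efi' on <os> (automatic firmware
    # selection) or as an explicit pflash loader, as in the win11 sample.
    uefi = (os_el is not None and os_el.get("firmware") == "efi") or (
        loader is not None and loader.get("type") == "pflash")

    report = {
        "name": root.findtext("name"),
        "machine": os_type.get("machine") if os_type is not None else None,
        "firmware": "uefi" if uefi else "bios",
        "nvram": nvram.text if nvram is not None else None,
        "tpm_model": None,
        "tpm_backend": None,      # 'emulator' (software) or 'passthrough'
        "tpm_version": None,
        "tpm_host_device": None,  # only set for passthrough
        "findings": [],
    }

    if not uefi:
        report["findings"].append(
            "boots via BIOS: no pflash loader or firmware='efi' in <os>")

    tpm = root.find("devices/tpm")
    if tpm is None:
        # The guest only sees a TPM the hypervisor gives it, whatever the host has.
        report["findings"].append("no <tpm> device defined for the guest")
    else:
        report["tpm_model"] = tpm.get("model")
        backend = tpm.find("backend")
        if backend is not None:
            report["tpm_backend"] = backend.get("type")
            report["tpm_version"] = backend.get("version")
            device = backend.find("device")
            if device is not None:
                report["tpm_host_device"] = device.get("path")
    return report


if __name__ == "__main__":
    for sample in (WIN10_BIOS, WIN11_UEFI):
        result = audit_domain(sample)
        print(result["name"], result["firmware"], result["tpm_backend"],
              result["findings"])
```

A passthrough TPM hands the host's single device to one guest, while the emulator backend keeps separate state per VM.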
On July 14, 2021 at 8:13 PM Chris Adams linux@cmadams.net wrote:
Once upon a time, Stephen Morris samorris@netspace.net.au said:
I thought the TPM was in the cpu, because someone I work with was indicating it was in the cpu, and in my motherboard's bios the activation/deactivation of the fTPM is in the cpu configuration section.
There are different implementations of the TPM spec. Both Intel and AMD have CPU-based versions in more recent models; for AMD, this is called fTPM. It's also possible to have a discrete TPM module, which a bunch of motherboards include a header for.
The rush to buy modules is uninformed; probably a lot of those systems could just enable the CPU-based TPM in their BIOS. I don't remember when Intel added it (5 years ago?) and don't know if they added it for all CPU models or just some. I think AMD added their fTPM when they introduced socket AM4 (almost 5 years ago).
I think the advantage of a discrete and socketed module would be that you can take it with you; either literally (unplug it when you leave the house for example) or just when you replace the motherboard. -- Chris Adams linux@cmadams.net
Is there some app that will tell you if your mobo (or cpu) has the tpm? --doug
On Thu, 2021-07-15 at 16:47 -0700, Samuel Sieb wrote:
On 7/15/21 3:47 PM, mcgarrett wrote:
Is there some app that will tell you if your mobo (or cpu) has the tpm?
If you're running Linux, you can check with "ls /dev/tpm*" or "journalctl | grep -i tpm". In Windows, it should be somewhere in the device manager.
Windows has a command-line utility called "tpm".
poc
On July 16, 2021 at 6:36 AM Patrick O'Callaghan pocallaghan@gmail.com wrote:
On Thu, 2021-07-15 at 16:47 -0700, Samuel Sieb wrote:
On 7/15/21 3:47 PM, mcgarrett wrote:
Is there some app that will tell you if your mobo (or cpu) has the tpm?
If you're running Linux, you can check with "ls /dev/tpm*" or "journalctl | grep -i tpm". In Windows, it should be somewhere in the device manager.
Windows has a command-line utility called "tpm".
poc
Tested on almost new computer with OpenSUSE Leap 15-3:
doug@linux1:~> ls /dev/tpm
ls: cannot access '/dev/tpm': No such file or directory
(tried again as root--NG.)
journalctl | grep -i tpm (This command required root permission.)
Jul 16 15:00:48 localhost kernel: efi: TPMFinalLog=0x7e3e4000 ACPI 2.0=0x7df30000 ACPI=0x7df30000 SMBIOS=0x7edc3000 SMBIOS 3.0=0x7edc2000 ESRT=0x79365818 MEMATTR=0x790e2018 MOKvar=0x79089000 RNG=0x7edc4718 TPMEventLog=0x7566b018
Jul 16 15:00:48 localhost kernel: ACPI: TPM2 0x000000007DF5E678 000034 (v04 ALASKA A M I 00000001 AMI 00000000)
I don't know what all this means, but I guess it does indicate TPM presence. WOW!
--doug
On 2021-07-17 6:01 p.m., mcgarrett wrote:
On July 16, 2021 at 6:36 AM Patrick O'Callaghan pocallaghan@gmail.com wrote:
On Thu, 2021-07-15 at 16:47 -0700, Samuel Sieb wrote:
On 7/15/21 3:47 PM, mcgarrett wrote:
Is there some app that will tell you if your mobo (or cpu) has the tpm?
If you're running Linux, you can check with "ls /dev/tpm*" or "journalctl | grep -i tpm". In Windows, it should be somewhere in the device manager.
Windows has a command-line utility called "tpm".
poc
Tested on almost new computer with OpenSUSE Leap 15-3:
doug@linux1:~> ls /dev/tpm
ls: cannot access '/dev/tpm': No such file or directory
(tried again as root--NG.)
You missed the asterisk. "ls /dev/tpm*"
journalctl | grep -i tpm (This command required root permission.)
Jul 16 15:00:48 localhost kernel: efi: TPMFinalLog=0x7e3e4000 ACPI 2.0=0x7df30000 ACPI=0x7df30000 SMBIOS=0x7edc3000 SMBIOS 3.0=0x7edc2000 ESRT=0x79365818 MEMATTR=0x790e2018 MOKvar=0x79089000 RNG=0x7edc4718 TPMEventLog=0x7566b018
Jul 16 15:00:48 localhost kernel: ACPI: TPM2 0x000000007DF5E678 000034 (v04 ALASKA A M I 00000001 AMI 00000000)
I don't know what all this means, but I guess it does indicate TPM presence. WOW!
Yes.
On July 17, 2021 at 11:03 PM Samuel Sieb samuel@sieb.net wrote:
On 2021-07-17 6:01 p.m., mcgarrett wrote:
On July 16, 2021 at 6:36 AM Patrick O'Callaghan pocallaghan@gmail.com wrote:
On Thu, 2021-07-15 at 16:47 -0700, Samuel Sieb wrote:
On 7/15/21 3:47 PM, mcgarrett wrote:
Is there some app that will tell you if your mobo (or cpu) has the tpm?
If you're running Linux, you can check with "ls /dev/tpm*" or "journalctl | grep -i tpm". In Windows, it should be somewhere in the device manager.
Windows has a command-line utility called "tpm".
poc
Tested on almost new computer with OpenSUSE Leap 15-3:
doug@linux1:~> ls /dev/tpm
ls: cannot access '/dev/tpm': No such file or directory
(tried again as root--NG.)
You missed the asterisk. "ls /dev/tpm*"
You're absolutely right. Works fine that way! Doesn't even need root.
doug@linux1:~> ls /dev/tpm*
/dev/tpm0 /dev/tpmrm0
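Added example (not from any poster): the two checks used in this exchange, combined in Python. `find_tpms` looks for the device nodes that `ls /dev/tpm*` showed and reads the kernel's `tpm_version_major` sysfs attribute where present; `firmware_tpm_hints` classifies kernel log lines like the ones pasted above. The function names and hint labels are assumptions for the illustration, and the sample log lines are copied from the post.

```python
import os
import re

# The two kernel log lines pasted in the thread.
SAMPLE_LOG = [
    "Jul 16 15:00:48 localhost kernel: efi: TPMFinalLog=0x7e3e4000 "
    "ACPI 2.0=0x7df30000 ACPI=0x7df30000 SMBIOS=0x7edc3000 "
    "SMBIOS 3.0=0x7edc2000 ESRT=0x79365818 MEMATTR=0x790e2018 "
    "MOKvar=0x79089000 RNG=0x7edc4718 TPMEventLog=0x7566b018",
    "Jul 16 15:00:48 localhost kernel: ACPI: TPM2 0x000000007DF5E678 000034 "
    "(v04 ALASKA A M I 00000001 AMI 00000000)",
]

# What each log fragment means. These say what the firmware advertises,
# not that a kernel driver actually bound to the device.
FIRMWARE_HINTS = [
    # ACPI table with signature TPM2: firmware describes a TPM 2.0 interface
    ("acpi_tpm2_table", re.compile(r"ACPI: TPM2\b")),
    # EFI configuration tables holding the measured-boot event log
    ("uefi_tpm_event_log", re.compile(r"TPMEventLog=0x[0-9a-fA-F]+")),
    ("uefi_tpm_final_log", re.compile(r"TPMFinalLog=0x[0-9a-fA-F]+")),
]


def firmware_tpm_hints(log_lines):
    """Return the labels of all firmware TPM hints found in the log lines."""
    return [label for label, pattern in FIRMWARE_HINTS
            if any(pattern.search(line) for line in log_lines)]


def find_tpms(sys_root="/sys/class/tpm", dev_root="/dev"):
    """List TPM devices the running kernel has registered.

    Each entry records the major spec version (None if the kernel does not
    expose tpm_version_major) and whether the /dev/tpmN and /dev/tpmrmN
    nodes exist.
    """
    found = []
    if not os.path.isdir(sys_root):
        return found
    for entry in sorted(os.listdir(sys_root)):
        if not re.fullmatch(r"tpm\d+", entry):
            continue
        index = entry[3:]
        try:
            with open(os.path.join(sys_root, entry, "tpm_version_major")) as fh:
                major = fh.read().strip()
        except OSError:
            major = None
        found.append({
            "name": entry,
            "version_major": major,
            "char_device": os.path.exists(os.path.join(dev_root, entry)),
            "resource_manager": os.path.exists(
                os.path.join(dev_root, "tpmrm" + index)),
        })
    return found


if __name__ == "__main__":
    print("firmware hints:", firmware_tpm_hints(SAMPLE_LOG))
    devices = find_tpms()
    if not devices:
        print("no TPM registered by the kernel")
    for dev in devices:
        print(dev)
```

Firmware hints without a matching device node usually mean the TPM is advertised but disabled or has no driver loaded; inside a VM both come back empty unless the hypervisor defines a TPM device.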
On July 13, 2021 at 6:59 PM Ed Greshko ed.greshko@greshko.com wrote:
On 14/07/2021 06:49, mcgarrett wrote:
On July 6, 2021 at 5:29 PM Patrick O'Callaghan pocallaghan@gmail.com wrote:
On Tue, 2021-07-06 at 15:01 -0400, mcgarrett wrote:
From the mail, it appears that a software TPM should solve the problem on older computers, but it occurs to me that you might not be permitted to install the software unless a TPM is found. So, for those who have already tried version 11, has any one of you tried installing on an older laptop, and then adding a software TPM, or is this impossible? --doug
As stated earlier, my system doesn't have a hardware TPM, but adding a software TPM in virt-manager was enough.
poc
Three questions:
Background: I have Windows 10 on the computer, even tho there are no apps on it--I only use Linux. There may someday be a need for Windows?
Q1: Could you install the win 11 and then add the TPM s/w, or must the TPM be on the machine already?
Q2: If it must be on the machine already, do you install it from a previous version of Windows, i.e., Win 10? If not then how?
Q3: Would you please direct me to the source of the TPM you installed?
Thank you--doug
The "software" TPM being talked about is more like TPM emulation. It can be added to any VM via virt-manager on the "Hardware" screen and using the button in the lower left to add hardware.
The TPM can be added to any VM. The one caveat is that the VM must have been created to boot via UEFI and not BIOS. That option needs to be specified when the VM was created.
None of my motherboards have a TPM. So I use the emulation. However, if your motherboard does have a TPM, I believe there is an option when adding TPM to a VM to use "Pass Thru".
It isn't possible, AFAIK, to simply change a VM from BIOS to UEFI.
I should apologize! I was thinking of this machine, which is almost new, and probably has the TPM in hardware. It's the laptop that's old, and has Windows 7! Probably just leave it that way. --doug
On Mon, 2021-07-05 at 10:29 +0900, Stephen J. Turnbull wrote:
Patrick O'Callaghan writes:
> In the case of Windows 11 under a VM, as you say the software TPM can do what it likes. In effect, there is no more guarantee than with a system without a TPM and the message that Windows 11 can only be used where a TPM provides a trust base might give a false sense of security.
That depends on the implementation of the virtual TPM. Although from what I'm reading it shouldn't transparently virtualize the hardware TPM (if present), the hardware TPM can be used to provide a trust root for the virtual TPM, which can then attest to the VM. I would assume that to really trust any system, you'd need to have out-of-band knowledge of the TPM's identity, whether hardware or software. It's true that there's more room for malware to wedge itself in in this setup, but in theory it should work.
I think much depends on what the TPM is used for. Certainly if the user takes care not to subvert the intention, it can reasonably be used to ensure that only trusted software is run. OTOH, I think one application of TPM (at least when originally proposed) was to prevent the user from bypassing DRM, in which case the trust goes in the other direction and the situation is different.
As for "false sense of security", that has been a Microsoft business model at least since they trumpeted "Orange Book Level C" security (the highest you can get without physically securing the device) for Windows NT in the 1990s -- which certification was invalid if you changed the physical configuration of the device (insert floppy!), connected to a network, or installed software.
Security is hard, the weakest link is often your personnel, you shouldn't say you care about security unless you have a specialist auditing your systems, and any other generic statements about security are marketing drivel. ;-)
Absolutely.
poc
On 03/07/2021 14:02, Samuel Sieb wrote:
On 2021-07-02 4:03 p.m., Samuel Sieb wrote:
On 2021-07-02 9:02 a.m., Patrick O'Callaghan wrote:
Since Microsoft is going to require a TPM module for their new system, are there implications for KVM, VirtualBox and VMware, or has this already been dealt with?
qemu has support for a TPM 2.0 either as a passthrough or an emulation. I haven't tested it yet, but I assume it works.
I tested it and Windows 10 let me enable bitlocker, so it definitely accepts it.
I have zero experience with TPM. To utilize this do you need to make use of
swtpm - TPM Emulator for TPM 1.2 and 2.0
on the qemu host?
On Sat, 2021-07-03 at 19:17 +0800, Ed Greshko wrote:
On 03/07/2021 14:02, Samuel Sieb wrote:
On 2021-07-02 4:03 p.m., Samuel Sieb wrote:
On 2021-07-02 9:02 a.m., Patrick O'Callaghan wrote:
Since Microsoft is going to require a TPM module for their new system, are there implications for KVM, VirtualBox and VMware, or has this already been dealt with?
qemu has support for a TPM 2.0 either as a passthrough or an emulation. I haven't tested it yet, but I assume it works.
I tested it and Windows 10 let me enable bitlocker, so it definitely accepts it.
I have zero experience with TPM. To utilize this do you need to make use of
swtpm - TPM Emulator for TPM 1.2 and 2.0
on the qemu host?
Apparently not: https://en.opensuse.org/Software_TPM_Emulator_For_QEMU (that's just the first one that popped up).
poc
On 03/07/2021 20:25, Patrick O'Callaghan wrote:
On Sat, 2021-07-03 at 19:17 +0800, Ed Greshko wrote:
On 03/07/2021 14:02, Samuel Sieb wrote:
On 2021-07-02 4:03 p.m., Samuel Sieb wrote:
On 2021-07-02 9:02 a.m., Patrick O'Callaghan wrote:
Since Microsoft is going to require a TPM module for their new system, are there implications for KVM, VirtualBox and VMware, or has this already been dealt with?
qemu has support for a TPM 2.0 either as a passthrough or an emulation. I haven't tested it yet, but I assume it works.
I tested it and Windows 10 let me enable bitlocker, so it definitely accepts it.
I have zero experience with TPM. To utilize this do you need to make use of
swtpm - TPM Emulator for TPM 1.2 and 2.0
on the qemu host?
Apparently not: https://en.opensuse.org/Software_TPM_Emulator_For_QEMU (that's just the first one that popped up).
OK, so just following the instructions for libvirt and it will start it for you.
Just have to add the tpm device to your vm using virsh.
I'll have to give that a try. My Win10 VM doesn't have that device.
On 03/07/2021 20:46, Ed Greshko wrote:
On 03/07/2021 20:25, Patrick O'Callaghan wrote:
On Sat, 2021-07-03 at 19:17 +0800, Ed Greshko wrote:
On 03/07/2021 14:02, Samuel Sieb wrote:
On 2021-07-02 4:03 p.m., Samuel Sieb wrote:
On 2021-07-02 9:02 a.m., Patrick O'Callaghan wrote:
Since Microsoft is going to require a TPM module for their new system, are there implications for KVM, VirtualBox and VMware, or has this already been dealt with?
qemu has support for a TPM 2.0 either as a passthrough or an emulation. I haven't tested it yet, but I assume it works.
I tested it and Windows 10 let me enable bitlocker, so it definitely accepts it.
I have zero experience with TPM. To utilize this do you need to make use of
swtpm - TPM Emulator for TPM 1.2 and 2.0
on the qemu host?
Apparently not: https://en.opensuse.org/Software_TPM_Emulator_For_QEMU (that's just the first one that popped up).
OK, so just following the instructions for libvirt and it will start it for you.
Just have to add the tpm device to your vm using virsh.
I'll have to give that a try. My Win10 VM doesn't have that device.
Oh, I'd never noticed. It is in virt-manager "add hardware" section.
On Sat, 2021-07-03 at 21:07 +0800, Ed Greshko wrote:
On 03/07/2021 20:46, Ed Greshko wrote:
On 03/07/2021 20:25, Patrick O'Callaghan wrote:
On Sat, 2021-07-03 at 19:17 +0800, Ed Greshko wrote:
On 03/07/2021 14:02, Samuel Sieb wrote:
On 2021-07-02 4:03 p.m., Samuel Sieb wrote:
On 2021-07-02 9:02 a.m., Patrick O'Callaghan wrote:
Since Microsoft is going to require a TPM module for their new system, are there implications for KVM, VirtualBox and VMware, or has this already been dealt with?
qemu has support for a TPM 2.0 either as a passthrough or an emulation. I haven't tested it yet, but I assume it works.
I tested it and Windows 10 let me enable bitlocker, so it definitely accepts it.
I have zero experience with TPM. To utilize this do you need to make use of
swtpm - TPM Emulator for TPM 1.2 and 2.0
on the qemu host?
Apparently not: https://en.opensuse.org/Software_TPM_Emulator_For_QEMU (that's just the first one that popped up).
OK, so just following the instructions for libvirt and it will start it for you.
Just have to add the tpm device to your vm using virsh.
I'll have to give that a try. My Win10 VM doesn't have that device.
Oh, I'd never noticed. It is in virt-manager "add hardware" section.
You're right. Even better.
poc
On Sat, 2021-07-03 at 22:05 +0100, Patrick O'Callaghan wrote:
Just have to add the tpm device to your vm using virsh.
I'll have to give that a try. My Win10 VM doesn't have that device.
Oh, I'd never noticed. It is in virt-manager "add hardware" section.
You're right. Even better.
Just tried it using the default settings and it worked. After booting Windows 10, type 'tpm' into a Windows Shell (admin) instance and it confirms the module exists.
poc
On 04/07/2021 05:16, Patrick O'Callaghan wrote:
On Sat, 2021-07-03 at 22:05 +0100, Patrick O'Callaghan wrote:
Just have to add the tpm device to your vm using virsh.
I'll have to give that a try. My Win10 VM doesn't have that device.
Oh, I'd never noticed. It is in virt-manager "add hardware" section.
You're right. Even better.
Just tried it using the default settings and it worked. After booting Windows 10, type 'tpm' into a Windows Shell (admin) instance and it confirms the module exists.
Same here.
I've not installed a Windows machine in several years. I wonder if things have changed since my last install as I would have thought TPM hardware would have been added by default to the hardware.
On 04/07/2021 05:22, Ed Greshko wrote:
On 04/07/2021 05:16, Patrick O'Callaghan wrote:
On Sat, 2021-07-03 at 22:05 +0100, Patrick O'Callaghan wrote:
Just have to add the tpm device to your vm using virsh.
I'll have to give that a try. My Win10 VM doesn't have that device.
Oh, I'd never noticed. It is in virt-manager "add hardware" section.
You're right. Even better.
Just tried it using the default settings and it worked. After booting Windows 10, type 'tpm' into a Windows Shell (admin) instance and it confirms the module exists.
Same here.
I've not installed a Windows machine in several years. I wonder if things have changed since my last install as I would have thought TPM hardware would have been added by default to the hardware.
I don't know if my experience mirrors that of others. But I learned the following over the past 2 days.
While the TPM module did exist, it was not usable as Bitlocker could not be turned on. I found that in order to have the TPM module available and usable one had to boot in UEFI. My only Win10 VM was BIOS.
So, I had to create a new VM using UEFI.
I then learned that I could not display to resize. I was stuck at the lowest resolution. I subsequently found out that I needed to download the Latest virtio-win ISO from https://github.com/virtio-win/virtio-win-pkg-scripts/blob/master/README.md and run the script contained within.
Other than that, it is all working as it should.
On 05/07/2021 07:55, Ed Greshko wrote:
On 04/07/2021 05:22, Ed Greshko wrote:
On 04/07/2021 05:16, Patrick O'Callaghan wrote:
On Sat, 2021-07-03 at 22:05 +0100, Patrick O'Callaghan wrote:
Just have to add the tpm device to your vm using virsh.
I'll have to give that a try. My Win10 VM doesn't have that device.
Oh, I'd never noticed. It is in virt-manager "add hardware" section.
You're right. Even better.
Just tried it using the default settings and it worked. After booting Windows 10, type 'tpm' into a Windows Shell (admin) instance and it confirms the module exists.
Same here.
I've not installed a Windows machine in several years. I wonder if things have changed since my last install as I would have thought TPM hardware would have been added by default to the hardware.
I don't know if my experience mirrors that of others. But I learned the following over the past 2 days.
While the TPM module did exist, it was not usable as Bitlocker could not be turned on. I found that in order to have the TPM module available and usable one had to boot in UEFI. My only Win10 VM was BIOS.
So, I had to create a new VM using UEFI.
I then learned that I could not display to resize. I was stuck at the lowest resolution. I subsequently found out that I needed to download the Latest virtio-win ISO from https://github.com/virtio-win/virtio-win-pkg-scripts/blob/master/README.md and run the script contained within.
Other than that, it is all working as it should.
And I just installed a Windows 11 system in the same way. All's good.
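One way to check a guest against the two conditions reported in these messages (a TPM device attached, and UEFI rather than BIOS firmware), as an added example that is not from any of the posters. It reads the domain XML that `virsh dumpxml` prints; the two sample guests and the function name are constructed for illustration, and treating a pflash loader as UEFI is an assumption that fits x86 OVMF guests.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a BIOS guest that had an emulated TPM added later.
BIOS_GUEST = """
<domain type='kvm'>
  <name>win10-bios</name>
  <os>
    <type arch='x86_64' machine='q35'>hvm</type>
  </os>
  <devices>
    <tpm model='tpm-tis'>
      <backend type='emulator' version='2.0'/>
    </tpm>
  </devices>
</domain>
"""

# Constructed sample: a guest created with UEFI firmware and a TPM 2.0.
UEFI_GUEST = """
<domain type='kvm'>
  <name>win11-uefi</name>
  <os firmware='efi'>
    <type arch='x86_64' machine='q35'>hvm</type>
  </os>
  <devices>
    <tpm model='tpm-crb'>
      <backend type='emulator' version='2.0'/>
    </tpm>
  </devices>
</domain>
"""


def audit_domain(xml_text):
    """Report firmware type, TPM backend and any mismatch between them."""
    root = ET.fromstring(xml_text)
    os_el = root.find("os")
    loader = root.find("./os/loader")
    # UEFI shows up either as firmware='efi' (libvirt picks the image)
    # or as an explicit pflash loader pointing at an OVMF image.
    uefi = (os_el is not None and os_el.get("firmware") == "efi") or (
        loader is not None and loader.get("type") == "pflash")
    report = {"name": root.findtext("name"), "uefi": uefi,
              "tpm": None, "problems": []}

    tpm = root.find("./devices/tpm")
    backend = tpm.find("backend") if tpm is not None else None
    if backend is None:
        report["problems"].append("no TPM device defined")
        return report

    host_dev = backend.find("device")  # only present for passthrough
    report["tpm"] = {
        "model": tpm.get("model"),
        "backend": backend.get("type"),      # 'emulator' or 'passthrough'
        "version": backend.get("version"),
        "host_device": host_dev.get("path") if host_dev is not None else None,
    }
    if backend.get("type") == "emulator":
        version = backend.get("version")
        if version is None:
            report["problems"].append("emulator version not stated in XML")
        elif version != "2.0":
            report["problems"].append("emulated TPM is %s, not 2.0" % version)
    if not uefi:
        report["problems"].append(
            "guest boots via BIOS; TPM may be visible but unusable")
    return report


if __name__ == "__main__":
    for sample in (BIOS_GUEST, UEFI_GUEST):
        print(audit_domain(sample))
```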
On 4/7/21 07:16, Patrick O'Callaghan wrote:
On Sat, 2021-07-03 at 22:05 +0100, Patrick O'Callaghan wrote:
Just have to add the tpm device to your vm using virsh.
I'll have to give that a try. My Win10 VM doesn't have that device.
Oh, I'd never noticed. It is in virt-manager "add hardware" section.
You're right. Even better.
Just tried it using the default settings and it worked. After booting Windows 10, type 'tpm' into a Windows Shell (admin) instance and it confirms the module exists.
Interesting, the windows command you have listed indicates that I have an AMD V2.0 tpm, which I assume is in the ryzen cpu, but Fedora via journalctl | grep -i tpm tells me a tpm doesn't exist.
regards, Steve
poc
_______________________________________________
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
On Mon, 2021-07-05 at 21:42 +1000, Stephen Morris wrote:
On 4/7/21 07:16, Patrick O'Callaghan wrote:
On Sat, 2021-07-03 at 22:05 +0100, Patrick O'Callaghan wrote:
Just have to add the tpm device to your vm using virsh.
I'll have to give that a try. My Win10 VM doesn't have that device.
Oh, I'd never noticed. It is in virt-manager "add hardware" section.
You're right. Even better.
Just tried it using the default settings and it worked. After booting Windows 10, type 'tpm' into a Windows Shell (admin) instance and it confirms the module exists.
Interesting, the windows command you have listed indicates that I have an AMD V2.0 tpm, which I assume is in the ryzen cpu, but Fedora via journalctl | grep -i tpm tells me a tpm doesn't exist.
Is this directly on the hardware or in a VM? If the former, it would appear to be a bug. If the latter, presumably the VM is emulating the TPM.
poc
On 6/7/21 00:02, Patrick O'Callaghan wrote:
On Mon, 2021-07-05 at 21:42 +1000, Stephen Morris wrote:
On 4/7/21 07:16, Patrick O'Callaghan wrote:
On Sat, 2021-07-03 at 22:05 +0100, Patrick O'Callaghan wrote:
Just have to add the tpm device to your vm using virsh.
I'll have to give that a try. My Win10 VM doesn't have that device.
Oh, I'd never noticed. It is in virt-manager "add hardware" section.
You're right. Even better.
Just tried it using the default settings and it worked. After booting Windows 10, type 'tpm' into a Windows Shell (admin) instance and it confirms the module exists.
Interesting, the windows command you have listed indicates that I have an AMD V2.0 tpm, which I assume is in the ryzen cpu, but Fedora via journalctl | grep -i tpm tells me a tpm doesn't exist.
Is this directly on the hardware or in a VM? If the former, it would appear to be a bug. If the latter, presumably the VM is emulating the TPM.
Windows is Windows 10 and it is native, I boot the machine into Windows 10. Fedora is running inside a VMware Player VM hosted on the Windows 10 machine the screenshot is from. From the screenshot in the attachment I assume it is telling me that under Windows 10 it is finding a tpm, is that correct?
regards, Steve
poc
On Tue, 2021-07-06 at 19:42 +1000, Stephen Morris wrote:
Is this directly on the hardware or in a VM? If the former, it would appear to be a bug. If the latter, presumably the VM is emulating the TPM.
Windows is Windows 10 and it is native, I boot the machine into Windows 10. Fedora is running inside a VMware Player VM hosted on the Windows 10 machine the screenshot is from.
That would indicate that the hardware does have TPM but that the VM isn't detecting it, possibly because it hasn't been configured in VMware. In my case the host is Linux and the guest is Windows. The host doesn't have hardware TPM but the guest (using QEMU/KVM) is emulating it.
I don't know what the screenshot shows. I don't see anything related to TPM.
poc
On 6/7/21 20:33, Patrick O'Callaghan wrote:
On Tue, 2021-07-06 at 19:42 +1000, Stephen Morris wrote:
Is this directly on the hardware or in a VM? If the former, it would appear to be a bug. If the latter, presumably the VM is emulating the TPM.
Windows is Windows 10 and it is native, I boot the machine into Windows 10. Fedora is running inside a VMware Player VM hosted on the Windows 10 machine the screenshot is from.
That would indicate that the hardware does have TPM but that the VM isn't detecting it, possibly because it hasn't been configured in VMware. In my case the host is Linux and the guest is Windows. The host doesn't have hardware TPM but the guest (using QEMU/KVM) is emulating it.
I don't know what the screenshot shows. I don't see anything related to TPM.
Sorry, I thought the "TPM Manufacturer Section" of the TPM output was indicating there was a TPM when it indicated the version. Maybe I don't actually have the hardware.
regards, Steve
poc
On Sat, 2021-07-03 at 19:17 +0800, Ed Greshko wrote:
On 03/07/2021 14:02, Samuel Sieb wrote:
On 2021-07-02 4:03 p.m., Samuel Sieb wrote:
On 2021-07-02 9:02 a.m., Patrick O'Callaghan wrote:
Since Microsoft is going to require a TPM module for their new system, are there implications for KVM, VirtualBox and VMware, or has this already been dealt with?
qemu has support for a TPM 2.0 either as a passthrough or an emulation. I haven't tested it yet, but I assume it works.
I tested it and Windows 10 let me enable bitlocker, so it definitely accepts it.
I have zero experience with TPM. To utilize this do you need to make use of
swtpm - TPM Emulator for TPM 1.2 and 2.0
on the qemu host?
Another reference: https://www.smoothnet.org/qemu-tpm/
poc
On 03.07.2021 08:02, Samuel Sieb wrote:
On 2021-07-02 4:03 p.m., Samuel Sieb wrote:
On 2021-07-02 9:02 a.m., Patrick O'Callaghan wrote:
Since Microsoft is going to require a TPM module for their new system, are there implications for KVM, VirtualBox and VMware, or has this already been dealt with?
qemu has support for a TPM 2.0 either as a passthrough or an emulation. I haven't tested it yet, but I assume it works.
I tested it and Windows 10 let me enable bitlocker, so it definitely accepts it.
Are you sure, because enabling bitlocker is also possible without a TPM in Win10;
On 2021-07-03 5:27 a.m., Walter H. via users wrote:
On 03.07.2021 08:02, Samuel Sieb wrote:
On 2021-07-02 4:03 p.m., Samuel Sieb wrote:
On 2021-07-02 9:02 a.m., Patrick O'Callaghan wrote:
Since Microsoft is going to require a TPM module for their new system, are there implications for KVM, VirtualBox and VMware, or has this already been dealt with?
qemu has support for a TPM 2.0 either as a passthrough or an emulation. I haven't tested it yet, but I assume it works.
I tested it and Windows 10 let me enable bitlocker, so it definitely accepts it.
Are you sure, because enabling bitlocker is also possible without a TPM in Win10;
There's an option to use a flash drive instead, but that's not what I used. I tried without the TPM added and it said no, then I added the TPM and it did it.
On 7/2/21 9:02 AM, Patrick O'Callaghan wrote:
Since Microsoft is going to require a TPM module for their new system, are there implications for KVM, VirtualBox and VMware, or has this already been dealt with?
poc
Hi Poc,
Fedora 34 qemu-kvm-5.2.0-8.fc34.x86_64
I have Windows 11 Version Dev (OS Build 22000.1) running under qemu-kvm. I installed it from ISO on a blank VM.
-T
For those wondering what TPM is:
Trusted Platform Module https://en.wikipedia.org/wiki/Trusted_Platform_Module
On Sat, 2021-07-03 at 13:54 -0700, ToddAndMargo via users wrote:
On 7/2/21 9:02 AM, Patrick O'Callaghan wrote:
Since Microsoft is going to require a TPM module for their new system, are there implications for KVM, VirtualBox and VMware, or has this already been dealt with?
poc
Hi Poc,
Fedora 34 qemu-kvm-5.2.0-8.fc34.x86_64
I have Windows 11 Version Dev (OS Build 22000.1) running under qemu-kvm. I installed it from ISO on a blank VM.
Thanks.
poc
On 03.07.2021 23:17, Patrick O'Callaghan wrote:
On Sat, 2021-07-03 at 13:54 -0700, ToddAndMargo via users wrote:
On 7/2/21 9:02 AM, Patrick O'Callaghan wrote:
Since Microsoft is going to require a TPM module for their new system, are there implications for KVM, VirtualBox and VMware, or has this already been dealt with?
poc
Hi Poc,
Fedora 34 qemu-kvm-5.2.0-8.fc34.x86_64
I have Windows 11 Version Dev (OS Build 22000.1) running under qemu-kvm. I installed it from ISO on a blank VM.
may I ask where you got this ISO from?
On 7/4/21 12:36 AM, Walter H. via users wrote:
On 03.07.2021 23:17, Patrick O'Callaghan wrote:
On Sat, 2021-07-03 at 13:54 -0700, ToddAndMargo via users wrote:
On 7/2/21 9:02 AM, Patrick O'Callaghan wrote:
Since Microsoft is going to require a TPM module for their new system, are there implications for KVM, VirtualBox and VMware, or has this already been dealt with?
poc
Hi Poc,
Fedora 34 qemu-kvm-5.2.0-8.fc34.x86_64
I have Windows 11 Version Dev (OS Build 22000.1) running under qemu-kvm. I installed it from ISO on a blank VM.
may I ask where you got this ISO from?
CERTAINLY !
It downloads a zip file with a script inside. You run the script for your OS. The script will go out to M$'s update site and create an ISO for you.
If the script crashes (mine did three times), rerun it and it will continue where it left off