[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: vtpmmgr stubdom

To: xen-users <xen-users@xxxxxxxxxxxxxxxxxxxx>
From: "Manfred Haertel, DB3HM" <Manfred.Haertel@xxxxxxxxxxxx>
Date: Sat, 19 Oct 2024 14:53:47 +0200
Delivery-date: Sat, 19 Oct 2024 13:01:05 +0000
List-id: Xen user discussion <xen-users.lists.xenproject.org>

James Dingwall schrieb:

Windows refers to the ACPI tables when recognizing TPM. So you have to
define a SSDT that defines a TPM 2.0 device and disables the TPM 1.2 device.

KVM contains ASL code for this, but this code is incorrect and has probably
never worked since a patch for it was applied in 2013. The code before 2013
works though.

In addition, a separate ACPI table with the name TPM2 is needed.

And last but not least Windows requires TPM to be started by the "BIOS", so
you will need a TPM2 capable OVMF.


Do you have any guides/references that we might find useful to get this
working in our environment?  Building an ACPI table isn't something that
I've ever had any experience doing.


I've uploaded a tarball tpm2_override.tar.gz to my Google drive:

https://drive.google.com/file/d/1mPL6Cc7eJt74zyztIIW9sSkjbU_5gxtA/view?usp=drive_link

It contains all the source files I used to build my tpm2_override.amland a prebuilt tpm2_override.aml is also included. You can start thebuild process by executing the included make.sh .

You can use it simply by adding the following line to your xl.cfg forthe Windows VM:


acpi_firmware = '/usr/local/tpm2/tpm2_override.aml'

(or whereever you store your tpm2_override.aml).

There isn't any guide for this that I know of. I found it out by myselfby trial and error. But it runs without problems for more than two yearsnow on two laptops.

Note that you also need a TPM2 capable OVMF binary, as Windows expectsTPM to be started by UEFI. If your distribution does not contain a TPM2capable OVMF binary, you have to build it yourself.

And of course, you have to start and configure swtpm, but this works byusing existing guides. You have to put the QEMU option to thedevice_model_override line in your xl.cfg .

And Windows requires also Secure Boot, and this requires persistent UEFIvariables which Xen does not support out of the box. However you can useuefistored, actually written for XCP-NG, which compiles on every Linuxdistribution. But it requires a patched OVMF...


--
Manfred Härtel, DB3HM    mailto:Manfred.Haertel@xxxxxxxxxxxx
                         http://rz-home.de/mhaertel

References:
- vtpmmgr stubdom
  - From: Brian Woods
- Re: vtpmmgr stubdom
  - From: James Dingwall
- Re: vtpmmgr stubdom
  - From: Manfred Haertel, DB3HM
- Re: vtpmmgr stubdom
  - From: James Dingwall

Prev by Date: Re: vtpmmgr stubdom
Previous by thread: Re: vtpmmgr stubdom
Next by thread: XEN PROJECT MEETUP: SIGN UP TODAY!
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.