swTPM for Unraid
NOTE: The latest Unraid version should support TPM out of the box, so you may rather want to look at that first. I kept this one for reference.
So a couple of years ago I decided to virtualize my desktop environment, simply because it is much easier to maintain a thin abstraction layer on the bare metal and run the "fat" OS in a virtual machine. Lately I switched over to Unraid, which has its primary focus on storing media but has some great virtualization capabilities based on KVM. There are great tutorials on how to pass through GPU and USB devices; check out Spaceinvader One's YouTube channel for more information (https://www.youtube.com/channel/UCZDfnUn74N0WeAPvMqTOrtA). The other day I had to use BitLocker to comply with enterprise requirements on an Azure AD joined computer. Normally BitLocker requires a TPM (Trusted Platform Module) chip; this chip generates and stores your encryption keys. Windows 11 is also said to require a TPM module in the future. On virtual machines you have two options: you can pass through the TPM module of the host, or, if you are in the same situation as me and don't have a TPM module in your host, you need to use a TPM emulator (swTPM, implemented by Stefan Berger, THX!!!). So what do you need to run a virtual machine with swTPM in Unraid?
Though the qemu binaries supplied with Unraid support a TPM emulator, the swTPM binaries are missing. So I needed to compile the binaries and the required libraries for Unraid. You can download them (all .txz files) from here (https://github.com/rezo552/unraid-swtpm), and you should put them into the /boot/extra folder of your Unraid. On the next reboot it will load the libraries and install the swTPM binaries.
If you don't have the "User scripts" plugin installed, you need to install it at this stage and create a script which runs at the startup of the array. You should add the following content to the script (startup_script). I'm not going into too much detail on the script; the key thing is the last line. When you first start up the virtual machine, at runtime it will create a folder under /var/lib/libvirt/swtpm/, something like /var/lib/libvirt/swtpm/141d5517-bb66-23b3-6373-c4288xxxxxx. You need to make sure that you copy this whole folder into the VM storage area and symlink it back on the next boot, as /var/lib/libvirt/swtpm/ is not persistent.
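As an added example (this is not the article's own startup_script), here is one way to write the copy-and-symlink logic described above so the swTPM state survives a reboot; the persistent path /mnt/user/domains/swtpm-state and the save/restore arguments are assumptions:

```shell
#!/bin/bash
# Added example, not the article's script. /var/lib/libvirt/swtpm/<vm-uuid> is
# created when the VM first starts but lives in RAM, so it is copied to
# persistent storage once and symlinked back on every array start.

# Copy each real (non-symlink) swTPM state directory into persistent storage.
# $1 = libvirt swtpm dir, $2 = persistent dir on the array.
save_swtpm_state() {
    local src="$1" dst="$2" d uuid
    mkdir -p "$dst"
    for d in "$src"/*/; do
        [ -d "$d" ] || continue
        uuid=$(basename "$d")
        # Already a symlink into persistent storage: nothing to copy.
        [ -L "${d%/}" ] && continue
        cp -a "${d%/}" "$dst/"
    done
}

# Recreate <libvirt swtpm dir>/<uuid> as a symlink to the persisted copy.
# $1 = persistent dir, $2 = libvirt swtpm dir (empty after a reboot).
restore_swtpm_state() {
    local src="$1" dst="$2" d uuid
    mkdir -p "$dst"
    for d in "$src"/*/; do
        [ -d "$d" ] || continue
        uuid=$(basename "$d")
        # Never clobber a real state directory that already exists.
        [ -e "$dst/$uuid" ] && [ ! -L "$dst/$uuid" ] && continue
        ln -sfn "$src/$uuid" "$dst/$uuid"
    done
}

# Assumed Unraid layout: persistent copy lives next to the VM images.
SWTPM_DIR=/var/lib/libvirt/swtpm
PERSIST_DIR=/mnt/user/domains/swtpm-state
if [ "${1:-}" = "save" ]; then
    save_swtpm_state "$SWTPM_DIR" "$PERSIST_DIR"
elif [ "${1:-}" = "restore" ]; then
    restore_swtpm_state "$PERSIST_DIR" "$SWTPM_DIR"
fi
```

Run it with `restore` from the User Scripts plugin at array start and with `save` once after a VM has been started for the first time. If the state directory is lost, the VM boots with a fresh TPM and BitLocker will prompt for the recovery key, so keep a backup of the persistent copy.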
The very last thing you will need is the right OVMF files, as those coming with Unraid do not support TPM. You need to grab them from my GitHub repo as well and upload them to your virtual machine folder.
Finally you need to edit the virtual machine XML file in Unraid, first to use the new OVMF files:
<loader readonly='yes' type='pflash'>/mnt/disk1/domains/Windows 10/OVMF_CODE.fd</loader>
<nvram>/mnt/disk1/domains/Windows 10/OVMF_VARS.fd</nvram>
And then you need to define the TPM emulator under the devices section:
<tpm model='tpm-tis'>
  <backend type='emulator' version='2.0'/>
  <alias name='tpm0'/>
</tpm>
If all goes fine, you should see a TPM device under Security devices in Device Manager in Windows.
IT Operations Manager | Driving Operational Excellence & Vendor Success
2y I should note that if you're running docker, some of them may stop working correctly. No need to panic though. Just stop the docker service, delete the docker vdisk, and re-enable the service. You will need to reinstall all your apps, but everything should be back like nothing happened. May need to do this again if you decide to undo and remove swtpm support.
Mechanical engineer at Stansomatic A/S
3y Thank you for this amazing article! Worked on the first try!
Chemical Engineer
3y That's great, thank you very much! I usually don't like "black boxes", so I'm trying to understand how and if you compiled the ovmf package yourself to build OVMF_CODE.fd and OVMF_VARS.fd. If I use these files: https://github.com/rezo552/unraid-swtpm Windows 11 installation goes smoothly. However, if I boot into ovmf settings, secure boot mode is DISABLED with those ovmf files, so here is the first question: why doesn't Windows 11 complain about secure boot being disabled? So, I tried to compile the OVMF package myself with secure boot enabled:
git clone https://github.com/tianocore/edk2.git
cd edk2
git clean -ffdx
git reset --hard
git submodule deinit --force --all
git checkout edk2-stable202011
git submodule update --init --force
source edksetup.sh
nice make -C "$EDK_TOOLS_PATH" -j $(getconf _NPROCESSORS_ONLN)
build -a X64 -b RELEASE -DSECURE_BOOT_ENABLE=TRUE -p OvmfPkg/OvmfPkgX64.dsc -t GCC5
Notes: -DSECURE_BOOT_ENABLE=TRUE allows building a secboot version of ovmf. I prefer the 202011 stable version. Now, time to inject the keys; I tried 2 ways:
1- inject keys with EnrollDefaultKeys.efi (built within the ovmf package) --> I put it on another raw image and ran it from the UEFI shell; from OVMF settings I can see that PK, KEK and DB keys are injected, but Windows 11 tells me that the system is not compatible to run Windows 11...
2- downloaded: MicCorUEFCA2011_2011-06-27.cer (2nd import in DB), MicWinProPCA2011_2011-10-19.cer (1st import in DB), MicCorKEKCA2011_2011-06-24.cer (imported as KEK) and generated a DER self-signed certificate, imported as PK. Here I have another issue, because if I look at the KEK and DB keys (for example by deleting them from the ovmf settings), they seem to be imported as 00000-0000-00000 (only zeroes...???), so something is wrong... Obviously the same issue with the 2nd method as with the first one: no compatible system. Note that the xml is the same; what changes is only OVMF_CODE.fd and OVMF_VARS.fd.
If you have some time, can you clarify if and how you set up the OVMF_VARS.fd? Thank you
Student at Universidade Federal de Sergipe
3y Thanks for this post my friend! I have a question. I would like to pass through the TPM that's already plugged into my motherboard. I believe I just need to edit my VM XML file, right? What would be the correct configuration? Thank you very much!
Student at St. Xavier's College
3y This looks good, I'm going to try it. However, is there any option to pass through instead of using swTPM? As my CPU and mobo are both modern: 570 & 3700x.