vTPM support - do we have guide to add the vTPM support?

FYI, the create wizard got some new additions in the latest pve-manager (7.0-13) that is available on pvetest at time of writing:
View attachment 30069

With that one can create a TPM there directly (also possible to add on existing VMs via their Hardware tabs "Add -> TPM" button)
Further, with a newer qemu-server one can select if the EFI-vars template should contain pre-enrolled keys (from Linux distros and Microsoft) with Secure boot enabled:

View attachment 30070

Those two things setup allow an up-to-date Windows 11 installation in a VM (note Windows 11's increased minimum requirements on memory/storage space).

If one then installs win11 only to install Firefox and open the same PVE interface the VM is installed on and opens the console for proof, one can get a nice infinite-mirror ;)
View attachment 30072
When will the pve-manager (7.0-13) be released to the community repository?
 
There's a pve-manager (7.0-12), qemu-server (7.0-15) and pve-edk2-firmware (3.20200531-2) package (with new tpm related dependencies) version available on pvetest. They implement support for adding a TPM v1.2 or v2.0 for VMs.

OVMF with secureboot (that also MS can use) is currently being worked on.


Setup a nested PVE to test this, my poor 32GB desktop Install is groaning... :) but it works.

Can confirm TPM works perfect, passing that side of the W11 health test.

Noticed there's a new qemu-server (7.0-16) and efi (3.20210831-1), do they implement the UEFI secure boot as above? if so, can they be retoactively applied to an existing W10 install? not seeing any secure boot options in the UEFI bios for myexisting test W10 VM.
 
Last edited:
Setup a nested PVE to test this, my poor 32GB desktop Install is groaning... :) but it works.

Can confirm TPM works perfect, passing that side of the W11 health test.

Noticed there's a new qemu-server (7.0-16) and efi (3.20210831-1), do they implement the UEFI boot? if so, can they be retoactively applied to an existing W10 install? not seeing any secure boot options in the UEFI bios for myexisting test W10 VM.

Couldn't enable UEFI secure boot on my existing VM - options were there in the UEFI bios but disabled. I did try resetting the keys, but that made no difference.

I did setup a new W10 VM, UEFI bios had secure boot enabled by default and my VM passes the W11 health check.

Thanks! this is really awesome.
 
Last edited:
Exciting developments then. Looks like I'll have to virtualise PVE 6.4 inside PVE 7X and PBS V1X for a specific 6.4 host as I cannot upgrade for the foreseeable future.
 
Setup a nested PVE to test this, my poor 32GB desktop Install is groaning... :) but it works.

Can confirm TPM works perfect, passing that side of the W11 health test.
Thanks for your nested-KVM-CPU-time sacrifice and your feedback! :)

Noticed there's a new qemu-server (7.0-16) and efi (3.20210831-1), do they implement the UEFI secure boot as above?
yes.

if so, can they be retoactively applied to an existing W10 install?
Well, yes but not straight forward. The thing is that existing VMs using a smaller build of OVMF (2 MB flash vs 4 MB flash), their size bump was required due to secure-boot and organic code-growth. Now, secure-boot basically needs the 4 MB firmware with SMM-enforcement support, but that one is not compatible with the legacy EFI vars file, as those are explicitly tailored for each build size.

So how can one switch the not-so-straight-forward-way you ask? You'd need to update to recent enough software in PVE 7.x, that'd be pve-manager (>= 7.0-13), qemu-server (>= 7.0-16) and pve-edk2-firmware (>= 3.20210831-1), then remove the EFIdisk completely (see NOTE below!) and re-add a new one. When re-adding, you'd ideally keep the new "Pre-enrolled Keys" setting checked (as that saves you of enrolling MS keys yourself). With the updated packages version Proxmox VE'll defaults to the 4 MB build of OVMF, that comes with more bells and (secure-boot) whistles than the 2 MB one.

NOTE: dropping the EFI vars disk and recreating it drops your boot entries from it, but you can re-add them for example see:
https://pve.proxmox.com/wiki/OVMF/UEFI_Boot_Entries
Or try to boot the Windows system manually once and then use the system repair thingy it has, also available on the ISO IIRC (not really a Windows-person though).
 
  • Like
Reactions: voarsh
Is there an easy way to spoof the processor while still passing through all flags in the same manner as Host? I have Intel E5-2697 v4 chips in my cluster, but MS has deemed those antiquated and incapable of running a basic OS...
The VM from my screenshot is hosted on a PVE with an Intel(R) Xeon(R) CPU E5-2620 v3, I used the default kvm64 as host but enabled a few CPU flags (as I usually do): flags=+md-clear;+pcid;+spec-ctrl;+ssbd;+aes, that worked out OK here.
 
will we get this in PVE 6.x as well?
No, all too much machinery updates and regression potential for a release that is in security-and-bugfix only maintenance mode. You need to upgrade to Proxmox VE 7.x for this.
 
I have broken all :/
I have added pvetest repo and upgrade the 3 paquets: pve-manager qemu-server pve-edk2-firmware
I had another version of trousers because of mortar framework installed:

root@pve:/mnt/temp/backup_ext# dpkg -l | grep trousers
iF trousers 0.3.14+fixed1-1.2 amd64 open-source TCG Software Stack (daemon)

It refuse to upgrade this packages:

trousers
swtpm-tools
qemu-server
proxmox-ve
pve-manager
pve-ha-manager


Job for trousers.service failed because the control process exited with error code.
See "systemctl status trousers.service" and "journalctl -xe" for details.
invoke-rc.d: initscript trousers, action "start" failed.
● trousers.service - LSB: starts tcsd
Loaded: loaded (/etc/init.d/trousers; generated)
Active: failed (Result: exit-code) since Wed 2021-10-06 08:12:12 CEST; 4ms ago
Docs: man:systemd-sysv-generator(8)
Process: 862242 ExecStart=/etc/init.d/trousers start (code=exited, status=30)
CPU: 8ms

oct. 06 08:12:12 pve systemd[1]: Starting LSB: starts tcsd...
oct. 06 08:12:12 pve trousers[862242]: Starting Trusted Computing daemon: tcsd/etc/init.d/trousers: 32: [: /dev/tpm0: unexpected operator
oct. 06 08:12:12 pve tcsd[862247]: TCSD TDDL[862247]: TrouSerS ioctl: (25) Inappropriate ioctl for device
oct. 06 08:12:12 pve tcsd[862247]: TCSD TDDL[862247]: TrouSerS Falling back to Read/Write device support.
oct. 06 08:12:12 pve tcsd[862247]: TCSD TCS[862247]: TrouSerS ERROR: TCS GetCapability failed with result = 0x1e
oct. 06 08:12:12 pve trousers[862248]: failed!
oct. 06 08:12:12 pve systemd[1]: trousers.service: Control process exited, code=exited, status=30/n/a
oct. 06 08:12:12 pve systemd[1]: trousers.service: Failed with result 'exit-code'.
oct. 06 08:12:12 pve systemd[1]: Failed to start LSB: starts tcsd.
dpkg: erreur de traitement du paquet trousers (--configure) :
installed trousers package post-installation script subprocess returned error exit status 1
Paramétrage de libpve-access-control (7.0-5) ...
Paramétrage de libuutil3linux (2.1.1-pve1) ...
Paramétrage de libpve-http-server-perl (4.0-3) ...
Paramétrage de libzfs4linux (2.1.1-pve1) ...
dpkg: des problèmes de dépendances empêchent la configuration de swtpm-tools :
swtpm-tools dépend de trousers (>= 0.3.9) ; cependant :
Le paquet trousers n'est pas encore configuré.

dpkg: erreur de traitement du paquet swtpm-tools (--configure) :
problèmes de dépendances - laissé non configuré
Paramétrage de libzpool5linux (2.1.1-pve1) ...
dpkg: des problèmes de dépendances empêchent la configuration de qemu-server :
qemu-server dépend de swtpm-tools ; cependant :
Le paquet swtpm-tools n'est pas encore configuré.

dpkg: erreur de traitement du paquet qemu-server (--configure) :
problèmes de dépendances - laissé non configuré
Paramétrage de zfsutils-linux (2.1.1-pve1) ...
Installation de la nouvelle version du fichier de configuration /etc/zfs/zfs-functions ...
zfs-import-scan.service is a disabled or a static unit, not starting it.
dpkg: des problèmes de dépendances empêchent la configuration de proxmox-ve :
proxmox-ve dépend de qemu-server ; cependant :
Le paquet qemu-server n'est pas encore configuré.

dpkg: erreur de traitement du paquet proxmox-ve (--configure) :
problèmes de dépendances - laissé non configuré
dpkg: des problèmes de dépendances empêchent la configuration de pve-manager :
pve-manager dépend de qemu-server (>= 6.2-17) ; cependant :
Le paquet qemu-server n'est pas encore configuré.

dpkg: erreur de traitement du paquet pve-manager (--configure) :
problèmes de dépendances - laissé non configuré
Paramétrage de zfs-zed (2.1.1-pve1) ...
Installation de la nouvelle version du fichier de configuration /etc/zfs/zed.d/zed-functions.sh ...
Traitement des actions différées (« triggers ») pour libc-bin (2.31-13) ...
Traitement des actions différées (« triggers ») pour man-db (2.9.4-2) ...
dpkg: des problèmes de dépendances empêchent le traitement des actions différées pour pve-ha-manager :
pve-ha-manager dépend de qemu-server (>= 6.0-15) ; cependant :
Le paquet qemu-server n'est pas encore configuré.

dpkg: erreur de traitement du paquet pve-ha-manager (--configure) :
problèmes de dépendances - actions différées non exécutées
Des erreurs ont été rencontrées pendant l'exécution :
trousers
swtpm-tools
qemu-server
proxmox-ve
pve-manager
pve-ha-manager
E: Sub-process /usr/bin/dpkg returned an error code (1)

I tried install -f and --reinstall, but no succes

Now somes packages are not correctly configured

proxmox-ve: not correctly installed (running kernel: 5.11.22-5-pve) pve-manager: not correctly installed (running version: 7.0-13/7aa7e488) pve-kernel-helper: 7.1-2 pve-kernel-5.11: 7.0-8 pve-kernel-5.11.22-5-pve: 5.11.22-10 pve-kernel-5.11.22-4-pve: 5.11.22-9 ceph-fuse: 14.2.21-1 corosync: 3.1.5-pve1 criu: 3.15-1+pve-1 glusterfs-client: 9.2-1 ifupdown2: 3.1.0-1+pmx3 ksmtuned: 4.20150326 libjs-extjs: 7.0.0-1 libknet1: 1.22-pve1 libproxmox-acme-perl: 1.3.0 libproxmox-backup-qemu0: 1.2.0-1 libpve-access-control: 7.0-5 libpve-apiclient-perl: 3.2-1 libpve-common-perl: 7.0-10 libpve-guest-common-perl: 4.0-2 libpve-http-server-perl: 4.0-3 libpve-storage-perl: 7.0-12 libspice-server1: 0.14.3-2.1 lvm2: 2.03.11-2.1 lxc-pve: 4.0.9-4 lxcfs: 4.0.8-pve2 novnc-pve: 1.2.0-3 proxmox-backup-client: 2.0.11-1 proxmox-backup-file-restore: 2.0.11-1 proxmox-mini-journalreader: 1.2-1 proxmox-widget-toolkit: 3.3-6 pve-cluster: 7.0-3 pve-container: 4.0-10 pve-docs: 7.0-5 pve-edk2-firmware: 3.20210831-1 pve-firewall: 4.2-3 pve-firmware: 3.3-2 pve-ha-manager: not correctly installed pve-i18n: 2.5-1 pve-qemu-kvm: 6.0.0-4 pve-xtermjs: 4.12.0-1 qemu-server: not correctly installed smartmontools: 7.2-pve2 spiceterm: 3.2-2 vncterm: 1.7-1 zfsutils-linux: 2.1.1-pve1
 
Was your system installed quite a while ago? E.g., with a PVE version older than 5.0? As this seems like some sysv-to-systemd compat package issue that one only gets if installed. Anyhow, I'll look into it and see if I can fix trousers init.d script, thanks for your report!
 
I had another version of trousers because of mortar framework installed:

root@pve:/mnt/temp/backup_ext# dpkg -l | grep trousers
iF trousers 0.3.14+fixed1-1.2 amd64 open-source TCG Software Stack (daemon)

It refuse to upgrade this packages:
We re-build the upstream package with a more resilient postinst and init script and uploaded that to pvetest as trousers in version 0.3.14+fixed1-1.2+pve1 (FWIW, the "fixed" part in the version was already there and not my invention ;))

An error may still get printed on update, but it should not fail the whole update itself anymore (which is not really useful to do then anyway).

Can you try apt update and another apt full-upgrade (or manual apt -f install trousers)
 
  • Like
Reactions: cromatn5
Well, yes but not straight forward.

Thanks! I'll look into that.

nb. Did a clean W11 ISO install, no drama's

Interesting thing was the .208 virtio ISO installed with no issues as well, it failed on the W11 insider releases.
 
Is there an easy way to spoof the processor while still passing through all flags in the same manner as Host? I have Intel E5-2697 v4 chips in my cluster, but MS has deemed those antiquated and incapable of running a basic OS...
I think this should work out of the box. If it doesn't work leave your CPU in common KVM, this will work for sure.
 
Ok, After remove and create another EFI disk with pre enrolled keys, i was able to had secure boot activated, but i had to disable signature vérification for storage controller. I will try later to change this driver.
 
You can also bypass most (all?) requirements of the windows installer if you just deploy it using command prompt. Press Shift + F10 and use diskpart for partitioning and dism /apply-image to apply the w11 image you want. I used this method to deploy latest w11 insider. I have no vTPM, or secure boot and it works. I'm using a fairly recent CPU in host mode though
 
You can also bypass most (all?) requirements of the windows installer if you just deploy it using command prompt. Press Shift + F10 and use diskpart for partitioning and dism /apply-image to apply the w11 image you want. I used this method to deploy latest w11 insider. I have no vTPM, or secure boot and it works. I'm using a fairly recent CPU in host mode though
Could you please tell me more precisely how you installed Windows 11 without TPM / SecureBoot?
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!