Re: [Qemu-devel] [Bug 1716132] [NEW] Win 10 bitlocker won't initialise pass-through TPM

[Stefan Berger]

On 09/09/2017 10:05 AM, Kelvin Middleton wrote:
> Public bug reported:
>
> All stock Ubuntu Zesty, Win10Pro KVM guest configured with OVMF and Q35.
> My host has an ASRock Z97 Extreme 6 board with a TPM header which is
> populated with v1.2 complaint device.
>
> Testing in my host the TPM device is function, I can tpm_takeownership
> and tpm_clear successfully and similar testing by passing the device
> through to a linux guest also succeeds.
>
> However using Bitlocker in Windows 10 Pro release 1703 Windows advises
> it cannot "Prepare" the device which I take to mean it cannot take
> ownership of it.  I believe this to be related to Windows inability to
> view the TCG Event Log which is evidenced in the below 2 screencaps,
> however I'm no expert.
>
> https://s26.postimg.org/vter35eh5/Screenshot_20170907_114644.png
> https://s26.postimg.org/klo854qyx/Screenshot_20170909_143841.png

There's no event log when you were to use it with SeaBIOS. I don't know 
about OVMF.

SeaBIOS, once it recognizes that the device has already been 
initialized, presumably by the host, will back off from using the device 
and extending PCRs 0-7. Extending them would otherwise mess up the state 
of the PCRs which has to correspond to the host's BIOS log entries. OVMF 
should probably behave the same way in this case. The problem the is 
that this can lead to certain software inside of VMs not working. 
Bitlocker may be one of them.

The solution that would probably get you the farthest is to use a 
software TPM emulator, possibly with SeaBIOS as the firmware if Windows 
10 accepts it. The issue here is that the patches implementing the TPM 
emulator driver are not commonly available upstream.

   Stefan


> I've also tested the scenario with qemu 2.10 which provided the exact
> same results.  The only difference in the test setup is that I had to
> make the guest boot with SeaBios instead of OVMF.  (Windows wouldn't
> boot with OVMF with the boot manager giving me an error pointing to a
> BCD issue.  Researching this it seemed related to an old ACPI problem, I
> believe this unrelated to my TPM issue so will do more research and
> raise a separate bug for this if needed.)
>
> Happy to provide further configurations and build logs as necessary so
> please advise me what is needed.
>
> Lastly for background reading.  I've been trying to get TPM passthrough
> working with Windows for a long time now and have hit several different
> issues which I believe have been addressed by both code maturity in Qemu
> but also in Windows releases.  An earlier bug report can be found here
> (https://bugs.launchpad.net/ubuntu/+source/qemu/+bug/1615722) which
> concludes advising me to raise this new/separate issue.
>
> Thanks in advance,
>
> Kelvin
>
> ** Affects: qemu
>       Importance: Undecided
>           Status: New