Exetools (https://forum.exetools.com/index.php) > General Discussion (https://forum.exetools.com/forumdisplay.php?f=2) > VMWare, emulated TPM without encryption (https://forum.exetools.com/showthread.php?t=19879)

DavidXanatos 06-26-2021 15:43

VMWare, emulated TPM without encryption

VMWare requires a VM to be encrypted in order to add an emulated TPM,
for obvious reasons that might not be desirable.

Is there a known way to make the fake TPM work without encrypting the VM, i.e. a patch to bypass this requirement?

David X.

deepzero 06-26-2021 17:24

So what's happening is that the security of a TPM relies on the fact that it's not software but a physical chip. This is obviously not the case for a virtual one, so they had to shift the security anchor to somewhere else, in this case the encrypted VM. Indeed the entire TPM config is contained encrypted in the encryption.data key of the .vmx file.
But you probably know all this already... I am guessing this is related to Windows 11?

Technically all that should be necessary is to dump the encrypted TPM hw-settings on VM hardware initialization right after the password prompt. And then decrypt the VM, and inject the decrypted TPM config in the right place on startup... (I wonder if they left behind some way to load a decrypted TPM for debugging...).

Any attempt will probably keep you busy for a solid weekend. I am not aware of any work on this so far. If it's an option for you, I think QEMU offers a virtualized TPM without VM encryption. If it's really required for Windows 11 to work, pressure will rise on VirtualBox to add it, which will be considerably easier to work around, even if they do tie it to VM encryption.

DavidXanatos 06-26-2021 21:00

Well, encrypting the TPM itself is fine with me, but they insist on encrypting the virtual drives as well, and that's just overkill and moreover unnecessary.
This way I can not quickly add a TPM to a VM and later remove it without going through a long process of encryption and then decryption of the virtual drives.
That is imho unnecessary, as if one wants the drive content to be secure one can use BitLocker with the encrypted TPM or alike.

I would like to add some proper TPM support to DiskCryptor, and for that I would need some quick way to test many things without risking bricking real hardware.

I'll check out QEMU; it would be great if it provided the needed functionality without all the hassle of VMware.

deepzero 06-26-2021 23:56

Originally Posted by DavidXanatos
This way I can not quickly add a TPM to a VM and later remove it without going through a long process of encryption and then decryption of the virtual drives.

You should be able to remove it (and re-add it) without decrypting and re-encrypting the VM.
The VM encryption happens on the hypervisor level and is 100% invisible to the guest OS. So you can have BitLocker full-disk encryption active within an encrypted VM. The only danger is that you encrypt your guest OS with BitLocker-on-TPM, then delete the virtual TPM -> now you have a very big problem...

DavidXanatos 06-27-2021 03:59

Originally Posted by deepzero (Post 123268)
You should be able to remove it (and re-add it) without decrypting and re-encrypting the VM.

OK, right... still, I would like to skip the initial encryption step, as I have a few 100 GB VMs, although yeah, for the testing I could use a fresh one that is much smaller.

chants 06-27-2021 17:21

Is it using AES-256-GCM? There are good fast hardware implementations of it, so it would make sense. Even for a VM it shouldn't have too high a cost, given that the intrinsics have been in modern processors for some time.

Interestingly enough, differential power analysis can dump the keys from the chip, and Wikipedia purports the CIA already did this a few years back.

DominicCummings 09-19-2021 16:52

An update on this thread -- VirtualBox devs are planning to pass through the physical TPM rather than emulating one to the guest -- www.virtualbox.org/changeset/90946/vbox -- which has just been pushed.

I don't get how that's supposed to work if two devices are trying to use it at the same time. Similarly, I don't like the idea of people using it to break VM isolation, or alternatively hide keys.

QEMU have already implemented TPM emulation, but there are two currently "not supported" interrupts, fortunately not hugely relevant, but still -- https://qemu.readthedocs.io/en/latest/specs/tpm.html#. Fortunately, it's possible to directly inspect the TPM and its communication protocol (TIS) state by making a debug build:

    This patch uses the possibility to add a vendor-specific register and
    adds a debug register useful for dumping the TIS's internal state. This
    register is only active in a debug build (#define DEBUG_TIS).

Hopefully this won't last too long and won't protect too much...

DavidXanatos 10-01-2021 19:14

Passing through is a terrible idea, as then the host PC must have a TPM; also it violates privacy, as then the host of a VM can be uniquely identified.

Still waiting for a solution to enable TPM on VMware without having to encrypt the entire VM.

Stingered 12-29-2021 08:42

I came across this Twitter thread and thought of your issue. Possibly this could be a solution?

VMX flag:

Supposedly it only encrypts enough for the “secure enclave”, so perf should be way better, & no pwd.
