View Single Post
  #2  
Old 06-26-2021, 17:24
deepzero's Avatar
deepzero deepzero is offline
VIP
 
Join Date: Mar 2010
Location: Germany
Posts: 300
Rept. Given: 111
Rept. Rcvd 64 Times in 42 Posts
Thanks Given: 178
Thanks Rcvd at 215 Times in 92 Posts
deepzero Reputation: 64
So what's happening is that the security of a TPM relies on the fact that it's not software but a physical chip. This is obv not the case for a virtual one, so they had to shift the security-anchor to somewhere else, in this case the encrypted VM. Indeed the entire TPM-config is contained encrypted in the encryption.data key of the .vmx file.
But you probably know all this already .. I am guessing this is related to Windows 11?

Technically all that should be necessary is to dump the encrypted TPM hw-settings on vm-hw initialization right after the password prompt. And then decrypt the VM, and inject the decrypted TPM-config in the right place on startup... (i wonder if they left behind some way to load a decrypted TPM for debugging...).


Any attempt will probably keep you busy for a solid weekend. I am not aware of any work on this so far. If it's an option for you, I think QEMU offers virtualized TPM without VM encryption. If it's really required for windows 11 to work, pressure will rise on virtualbox to add it. Which will be considerable easier to work around, even if they do tie it to VM encryption.
Reply With Quote
The Following 3 Users Say Thank You to deepzero For This Useful Post:
binarylaw (02-22-2022), DavidXanatos (06-26-2021), tonyweb (06-27-2021)