#2 deepzero (VIP, Germany), 06-26-2021, 17:24
So what's happening is that the security of a TPM relies on the fact that it's not software but a physical chip. This is obv not the case for a virtual one, so they had to shift the security anchor to somewhere else, in this case the encrypted VM. Indeed the entire TPM config is contained encrypted in the encryption.data key of the .vmx file.
But you probably know all this already... I am guessing this is related to Windows 11?

Technically all that should be necessary is to dump the encrypted TPM hw-settings on VM hw initialization right after the password prompt. And then decrypt the VM, and inject the decrypted TPM config in the right place on startup... (I wonder if they left behind some way to load a decrypted TPM for debugging...).


Any attempt will probably keep you busy for a solid weekend. I am not aware of any work on this so far. If it's an option for you, I think QEMU offers a virtualized TPM without VM encryption. If it's really required for Windows 11 to work, pressure will rise on VirtualBox to add it. Which will be considerably easier to work around, even if they do tie it to VM encryption.
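The point deepzero makes above, that a VMware vTPM's settings are only as protected as the VM encryption that wraps them, can be checked from the defender's side by looking at what a .vmx file exposes in plaintext. The following is an added example, not code from the post or from VMware: a small parser for the `key = "value"` .vmx format that reports whether the file is encrypted (the config, vTPM settings included, lives inside `encryption.data`, as the post states) or whether a vTPM is declared in the clear (`vtpm.present`, a real VMware key) with no encryption anchoring it. The sample .vmx texts are constructed, and the `encryption.keySafe` key in the sample is an assumption about which keys VMware keeps outside the encrypted blob.

```python
import re
from typing import Dict

# Constructed sample .vmx contents (not from any real VM). In an encrypted VM
# only a few housekeeping keys stay in plaintext; the rest, vTPM settings
# included, sits inside the opaque encryption.data value.
SAMPLE_ENCRYPTED_VMX = """\
.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "19"
displayName = "win11-encrypted"
encryption.keySafe = "vmware:key/list/(pair/(phrase/...))"
encryption.data = "<opaque-base64-blob-placeholder>"
"""

# Constructed: same VM type, but the config was written without encryption,
# so the vTPM declaration is readable by anyone who can read the file.
SAMPLE_PLAIN_VMX = """\
.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "19"
displayName = "win11-plain"
vtpm.present = "TRUE"
"""

# One .vmx line: key = "value"; keys may start with a dot (".encoding").
_VMX_LINE = re.compile(r'^\s*([^\s=#]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text: str) -> Dict[str, str]:
    """Parse key/value lines of a .vmx file. VMware treats keys
    case-insensitively, so they are normalised to lower case."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        m = _VMX_LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg


def vtpm_status(cfg: Dict[str, str]) -> str:
    """Classify how the vTPM configuration of a VM is protected.

    encrypted        -> encryption.data present; the TPM config is inside
                        the encrypted blob and cannot be inspected here.
    vtpm-unprotected -> vtpm.present = "TRUE" visible in plaintext, so the
                        TPM state has no encryption anchor.
    no-vtpm          -> plaintext config with no vTPM declared.
    """
    if cfg.get("encryption.data"):
        return "encrypted"
    if cfg.get("vtpm.present", "").upper() == "TRUE":
        return "vtpm-unprotected"
    return "no-vtpm"


def audit_vmx_text(text: str) -> str:
    """Convenience wrapper: parse and classify in one call."""
    return vtpm_status(parse_vmx(text))


if __name__ == "__main__":
    for name, sample in (("encrypted", SAMPLE_ENCRYPTED_VMX),
                         ("plain", SAMPLE_PLAIN_VMX)):
        print(f"{name}: {audit_vmx_text(sample)}")
```

Run it against a real .vmx by reading the file and passing its contents to `audit_vmx_text`; a result of `vtpm-unprotected` means the vTPM's persistent state is not tied to VM encryption and should be treated as readable by anyone with access to the VM's files.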