deepzero, 06-26-2021, 17:24
So what's happening is that the security of a TPM relies on the fact that it's not software but a physical chip. This is obviously not the case for a virtual one, so they had to shift the security anchor somewhere else, in this case the encrypted VM. Indeed the entire TPM config is contained encrypted in the key of the .vmx file.
But you probably know all this already... I am guessing this is related to Windows 11?

Technically all that should be necessary is to dump the encrypted TPM hw-settings on VM hw initialization right after the password prompt, then decrypt the VM and inject the decrypted TPM config in the right place on startup... (I wonder if they left behind some way to load a decrypted TPM for debugging...).

Any attempt will probably keep you busy for a solid weekend. I am not aware of any work on this so far. If it's an option for you, I think QEMU offers a virtualized TPM without VM encryption. If it's really required for Windows 11 to work, pressure will rise on VirtualBox to add it, which will be considerably easier to work around, even if they do tie it to VM encryption.