#1
VMWare, emulated TPM without encryption
Hi,
VMWare requires a VM to be encrypted in order to add an emulated TPM; for obvious reasons that might not be desirable. Is there a known way to make the fake TPM work without encrypting the VM, i.e. a patch to bypass this requirement? Cheers David X.
#2
So what's happening is that the security of a TPM relies on the fact that it's not software but a physical chip. This is obv not the case for a virtual one, so they had to shift the security-anchor to somewhere else, in this case the encrypted VM. Indeed the entire TPM-config is contained encrypted in the encryption.data key of the .vmx file.
But you probably know all this already .. I am guessing this is related to Windows 11? Technically all that should be necessary is to dump the encrypted TPM hw-settings on vm-hw initialization right after the password prompt. And then decrypt the VM, and inject the decrypted TPM-config in the right place on startup... (I wonder if they left behind some way to load a decrypted TPM for debugging...). Any attempt will probably keep you busy for a solid weekend. I am not aware of any work on this so far. If it's an option for you, I think QEMU offers virtualized TPM without VM encryption. If it's really required for Windows 11 to work, pressure will rise on VirtualBox to add it. Which will be considerably easier to work around, even if they do tie it to VM encryption.
The Following 3 Users Say Thank You to deepzero For This Useful Post:
#3
Well, encrypting the TPM itself is fine with me, but they insist on encrypting the virtual drives as well, and that's just overkill and moreover unnecessary.
This way I cannot quickly add a TPM to a VM and later remove it without going through a long process of en- and then de-cryption of the virtual drives. That is imho unnecessary, as if one wants the drive content to be secure one can use BitLocker with the encrypted TPM or alike. I would like to add some proper TPM support to DiskCryptor and for that I would need some quick way to test many things without risking bricking real hardware. I'll check out QEMU; it would be great if it provided the needed functionality without all the hassle of VMware.
#4
The VM-encryption happens on the hypervisor level and is 100% invisible to the guest OS. So you can have BitLocker full-disk active within an encrypted VM. The only danger is that you encrypt your guest OS with BitLocker-on-TPM, then delete the virtual TPM -> now you have a very big problem...
The Following 2 Users Say Thank You to deepzero For This Useful Post:
DavidXanatos (06-27-2021), tonyweb (06-27-2021)
#5
Ok right... still I would like to skip the initial encryption step as I have a few 100 GB large VMs, although yeah, for the testing I could use a fresh one that is much smaller.
#6
Is it using AES-256-GCM? There are good, fast hardware implementations of it, so it would make sense. Even for a VM it shouldn't have too high a cost given that intrinsics have been in modern processors for some time.
Interestingly enough, differential power analysis can dump the keys from the chip and Wikipedia purports the CIA already did this a few years back.
#7
An update on this thread -- virtualbox devs are planning to pass through the physical TPM rather than emulating one to the guest -- www.virtualbox.org/changeset/90946/vbox -- which has just been pushed.
I don't get how that's supposed to work if two devices are trying to use it at the same time. Similarly, I don't like the idea of people using it to break VM isolation, or alternatively hide keys. QEMU has already implemented TPM emulation but there are two currently "not supported" interrupts, fortunately not hugely relevant, but still -- https://qemu.readthedocs.io/en/latest/specs/tpm.html#. Fortunately, it's possible to directly inspect the TPM and its communication protocol (TIS) state by making a debug build:
Last edited by DominicCummings; 09-19-2021 at 17:24.
#8
Passing through is a terrible idea, as then the host PC must have a TPM; also it violates privacy, as then the host of a VM can be uniquely identified.
Still waiting for a solution to enable TPM on VMware without having to encrypt the entire VM.
#9
I came across this Twitter thread and thought of your issue. Possibly this could be a solution?
https://twitter.com/mikeroySoft/status/1448675626714501122?ref_src=twsrc%5Etfw VMX flag: managedvm.autoAddVTPM="software" Supposedly it only encrypts enough for the "secure enclave", so perf should be way better, & no pwd.
The Following 2 Users Say Thank You to Stingered For This Useful Post:
DavidXanatos (12-29-2021), LaDidi (12-29-2021)
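An added example, not from this thread or from VMware: a small Python checker that parses .vmx files and classifies each VM by the two keys the thread names, `encryption.data` for a fully encrypted VM (where the vTPM config lives) and `managedvm.autoAddVTPM = "software"` for the enclave-only mode. It assumes the flat `key = "value"` layout and `|XX` hex escaping of values; the three sample files are constructed.

```python
import re
from typing import Dict

# Constructed sample .vmx contents (not real VMs). A .vmx is a flat
# key = "value" file; special characters inside values are assumed to be
# escaped as |XX (hex), which decode_vmx_value() undoes.
FULLY_ENCRYPTED_VMX = '''
displayName = "win11-test"
encryption.data = "CONSTRUCTED-CIPHERTEXT-PLACEHOLDER"
'''

SOFTWARE_VTPM_VMX = '''
displayName = "win11|22quick|22"
managedvm.autoAddVTPM = "software"
'''

PLAIN_VMX = '''
displayName = "plain-vm"
'''

_LINE = re.compile(r'^\s*([\w.:\-]+)\s*=\s*"(.*)"\s*$')


def decode_vmx_value(raw: str) -> str:
    """Undo the |XX hex escaping inside a quoted .vmx value."""
    return re.sub(r'\|([0-9A-Fa-f]{2})',
                  lambda m: chr(int(m.group(1), 16)), raw)


def parse_vmx(text: str) -> Dict[str, str]:
    """Parse key = "value" lines into a dict (keys lower-cased, # comments skipped)."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        m = _LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = decode_vmx_value(m.group(2))
    return cfg


def vtpm_protection(cfg: Dict[str, str]) -> str:
    """Classify how a VM's vTPM state is protected, using the keys named in the thread."""
    if 'encryption.data' in cfg:
        # Whole VM encrypted: the TPM config sits inside the encryption.data blob.
        return 'full-vm-encryption'
    if cfg.get('managedvm.autoaddvtpm', '').lower() == 'software':
        # Only the vTPM "secure enclave" is encrypted; no VM password prompt.
        return 'software-vtpm-enclave-only'
    return 'no-vtpm-protection'
```

Run it over the .vmx files of an inventory to see which VMs still carry an unencrypted (and therefore trivially copyable) vTPM state.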