Rollo62

How do you handle TPM-Chip under virtual machines ?


Hi there,

I've been working cross-platform under macOS Monterey, Win10 and VMware Fusion for quite a while now, without using TPM in my VMs.
Now I am more and more forced to use TPM as well, and since the current macOS Ventura I face a lot of performance issues, not only under Mac itself, so I probably have to consider real hardware issues too.
That's why I'm now trying to move my projects from VMware to Parallels, which should have better hardware support and performance for macOS and M1 chips in general.

Currently I'm checking out Parallels Desktop Professional and the possible impacts when using it.

 

Generally speaking, Parallels and VMware offer many similar properties, and it's not too difficult to get it running.

Unfortunately I cannot import my current VMware VMs there; this always refuses, and even Parallels support couldn't help much.

That's why I have to set up completely clean, new VMs now, and I want to ensure they are future-proof (Win11), while my old VMs were not.
So that means using the virtual TPM chip is a must, to allow an upgrade to Win11 later one day.

With TPM you cannot easily move or clone VMs anymore, so my workflow needs to be updated a bit then.
No matter if VMware or Parallels, when you move to another host PC, you have to transfer not only the VM but also the TPM password.
Here is a nice explanation of how a transfer from one physical Mac to another Mac can be done, but the question is not Mac-related only.

Maybe someone has faced these TPM topics before and found a clever way to ensure that VMs can be cloned and transferred without big hassle, even if it includes TPM?
Best of course would be to switch the TPM on/off wherever needed.
Of course a "moved" VM has the same MAC address and UUID, so there should be only one VM active at the same time in a network.
Interesting for me is to clone with a separate "MAC address and UUID" for testing, which could be used for fast, separate tests, but it should not crash the whole network if both are accidentally running.
Yes, I should use snapshots for that, but I want to avoid clutter and the risk of damaging my original VM; that's why I prefer complete clones instead.

 

Another use-case is to make clones from a general template VM; all this won't be easily possible with TPM any longer.

 

How do you organize your VM ecosystem including TPM? Is there still a way to work around TPM in VMs?

 

 

Edited by Rollo62


I recently moved my Hyper-V Windows 11 VM from my old laptop to my new laptop. After using the Hyper-V manager Export / Import features, there was one extra step to make the TPM for the old VM work on the new machine. That step was essentially migrating a couple of certificates from the old machine to the new machine.

https://robinhobo.com/how-to-move-or-restore-a-windows-11-vm-in-hyper-v-with-tpm-enabled-shielded-vms/

(Also read the comments in the article for helpful tips)

 

I also have Windows 11 for ARM running with TPM enabled under Parallels on a MBP M1 Pro, but since I only have one Mac, I have not researched migration there.

 

I abandoned VMWare for Hyper-V some years ago.

1 hour ago, Lars Fosdal said:

I also have Windows 11 for ARM running with TPM enabled under Parallells on a MBP M1 Pro, but since I only have one Mac, I have not researched migration there.

Thanks for the info. I have two Macs, while only one is for current development.
I also want to ensure that I won't end up in disaster when this machine breaks down one day; if I consider TPM too late, this will break my neck.

A breakdown of one host machine might break down 10 guest VMs too. I really get scared about that scenario and I want to do the right thing before it's too late.

Regarding the workflow, I hope that cloning particular VMs from a general "template" VM will still be easily possible.
Usually I use only one particular VM at a time, for let's say VM-Delphi, VM-WebDev, VM-VisualStudio, VM-TestEnv, ... so clones from one template VM were no problem in the past.

On one host machine I think that should be OK, since all the VMs relate to the same certificate set on that host machine (at least I hope so).

 

If I have a few VMs related to one host in that way, what happens if the host breaks down completely? How do I prepare to be able to move quickly to a new machine then?
I think a backup of a VM must always contain the VM image plus its VM-TPM certificate then, to be able to restore it.

On the Mac it seems that it's possible to copy the Keychain bundle as a collection, like in my link above, which could be exchanged between different Macs.

Maybe I should bundle all the TPM certificates into that single bundle in advance and back up this bundle.

That looks like a possible, clean way under macOS-Parallels; I'm not sure how it might look under macOS-VMware or under Windows-VMware hosts.

From your example under Windows it is called "Shielded VM Certificates", which is maybe the way to use this under Windows.

Anyway, I see no way to exchange VMs interoperably between different host structures in the future, like moving from macOS-VMware to Windows-VMware or into the VMware Cloud and vice versa.
To be honest, I never really used that feature aside from testing it, but it was always good to have it.
 

Edited by Rollo62


With some experiments, it seems that it doesn't work as seamlessly as described in the Parallels description:

 


 

There is not only one entry storing the TPM password, but there are two (/System and /iCloud).
Both contain the same password; when I extract that from the Keychain, it looks similar to this:

       0a9dfe9dbabcdfgdsddf4678fc3defsf5fs5fs67hd7n8899f086b795cc9a1509c3

The only difference seems to be what is called "Location":

 - System: one time with account number added

 - iCloud: one time without

All the rest, including the password, seems identical.

When I try to copy the entries into my own, custom Keychain bundle, then I can only copy one of the two versions, so I assume "System" is the right type.

IMHO the best way to copy that is:

 - Unlock the "System" and "Your Custom" bundle by right click - Unlock
 - Select the left "System" Keychain bundle
 - Enter "TPM" in the search field
 - Sort by the key type "System"
 - Select and right-click copy all the "System" entries
 - Ignore the "iCloud" entries, they seem not to be necessary
 - Select the left "Custom" Keychain bundle
 - Right click and insert them all into the custom bundle
 - The custom Keychain bundle "MB02_Pls_TPM.keychain-db" is for example stored under /User/Library/Keychains, and can be copied to another machine.
 - Such a keystore could hopefully be added to another machine
 - From there, on the new machine, the TPM entries could be copied from "Custom" to "System" to make the VM work again

Is there a better way to do it?

 

 

 

 

 

4 hours ago, Lars Fosdal said:

It doesn't say anything about TPMs, though, but https://kb.parallels.com/123975 mentions being able to run VMware under Parallels - yet still no word on TPMs.

The VMware VM is not working under Parallels for me, at least not the ones I want.
There is a conversion tool right in the beginning, which immediately fails with little or no error messages.
Even Parallels support couldn't solve that, so I have to re-create a clean Parallels VM anyway.

More headache to come: it seems that a Parallels VM on Intel cannot be ported easily to Parallels on M1.
The only exchange they provide is by copying disk data.
https://kb.parallels.com/125344

So then a breakdown of macOS-Intel will require a brand new VM setup under M1 anyway, and M1 will be the next macOS for sure, as I think macOS-Intel will be deprecated.
Parallels VMs are not interchangeable between Intel <-> M1, no matter if TPM or not.

Copying of hard drives should be easily possible if not using BitLocker (encryption by TPM), which I do not consider using in my VMs, so that's OK for me, but I thought the TPM would encrypt or certify some parts of the Windows OS.

https://www.linkedin.com/pulse/windows-11-requires-tpm-what-why-matters-rand-morimoto

 

OK, at least the VM data seems to be safe by direct access to the hard drive files, but the OS and probably all installations and configurations of applications seem to be lost.

Microsoft says
https://learn.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-countermeasure

Quote

BitLocker helps mitigate unauthorized data access on lost or stolen computers before the authorized operating system is started. This mitigation is done by:
 

- Encrypting volumes on a computer. For example, BitLocker can be turned on for the operating system volume, a volume on a fixed drive. or removable data drive (such as a USB flash drive, SD card, etc.) Turning on BitLocker for the operating system volume encrypts all system files on the volume, including the paging files and hibernation files. The only exception is for the System partition, which includes the Windows Boot Manager and minimal boot collateral required for decryption of the operating system volume after the key is unsealed.

 

- Ensuring the integrity of early boot components and boot configuration data. On devices that have a TPM version 1.2 or higher, BitLocker uses the enhanced security capabilities of the TPM to make data accessible only if the computer's BIOS firmware code and configuration, original boot sequence, boot components, and BCD configuration all appear unaltered and the encrypted disk is located in the original computer. On systems that use TPM PCR[7], BCD setting changes deemed safe are permitted to improve usability.

 

Is this meant as an option when BitLocker is activated?
My assumption is that the TPM is doing the latter, no matter if BitLocker is activated or not.
If the TPM recognizes any changes, then it prohibits booting the OS, and I assume this cannot be reset somehow.

 

It seems my TPM-less days will be gone soon and I have to optimize the process of setting up a new, clean VM (which I already did).

At least cloning and copying from the "template VM" still seems to work on the same machine.

 

From my tests I can use the Parallels "Clone" function, as well as copy-and-paste of the *.pvm images, to create a derivative of my template VM.
The derivative VMs seem to stay activated, as far as I can see.

Conditions: no BitLocker used, no more than one of the "cloned VMs" active at a time.


 

 

Edited by Rollo62

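As an added illustration (not from the thread, and not Parallels, VMware, Hyper-V or Microsoft code), the following Python simulation shows the mechanism the Microsoft quote above describes and why the clone/move observations in the posts come out the way they do: boot components are measured into a PCR by hash-extension, a BitLocker-style volume key is sealed to that PCR value inside a TPM whose own seed never leaves it, and unsealing only succeeds when both the boot measurements and the TPM seed match. The SimVTPM class, the HMAC-based seal/unseal, the boot-component strings and the scenario names are all constructed for this example; it is a simplified model, not the TPM 2.0 command set. The model's assumption is that the secret a hypervisor keeps outside the VM (the vTPM password in the macOS keychain, or the shielded-VM certificates in Hyper-V) is what protects the seed, so a VM restored on a host without it is effectively sitting on a different TPM.

```python
"""Toy model of TPM measured boot and sealing (added example, not product code).

Simulates PCR extension and sealing to a PCR policy with HMAC-SHA256. It is a
simplified model for illustration, not the TPM 2.0 command set.
"""
from __future__ import annotations

import hashlib
import hmac
import os

PCR_INIT = bytes(32)  # PCRs start as all-zero at power-on


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend: PCR = H(PCR || H(measurement)); order-dependent and one-way."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot(components: list[bytes]) -> bytes:
    """Extend each boot component in order; any change anywhere changes the result."""
    pcr = PCR_INIT
    for component in components:
        pcr = extend(pcr, component)
    return pcr


class SimVTPM:
    """A virtual TPM with a secret seed that never leaves the device.

    Model assumption: the secret the hypervisor stores outside the VM (keychain
    password, shielded-VM certificates) protects this seed, so a VM on a host
    that lacks it is effectively on a different TPM with a different seed.
    """

    def __init__(self, seed: bytes | None = None):
        self.seed = seed if seed is not None else os.urandom(32)

    def _kdf(self, pcr: bytes, label: bytes) -> bytes:
        # Keys are derived from the seed AND the PCR value, so a different
        # boot chain or a different TPM yields different keys.
        return hmac.new(self.seed, label + pcr, hashlib.sha256).digest()

    def seal(self, secret: bytes, pcr: bytes) -> dict:
        if len(secret) > 32:
            raise ValueError("secret must be at most 32 bytes in this model")
        keystream = self._kdf(pcr, b"enc")
        ciphertext = bytes(a ^ b for a, b in zip(secret, keystream))
        tag = hmac.new(self._kdf(pcr, b"mac"), ciphertext, hashlib.sha256).digest()
        # The blob stores only a policy digest, never the seed or the plaintext.
        return {"ct": ciphertext, "tag": tag, "policy": hashlib.sha256(pcr).digest()}

    def unseal(self, blob: dict, pcr: bytes) -> bytes:
        if not hmac.compare_digest(hashlib.sha256(pcr).digest(), blob["policy"]):
            raise PermissionError("PCR policy mismatch: boot chain changed")
        tag = hmac.new(self._kdf(pcr, b"mac"), blob["ct"], hashlib.sha256).digest()
        if not hmac.compare_digest(tag, blob["tag"]):
            raise PermissionError("wrong TPM: blob was sealed under another seed")
        keystream = self._kdf(pcr, b"enc")
        return bytes(a ^ b for a, b in zip(blob["ct"], keystream))


def try_unseal(tpm: SimVTPM, blob: dict, pcr: bytes, expected: bytes) -> bool:
    """True if the TPM releases the expected secret, False if it refuses."""
    try:
        return tpm.unseal(blob, pcr) == expected
    except PermissionError:
        return False


def run_scenarios() -> dict:
    """Replays the cases from the discussion; boot components are constructed names."""
    good_boot = [b"UEFI firmware", b"bootmgfw.efi", b"winload.efi", b"BCD"]
    pcr = measure_boot(good_boot)
    host_a = SimVTPM()
    volume_key = os.urandom(32)  # stands in for a BitLocker volume master key
    blob = host_a.seal(volume_key, pcr)

    tampered_boot = list(good_boot)
    tampered_boot[2] = b"winload.efi (modified)"
    pcr_tampered = measure_boot(tampered_boot)

    return {
        # same VM, same host, unchanged boot chain
        "same_host": try_unseal(host_a, blob, pcr, volume_key),
        # clone on the same host, or VM moved together with the TPM secret
        "clone_or_moved_with_tpm_secret": try_unseal(SimVTPM(seed=host_a.seed), blob, pcr, volume_key),
        # disk files copied to a new host whose vTPM has a fresh seed
        "moved_without_tpm_secret": try_unseal(SimVTPM(), blob, pcr, volume_key),
        # same TPM, but one boot component changed
        "boot_component_changed": try_unseal(host_a, blob, pcr_tampered, volume_key),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:32s} {'unseal OK' if ok else 'unseal REFUSED'}")
```

Run it with `python3` and the four scenario lines map onto the thread: the same-host clone works because it carries the same vTPM secret, the VM restored on a host without that secret is refused even though the disk files are intact (so without BitLocker the data is still readable from the disk file, but anything sealed to the TPM is not), and a changed boot component is refused on the original TPM as well. A real TPM enforces the PCR policy inside the command rather than by hashing the PCR into the blob, but the two failure modes are the same.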
