So, I decided to install Linux and install KVM and it was easier than I thought.
I then installed a W10 machine (some steps in various web guides seemed to be a bit different but it seems a bit easier on ubuntu at least.
So I want to try W11 but could not see a way to emulate TPM 2 as per Hyper-V.
Do does anybody know if it is possible on KVM?
Yes it is.
I believe there are multiple ways to do it.
Here's where we may need @jimbo45 for some advice.
To keep it simple:
By using virt-manager as the GUI for managing KVM VMs you could compare the steps a bit with Hyper-V's.
There is an option to add hardware to the VM and a TPM 2 can be added.
Hi there
@cereberus
install package swtpm on your distro -- you don't need to start any daemons / configure it -- the VM should do it all for you.
There's a version in git-hub as well if there isn't a package for your distro. I think ubuntu has a package so shouldn't be any problem.
then in the vm (install virtmanager for the GUI) simply specify :
In the VM you should see the TPM as the IBM emulator. Run command tpm.msc in the guest.
if you are doing everything from the command line then edit the VM's xml config file
add this :
<tpm model="tpm-crb">
<backend type="emulator" version="2.0"/>
<alias name="tpm0"/>
</tpm>
(of course the emulator has to be installed first on the HOST !!).
Note also you will need the VM to at least have UEFI boot (preferably sec boot too). For this to be enabled install package ovmf on your distro. Then when setting up the GUEST ensure sec boot is available.
Depending on your hardware networking might work better with emulated e1000e NICs rather than virtio.
Also for HOST / GUEST communication you need to do the following : (OK it's a little bit if a pain but :)
1) create an Isolated network on the Host say in /tmp/isolated.xml (XML file) -- give it a fixed IP address e.g as shown.
<network>
<name>isolated</name>
<ip address="192.168.254.1" netmask="255.255.255.0"> ===== Your VM will use this addr 192.168.254.1 for accessing the Host
<dhcp>
<range start="192.168.254.2" end="192.168.254.254"/>
</dhcp>
</ip>
</network>
2) define it via virsh net-define
root@hestur hrafn]# virsh net-define /tmp/isolated.xml you should see response : Network isolated defined from /tmp/isolated.xml
3)auto start it and also start it (virsh-net start)
[root@hestur hrafn]# virsh net-autostart isolated response from console should be : Network isolated marked as autostarted
4) in the Virtual Machines configuration :
a) Ist Nic define as Host device <nic interface e'g ethx or empxx or whatever>:macvtap device
b) add in the VM a second NIC defined as Virtual network <name --in my case isolated> device model virtio
5) start guest
6) Host will be accessible always as 192.168.254.1
Works fine for Windows VM's on Arch and Fedora. Should also work if the real NIC is a wifi card too. Should also work on any other Linux distro that supports KVM/QEMU Virtual Machines e.g OPENSUSE / LINUX MINT / UBUNTU/DEBIAN.
The XML generated file will look something like this for NIC 2 --depending on your hardware --this is generated automatically if everything is setup correctly.
<interface type="network">
<mac address="52:54:00:b0:3c:94"/>
<source network="isolated" portid="4afe495d-53a4-49fa-84e1-85d5c658bf78" bridge="virbr0"/>
<target dev="vnet0"/>
<model type="virtio"/>
<alias name="net0"/>
<address type="pci" domain="0x0000" bus="0x01" slot="0x00" function="0x0"/>
</interface>
If you've done it correctly you should see as the output on the host of ifconfig (or equivalent command these days probably ip -c a) the network virbr1 at the bottom of the screenshot with IP address 192.168.254.1 which is what the Windows VM will use to access the Host. (Note the VM can access other machines on Lan / Internet in the normal way - this is only for the VM to get HOST access).
BTW leave the tablet in as well --that gives proper full screen VM - to get out of full screen move mouse to top of screen or hit esc.
I suggest you also enable openssh-server on the GUEST (it's in the add optional features) -- makes it easier accessing Windows files FROM THE HOST. Install on the HOST package ssh if not already installed and enable it at boot (systemctl enable sshd)
Filezilla is also a great GUI transfer program - works both on Windows and Linux --much better than file explorer, You'll probably need SAMBA on the HOST as well and if not already installed by default package ntfs-3g to directly read / write ntfs files.
Have fun
Cheers
jimbo
Last edited by jimbo45; 07 Sep 2021 at 10:40. Reason: Added info on Guest Host communication and swtpm
Hi there
@cereberus
install package swtpm on your distro -- you don't need to start any daemons / configure it -- the VM should do it all for you.
There's a version in git-hub as well if there isn't a package for your distro. I think ubuntu has a package so shouldn't be any problem.
then in the vm (install virtmanager for the GUI) simply specify :
In the VM you should see the TPM as the IBM emulator. Run command tpm.msc in the guest.
if you are doing everything from the command line then edit the VM's xml config file
add this :
<tpm model="tpm-crb">
<backend type="emulator" version="2.0"/>
<alias name="tpm0"/>
</tpm>
(of course the emulator has to be installed first on the HOST !!).
Note also you will need the VM to at least have UEFI boot (preferably sec boot too). For this to be enabled install package ovmf on your distro. Then when setting up the GUEST ensure sec boot is available.
Depending on your hardware networking might work better with emulated e1000e NICs rather than virtio.
Also for HOST / GUEST communication you need to do the following : (OK it's a little bit if a pain but :)
1) create an Isolated network on the Host say in /tmp/isolated.xml (XML file) -- give it a fixed IP address e.g as shown.
<network>
<name>isolated</name>
<ip address="192.168.254.1" netmask="255.255.255.0"> ===== Your VM will use this addr 192.168.254.1 for accessing the Host
<dhcp>
<range start="192.168.254.2" end="192.168.254.254"/>
</dhcp>
</ip>
</network>
2) define it via virsh net-define
root@hestur hrafn]# virsh net-define /tmp/isolated.xml you should see response : Network isolated defined from /tmp/isolated.xml
3)auto start it and also start it (virsh-net start)
[root@hestur hrafn]# virsh net-autostart isolated response from console should be : Network isolated marked as autostarted
4) in the Virtual Machines configuration :
a) Ist Nic define as Host device <nic interface e'g ethx or empxx or whatever>:macvtap device
b) add in the VM a second NIC defined as Virtual network <name --in my case isolated> device model virtio
5) start guest
6) Host will be accessible always as 192.168.254.1
Works fine for Windows VM's on Arch and Fedora. Should also work if the real NIC is a wifi card too. Should also work on any other Linux distro that supports KVM/QEMU Virtual Machines e.g OPENSUSE / LINUX MINT / UBUNTU/DEBIAN.
The XML generated file will look something like this for NIC 2 --depending on your hardware --this is generated automatically if everything is setup correctly.
<interface type="network">
<mac address="52:54:00:b0:3c:94"/>
<source network="isolated" portid="4afe495d-53a4-49fa-84e1-85d5c658bf78" bridge="virbr0"/>
<target dev="vnet0"/>
<model type="virtio"/>
<alias name="net0"/>
<address type="pci" domain="0x0000" bus="0x01" slot="0x00" function="0x0"/>
</interface>
If you've done it correctly you should see as the output on the host of ifconfig (or equivalent command these days probably ip -c a) the network virbr1 at the bottom of the screenshot with IP address 192.168.254.1 which is what the Windows VM will use to access the Host. (Note the VM can access other machines on Lan / Internet in the normal way - this is only for the VM to get HOST access).
BTW leave the tablet in as well --that gives proper full screen VM - to get out of full screen move mouse to top of screen or hit esc.
I suggest you also enable openssh-server on the GUEST (it's in the add optional features) -- makes it easier accessing Windows files FROM THE HOST. Install on the HOST package ssh if not already installed and enable it at boot (systemctl enable sshd)
Filezilla is also a great GUI transfer program - works both on Windows and Linux --much better than file explorer, You'll probably need SAMBA on the HOST as well and if not already installed by default package ntfs-3g to directly read / write ntfs files.
Have fun
Cheers
jimbo
wow - a lot to take in. Many thanks.
I would think sooner or later KVM should build TPM into base package like HyperV.
Hi there
@cereberus
Linux basically uses a different philosophy -- it's usually designed to be incredibly small and basic --that's why I love Arch Linux - but everything extra needs a bit of work. For decent GUI's though you can install KDE (my preference) or GNOME.
True some Distros are almost "more Windows than Windows" but that's the users choice. While a lot of people just want essentially a "Turnkey OS" like Windows --just boot and go -Linux users on the whole are prepared to work a bit more with the system.
It's of course a choice -- but it's rewarding once you get it all working.
If you actually have a physical TPM then it can be done as well but you need to do a whole slew of stuff to get it to work including creating keys etc. Much simpler for GUESTS to use the TPM emulator.
Once you've got the thing working -- try to change the Virtual Disk to "RAW" and the NIC to virtio -- get the Windows virtio drivers from the fedora site -- and install in the VM.
Then have a go with passthru of devices if you have sufficient hardware -- the performance improvment in the VM is phenomenal. !!
For Windows virtio drivers get here :
virtio-win-pkg-scripts/README.md at master . virtio-win/virtio-win-pkg-scripts . GitHub
or here :
Index of /groups/virt/virtio-win/direct-downloads
add the ISO to your VM and then install the drivers . For W11 simply use W10 , W2K19 server etc drivers - they all work. Then create a new Virtusl HDD and clone the old one to the new RAW HDD -- Macrium free is the best way for that. Then you can delete the original Virtual HDD.
Enjoy !!! --This stuff gets quite addictive after a while !!!
Cheers
jimbo
@jimbo45
Thanks for all the details. I've also managed to get it working!
Important note:
- when you setup virtualization tools on your distro for first time, swtpm package might not be installed with KVM: virt-manager UI includes the TPM option but after adding it to VM you'll get an error if you start the VM.
Obviously the package was not installed.
- after installing swtpm (I tested on CentOS S8 host) there was another error:
Error starting domain: Unable to find 'swtpm_setup' binary in $PATH: No such file or directory . Issue #463 . stefanberger/swtpm . GitHub
Seems swtpm-tools is also needed.
EDIT: indeed, Windows 11 sees the IBM TPM in tpm.msc.
I decided to so something bananas i.e. run a linux vm on a W10 HyperV host, and then run Windows inside the Linux KVM i.e. a nested VM. I rather expected it to fail big time, but to my gasted flabber, it worked well once I sorted out the drivers.
The tricky bit was getting sound out of the nested Windows. Between a combo of installing pulsaudio and messing with KVN settings, I managed to get it working!
Quote
