Emulated tpm under qemu doesn't work under windows anymore

[webczat]

Describe the bug

I admit I don't know whether this could possibly be a qemu bug or swtpm bug, and that configuration has worked before. I don't know which component update caused this
So generally, suddenly my windows vm that had bitlocker enabled stopped booting and asked for recovery key. After I disabled bitlocker and tried to reenable, I noticed that windows doesn't see a tpm beingpresent.
When I went to device manager: I saw the tpm module, but in properties something like: (this string is localized so unable to translate exactly):

Unable to start this device (code 10)

Protocol error has been detected

I have enabled debug logging, but this doesn't show enough information. I need some directions how to make it work, will attach debug logs (level 5) below.

Required: To Reproduce (without these steps your issue may be deleted)

Steps to reproduce the behavior/issue showing all commands on command line, needed XML or JSON (if necessary), etc.:

1. Create virtual machine with emulated tpm 2.0 (type crb or tis, doesn't matter) with default backend settings.
2. Install windows 11
3. Observe on the installed system whether tpm is present. If not, it might be installation will actually fail.

Expected behavior

I would expect tpm to be properly detected and working.

Desktop (please complete the following information):

• OS: Fedora
• Version 42

Versions of relevant components

• swtpm: 0.10.1
• libtpms: 0.10.1
• openssl: 3.2.6
• gnutls: 3.8.10
• ...:

Log files
Please attach any log files. If using a VM and it was started with libvirt, attach the logfile found in /var/log/swtpm/libvirt/qemu/VM-NAME-swtpm.log.

win11-swtpm.log

Additional context

I have tried switching profiles between default-v1 and null, of course removing tpm state when changing them. No luck.
Also, sometimes, rarely, the tpm seems to be detected and work. But it's likely random.

[stefanberger]

I have tried switching profiles between default-v1 and null, of course removing tpm state when changing them. No luck.
Also, sometimes, rarely, the tpm seems to be detected and work. But it's likely random.

Did you try this with the swtpm instance that was attached to the win11 VM? I hope you made a backup of its state because otherwise the Bitlocker key won't work anymore. You would have to restore the old TPM state.

Are you using UEFI with your VM? If so, can you enter the Device Manager and then do you see the "TCG2 Configuration" menu? Is it always there or only sometimes? Maybe there is an issue in edk2/UEFI. Do you happen to attach a GPU to your VM? Also, since when do you see the issue? Any correlation with updates?

[webczat]

First, note I am blind and don't see images.
Second: Last time I checked I didn't see tcg configuration. It's hard to compare the situations when tpm is there or not because it's like 99% not present, 1% present.
third: I can do whatever you want because as I've said I turned off bitlocker for now. So I don't need a tpm state backup and can freely delete it.
Also yeah, using ovmf/uefi with secureboot. I really don't remember when that started happening, but likely few months ago. like less than 6 I'd say, let's say up to 4 months ago. but only three days ago or such like I noticed that the cause is tpm not working.

[webczat]

ahh and... no, no gpu

[stefanberger]

I am on the same level of swtpm/libtpms/openssl/gnutls packages on F42 as you are but do not see the issue with a win10 VM.

[webczat]

does the log contain anything useful?

[stefanberger]

does the log contain anything useful?

Since the swtpm instance is working fine, I would not expect anything interesting in the log. There are only lines like this:

Warning: Profile-enabled algorithms contain disabled 'RSA-1024-sign(SHA1, pkcs1-pss)'
Warning: Setting OPENSSL_ENABLE_SHA1_SIGNATURES=1

[webczat]

Well, at the bottom of the log there are some reads and writes. I assumed it might be that windows received a tpm respponse that it deemed invalid. As in swtpm works but doesn't support something windows wants, or something along the lines.
Actually I see windows tries to communicate with it and it's visible in the logs, last read and write before the shutdown one.

[stefanberger]

Actually I see windows tries to communicate with it and it's visible in the logs, last read and write before the shutdown one.

Right. But I don't know where this is coming from:

 SWTPM_IO_Read: length 22
 80 01 00 00 00 16 00 00 01 7A 00 00 00 06 00 00 
 01 00 00 00 00 2A 
    IsEnEnabled(0x17a = 'GetCapability'): 1
 SWTPM_IO_Write: length 10
 80 01 00 00 00 0A 00 00 01 00 

The return code 0x100 (last two bytes from response) indicates that no TPM2_Startup was sent, which is typically what UEFI would do. So maybe there's something wrong with edk2, but I cannot reproduce it.

[webczat]

My ovmf version is 20250523
It might in theory be that ovmf is compiled without tpm support? but then why does it works one of thousant tries? weird

[stefanberger]

My ovmf version is 20250523 It might in theory be that ovmf is compiled without tpm support? but then why does it works one of thousant tries? weird

I tried it with the same version. I have not seen the VM not having its vTPM.

[webczat]

some difference in configuration? idk... I mean I don't get what's happening.

[webczat]

okay. It seems it works now.
ovmf changed something in the way it's build or something. I was using the .fd files, but suddenly it stopped working. when I removed in libvirt configuration and let it reselect the correct firmware files, it now works.
So it might be fedora packaging problem or something.

[RinCat]

I run into the same issue, and I found 20241117-5.fc41 build works fine, but not newer 20250523-16.fc42 or 20250812-21.fc43 .

https://packages.fedoraproject.org/pkgs/edk2/edk2-ovmf/

[webczat]

do what I did. remove the tag from the os element in libvirt vm config. and remove your efi variable file, I think that's also necessary.