To make this process simpler, this walk-through uses binaries that I have compiled for the Debian packages and the UEFI bios.
If you are uncomfortable downloading these, please refer to my other walk-through that compiles all of these from source.
Note: Any and all comments/improvements are welcomed.
What is Secure Boot?
Secure Boot is a security standard that helps make sure that a device boots using trusted software. This feature and the underlying hardware Trusted Platform Module (TPM) are also required by Windows to enable certain features such as BitLocker disk encryption.
Secure Boot and Windows 11
Whilst this feature has been around since Microsoft Windows 8, it has gained a lot of coverage in the press because initially Microsoft stated that Microsoft Windows 11 would only install on machines that supported and had Secure Boot enabled. Currently it is unknown if Microsoft will eventually require Secure Boot for Windows 11.
It could be said that using Secure Boot with virtual machines is pointless; however, certain corporate environments require features like BitLocker to be enabled for a machine to be “compliant” and join their corporate network.
Proxmox and Secure Boot
Proxmox 7.x does not currently support Secure Boot but there has been a significant amount of work done to enable it in the underlying QEMU open source machine emulation and virtualization technology.
This walkthrough leverages that work to provide an updated OVMF UEFI virtual machine bios and a Virtual TPM to support it.
This process is by no means integrated into the Proxmox web interface; virtual machines need to be started from the shell.
Note: This guide is based on the excellent work by the following people, many thanks for all your hard work.
- vTPM and Secureboot capability in a Proxmox-KVM by zimsneexh
- Common EDK II Build Instructions for Linux
- Software emulation of a Trusted Platform Module by rayures
- libtpms & swtpm by Stefan Berger
First we need to download the Debian packages for swtpm and libtpms which emulate a TPM, the recompiled UEFI bios – OVMF and the launch script vTPM-launch.sh.
wget https://github.com/garjones/gareth.com/raw/main/libtpms_0.9-1_amd64.deb
wget https://github.com/garjones/gareth.com/raw/main/swtpm_0.7.0-1_amd64.deb
wget https://raw.githubusercontent.com/garjones/gareth.com/main/OVMF.fd
wget https://raw.githubusercontent.com/garjones/gareth.com/main/vTPM-launch.sh
Install Debian Packages
Install the two Debian packages using dpkg:
dpkg -i ./libtpms_0.9-1_amd64.deb
dpkg -i ./swtpm_0.7.0-1_amd64.deb
Starting your VM
The launch script creates a temporary copy of your virtual machine configuration, modifies it to use the new custom OVMF bios and adds entries to connect to the virtual TPM. It then starts the swtpm socket service and finally launches the virtual machine. The socket service runs in the background until the virtual machine is stopped.
#!/bin/bash
# launch script for Proxmox VM with a virtual TPM

# check for VMID
re='^[0-9]+$'
if ! [[ $1 =~ $re ]] ; then
  echo "Usage: $0 <VMID>" ; exit 1 ;
fi

# dump vm configuration into temp launch script
qm show $1 --pretty > launch$1.sh
chmod +x launch$1.sh

# replace OVMF with our updated one
# -drive 'if=pflash,unit=0,format=raw,readonly=on,file=/usr/share/pve-edk2-firmware//OVMF_CODE.fd' \
# -drive 'if=pflash,unit=0,format=raw,readonly,file=/root//OVMF.fd' \
# NOTE: this substitution writes /root/vtpm//OVMF.fd while -bios below uses
# /root/OVMF.fd, so OVMF.fd has to be present at both paths
sed -i 's/usr\/share\/pve-edk2-firmware\/\/OVMF_CODE.fd/root\/vtpm\/\/OVMF.fd/' launch$1.sh

# add a \ to the last line
sed -i '$ s/$/ \\/' launch$1.sh

# append the required extra lines to the file
echo " -chardev 'socket,id=chrtpm,path=//var/tpm$1/swtpm-sock' \\" >> launch$1.sh
echo " -tpmdev 'emulator,id=tpm$1,chardev=chrtpm' \\" >> launch$1.sh
echo " -device 'tpm-tis,tpmdev=tpm$1' \\" >> launch$1.sh
echo " -bios /root/OVMF.fd" >> launch$1.sh

# create folder for the socket
[ ! -d "/var/tpm$1" ] && mkdir /var/tpm$1

# launch the service in the background
swtpm socket --tpmstate dir=/var/tpm$1 --tpm2 --ctrl type=unixio,path=/var/tpm$1/swtpm-sock &

# launch VM
./launch$1.sh

# delete temp launch script
rm ./launch$1.sh
First, configure the virtual machine in Proxmox as you would normally, making a note of the VMID (101 etc).
Next, run the script, passing in the VMID.
Looking at the Proxmox console you will see that the machine is using the custom OVMF UEFI bios.
After Windows is booted, opening the TPM Microsoft Management Console shows that Windows recognizes a valid TPM!
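A pre-flight check for the launch script above, as an added example that is not part of the author's vTPM-launch.sh: it confirms that the generated launch file really received the firmware swap and the three vTPM arguments, and it creates the swtpm state directory for its owner only. The function names check_launch_file and prepare_tpm_dir are hypothetical; the argument strings are the ones the launch script writes.

```bash
#!/bin/bash
# Added example, not part of vTPM-launch.sh. Function names are hypothetical.

# check_launch_file FILE VMID
# Succeeds only if the generated launch file carries the three vTPM arguments
# for VMID, no longer references the stock firmware, and every OVMF.fd path
# it names exists on disk.
check_launch_file() {
    local file=$1 vmid=$2 fw rc=0

    grep -q -- "-chardev 'socket,id=chrtpm,path=//var/tpm$vmid/swtpm-sock'" "$file" ||
        { echo "missing swtpm chardev for VM $vmid" >&2; rc=1; }
    grep -q -- "-tpmdev 'emulator,id=tpm$vmid,chardev=chrtpm'" "$file" ||
        { echo "missing tpmdev for VM $vmid" >&2; rc=1; }
    grep -q -- "-device 'tpm-tis,tpmdev=tpm$vmid'" "$file" ||
        { echo "missing tpm-tis device for VM $vmid" >&2; rc=1; }

    # sed -i exits 0 even when its pattern matched nothing, so look for the
    # path it was supposed to replace.
    if grep -q 'pve-edk2-firmware//OVMF_CODE.fd' "$file"; then
        echo "stock OVMF_CODE.fd still referenced" >&2; rc=1
    fi

    # Both the pflash drive and -bios must point at a file that exists.
    for fw in $(grep -o "/[^ ,']*OVMF\.fd" "$file" | sort -u); do
        [ -f "$fw" ] || { echo "firmware not found: $fw" >&2; rc=1; }
    done
    return "$rc"
}

# prepare_tpm_dir DIR
# Creates the swtpm state directory readable by its owner only; it holds the
# TPM state and the control socket. Refuses a symlink placed at DIR.
prepare_tpm_dir() {
    local dir=$1
    if [ -L "$dir" ]; then
        echo "refusing symlink: $dir" >&2
        return 1
    fi
    mkdir -p "$dir" && chmod 700 "$dir"
}
```

In the launch script these would run as `prepare_tpm_dir /var/tpm$1` before swtpm is started and `check_launch_file launch$1.sh $1` before `./launch$1.sh`.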
1. [Guide] vTPM and Secureboot capability in a Proxmox-KVM [For Windows 11] – https://www.reddit.com/r/Proxmox/comments/oai5cr/guide_vtpm_and_secureboot_capability_in_a/
2. Common EDK II Build Instructions for Linux – https://github.com/tianocore/tianocore.github.io/wiki/Common-instructions
3. VTPM [rayures] – https://github.com/rayures/vTPM
4. Stefan Berger – libtpms and swtpm – https://github.com/stefanberger/
5. Gareth Jones – https://github.com/garjones/gareth.com/blob/main/vTPM-install.sh