Secure Boot for Windows Virtual Machines on Proxmox – The easy way!

Guide on how to add Secure Boot and Trusted Platform Module (TPM) support for Proxmox Windows 11 Virtual Machines using pre-built binaries.


To make this process simpler, this walk-through uses binaries that I have compiled for the Debian packages and the UEFI bios.

If you are uncomfortable downloading these, please refer to my other walk-through that compiles all of these from source.


Note: Any and all comments/improvements are welcomed.


What is Secure Boot?

Secure Boot is a security standard that helps make sure that a device boots using trusted software. This feature and the underlying hardware Trusted Platform Module (TPM) are also required by Windows to enable certain features such as BitLocker disk encryption.


Secure Boot and Windows 11

Whilst this feature has been around since Microsoft Windows 8, it has gained a lot of coverage in the press because Microsoft initially stated that Windows 11 would only install on machines that supported Secure Boot and had it enabled. Currently it is unknown if Microsoft will eventually require Secure Boot for Windows 11.

It could be said that using Secure Boot with virtual machines is pointless; however, certain corporate environments require features like BitLocker to be enabled for a machine to be “compliant” and join their corporate network.


Proxmox and Secure Boot

Proxmox 7.x does not currently support Secure Boot but there has been a significant amount of work done to enable it in the underlying QEMU open source machine emulation and virtualization technology.

This walkthrough leverages that work to provide an updated OVMF UEFI virtual machine bios and a Virtual TPM to support it.

This process is by no means integrated into the Proxmox web interface; virtual machines need to be started from the shell.


Note: This guide is based on the excellent work by the following people. Many thanks for all your hard work.


Download Binaries

First we need to download four files: the Debian packages for swtpm and libtpms (which together emulate a TPM), the recompiled UEFI bios (OVMF) and the launch script vTPM-launch.sh.

wget https://github.com/garjones/gareth.com/raw/main/libtpms_0.9-1_amd64.deb
wget https://github.com/garjones/gareth.com/raw/main/swtpm_0.7.0-1_amd64.deb
wget https://raw.githubusercontent.com/garjones/gareth.com/main/OVMF.fd
wget https://raw.githubusercontent.com/garjones/gareth.com/main/vTPM-launch.sh

Install Debian Packages

Install the two Debian packages using dpkg:

dpkg -i ./libtpms_0.9-1_amd64.deb
dpkg -i ./swtpm_0.7.0-1_amd64.deb 
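
The download and install steps above fetch unsigned binaries and install them as root, so a pinned-digest gate before dpkg is worth having. The following is an added example, not part of the original post or its scripts; the manifest name pins.sha256 and the function verify_pinned are assumptions, and the manifest is one you create yourself from copies you have reviewed or built from source.

```bash
#!/bin/bash
# Added example: refuse to install unless every downloaded file matches a digest
# you pinned earlier. pins.sha256 is a hypothetical manifest in sha256sum format,
# created once from known-good copies:
#   sha256sum libtpms_0.9-1_amd64.deb swtpm_0.7.0-1_amd64.deb OVMF.fd vTPM-launch.sh > pins.sha256

REQUIRED_FILES="libtpms_0.9-1_amd64.deb swtpm_0.7.0-1_amd64.deb OVMF.fd vTPM-launch.sh"

# verify_pinned <manifest> <dir>: return 0 only if every required file is listed
# in the manifest AND its current digest equals the pinned one. A plain
# "sha256sum -c" would pass a file that is simply absent from the manifest.
verify_pinned() {
    manifest=$1; dir=$2
    [ -r "$manifest" ] || { echo "no manifest: $manifest" >&2; return 1; }
    for f in $REQUIRED_FILES; do
        # manifest lines look like "<hex>  <name>" or "<hex> *<name>"
        want=$(awk -v n="$f" '{ sub(/^\*/, "", $2) } $2 == n { print $1; exit }' "$manifest")
        [ -n "$want" ] || { echo "not pinned: $f" >&2; return 1; }
        [ -f "$dir/$f" ] || { echo "missing: $f" >&2; return 1; }
        have=$(sha256sum "$dir/$f" | awk '{ print $1 }')
        [ "$want" = "$have" ] || { echo "digest mismatch: $f" >&2; return 1; }
    done
    return 0
}

# Intended use on the Proxmox host (commented out so nothing installs by accident):
# verify_pinned ./pins.sha256 . && dpkg -i ./libtpms_0.9-1_amd64.deb ./swtpm_0.7.0-1_amd64.deb
```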

Starting your VM

The launch script creates a temporary copy of your Virtual machine configuration and modifies it to use the new custom OVMF bios and adds entries to connect to the virtual TPM. It then starts the swtpm socket service and finally launches the virtual machine. The socket service runs in the background until the virtual machine is stopped.

#!/bin/bash

# launch script for Proxmox VM with a virtual TPM

# check for VMID
re='^[0-9]+$'
if ! [[ $1 =~ $re ]] ; then echo "Usage: $0 <VMID>" ; exit 1 ; fi
VMID=$1

# custom OVMF image; this must be the location OVMF.fd was downloaded to
OVMF=/root/OVMF.fd

# dump the VM's full QEMU command line into a temp launch script
qm showcmd "$VMID" --pretty > "launch$VMID.sh"
chmod +x "launch$VMID.sh"

# replace the stock OVMF with our updated one
# before: -drive 'if=pflash,unit=0,format=raw,readonly=on,file=/usr/share/pve-edk2-firmware//OVMF_CODE.fd' \
# after:  -drive 'if=pflash,unit=0,format=raw,readonly=on,file=/root/OVMF.fd' \
sed -i "s#/usr/share/pve-edk2-firmware//OVMF_CODE.fd#$OVMF#" "launch$VMID.sh"

# add a \ to the last line
sed -i '$ s/$/ \\/' "launch$VMID.sh"

# append the required extra lines to the file
echo " -chardev 'socket,id=chrtpm,path=//var/tpm$VMID/swtpm-sock' \\" >> "launch$VMID.sh"
echo " -tpmdev 'emulator,id=tpm$VMID,chardev=chrtpm' \\"              >> "launch$VMID.sh"
echo " -device 'tpm-tis,tpmdev=tpm$VMID' \\"                          >> "launch$VMID.sh"
echo " -bios $OVMF"                                                   >> "launch$VMID.sh"

# create folder for the socket and the TPM state
mkdir -p "/var/tpm$VMID"

# launch the service in the background
swtpm socket --tpmstate dir="/var/tpm$VMID" --tpm2 --ctrl type=unixio,path="/var/tpm$VMID/swtpm-sock" &

# launch VM
"./launch$VMID.sh"

# delete temp launch script
rm "./launch$VMID.sh"
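
The sed substitution in the launch script fails silently if the stock firmware path ever differs from the pattern, and the VM then boots the stock OVMF with no error. The following preflight check is an added example, not part of the original script; check_launch_file, its helpers and the sample launch file are assumptions made for illustration, and it could be called on launch<VMID>.sh before the VM is started.

```bash
#!/bin/bash
# Added example (not the post's own code): preflight check for launch<VMID>.sh.
# sed -i exits 0 even when its pattern matches nothing, so a changed stock
# firmware path would leave the VM on the stock OVMF without any error.

norm() { printf '%s\n' "$1" | sed 's#//*#/#g'; }   # /root//OVMF.fd -> /root/OVMF.fd

# field <file> <regex-with-one-group>: print the group from the first matching line
field() { sed -n "s/.*$2.*/\1/p" "$1" | head -n 1; }

# check_launch_file <file> <vmid> <ovmf>: return 0 only if every firmware
# reference is <ovmf> and the TPM options are bound to /var/tpm<vmid>/swtpm-sock.
check_launch_file() {
    file=$1; vmid=$2; ovmf=$(norm "$3"); bad=0
    fw=$(sed -n -e "s/.*if=pflash,unit=0,[^']*file=\([^',]*\).*/\1/p" \
                -e "s/.*-bios  *'*\([^ ']*\).*/\1/p" "$file")
    [ -n "$fw" ] || { echo "no firmware reference found" >&2; bad=1; }
    for p in $fw; do
        [ "$(norm "$p")" = "$ovmf" ] || { echo "firmware $p is not $ovmf" >&2; bad=1; }
    done
    cid=$(field "$file" "-chardev  *'socket,id=\([^,']*\),")
    cpath=$(field "$file" "-chardev  *'socket,id=[^,']*,path=\([^,']*\)")
    tid=$(field "$file" "-tpmdev  *'emulator,id=\([^,']*\),")
    tchar=$(field "$file" "-tpmdev  *'emulator,id=[^,']*,chardev=\([^,']*\)")
    dev=$(field "$file" "-device  *'tpm-tis,tpmdev=\([^,']*\)")
    [ -n "$cid" ] && [ "$cid" = "$tchar" ] || { echo "tpmdev is not bound to the chardev" >&2; bad=1; }
    [ -n "$tid" ] && [ "$tid" = "$dev" ] || { echo "tpm-tis is not bound to the tpmdev" >&2; bad=1; }
    [ "$(norm "$cpath")" = "/var/tpm$vmid/swtpm-sock" ] || { echo "unexpected socket: $cpath" >&2; bad=1; }
    return $bad
}

# sample_launch <pflash-path> <bios-path> <vmid>: constructed launch file, cut
# down to the options the check reads (not real `qm showcmd` output).
sample_launch() {
    cat <<EOF
/usr/bin/kvm \\
  -id $3 \\
  -drive 'if=pflash,unit=0,format=raw,readonly=on,file=$1' \\
  -chardev 'socket,id=chrtpm,path=//var/tpm$3/swtpm-sock' \\
  -tpmdev 'emulator,id=tpm$3,chardev=chrtpm' \\
  -device 'tpm-tis,tpmdev=tpm$3' \\
  -bios $2
EOF
}
```

A non-zero return means the VM should not be started; the messages on stderr name which reference is wrong.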

First, configure the virtual machine in Proxmox as you would normally, making a note of the VMID (101 etc).

Next, run the script, passing in the VMID:

./vTPM-launch.sh 201

Looking at the Proxmox console you will see that the machine is using the custom OVMF UEFI bios.

[Image: Proxmox vTPM boot screen]

After Windows is booted, opening the TPM Microsoft Management Console shows that Windows recognizes a valid TPM!

[Image: TPM Management MMC]

Job done.

References:
1. [Guide] vTPM and Secureboot capability in a Proxmox-KVM [For Windows 11] – https://www.reddit.com/r/Proxmox/comments/oai5cr/guide_vtpm_and_secureboot_capability_in_a/
2. Common EDK II Build Instructions for Linux – https://github.com/tianocore/tianocore.github.io/wiki/Common-instructions
3. VTPM [rayures] – https://github.com/rayures/vTPM
4. Stefan Berger – libtpms and swtpm – https://github.com/stefanberger/
5. Gareth Jones – https://github.com/garjones/gareth.com/blob/main/vTPM-install.sh
