Bitlocker-tripping hardware change with 5.2.0?

qemu-discuss

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Bitlocker-tripping hardware change with 5.2.0?

From:	Michael Weiser
Subject:	Bitlocker-tripping hardware change with 5.2.0?
Date:	Wed, 16 Dec 2020 16:18:09 +0100

Hello,

I have a Windows 10 with BitLocker activated running happily in
libvirtd/virt-manager.

After upgrading to qemu 5.2.0 it refuses to boot and presents a screen
with blue background where Bitlocker explains that the hardware
configuration has changed and I need to enter a recovery key.
Going back to 5.1.0 makes it boot again.

Is this expected behaviour?
How can I figure out what trips Bitlocker?

I was expecting to work around this kind of issue by using a VM and
keeping the virtualised hardware stable (e.g. -machine pc-q35-5.1).

IIRC I needed to activate swtpm in TIS and version 1.2 mode by trial and
error because that was the only combo that worked for Bitlocker. The
machine runs in BIOS mode and thus without SecureBoot because I wanted
internal snapshots to work.

I have extracted and simplified the qemu command from libvirtd somewhat
and can reproduce the issue while running swtpm manually.

I have verified the behaviour with a freshly installed Windows 10 and
qemu 5.2.0 and today's git HEAD compiled from source.

The following exact same commands have the machine booting when using
qemu 5.1.0 and end up in the Bitlocker recovery screen when using 5.2.0
or git HEAD:

/usr/bin/swtpm socket
--ctrl type=unixio,path=11-win10-bitlocker-swtpm.sock,mode=0600
--tpmstate dir=bf566263-35e3-4dba-af8c-8ca85dba6a85/tpm1.2,mode=0600

qemu-system-x86_64 -machine pc-q35-5.1 -m 4096
-uuid bf566263-35e3-4dba-af8c-8ca85dba6a85 -no-user-config
-blockdev
'{"driver":"file","filename":"win10-bitlocker.qcow2","node-name":"libvirt-2-storage","auto-read-only":true,"discard":"unmap"}'
-blockdev
'{"node-name":"libvirt-2-format","read-only":false,"driver":"qcow2","file":"libvirt-2-storage","backing":null}'
-device ide-hd,bus=ide.0,drive=libvirt-2-format,id=sata0-0-0,bootindex=1
-tpmdev emulator,id=tpm-tpm0,chardev=chrtpm
-chardev socket,id=chrtpm,path=11-win10-bitlocker-swtpm.sock
-device tpm-tis,tpmdev=tpm-tpm0,id=tpm0

This appears to be the minimum set of options. Any change to any of them
and the machine won't boot with 5.1.0 either.
--
Thanks,
Michael

[Prev in Thread]

Current Thread

[Next in Thread]

Bitlocker-tripping hardware change with 5.2.0?, Michael Weiser <=
- Re: Bitlocker-tripping hardware change with 5.2.0?, Marc-André Lureau, 2020/12/16
  - Re: Bitlocker-tripping hardware change with 5.2.0?, Michael Weiser, 2020/12/16
    - Re: Bitlocker-tripping hardware change with 5.2.0?, Marc-André Lureau, 2020/12/17
    - Re: Bitlocker-tripping hardware change with 5.2.0?, Stefan Berger, 2020/12/19
    - Re: Bitlocker-tripping hardware change with 5.2.0?, Michael Weiser, 2020/12/20
    - Re: Bitlocker-tripping hardware change with 5.2.0?, Stefan Berger, 2020/12/20

Prev by Date: Re: Sound error: Could not initialize DirectSoundCapture
Next by Date: Re: Bitlocker-tripping hardware change with 5.2.0?
Previous by thread: qemu-nbd trouble: UPD
Next by thread: Re: Bitlocker-tripping hardware change with 5.2.0?
Index(es):
- Date
- Thread