On VirtualBox 7, I'm using virtual SmartCards "TPMVSC" as described at https://learn.microsoft.com/de-de/windo ... et-started
Just a short time after setting it up on two devices, I notice that they work very unstably: after several restarts, the TPMVSC suddenly changes its state to "Device cannot be started" and loses all functionality. Only deleting and recreating the TPMVSC can help - unfortunately, after several restarts the problem repeats itself.
Is anyone here familiar with this problem?
I have used TPMVSC for ages on both physical machines and VMs (Hyper-V!) - never a problem. Just on VirtualBox, there seems to be this glitch.
vTPM based SmartCards unstable on VBox7?
- Site Moderator
- Posts: 20945
- Joined: 30. Dec 2009, 20:14
- Primary OS: MS Windows 10
- VBox Version: PUEL
- Guest OSses: Windows, Linux
Re: vTPM based SmartCards unstable on VBox7?
Use of the TPM is new for VirtualBox. There could be further implementations needed. You may need to wait for a bit for a forum guru to look into this. Meanwhile a full VM log where the smart card works and another where it is failing (two logs, one working, one failing) may help:
Please start the VM from full normal shutdown, not save-state. Run until you see the problem happen, then shut down the VM from within the VM's OS if possible. If not possible, close the Virtualbox window for the VM with the Power Off option set.
Right-click the VM in the main Virtualbox window's VM list, choose Show in Explorer/Finder/File Manager. In the "Logs" subfolder, zip the VM's "vbox.log", and post the zip file, using the forum's Attachments tab. (Configure your host OS to show all extensions so you can find the "vbox.log", not "vbox.log.1", etc.)
- Volunteer
- Posts: 5678
- Joined: 14. Feb 2019, 03:06
- Primary OS: Mac OS X other
- VBox Version: PUEL
- Guest OSses: Linux, Windows 10, ...
- Location: Germany
Re: vTPM based SmartCards unstable on VBox7?
FWIW, there have been reports from a few users that the virtual TPM data (the permall file) sometimes gets corrupted, with the consequence of the Windows guest OS not recognizing the TPM any more. See "TCG2 Configuration not appear on Win 11 guest" for the gory details.
Re: vTPM based SmartCards unstable on VBox7?
Sorry for one week of silence - it took time to get things sorted, but now I see more clearly.
The problem does ONLY happen when the hypervisor restarts.
It does NOT happen when the VMs shut down/restart.
Logging at the host is not that easy since we use a proprietary adaptation of VirtualBox that runs on a customized Linux with very few ways to interact with it. I will ask the manufacturer about logging options soon.
For the progress:
In the VM's system event log, I find event 15. This event is seen after setting up the TPM-based SmartCard and then doing a hypervisor restart:
The device driver for the Trusted Platform Module (TPM) encountered a non-recoverable error in the TPM hardware, which prevents TPM services (such as data encryption) from being used. For further help, please contact the computer manufacturer.
Conclusion so far: Windows 10's implementation of TPM-based SmartCards ("TPMVSC") does work on VBox 7.0.12 (latest extension pack installed as well). However, there seems to be something going on at hypervisor restarts that mangles something the TPMVSC expects to find, so it does not start afterwards (Device Manager: "This device cannot start. (Code 10)"), while the TPM itself is listed as "This device is working properly" in Device Manager.
Side note: as I have seen in other threads here, people have noticed that VBox's vTPM does not support attestation. Please look into that yourselves: Windows -> Settings -> Update and Security -> Windows Security -> Device security -> Security processor -> Security processor details -> Attestation: "not supported". Also, if you click on "Security processor troubleshooting", you get "Can't get TPM information".
So it seems to be true that VBox's implementation of vTPM has issues, in its latest version at least.
Next will be the logs. Possibly some of you will be interested in reproducing the issue as well, so I offer here the commands for creating a virtual SmartCard (and for destroying it after a test):
Code:
tpmvscmgr.exe create /name tpmvsc /pin default /adminkey random /generate
(creates it and sets the PIN to 12345678)
Code:
TpmVscMgr destroy /instance root\smartcardreader\0000
(destroys it). Both need to be executed on an elevated command prompt.
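As an added diagnostic example (not posted by anyone in this thread), the following script gathers, from inside the Windows guest, the three signals the post above describes after a hypervisor restart: the TPM itself reporting healthy, the TPMVSC reader device failing with Code 10, and TPM event ID 15 in the System log. It assumes an elevated PowerShell session in the guest and uses the reader instance path root\smartcardreader\0000 from the destroy command above; it only reads state and changes nothing.

```powershell
# Added example, not from the thread. Run elevated inside the Windows guest.
# Collects TPM state, the virtual smart card reader's Device Manager status,
# and TPM event ID 15 entries since the last boot, so a working and a failing
# boot can be compared alongside the vbox.log files requested above.

# 1. TPM state as Windows sees it (Get-Tpm, TrustedPlatformModule module).
$tpm = Get-Tpm
[pscustomobject]@{
    TpmPresent = $tpm.TpmPresent
    TpmReady   = $tpm.TpmReady
    TpmEnabled = $tpm.TpmEnabled
} | Format-List

# 2. Virtual smart card reader device(s). The instance path prefix comes from
#    the thread's destroy command. ConfigManagerErrorCode 10 is what Device
#    Manager shows as "This device cannot start. (Code 10)"; 0 means healthy.
Get-PnpDevice -ErrorAction SilentlyContinue |
    Where-Object { $_.InstanceId -like 'ROOT\SMARTCARDREADER\*' } |
    Select-Object InstanceId, FriendlyName, Status, ConfigManagerErrorCode |
    Format-Table -AutoSize

# 3. TPM event ID 15 in the System log since the last boot. The filter keys on
#    the message text rather than the provider name so it matches the entry
#    quoted in the thread regardless of how the source is labelled.
#    Get-WinEvent errors when nothing matches, so that case is reported explicitly.
$boot   = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
$filter = @{ LogName = 'System'; Id = 15; StartTime = $boot }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Trusted Platform Module' }

if ($events) {
    $events | Select-Object TimeCreated, ProviderName, Message | Format-List
} else {
    "No TPM event ID 15 recorded since boot at $boot"
}
```

Run it once on a boot where the TPMVSC works and once after a hypervisor restart where it fails; a reader with ConfigManagerErrorCode 10 next to a TPM that still reports TpmReady reproduces the split the post describes.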
Re: vTPM based SmartCards unstable on VBox7?
More tests, more results!
Using VBox 7.0.14 on Windows, I see error ID 15 in the system log as well; however, the TPM works as expected, at least when it comes to virtual SmartCards and BitLocker.
On the customized Linux that I have problems with, I can't use BitLocker (TPM protector fails to work after a host restart), nor TPMVSC (as said). So it seems either this customized Linux has a customized VBox as well (and its vTPM implementation is broken!), or the Linux version in general is not capable of correctly supplying a vTPM.
Could someone of you running VBox 7.x on a Linux with Windows guests test and confirm that, please? I have just one mere Linux machine here to test with apart from that customized "problem machine".
Re: vTPM based SmartCards unstable on VBox7?
@MTG - The link you posted is in German. Is there an English version?
- Volunteer
- Posts: 5678
- Joined: 14. Feb 2019, 03:06
- Primary OS: Mac OS X other
- VBox Version: PUEL
- Guest OSses: Linux, Windows 10, ...
- Location: Germany
Re: vTPM based SmartCards unstable on VBox7?
Try replacing "de-de" with "en-us" inside the URL.
Re: vTPM based SmartCards unstable on VBox7?
Exactly, https://learn.microsoft.com/en-us/windo ... et-started is the English version.
In the meantime, I have had someone test it on Ubuntu 22 - no problems!
And on the latest SUSE: vTPM is not even available, the TPM device does not start correctly.
So it looks as if different distributions show different results in this respect. The manufacturer of our Linux product is looking into it as well, but they haven't produced results yet.