vTPM based SmartCards unstable on VBox7?

MTG
Posts: 4
Joined: 8. Jan 2024, 17:37

vTPM based SmartCards unstable on VBox7?

Post by MTG »

On VirtualBox 7, I'm using virtual SmartCards "TPMVSC" as described at https://learn.microsoft.com/de-de/windo ... et-started

Just a short time after setting it up on two devices, I notice that they are very unstable: after several restarts, the TPMVSC suddenly changes its state to "Device cannot be started" and loses all functionality. Only deleting and recreating the TPMVSC can help - unfortunately, after several restarts the problem repeats itself.

Is anyone here familiar with this problem?

I have used TPMVSC for ages on both physical machines and VMs (Hyper-V!) - never a problem. Just on VirtualBox, there seems to be this glitch.
scottgus1
Site Moderator
Posts: 20945
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: vTPM based SmartCards unstable on VBox7?

Post by scottgus1 »

Use of the TPM is new for VirtualBox. There could be further implementations needed. You may need to wait for a bit for a forum guru to look into this. Meanwhile, a full VM log where the smart card works and another where it is failing (two logs, one working, one failing) may help:

Please start the VM from full normal shutdown, not save-state. Run until you see the problem happen, then shut down the VM from within the VM's OS if possible. If not possible, close the Virtualbox window for the VM with the Power Off option set.

Right-click the VM in the main VirtualBox window's VM list, choose Show in Explorer/Finder/File Manager. In the "Logs" subfolder, zip the VM's "vbox.log", and post the zip file, using the forum's Attachments tab. (Configure your host OS to show all extensions so you can find the "vbox.log", not "vbox.log.1", etc.)
fth0
Volunteer
Posts: 5678
Joined: 14. Feb 2019, 03:06
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Linux, Windows 10, ...
Location: Germany

Re: vTPM based SmartCards unstable on VBox7?

Post by fth0 »

FWIW, there have been reports from a few users that the virtual TPM data (the permall file) sometimes gets corrupted, with the consequence of the Windows guest OS not recognizing the TPM any more. See TCG2 Configuration not appear on Win 11 guest for the gory details.
MTG
Posts: 4
Joined: 8. Jan 2024, 17:37

Re: vTPM based SmartCards unstable on VBox7?

Post by MTG »

Sorry for one week of silence - it took time to get things sorted, but now I see more clearly.
The problem ONLY happens when the hypervisor restarts.
It does NOT happen when the VMs shut down/restart.

Logging at the host is not that easy since we use a proprietary adaptation of VirtualBox that runs on a customized Linux with very few ways to interact with it. I will ask the manufacturer about logging options soon.

On the progress:
In the VM's system event log, I find event 15:
The device driver for the Trusted Platform Module (TPM) encountered a non-recoverable error in the TPM hardware, which prevents TPM services (such as data encryption) from being used. For further help, please contact the computer manufacturer.
This event is seen after setting up the TPM-based SmartCard and then doing a hypervisor restart.

Conclusion so far: Windows 10's implementation of TPM-based SmartCards ("TPMVSC") does work on VBox 7.0.12 (latest extension pack installed as well). However, there seems to be something going on at hypervisor restarts that mangles something the TPMVSC expects to find, so it does not start afterwards (device manager: "This device cannot start. (Code 10)") while the TPM itself is listed as "This device is working properly" in device manager.

Side note: as I have seen in other threads here, people have noticed that VBox's vTPM does not support attestation. Please look into that yourselves: windows->settings->update and security->windows security->device security->security processor->security processor details->Attestation: "not supported". Also, if you click on "Security processor troubleshooting", you get "Can't get TPM information".
So it seems to be true that VBox's implementation of vTPM has issues, in its latest version at least.

Next will be the logs. Possibly, some of you will be interested in reproducing the issue as well, so I offer here the commands for creating a virtual SmartCard (and for destroying it after a test):

    tpmvscmgr.exe create /name tpmvsc /pin default /adminkey random /generate

(creates it and sets the PIN to 12345678)

    TpmVscMgr destroy /instance root\smartcardreader\0000

(destroys it). Both need to be executed on an elevated command prompt.
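A guest-side health check, added here as an example and not posted by anyone in this thread, that collects the three signals described above (TPM status as Windows reports it, the virtual smart card reader's Device Manager problem code, and TPM event ID 15 in the System log) into one object, so the working and failing states can be compared after each host restart. It assumes the TrustedPlatformModule and PnpDevice cmdlets that ship with Windows 10/11, the reader instance ID root\smartcardreader\0000 from the destroy command above, and it filters event 15 by a provider name containing "TPM", which is an assumption based on the quoted event text.

```powershell
# Added example: guest-side TPM / TPMVSC health check. Run in an elevated
# PowerShell inside the Windows guest after a host (hypervisor) restart.
# Assumptions: Get-Tpm, Get-PnpDevice, Get-PnpDeviceProperty, Get-WinEvent are
# available (built into Windows 10/11); the virtual reader lives under
# ROOT\SMARTCARDREADER\* (from the tpmvscmgr destroy command in the thread);
# event ID 15 is matched on a provider name containing 'TPM' (assumption).

function Get-TpmVscHealth {
    param(
        # How far back to look in the System log for TPM event 15
        [int]$LookbackHours = 24
    )

    # 1. The TPM itself, as Windows sees it (the thread reports this looks fine
    #    in Device Manager even while the reader is broken)
    $tpm = Get-Tpm

    # 2. Virtual smart card reader(s) created by tpmvscmgr and their PnP problem
    #    code. Code 10 is "This device cannot start", the state reported above.
    $readers = @(Get-PnpDevice -Class SmartCardReader -PresentOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.InstanceId -like 'ROOT\SMARTCARDREADER\*' })

    $readerInfo = foreach ($r in $readers) {
        $code = (Get-PnpDeviceProperty -InstanceId $r.InstanceId `
                    -KeyName 'DEVPKEY_Device_ProblemCode' -ErrorAction SilentlyContinue).Data
        [pscustomobject]@{
            InstanceId   = $r.InstanceId
            FriendlyName = $r.FriendlyName
            Status       = $r.Status        # OK / Error / Unknown
            ProblemCode  = $code            # 0 = no problem, 10 = cannot start
        }
    }

    # 3. TPM event ID 15 ("non-recoverable error in the TPM hardware") since
    #    the lookback window. Get-WinEvent raises a non-terminating error when
    #    nothing matches, hence SilentlyContinue.
    $since  = (Get-Date).AddHours(-$LookbackHours)
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 15; StartTime = $since } `
                    -ErrorAction SilentlyContinue |
               Where-Object { $_.ProviderName -like '*TPM*' })

    # Summarise: the pattern from the thread is TPM "ready" + reader code 10 +
    # event 15 after a host restart, with no reader problem after a plain guest reboot.
    $brokenReaders = @($readerInfo | Where-Object { $_.ProblemCode -ne 0 -and $null -ne $_.ProblemCode })
    $verdict = if ($readers.Count -eq 0) {
        'no TPMVSC reader present'
    } elseif ($brokenReaders.Count -gt 0 -and $events.Count -gt 0) {
        'matches thread symptom: reader failed (code ' + ($brokenReaders[0].ProblemCode) + ') with TPM event 15'
    } elseif ($brokenReaders.Count -gt 0) {
        'reader failed without TPM event 15'
    } else {
        'healthy'
    }

    [pscustomobject]@{
        Checked        = Get-Date
        TpmPresent     = $tpm.TpmPresent
        TpmReady       = $tpm.TpmReady
        Readers        = $readerInfo
        Tpm15Events    = $events.Count
        LastTpm15Event = if ($events.Count -gt 0) { $events[0].TimeCreated } else { $null }
        Verdict        = $verdict
    }
}

# Usage: run once after the working boot and once after the failing one, then
# diff the two snapshots alongside the vbox.log files requested above.
Get-TpmVscHealth -LookbackHours 24 | Format-List
```

Saving the output of both runs (for example with `Export-Clixml`) gives a compact record of exactly which component changed state across the host restart, which is more useful to attach to a report than a Device Manager screenshot.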
MTG
Posts: 4
Joined: 8. Jan 2024, 17:37

Re: vTPM based SmartCards unstable on VBox7?

Post by MTG »

More tests, more results!

Using VBox 7.0.14 on Windows, I see error ID 15 in the system log as well; however, the TPM works as expected, at least when it comes to virtual SmartCards and BitLocker.

On the customized Linux that I have problems with, I can't use BitLocker (TPM protector fails to work after a host restart), nor TPMVSC (as said). So it seems either this customized Linux has a customized VBox as well (and its vTPM implementation is broken!), or the Linux version in general is not capable of correctly supplying a vTPM.

Could one of you running VBox 7.x on Linux with Windows guests test and confirm that, please? I have just one mere Linux machine here to test with apart from that customized "problem machine".
ZZZT
Posts: 1
Joined: 2. Mar 2024, 18:16

Re: vTPM based SmartCards unstable on VBox7?

Post by ZZZT »

@MTG - The link you posted is in German. Is there an English version?
fth0
Volunteer
Posts: 5678
Joined: 14. Feb 2019, 03:06
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Linux, Windows 10, ...
Location: Germany

Re: vTPM based SmartCards unstable on VBox7?

Post by fth0 »

Try replacing "de-de" with "en-us" inside the URL. ;)
MTG
Posts: 4
Joined: 8. Jan 2024, 17:37

Re: vTPM based SmartCards unstable on VBox7?

Post by MTG »

Exactly, https://learn.microsoft.com/en-us/windo ... et-started is the English version.

In the meantime, I have had someone test it on Ubuntu 22 - no problems!
And on the latest SUSE: vTPM is not even available, the TPM device does not start correctly.

So it looks as if different distributions show different results in this respect. The manufacturer of our Linux product is looking into it as well, but they haven't produced results yet.