Description of problem: Windows 10 1903 and up powershell 'get-tpm' cmdlet does not return correct information about emulated TPM 2.0 Version-Release number of selected component (if applicable): How reproducible: 100% Steps to Reproduce: 1. Create VM with Q35,UEFI,TPM 2.0 emulator 2. Install Win10 1903 or 1909 on VM with SWTPM 2.0 emulation. 3. Use Powershell - 'get-tpm' Actual results: The command returns error "Object was not found. (Exception from HRESULT: 0x80090011)" FullyQualifiedErrorId : Microsoft.Tpm.Commands.TpmWmiException,Microsoft.Tpm.Commands.GetTpmCommand Expected results: Additional info: Fresh Windows 10 1809 works OK Fresh Windows Server 2019 works OK tpm.msc shows correct information about TPM 2.0 in both 1809 and 1903+ Probably the same root cause cause HCK failures with TPM 2.0 device
Attempt to find a solution via Microsoft support (pointing on regression between 1809 and 1903) was unsuccessful. Ticket number: 120020625000478;
Is get-tpm just one command that doesn't work or is TPM 2 via swtpm generally not usable on this version of Windows? Do you have a list of the HLK failures? I know certificates can be an issue with the TPM 2, I have heared about HLK now complaining about CRB not using interrupts, but what other ones are there?
Can be also related to https://bugzilla.redhat.com/show_bug.cgi?id=1744045
The explanation required doing reverse engineering of TPM providers (tpm.sys/TpmCoreProvisioning.dll). On newest version of Windows (>=1903) Microsoft decided that ManufacturerVersion field is manadatory when get-tpm command is executed. If it is not somehow provided, get-tpm command is finished with exception. The question is what is that ManufacturerVersion? TPM specification doesn't define it or even mentions it (or at least I've not found it). So in short: this is just a primitive security check done by Windows OS to make sure that TPM device is real hardware. Microsoft called function responsilbe for doing this check HWSecurityBooster. When TPM emulator provides manufacturer name ("IBM " in our case) in response TPM_CAP_TPM_PROPERTIES, this function checks manufacturer's name against list of predefined names (Altera, AMD, Rockhip, ...). However, for IBM case it checks predefined "IBM" against our "IBM ". And because there is a space instead of 0, it throws an exception. To the solution is to remove space: -#define MANUFACTURER "IBM " +#define MANUFACTURER "IBM" in file src/tpm2/VendorString.h After that get-tpm command works and ManufacturerVersion provides info. It works also on older systems.
Ok, we may be able to fix this. Does this help with the HLK tests, though?
Checked with banch stable-0.7.0.next of libtpm - this fix also helps with one of the HLK test which was previously failing.
(In reply to Marek Kedzierski from comment #7) > Checked with banch stable-0.7.0.next of libtpm - this fix also helps with > one of the HLK test which was previously failing. Merge now into stable-0.7.0. I'll tag it as 0.7.1 soon.
Yes, ON_QA is ok.
(In reply to Marek Kedzierski from comment #14) > Let's summary: > > When Windows OS communicates with vTPM (libtpms) in one of requests it asks > for TPM manufacturer name. > libtpms responds with 'IBM ' string (space at the end). > However, Windows OS keeps predefined list of supported manufacturers and IBM > is defined there as > 'IBM' (without space). So comparison fails because of difference. > > This check is used in at least two places in Windows OS: > - the mentioned Windows command (get-tpm) crashes and doesn't display > information about > TPM status because 'IBM ' is not on the list of supported vendors. > - one of the HLK tests is failing for the same reason ('IBM ' is not on the > list > of supported vendors) > > That's why changing the name from 'IBM ' to 'IBM' in libtpms solves the > problem. For reference that's: https://github.com/stefanberger/libtpms/commit/819caa4be844161deeac457ac98d26295a0a1995 Change was made for libtpms 0.8.0 (although no tag exists in the repo)
Verified on rhel 8.3 Kernel: 4.18.0-223.el8.x86_64 qemu-kvm: qemu-kvm-5.0.0-0.module+el8.3.0+6620+5d5e1420.x86_64 libtpms: libtpms-0.7.2-1.20200527git7325acb477.module+el8.3.0+7068+4e1b8df5.x86_64 swtpm: swtpm-0.3.0-1.20200218git74ae43b.module+el8.3.0+7102+0b79cc3a.x86_64 windows 10 (2004) Attach a vtpm device to guest VM, run get-tpm command in powershell got following output: get-tpm TpmPresent : True TpmReady : True TpmEnabled : True TpmActivated : True TpmOwned : True RestartPending : False ManufacturerId : 1229081856 ManufacturerIdTxt : IBM ManufacturerVersion : 8215.1561.22.13878 ManufacturerVersionFull20 : 8215.1561.22.13878 ManagedAuthLevel : Full OwnerAuth : gpbrzOZEUlNi8mflQ5roRHniy80= OwnerClearDisabled : False AutoProvisioning : Enabled LockedOut : False LockoutHealTime : 10 minutes LockoutCount : 0 LockoutMax : 31 SelfTest : {}