Uploaded image for project: 'OpenShift Virtualization'
  1. OpenShift Virtualization
  2. CNV-36448

vTPM without persistence passes Windows BitLocker system checks

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Undefined Undefined
    • None
    • CNV v4.14.1
    • CNV Documentation
    • None
    • 0.42
    • False
    • Hide

      None

      Show
      None
    • False
    • No
    • No way to verify from the guest OS whether the vTPM is persistent or not.
    • Known Issue
    • Proposed
    • ---
    • ---
    • Medium

      Description of problem:

      
There appears to be no way to verify from the guest OS whether the vTPM is persistent or not.

The non-persistent vTPM setup successfully stores and recovers encryption keys using ephemeral storage for the lifetime of the virt-launcher Pod. Once the Pod is deleted, the encryption keys are gone, so allowing key storage and recovery against an ephemeral backend gives a false positive to MS Windows' BitLocker Disk Encryption system check.

The result is that a VM with tpm, but without persistence will successfully check that the vTPM can store keys, encrypt its drive using Bitlocker, and reboot successfully while the VM is assigned the same virt-launcher Pod.

As soon as the VM migrates or is shut down and restarts, the vTPM will be wiped, and subsequent startups will go into key recovery.

      Version-Release number of selected component (if applicable):

      How reproducible:

      Steps to Reproduce:

      1.
2.
3.

      Actual results:

      Expected results:

      Additional info:

            Unassigned Unassigned
            rh_cwilkers Chandler Wilkerson
            Kedar Bidarkar Kedar Bidarkar
            Votes:
            0 Vote for this issue
            Watchers:
            9 Start watching this issue

              Created:
              Updated: