OpenShift Virtualization / CNV-36448

vTPM without persistence passes Windows BitLocker system checks


    • Bug
    • Resolution: Unresolved
    • CNV v4.14.1
    • CNV Documentation
    • No way to verify from the guest OS whether the vTPM is persistent or not.
    • Known Issue
    • Proposed
    • Medium

      Description of problem:

      There appears to be no way to verify from the guest OS whether the vTPM is persistent or not.

      The non-persistent vTPM setup successfully stores and recovers encryption keys using ephemeral storage for the lifetime of the virt-launcher Pod. Once the Pod is deleted, the encryption keys are gone, so allowing key storage and recovery against an ephemeral backend gives a false positive to MS Windows' BitLocker Disk Encryption system check.

      The result is that a VM with a TPM device, but without persistence, will successfully check that the vTPM can store keys, encrypt its drive using BitLocker, and reboot successfully as long as the VM is assigned the same virt-launcher Pod.

      As soon as the VM migrates or is shut down and restarted, the vTPM will be wiped, and subsequent startups will go into key recovery.
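      For reference, the two VirtualMachine device layouts involved, as an added example that is not part of this issue or of the KubeVirt project's own manifests. The first fragment is the configuration described above: a vTPM with no persistence, whose state lives only in the virt-launcher Pod and therefore passes BitLocker's TPM check until the Pod is replaced. The second adds the `persistent: true` setting of the KubeVirt `devices.tpm` field, which keeps the TPM state outside the Pod. VM names and the namespace are placeholders; the firmware and `smm` settings are the usual UEFI setup for a Windows guest and are not specific to this issue.

```yaml
# Added example (not from the issue): two VirtualMachine fragments that differ
# only in the vTPM persistence setting. Names and namespace are placeholders.
#
# Fragment 1: ephemeral vTPM. BitLocker's system check passes while the
# virt-launcher Pod lives, but the TPM state is lost on migration or restart,
# so the next boot drops into BitLocker recovery.
apiVersion: kubevirt.io/v1
kind: VirtualMachine
metadata:
  name: win-vm-ephemeral-tpm        # placeholder
  namespace: example-ns             # placeholder
spec:
  running: true
  template:
    spec:
      domain:
        features:
          smm:
            enabled: true           # required by KubeVirt when Secure Boot is on
        firmware:
          bootloader:
            efi:
              secureBoot: true      # UEFI firmware, as Windows expects with TPM 2.0
        devices:
          tpm: {}                   # vTPM present, state kept only inside the Pod
---
# Fragment 2: persistent vTPM. KubeVirt keeps the TPM state on storage that
# outlives the virt-launcher Pod, so keys sealed by BitLocker survive a
# shutdown/restart or a live migration.
apiVersion: kubevirt.io/v1
kind: VirtualMachine
metadata:
  name: win-vm-persistent-tpm       # placeholder
  namespace: example-ns             # placeholder
spec:
  running: true
  template:
    spec:
      domain:
        features:
          smm:
            enabled: true
        firmware:
          bootloader:
            efi:
              secureBoot: true
        devices:
          tpm:
            persistent: true        # KubeVirt devices.tpm.persistent
```

      Because the guest cannot tell the two apart, the check has to be made from the cluster side: `oc get vm <name> -n <namespace> -o jsonpath='{.spec.template.spec.domain.devices.tpm.persistent}'` prints `true` only for the second layout; empty output means the ephemeral vTPM described in this issue. Persistent vTPM state also depends on a state storage class being configured for OpenShift Virtualization (the `vmStateStorageClass` setting in the HyperConverged resource), so a VM that sets `persistent: true` without that prerequisite will fail to start rather than silently fall back to ephemeral storage.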

      Version-Release number of selected component (if applicable):

      How reproducible:

      Steps to Reproduce:
      1.
      2.
      3.

      Actual results:

      Expected results:

      Additional info:

              Assignee: Unassigned
              Chandler Wilkerson (rh_cwilkers)
              Kedar Bidarkar
              Votes: 0
              Watchers: 9