Bug
Resolution: Unresolved
Undefined
CNV v4.14.1
0.42
False
False
No way to verify from the guest OS whether the vTPM is persistent or not.
Known Issue
Proposed
Moderate
No
Description of problem:
There appears to be no way to verify from the guest OS whether the vTPM is persistent or not. A non-persistent vTPM successfully stores and recovers encryption keys using ephemeral storage for the lifetime of the virt-launcher Pod. Once the Pod is deleted, the encryption keys are gone, so allowing key storage and recovery against an ephemeral backend gives a false positive to MS Windows' BitLocker Disk Encryption system check. The result is that a VM with a TPM but without persistence will successfully check that the vTPM can store keys, encrypt its drive using BitLocker, and reboot successfully for as long as the VM is assigned the same virt-launcher Pod. As soon as the VM migrates or is shut down and restarted, the vTPM is wiped, and subsequent startups go into key recovery.
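The two configurations the description contrasts, as an added example that is not part of this ticket or of the KubeVirt project's own manifests. It assumes the KubeVirt VirtualMachine API as shipped in CNV, where the vTPM is requested under spec.template.spec.domain.devices.tpm and the persistent variant is selected with the persistent field; the VM name, the containerDisk image and the memory size are constructed placeholders, and the persistent form additionally depends on cluster-side persistent-state storage being configured, which is outside this example.

```yaml
# Added example (not from the ticket). Two VirtualMachine objects that differ
# only in how the vTPM is backed. The first matches the failure mode in the
# description: the TPM state lives in the virt-launcher Pod's ephemeral
# storage, so BitLocker's key-storage check passes but the keys vanish when
# the Pod is replaced. The second requests a persistent vTPM.
#
# Assumptions: KubeVirt VirtualMachine API as in CNV; image, name and memory
# are placeholders; persistent vTPM requires cluster-side state storage that
# is configured separately (not shown).
---
apiVersion: kubevirt.io/v1
kind: VirtualMachine
metadata:
  name: win-bitlocker-ephemeral-tpm   # constructed placeholder name
spec:
  running: true
  template:
    spec:
      domain:
        devices:
          tpm: {}                      # vTPM present, but NOT persistent:
                                       # state is lost when the Pod is deleted
          disks:
            - name: rootdisk
              disk:
                bus: virtio
        resources:
          requests:
            memory: 8Gi                # placeholder size
      volumes:
        - name: rootdisk
          containerDisk:
            image: registry.example.invalid/windows-disk:placeholder  # placeholder
---
apiVersion: kubevirt.io/v1
kind: VirtualMachine
metadata:
  name: win-bitlocker-persistent-tpm  # constructed placeholder name
spec:
  running: true
  template:
    spec:
      domain:
        devices:
          tpm:
            persistent: true           # vTPM state survives Pod replacement,
                                       # migration and stop/start
          disks:
            - name: rootdisk
              disk:
                bus: virtio
        resources:
          requests:
            memory: 8Gi                # placeholder size
      volumes:
        - name: rootdisk
          containerDisk:
            image: registry.example.invalid/windows-disk:placeholder  # placeholder
```

Because the guest cannot distinguish the two cases (the point of this ticket), the check has to be made from the cluster side before trusting a BitLocker enablement result: for example, `kubectl get vm <name> -o jsonpath='{.spec.template.spec.domain.devices.tpm.persistent}'` prints `true` only for the second object and nothing for the first.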
Version-Release number of selected component (if applicable):
How reproducible:
Steps to Reproduce:
1.
2.
3.
Actual results:
Expected results:
Additional info: