Adding TPM to Xen Guests for Windows 11

Dear All,

Maybe not the correct forum, but I need your help.

Have the Xen Hypervisor on an OES Server 24

Among my VMs I have 3 Windows VMs, and to upgrade to Windows 11 I need TPM and Secure Boot support. My idea is to use an OVMF file as the UEFI boot manager.

I can find a lot of information, but none seem to match our environment.

1) Here is an item about adding a virtual TPM, but this needs swtpm-tools, which is not in the OES repository

How to Emulate a TPM 2.0 Module on LibVirt/QEMU

2) This item shows I need to use the firmware: ovmf-x86_64-smm-ms-code.bin

https://documentation.suse.com/sles/15-SP3/html/SLES-all/cha-vt-installation.html

But in my virt-manager I can only select: UEFI x86_64: /usr/share/qemu/ovmf-x86_64-xen-4m.bin

3) Some items tell us to generate a Secure Boot file, injected with keys:

https://forums.unraid.net/topic/128595-secure-boot-off-in-ovmf-tpm-bios-windows-11/

and some say this ovmf-x86_64-smm-ms-code.bin already has the keys inside.

How have you managed?

  • 0  
    Have the Xen Hypervisor on an OES Server 24

    I haven't used Xen in quite a while but I am a little confused by this statement.

    Normally, you would have a physical server running Linux with the Xen kernel and have OES running as a Xen VM. Is this what you have?

    __________
    Kevin Boyle, 
    Knowledge Partner

    Calgary, Alberta, Canada

  • 0 in reply to   

    I have a physical server running OES with the Xen kernel, and multiple Xen VMs and 3 Windows VMs.

  • 0   in reply to 
    Have the Xen Hypervisor on an OES Server 24

    That is what this statement implies. I just wanted to verify...

    I have never heard of OES running on Dom0, although it runs just fine as a Xen VM. I looked through the OES 24 documentation and nowhere does it say specifically that you can't do this but that's not surprising because there are so many things you can't or shouldn't do because they are unsupported. Another reason why this configuration may be problematic is that when you install OES using the OES media I'm not aware of any option to install it on a Xen kernel.

    __________
    Kevin Boyle, 
    Knowledge Partner

    Calgary, Alberta, Canada

  • 0 in reply to   

    I used to do this years ago on OES2. It actually worked quite well. I actually clustered it at that time, since at that time it was SLES 10 and you could actually get it to work quite well. After SLES 10 everything actually changed and they ripped stuff out of ten that made it no longer work. Then you could still do it using SLES HA on SLES 11 and still at least had disk locking. But as of SLES 12 they killed disk locking in SLES 12 and it was never the same. SLES 11 actually still works great to virtualize, though it is unsupported. Yes, I still have customers on it because it runs so solid. Have seen long uptimes with complete stability. Hard to find that anymore. And few things any longer support using raw disk on a SAN, which in disk I/O just blows away using any kind of disk bottles or file-backed VMs.

  • 0 in reply to 

    Tnx and I still work it, works like a charm.
    The question is how to handle Secure Boot with TPM and Windows 11 VMs?