Windows 11 is no longer compatible with Oracle VirtualBox VMs
bleepingcomputer.com
Until VirtualBox implements TPM 2.0 pass through, which they've already started working on: https://www.virtualbox.org/changeset/90946/vbox
Qemu already supports TPM pass through and secure boot.
As a QEMU user, why would I ever allow a Windows VM to talk to a real TPM? The entire point of a VM is to isolate Windows in a predictable and secure manner. Giving it access to an unmanageable coprocessor that has been designed to undermine my own interests completely destroys this goal. Hopefully this restriction will simply be cracked in the popular Windows torrents, or better yet some real TPM keys leak for use with emulators. But more likely by the time any application specifically requires Windows 11 to run, Windows will have faded even further into irrelevance.
I don’t understand the rationale here. You don’t want a real TPM exposed to a VM because of security... but you are okay with running unknown code (cracked software) to do who knows what to your runtime environment? o_O
It's all unknown code - pirated/cracked software just adds to the number of parties.
Backdoors only really became a pressing concern due to ubiquitous Internet access. When I first set up a Windows VM and install whatever application software and updates, its Internet access is through a public VPN only. And it contains no information to tie it back to me.
Before I put any sensitive information on it, I kill its Internet access and never reenable it. So there is no way to exfiltrate data that I care about. Any produced information leaves via a local Samba share.
Leaking fixed identifying information about my hardware, or forming a side channel to a new VM instance would violate this security. I doubt the TPM would store persistent personal application data, but I don't need to be the first one to find out.
I fear that might not be a good thing. Wouldn't it be better and safer to just emulate TPM in the VM?
Errr they want real TPM functionality. Emulation kinda nerfs the whole point of it. It's a hardware key. If you could just emulate it what would stop you spoofing it?
Edit: autocorrect TPM
Well, modules can be designed to protect my security, or to harm my security (e.g. to enforce DRM). I'm unclear on how "real TPM" functionality helps me. If it helps secure Microsoft, and hurts my security, that's a good reason to not use Windows.
I have not found good docs on what TPM exactly does in Windows 11, but people I trust tell me to distrust it, so I do.
It’s used to store BitLocker (Full Disk Encryption) keys so you don’t have to type a password for the system to boot. If you don’t use BitLocker, it’s not used for much else.
One could conclude that they are requiring TPM so they can eventually turn on BitLocker by default.
This is really stupid. So you can use your hard drive only in the first computer.
If VirtualBox takes the pass-through approach, will we be able to migrate Windows 11 VMs between computers?
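The thread's claims about BitLocker keys living in the TPM and a disk only unlocking "in the first computer" both come down to sealing: the TPM binds a secret to its own key hierarchy and to the PCR values produced by the measured boot. The simulation below is an added example, not code from the thread or from any TPM stack; the PCR extend rule is the real TPM 2.0 one, but the ToyTPM class, its seed, the XOR keystream and the boot logs are constructed stand-ins. It shows why a sealed volume key stops unsealing when either the boot measurements change (different firmware) or the sealing chip itself changes (a VM moved to a host with a different pass-through TPM).

```python
import hashlib
import hmac

PCR_LEN = 32  # SHA-256 bank


def pcr_extend(pcr: bytes, event: bytes) -> bytes:
    """TPM 2.0 PCR extend on the SHA-256 bank: PCR' = H(PCR || H(event))."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()


def measure_boot(events) -> bytes:
    """Replay a boot measurement log into one PCR that starts at all zeros."""
    pcr = bytes(PCR_LEN)
    for ev in events:
        pcr = pcr_extend(pcr, ev)
    return pcr


class ToyTPM:
    """Hypothetical stand-in for a TPM storage hierarchy; the seed never leaves it."""

    def __init__(self, seed: bytes):
        self._seed = seed

    def _wrap_key(self, pcr: bytes) -> bytes:
        # The wrapping key depends on this chip's seed AND the PCR policy digest.
        return hmac.new(self._seed, b"seal" + pcr, hashlib.sha256).digest()

    def seal(self, secret: bytes, pcr: bytes) -> bytes:
        key = self._wrap_key(pcr)
        stream = hashlib.sha256(key + b"stream").digest()  # toy 32-byte keystream
        ct = bytes(a ^ b for a, b in zip(secret, stream))   # secret <= 32 bytes
        return ct + hmac.new(key, ct, hashlib.sha256).digest()

    def unseal(self, blob: bytes, pcr: bytes):
        key = self._wrap_key(pcr)
        ct, tag = blob[:-32], blob[-32:]
        if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
            return None  # policy or integrity failure: a real TPM refuses here
        stream = hashlib.sha256(key + b"stream").digest()
        return bytes(a ^ b for a, b in zip(ct, stream))


# Constructed boot logs: same boot chain, but PC2 runs different firmware.
BOOT_LOG_PC1 = [b"firmware:v1.02", b"bootmgr:signed", b"winload:signed"]
BOOT_LOG_PC2 = [b"firmware:v3.10", b"bootmgr:signed", b"winload:signed"]


def demo() -> dict:
    vmk = hashlib.sha256(b"constructed volume master key").digest()
    tpm1 = ToyTPM(hashlib.sha256(b"chip-1 seed").digest())
    tpm2 = ToyTPM(hashlib.sha256(b"chip-2 seed").digest())
    blob = tpm1.seal(vmk, measure_boot(BOOT_LOG_PC1))
    return {
        "same_pc": tpm1.unseal(blob, measure_boot(BOOT_LOG_PC1)) == vmk,
        "firmware_changed": tpm1.unseal(blob, measure_boot(BOOT_LOG_PC2)) is None,
        "other_tpm": tpm2.unseal(blob, measure_boot(BOOT_LOG_PC1)) is None,
    }
```

A virtual TPM (the VMware approach quoted further down) keeps the seed inside the VM's own state, which is why such a VM can move between hosts while a pass-through TPM pins it to one chip.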
How would they detect the difference?
Probably built-in crypto keys signed by Intel/AMD keys.
That would be unfortunate for Infineon who create the majority of TPM chips. Who’s going to be the gatekeeper who decides who can create TPM chips and what’s going to happen when a new manufacturer wants to enter the stage?
I should have said TPM manufacturers, but it’s the same basic idea. Here’s Infineon’s key: https://www.infineon.com/cms/en/product/promopages/optiga_tp... I guess new manufacturers have to beg people to recognize their root key as legitimate.
It sounds like VMWare agrees with you.
> Unlike VMware, which creates a virtual TPM, VirtualBox's new driver will require a host to have a TPM 2.0 processor for this feature to work.
VMWare's is the right approach. I wouldn't want a Linux system's TPM polluted with MS keys.
Because that would break TPM or mean adding another chain of trust to the OS verifying TPM which also has problems.
I'm ever so glad that my Windows machines are still running Win 7 with auto updates nuked.
That's the way it'll remain until the hardware fails. Of course, newer hardware runs Linux and replacements will also run Linux.
Microsoft Windows is now so out of kilter with users' actual real-world needs that I don't fully understand why people haven't migrated away from it in droves.
Hopefully I don't use Windows, but it is incredible that it does not piss off more people that you can't use an entire OS just because of a hw module required only for a small feature used by a minority of users. Mostly corporate.
But if you think long term, it makes sense for Microsoft:
They dream about having the same control as Apple and Google have on their devices. The problem is that nothing prevents users from being the masters of their machine and doing whatever they want with it. With the TPM module, they can start to restrict some things to you on your own computer, controlled by the TPM, and as a user you will have no way to do anything about it. Like copy your data to another computer.
My life is no longer compatible with Windows.
Indeed. With the existence of Proton my last reason for keeping Windows around is gone. I'm about to switch my last computer to Linux.
I’m actually considering just blowing away Windows on my gaming media center and just replacing it with Ubuntu. Most of my games work on Proton anyway, anti-cheat support is coming (thanks Steam Deck) and I’m just fed up with Microsoft’s constant built-in ads and notification nagging, constant intrusive updates if I don’t use it for a while, and even just the other day my video driver was corrupt and I had to do a factory reset reinstall. Tired of the nonsense.
If everything goes well, there will finally be more top engineers working on making Linux a fuller substitute for Windows than there have been Microsoft employees.
This is a very critical milestone.
Does TPM pass-through mean that the virtualized OS knows the identity of the host hardware?
Yes, and I can't help but think this will be used for more draconian DRM. I'm equally sure that soon people will have emulated TPMs that will act as a plug-in too.
I've used the below tool (W11 Boot and Upgrade FiX KiT v2.0) to resolve this on an old VMware host.
Password MDL2021
Simple to do, works fine for me. I built the original image using uudump.net
I'm not the creator or author of either tool, just a satisfied user.
Is there a way around this restriction? Does the registry hack that floated around when the first beta came out still work?
I always preferred VMWare Workstation anyway. The downside is it's harder to install a small easy VM on work PCs.
VirtualBox's license is better.
What does this do for the end user?
It separates end users from more of their money for hardware, operating systems, and software as well as IT effort.
In ways that are more immediate and more costly than anyone was anticipating, and can only get worse in future years.
Looks like the idea of intentionally but unnecessarily requiring only the latest hardware could be just what the hardware makers have been wanting, and they were the majority of the customers paying Microsoft for Windows licenses since the free user upgrades to W10 from W7, W8, & W8.1.
Because for years now most of the end users paying for a Windows license do it only when buying a new W10 computer.
And Windows 11 may not be intended as a free upgrade from W10.
But if W11 is only going to install on the newest hardware anyway, that's going to rule out retail purchases of Windows 11 upgrades for the majority of established users.
So they're really going to try to push as many sales of new PCs as possible.
So far it looks like W11 could still end up being shunned no differently than W8, and only be used with disdain by those who have no other choice when purchasing a new PC.
And it may not be possible to get much adoption of W11 unless it is offered as a free upgrade from W10 after all.
In that case you can expect W12 to arrive shortly, not be a free upgrade, and for W11 to have an early EOL.
How come I currently have an instance of Windows 11 working just fine under VirtualBox?
Because it is not RTM. More restrictions on the way.
Sigh. Already happened, went to update my Windows 11 instance to latest and I was greeted with a message TPM now required.
Hopefully some big corps will get annoyed and start twisting arms to make it optional. To upgrade computers can run to the millions.
Why are they so hot on needing the TPM?
So they can sell more computers and Windows licenses.
Several reasons, but the biggest I see is Passwordless.
Windows 10 can act as a FIDO2 authenticator like a Yubikey, but needs a TPM to do so. They want this to be something that actually happens for the average user in Windows 11.