[FEATURE] TPM support

[abonillabeeche]

TPM Support is expected for certain Edge/secure deployments (FIDO Secure Onboarding).
Windows 11 requires TPM
Elemental requires TPM

[abonillabeeche]

This is achievable via virt-manager and this is an example with screenshots
https://rancher.github.io/elemental/tpm/#add-tpm-emulation-to-bare-metal-machine

[futuretea]

Refer to https://kubevirt.io/2022/KubeVirt-installing_Microsoft_Windows_11_from_an_iso.html
We need an option to add emulated TPM to VM in both UI and terraform-provider-harvester

[Martin-Weiss]

How can we add tpm: {} in the device section of a VM using the terraform provider harvester_virtualmachine (Resource) for harvester?

[futuretea]

How can we add tpm: {} in the device section of a VM using the terraform provider harvester_virtualmachine (Resource) for harvester?

I will submmit a PR to support it.

[abonillabeeche]

@futuretea did you manage to get this PR submitted? Wondering if will add tpm: {} to both a single instance and multiple instances when creating VMs.

[abonillabeeche]

@rebeccazzzz can we move this to 1.1.2 considering the low effort?

[harvesterhci-io-github-bot]

Pre Ready-For-Testing Checklist

* [ ] If labeled: require/HEP Has the Harvester Enhancement Proposal PR submitted?
The HEP PR is at:

• Where is the reproduce steps/test steps documented?
  The reproduce steps/test steps are at:
  Suppot TPM terraform-provider-harvester#75 (comment)

* [ ] Is there a workaround for the issue? If so, where is it documented?
The workaround is at:

• Have the backend code been merged (harvester, harvester-installer, etc) (including backport-needed/*)?
  The PR is at:
  Support more device type in builder #3247

* [ ] Does the PR include the explanation for the fix or the feature?

* [ ] Does the PR include deployment change (YAML/Chart)? If so, where are the PRs for both YAML file and Chart?
The PR for the YAML change is at:
The PR for the chart change is at:

• If labeled: area/ui Has the UI issue filed or ready to be merged?
  The UI issue/PR is at: HARVESTER: support TPM dashboard#638
  The terraform provider PR is at: Suppot TPM terraform-provider-harvester#75

• If labeled: require/doc, require/knowledge-base Has the necessary document PR submitted or merged?
  The documentation/KB PR is at:
  Add TPM docs docs#310

* [ ] If NOT labeled: not-require/test-plan Has the e2e test plan been merged? Have QAs agreed on the automation test case? If only test case skeleton w/o implementation, have you created an implementation issue?
- The automation skeleton PR is at:
- The automation test case PR is at:

* [ ] If the fix introduces the code for backward compatibility Has a separate issue been filed with the label release/obsolete-compatibility?
The compatibility issue is filed at:

[harvesterhci-io-github-bot]

Automation e2e test issue: harvester/tests#730

[irishgordo]

Validation Failed
@futuretea @WuJun2016

Currently, trying to validate this on Harvester Version: master-c9d8825c-head following Windows Install Instructions

And running into an issue where Windows 11 Enterprise Edition, based on Windows 11 Enterprise Evaluation, available from Microsoft and I'm not able to complete the install with TPM enabled.
Also seeing issues enabling EFI & Secure Boot, w/ TPM Enabled.

[futuretea]

@irishgordo Can you help to confirm whether the VM specifications used meet windows-11-requirements ?

[futuretea]

@irishgordo
Refer to harvester/docs#310
Both the TPM device and UEFI firmware with SecureBoot are hard requirements for Windows 11.

[irishgordo]

validation in progress, slight issues, will check with latest master-head

I'm noticing issues migrating but will be retrying the migration with the latest master-head release as:
#3399

Just got merged in earlier 😄

Also noticing that a WindowVM created -> create a snapshot -> restore to a new vm from snapshot
The vm will never spin up.
And will hang.
I will check if I can reproduce on the latest master-head prior to opening an issue 😄

supportbundle_d0a70753-473a-4de6-8b8c-24649bded98d_2023-05-16T19-42-24Z.zip

[irishgordo]

Validation Failed

@futuretea it seems that migration between nodes does not happen from the following scenario:

• create windows vm
• install drivers for virtio
• install windows
• allow to boot
• eject both CD-ROM containing Windows 11 ISO & Container Disk registry.suse.com/suse/vmdp/vmdp:2.5.3
• attempt to migrate VM

curl 'https://HARVESTERVIPIP/v1/harvester/kubevirt.io.virtualmachines/default/win-11-ent-eval-test?action=migrate' -X POST -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0' -H 'Accept: application/json' -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate, br' -H 'Content-Type: application/json;charset=utf-8' -H 'x-api-csrf: d3511a4b1642481199ce7161e5fded4c' -H 'Origin: https://HARVESTERVIPIP' -H 'Connection: keep-alive' -H 'Referer: https://HARVESTERVIPIP/dashboard/harvester/c/local/kubevirt.io.virtualmachine' -H 'Cookie: R_PCS=light; R_LOCALE=en-us; R_REDIRECTED=true; CSRF=d3511a4b1642481199ce7161e5fded4c; R_SESS=token-44zqf:cdrgftlk92sn7nzvf859s5gfthtvph6645x5scrqjn4w56thfwfvss' -H 'Sec-Fetch-Dest: empty' -H 'Sec-Fetch-Mode: cors' -H 'Sec-Fetch-Site: same-origin' -H 'TE: trailers' --data-raw '{"nodeName":"harvester-hzb6c"}'

Yields 500:

Volume disk-2 is container disk, needs to be removed before migration

There seems to be no, disk-2 attached to the VM currently however.

Tested with Harvester Version: master-0b495171-head.
That should have:
#3399
Within the source I believe 🤔

[futuretea]

@irishgordo View yaml by editing yaml, found container disk, It's a bug about enjectCDROM, not introduced by #3399, It has been around for a long time, but no one ever found it. Good job!

[futuretea]

@irishgordo issue #3914 created, I will fix it, fixed

[irishgordo]

@futuretea thanks for the fix 👍 😄 in #3914

Tested that migration now works off of: Harvester Version: master-25d478c0-head

Validation Failed

But I just opened:
#3929

As noticing (Win11 TPM VM) VM A -> Snapshot of A -> Restore to New VM (B) -> Take Snapshot of New VM (B) -> Stop New VM (B) -> Replace Existing (B)
Is hanging/failing

[irishgordo]

@futuretea thanks for the fix surrounding #3929 - I was able to validate on master-head: master-d739c2a4-head that the problem no longer exists and everything else surrounding this looks good 👍 😄

This looks good from my end 😄 - I'll go ahead and close this out