ovirt-web-ui: WIndows 11/2022 VMs for cluster level >= 4.6 - failed to create/edit such VMs due to the TPM device

Since TPM is not set on backend automatically based on OS type and Cluster level version, the following 2 scenarios occur:

for cluster level >= 4.6: when trying to create a new VM with OS set to Windows 11 or 2022 or when editing an existing VM and set OS to Windows 11 or 2022, the creation/edit failed in rest backend with the following error: TPM device is required by the guest OS

E.g.

When trying to edit a VM with OS Windows 11 or 2022 and cluster level >= 4.6 by changing the OS to non supported TPM one, e.g. Linux, the following error appears:

Details:

On webadmin the TPM is enabled/disabled on frontend based on OS and cluster level: https://github.com/oVirt/ovirt-engine/blob/91bc0b8f9e4d0cbfa8799f860a008948f3e6ed0a/frontend/webadmin/modules/uicommonweb/src/main/java/org/ovirt/engine/ui/uicommonweb/models/vms/UnitVmModel.java#L4047

So for fixing we should either enable/disbale the TPM on backend based on OS or the same logic as on webadmin frontend should be used by web-ui as well.

About this issue

Original URL
State: closed
Created 2 years ago
Comments: 21 (21 by maintainers)

Commits related to this issue

Bump metamodel to 1.3.9 and model to 4.5.11 Following important changes on api-metamodel has been done since 1.3.7: * Change asciidoc link-generation https://github.com/oVirt/ovirt-engine-api-meta... — committed to mwperina/ovirt-engine by mwperina 2 years ago
Bump metamodel to 1.3.9 and model to 4.5.11 Following important changes on api-metamodel has been done since 1.3.7: * Change asciidoc link-generation https://github.com/oVirt/ovirt-engine-api-meta... — committed to oVirt/ovirt-engine by mwperina 2 years ago
Force UEFI Bios if required to enable TPM In order to enable TPM, the VM needs to use UEFI firmware. Currently oVirt supports 2 types of UEFI firmwares: 1. standard - 'q35_ovmf' 2. secure - 'q35_secu... — committed to rszwajko/ovirt-web-ui by rszwajko 2 years ago
Force UEFI Bios if required to enable TPM In order to enable TPM, the VM needs to use UEFI firmware. Currently oVirt supports 2 types of UEFI firmwares: 1. standard - 'q35_ovmf' 2. secure - 'q35_secu... — committed to rszwajko/ovirt-web-ui by rszwajko 2 years ago
Force UEFI Bios if required to enable TPM (#1636) In order to enable TPM, the VM needs to use UEFI firmware. Currently oVirt supports 2 types of UEFI firmwares: 1. standard - 'q35_ovmf' 2. secure ... — committed to oVirt/ovirt-web-ui by rszwajko 2 years ago

Most upvoted comments

I wouldn’t limit it only to admin users - I think the VM portal should specify UEFI for VMs that are set with Win 11/2022 also when they are created by non-admin users

ahadas on Jul 7, 2022

which warning do you refer to on webadmin? If I edit an existing VM with TPM-required=true OS (e.g. Windows 11) and I change the OS to a TPM-required=false (e.g. Linux) then no warning appears on webadmin while the TPM is disabled.

The warning is not displayed if there is no stored TPM data yet. After enabling TPM, run the VM for a couple of minutes (no guest OS needed) then stop it and try to change the OS. You should get a dialog saying “TPM was disabled and the current TPM data will be irrecoverably deleted. If you want to keep the data, cancel this dialog and enable TPM again before confirming your changes.”.

So the logic on VM portal should include the following: For new vms: Silently enable TPM for TPM-required OS only.

Yes.

For editing of existing vms:

if the vm with TPM-enabled/required OS is changed to a TPM-enabled=false OS then a confirmation warning should appear and the TPM should be disabled

Yes. Technically, it’s not needed if there is no TPM data stored yet, but it’s OK to always show the dialog in such a case.

if the vm with TPM-required=false OS is changed to TPM-required=true OS then silently enable the TPM

Yes.

leave TMP settings as is for all other cases

Yes.

Did I miss a use case?

I can’t think of any.

mz-pdm on Jun 14, 2022