Although this has not yet made it to the default release channel, if you subscribe to their pve-no-subscription repository, you'll get a software vTPM that you can pass to virtual machines. Also, now when you add an EFI disk to a VM, it allows you to pre-enroll the default set of vendor certificates/keys.
I just gave this a try with a Debian testing machine on UEFI boot and with a vTPM added. The installer does not even ask questions; it just does the right thing. From dmesg, relevant sections:
[ 0.000000] efi: EFI v2.70 by EDK II
[ 0.000000] efi: SMBIOS=0x7e9d6000 TPMFinalLog=0x7ebd5000 ACPI=0x7eb7d000 ACPI 2.0=0x7eb7d014 MEMATTR=0x7d746018 MOKvar=0x7d735000 TPMEventLog=0x7ce48018
[ 0.000000] Kernel is locked down from EFI Secure Boot; see man kernel_lockdown.7
[ 0.000000] secureboot: Secure boot enabled
...
[ 0.012642] ACPI: TPM2 0x000000007EB74000 00004C (v04 BOCHS BXPC 00000001 BXPC 00000001
[ 0.012658] ACPI: Reserving TPM2 table memory at [mem 0x7eb74000-0x7eb7404b]
...
[ 0.470573] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0x1, rev-id 1)
...
[ 1.021915] integrity: Loading X.509 certificate: UEFI:db
[ 1.022219] integrity: Loaded X.509 cert 'Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53'
[ 1.022792] integrity: Loading X.509 certificate: UEFI:db
[ 1.023103] integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4'
[ 1.024003] integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
[ 1.024494] integrity: Loaded X.509 cert 'Debian Secure Boot CA: 6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1'
And from the command line:
# mokutil --sb-state
SecureBoot enabled
This means that it should be possible to install the release version of Windows 11 now in a VM under Proxmox VE :-D
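An added example, not part of the original post: a small shell function that condenses kernel log output like the above into the Secure Boot state, the TPM version, and each loaded X.509 certificate paired with the keyring source (UEFI db or MOK) it came from. The names sample_dmesg and boot_trust_summary are hypothetical, and the embedded sample is built from the dmesg lines quoted in the post.

```shell
#!/bin/sh
# Constructed sample input: dmesg lines quoted in the post above.
sample_dmesg() {
cat <<'EOF'
[ 0.000000] secureboot: Secure boot enabled
[ 0.470573] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0x1, rev-id 1)
[ 1.021915] integrity: Loading X.509 certificate: UEFI:db
[ 1.022219] integrity: Loaded X.509 cert 'Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53'
[ 1.022792] integrity: Loading X.509 certificate: UEFI:db
[ 1.023103] integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4'
[ 1.024003] integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
[ 1.024494] integrity: Loaded X.509 cert 'Debian Secure Boot CA: 6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1'
EOF
}

# boot_trust_summary (hypothetical helper): reads kernel log text on stdin.
# Output: secureboot=<state>, tpm=<version|none>, then one
# "cert <source> <subject>" line per certificate the kernel loaded.
boot_trust_summary() {
  awk -v q="'" '
    /secureboot: Secure boot enabled/  { sb = "enabled" }
    /secureboot: Secure boot disabled/ { sb = "disabled" }
    # e.g. "tpm_tis MSFT0101:00: 2.0 TPM (device-id ...": keep the version.
    match($0, /[0-9]+\.[0-9]+ TPM \(/) {
      split(substr($0, RSTART, RLENGTH), v, " "); tpm = v[1]
    }
    # A "Loading" line names the source of the "Loaded" line that follows it.
    /integrity: Loading X\.509 certificate: / {
      src = $0
      sub(/.*Loading X\.509 certificate: /, "", src)
      sub(/ .*/, "", src)            # drop trailing "(MOKvar table)"
    }
    /integrity: Loaded X\.509 cert / {
      subj = $0
      sub("^[^" q "]*" q, "", subj)           # text after the opening quote
      sub(": [0-9a-f]+" q ".*$", "", subj)    # strip key id and closing quote
      certs[++n] = "cert " (src == "" ? "unknown" : src) " " subj
      src = ""
    }
    END {
      print "secureboot=" (sb == "" ? "unknown" : sb)
      print "tpm=" (tpm == "" ? "none" : tpm)
      for (i = 1; i <= n; i++) print certs[i]
    }'
}

sample_dmesg | boot_trust_summary
```

On a live guest, pipe `dmesg` into `boot_trust_summary` instead of the sample.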