Uh oh. What is the state of vtpm for TPM 2.0?

So, M$ has a pretty strict TPM 2.0 requirement for Windows 11 (and if that involves encrypting all datapaths to the CPU, you can say goodbye to Looking Glass, as shared memory is just not possible) and since 2019, Keylime seems to have been mum on vtpm for TPM 2.0 according to the issue tracker:

VFIO could face a nearly insurmountable cliff soon. This means Proton and the Steam Deck was totally the right move from Valve. Unfortunately the Steam Deck’s number one complaint will be incompatible anti-cheat stuff.

So, is this a grim future for QEMU/KVM?

Valve is laying big claims that it will be fully compatible with the entire library. They may be working with the anti cheat companies.


I’ll be happy when Hat in Time runs flawlessly, but with the primary compatibility layer tester for that game being an absolute jerk/asshole, (and on Valve’s payroll, nonetheless) I don’t have confidence in that.

Unfortunately, a 720p 30fps performance target is no different from the Nintendo Switch version of Hat in Time. I gotta wait till Zen4 APUs to get 1080p at 60fps.

Not sure what you’re expecting in terms of performance from a battery powered handheld device.

The performance we have today is nothing short of mind blowing.

Imagine telling the guys who did the Apollo missions that we would fit 10 billion transistors in 156mm² in the near future. Or how about telling them that we could run processors not only in the megahertz range, but even gigahertz.


very strange that the “proof” you linked should prove:

  • [quote: FurryJackman, post 1] "you can say goodbye to Looking Glass, as shared memory is just not possible"
  • [quote: FurryJackman, post 1] "VFIO could face a nearly insurmountable cliff soon"

I have reservation about this sensation seeking posting…

From what I understand of HDCP content policies and their encryption paths, there’s no way protected shared memory can be allocated out as unencrypted when the OS does encryption for all data paths in and out of the CPU. You would require a CPU vulnerability to even access the encrypted data in an unencrypted form. Quote me fully, because the “If they encrypt all data paths in and out of the CPU” part was important to my statement.

The leaked build only specifies TPM 1.2, but who knows what they will do when they finally release Windows 11? People are already panic buying TPM 2.0 modules as stated in the other TPM discussion thread post Windows 11 announcement.

Zen4 + RDNA3 is going to make a pretty good Steam Deck 1080p.

Aside from some people on Valve’s payroll who aren’t at their main office but working remotely being assholes, I want to wait out the natural progression towards something like 1080p 60hz in the same size and even more efficient power envelope. But this is Steam Deck discussion.

And I am done…

Well, if people can show me evidence functioning TPM 2.0 in QEMU is in the roadmap sooner than later, I’ll be less fucking “FUD.”

Also, sorry if I’m late to this whole discussion like beating a dead horse, but I had to deal with life for the past 2 months.

Where did people run to when Windows 7 was dead? Linux. (or AME)

Where did people run to when (certain) anti-cheats were their main problem? VFIO.

Where are people going to run to when Windows 11 takes over? It should be VFIO so UWP stuff (and you know there will be UWP exclusive games exclusive to Windows 11. We all saw what happened to Sea of Thieves at launch.) can work in a container away from your main machine via a hypervisor. This TPM requirement though is making so much uncertain.

VFIO has been a core part of some people’s containerization strategies. It would be nice if we knew Windows 11 won’t be severely affected when running in QEMU. VMware is a whole 'nother story, as the proprietary portions of it will indeed be ready.


Nowhere for me, since I will be one of the few people jumping on this first hand to understand how this can be used in an enterprise environment.

For now, I suggest you hold onto your fears and worries until the software actually drops and we see the impacts of it.


I could see Microsoft doing the Home version vs Pro/Ent version; they already do this, so why not only push certain things to certain versions.

Don’t know what your problem is, but it already totally works… I installed win11 with tpm + secureboot some weeks ago. The only problem is obtaining the secureboot friendly virtio drivers… Just launch virt-manager and add a TPM with the version 2.


Here’s some proof. Swtpm does the trick (at least on fedora)


I’m jumping to it to make sure that I can iron out the passthrough bugs.

All I had was info from an issue tracker. Thank you for this clarification. Is there documentation for this for libvirt and QEMU-less KVM?

That does stink you need Secure Boot capable virtio drivers. That’s where my Shared Memory fear came from.

Also, that said device would have more L2 cache on board that CPU die than core memory used for the entire mission (which took many physical box modules).

Hell, even in my PC career, my current CPU has more (double) the L3 cache than my 486 had main memory.

It has almost as much cache as the PC network server’s hard disk that we had when I first started using PCs with DOS in school.


I don’t know. I just did it by myself without any documentation so I wouldn’t know. But I believe that you would need qemu for this, but that’s just my guess.
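For the question above about doing this with libvirt or with plain QEMU/KVM rather than virt-manager: the following is an added example, not code from any poster in this thread, spelling out what virt-manager configures when you add a version 2.0 TPM. It assumes swtpm and qemu-system-x86_64 are installed (Fedora and RHEL ship swtpm; the guest also needs OVMF/UEFI firmware for Secure Boot), and the state directory and socket paths are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example (not from the thread): the pieces virt-manager wires up when you
# "add a TPM, version 2.0" to a guest, written out so they can be used with plain
# QEMU/KVM or pasted into a libvirt domain definition. Assumes swtpm and
# qemu-system-x86_64 are installed; the paths below are placeholders.

# Emit the swtpm command that emulates a TPM 2.0 and listens on a UNIX control socket.
# $1 = directory holding the persistent TPM state (NVRAM, keys), $2 = control socket path.
swtpm_cmd() {
    printf '%s\n' "swtpm socket --tpm2 --tpmstate dir=$1 --ctrl type=unixio,path=$2 --log level=20"
}

# Emit the QEMU arguments that attach that socket to the guest as a TPM 2.0 using the
# CRB interface (tpm-crb). tpm-tis also works; CRB is the interface TPM 2.0 guests expect.
# $1 = the control socket path passed to swtpm above.
qemu_tpm_args() {
    printf '%s\n' "-chardev socket,id=chrtpm,path=$1 -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-crb,tpmdev=tpm0"
}

# The equivalent libvirt <devices> fragment: libvirt launches swtpm itself and keeps the
# per-domain state under /var/lib/libvirt/swtpm/ by default, so no socket paths are needed.
libvirt_tpm_xml() {
    cat <<'EOF'
<tpm model='tpm-crb'>
  <backend type='emulator' version='2.0'/>
</tpm>
EOF
}

# Consistency check on an argument string: the chardev id referenced by -tpmdev must be
# the one declared by -chardev, otherwise QEMU refuses to start the guest.
# Returns 0 when consistent, 1 otherwise.
tpm_args_consistent() {
    case "$1" in
        *"-chardev socket,id=chrtpm,"*"-tpmdev emulator,"*"chardev=chrtpm"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone usage: print the three pieces for a placeholder guest named "win11".
STATE_DIR=/var/lib/swtpm/win11   # placeholder; must exist and be writable by the swtpm user
SOCK=/run/swtpm/win11.sock       # placeholder; swtpm creates it, QEMU connects to it
echo "# 1. start the emulator first and keep it running:"
swtpm_cmd "$STATE_DIR" "$SOCK"
echo "# 2. append to the qemu-system-x86_64 command line (alongside OVMF firmware):"
qemu_tpm_args "$SOCK"
echo "# 3. or, with libvirt, add this under <devices> via 'virsh edit win11':"
libvirt_tpm_xml
```

Start swtpm before QEMU, since QEMU connects to the socket at launch. Inside the guest, tpm.msc (or `Get-Tpm` in PowerShell) should then report a present, ready TPM with specification version 2.0; the TPM state directory holds the emulated NVRAM and keys, so back it up with the disk image if the guest uses BitLocker or other TPM-sealed secrets.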

I found a way to obtain the WHQL drivers by making use of the Red Hat developer program they opened because of the CentOS debacle. This is the package you need on RHEL.

Here we go: https://forum.level1techs.com/t/running-windows-11-in-kvm-the-official-way/

Guess what. It wasn’t FUD. Windows 11 is making TPM 2.0 mandatory for updates to function.

What I’m more worried about is they said the Desktop Window Manager wasn’t Win32 based… so is it UWP based? Cause that would instantly kill a Windows 11 AME.

It disables auto updates on systems without a TPM?
Ohhh, I like that, a good way to get windows without auto updates.

So long as I can find a way to download the updates manually, this sounds like a complete win.