
Add TPM functionality for Gen 2 Hyper-V machines

Open grottohub opened this issue 5 years ago • 7 comments

This allows for the Trusted Platform Module to be enabled for Hyper-V machines. I only have Windows 10 Home, so I can't actually test this out beyond unit testing in RSpec, and would appreciate it if someone is able to do that.

Also, in general it's my first time contributing here so any pointers / changes just let me know.

Fixes #11861

grottohub avatar Oct 19 '20 20:10 grottohub

@soapy1 Thanks for the review! I'll take a look at these soon

grottohub avatar Oct 31 '20 16:10 grottohub

@grahamhub did you have a chance to look into this? :-)

rgl avatar Mar 26 '21 18:03 rgl

@rgl Between the winter holidays and school I totally forgot about this! Thanks for reminding me. I should have some time to dig back into this in the next week or so.

grottohub avatar Mar 26 '21 18:03 grottohub

@soapy1 it's in a state where I'm almost ready to push my new commit, but I did have one question regarding the Isolated User Mode: the cmdlets that enable this setting require elevation (i.e. need to be run as admin). I checked the codebase and couldn't find any current scripts that handle elevation dynamically - how should I proceed?

I have a branch in configure_vm.ps1 that checks to see if the cmdlets need to be run, and if they do then it runs the necessary script (enable_isolated_user_mode.ps1, which has the #Requires -RunAsAdministrator flag so that the primary config script doesn't need it). I'm still a PowerShell novice so I'm not even sure if it's possible to elevate without the user confirming, or if there's a way to have a "custom" elevation confirmation (like having them confirm in the CLI, then run as admin vs. the usual route of right-clicking on something then running it again). If you have any ideas or if this has already been addressed somewhere else and I just missed it, I'd appreciate the guidance!

grottohub avatar Apr 05 '21 17:04 grottohub

Heya @grahamhub, thanks for sorting this out 🎉 It looks like it'll be quite an ordeal to do this kind of privilege escalation. Maybe correct me if I'm wrong, but the only part that needs admin access is enabling the isolated user mode. So, I think the best course of action here is for Vagrant to not try to enable that, but rather kick back an error to the user saying that this Windows mode needs to be enabled in order to use this feature. The error message can also tell the user what command they need to run to do that.

soapy1 avatar Apr 05 '21 23:04 soapy1

@grahamhub is attempting to deploy a commit to the HashiCorp Team on Vercel.

A member of the Team first needs to authorize it.

vercel[bot] avatar Apr 05 '21 23:04 vercel[bot]

Interested to know the state of this PR? I am also looking for such a solution to deal with the "The key protector could not be unwrapped" issue.

VishnuJin avatar May 22 '24 15:05 VishnuJin