
Qemu is capable of running secure boot enabled operating systems with swtpm emulating a physical TPM. There's also vDRM, virgl, and Venus for accelerating graphics workloads in guests, along with a proof of concept Windows driver.

How exactly do anti-cheat vendors intend to prevent this kind of setup from being effective?



Emulating a physical TPM doesn't always help when you cannot get a valid certificate signed by AMD/Intel. These are stored on the TPM and cannot be easily dumped. You'll want to passthrough your PC's TPM to the VM rather than emulating one.

https://www.reddit.com/r/linux_gaming/comments/1mkb3s8/under... talks about an example of a timing check that games use to detect running in VMs. There are additional checks besides this, but it gives you an example of how it's possible to block VMs.


The post does cover that briefly.

> If the TPM is virtualised (vTPM), the EKpub and EKcert validation will fail, as the EK won’t be signed by AMD or Intel.

Using `swtpm` will not give you the ability to create quotes of your PCR that are signed by an Endorsement Key that is itself signed by Intel or AMD.

It will be very obvious that you are using a self-generated key, possibly from a virtualised TPM.

Passing through the host's TPM will lead to multiple boot events being recorded, which will be flagged as an anomaly.


By blocking KVM. Enable or fake hyper-v? Block various qemu drivers. Don't use any of the qemu drivers? Side channels to detect KVM. Stronger hyper-v purity integrity. Detect nested hypervisors, which will have poor performance anyway.

If you aren't virtualizing disk drives and get banned, they will get serial banned, along with your other non-virtualized hardware: GPU, monitors, RAM, motherboard, keyboard, mice, headset serials. Yes, these are really all collected. No myth.

Some people think server side anticheat can help. It can to a degree. Then some things will always be possible client side. Game devs need more subtle client side integrity checks inside the game, not only ones that purely check the integrity of your overall system.

It's a losing battle, especially on games using the most popular engines like unreal and unity.


In practice, it’s essentially infeasible to make a non-detectable virtualization stack. Timing is really really hard to match (as is everything else). You can edit the binary that’s doing the detection, but this is time consuming. Every new feature they push costs you time and will poison your hardware id.

You can go further by, say, requiring fTPMs that are on the SoC (super common these days for most recent consumer CPUs). If you can’t boot into linux without the PCRs reflecting your virtualization stack being in the boot chain, your cheat is quite detectable.
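The two comments above (the one on passing through the host TPM recording extra boot events, and this one on PCRs reflecting the virtualization stack in the boot chain) both rest on the same mechanism: a PCR can only be extended, never set, so any component measured into the boot chain permanently changes the final value. The following is an added illustration, not code from the thread or from any anti-cheat vendor: it implements the SHA-256 PCR extend rule, replays a constructed event log to reproduce the PCR a verifier would expect, and shows that a chain with extra (host and hypervisor) measurements cannot reproduce the value of a bare-metal chain. The event strings, the "golden" allow-list and the function names are all constructed for this example.

```python
import hashlib
from typing import Iterable, List, Set, Tuple

PCR_LEN = 32  # SHA-256 PCR bank; PCRs start as all-zero bytes at reset


def pcr_extend(current: bytes, measurement: bytes) -> bytes:
    """TPM2_PCR_Extend semantics for a SHA-256 bank.

    The TPM never lets software write a PCR directly; it only computes
    new = H(old || H(measurement)). That one-way chaining is why an extra
    measured component cannot be hidden or removed after the fact.
    """
    digest = hashlib.sha256(measurement).digest()
    return hashlib.sha256(current + digest).digest()


def replay_event_log(events: Iterable[bytes]) -> bytes:
    """Replay a measured-boot event log from the reset value.

    A verifier does exactly this: it recomputes the PCR from the log and
    compares the result against the value the TPM reported in a quote.
    """
    pcr = bytes(PCR_LEN)
    for event in events:
        pcr = pcr_extend(pcr, event)
    return pcr


def verify_boot_chain(events: List[bytes], golden: Set[bytes]) -> Tuple[bool, bytes]:
    """Return (accepted, replayed_pcr).

    `golden` is an allow-list of PCR values computed from known-good boot
    chains (constructed here; a real verifier would ship these per
    firmware/bootloader/kernel version).
    """
    pcr = replay_event_log(events)
    return pcr in golden, pcr


# --- constructed sample boot chains (not real measurements) ----------------
BARE_METAL_CHAIN: List[bytes] = [
    b"firmware: vendor UEFI build 1.0",
    b"bootloader: shim + grub",
    b"kernel: vmlinuz-6.x",
]

# Host TPM passed through to a guest: the host's own boot events are already
# in the PCR, then the hypervisor and the guest firmware extend it further.
PASSTHROUGH_CHAIN: List[bytes] = [
    b"firmware: vendor UEFI build 1.0",
    b"bootloader: shim + grub",
    b"kernel: vmlinuz-6.x",
    b"hypervisor: qemu/kvm",
    b"firmware: OVMF (guest)",
    b"bootloader: Windows Boot Manager (guest)",
]

# Allow-list holds only the bare-metal value.
GOLDEN_PCRS: Set[bytes] = {replay_event_log(BARE_METAL_CHAIN)}


def order_matters() -> bool:
    """Extend is not commutative: reordering events changes the PCR."""
    return replay_event_log([b"a", b"b"]) != replay_event_log([b"b", b"a"])


if __name__ == "__main__":
    for name, chain in (("bare metal", BARE_METAL_CHAIN), ("passthrough", PASSTHROUGH_CHAIN)):
        ok, pcr = verify_boot_chain(chain, GOLDEN_PCRS)
        print(f"{name:12s} PCR={pcr.hex()[:16]}... accepted={ok}")
```

Note what the example does and does not show: replay only proves that the reported PCR is consistent with a log, and the log is attacker-controlled input. What makes the PCR value trustworthy is the quote over it being signed by an attestation key that chains to a manufacturer-certified EK, which is the part the thread says a software TPM cannot forge.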


As others have said, it was covered in the article.

In a word: attestation.

In more words, the CPU TPM contains a key signed by Intel / AMD or whoever, and can prove it. swtpm doesn't, and there is no way to fake it.


Various caches (or them being flushed) will instantly reveal a hypervisor being active.



