qemu-discuss

Re: qemu and windows 11


From: Pascal
Subject: Re: qemu and windows 11
Date: Fri, 29 Oct 2021 08:56:59 +0200

hi,

I managed to virtualize W$11 in TPM/SB mode as well as in "BIOS" mode (with the BypassTPMCheck and BypassSecureBootCheck register keys set to 1).
I didn't go further with W$11 in TPM/SB mode, but I was able to start it, once the installation was done, with the SB disabled (file=./OVMF_CODE.fd) and without the TPM device.

here are the command lines used in both cases :

# TPM/SB mode
$ swtpm socket --ctrl type=unixio,path=./swtpm.sock --terminate --tpmstate dir=. --tpm2 &
$ qemu-system-x86_64 \
  `# acceleration` \
  -accel kvm \
  `# CPU / 4G memory` \
  -machine q35 \
  -cpu host \
  -smp cores=2 \
  -m 4096 \
  `# 720p` \
  -device VGA,edid=on,xres=1280,yres=720 \
  `# USB support` \
  -device qemu-xhci \
  -device usb-tablet \
  `# secure boot` \
  -global ICH9-LPC.disable_s3=1 \
  -drive if=pflash,format=raw,file=./OVMF_CODE.secboot.fd,readonly=on \
  -drive if=pflash,format=raw,file=./OVMF_VARS.fd \
  `# tpm2` \
  -chardev socket,id=chrtpm,path=./swtpm.sock \
  -tpmdev emulator,id=tpm0,chardev=chrtpm \
  -device tpm-tis,tpmdev=tpm0 \
  `# 64G hard drive` \
  -hda ./11.disk \
  -cdrom ./11.iso

# "BIOS" mode with HKLM LabConfig register keys
$ qemu-system-x86_64 \
  `# acceleration` \
  -accel kvm \
  `# CPU / 4G memory` \
  -machine q35 \
  -cpu host \
  -smp cores=2 \
  -m 4096 \
  `# 720p` \
  -device VGA,edid=on,xres=1280,yres=720 \
  `# USB support` \
  -device qemu-xhci \
  -device usb-tablet \
  `# 64G hard drive` \
  -hda ./11.disk \
  -cdrom ./11.iso

regards, lacsaP.

On Mon, 18 Oct 2021 at 10:50, Pascal <patatetom@gmail.com> wrote:
hi,

I simply prefer the manipulation of a few keys in the Windows registry at the time of installation to the "complex" Qemu boot (SecureBoot and TPM).

however, I tried to install W$11 with native (passthrough) and emulated (swtpm) TPM support, but I always get the warning that the (virtual) computer is not compatible.
unfortunately, this warning does not specify at what level the incompatibility is.
I would lean towards SecureBoot that I can't implement with Qemu (the screen stays frozen on "Guest has not initialized the display (yet).").

# chmod 666 /dev/tpm0
$ /usr/bin/qemu-system-x86_64 -accel kvm -machine q35 -m 4096 -device nec-usb-xhci -device usb-tablet -cpu host -parallel null -serial mon:stdio -bios /usr/share/edk2-ovmf/x64/OVMF.fd -hda 11.disk -cdrom 11.iso -tpmdev passthrough,id=tpm0,path=/dev/tpm0 -device tpm-tis,tpmdev=tpm0

$ swtpm socket --tpm2 --tpmstate dir=/tmp/mytpm --ctrl type=unixio,path=/tmp/mytpm/swtpm-sock
$ /usr/bin/qemu-system-x86_64 -accel kvm -machine q35 -m 4096 -device nec-usb-xhci -device usb-tablet -cpu host -parallel null -serial mon:stdio -bios /usr/share/edk2-ovmf/x64/OVMF.fd -hda 11.disk -cdrom 11.iso -chardev socket,id=chrtpm,path=/tmp/mytpm/swtpm-sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis,tpmdev=tpm0

On Fri, 15 Oct 2021 at 18:36, Stefano Cappa <stefano.cappa.ks89@gmail.com> wrote:
Totally agree with Friedrich, there is no reason to use workaround or hacks. You can simply use a tpm emulator. I'm using swtpm (it's open source and available on github) since this August and it works perfectly.

Stefano

On Fri, 15 Oct 2021, 18:31 Friedrich Oslage <friedrich@oslage.de> wrote:
Why do you want to use the registry workarounds? It's a lot easier to
just emulate a TPM and Secure-Boot. And yes, Windows 11 works just fine
in a Qemu VM which meets the requirements.

Also, I'd recommend using libvirt instead of executing qemu directly, it
just makes everything easier. For instance in libvirt adding a TPM is
just "<tpm model='tpm-crb'><backend type='emulator'
version='2.0'/></tpm>", with plain Qemu you need to manage everything
yourself, including control socket and state directory.

Regards
Friedrich

On 10/15/21 1:42 PM, Pascal wrote:
> hi everyone,
> here is the "environment" used (but it still doesn't work :-() :

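Added example, not part of the thread: the swtpm-then-QEMU sequence from the TPM/SB command line above, wrapped so that the TPM state directory and control socket sit in a directory only the invoking user can access, and QEMU starts only once the socket exists. The function names and the `tpm/` subdirectory layout are assumptions; the swtpm and QEMU options are the ones quoted in the thread.

```sh
#!/bin/sh
# Added example (not from the thread). Function names and the tpm/ layout are assumptions.

# The state directory holds the emulated TPM's persistent state (keys, NV data),
# so create it readable by the invoking user only.
prepare_tpm_dir() {
  ( umask 077 && mkdir -p "$1" ) || return 1
  chmod 700 "$1"
}

# Succeeds only if the path is a directory with mode rwx------ (rejects e.g. a
# world-readable directory reused from /tmp, or a symlink).
tpm_dir_is_private() {
  case "$(ls -ld "$1" 2>/dev/null)" in
    drwx------*) return 0 ;;
    *) return 1 ;;
  esac
}

# Poll for swtpm's control socket: $1 = path, $2 = seconds to wait (default 10).
wait_for_socket() {
  tries="${2:-10}"
  while [ "$tries" -gt 0 ]; do
    [ -S "$1" ] && return 0
    sleep 1
    tries=$((tries - 1))
  done
  return 1
}

# $1 = directory holding OVMF_CODE.secboot.fd, OVMF_VARS.fd, 11.disk, 11.iso
start_vm() {
  vm_dir="$1"; tpm_dir="$vm_dir/tpm"; sock="$tpm_dir/swtpm.sock"
  prepare_tpm_dir "$tpm_dir" && tpm_dir_is_private "$tpm_dir" || return 1
  swtpm socket --tpm2 --tpmstate dir="$tpm_dir" \
    --ctrl type=unixio,path="$sock" --terminate &
  wait_for_socket "$sock" || { kill "$!" 2>/dev/null; return 1; }
  qemu-system-x86_64 -accel kvm -machine q35 -cpu host -smp cores=2 -m 4096 \
    -device VGA,edid=on,xres=1280,yres=720 -device qemu-xhci -device usb-tablet \
    -global ICH9-LPC.disable_s3=1 \
    -drive if=pflash,format=raw,file="$vm_dir/OVMF_CODE.secboot.fd",readonly=on \
    -drive if=pflash,format=raw,file="$vm_dir/OVMF_VARS.fd" \
    -chardev socket,id=chrtpm,path="$sock" \
    -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis,tpmdev=tpm0 \
    -hda "$vm_dir/11.disk" -cdrom "$vm_dir/11.iso"
}

# Launch only when called as "script run [vm_dir]"; otherwise just define the functions.
if [ "${1:-}" = "run" ]; then start_vm "${2:-.}"; fi
```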
