QEMU/KVM: Create Windows 10/11 VM with TPM and Secure Boot

Mar 08, 2024 Comments trick-share

For lazy guys

If you are lazy, you can skip step-1 with my pre-deployed win10 base image: https://recolic.net/hms.php?/systems/win10pro-22h2-virtio-uefi.qcow2

If you are lazy, you can download WHQL-signed virtio iso from me: https://recolic.net/hms.php?/softwares/win10vm-secureboot-kit.tar.gz

If you are lazy, you can download OVMF_***.fd from me: https://recolic.net/hms.php?/softwares/win10vm-secureboot-kit.tar.gz

Step 1: deploy a regular KVM windows VM with virtio

Firstly, deploy a regular windows VM, install virtio driver and QEMU guest addon. There are already lots of guides, and it should be easy to figure it out.

I will just give an example command:

qemu-img create -f qcow2 fresh.qcow2 200G
qemu-system-x86_64 -drive file=fresh.qcow2,if=virtio -cpu host --enable-kvm -m 8G -smp 6 -bios /usr/share/edk2-ovmf/x64/OVMF.fd -cpu host,hv_relaxed,hv_spinlocks=0x1fff,hv_vapic,hv_time -cdrom YOUR_WIN10_IMG.iso -cdrom YOUR_VIRTIO_IMG.iso

Note that you must use a WHQL-signed virtio image, otherwise it will cause problem on secure boot. Ref: https://github.com/infokiller/win10-vm

Step 2: enable TPM and virtio

Start TPM daemon:

mkdir -p /tmp/swtpm/mytpm
nohup bash -c 'cd /tmp/swtpm ; while true; do swtpm socket --tpm2 --tpmstate dir=./mytpm --ctrl type=unixio,path=./mytpm.sock; done' & disown

Warning: if using BitLocker, DO NOT put tpm directory into /tmp. It will lost after reboot.

Get OVMF_CODE_4M.ms.fd and OVMF_VARS_4M.ms.fd. Ref: https://github.com/infokiller/win10-vm

Then start QEMU with some extra arguments: (note that -bios option should be removed)

qemu-system-x86_64 -drive file=fresh.qcow2,if=virtio -cpu host --enable-kvm -m 8G -smp 6 -cpu host,hv_relaxed,hv_spinlocks=0x1fff,hv_vapic,hv_time \
 -drive if=pflash,format=raw,readonly=on,file=out/OVMF_CODE_4M.ms.fd \
 -drive if=pflash,format=raw,file=out/OVMF_VARS_4M.ms.fd \
 -machine pc-q35-8.2 \
-chardev socket,id=chrtpm,path=/tmp/swtpm/mytpm.sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis,tpmdev=tpm0

If you have any problems

Please ref: https://wiki.archlinux.org/title/QEMU (section 4.3 and 4.4)
https://github.com/infokiller/win10-vm
https://superuser.com/a/1798353/721846

Tags:
recolic

recolic

Enjoy opensource, enjoy linux, enjoy C++, enjoy life. https://github.com/recolic https://git.recolic.net/root

Share

Leave a Reply

Recent Comments