QEMU/KVM: Create Windows 10/11 VM with TPM and Secure Boot

Mar 08, 2024 Comments trick-share

For lazy guys

If you are lazy, you can skip step-1 with my pre-deployed win10 base image: https://recolic.net/hms.php?/systems/win10pro-22h2-virtio-uefi.qcow2 (login password: 1)

If you are lazy, you can download WHQL-signed virtio iso from me: https://recolic.net/hms.php?/softwares/win10vm-secureboot-kit-2512.tar.xz

If you are lazy, you can download OVMF_***.fd from me: https://recolic.net/hms.php?/softwares/win10vm-secureboot-kit-2512.tar.xz

iso-to-qcow2.sh is also available in the link above.

Step 1: deploy a regular KVM windows VM with virtio

Firstly, deploy a regular windows VM, install virtio driver and QEMU guest addon. There are already lots of guides, and it should be easy to figure it out.

I will just give an example command:

qemu-img create -f qcow2 fresh.qcow2 200G
# use my iso-to-qcow2.sh to convert virtio.iso to qcow2

qemu-system-x86_64 -drive file=fresh.qcow2,if=virtio -cpu host --enable-kvm -m 8G -smp 6 -bios /usr/share/edk2-ovmf/x64/OVMF.fd -cpu host,hv_relaxed,hv_spinlocks=0x1fff,hv_vapic,hv_time -cdrom YOUR_WIN10_IMG.iso -drive YOUR_VIRTIO_IMG-iso.qcow2

# choose "Load Driver -> Browse -> C:/amd64/w10" during installation

Note that you must use a WHQL-signed virtio image, otherwise it will cause problem on secure boot. Ref: https://github.com/infokiller/win10-vm

Step 2: enable TPM and virtio

Start TPM daemon:

mkdir -p /tmp/swtpm/mytpm
nohup bash -c 'cd /tmp/swtpm ; while true; do swtpm socket --tpm2 --tpmstate dir=./mytpm --ctrl type=unixio,path=./mytpm.sock; done' & disown

Warning: if using BitLocker, DO NOT put tpm directory into /tmp. It will lost after reboot.

Get OVMF_CODE_4M.ms.fd and OVMF_VARS_4M.ms.fd. Ref: https://github.com/infokiller/win10-vm

Then start QEMU with some extra arguments: (note that -bios option should be removed)

qemu-system-x86_64 -drive file=fresh.qcow2,if=virtio -cpu host --enable-kvm -m 8G -smp 6 -cpu host,hv_relaxed,hv_spinlocks=0x1fff,hv_vapic,hv_time \
 -drive if=pflash,format=raw,readonly=on,file=out/OVMF_CODE_4M.ms.fd \
 -drive if=pflash,format=raw,file=out/OVMF_VARS_4M.ms.fd \
 -machine pc-q35-8.2 \
-chardev socket,id=chrtpm,path=/tmp/swtpm/mytpm.sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis,tpmdev=tpm0

Windows 11 performance issue

Win11 sucks in KVM without GPU accel. GPT told me to try the following command, and it helps a lot. Use it at your own risk.

# Most Effective!
reg add "HKLM\SOFTWARE\Microsoft\Windows\DWM" /v CompositionPolicy /t REG_DWORD /d 2 /f

# Less Effective...
sysdm.cpl # Manual: GoTo Advanced → Performance, disable unnecessary shit.
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fDisableWdp /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v VisualFXSetting /t REG_DWORD /d 2 /f

If you have any questions

Please ref: https://wiki.archlinux.org/title/QEMU (section 4.3 and 4.4)
https://github.com/infokiller/win10-vm
https://superuser.com/a/1798353/721846

Tags:
recolic

recolic

Enjoy opensource, enjoy linux, enjoy C++, enjoy life. https://github.com/recolic https://git.recolic.net/root

Share

Leave a Reply

Recent Comments