I wanted to try Windows 11 in a KVM VM today. After installing the swtpm package over at SBo I started to install Win 11 but keep getting the "This PC can't run Windows 11" error. I have confirmed it is an issue with the TPM because if I pass through my hardware TPM module Windows 11 installs fine. Or if I edit the registry before install and disable the TPM check that also works. The log shows the emulated TPM is created successfully so I am not sure what is going on.
Code:
Invoking /usr/bin/swtpm_localca --type ek --ek x=b0c49dcf9625bd3d744f095e4f0740ddb97cea1f9bc15acc64c3971270c554c774729c888607c93e0639c1441b977fad,y=b6494628696eb7d841130231fc23fcad2afd2996d10bd6d117f31ec6d694b4080db9f7d8588e7315900457199fee2abc,id=secp384r1 --dir /tmp/swtpm_setup.certs.8Z1931 --logfile /var/log/swtpm/libvirt/qemu/win11-swtpm.log --vmid win11:69c8e5c3-bc56-4cb7-8dbe-fca8d4810667 --tpm-spec-family 2.0 --tpm-spec-level 0 --tpm-spec-revision 164 --tpm-manufacturer id:00001014 --tpm-model swtpm --tpm-version id:20191023 --tpm2 --configfile /etc/swtpm-localca.conf --optsfile /etc/swtpm-localca.options
Successfully created EK certificate locally.
Successfully created NVRAM area 0x1c00016 for ECC EK certificate.
Successfully activated PCR banks sha256 among sha1,sha256,sha384,sha512.
Successfully authored TPM state.
Ending vTPM manufacturing @ Thu 04 May 2023 01:02:57 PM CDT
Has anyone here successfully installed Windows 11 in Qemu/KVM?
Yeah, if you find a way to do it through virt-manager let me know. I checked the log file for the qemu command used to launch my win11 VM. I am going to create a script to launch win11 directly using the log file with the suggestions you mentioned above.
Distribution: Slackware64 {15.0,-current}, FreeBSD, stuff on QEMU
I believe this is a Secure Boot problem, not a TPM problem. I replaced the "loader" line in the XML code with the following, and the VM made it to the license dialog:
Those two files come with OVMF, which was formerly on SBo. I think the maintainer pulled it after UEFI firmware started being included in Qemu a few versions back, but I happen to have a local copy; the relevant documents are attached.
EDIT: I also set the tpm options to "TIS" and "2.0."
Last edited by pghvlaans; 05-05-2023 at 12:25 AM.
Reason: forgot something
Thank You. I already have that package installed with his updated sources over at sourceforge. I am still thinking it is a TPM issue since I can disable the TPM check before install and everything works fine. As a test I left the TPM check and disabled the secure boot check before the Windows 11 install and still got the error "This PC can't run Windows 11".
Also I noticed in your post you are using OVMF_CODE.secboot.fd. When I built the ovmf package I did not get that file. Here is a list of the files in my package.
Well this makes no sense whatsoever, but setting the TPM to version 1.2 allows me to install Windows 11 with the emulated TPM. However this shouldn't technically work because Windows 11 requires a TPM 2.0 module according to its own system requirements. However since I am just playing around with Windows 11 this is good enough. I still don't like when things "work" but I don't understand why. I still have to try bypassing libvirt and launching the VM directly with Qemu later, but for now I will mark this as solved.
Mystery solved. I must have gotten it from a Fedora rpm. "OVMF_CODE.secboot.fd" and friends are now provided by the edk2-ovmf and edk2-ovmf-ia32 packages on Fedora. OVMF_CODE.secboot.fd and OVMF_VARS.secboot.fd from the extracted rpm are working as expected. I'll plan to submit edk2-ovmf to SBo.
Thank You. I will definitely give them a try once you submit them.
This is what seems to be happening, to the best of my understanding:
Qemu comes with Secure Boot capable UEFI firmware at /usr/share/qemu/edk2-x86_64-secure-code.fd. In theory, this allows for running a VM with Secure Boot enabled. However...
The associated varstore, edk-i386-vars.fd, is empty, and contains no Microsoft keys or even a device-specific public key. This means that Secure Boot cannot be enabled.
It may be possible to enable Secure Boot with these two files by enrolling a public key and Microsoft's DB, KEK and (I think) DBX certificates (available online); haven't tested.
edk2-ovmf provides OVMF_VARS.secboot.fd, which does have the appropriate keys enrolled; Secure Boot is enabled automatically. The process of enrolling keys yourself seems onerous enough that submission to SBo is merited.
When running with TPM < 2, the Windows 11 installer apparently thinks disabled Secure Boot is fine and dandy. Like you said before, this is contrary to Microsoft's own documentation, and it's altogether possible that the bug will be fixed in future.
In summary, Windows 11 can only be run without the extra files from edk2-ovmf by (possibly) enrolling Secure Boot-related certificates or relying on a bug.
Let me know when you get that SlackBuild made. I'd like to try it out. I am sticking with Windows 10 until it goes EOL but I still like to tinker with getting Windows 11 running properly with virt-manager.
EDIT: I just saw the package in the pending SBo queue.
I saw your SlackBuild in the approved queue so I went ahead and tested it out. It does work with qemu, however just FYI your SlackBuild doesn't work with virt-manager. The reason is when you copy the files you changed the destination directory but the json files are still looking for them in their original location. I tweaked your script to fix this issue so that they can be accessed via virt-manager.
Code:
#!/bin/bash
#
# Slackware build script for edk2-ovmf
#
# Copyright 2023 K. Eugene Carlson Tsukuba, Japan
# All rights reserved.
#
# Redistribution and use of this script, with or without modification, is
# permitted provided that the following conditions are met:
#
# 1. Redistributions of this script must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
cd $(dirname $0) ; CWD=$(pwd)
PRGNAM=edk2-ovmf
VERSION=${VERSION:-20230301}
FEDVER=${FEDVER:-f80f052277c8-3.fc38}
BUILD=${BUILD:-1}
TAG=${TAG:-_SBo}
PKGTYPE=${PKGTYPE:-tgz}
ARCH=noarch
# If the variable PRINT_PACKAGE_NAME is set, then this script will report what
# the name of the created package would be, and then exit. This information
# could be useful to other scripts.
if [ ! -z "${PRINT_PACKAGE_NAME}" ]; then
  echo "$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.$PKGTYPE"
  exit 0
fi
TMP=${TMP:-/tmp/SBo}
PKG=$TMP/package-$PRGNAM
OUTPUT=${OUTPUT:-/tmp}
set -e
rm -rf $PKG
mkdir -p $TMP $PKG $OUTPUT
cd $TMP
rm -rf $PRGNAM-$VERSION
mkdir $PRGNAM-$VERSION
cd $PRGNAM-$VERSION
rpm2cpio $CWD/$PRGNAM-$VERSION\git$FEDVER.noarch.rpm | cpio -idmv
rpm2cpio $CWD/$PRGNAM-ia32-$VERSION\git$FEDVER.noarch.rpm | cpio -idmv
chown -R root:root .
find -L . \
 \( -perm 777 -o -perm 775 -o -perm 750 -o -perm 711 -o -perm 555 \
  -o -perm 511 \) -exec chmod 755 {} \; -o \
 \( -perm 666 -o -perm 664 -o -perm 640 -o -perm 600 -o -perm 444 \
  -o -perm 440 -o -perm 400 \) -exec chmod 644 {} \;
mkdir -p $PKG/usr/share/edk2
cp -r usr/share/edk2/ovmf $PKG/usr/share/edk2/x64
cp -r usr/share/edk2/ovmf-ia32 $PKG/usr/share/edk2/ia32
# Firmware-loading specifications; the files do not conflict with Qemu.
cp -r usr/share/qemu $PKG/usr/share/qemu
for i in $(find $PKG/usr/share/qemu/firmware -type f -iname "*ia32*") ; do
  sed -i 's/ovmf-ia32/ia32/g' $i
done
for k in $(find $PKG/usr/share/qemu/firmware -type f -iname "*x64*") ; do
  sed -i 's|/usr/share/edk2/ovmf|/usr/share/edk2/x64|g' $k
done
mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION
cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild
cp usr/share/licenses/edk2-ovmf/* $PKG/usr/doc/$PRGNAM-$VERSION
cp usr/share/doc/edk2-ovmf/* $PKG/usr/doc/$PRGNAM-$VERSION
mkdir -p $PKG/install
cat $CWD/slack-desc > $PKG/install/slack-desc
cd $PKG
/sbin/makepkg -l y -c n $OUTPUT/$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.$PKGTYPE
However I ran into another problem: for whatever reason the ia32 BIOS files are not visible in virt-manager no matter what I have tried. In the end I just took the build from Arch and converted it to a SlackBuild using their binary and now all the BIOS files are showing in virt-manager (see screenshot). Here is a link to my SlackBuild just in case you are curious. But you led me down the right path to get this fixed so Thank You.
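The stale-path problem described in the post above (firmware descriptor JSON files still pointing at a directory the SlackBuild no longer uses) can be checked mechanically. The following is an added example, not part of the thread or of either SlackBuild: it reads QEMU firmware descriptors, lists referenced firmware files that do not exist, and reports whether each descriptor advertises the "secure-boot" and "enrolled-keys" features discussed earlier in the thread. The function names, descriptor file names and sample tree are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path


def audit_descriptors(firmware_dir, root="/"):
    """Return one record per descriptor: missing files and Secure Boot features."""
    results = []
    for desc in sorted(Path(firmware_dir).glob("*.json")):
        data = json.loads(desc.read_text())
        mapping = data.get("mapping", {})
        missing = []
        for key in ("executable", "nvram-template"):
            filename = mapping.get(key, {}).get("filename")
            # Resolve under `root` so an uninstalled package tree can be checked.
            if filename and not (Path(root) / filename.lstrip("/")).is_file():
                missing.append(filename)
        features = set(data.get("features", []))
        results.append({"descriptor": desc.name, "missing": missing,
                        "secure_boot": "secure-boot" in features,
                        "enrolled_keys": "enrolled-keys" in features})
    return results


def build_sample_tree(root):
    """Constructed sample: firmware moved to x64/, one descriptor left stale."""
    root = Path(root)
    fw = root / "usr/share/edk2/x64"
    fw.mkdir(parents=True)
    for name in ("OVMF_CODE.secboot.fd", "OVMF_VARS.secboot.fd"):
        (fw / name).write_bytes(b"\0")
    descs = root / "usr/share/qemu/firmware"
    descs.mkdir(parents=True)
    for fname, base in (("40-stale.json", "/usr/share/edk2/ovmf"),
                        ("41-fixed.json", "/usr/share/edk2/x64")):
        (descs / fname).write_text(json.dumps({
            "interface-types": ["uefi"],
            "mapping": {"device": "flash",
                        "executable": {"filename": f"{base}/OVMF_CODE.secboot.fd", "format": "raw"},
                        "nvram-template": {"filename": f"{base}/OVMF_VARS.secboot.fd", "format": "raw"}},
            "features": ["secure-boot", "enrolled-keys", "requires-smm"],
        }))
    return descs


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rec in audit_descriptors(build_sample_tree(tmp), root=tmp):
            print(rec)
```

Calling audit_descriptors with root set to the $PKG directory checks a package tree before makepkg runs; with the default root it checks the descriptors installed on the host.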