Windows 11 and Secure Boot

[directhex]

This is not a "how do I". It's a "I did it". Unmodified Windows 11 installer booting with full TPM emulation. In a single command, on Cobia:

Code:

cli -c "service vm update id=X machine_type=q35 arch_type=x86_64 trusted_platform_module=true"

As a result, my VM gets sign-off from my company's InTune enforced security policy.

 

[sretalla]

That also seems to work as a retrofit to an existing VM.

Good information to have, maybe it will also come to the GUI at some point.

It probably also enables the setting of the required options to run MacOS on KVM under SCALE.

 

[Patrick M. Hausen]

Work is ongoing and pretty near completion to bring TPM emulation to bhyve. I hope iX will pull from upstream for the next CORE release.

 

[directhex]

It's not 100% - something is not quite right, causing BitLocker to require recovery after every clean boot. And needing to enroll my own Secure Boot PK/KEK/DB before starting is a huge PITA (but not one I haven't gotten used to). Tools like https://github.com/rhuefi/qemu-ovmf-secureboot exist to make that suck less.

 

[sretalla]

It probably also enables the setting of the required options to run MacOS on KVM under SCALE.

Or it would if the CLI would accept the command_line_args argument as it suggests it does...

 

[directhex]

Okay, fixed up the command. Gotta pass -c and quote the whole command

 

[directhex]

Okay, a further development

I was having issues with errors in the Windows system log with registering an updated DBX

This is caused by the system having too little UEFI space to store the extra DBX, caused by using the obsolete 2 meg OVMF firmware not having enough variable space (See the changelog in the 2020.05-3 Debian package https://metadata.ftp-master.debian.org/changelogs//main/e/edk2/edk2_2020.05-3~bpo+1_changelog )

OVMF supplies five images:

• OVMF_CODE.fd, the basic 2M image
• OVMF_CODE.secboot.fd, the basic 2M image with Secure Boot enforcement enabled and MS default signatures
• OVMF_CODE_4M.fd, the expanded 4M image
• OVMF_CODE_4M.secboot.fd, the expanded 4M image with Secure Boot enforcement enabled and MS default signatures
• OVMF_CODE_4M.snakeoil.fd, the expanded 4M image with Secure Boot enforcement enabled and self-signed development signatures

TrueNAS only exposes two of those, OVMF_CODE.fd and OVMF_CODE_4M.fd:

Code:

[pandorica]> service vm bootloader_ovmf_choices
+-----------------+-----------------+
|    OVMF_CODE.fd | OVMF_CODE.fd    |
| OVMF_CODE_4M.fd | OVMF_CODE_4M.fd |
+-----------------+-----------------+

Switching a VM's boot image, and copying the matching VARS file from /usr/share/OVMF/ on top of the file in /var/lib/libvirt/qemu/nvram/, is enough to get Windows' DBX updates to succeed:

It would be much better if a) the default was the 4M image, in space year 2023, there's no reason to default to the 2M image, and b) the secboot/ms images already on disk were offered via the API, not just the basic images