Creating secure-boot VM in virt-manager in 22.04

Ralf Mardorf kde.lists at yahoo.com
Fri Jun 7 00:51:50 UTC 2024 

On Wed, 2024-06-05 at 08:01 -0400, Sam Varshavchik wrote:
> I have an existing qemu VM that's using UEFI firmware and secure boot  
> (Windows 11), running in Fedora 40 that I want to move to 22.04

Hi,

I'm neither using QEMU for my Windows guests, nor *buntu as host for a
hypervisor. However, why do you care for secure boot at all? I seriously
doubt that secure boot gains much on bare metal. So what does secure
boot gain when running Windows 11 as guest on a Linux host?

My Windows 11 guest (on an Arch Linux host, hypervisor VBox) was
installed with the following
HKEY_LOCAL_MACHINE\SYSTEM\Setup LabConfig key configuration:
BypassTPMCheck 1
BypassRAMCheck 1
BypassSecureBootCheck 1

      OS Name	Microsoft Windows 11 Pro
      Version	10.0.22000 Build 22000
      Other OS Description 	Not Available
      OS Manufacturer	Microsoft Corporation
      System Name	ROCKMOUSE
      System Manufacturer	innotek GmbH
      System Model	VirtualBox
      System Type	x64-based PC
      System SKU	Unsupported
      Processor	13th Gen Intel(R) Core(TM) i3-13100, 3418 Mhz, 1 Core(s), 1 Logical Processor(s)
      BIOS Version/Date	innotek GmbH VirtualBox, 01/12/2006
      SMBIOS Version	2.5
      BIOS Mode	UEFI
      BaseBoard Manufacturer	Oracle Corporation
      BaseBoard Product	VirtualBox
      BaseBoard Version	1.2
      Platform Role	Desktop
      Secure Boot State	Off
      PCR7 Configuration	Binding Not Possible
      Windows Directory	C:\Windows
      System Directory	C:\Windows\system32
      Boot Device	\Device\HarddiskVolume1
      Locale	United States
      Hardware Abstraction Layer	Version = "10.0.22000.1696"
      User Name	rockmouse\unkno
      Time Zone	Romance Daylight Time
      Installed Physical Memory (RAM)	16,0 GB
      Total Physical Memory	16,0 GB
      Available Physical Memory	13,7 GB
      Total Virtual Memory	18,4 GB
      Available Virtual Memory	16,4 GB
      Page File Space	2,38 GB
      Page File	C:\pagefile.sys
      Kernel DMA Protection	Off
      Virtualization-based security	Not enabled
      Device Encryption Support	Reasons for failed automatic device encryption: TPM is not usable, PCR7 binding is not supported, Hardware Security Test Interface failed and device is not Modern Standby, Un-allowed DMA capable bus/device(s) detected, TPM is not usable
      A hypervisor has been detected. Features required for Hyper-V will not be displayed.

IOW, my recommendation is to open regedit and to add the key

  LabConfig

to HKEY_LOCAL_MACHINE\SYSTEM\Setup

and to at least add

  BypassSecureBootCheck

with the value

  1

to the key LabConfig .

Regards,
Ralf

More information about the ubuntu-users mailing list