Need some help with VM on Xen libvirt, Windows 11, secure boot and TPM

Hello everyone.
I could really use your help.
Currently have Windows 10 VMs on Xen libvirt,
but want to move to Windows 11, which needs secure boot and TPM.
Have installed the swtpm package, and the manual says virt-manager starts a vTPM when needed.
But nothing is started. In the manual there is something about QEMU where one has to create a vTPM socket; do I need to do that too?

@stelgenkamp Hi and welcome to the Forum :smile: If you're using virt-manager, then edit the system and add hardware and add the TPM device?

Or via virsh and add:

<tpm model="tpm-crb">
  <backend type="emulator" version="2.0"/>
</tpm>

Yes, I use virt-manager and have added this TPM device.
Unfortunately nothing happens. Do I need to do more than just install the swtpm package?

@stelgenkamp If you boot the Windows 10 machine, do you see the TPM device listed in Device Manager?

@stelgenkamp Did you also set up secure boot? This requires a different chipset and var file?

<os firmware="efi">
  <type arch="x86_64" machine="pc-q35-8.1">hvm</type>
  <firmware>
    <feature enabled="yes" name="enrolled-keys"/>
    <feature enabled="yes" name="secure-boot"/>
  </firmware>
  <loader readonly="yes" secure="yes" type="pflash">/usr/share/qemu/ovmf-x86_64-smm-ms-code.bin</loader>
  <nvram template="/usr/share/qemu/ovmf-x86_64-smm-ms-vars.bin">/var/lib/libvirt/qemu/nvram/Windows_11_Pro_VARS.fd</nvram>
</os>

Or can skip the TPM and CPU check: "The easy way to install Windows 11 on unsupported CPUs" - The Verge

No, I had not.
When I enter this it throws an error :
Error changing VM configuration: unsupported configuration: Secure boot is not supported on Xen

No it does not

Also from your config :
var/lib/libvirt/qemu/nvram/Windows_11_Pro_VARS.fd
This file is not present…

@stelgenkamp Yes, that vars entry was for my VM (it’s not Xen). So no secure boot… might have to rethink your strategy going forward…

Docs :

https://documentation.suse.com/zh-tw/sles/15-SP5/html/SLES-all/cha-vt-installation.html

At 6.3 :
Xen HVM guests support booting from the OVMF firmware as well, but they do not support UEFI Secure Boot.

Does anyone else know how to get these Windows VMs Secure Boot and TPM with Xen?
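
An added example, not part of any post in this thread: a small Python check that reads a domain definition in the form `virsh dumpxml` prints and reports which of the Windows 11 prerequisites discussed above (UEFI, Secure Boot, emulated TPM 2.0) the XML requests, flagging the Xen Secure Boot limitation quoted from the SUSE documentation. The domain name, the `kvm` driver type used for comparison and the function name `check_domain` are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed domain XML: wraps the <tpm> and <firmware> elements quoted in the
# thread in a minimal domain; the name and the driver types are assumptions.
TEMPLATE = """<domain type="{driver}">
  <name>win11-test</name>
  <os firmware="efi">
    <type arch="x86_64">hvm</type>
    <firmware>
      <feature enabled="yes" name="enrolled-keys"/>
      <feature enabled="yes" name="secure-boot"/>
    </firmware>
  </os>
  <devices>
    <tpm model="tpm-crb">
      <backend type="emulator" version="2.0"/>
    </tpm>
  </devices>
</domain>"""

def check_domain(xml_text):
    """Report Windows 11 prerequisites requested in a libvirt domain XML."""
    root = ET.fromstring(xml_text)
    driver = root.get("type", "")
    os_el = root.find("os")
    loader = root.find("os/loader")
    feature = root.find("os/firmware/feature[@name='secure-boot']")
    backend = root.find("devices/tpm/backend")
    report = {
        "driver": driver,
        # UEFI is requested by firmware="efi" or by an explicit pflash loader.
        "uefi": (os_el is not None and os_el.get("firmware") == "efi")
        or (loader is not None and loader.get("type") == "pflash"),
        # Secure Boot is requested by the firmware feature or <loader secure="yes">.
        "secure_boot": (feature is not None and feature.get("enabled") == "yes")
        or (loader is not None and loader.get("secure") == "yes"),
        "tpm2": backend is not None
        and backend.get("type") == "emulator"
        and backend.get("version") == "2.0",
        "problems": [],
    }
    if driver == "xen" and report["secure_boot"]:
        # Same condition as the error quoted in the thread and the SUSE note.
        report["problems"].append("Secure boot is not supported on Xen")
    for key in ("uefi", "secure_boot", "tpm2"):
        if not report[key]:
            report["problems"].append("missing: " + key)
    return report
```

The check only reports what the XML asks for; whether the hypervisor driver accepts the definition is decided by libvirt when the configuration is saved.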
