Ir1Ka / win10-vm

Windows 10 VM on Linux (QEMU/KVM) with Secure Boot, BitLocker, and good performance

Modern Windows VM

This repo contains notes about running a Windows 10, Windows 11, or Windows Server VM in Linux (libvirt via QEMU/KVM) with good performance and with Secure Boot and BitLocker enabled.

Status

WIP: currently only covers setting up Secure Boot with Virtio drivers, which are important for performance. See the other guides in the references for additional performance improvements; they will be added to this repo after I benchmark them.

Virtio

Virtio is a virtualization technology focused on improving the performance of emulated IO devices (storage and network). If you want to use Virtio together with Secure Boot, see the Secure Boot section. Otherwise, all you need to do is:

  • Download the latest stable virtio-win iso from Fedora.
  • Mount the iso as a CDROM in virt-manager
  • Run virtio-win-guest-tools.exe from the drive inside the VM

This will also install QXL display drivers and the SPICE agent.

SPICE

SPICE can improve graphics performance in VMs (especially remote ones), and has other nice features like host-guest clipboard syncing.

If you install Virtio using the method above, it should already contain the essential components (possibly only the WebDAV daemon is not installed, I need to verify this).

An (inferior) alternative is to download and install SPICE Windows guest tools (go to "Windows binaries" in "Guest") from inside the VM. This will install all of the SPICE components, and also outdated Virtio drivers.

Note that the Windows Guest tools repo is sometimes lagging. Another alternative is to install individual components (QXL driver, SPICE agent, and the WebDAV daemon for folder sharing). See the "Windows binaries" section in the SPICE downloads page.

Secure Boot

Using UEFI firmware with the required keys

The UEFI firmware (OVMF in our case) must have the Microsoft keys enrolled in order for it to boot Windows 10/11 in Secure Boot mode.

The OVMF package in Linux distros contains two files:

  1. The UEFI code, which can be named OVMF.fd, OVMF_CODE.fd, or OVMF_CODE.secboot.fd
  2. The UEFI variables, usually named OVMF_VARS.fd.

In addition, distros with an updated OVMF package provide 4M variants which add a matching suffix, for example OVMF_4M.fd in Debian. You will want to use the 4M variant, since some updates require it.

To get Secure Boot working, you must use an OVMF_VARS.fd file that contains the Microsoft keys. Your options are:

  • Some Linux distros ship an OVMF_VARS.fd file that already contains the keys, so you can just use it. In Debian/Ubuntu the file is /usr/share/OVMF/OVMF_VARS_4M.ms.fd. The build.sh script in this repo will build an Ubuntu Docker container and copy the OVMF files to ./out.
  • https://github.com/rhuefi/qemu-ovmf-secureboot can generate a file with the keys included
  • You can enroll the keys manually in the UEFI firmware UI
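The firmware selection described above, as an added example (not the repo's build.sh): the script locates the 4M Secure Boot OVMF files, checks heuristically that the variable store actually carries the Microsoft certificates (by grepping for their subject names rather than parsing the EFI signature lists), and prints the libvirt `<os>` fragment that references them. Only OVMF_VARS_4M.ms.fd is named on this page; the OVMF_CODE_4M.secboot.fd path, the OVMF_DIR default, and the nvram location are assumptions based on Debian's ovmf package layout.

```shell
#!/bin/sh
# Added example, not part of the repo. Locate the 4M Secure Boot OVMF files,
# sanity-check the variable store for the Microsoft certificates and print the
# libvirt <os> element that uses them. OVMF_DIR and the CODE file name are
# assumptions matching Debian's ovmf package; adjust for other distributions.
OVMF_DIR="${OVMF_DIR:-/usr/share/OVMF}"

# Subject common names of the certificates Microsoft asks OEMs to enroll
# (KEK and db respectively). They appear as plain ASCII inside the DER certs.
MS_KEK_CA="Microsoft Corporation KEK CA 2011"
MS_WIN_CA="Microsoft Windows Production PCA 2011"

# Return 0 if the given OVMF_VARS file appears to contain the Microsoft
# certificates. Heuristic: grep the raw variable store for the subject names
# instead of decoding the EFI_SIGNATURE_LIST structures.
ovmf_vars_has_ms_keys() {
    vars="$1"
    [ -f "$vars" ] || return 1
    grep -aq "$MS_KEK_CA" "$vars" || return 1
    grep -aq "$MS_WIN_CA" "$vars" || return 1
    return 0
}

# Print the libvirt <os> element for a Q35 guest booting in Secure Boot mode.
# libvirt copies the template into the per-domain nvram file on first boot.
# Secure Boot in OVMF also needs <smm state='on'/> under <features>.
print_libvirt_os_xml() {
    code="$1"; vars="$2"; nvram="$3"
    cat <<EOF
<os>
  <type arch='x86_64' machine='q35'>hvm</type>
  <loader readonly='yes' secure='yes' type='pflash'>$code</loader>
  <nvram template='$vars'>$nvram</nvram>
</os>
<!-- also required: <features><smm state='on'/></features> -->
EOF
}

# Usage: ./ovmf-secboot.sh <domain-name>
main() {
    domain="$1"
    code="$OVMF_DIR/OVMF_CODE_4M.secboot.fd"
    vars="$OVMF_DIR/OVMF_VARS_4M.ms.fd"
    [ -f "$code" ] || { echo "error: $code not found" >&2; exit 1; }
    if ovmf_vars_has_ms_keys "$vars"; then
        echo "ok: $vars carries the Microsoft KEK and db certificates" >&2
        print_libvirt_os_xml "$code" "$vars" \
            "/var/lib/libvirt/qemu/nvram/${domain}_VARS.fd"
    else
        echo "error: $vars is missing or lacks the Microsoft certificates" >&2
        exit 1
    fi
}
[ "$#" -eq 0 ] || main "$1"
```

Run it with the libvirt domain name as the only argument and paste the printed element into `virsh edit`; if the check fails, the variable store you were about to use would boot Windows with Secure Boot enabled but no trusted keys, which is exactly the case the other two options above address.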

Installing WHQL signed Virtio drivers

The Virtio drivers available in Fedora are not WHQL-signed (a Microsoft hardware certification program), which will cause issues with Secure Boot (reference). Therefore, to use Virtio drivers (which is recommended for VM performance) and Secure Boot (which is needed for security compliance), you must get WHQL-signed drivers, which are only available in RHEL (RedHat Enterprise Linux) and CentOS.

The build.sh script automatically downloads and verifies the latest available virtio-win package from CentOS, and extracts virtio-win.iso to ./out.

You can also do this manually by downloading the rpm from the CentOS packages mirror. You will then need to extract the iso file from the rpm file and copy it to the host. This can be done in multiple ways, for example:

  • file-roller --extract-here virtio-win-*.rpm
  • rpm2cpio virtio-win-*.rpm | cpio -idmv (will definitely work inside the guest, may require installation in the host depending on the Linux distribution)
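The manual route above, as an added example rather than the repo's own build.sh: verify the downloaded rpm against a SHA-256 digest before touching it, unpack it without installing anything (rpm2cpio if present, otherwise bsdtar, since libarchive reads rpm payloads), and copy the ISO to ./out. The expected digest is passed in from whatever checksum listing you obtained it from; nothing is hard-coded.

```shell
#!/bin/sh
# Added example, not the repo's build.sh. Verify a downloaded virtio-win rpm
# against a SHA-256 digest, extract it without installing, copy the ISO to ./out.
set -u

# Return 0 if the file's SHA-256 digest equals the expected lowercase hex string.
verify_sha256() {
    file="$1"; expected="$2"
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Extract the rpm into "$2" and print the path of the first virtio-win ISO found.
# Uses rpm2cpio|cpio when available (as on the page), else bsdtar from libarchive.
extract_virtio_iso() {
    rpm="$1"; dest="$2"
    mkdir -p "$dest"
    if command -v rpm2cpio >/dev/null 2>&1; then
        rpm2cpio "$rpm" | (cd "$dest" && cpio -idm 2>/dev/null)
    else
        bsdtar -xf "$rpm" -C "$dest"
    fi
    find "$dest" -type f -name 'virtio-win*.iso' | head -n 1
}

# Usage: ./get-virtio-iso.sh virtio-win-<version>.rpm <sha256-from-mirror>
main() {
    rpm="$1"; digest="$2"
    verify_sha256 "$rpm" "$digest" || {
        echo "error: SHA-256 mismatch for $rpm, refusing to extract" >&2; exit 1; }
    work=$(mktemp -d)
    iso=$(extract_virtio_iso "$rpm" "$work")
    [ -n "$iso" ] || { echo "error: no virtio-win ISO inside $rpm" >&2; exit 1; }
    mkdir -p ./out && cp "$iso" ./out/virtio-win.iso
    rm -rf "$work"
    echo "./out/virtio-win.iso"
}
[ "$#" -ne 2 ] || main "$@"
```

The digest check runs before extraction on purpose: cpio and bsdtar both parse attacker-controllable archive metadata, so an unverified download should not reach them.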

Installing the Virtio drivers in Windows

Mount the iso file with the drivers in the Windows VM and use it to install them (either individually or all of them by running virtio-win-guest-tools.exe). See this question for converting an existing VM to Virtio.

BitLocker

In UEFI with Secure Boot enabled, you can set BitLocker to automatically unlock using the TPM. In BIOS mode, you can add a small new virtual USB drive to the VM and use it to automatically unlock BitLocker.

References
