{"id":13683477,"url":"https://github.com/infokiller/win10-vm","last_synced_at":"2025-10-15T00:56:45.107Z","repository":{"id":37637188,"uuid":"331312822","full_name":"infokiller/win10-vm","owner":"infokiller","description":"Windows 10/11 VM on Linux (QEMU/libvirt/KVM) with Secure Boot, BitLocker, and good performance","archived":false,"fork":false,"pushed_at":"2022-12-25T09:17:58.000Z","size":24,"stargazers_count":109,"open_issues_count":1,"forks_count":6,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-04-02T00:23:29.724Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/infokiller.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-01-20T13:19:24.000Z","updated_at":"2025-03-30T18:12:23.000Z","dependencies_parsed_at":"2023-01-30T21:46:02.926Z","dependency_job_id":null,"html_url":"https://github.com/infokiller/win10-vm","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/infokiller/win10-vm","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/infokiller%2Fwin10-vm","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/infokiller%2Fwin10-vm/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/infokiller%2Fwin10-vm/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/infokiller%2Fwin10-vm/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/infokiller","download_url":"https://codeload.github.com/infokiller/win10-vm/tar.gz/refs/heads/master",
"sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/infokiller%2Fwin10-vm/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279032724,"owners_count":26089387,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-14T02:00:06.444Z","response_time":60,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-02T13:02:12.592Z","updated_at":"2025-10-15T00:56:45.074Z","avatar_url":"https://github.com/infokiller.png","language":"Shell","funding_links":[],"categories":["Shell"],"sub_categories":[],"readme":"# Modern Windows VM\n\nThis repo contains notes about running a Windows 10, Windows 11, or Windows\nServer VM in Linux (libvirt via QEMU/KVM) with good performance and with Secure\nBoot and BitLocker enabled.\n\n## Table of contents\n\n- [Table of contents](#table-of-contents)\n- [Status](#status)\n- [Virtio](#virtio)\n- [SPICE](#spice)\n- [Secure Boot](#secure-boot)\n  - [Using UEFI firmware with the required keys](#using-uefi-firmware-with-the-required-keys)\n  - [Installing WHQL signed Virtio drivers](#installing-whql-signed-virtio-drivers)\n  - [Installing the Virtio drivers in Windows](#installing-the-virtio-drivers-in-windows)\n- [BitLocker](#bitlocker)\n- [References](#references)\n\n## Status\n\nWIP: currently only covers setting up Secure Boot with [Virtio](#virtio) drivers\nwhich are important for 
performance. See other guides in the\n[references](#references) for additional performance improvements which will be\nadded to this repo after I benchmark them.\n\n## Virtio\n\nVirtio is a virtualization technology focused on improving the performance of\nemulated IO devices (storage and network). If you want to use Virtio with Secure\nBoot, see the Secure Boot section. Otherwise, all you need to do is:\n\n- Download the\n  [latest stable virtio-win iso](https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/stable-virtio/virtio-win.iso)\n  from Fedora.\n- Mount the iso as a CDROM in virt-manager\n- Run `virtio-win-guest-tools.exe` from the drive inside the VM\n\nThis will also install QXL display drivers and the SPICE agent.\n\n## SPICE\n\n[SPICE](https://www.spice-space.org/spice-user-manual.html) can improve graphics\nperformance in VMs (especially remote ones), and has other nice features like\nhost-guest clipboard syncing.\n\nIf you install Virtio using the method above, it should already contain the\nessential components (possibly only the WebDAV daemon is not installed, I need\nto verify this).\n\nAn (inferior) alternative is to download and install\n[SPICE Windows guest tools](https://www.spice-space.org/download.html) (go to\n\"Windows binaries\" in \"Guest\") from inside the VM. This will install all of the\nSPICE components, and also outdated Virtio drivers.\n\nNote that the\n[Windows Guest tools repo](https://gitlab.freedesktop.org/spice/win32/spice-nsis)\nis sometimes lagging. Another alternative is to install individual components\n(QXL driver, SPICE agent, and the WebDAV daemon for folder sharing). 
See the\n\"Windows binaries\" section in the\n[SPICE downloads page](https://www.spice-space.org/download.html).\n\n## Secure Boot\n\n### Using UEFI firmware with the required keys\n\nThe UEFI firmware (OVMF in our case) must have the Microsoft keys enrolled in\norder for it to boot Windows 10/11 in Secure Boot mode.\n\nThe OVMF package in Linux distros contains two files:\n\n1. The UEFI code, which can be named `OVMF.fd`, `OVMF_CODE.fd`, or\n   `OVMF_CODE.secboot.fd`\n2. The UEFI variables, usually named `OVMF_VARS.fd`.\n\nIn addition, distros with an updated OVMF package provide `4M` variants which\nadd a matching suffix, for example `OVMF_4M.fd` in Debian. You will want to use\nthe `4M` variant, since\n[some updates require it](https://github.com/tianocore/edk2/discussions/3221).\n\nTo get Secure Boot working, you must use an `OVMF_VARS.fd` file that contains the\nMicrosoft keys. Your options are:\n\n- Some Linux distros ship an `OVMF_VARS.fd` file that already contains the keys,\n  so you can just use it. In Debian/Ubuntu the file is\n  `/usr/share/OVMF/OVMF_VARS_4M.ms.fd`. 
The [build.sh](./build.sh) script\n  will build an Ubuntu Docker container and copy the OVMF files to `./out`.\n- \u003chttps://github.com/rhuefi/qemu-ovmf-secureboot\u003e can generate a file with the\n  keys included\n- You can enroll the keys manually in the UEFI firmware UI\n\n### Installing WHQL signed Virtio drivers\n\nThe Virtio drivers\n[available in Fedora](https://docs.fedoraproject.org/en-US/quick-docs/creating-windows-virtual-machines-using-virtio-drivers/index.html#virtio-win-direct-downloads)\nare not WHQL-signed (WHQL is a Microsoft hardware certification program), which will\ncause issues with Secure Boot\n([reference](https://teams.microsoft.com/l/message/19:c0b91625615749b7bab11ca6cacb4784@thread.skype/1590069755600?tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47\u0026groupId=5e84b409-683b-44b3-af81-a2900a48b8a7\u0026parentMessageId=1589810528154\u0026teamName=Microsoft%20%E2%9D%A4%20Linux\u0026channelName=Windows%20VM%20tips%2C%20tricks%2C%20and%20help\u0026createdTime=1590069755600)).\nTherefore, to use Virtio drivers (which is recommended for VM performance) and\nSecure Boot (which is needed for security compliance), you must get WHQL-signed\ndrivers, which are only available in RHEL (Red Hat Enterprise Linux) and CentOS.\n\nThe [build.sh](./build.sh) script automatically downloads and verifies the\nlatest available virtio-win package from CentOS, and extracts `virtio-win.iso`\nto `./out`.\n\nYou can also do this manually by downloading the rpm from\n[the CentOS packages mirror](http://mirror.centos.org/centos/8-stream/AppStream/x86_64/os/Packages).\nYou will then need to extract the iso file from the rpm file and copy it to the\nhost. 
This can be done\n[in multiple ways](https://stackoverflow.com/questions/18787375/how-do-i-extract-the-contents-of-an-rpm),\nfor example:\n\n- `file-roller --extract-here virtio-win-*.rpm`\n- `rpm2cpio virtio-win-*.rpm | cpio -idmv` (will definitely work inside the\n  guest, may require installation in the host depending on the Linux\n  distribution)\n\n### Installing the Virtio drivers in Windows\n\nMount the iso file with the drivers in the Windows VM and use it to install them\n(either\n[individually](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/virtualization_host_configuration_and_guest_installation_guide/form-virtualization_host_configuration_and_guest_installation_guide-para_virtualized_drivers-mounting_the_image_with_virt_manager)\nor all of them by running `virtio-win-guest-tools.exe`). See\n[this question](https://superuser.com/q/1057959) for converting an existing VM\nto Virtio.\n\n## BitLocker\n\nIn UEFI with Secure Boot enabled, you can set BitLocker to automatically unlock\nusing the TPM. 
In BIOS mode, you can add a small new virtual USB drive to the VM\nand use it to automatically unlock BitLocker.\n\n## References\n\n- [Improve QEMU VM performance](https://wiki.archlinux.org/index.php/QEMU#Improve_virtual_machine_performance)\n  section from the Arch wiki.\n- [Further performance tuning](https://wiki.archlinux.org/index.php/PCI_passthrough_via_OVMF#Performance_tuning)\n  tips from the Arch Wiki article about PCI-passthrough (should be applicable to\n  BIOS based VMs as well?)\n- \u003chttps://github.com/ohthehugemanatee/win10vm\u003e: libvirt config for a performant\n  Windows 10 VM\n- [libvirt mailing list post](https://www.redhat.com/archives/libvir-list/2019-January/msg01004.html)\n  with a great explanation on how UEFI works in QEMU and libvirt.\n- [OpenStack docs](https://specs.openstack.org/openstack/nova-specs/specs/train/approved/allow-secure-boot-for-qemu-kvm-guests.html)\n  on enabling Secure Boot in libvirt/QEMU with some useful information\n  (especially the\n  [low level section](https://specs.openstack.org/openstack/nova-specs/specs/train/approved/allow-secure-boot-for-qemu-kvm-guests.html#low-level-background-on-different-kinds-of-ovmf-builds)\n  and\n  [file paths](https://specs.openstack.org/openstack/nova-specs/specs/train/approved/allow-secure-boot-for-qemu-kvm-guests.html#ovmf-binary-files-and-variable-store-vars-file-paths)).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Finfokiller%2Fwin10-vm","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Finfokiller%2Fwin10-vm","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Finfokiller%2Fwin10-vm/lists"}