environment/bin/recipes/edk2/make


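#!/usr/bin/env bash
#
# Builds ShellPkg's KeyTool from a pinned EDK2 commit with Homebrew's LLVM
# toolchain, then converts the two Microsoft 2023 certificates to DER so they
# can be enrolled as KEK and db entries.
#
# All paths (edk2/, output/, the two .crt inputs) are relative to the current
# directory, so run this from the directory that holds the .crt files.
# Each step that matters is checked explicitly: without that, a failed clone
# or `cd` would leave the later commands running in the wrong directory.

# Upstream repository and the exact commit to build; pinning the commit keeps
# the firmware tooling reproducible and immune to later branch changes.
readonly EDK2_REPO='https://github.com/tianocore/edk2.git'
readonly EDK2_COMMIT='fc0fffa7e9089e7b79b9ae7babb950f1f153e0ae'

# Print a message to stderr and abort the script.
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

# Print where $1 resolves on PATH and abort unless that is "$2/$1".
# Arguments: $1 - tool name, $2 - directory the tool must come from
require_tool_in() {
  local tool=$1 bindir=$2 resolved
  resolved=$(command -v "$tool") || die "$tool not found on PATH"
  printf '%s\n' "$resolved"
  [[ "$resolved" == "$bindir/$tool" ]] \
    || die "$tool resolves to $resolved, expected $bindir/$tool"
}

# Convert certificate $1 to DER file $2, then print the subject and SHA-256
# fingerprint of the result so it can be compared with the publisher's value
# before the file is enrolled as a Secure Boot trust anchor.
export_der() {
  local src=$1 der=$2
  [[ -f "$src" ]] || die "certificate not found: $src"
  openssl x509 -in "$src" -outform DER -out "$der" \
    || die "cannot convert $src to DER"
  openssl x509 -inform DER -in "$der" -noout -subject -fingerprint -sha256 \
    || die "cannot read back $der"
}

rm -rf -- ./edk2 ./output
git clone "$EDK2_REPO" edk2 || die "git clone of $EDK2_REPO failed"
cd edk2 || die "cannot enter ./edk2"
git checkout "$EDK2_COMMIT" || die "cannot check out $EDK2_COMMIT"
# Confirm the working tree really is the pinned commit and not a same-named ref.
[[ "$(git rev-parse HEAD)" == "$EDK2_COMMIT" ]] \
  || die "HEAD is not the pinned commit $EDK2_COMMIT"
# NOTE(review): EDK2 keeps some dependencies as git submodules; if the
# BaseTools build below fails on missing sources, `git submodule update --init`
# may be needed here. Confirm before adding it.

# 0) Make sure LLVM is installed
brew install llvm acpica nasm || die "brew install llvm acpica nasm failed"
brew install lld || die "brew install lld failed"

# 1) Point PATH and tool vars to Homebrew's LLVM. Asking brew for the prefix
#    yields /opt/homebrew/opt/... on Apple Silicon and /usr/local/opt/... on
#    Intel Macs, so neither path needs to be hard-coded.
LLVM_PREFIX=$(brew --prefix llvm) || die "cannot determine the llvm prefix"
LLD_PREFIX=$(brew --prefix lld) || die "cannot determine the lld prefix"
export LLVM_PREFIX LLD_PREFIX
export PATH="$LLVM_PREFIX/bin:$LLD_PREFIX/bin:$PATH"
hash -r

# 2) Explicitly select LLVM tools so EDK2 doesn't fall back to Apple's
export CC="$LLVM_PREFIX/bin/clang"
export CXX="$LLVM_PREFIX/bin/clang++"
export LD="$LLD_PREFIX/bin/ld.lld"
export AR="$LLVM_PREFIX/bin/llvm-ar"
export RANLIB="$LLVM_PREFIX/bin/llvm-ranlib"
export NM="$LLVM_PREFIX/bin/llvm-nm"
export STRIP="$LLVM_PREFIX/bin/llvm-strip"
export OBJCOPY="$LLVM_PREFIX/bin/llvm-objcopy"
export OBJDUMP="$LLVM_PREFIX/bin/llvm-objdump"

# 3) Sanity check: the tools found on PATH MUST be the Homebrew ones. This is
#    enforced rather than only printed, so a build with the wrong toolchain
#    cannot go unnoticed.
require_tool_in clang "$LLVM_PREFIX/bin"
clang --version || die "clang --version failed"
require_tool_in ld.lld "$LLD_PREFIX/bin"
require_tool_in llvm-ar "$LLVM_PREFIX/bin"

# 4) Rebuild tools & firmware
make -C BaseTools -j || die "BaseTools build failed"
source ./edksetup.sh
# edksetup.sh is expected to put EDK2's `build` command on PATH; check for the
# command itself instead of relying on the sourced script's return status.
command -v build >/dev/null || die "edksetup.sh did not provide 'build'"
build -a AARCH64 -t CLANGDWARF \
  -p ShellPkg/ShellPkg.dsc \
  -m ShellPkg/Application/KeyTools/KeyTool/KeyTool.inf \
  -b RELEASE \
  || die "KeyTool build failed"
cd .. || die "cannot return to the starting directory"

mkdir -p output/keys/EFI/Boot || die "cannot create output/keys/EFI/Boot"
export_der "microsoft corporation kek 2k ca 2023.crt" output/keys/kek2023.cer
export_der "windows uefi ca 2023.crt" output/keys/db2023.cer

# NOTE(review): machine-specific absolute path, not the ./edk2 checkout built
# above. Left best-effort (a failure is ignored, as before); confirm which
# directory is meant to be opened.
open /Users/artur/projs/edk2
exit 0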
# Reference only: these commands are never reached, because the script ends
# at the `exit 0` above.
# NOTE(review): the paths are relative and `build` comes from edksetup.sh, so
# this is presumably meant to be run by hand inside the edk2 checkout after
# `source ./edksetup.sh`. Confirm.
# (Optional) clean the previous failed build to avoid stale flags/objects
rm -rf Build/ArmVirtQemu-AARCH64
# Build the ArmVirtQemu AARCH64 firmware as a DEBUG image with
# SECURE_BOOT_ENABLE=TRUE passed to the build.
build -a AARCH64 \
-t CLANGDWARF \
-p ArmVirtPkg/ArmVirtQemu.dsc \
-D SECURE_BOOT_ENABLE=TRUE \
-b DEBUG
# CODE="/Volumes/Cache/vms/image/win11-arm64/win11/QEMU_EFI.fd"
# VARS="/Volumes/Cache/vms/image/win11-arm64/win11/QEMU_VARS.fd"
# # Make blank 64 MiB raws
# qemu-img create -f raw QEMU_EFI-pflash.raw 64M
# qemu-img create -f raw QEMU_VARS-pflash.raw 64M
# # Copy firmware into the front of each file without truncating the 64 MiB size
# dd if="$CODE" of=QEMU_EFI-pflash.raw conv=notrunc
# dd if="$VARS" of=QEMU_VARS-pflash.raw conv=notrunc
# # Confirm size is exactly 67108864 bytes
# stat -f "%z %N" QEMU_EFI-pflash.raw QEMU_VARS-pflash.raw
# https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-secure-boot-key-creation-and-management-guidance?view=windows-11
# https://go.microsoft.com/fwlink/?linkid=2239775
# https://go.microsoft.com/fwlink/?linkid=2239776
# -drive if=none,id=mskeys,format=raw,file=fat:rw:keys
# -device usb-storage,drive=mskeys
# 5. Enroll the certs in firmware
# Boot into UEFI shell, run FS0:\EFI\Boot\KeyTool.efi.
# In KeyTool:
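# Before enrolling, confirm each .cer is the certificate you intend to trust: print its subject and SHA-256 fingerprint with `openssl x509 -inform DER -in FILE -noout -subject -fingerprint -sha256` and compare them with the details Microsoft publishes for that certificate.
# Go to Edit Keys → KEK → Add New Key, pick kek2023.cer.
# Go to Edit Keys → db → Add New Key, pick db2023.cer.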
# If no PK is present yet, you must enroll a Platform Key (PK) first (can be self-signed with OpenSSL; KeyTool can also generate). Without a PK, Secure Boot remains “greyed out.”
# ✅ After PK + KEK + DB are enrolled, reboot → go into firmware setup → Secure Boot option will be toggleable → set it to Enabled.
# Now Windows 11 installer/bootloader should run under Secure Boot.
# Ref: 68adf715-f29c-832e-89d7-a37025f63cf3