Trying to install Windows11 ARM on QEMU

bin/recipes/edk2/make

@@ -0,0 +1,108 @@
+#!/usr/bin/env bash
+
+rm -rf edk2
+rm -rf output
+
+git clone https://github.com/tianocore/edk2.git
+cd edk2
+git checkout fc0fffa7e9089e7b79b9ae7babb950f1f153e0ae
+
+
+# 0) Make sure LLVM is installed
+brew install llvm acpica nasm
+brew install lld
+
+# 1) Point PATH and tool vars to Homebrew’s LLVM (Apple Silicon path shown)
+export LLVM_PREFIX="/opt/homebrew/opt/llvm"        # Intel Macs: /usr/local/opt/llvm
+export LLD_PREFIX="/opt/homebrew/opt/lld"
+export PATH="$LLVM_PREFIX/bin:$LLD_PREFIX/bin:$PATH"
+
+hash -r
+
+# 2) Explicitly select LLVM tools so EDK2 doesn’t fall back to Apple’s
+export CC="$LLVM_PREFIX/bin/clang"
+export CXX="$LLVM_PREFIX/bin/clang++"
+export LD="$LLD_PREFIX/bin/ld.lld"
+export AR="$LLVM_PREFIX/bin/llvm-ar"
+export RANLIB="$LLVM_PREFIX/bin/llvm-ranlib"
+export NM="$LLVM_PREFIX/bin/llvm-nm"
+export STRIP="$LLVM_PREFIX/bin/llvm-strip"
+export OBJCOPY="$LLVM_PREFIX/bin/llvm-objcopy"
+export OBJDUMP="$LLVM_PREFIX/bin/llvm-objdump"
+
+# 3) Sanity check — these MUST point into .../opt/llvm/bin
+which clang; clang --version
+which ld.lld
+which llvm-ar
+
+# 4) Rebuild tools & firmware
+make -C BaseTools -j
+source ./edksetup.sh
+
+build -a AARCH64 -t CLANGDWARF \
+      -p ShellPkg/ShellPkg.dsc \
+      -m ShellPkg/Application/KeyTools/KeyTool/KeyTool.inf \
+      -b RELEASE
+
+
+cd ..
+
+mkdir -p output/keys/EFI/Boot
+openssl x509 -in "microsoft corporation kek 2k ca 2023.crt" -outform DER -out output/keys/kek2023.cer
+openssl x509 -in "windows uefi ca 2023.crt" -outform DER -out output/keys/db2023.cer
+
+open /Users/artur/projs/edk2
+
+exit 0
+
+
+# (Optional) clean the previous failed build to avoid stale flags/objects
+rm -rf Build/ArmVirtQemu-AARCH64
+
+build -a AARCH64 \
+      -t CLANGDWARF \
+      -p ArmVirtPkg/ArmVirtQemu.dsc \
+      -D SECURE_BOOT_ENABLE=TRUE \
+      -b DEBUG
+
+
+
+# CODE="/Volumes/Cache/vms/image/win11-arm64/win11/QEMU_EFI.fd"
+# VARS="/Volumes/Cache/vms/image/win11-arm64/win11/QEMU_VARS.fd"
+
+
+# # Make blank 64 MiB raws
+# qemu-img create -f raw QEMU_EFI-pflash.raw 64M
+# qemu-img create -f raw QEMU_VARS-pflash.raw 64M
+
+# # Copy firmware into the front of each file without truncating the 64 MiB size
+# dd if="$CODE" of=QEMU_EFI-pflash.raw  conv=notrunc
+# dd if="$VARS" of=QEMU_VARS-pflash.raw conv=notrunc
+
+# # Confirm size is exactly 67108864 bytes
+# stat -f "%z %N" QEMU_EFI-pflash.raw QEMU_VARS-pflash.raw
+
+
+
+# https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-secure-boot-key-creation-and-management-guidance?view=windows-11
+# https://go.microsoft.com/fwlink/?linkid=2239775
+# https://go.microsoft.com/fwlink/?linkid=2239776
+
+
+# -drive if=none,id=mskeys,format=raw,file=fat:rw:keys
+# -device usb-storage,drive=mskeys
+
+
+# 5. Enroll the certs in firmware
+# Boot into UEFI shell, run FS0:\EFI\Boot\KeyTool.efi.
+
+# In KeyTool:
+# Go to Edit Keys → KEK → Add New Key, pick kek2023.cer.
+# Go to Edit Keys → db → Add New Key, pick db2023.cer.
+# If no PK is present yet, you must enroll a Platform Key (PK) first (can be self-signed with OpenSSL; KeyTool can also generate). Without a PK, Secure Boot remains “greyed out.”
+
+# ✅ After PK + KEK + DB are enrolled, reboot → go into firmware setup → Secure Boot option will be toggleable → set it to Enabled.
+# Now Windows 11 installer/bootloader should run under Secure Boot.
+# Ref: 68adf715-f29c-832e-89d7-a37025f63cf3
+
+

bin/recipes/edk2/notes.md

@@ -0,0 +1,61 @@
+That error means your **WORKSPACE** points to a *different* edk2 tree:
+
+```
+/Users/artur/.dat/bin/recipes/edk2/edk2
+```
+
+so `build` is looking for `ShellPkg/.../KeyTool.inf` **there**, not in `~/projs/edk2`.
+
+Fix by resetting your env and sourcing `edksetup.sh` from the repo you actually want to build.
+
+## Do this exactly
+
+```bash
+# 0) Go to the edk2 you want to use
+cd ~/projs/edk2
+git rev-parse --show-toplevel   # should print /Users/artur/projs/edk2
+
+# 1) Clear any stale EDK2 env from previous shells
+unset WORKSPACE EDK_TOOLS_PATH PACKAGES_PATH
+
+# 2) Rebuild BaseTools (with your LLVM/lld PATH still set like earlier)
+make -C BaseTools -j
+
+# 3) Reset Conf inside THIS tree and re-source
+rm -f Conf/target.txt Conf/tools_def.txt
+source ./edksetup.sh
+
+# Sanity checks — these must point into ~/projs/edk2
+echo "WORKSPACE=$WORKSPACE"
+echo "EDK_TOOLS_PATH=$EDK_TOOLS_PATH"
+test -f "$WORKSPACE/ShellPkg/Application/KeyTools/KeyTool/KeyTool.inf" && echo "KeyTool found"
+
+# 4) Build KeyTool for AArch64 with clang/lld
+build -a AARCH64 -t CLANGDWARF \
+      -p ShellPkg/ShellPkg.dsc \
+      -m ShellPkg/Application/KeyTools/KeyTool/KeyTool.inf \
+      -b RELEASE
+```
+
+### If you still see it picking the wrong path
+
+You probably have these variables exported in your shell config. Force them for this shell:
+
+```bash
+export WORKSPACE="$PWD"
+export EDK_TOOLS_PATH="$WORKSPACE/BaseTools"
+export PACKAGES_PATH="$WORKSPACE"
+source ./edksetup.sh
+```
+
+Then re-run the `build` command above.
+
+### Where the binary will land
+
+Typical output path (adjust for your build target):
+
+```
+Build/Shell/RELEASE_CLANGDWARF/AARCH64/ShellPkg/Application/KeyTools/KeyTool/KeyTool/OUTPUT/KeyTool.efi
+```
+
+Once you’ve got `KeyTool.efi`, mount it along with your `kek2023.cer` and `db2023.cer`, enroll **PK → KEK → db**, reboot into the firmware UI, and enable **Secure Boot**.

bin/vm-cmd

@@ -1,5 +1,11 @@
 #!/usr/bin/env bash
 
+rm -rf /Volumes/Cache/vms/image/win11-arm64/win11/code.fd
+rm -rf /Volumes/Cache/vms/image/win11-arm64/win11/vars.fd
+cp /opt/homebrew/share/qemu/edk2-aarch64-code.fd /Volumes/Cache/vms/image/win11-arm64/win11/code.fd
+cp /opt/homebrew/share/qemu/edk2-arm-vars.fd /Volumes/Cache/vms/image/win11-arm64/win11/vars.fd
+
+
 # brew install qemu swtpm
 
 # qemu-system-aarch64 -drive if=pflash,format=raw,unit=0,readonly=on,file=/Volumes/Cache/vms/image/win11-arm64/win11/code.fd -drive if=pflash,format=raw,unit=1,file=/Volumes/Cache/vms/image/win11-arm64/win11/vars.fd -display cocoa -device qemu-xhci,id=xhci -device usb-kbd -device usb-tablet -device virtio-keyboard-device -device virtio-mouse-device -device virtio-gpu -device virtio-net,netdev=n0 -netdev user,id=n0 -accel hvf -machine virt -cpu max -m 16384 -smp 6 -name FirstVM -boot order=d -drive file=/Volumes/Cache/vms/image/win11-arm64/win11/root.img,if=virtio,cache=writeback,format=raw,id=nvme0 -drive id=cd,format=raw,file=/Volumes/Cache/downloads/win11arm64.iso,media=cdrom -device usb-storage,drive=cd,bootindex=1 -device ramfb -chardev socket,id=chrtpm,path=/Users/agurgul/Downloads/tpm/tpm.sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis-device,tpmdev=tpm0
@@ -15,28 +21,36 @@
 #   -device virtio-keyboard-pci \
 #   -device virtio-tablet-pci \
 
+#    -device ich9-ahci,id=ahci0 \
+#    -device ide-hd,drive=drv0,bus=ahci0.0 \
 
-qemu-system-aarch64 \
-  -boot order=d \
-  -machine virt,accel=hvf \
-  -cpu host -smp 6 -m 8G \
-  -drive if=pflash,format=raw,file=/Volumes/Cache/vms/image/win11-arm64/win11/code.fd,readonly=on \
-  -drive if=pflash,format=raw,file=/Volumes/Cache/vms/image/win11-arm64/win11/vars.fd \
-  -drive file=/Volumes/Cache/vms/image/win11-arm64/win11/root.img,if=none,format=raw,id=drv0 \
-  -device ich9-ahci,id=ahci0 \
-  -device nvme,drive=drv0,serial=nvme0 \
-  -device virtio-scsi-pci,id=scsi0 \
-  -drive file=/Volumes/Cache/downloads/win11arm64.iso,if=none,media=cdrom,id=cd0 \
-  -device scsi-cd,drive=cd0,bus=scsi0.0,bootindex=1 \
-  -device ramfb \
-  -device qemu-xhci,id=xhci \
-  -device usb-kbd,bus=xhci.0,port=1 \
-  -device usb-tablet,bus=xhci.0,port=2 \
-  -netdev user,id=net0,hostfwd=tcp::33890-:3389 \
-  -device virtio-net-pci,netdev=net0 \
-  -chardev socket,id=chrtpm,path=/Users/artur/Downloads/tpm/tpm.sock \
-  -tpmdev emulator,id=tpm0,chardev=chrtpm \
-  -device tpm-tis-device,tpmdev=tpm0
+#    -device nvme,drive=drv0,serial=nvme0
+
+# -boot order=d \
+# -device usb-storage,drive=udisk,port=3\
+
+# wget http://http.us.debian.org/debian/pool/main/e/edk2/qemu-efi-aarch64_2025.02-8_all.deb
+# qemu-system-aarch64 \
+#   -machine virt,accel=hvf \
+#   -cpu host -smp 6 -m 8G \
+#   --boot order=d,menu=on \
+#   -bios /Users/artur/Downloads/tpm/QEMU_EFI.fd \
+#   -device qemu-xhci,id=xhci \
+#   \
+#     -drive file=/Volumes/Cache/vms/image/win11-arm64/win11/root.img,format=raw \
+#   \
+#   -device virtio-scsi-pci,id=scsi0 \
+#   -drive file=/Volumes/Cache/downloads/win11arm64.iso,if=none,media=cdrom,id=cd0 \
+#   -device scsi-cd,drive=cd0,bus=scsi0.0,bootindex=1 \
+#   -device ramfb \
+#   -device usb-kbd,bus=xhci.0,port=1 \
+#   -device usb-tablet,bus=xhci.0,port=2 \
+#   -netdev user,id=net0,hostfwd=tcp::35890-:3589 \
+#   -device virtio-net-pci,netdev=net0 \
+#   -chardev socket,id=chrtpm,path=/Users/artur/Downloads/tpm/tpm.sock \
+#   -tpmdev emulator,id=tpm0,chardev=chrtpm \
+#   -device tpm-tis-device,tpmdev=tpm0 \
+#   -monitor stdio
 
 
 # in Shell
@@ -46,4 +60,163 @@ qemu-system-aarch64 \
 
 
 # Disk driver: https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/archive-virtio/
-# Used: https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/archive-virtio/virtio-win-0.1.271-1/
+# Used: https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/archive-virtio/virtio-win-0.1.271-1/
+
+
+
+
+
+
+
+
+# Attempt 1
+# qemu-system-aarch64 \
+#   -machine virt,accel=hvf \
+#   -cpu host -smp 6 -m 8G \
+#   --boot order=d,menu=on \
+#   -drive if=pflash,format=raw,file=/Volumes/Cache/vms/image/win11-arm64/win11/code.fd,readonly=on \
+#   -drive if=pflash,format=raw,file=/Volumes/Cache/vms/image/win11-arm64/win11/vars.fd \
+#   -drive file=/Volumes/Cache/vms/image/win11-arm64/win11/root.img,if=none,format=raw,id=drv0 \
+#    -device nvme,drive=drv0,serial=nvme0 \
+#   -device virtio-scsi-pci,id=scsi0 \
+#   -drive file=/Volumes/Cache/downloads/win11arm64.iso,if=none,media=cdrom,id=cd0 \
+#   -device scsi-cd,drive=cd0,bus=scsi0.0,bootindex=1 \
+#   -device ramfb \
+#   -device qemu-xhci,id=xhci \
+#   -device usb-kbd,bus=xhci.0,port=1 \
+#   -device usb-tablet,bus=xhci.0,port=2 \
+#   -netdev user,id=net0,hostfwd=tcp::33890-:3389 \
+#   -device virtio-net-pci,netdev=net0 \
+#   -chardev socket,id=chrtpm,path=/Users/artur/Downloads/tpm/tpm.sock \
+#   -tpmdev emulator,id=tpm0,chardev=chrtpm \
+#   -device tpm-tis-device,tpmdev=tpm0 \
+#   -monitor stdio
+
+
+# Attempt 2
+# qemu-system-aarch64 \
+#   -machine virt,accel=hvf \
+#   -cpu host -smp 6 -m 8G \
+#   --boot order=d,menu=on \
+#   -drive if=pflash,format=raw,file=/Volumes/Cache/vms/image/win11-arm64/win11/code.fd,readonly=on \
+#   -drive if=pflash,format=raw,file=/Volumes/Cache/vms/image/win11-arm64/win11/vars.fd \
+#   -drive file=/Volumes/Cache/vms/image/win11-arm64/win11/root.img,if=none,format=raw,id=drv0 \
+#     -device ich9-ahci,id=ahci0 \
+#     -device ide-hd,drive=drv0,bus=ahci0.0 \
+#   -device virtio-scsi-pci,id=scsi0 \
+#   -drive file=/Volumes/Cache/downloads/win11arm64.iso,if=none,media=cdrom,id=cd0 \
+#   -device scsi-cd,drive=cd0,bus=scsi0.0,bootindex=1 \
+#   -device ramfb \
+#   -device qemu-xhci,id=xhci \
+#   -device usb-kbd,bus=xhci.0,port=1 \
+#   -device usb-tablet,bus=xhci.0,port=2 \
+#   -netdev user,id=net0,hostfwd=tcp::33890-:3389 \
+#   -device virtio-net-pci,netdev=net0 \
+#   -chardev socket,id=chrtpm,path=/Users/artur/Downloads/tpm/tpm.sock \
+#   -tpmdev emulator,id=tpm0,chardev=chrtpm \
+#   -device tpm-tis-device,tpmdev=tpm0 \
+#   -monitor stdio
+
+
+
+
+
+
+
+
+
+# Attempt 3
+# qemu-system-aarch64 \
+#   -machine virt,accel=hvf \
+#   -cpu host -smp 6 -m 8G \
+#   --boot menu=on \
+#   \
+#   -drive if=pflash,format=raw,readonly=on,file=/Volumes/Cache/vms/image/win11-arm64/win11/code.fd \
+#   -drive if=pflash,format=raw,file=/Volumes/Cache/vms/image/win11-arm64/win11/vars.fd \
+#   \
+#   -drive if=none,file=/Volumes/Cache/vms/image/win11-arm64/win11/root.qcow2,format=qcow2,id=drv0 \
+#   -device nvme,drive=drv0,serial=nvme-1 \
+#   \
+#   -device qemu-xhci,id=xhci \
+#   -drive if=none,id=winiso,media=cdrom,readonly=on,file=/Volumes/Cache/downloads/win11arm64.iso \
+#   -device usb-storage,drive=winiso,bootindex=1 \
+#   \
+#   -device ramfb \
+#   -device usb-kbd \
+#   -device usb-tablet \
+#   -netdev user,id=net0,hostfwd=tcp::33890-:3389 \
+#   -device virtio-net-pci,netdev=net0 \
+#   \
+#   -chardev socket,id=chrtpm,path=/Users/artur/Downloads/tpm/tpm.sock \
+#   -tpmdev emulator,id=tpm0,chardev=chrtpm \
+#   -device tpm-tis-device,tpmdev=tpm0 
+  
+  
+  
+#  -serial mon:stdio
+
+# File: bypass.reg
+# Windows Registry Editor Version 5.00
+
+# [HKEY_LOCAL_MACHINE\SYSTEM\Setup\LabConfig]
+# "BypassTPMCheck"=dword:00000001
+# "BypassSecureBootCheck"=dword:00000001
+# "BypassCPUCheck"=dword:00000001
+# "BypassRAMCheck"=dword:00000001
+
+# hdiutil makehybrid -iso -joliet -o bypass.iso bypass.reg
+
+# Shift+F10
+# reg import D:\bypass.reg
+
+
+## Build EDK2
+# brew install nasm iasl python@3 openssl pkg-config
+# brew install llvm acpica nasm
+# git clone https://github.com/tianocore/edk2.git
+# cd edk2
+# git submodule update --init
+# make -C BaseTools
+# source ./edksetup.sh
+# export PATH="/opt/homebrew/opt/llvm/bin:$PATH"
+# build -a X64 \
+#       -t XCODE5 \
+#       -p OvmfPkg/OvmfPkgX64.dsc \
+#       -D SECURE_BOOT_ENABLE=TRUE
+# build -a AARCH64 \
+#       -t XCODE5 \
+#       -p ArmVirtPkg/ArmVirtQemu.dsc \
+#       -D SECURE_BOOT_ENABLE=TRUE
+
+# build -a AARCH64 \
+#       -t CLANGDWARF \
+#       -p ArmVirtPkg/ArmVirtQemu.dsc \
+#       -D SECURE_BOOT_ENABLE=TRUE \
+#       -b DEBUG
+# Steps moved to /bin/recipes/make-edk2
+
+# Attempt 4
+qemu-system-aarch64 \
+  -machine virt,accel=hvf \
+  -cpu host -smp 6 -m 8G \
+  --boot menu=on \
+  \
+  -drive if=pflash,format=raw,readonly=on,file=/Volumes/Cache/vms/image/win11-arm64/win11/QEMU_EFI-pflash.raw \
+  -drive if=pflash,format=raw,file=/Volumes/Cache/vms/image/win11-arm64/win11/QEMU_VARS-pflash.raw \
+  \
+  -drive if=none,file=/Volumes/Cache/vms/image/win11-arm64/win11/root.qcow2,format=qcow2,id=drv0 \
+  -device nvme,drive=drv0,serial=nvme-1 \
+  \
+  -device qemu-xhci,id=xhci \
+  -drive if=none,id=winiso,media=cdrom,readonly=on,file=/Volumes/Cache/downloads/win11arm64.iso \
+  -device usb-storage,drive=winiso,bootindex=1 \
+  \
+  -device ramfb \
+  -device usb-kbd \
+  -device usb-tablet \
+  -netdev user,id=net0,hostfwd=tcp::33890-:3389 \
+  -device virtio-net-pci,netdev=net0 \
+  \
+  -chardev socket,id=chrtpm,path=/Users/artur/Downloads/tpm/tpm.sock \
+  -tpmdev emulator,id=tpm0,chardev=chrtpm \
+  -device tpm-tis-device,tpmdev=tpm0 

lib/virtual-machine.rb

@@ -123,7 +123,7 @@ module VirtualMachine
 
         get_cdrom_image(options) do |path|
             disk_img_path = root_img_path(options)
-            create_disk_image(disk_img_path, 64000)
+            create_disk_image(disk_img_path, 64000 * 4)
             
             Qemu.launch(
                 options[:arch],