Trying to install Windows11 ARM on QEMU

bin/recipes/edk2/make

@@ -0,0 +1,108 @@
+#!/usr/bin/env bash
+
+rm -rf edk2
+rm -rf output
+
+git clone https://github.com/tianocore/edk2.git
+cd edk2
+git checkout fc0fffa7e9089e7b79b9ae7babb950f1f153e0ae
+
+
+# 0) Make sure LLVM is installed
+brew install llvm acpica nasm
+brew install lld
+
+# 1) Point PATH and tool vars to Homebrew’s LLVM (Apple Silicon path shown)
+export LLVM_PREFIX="/opt/homebrew/opt/llvm"        # Intel Macs: /usr/local/opt/llvm
+export LLD_PREFIX="/opt/homebrew/opt/lld"
+export PATH="$LLVM_PREFIX/bin:$LLD_PREFIX/bin:$PATH"
+
+hash -r
+
+# 2) Explicitly select LLVM tools so EDK2 doesn’t fall back to Apple’s
+export CC="$LLVM_PREFIX/bin/clang"
+export CXX="$LLVM_PREFIX/bin/clang++"
+export LD="$LLD_PREFIX/bin/ld.lld"
+export AR="$LLVM_PREFIX/bin/llvm-ar"
+export RANLIB="$LLVM_PREFIX/bin/llvm-ranlib"
+export NM="$LLVM_PREFIX/bin/llvm-nm"
+export STRIP="$LLVM_PREFIX/bin/llvm-strip"
+export OBJCOPY="$LLVM_PREFIX/bin/llvm-objcopy"
+export OBJDUMP="$LLVM_PREFIX/bin/llvm-objdump"
+
+# 3) Sanity check — these MUST point into .../opt/llvm/bin
+which clang; clang --version
+which ld.lld
+which llvm-ar
+
+# 4) Rebuild tools & firmware
+make -C BaseTools -j
+source ./edksetup.sh
+
+build -a AARCH64 -t CLANGDWARF \
+      -p ShellPkg/ShellPkg.dsc \
+      -m ShellPkg/Application/KeyTools/KeyTool/KeyTool.inf \
+      -b RELEASE
+
+
+cd ..
+
+mkdir -p output/keys/EFI/Boot
+openssl x509 -in "microsoft corporation kek 2k ca 2023.crt" -outform DER -out output/keys/kek2023.cer
+openssl x509 -in "windows uefi ca 2023.crt" -outform DER -out output/keys/db2023.cer
+
+open /Users/artur/projs/edk2
+
+exit 0
+
+
+# (Optional) clean the previous failed build to avoid stale flags/objects
+rm -rf Build/ArmVirtQemu-AARCH64
+
+build -a AARCH64 \
+      -t CLANGDWARF \
+      -p ArmVirtPkg/ArmVirtQemu.dsc \
+      -D SECURE_BOOT_ENABLE=TRUE \
+      -b DEBUG
+
+
+
+# CODE="/Volumes/Cache/vms/image/win11-arm64/win11/QEMU_EFI.fd"
+# VARS="/Volumes/Cache/vms/image/win11-arm64/win11/QEMU_VARS.fd"
+
+
+# # Make blank 64 MiB raws
+# qemu-img create -f raw QEMU_EFI-pflash.raw 64M
+# qemu-img create -f raw QEMU_VARS-pflash.raw 64M
+
+# # Copy firmware into the front of each file without truncating the 64 MiB size
+# dd if="$CODE" of=QEMU_EFI-pflash.raw  conv=notrunc
+# dd if="$VARS" of=QEMU_VARS-pflash.raw conv=notrunc
+
+# # Confirm size is exactly 67108864 bytes
+# stat -f "%z %N" QEMU_EFI-pflash.raw QEMU_VARS-pflash.raw
+
+
+
+# https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-secure-boot-key-creation-and-management-guidance?view=windows-11
+# https://go.microsoft.com/fwlink/?linkid=2239775
+# https://go.microsoft.com/fwlink/?linkid=2239776
+
+
+# -drive if=none,id=mskeys,format=raw,file=fat:rw:keys
+# -device usb-storage,drive=mskeys
+
+
+# 5. Enroll the certs in firmware
+# Boot into UEFI shell, run FS0:\EFI\Boot\KeyTool.efi.
+
+# In KeyTool:
+# Go to Edit Keys → KEK → Add New Key, pick kek2023.cer.
+# Go to Edit Keys → db → Add New Key, pick db2023.cer.
+# If no PK is present yet, you must enroll a Platform Key (PK) first (can be self-signed with OpenSSL; KeyTool can also generate). Without a PK, Secure Boot remains “greyed out.”
+
+# ✅ After PK + KEK + DB are enrolled, reboot → go into firmware setup → Secure Boot option will be toggleable → set it to Enabled.
+# Now Windows 11 installer/bootloader should run under Secure Boot.
+# Ref: 68adf715-f29c-832e-89d7-a37025f63cf3
+
+

bin/recipes/edk2/notes.md

@@ -0,0 +1,61 @@
+That error means your **WORKSPACE** points to a *different* edk2 tree:
+
+```
+/Users/artur/.dat/bin/recipes/edk2/edk2
+```
+
+so `build` is looking for `ShellPkg/.../KeyTool.inf` **there**, not in `~/projs/edk2`.
+
+Fix by resetting your env and sourcing `edksetup.sh` from the repo you actually want to build.
+
+## Do this exactly
+
+```bash
+# 0) Go to the edk2 you want to use
+cd ~/projs/edk2
+git rev-parse --show-toplevel   # should print /Users/artur/projs/edk2
+
+# 1) Clear any stale EDK2 env from previous shells
+unset WORKSPACE EDK_TOOLS_PATH PACKAGES_PATH
+
+# 2) Rebuild BaseTools (with your LLVM/lld PATH still set like earlier)
+make -C BaseTools -j
+
+# 3) Reset Conf inside THIS tree and re-source
+rm -f Conf/target.txt Conf/tools_def.txt
+source ./edksetup.sh
+
+# Sanity checks — these must point into ~/projs/edk2
+echo "WORKSPACE=$WORKSPACE"
+echo "EDK_TOOLS_PATH=$EDK_TOOLS_PATH"
+test -f "$WORKSPACE/ShellPkg/Application/KeyTools/KeyTool/KeyTool.inf" && echo "KeyTool found"
+
+# 4) Build KeyTool for AArch64 with clang/lld
+build -a AARCH64 -t CLANGDWARF \
+      -p ShellPkg/ShellPkg.dsc \
+      -m ShellPkg/Application/KeyTools/KeyTool/KeyTool.inf \
+      -b RELEASE
+```
+
+### If you still see it picking the wrong path
+
+You probably have these variables exported in your shell config. Force them for this shell:
+
+```bash
+export WORKSPACE="$PWD"
+export EDK_TOOLS_PATH="$WORKSPACE/BaseTools"
+export PACKAGES_PATH="$WORKSPACE"
+source ./edksetup.sh
+```
+
+Then re-run the `build` command above.
+
+### Where the binary will land
+
+Typical output path (adjust for your build target):
+
+```
+Build/Shell/RELEASE_CLANGDWARF/AARCH64/ShellPkg/Application/KeyTools/KeyTool/KeyTool/OUTPUT/KeyTool.efi
+```
+
+Once you’ve got `KeyTool.efi`, mount it along with your `kek2023.cer` and `db2023.cer`, enroll **PK → KEK → db**, reboot into the firmware UI, and enable **Secure Boot**.