Microsoft officially announced the public availability of Windows 11 on October 5th, 2021. This Windows version comes with a lot of amazing features. Among the features is the system security that allows Windows 11 to run only on a device with a Trusted Platform Module 2.0 security co-processor. This poses an error when installing Windows 11 that requires you to enable TPM.
What is TPM?
TPM is an abbreviation of Trusted Platform Module. This is a technology that provides hardware-based security functions on a system. The TPM chip is a secure crypto-processor that carries out cryptographic operations. This chip consists of multiple security mechanisms that make it tamper-proof. Therefore, malicious software cannot meddle with its security functions. The main advantages associated with the TPM technology are:
- It allows one to generate, store, and limit the use of cryptographic keys.
- It can be used for platform device authentication with the TPM’s unique RSA key, burned into it.
- It takes and stores security measurements to help ensure the platform’s integrity
Mostly, TPM is used for system integrity measurements and key creation/use. When the system boots, the boot code, including firmware and the operating system components, is measured and recorded in the TPM. This can provide statistics on how a system started and ensure that the TPM-based key was used correctly.
This guide illustrates how to enable TPM 2.0 on KVM and install Windows 11.
Before You Begin.
This guide requires you to have the following:
- Windows 11 iso file obtained from the Microsoft Downloads page
- KVM installed and configured.
The guides below can be used to install and configure KVM on your system:
- Install KVM Hypervisor on Ubuntu
- How To Install KVM Hypervisor on Debian
- How To Install KVM on RHEL 8 / CentOS 8
- Install KVM, QEMU and Virt Manager on Arch Linux / Manjaro
Once installed, proceed as below.
Install Required Packages
Once KVM has been installed, you need the below packages to be able to enable TPM 2.0. Depending on your system, pick the appropriate command:
- On Debian/Ubuntu
Add the PPA for swtpm-tools.
sudo tee /etc/apt/sources.list.d/swtpm-tools.list<<EOF deb [trusted=yes] http://ppa.launchpad.net/stefanberger/swtpm-focal/ubuntu focal main EOF
Replace “focal” with the codename for your Ubuntu version. Then proceed and install the required tools with the command:
sudo apt update -y && sudo apt -y install ovmf swtpm swtpm-tools virt-manager virt-viewer
- On RHEL/CentOS/Rocky Linux/ Alma Linux
sudo yum install epel-release -y sudo yum install edk2-ovmf swtpm swtpm-tools virt-manager virt-install virt-viewer
Enable TPM 2.0 and Install Windows 11 on KVM
Once the required tools have been installed, you can easily install Windows 11 on KVM with TPM 2.0 and Secure Boot enabled.
Normally, there are two ways to create and run a VM on KVM. These includes:
- Using GUI
- Using the CLI
To create a network bridge for KVM, use the aid from the guides below:
- How to Create and Configure Bridge Networking For KVM in Linux
- How to Create a Linux Network Bridge on RHEL / CentOS 8
- How to Create and use Network Bridge on Arch Linux and Manjaro
Option 1 – Using the Virtual Machine Manager GUI tool
You can use the Virtual Machine Manager to easily create and manage Virtual Machines on KVM. Launch the Virtual Machine Manager from the App menu.
Begin by creating a new VM.
You will be required to load the Windows 11 ISO file.
Browse and load the ISO file:
Next, configure the CPU and Memory for the VM.
Create a hard disk for the VM and set the disk size
On this page, allow customization before installation by checking the box. You can also configure the VM network. For this guide I have used a bridged network.
On the overview windows, select add hardware.
Add TPM 2.0 and make the settings as shown. Then click Finish to apply the changes.
You can also enable VNC by adding hardware as shown:
Once done click finish and go back to the overview window.
Just before you begin the installation, remember to change the Chipset and Firmware. Apply the changes and begin the installation.
Proceed with the normal Windows 11 installation.
Select the install Windows option and proceed.
Option 2 – Using the virt-install CLI tool
It is easier to spin Windows 11 on KVM from the CLI, all you need is to run the below command and pass all the required variables:
- On Debian/Ubuntu
sudo virt-install \ --name Windows11 \ --ram 4096 \ --disk path=/var/lib/libvirt/images/Windows_11.img,size=55 \ --vcpus=2 \ --os-variant=win10 \ --network bridge=virbr0 \ --cdrom /home/Win11_English_x64v1.iso \ --graphics vnc,listen=0.0.0.0,password=StrongPassw0rd \ --video virtio \ --features kvm_hidden=on,smm=on \ --tpm backend.type=emulator,backend.version=2.0,model=tpm-tis \ --boot loader=/usr/share/OVMF/OVMF_CODE.secboot.fd,loader_ro=yes,loader_type=pflash,nvram_template=/usr/share/OVMF/OVMF_VARS.ms.fd
- On RHEL/CentOS/Rocky Linux/ Alma Linux
sudo virt-install \ --name Windows11 \ --ram 4096 \ --disk path=/var/lib/libvirt/images/Windows_11.img,size=55 \ --vcpus=2 \ --os-variant=win10 \ --network bridge=virbr0 \ --cdrom /home/Win11_English_x64v1.iso \ --graphics vnc,listen=0.0.0.0,password=StrongPassw0rd \ --video virtio \ --features kvm_hidden=on,smm=on \ --tpm backend.type=emulator,backend.version=2.0,model=tpm-tis \ --boot loader=/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd,loader_ro=yes,loader_type=pflash,nvram_template=/usr/share/edk2/ovmf/OVMF_VARS.secboot.fd
Remember to edit the variables where required. You might need to edit the CPUs, disk size(recommended size above 52GB), memory, network bridge e.t.c. Provide the set password for the VNC and proceed with the installation.
Also here, the normal Windows 11 installation will proceed
Configure the hard disk.
Sita back and wait for the installation to finish:
Once everything is complete, verify if TPM 2.0 is enabled
That marks the end of this guide on how to enable TPM 2.0 on KVM and install Windows 11. I hope this was significant to you.