How To Enable TPM 2.0 on KVM and install Windows 11

Microsoft officially announced the public availability of Windows 11 on October 5th, 2021. This Windows version comes with a lot of amazing features. Among the features is the system security that allows Windows 11 to run only on a device with a Trusted Platform Module 2.0 security co-processor. This poses an error when installing Windows 11 that requires you to enable TPM.

What is TPM?

TPM is an abbreviation of Trusted Platform Module. This is a technology that provides hardware-based security functions on a system. The TPM chip is a secure crypto-processor that carries out cryptographic operations. This chip consists of multiple security mechanisms that make it tamper-proof. Therefore, malicious software cannot meddle with its security functions. The main advantages associated with the TPM technology are:

It allows one to generate, store, and limit the use of cryptographic keys.
It can be used for platform device authentication with the TPM’s unique RSA key, burned into it.
It takes and stores security measurements to help ensure the platform’s integrity

Mostly, TPM is used for system integrity measurements and key creation/use. When the system boots, the boot code, including firmware and the operating system components, is measured and recorded in the TPM. This can provide statistics on how a system started and ensure that the TPM-based key was used correctly.

This guide illustrates how to enable TPM 2.0 on KVM and install Windows 11.

Before You Begin.

This guide requires you to have the following:

Windows 11 iso file obtained from the Microsoft Downloads page
KVM installed and configured.

The guides below can be used to install and configure KVM on your system:

Once installed, proceed as below.

Install Required Packages

Once KVM has been installed, you need the below packages to be able to enable TPM 2.0. Depending on your system, pick the appropriate command:

On Debian/Ubuntu

Add the PPA for swtpm-tools.

sudo tee  /etc/apt/sources.list.d/swtpm-tools.list<<EOF
deb [trusted=yes] http://ppa.launchpad.net/stefanberger/swtpm-focal/ubuntu focal main
EOF

Replace “focal” with the codename for your Ubuntu version. Then proceed and install the required tools with the command:

sudo apt update -y && sudo apt -y install ovmf swtpm swtpm-tools virt-manager virt-viewer

On RHEL/CentOS/Rocky Linux/ Alma Linux

sudo yum install epel-release -y
sudo yum install edk2-ovmf swtpm swtpm-tools virt-manager virt-install virt-viewer

Enable TPM 2.0 and Install Windows 11 on KVM

Once the required tools have been installed, you can easily install Windows 11 on KVM with TPM 2.0 and Secure Boot enabled.

Normally, there are two ways to create and run a VM on KVM. These includes:

Using GUI
Using the CLI

To create a network bridge for KVM, use the aid from the guides below:

Option 1 – Using the Virtual Machine Manager GUI tool

You can use the Virtual Machine Manager to easily create and manage Virtual Machines on KVM. Launch the Virtual Machine Manager from the App menu.

Enable TPM 2.0 on KVM and install Windows 11

Begin by creating a new VM.

Enable TPM 2.0 on KVM and install Windows 11 1

You will be required to load the Windows 11 ISO file.

Enable TPM 2.0 on KVM and install Windows 11 2

Browse and load the ISO file:

Enable TPM 2.0 on KVM and install Windows 11 3

Next, configure the CPU and Memory for the VM.

Enable TPM 2.0 on KVM and install Windows 11 4

Create a hard disk for the VM and set the disk size

Enable TPM 2.0 on KVM and install Windows 11 5

On this page, allow customization before installation by checking the box. You can also configure the VM network. For this guide I have used a bridged network.

Enable TPM 2.0 on KVM and install Windows 11 6

On the overview windows, select add hardware.

Enable TPM 2.0 on KVM and install Windows 11 7

Add TPM 2.0 and make the settings as shown. Then click Finish to apply the changes.

Enable TPM 2.0 on KVM and install Windows 11 8

You can also enable VNC by adding hardware as shown:

Enable TPM 2.0 on KVM and install Windows 11 9

Once done click finish and go back to the overview window.

Enable TPM 2.0 on KVM and install Windows 11 10

Just before you begin the installation, remember to change the Chipset and Firmware. Apply the changes and begin the installation.

Enable TPM 2.0 on KVM and install Windows 11 11

Proceed with the normal Windows 11 installation.

Enable TPM 2.0 on KVM and install Windows 11 12

Select the install Windows option and proceed.

Enable TPM 2.0 on KVM and install Windows 11 13

Option 2 – Using the virt-install CLI tool

It is easier to spin Windows 11 on KVM from the CLI, all you need is to run the below command and pass all the required variables:

On Debian/Ubuntu

sudo virt-install \
--name Windows11 \
--ram 4096 \
--disk path=/var/lib/libvirt/images/Windows_11.img,size=55 \
--vcpus=2 \
--os-variant=win10 \
--network bridge=virbr0 \
--cdrom /home/Win11_English_x64v1.iso \
--graphics vnc,listen=0.0.0.0,password=StrongPassw0rd \
--video virtio \
--features kvm_hidden=on,smm=on \
--tpm backend.type=emulator,backend.version=2.0,model=tpm-tis \
--boot loader=/usr/share/OVMF/OVMF_CODE.secboot.fd,loader_ro=yes,loader_type=pflash,nvram_template=/usr/share/OVMF/OVMF_VARS.ms.fd

On RHEL/CentOS/Rocky Linux/ Alma Linux

sudo virt-install \
--name Windows11 \
--ram 4096 \
--disk path=/var/lib/libvirt/images/Windows_11.img,size=55 \
--vcpus=2 \
--os-variant=win10 \
--network bridge=virbr0 \
--cdrom /home/Win11_English_x64v1.iso \
--graphics vnc,listen=0.0.0.0,password=StrongPassw0rd \
--video virtio \
--features kvm_hidden=on,smm=on \
--tpm backend.type=emulator,backend.version=2.0,model=tpm-tis \
--boot loader=/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd,loader_ro=yes,loader_type=pflash,nvram_template=/usr/share/edk2/ovmf/OVMF_VARS.secboot.fd

Remember to edit the variables where required. You might need to edit the CPUs, disk size(recommended size above 52GB), memory, network bridge e.t.c. Provide the set password for the VNC and proceed with the installation.