I tried to upgrade my Windows 10 KVM guest to Windows 11 following the official documentation, and there were some problems:
- The CPU is not supported, and I tried with Skylake, Broadwell, etc. with no luck
- Windows 11 requires a Secure Boot capable computer with UEFI, and my VM is BIOS
- Windows 11 requires TPM 2.0
Point 3 was very straightforward, but 1) and especially 2) are more difficult.
I worked with KVM on Ubuntu 22.04 with the latest KVM from the Ubuntu repository. My KVM guest is a Windows 10 with the latest updates and the q35 chipset. All the changes are done with the VM turned off, unless otherwise indicated.
The problems I faced to upgrade to Windows 11 were:
- CPU not supported
- Secure boot is required
- Windows 11 requires TPM version 2.0 or later
Point three was the first one I tackled, and it is easy: you just need to add TPM hardware to your KVM guest using the GUI. Look for the TPM and set the version to 2.
Point 1 depends on your real hardware: as of the day I am writing this (Sept 2022), none of the 64-bit processors are suitable for installing Windows 11. The solution is to select passthrough CPU if your host runs on a 9th generation Intel or newer.
Point 2 was more challenging. These are the steps to solve it:
- Change from BIOS to UEFI
- Setup secure boot for KVM.
- AppArmor issue to be solved if it happens
1) Changing BIOS to UEFI
On the Windows 10 KVM guest, version 21H1 or newer, open cmd (command line) as administrator and, from Windows/system32, type
    mbr2gpt /validate /allowFullOS
If the output is successful, then type
    mbr2gpt /convert /allowFullOS
If you see error messages starting with MBR2GPT at the end, ignore them (for more precise instructions and troubleshooting, see this page: https://geekflare.com/change-bios-mode-from-legacy-to-uefi/).
If all goes well, turn off the VM and continue with
2) Setup secure boot for KVM
In Ubuntu 22.04, if you have installed KVM this is not necessary, but check the directory /usr/share/OVMF/. If it exists and has many files with the extension .fd, everything is there; otherwise, type
    sudo apt install ovmf
From a terminal, type
    virsh edit <Domain Name>
and look for the entry
    <smm state='on'/>
inside the features tag. If it is not there, add it.
Now look for the os tag and make it something like this:
    <os>
      <type arch='x86_64' machine='pc-q35-3.1'>hvm</type>
      <loader readonly='yes' secure='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE.fd</loader>
      <!-- template: the OVMF variable-store image; element text: this VM's own writable copy (replace DomainName) -->
      <nvram template='/usr/share/OVMF/OVMF_VARS.ms.fd'>/var/lib/libvirt/qemu/nvram/DomainName_VARS.fd</nvram>
      <boot dev='hd'/>
      <bootmenu enable='yes'/> <!-- can be 'no' if you want -->
    </os>
Because the VM was BIOS before, remove the entry
    <boot order='1'/>
which is inside the disk element, inside the devices tag; libvirt does not accept a per-device boot order together with the <boot dev='hd'/> entry in the os tag. Now save (ctrl+o) and exit (ctrl+x). If all went well it returns something like "Domain Domain Name XML configuration edited.". Part of the information used to make this configuration in Ubuntu came from https://specs.openstack.org/openstack/nova-specs/specs/train/approved/allow-secure-boot-for-qemu-kvm-guests.html
At this point, if all goes well, the Windows 10 guest is ready to start the upgrade to Windows 11. However, if there is a problem with AppArmor, this is the workaround I used, because I tried other solutions like reinstalling AppArmor but they did not work.
3) AppArmor issue to be solved if it happens
Just when the VM starts, there is an error from AppArmor, which does not find a file for the libvirt hard drive UUID. The workaround is to create a new VM using virsh or the GUI with UEFI and Secure Boot, adding all the hardware required (TPM 2.0 and passthrough CPU) and all the other hardware you had on the non-bootable one, but the hard drive to be used is the same hard drive used by the non-bootable one. If you come up with a solution to this problem, please give me a hand. The last time I solved an AppArmor issue it was by reconfiguring it, and I don't remember the steps.
Start your VM with Windows 10 and follow the official steps. Hope this is useful.
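A pre-flight check for the settings described above, as an added example that is not part of the original post: it parses a libvirt domain XML (such as the output of virsh dumpxml) and lists what still blocks the upgrade. The function name check_domain, the two sample domains and the win10 and OVMF_VARS.ms.fd file names are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

def check_domain(xml_text):
    """Return findings that still block the Windows 11 upgrade (empty list = ready)."""
    dom, out = ET.fromstring(xml_text), []
    smm = dom.find("features/smm")
    if smm is None or smm.get("state") != "on":
        out.append("smm: <smm state='on'/> missing from <features>")
    loader = dom.find("os/loader")
    if loader is None or loader.get("type") != "pflash":
        out.append("loader: no pflash UEFI loader, guest still boots as BIOS")
    elif loader.get("secure") != "yes":
        out.append("loader: secure='yes' not set")
    nvram = dom.find("os/nvram")
    if nvram is None:
        out.append("nvram: no UEFI variable store defined")
    else:
        if "VARS" not in nvram.get("template", ""):
            out.append("nvram: template is not an OVMF_VARS image")
        if (nvram.text or "").strip().startswith("/usr/share/"):
            out.append("nvram: store points at a shared firmware image, not a per-VM file")
    tpm = dom.find("devices/tpm/backend")
    if tpm is None or tpm.get("version") != "2.0":
        out.append("tpm: no TPM 2.0 device")
    cpu = dom.find("cpu")
    if cpu is None or cpu.get("mode") != "host-passthrough":
        out.append("cpu: mode is not host-passthrough")
    # libvirt rejects per-device <boot order> combined with <boot dev> in <os>
    if dom.find("os/boot") is not None and dom.find("devices/disk/boot") is not None:
        out.append("boot: remove <boot order=.../> from the disk")
    return out

# Constructed sample: the BIOS-era domain before any of the edits
LEGACY = """<domain type='kvm'><os><type arch='x86_64' machine='pc-q35-3.1'>hvm</type>
<boot dev='hd'/></os><features><acpi/></features><cpu mode='custom'/><devices>
<disk type='file' device='disk'><boot order='1'/></disk></devices></domain>"""

# Constructed sample: the same domain after the edits (file names are assumptions)
READY = """<domain type='kvm'><os><type arch='x86_64' machine='pc-q35-3.1'>hvm</type>
<loader readonly='yes' secure='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE.fd</loader>
<nvram template='/usr/share/OVMF/OVMF_VARS.ms.fd'>/var/lib/libvirt/qemu/nvram/win10_VARS.fd</nvram>
<boot dev='hd'/></os><features><acpi/><smm state='on'/></features>
<cpu mode='host-passthrough'/><devices><disk type='file' device='disk'/>
<tpm model='tpm-crb'><backend type='emulator' version='2.0'/></tpm></devices></domain>"""

if __name__ == "__main__":
    for name, xml in (("legacy", LEGACY), ("ready", READY)):
        print(name, check_domain(xml) or "ready for the upgrade")
```

An empty list means the domain definition has UEFI with Secure Boot, a per-VM variable store, TPM 2.0 and a passthrough CPU; it does not check anything inside the guest, such as the MBR to GPT conversion.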