Alright, so to make Windows 11 work on a GNU/Linux VM with virt-manager you need UEFI-based secure boot and a TPM module. Here's what I did after searching online for a few days. First, set up a TPM module on your host OS:
sudo apt -y install dpkg-dev debhelper libssl-dev libtool net-tools libfuse-dev libglib2.0-dev libgmp-dev expect libtasn1-dev socat python3-twisted gnutls-dev gnutls-bin libjson-glib-dev gawk git python3-setuptools softhsm2 libseccomp-dev automake autoconf libtool gcc build-essential libssl-dev dh-exec pkg-config dh-autoreconf dh-apparmor
git clone https://github.com/stefanberger/libtpms.git
cd libtpms
./autogen.sh --with-openssl
make dist
dpkg-buildpackage -us -uc -j4
sudo apt install ../libtpms*.deb
git clone https://github.com/stefanberger/swtpm.git
cd swtpm
dpkg-buildpackage -us -uc -j4
sudo apt install ../swtpm*.deb
These instructions are pulled from the swtpm maintainer's git, which had instructions for building swtpm on both Debian and Ubuntu, but also a big thanks to sej7278 on Reddit, who consolidated and simplified them into a recipe. The only thing I found missing on my end was that I needed to add dh-apparmor to the above package dependency list.
Now that the software TPM is installed, the next step is to add UEFI support to virt-manager by creating a UEFI / secure boot environment using the ovmf package. To do that, I located the Debian wiki on the topic, headed over to the package download page, and then used dpkg -i to install it. After this, I rebooted my machine and started up virt-manager. In virt-manager, create a new machine, select the Windows 11 .iso file, create a virtual disk that you prefer, and then select “customize before finishing.” In the machine configuration window that comes next, first set up Overview as follows:
The Overview pane allows you to pick a chipset and specify the bootloader you want to use. These options were specified on many wikis, so I followed suit. After this was done, I changed the Boot Options so that the CD-ROM entry was enabled and at the top of the boot order. This is because virt-manager presents the .iso as a CD-ROM and won't find the installer media unless this is done. It might already be set this way on your virt-manager instance, but it was not on mine because I had disabled it before. I only figured this out after searching through random forums and banging my head. Super obvious in hindsight; thanks to shawnsg's random LTT post!
Lastly, once virt-manager was configured for using secure boot and to load the installer media, it was now time to configure this virtual machine to use the software based TPM module we created earlier. To do that, I clicked “Add Hardware” in the virt-manager GUI, selected TPM, and left the default settings.
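To confirm that a VM definition really ended up with the settings configured above (UEFI firmware with Secure Boot and SMM, the CD-ROM first in the boot order, and an swtpm-backed TPM 2.0 device), here is an added example script that is not part of the original post: it greps the libvirt domain XML that `virsh dumpxml <vm>` prints for the corresponding elements. The two embedded domain definitions (`win11-example`, `win11-weak`) are constructed samples written for this example; the element and attribute names are the ones libvirt uses for these settings.

```shell
#!/bin/sh
# Added example, not from the original post: check a libvirt domain XML
# (as printed by `virsh dumpxml <vm>`) for the settings the walkthrough
# configures by hand in virt-manager. Exit status 0 = everything present.
check_win11_domain() {
    xml="$1"
    missing=0
    # UEFI: libvirt's firmware='efi' autoselect form, or an explicit OVMF pflash loader.
    if ! grep -Eq "<os firmware='efi'|<loader[^>]*type='pflash'" "$xml"; then
        echo "missing: UEFI firmware (<os firmware='efi'> or <loader type='pflash'>)"
        missing=1
    fi
    # Secure Boot: the secure-boot firmware feature, or loader secure='yes'.
    if ! grep -Eq "name='secure-boot' enabled='yes'|enabled='yes' name='secure-boot'|<loader[^>]*secure='yes'" "$xml"; then
        echo "missing: Secure Boot (firmware feature secure-boot or loader secure='yes')"
        missing=1
    fi
    # OVMF's Secure Boot build needs SMM enabled on the q35 machine type.
    if ! grep -q "<smm state='on'/>" "$xml"; then
        echo "missing: <smm state='on'/>"
        missing=1
    fi
    # Installer media: the first <boot dev=.../> entry must be the CD-ROM,
    # which is what moving it to the top of Boot Options does in the GUI.
    first_boot=$(grep -o "<boot dev='[a-z]*'/>" "$xml" | head -n 1)
    if [ "$first_boot" != "<boot dev='cdrom'/>" ]; then
        echo "missing: <boot dev='cdrom'/> as first boot entry (found: ${first_boot:-none})"
        missing=1
    fi
    # TPM: backend type 'emulator' is swtpm (virt-manager's default TPM device);
    # Windows 11 wants version 2.0.
    if ! grep -q "<backend type='emulator' version='2.0'" "$xml"; then
        echo "missing: <tpm><backend type='emulator' version='2.0'/></tpm>"
        missing=1
    fi
    return $missing
}

# Constructed sample: roughly what virt-manager writes after the steps above.
write_good_sample() {
    cat > "$1" <<'EOF'
<domain type='kvm'>
  <name>win11-example</name>
  <os firmware='efi'>
    <type arch='x86_64' machine='q35'>hvm</type>
    <firmware>
      <feature enabled='yes' name='secure-boot'/>
      <feature enabled='yes' name='enrolled-keys'/>
    </firmware>
    <boot dev='cdrom'/>
    <boot dev='hd'/>
  </os>
  <features><acpi/><smm state='on'/></features>
  <devices>
    <tpm model='tpm-crb'><backend type='emulator' version='2.0'/></tpm>
  </devices>
</domain>
EOF
}

# Constructed sample: legacy BIOS, disk first, no TPM; fails every check.
write_weak_sample() {
    cat > "$1" <<'EOF'
<domain type='kvm'>
  <name>win11-weak</name>
  <os>
    <type arch='x86_64' machine='q35'>hvm</type>
    <boot dev='hd'/>
    <boot dev='cdrom'/>
  </os>
  <features><acpi/></features>
  <devices/>
</domain>
EOF
}

# Self-check on the two constructed samples.
demo() {
    dir=$(mktemp -d)
    write_good_sample "$dir/good.xml"
    write_weak_sample "$dir/weak.xml"
    for name in good weak; do
        if check_win11_domain "$dir/$name.xml"; then
            echo "$name.xml: ready for the Windows 11 installer"
        else
            echo "$name.xml: not ready"
        fi
    done
    rm -rf "$dir"
}

# Usage on a real VM: virsh dumpxml win11 > win11.xml && sh check_vm.sh win11.xml
if [ $# -ge 1 ]; then
    check_win11_domain "$1"
else
    demo
fi
```

The grep patterns are deliberately loose about attribute order because libvirt may rewrite the XML on save; if the script reports a missing element on a VM that boots fine, compare the actual `virsh dumpxml` output against the good sample rather than trusting the check blindly.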
Once libtpms and swtpm were built, the ovmf package installed, and virt-manager configured to leverage all of them properly, the machine booted flawlessly. Here's the splash screen after the core parts of the OS installed:
— oemb1905 2022/07/30 18:24