Windows 11 System Requirements Announced - does it pose any issues?


According to the MS post here (https://download.microsoft.com/download/7/8/8/788bf5ab-0751-4928-a22c-dffdc23c27f2/Minimum%20Hardware%20Requirements%20for%20Windows%2011.pdf), VMs are exempt from the requirements:

There will be some exceptions to Microsoft’s new rules, though. “Windows 11 does not apply the hardware-compliance check for virtualized instances either during setup or upgrade,” notes a Microsoft document (PDF) on minimum hardware requirements for Windows 11. That means if you run Windows 11 as a virtual machine, you can ignore the CPU and security requirements. That flies in the face of Microsoft’s big security push here, but the reality is that most consumers and commercial customers won’t be running Windows 11 in a VM.

Link to comment
23 hours ago, Sjaddy said:

That means if you run Windows 11 as a virtual machine, you can ignore the CPU and security requirements. That flies in the face of Microsoft’s big security push here


Does it though? The point of MS's security requirements is to prevent malware from affecting the PC at boot time. Well, we're talking about VMs here, which do not have the same risk associated with them. By definition, the VM is separated from the hardware boot BIOS/firmware, right? It's one of the reasons to run a VM: to separate the OS from the hardware layer.

Link to comment
17 hours ago, quasihellfish said:

Well, we're talking about VMs here, which do not have the same risk associated with them. By definition, the VM is separated from the hardware boot BIOS/firmware, right?

It really depends on how you use the VM.

Most users, including me, use one or more VMs just as they would use a traditional PC. If this is the case, we want performance from our VMs, so we start to pass through hardware: CPU, GPU, SATA controllers, NVMe drives, USB controllers, Ethernet cards, etc.

Why do we do this?

In my case I'm using a macOS VM with most hardware passed through. I decided to go with a VM because it's faster to set up the environment and you have less headache; moreover I have a completely separated environment, so the bootloader cannot mess with Windows 10 installed on another drive, which I boot bare metal.

Others prefer performance VMs because they can have "more computers" in the same PC, for example different VMs for different operating systems, or different VMs for different fields (school, work, media, firewall, gaming, etc.).

Virtual machines can boot UEFI with OVMF, so malware will act the same if it finds a vulnerability in the firmware; but in this case the firmware is a file (OVMF_CODE and its OVMF_VARS), so if it gets infected all you need to do is delete the files and replace them instead of flashing the BIOS chip.

But if malware infects the OS in the cases I described above, it's nearly the same as having malware on a bare metal installation.

Another case is if you use VMs in a different way. Consider for example online services for antivirus scans: all the malware runs on virtual machines which are created before and deleted as soon as the scan finishes. The base OS can be in a vdisk, and all you have to do to start fresh is delete and replace the vdisk (some seconds?).

Or if you need only a few apps in your VM, installed in a vdisk: again, back up a copy of the base vdisk and of the firmware, and if you get infected just start fresh in a few minutes.

What Microsoft is choosing, i.e. making secure boot and TPM mandatory (in addition to a series of other things), doesn't agree with me (but this is a personal opinion: I am the owner of my PC and I want to do all that I want, without having limits).

Edited by ghost82
Link to comment
On 9/25/2021 at 9:06 AM, unrateable said:

Since Win 11 also requires a certain CPU generation, is it possible to change the CPUID of my guest VM to a newer generation CPU, and is it advisable at all?

I wonder whether, by doing that, there may be other implications for security/proper ISA functions?

The latest Windows 11 build doesn't even complain about the CPU when you install it... ;)

Link to comment
19 hours ago, Cliff said:

Are there any guides on how to fix my VM so that I can update again?

 

19 hours ago, Mantene said:

That worked for me.

When it's integrated it will surely be easier and you won't have to play with more manual entries in your XMLs... so I'd suggest waiting a few days until Limetech is ready.

Also, a removal will then work regularly etc. etc. ... now, after adjusting, you have to revert to remove a VM and so on...

And whoever is now capable of running the script, editing his XMLs etc. etc. can pretty surely also do the 2 steps on updating to bypass the checks...

Link to comment

I really can't understand how the LinkedIn author was able to compile (if he compiled) the OVMF files...

I usually don't like "black boxes", so I'm trying to understand how and if he compiled the OVMF package to build OVMF_CODE.fd and OVMF_VARS.fd.
If I use the OVMF files from here:
https://github.com/rezo552/unraid-swtpm

the Windows 11 installation goes smoothly and the system is seen as compatible.
However, if I boot into the OVMF settings, secure boot mode is DISABLED with those OVMF files, so the first question: why doesn't Windows 11 complain about secure boot being disabled?

After trying the "black box" OVMF files, I tried to compile the OVMF package myself with secure boot enabled:
 

git clone https://github.com/tianocore/edk2.git
cd edk2
git clean -ffdx
git reset --hard
git submodule deinit --force --all
git checkout edk2-stable202011
git submodule update --init --force
source edksetup.sh
nice make -C "$EDK_TOOLS_PATH" -j $(getconf _NPROCESSORS_ONLN)
build -a X64 -b RELEASE -DSECURE_BOOT_ENABLE=TRUE -p OvmfPkg/OvmfPkgX64.dsc -t GCC5


Notes:
-DSECURE_BOOT_ENABLE=TRUE builds a secure boot version of OVMF.
I prefer the 202011 stable version.

Now, time to inject the keys. I tried 2 ways:
1- inject keys with EnrollDefaultKeys.efi (built within the OVMF package) --> I put it on another raw image and ran it from the UEFI shell; from the OVMF settings I can see that the PK, KEK and DB keys are injected, but Windows 11 tells me that the system is not compatible to run Windows 11...

2- downloaded:
MicCorUEFCA2011_2011-06-27.cer (2nd import in DB)
MicWinProPCA2011_2011-10-19.cer (1st import in DB)
MicCorKEKCA2011_2011-06-24.cer (imported as KEK)

and generated a DER self-signed certificate, imported as PK.

Here I have another issue: if I look at the KEK and DB keys (for example by deleting them from the OVMF settings), they seem to be imported as 00000-0000-00000 (only zeroes...???), so something is wrong...

Obviously the same issue with the 2nd method as with the first one: no compatible system.

Note that the XML is the same; what changes is only OVMF_CODE.fd and OVMF_VARS.fd.

Anybody with some light? I'm currently walking in the dark :D

 

Link to comment
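Background on the "only zeroes" observation above, as an added example that is not part of the original thread or of the OVMF project: the KEK and db variables hold EFI_SIGNATURE_LIST structures, and the GUID shown next to each certificate is the per-entry SignatureOwner field, which is all zeros when a raw .cer is imported without an owner. The script below builds such lists around a constructed placeholder blob (not a real certificate) and parses them back; the owner GUID `6f1a9d2b-...` is an assumption chosen for the demo.

```python
import struct
import uuid

# Signature-type GUID for X.509 certificates (EFI_CERT_X509_GUID from the UEFI spec).
EFI_CERT_X509_GUID = "a5c059a1-94e4-4aa7-87b5-ab155c2bf072"
# An all-zero SignatureOwner: what a raw .cer imported without an owner shows up as.
ZERO_OWNER = "00000000-0000-0000-0000-000000000000"
# Constructed placeholder, NOT a real certificate: a 5-byte DER SEQUENCE { INTEGER 1 }.
FAKE_DER = bytes.fromhex("3003020101")

def build_x509_esl(der_cert: bytes, owner: str) -> bytes:
    """Wrap one DER certificate in an EFI_SIGNATURE_LIST (all fields little-endian):
    SignatureType GUID | SignatureListSize | SignatureHeaderSize (0 for X.509) |
    SignatureSize | [SignatureOwner GUID + DER cert]"""
    sig_size = 16 + len(der_cert)
    list_size = 16 + 4 + 4 + 4 + sig_size
    header = uuid.UUID(EFI_CERT_X509_GUID).bytes_le + struct.pack("<III", list_size, 0, sig_size)
    return header + uuid.UUID(owner).bytes_le + der_cert

def parse_esl(blob: bytes) -> list:
    """Walk concatenated EFI_SIGNATURE_LISTs (e.g. the raw contents of db or KEK)
    and return one dict per signature entry: type GUID, owner GUID, raw data."""
    entries, off = [], 0
    while off + 28 <= len(blob):
        sig_type = str(uuid.UUID(bytes_le=blob[off:off + 16]))
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        # Reject sizes that would loop forever or read past the buffer.
        if list_size < 28 or sig_size < 16 or off + list_size > len(blob):
            raise ValueError(f"malformed signature list at offset {off}")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            entries.append({
                "type": sig_type,
                "owner": str(uuid.UUID(bytes_le=blob[pos:pos + 16])),
                "data": blob[pos + 16:pos + sig_size],
            })
            pos += sig_size
        off = end
    return entries

def demo() -> list:
    """Two lists back to back: one enrolled with a zero owner (as seen in the post),
    one with a constructed owner GUID, so the difference is visible after parsing."""
    my_owner = "6f1a9d2b-3c4e-4f50-8a1b-2c3d4e5f6a7b"  # assumed, for illustration only
    blob = build_x509_esl(FAKE_DER, ZERO_OWNER) + build_x509_esl(FAKE_DER, my_owner)
    return parse_esl(blob)
```

A zero owner does not by itself make a certificate invalid for verification, which is consistent with the post's conclusion that the real blocker was the OVMF build flags rather than the enrolled keys.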
15 hours ago, ghost82 said:

Obviously the same issue with the 2nd method as with the first one: no compatible system.

Problem solved: I was missing some flags for building a proper version of OVMF.

I didn't know TPM has flags too that need to be enabled.

So, summarizing, if one wants to compile OVMF himself/herself (the following example builds the latest stable version at the time of writing, 202108):

 

git clone https://github.com/tianocore/edk2.git
cd edk2
git clean -ffdx
git reset --hard
git submodule deinit --force --all
git checkout edk2-stable202108
git submodule update --init --force
source edksetup.sh
nice make -C "$EDK_TOOLS_PATH" -j $(getconf _NPROCESSORS_ONLN)
build -a X64 -b RELEASE -D SECURE_BOOT_ENABLE -D TPM_ENABLE -D FD_SIZE_4MB -p OvmfPkg/OvmfPkgX64.dsc -t GCC5

 

SECURE_BOOT_ENABLE: build a secure boot compatible OVMF

TPM_ENABLE: enable TPM in OVMF

FD_SIZE_4MB: not sure this is needed, but I read that the Microsoft Hardware Certification Kit expects to be able to populate the variable store up to roughly 64 KB; without this flag the OVMF varstore area is only 56 KB, and this flag increases it to 256 KB

-D TPM_CONFIG_ENABLE is not needed; TPM will be auto-configured

Link to comment
6 hours ago, Cliff said:

Is there any news on when the unraid update will be released?

I don't know if I am supposed to post a 6.10.0-rc2h build here... but with this no "external" patches are needed.

Decided to do it because it is visible within the forums itself:

https://s3.amazonaws.com/dnld.lime-technology.com/test/unRAIDServer.plg

This will bring you onto the "Test" branch, but you will be able to get the "OVMF TPM" BIOS. Then just edit your XML or pick it from the drop-down menu.

 

Edited by RiDDiX
Link to comment
12 hours ago, RiDDiX said:

I don't know if I am supposed to post a 6.10.0-rc2h build here... but with this no "external" patches are needed.

Decided to do it because it is visible within the forums itself:

https://s3.amazonaws.com/dnld.lime-technology.com/test/unRAIDServer.plg

This will bring you onto the "Test" branch, but you will be able to get the "OVMF TPM" BIOS. Then just edit your XML or pick it from the drop-down menu.

Hey, not sure if I will be able to go back to the stable version if something goes wrong, you know, like the usual behaviour of a standard update, or is it that the link just simply provides an extra branch in addition to "stable" and "next"?

Link to comment
23 hours ago, RiDDiX said:

I don't know if I am supposed to post a 6.10.0-rc2h build here... but with this no "external" patches are needed.

Decided to do it because it is visible within the forums itself:

https://s3.amazonaws.com/dnld.lime-technology.com/test/unRAIDServer.plg

This will bring you onto the "Test" branch, but you will be able to get the "OVMF TPM" BIOS. Then just edit your XML or pick it from the drop-down menu.

"plugin: not installing older version"

Link to comment

- stopped the userscript
- deleted everything in /boot/extra/
- upgraded to RC2

Seems to work better already; I had an issue where Windows 11 became sluggish for no real reason. That seems to work better, for now.

- network shares actually work after a reboot
- docker containers don't have any issues starting up

I probably have to reset some BitLocker keys (disable TPM and enable TPM) due to these changes, but that's something for tomorrow.

Edited by okkies
Link to comment
On 10/12/2021 at 9:41 AM, ghost82 said:
build -a X64 -b RELEASE -D SECURE_BOOT_ENABLE -D TPM_ENABLE -D FD_SIZE_4MB -p OvmfPkg/OvmfPkgX64.dsc -t GCC5

 

Just to let you know that with this commit:

https://github.com/tianocore/edk2/commit/4de8d61bcec02a13ceed84f92b0cf3ea58adf9c5

 

from releases after 202111 (excluded), "-D TPM_ENABLE" doesn't exist anymore and is replaced by -D TPM1_ENABLE for TPM 1.2 or -D TPM2_ENABLE for TPM 2.0.

I spent a couple of hours trying to figure out why my emulated TPM didn't start in Win 11.

 

TPM_CONFIG_ENABLE is also removed from the code.

Link to comment
