bhyve secure boot for Windows 11 bitlocker

At my work, we enforce pinless bitlocker on Windows computers and VMs. This creates a problem when running a Windows 11 VM in bhyve, as every time the VM is started or restarted, it triggers bitlocker recovery due to secure boot not being enabled. From what I can tell, the bhyve-firmware can support secure boot, but it does not come with any of the Microsoft keys. Does anyone have experience loading up the Microsoft keys into the edk2 firmware in bhyve to enable secure boot and can provide steps on how to do this?
 
This isn't answering your question and I don't know if it would work for your situation, but Tomshardware has an article on how to disable a secure boot requirement (and TPM), which worked for me, putting Windows 11 on bhyve.

So, I'm putting it up here--maybe, if it's useless to you, it might help someone.
 
That works to install Windows 11, but it does not resolve the issue with bitlocker. Though with tpm passthrough, we don't even need this to install Windows 11 on bhyve.
 
From what I can tell, the bhyve-firmware can support secure boot, but it does not come with any of the Microsoft keys.
Probably not allowed to redistribute them.

No idea if this would work, but if the UEFI firmware supports the option and you can save the keys in the firmware, they will likely be saved in the varfile where all the other UEFI settings (like the boot selection) are saved. So I kind of expect this to work.

Code:
   Boot ROM device backends
     •   romfile[,varfile]

     Map romfile in the guest address space reserved for boot firmware.

     If varfile is provided, that file is also mapped in the boot firmware
     guest address space, and any modifications the guest makes will be saved
     to that file.

     Fwcfg types:

     fwcfg       The fwcfg interface is used to pass information such as the
                 CPU count or ACPI tables to the guest firmware.  Supported
                 values are ‘bhyve’ and ‘qemu’.  Due to backward compatibility
                 reasons, ‘bhyve’ is the default option.  When ‘bhyve’ is
                 used, bhyve's fwctl interface is used.  It currently reports
                 only the CPU count to the guest firmware.  The ‘qemu’ option
                 uses QEMU's fwcfg interface.  This interface is widely used
                 and allows user-defined information to be passed to the
                 guest.  It is used for passing the CPU count, ACPI tables, a
                 boot order and many other things to the guest.  Some
                 operating systems such as Fedora CoreOS can be configured by
                 qemu's fwcfg interface as well.
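The point the post above relies on is that the varfile is the guest's persistent UEFI variable store, so anything the guest enrolls there (Secure Boot PK/KEK/db, boot entries) has to survive every restart; a varfile that is recreated or shared between VMs changes what BitLocker measured and sends it into recovery. The helper below is an added example, not code from this thread or from the bhyve project: it gives each VM its own copy of the edk2-bhyve template and never overwrites an existing store. The firmware paths under /usr/local/share/uefi-firmware/ and the VM directory are assumptions.

```sh
#!/bin/sh
# Added example. Per-VM UEFI variable store for bhyve's romfile[,varfile]
# boot ROM backend. Assumed defaults: the edk2-bhyve package installs the
# firmware and the pristine variable template at these paths on FreeBSD.
ROMFILE="${ROMFILE:-/usr/local/share/uefi-firmware/BHYVE_UEFI.fd}"
VARS_TEMPLATE="${VARS_TEMPLATE:-/usr/local/share/uefi-firmware/BHYVE_UEFI_VARS.fd}"

# prepare_varfile VMDIR TEMPLATE
# Prints the path of the VM's varfile. The template is copied only when
# the VM has no store yet; an existing store is left untouched so that
# keys and settings the guest enrolled keep their measured state.
prepare_varfile() {
    vmdir="$1"
    template="$2"
    varfile="$vmdir/uefi-vars.fd"
    if [ ! -f "$varfile" ]; then
        if [ ! -r "$template" ]; then
            echo "varfile template not readable: $template" >&2
            return 1
        fi
        mkdir -p "$vmdir" || return 1
        cp "$template" "$varfile" || return 1
        # The store holds the Secure Boot key database; keep it private.
        chmod 0600 "$varfile" || return 1
    fi
    printf '%s\n' "$varfile"
}

# bootrom_arg ROMFILE VARFILE
# Builds the -l value in the romfile[,varfile] form from bhyve(8).
bootrom_arg() {
    printf 'bootrom,%s,%s\n' "$1" "$2"
}

# Usage (assumed VM directory; the rest of the bhyve command line is the
# user's own, e.g. disks, NIC and the TPM passthrough mentioned above):
#   VARS=$(prepare_varfile /vm/win11 "$VARS_TEMPLATE") &&
#   bhyve ... -l "$(bootrom_arg "$ROMFILE" "$VARS")" win11
```

Back up the varfile together with the disk image: losing it means re-enrolling the keys and another round of BitLocker recovery.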
 