I checked the name on boot now, it says "TianoCore", that's the name of the UEFI firmware stored in /usr/share/qemu/ovmf-x86_64-smm-ms-code.bin that can't seem to boot the standard official Windows 10 ISO. Whatever default BIOS gnome-boxes uses without TPM used to work fine with that. But since Windows 11 wants TPM and I'm preparing for an upgrade, I can't just disable TPM again as a workaround. If someone knows how to fix it, would be very appreciated!

What would be the upstream place to forward this to? QEMU maybe? It seems like the Tiano UEFI project doesn't really directly accept bug reports from inexperienced people like me, which I guess makes sense since I have no clue where exactly the bug is.

Have you tried installing your Windows VM with virt-manager directly? I'm not familiar with gnome-boxes and will leave that to the gnome developers. But we (virt team) should be able to help you install Win10 or 11 using virt-manager, virt-install, and other virt tools.

Created attachment 870572 [details]
Video of cd rom boot not working virt-manager

I can use virt-manager's UI if you want but it really doesn't make a difference, see this video.

Are you connected to the system or session libvirtd [1]? Likely the system one if using virt-manager as root. If running virt-manager as root, please attach /root/.cache/virt-manager/*.log and /var/log/libvirt/qemu/<vm-name>.log.

[1]
https://libvirt.org/daemons.html#operating-modes
https://wiki.libvirt.org/FAQ.html#what-is-the-difference-between-qemu-system-and-qemu-session-which-one-should-i-use
https://blog.wikichoon.com/2016/01/qemusystem-vs-qemusession.html

It doesn't run as root, which now that you say it, seems like a security issue. Should I file a separate bug for that?

(In reply to ell1e from comment #6)
> It doesn't run as root, which now that you say it, seems like a security
> issue. Should I file a separate bug for that?

virt-manager doesn't run as root? How are you starting it? Are there any errors telling why it didn't start?

Created attachment 870576 [details]
virt-manager.log with VM that fails to boot cd rom being named "boxes-unknown"

virt-manager launches and works fine without root here, which is the part that worries me. I assume to create HW accelerated VMs it should normally require some sort of elevation? Maybe I'm over-thinking it, I don't know that much about security in that specific area.

(In reply to ell1e from comment #9)
> virt-manager launches and works fine without root here, which is the part
> that worries me. I assume to create HW accelerated VMs it should normally
> require some sort of elevation?

A normal user should be able to start a kvm-accelerated VM, but it will have limited privileges and functionality. See some of the links I referenced in #5. BTW, I'm not sure if vTPM works with an unprivileged VM. It's clear the type of VM you are trying to create does not work unprivileged.

From your virt-manager log, I see it's unable to connect to the system daemon:

[Wed, 01 Nov 2023 20:55:01 virt-manager 5426] DEBUG (engine:180) Autostart connection error: Unable to connect to libvirt qemu:///system.
Failed to connect socket to '/var/run/libvirt/virtqemud-sock': No such file or directory
Libvirt URI is: qemu:///system

I think the socket path is a little misleading. Perhaps virt-manager is only reporting the last one it tried. On Leap 15.5, the monolithic libvirtd is still the "preferred" deployment, so the path should be /var/run/libvirt/libvirt-sock. But that's a cosmetic detail. Do you have the libvirtd service enabled? E.g. is it shown as enabled and running in the output of 'systemctl status libvirtd.service'? If not, enable and start it (systemctl enable libvirtd.service && systemctl start libvirtd.service), then see if you can connect to the system daemon with virt-manager. You should be prompted for root passwd before you can actually do anything useful on the privileged connection.

KVM+TPM2.0+Win10/11 has been tested on SLES 15 SP5, which has the same virtualization components as Leap 15.5, but only with the libvirt system daemon. I think you will also have success after connecting virt-manager to your system daemon.

I tried enabling libvirtd now, it indeed wasn't running. I also was then prompted for the root password by virt-manager. However, starting the VM after that made no difference, as far as I can tell everything behaves the same way, including the CD ROM not booting. For what it's worth the VM is currently set to TPM 1.2 since I couldn't get TPM 2.0 to work, maybe that would be solved by libvirtd. But from my understanding of Windows 10, it shouldn't matter for being able to boot a Windows 10 ISO. (While I eventually plan to upgrade to Windows 11 which is more picky there I imagine, I would first have to manage to make my Windows 10 install boot again.)

This is unrelated but I guess shows qemu/kvm on openSUSE generally has issues: when I start this VM it often also just plain crashes:

[808495.284276] qemu-kvm[6408]: segfault at 55e00766e9b0 ip 00007fd18d4a66de sp 00007ffdb1c1e8f0 error 4 in libc-2.31.so[7fd18d409000+1e8000]
[808495.284299] Code: 84 5c ff ff ff 0f 1f 80 00 00 00 00 48 8d 0c 68 0f b7 11 66 85 d2 0f 84 45 ff ff ff 48 8d 04 e8 83 ea 01 4c 8b 80 80 00 00 00 <49> 8b 30 48 89 b0 80 00 00 00 66 89 11 4c 89 c0 49 c7 40 08 00 00

When I retry a few times, it always runs eventually. This VM was migrated from Fedora originally, where no such issues were present.

Created attachment 870641 [details]
Screenshot of Windows 10 disk install

Sometimes I still manage to somehow get into the disk install, or at least I think that's what I'm seeing. However it just tells me to get a Windows 10 ISO to fix it, which is what I have been trying to do. But since the ISO doesn't boot at all, I'm currently stuck.

(I assume the disk install breaking is because I switched from whatever is the default firmware to this secure boot Tiago one, and therefore whatever registration of the EFI bootloader of the disk install existed is either invalid or gone, and the BIOS no longer quite knows how to boot this without it being fixed and adjusted. Not that I would understand any details.)

Anything useful I can still provide? TPM 2.0 also isn't repaired by the elevated VM either, it doesn't really seem to change anything at all: TPM 1.2 only, and Windows 10 ISO doesn't boot.

I have an openSUSE Leap 15.5 box so I thought I would see what I could reproduce.  First made sure the box was fully up to date.  All commands were done as a regular user.

I first tried installing Win10 and Win11 vms via virt-manager.
- Added UEFI x86_64: /usr//share/qemu/ovmf-x86_t40smm-ms-code.bin
- Added Emulated TPM 2.0

Both the Win10 and Win11 vms could boot off the Windows installation ISOs and the vms were successfully installed.

Installed gnome-boxes.  I haven't used gnome-boxes before so it was a bit of trial and error to get things going.

Gnome-boxes saw the previously installed win10 and win11 vms.  Gnome-boxes could boot and run both vms.

Tried to install a win11 vm from within gnome-boxes.
- Clicked +
- Create virtual machine from file
- Select Windows 11 ISO.  Gnome-boxes could not identify the ISO so I manually selected Microsoft Windows 11.
- Adjust Memory to 4 Gig
- Adjust Storage limit to 60 Gig
- Enable EFI
- Create
- TianoCore logo shows on the screen
- Press any key to boot from CD or DVD...
- Pressed space bar, the installation started.
- Clicked Install
- Select Windows 11 Pro
- Error: This PC can't run Windows 11.

I didn't know how to add the emulated TPM from within gnome-boxes.  Clicking Preferences and clicking Edit Configuration did nothing.

Went back into virt-manager.  Virt-manager could see the Windows 11 vm configuration started in gnome-boxes.  I added the TPM 2.0 emulated device and exited out of virt-manager.

Went back into gnome-boxes.  Started the Win11 vm from before:
- TianoCore logo shows on the screen
- Press any key to boot from CD or DVD...
- Start the installation
- Install Now
- Select Windows 11 Pro
- Click on accept
- Select Custom install
- Installation starts
- After a couple of reboots, the installation completes successfully.

After the win11 vm was installed and running.  Shutdown the vm.  Started the vm:
- Press Esc to get into UEFI configuration
- Select Boot Manager
- Select UEFI QEMU DVD_ROM_QM00005
- Press any key to boot from CD or DVD...
- Pressed space bar and the installation ISO booted up.
- Shutdown the vm and let it boot back up to win11 as normal.

Unfortunately I'm not able to see the issues described in this bug.  As far as I can tell, Things are working OK for me.

Created attachment 870733 [details]
broken VM's config file (.xml)

The problem is likely in the detailed VM setup, since that changed with various gnome-boxes versions. Something in how my VM is configured must be breaking TPM 2.0, cause crashes, and break booting a Windows 11 ISO. Sadly, I compared to a blank new Windows 11 VM config and couldn't spot what looked like any relevant difference, so I'm really not sure where it went off the rails. But there has to be something somewhere.

For what it's worth, this is the error I'm getting when I try to use TPM 2.0:

Error starting domain: internal error: qemu unexpectedly closed the monitor: 2023-11-13T23:01:06.815311Z qemu-kvm: tpm-emulator: TPM result for CMD_INIT: 0x101 operation failed

I also attached the VM config of that as XML file.

Created attachment 870811 [details]
My working win11 xml file

The attachment shows my working win11 xml configuration that is running in gnome-boxes on leap 15.5.  This was obtained via `virsh dumpxml`.  I don't know if there is a gnome-boxes way of getting the xml file. 

I'm not sure what else I can look at.  On my Leap 15.5 system I can create and run a win11 vm with virtual-manager.  That same vm is seen by gnome-boxes and gnome-boxes can run that vm.  I can create a win11 vm with gnome-boxes as well.

It might be possible that you have an outdated component on your system somewhere but I wouldn't know what you should look for.

Did you try to boot the Windows 10 ISO? I didn't ever try the Win11 one (since that wouldn't be helpful to me). The XML files clearly have many differences, now I guess the question is which ones are relevant.

Created attachment 870812 [details]
win10 xml file

I was also able to install a win10 vm without issue.  For some reason gnome-boxes thought that the ISO was a win11 ISO so there are some win11 label references in the xml file.  But the actual ISO was a win10 ISO.

I see! I even copied the TPM 2.0 setting over from your one working VM, gets me the instant fatal boot error still. I'm really not sure what the problem is, but something sure isn't quite working with TPM and cdrom booting.

I just moved from Leap 15.5 to Slowroll, now I can't even look at the VM graphical output anymore in virt-manager since that gives me a crash:

[ 3541.018622] traps: virt-manager[1038] trap int3 ip:7f35a8b6fc37 sp:7ffc733e5720 error:0 in libglib-2.0.so.0.7800.0[7f35a8b2c000+97000]

When I try to open gnome-boxes it instant-crashes as well (without me even trying to open up the VM, I imagine maybe this happens because unlike virt-manager it shows a thumbnail of the VM's graphical output and that alone maybe already crashes it):

[ 3660.744215] traps: bijiben-shell-s[2323] trap int3 ip:7fe3f2efdc37 sp:7fe3e11f7710 error:0 in libglib-2.0.so.0.7800.0[7fe3f2eba000+97000]
[ 3661.559542] traps: bijiben-shell-s[2402] trap int3 ip:7f5be3a07c37 sp:7f5bcd7f8710 error:0 in libglib-2.0.so.0.7800.0[7f5be39c4000+97000]
[ 3661.939805] traps: gnome-boxes[2410] trap int3 ip:7fb32115cc37 sp:7ffd9258f380 error:0 in libglib-2.0.so.0.7800.0[7fb321119000+97000]

Here's what gdb managed to show me about the gnome-boxes crash (the zypper debuginfo install line sadly didn't work with the default slowroll repos, I assume that's why there's no line numbers):

(gdb) exec /usr/bin/gnome-boxes
(gdb) run
Starting program: /usr/bin/gnome-boxes 
Missing separate debuginfos, use: zypper install gnome-boxes-debuginfo-45.0-1.1.x86_64
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
[New Thread 0x7fffeb41b6c0 (LWP 21377)]
[New Thread 0x7fffeac1a6c0 (LWP 21378)]
[New Thread 0x7fffea4196c0 (LWP 21379)]
[New Thread 0x7fffe9c136c0 (LWP 21380)]
error: XDG_RUNTIME_DIR is invalid or not set in the environment.
error: XDG_RUNTIME_DIR is invalid or not set in the environment.
error: XDG_RUNTIME_DIR is invalid or not set in the environment.
EGLDisplay Initialization failed: EGL_NOT_INITIALIZED
[New Thread 0x7fffe8dd26c0 (LWP 21381)]
[New Thread 0x7fff83fff6c0 (LWP 21382)]
[New Thread 0x7fff7bfff6c0 (LWP 21383)]
[New Thread 0x7fff837fe6c0 (LWP 21384)]
[New Thread 0x7fff82ffd6c0 (LWP 21385)]
[New Thread 0x7fff827fc6c0 (LWP 21386)]
[New Thread 0x7fff81ffb6c0 (LWP 21387)]
[New Thread 0x7fff817fa6c0 (LWP 21388)]
[Thread 0x7fff817fa6c0 (LWP 21388) exited]
[Thread 0x7fff81ffb6c0 (LWP 21387) exited]
[Thread 0x7fff827fc6c0 (LWP 21386) exited]
[Thread 0x7fff82ffd6c0 (LWP 21385) exited]

(gnome-boxes:21374): Gtk-CRITICAL **: 03:53:15.517: _gtk_css_lookup_resolve: assertion '(((__extension__ ({ GTypeInstance *__inst = (GTypeInstance*) ((provider)); GType __t = ((_gtk_style_provider_private_get_type ())); gboolean __r; if (!__inst) __r = (0); else if (__inst->g_class && __inst->g_class->g_type == __t) __r = (!(0)); else __r = g_type_check_instance_is_a (__inst, __t); __r; }))))' failed

(gnome-boxes:21374): GLib-GObject-CRITICAL **: 03:53:15.517: g_object_set_data_full: assertion 'G_IS_OBJECT (object)' failed

(gnome-boxes:21374): Gtk-ERROR **: 03:53:15.517: Can't create a GtkStyleContext without a display connection

Thread 1 "gnome-boxes" received signal SIGTRAP, Trace/breakpoint trap.
0x00007ffff7d8b2da in g_log_writer_default () from /lib64/libglib-2.0.so.0
(gdb) bt
#0  0x00007ffff7d8b2da in g_log_writer_default () at /lib64/libglib-2.0.so.0
#1  0x00007ffff7d88ba1 in g_log_structured_array () at /lib64/libglib-2.0.so.0
#2  0x00007ffff7d8976f in g_log_structured_standard () at /lib64/libglib-2.0.so.0
#3  0x00007ffff76a2c7b in  () at /lib64/libgtk-3.so.0
#4  0x00007ffff7ea6db9 in g_type_create_instance () at /lib64/libgobject-2.0.so.0
#5  0x00007ffff7e8a460 in  () at /lib64/libgobject-2.0.so.0
#6  0x00007ffff7e8bb06 in g_object_new_with_properties () at /lib64/libgobject-2.0.so.0
#7  0x00007ffff7e8c9b1 in g_object_new () at /lib64/libgobject-2.0.so.0
#8  0x00007ffff77a82ef in  () at /lib64/libgtk-3.so.0
#9  0x00007ffff77a856e in gtk_style_new () at /lib64/libgtk-3.so.0
#10 0x00007ffff77ad7a1 in gtk_widget_get_default_style () at /lib64/libgtk-3.so.0
#11 0x00007ffff773bc34 in  () at /lib64/libgtk-3.so.0
#12 0x00007ffff7ea6d7b in g_type_create_instance () at /lib64/libgobject-2.0.so.0
#13 0x00007ffff7e8a460 in  () at /lib64/libgobject-2.0.so.0
#14 0x00007ffff7e8c633 in g_object_new_valist () at /lib64/libgobject-2.0.so.0
#15 0x00007ffff7e8c989 in g_object_new () at /lib64/libgobject-2.0.so.0
#16 0x00007ffff2bcca58 in  () at /lib64/libwebkit2gtk-4.1.so.0
#17 0x00007ffff1a9528f in __pthread_once_slow () at /lib64/libc.so.6
#18 0x00007ffff2bccbe6 in  () at /lib64/libwebkit2gtk-4.1.so.0
#19 0x00007ffff2bd72eb in  () at /lib64/libwebkit2gtk-4.1.so.0
#20 0x00007ffff2be6b78 in  () at /lib64/libwebkit2gtk-4.1.so.0
#21 0x00007ffff2a40371 in  () at /lib64/libwebkit2gtk-4.1.so.0
#22 0x00007ffff2a0dabb in  () at /lib64/libwebkit2gtk-4.1.so.0
#23 0x00007ffff2a0e062 in  () at /lib64/libwebkit2gtk-4.1.so.0
#24 0x00007ffff2a607c2 in  () at /lib64/libwebkit2gtk-4.1.so.0
#25 0x00007ffff2a61257 in  () at /lib64/libwebkit2gtk-4.1.so.0
#26 0x00007ffff2b070bf in  () at /lib64/libwebkit2gtk-4.1.so.0
#27 0x00007ffff7e8a533 in  () at /lib64/libgobject-2.0.so.0
#28 0x00007ffff7e8bb06 in g_object_new_with_properties () at /lib64/libgobject-2.0.so.0
#29 0x00007ffff7e8c9b1 in g_object_new () at /lib64/libgobject-2.0.so.0
#30 0x00007ffff2b021d9 in  () at /lib64/libwebkit2gtk-4.1.so.0
#31 0x00007ffff7dad53d in g_once_impl () at /lib64/libglib-2.0.so.0
#32 0x000055555558b039 in  ()
#33 0x00007fffffffeb50 in  ()
#34 0x00007fffffffeb44 in  ()
#35 0x00007fffffffeb48 in  ()
#36 0x000055555560a0c2 in  ()
#37 0x00007fffffffec98 in  ()
#38 0x00007ffff7ffd000 in _rtld_local () at /lib64/ld-linux-x86-64.so.2
#39 0x0000555555685230 in  ()
#40 0x0000555555587104 in  ()
#41 0x00000001f1bf3020 in  ()
#42 0x00007fffffffec88 in  ()
#43 0x0000000000000000 in  ()
(gdb)

Nevermind, some ugprades fixed the crash now. So slowroll is now back to the previous state: UEFI firmware comes up fine, but Windows 10 install disk won't boot. I compared the XMLs again, and the only notable difference seems to be my VM uses VirtIO for the disk install instead of SATA. But I fail to understand how that would affect the CD ROM, that one is SATA for both.

It really surprises me a little that TPM and Windows 11 still are so flaky. One would think these are pretty commonly used. I mean it's nice that it works on freshly created VMs, but especially with the machine-bound licensing of Windows it's not that feasible to just throw away the install all the time.

I have a suspicion now after more testing that the error screen I'm seeing IS actually the Windows 10 ISO and not the disk install showing that error.

In that case everything would actually be working fine on the virtualization side. I'll close this for now until I get any evidence saying otherwise, while I'm working with some folks hopefully smarter than me to figure out why the install or repair part doesn't quite want to get going.

Sorry for all the ticket noise! As for TPM 2.0, I made a new VM now after all and moved the pre-existing storage over, and now it just works with no real explanation why. I'll take it, I guess.

Sorry, I dug some more and got some responses on a windows forum, it appears the "Press Any Key To Boot from CD or DVD..." is the ISO, but the other error is NOT. Therefore, I think it might still be a virtualization bug because the ISO/DVD doesn't show me an error but rather doesn't even seem to really try to boot past the initial text line when it should. (Rather than what I thought in the previous comment, boot and recognize the disk install but then give me some error because it doesn't like it.)

So I see the initial launch text from the ISO/DVD, but then some sort of compatibility issue with libvirt seems to throw me out of it immediately and to the next boot option. Really odd. Is there a known problem with this of any kind?

Hi Ellie,

in terms of the errors with gnome-boxes I hope that someone from the gnome-bugs list can help you out.

Have you given a thought to try to use virt-manager instead of gnome-boxes, if virt-manager works fine for your use? Or are you seeing problems with that tool too?

In virt-manager I can't currently create any VMs due to https://github.com/virt-manager/virt-manager/issues/596 so I'm forced to create them with gnome-boxes.

I can launch them however with either virt-manager or gnome-boxes as a UI, and no matter which I pick, the DVD will show that single text line but then when I press a key abort boot and jump to the disk booting as I described. So this problem isn't depending on what UI was used to launch it. Whether it depends on how gnome-boxes specifically created the VM I wouldn't know, I used gnome-boxes's default Windows 11 template.

For what it's worth, I just created a blank new VM from gnome-boxes via "Install from media" and picked the Windows 11 ISO and the ISO doesn't boot either. Strange.

I got around to trying a Windows 11 ISO! Sadly, the same problem. It shows the "Windows failed to start screen" in a VM created via gnome-boxes's "Install from file" with no disk image attached, so all fresh and new.

There really seems to be a major problem concerning this OVMF firmware and secure boot and the setup via gnome-boxes. I now made a new VM from the Windoww 11 ISO again, and now it boots - but it just uses SeaBIOS and no secure boot, which isn't compatible with Windows 11 to start with. Once I try to manually switch it over again to the TiagoCore, everything breaks. It seems to be completely impossible to set up a Windows 11 compatible machine that can actually boot the official ISO, or if there's a way I'm all ears because I can't get it to work no matter what I try.

I finally found a workaround for https://github.com/virt-manager/virt-manager/issues/596 and managed to create a VM with virt-manager. This VM, unlike what gnome-boxes does, has TPM 2 and secure boot via TianoCore enabled and, unlike doing this manually for gnome-boxes via common blog post approaches, it actually boots the Windows 11 ISO just fine.

After some reviewing of my tickets I also found with https://bugzilla.opensuse.org/show_bug.cgi?id=1218452 I basically unintentionally made a duplicate of this one here, but it describes the problem better. So I'm closing this one here.

*** This bug has been marked as a duplicate of bug 1218452 ***