Bug 1774158

Summary: Support Secured Windows Guests running on QEMU/KVM
Product: Red Hat Enterprise Linux Advanced Virtualization Reporter: Amnon Ilan <ailan>
Component: libtpms Assignee: ybendito
Status: CLOSED CURRENTRELEASE QA Contact: Qinghua Cheng <qcheng>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 8.2 CC: coli, hhei, jen, jinzhao, juzhang, leidwang, lijin, lmiksik, marcandre.lureau, mdean, qcheng, virt-maint, xiagao, xuli, yacao, yvugenfi
Target Milestone: rc Keywords: TestOnly
Target Release: 8.3   
Hardware: Unspecified   
OS: Unspecified   
Last Closed: 2021-01-08 16:29:13 UTC Type: Task
Bug Depends On: 1744045, 1828045    
Attachments:
Description Flags
Win10 attestation none

Description Amnon Ilan 2019-11-19 17:36:27 UTC
Windows has the Windows 10 Enterprise E5 version which is hardened with many security/protection features.
We would like to support running such a Windows VM on QEMU/KVM.
The purpose of this BZ is to test this version of Windows (in its most secured mode) on QEMU/KVM, and check whether it works already, or identify our gaps in supporting it.

Some relevant links:
https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2O8jv
https://docs.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements
https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-vbs

Comment 1 lijin 2019-11-20 06:31:29 UTC
Hi Amnon,

I can' find Windows 10 Enterprise E5 version in visual studio subscription channel, seems it's only provided by CSP channel.

Does developer get the win10 E5 iso? If yes, could you share it with QE?

Comment 2 lijin 2019-11-20 06:38:11 UTC
(In reply to lijin from comment #1)
> Hi Amnon,
> 
> I can' find Windows 10 Enterprise E5 version in visual studio subscription
> channel, seems it's only provided by CSP channel.

typo, can' ---> can't 

> Does developer get the win10 E5 iso? If yes, could you share it with QE?

Comment 5 Yvugenfi@redhat.com 2019-12-30 08:59:02 UTC
E5 is a license model that can be enabled on an installed Windows 10 Pro:
https://docs.microsoft.com/en-us/windows/deployment/deploy-enterprise-licenses

There is a description in the link on how to turn on E3\E5 for an installed Windows 10 Pro.

Comment 22 Qinghua Cheng 2020-07-28 02:39:48 UTC
Hi Amnon,

Do you mean bug 1744045 and bug 1858821 both will be moved to phase 2? 

If yes, it is ok to move this one ON_QA.

Thanks!

Comment 24 Meirav Dean 2020-08-05 12:41:16 UTC
Hi Cong Li,

Answering on behalf of Amnon :-)
In regard to your question in comment #23, the answer is yes.
This bug refers to security level 1 only (basic functionality).

Comment 25 Qinghua Cheng 2020-09-14 01:31:16 UTC
Created attachment 1714708 [details]
Win10 attestation

Comment 28 Jeff Nelson 2021-01-08 16:29:13 UTC
RHEL AV 8.3.0 has been shipped, therefore marking this BZ CLOSED CURRENTRELEASE.