Sorry also for my late reply. As far as I know there is nothing special to it, I just have this in the XML for the guest:
<os>
  <type arch="x86_64" machine="pc-q35-4.2">hvm</type>
  <loader readonly="yes" secure="yes" type="pflash">/usr/share/edk2-ovmf/x64/OVMF_CODE.secboot.fd</loader>
  <nvram>/var/lib/libvirt/qemu/nvram/win10_VARS.fd</nvram>
  <bootmenu enable="no"/>
</os>
The loader line is the same for all guests; the nvram is guest-specific. Then enable a TPM device in the guest config:
<tpm model="tpm-tis">
  <backend type="emulator" version="2.0"/>
  <alias name="tpm0"/>
</tpm>
That did it for me. Why did I want this: I assigned an NVMe drive to each guest, so I wanted encryption. If you just use a qcow2 for the guest disk, it would be OK (for me) to just encrypt the drive where the qcow2s reside.
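A small checker for the setup described in this post, added here as an example and not part of the original post: it parses a libvirt domain XML and reports whether the guest has a q35 machine type, a read-only Secure Boot pflash loader with a per-guest NVRAM file, and an emulated TPM 2.0 device. The domain XML embedded in the script is a constructed sample built from the fragments above; the function name is my own.

```python
"""Check a libvirt domain XML for the Secure Boot + emulated TPM 2.0 setup
from the post. Added example; the sample XML is constructed, not a real guest."""
import xml.etree.ElementTree as ET

# Constructed sample domain XML, trimmed to the elements this check looks at.
SAMPLE_DOMAIN_XML = """<domain type="kvm">
  <os>
    <type arch="x86_64" machine="pc-q35-4.2">hvm</type>
    <loader readonly="yes" secure="yes" type="pflash">/usr/share/edk2-ovmf/x64/OVMF_CODE.secboot.fd</loader>
    <nvram>/var/lib/libvirt/qemu/nvram/win10_VARS.fd</nvram>
    <bootmenu enable="no"/>
  </os>
  <devices>
    <tpm model="tpm-tis">
      <backend type="emulator" version="2.0"/>
      <alias name="tpm0"/>
    </tpm>
  </devices>
</domain>"""


def check_secure_boot_tpm(domain_xml: str) -> list[str]:
    """Return a list of findings; an empty list means the guest matches the
    q35 + secure pflash loader + per-guest nvram + emulated TPM 2.0 setup."""
    root = ET.fromstring(domain_xml)
    findings = []
    os_type = root.find("./os/type")
    if os_type is None or "q35" not in os_type.get("machine", ""):
        findings.append("os/type: machine type is not q35")
    loader = root.find("./os/loader")
    if loader is None:
        findings.append("os/loader: missing")
    else:
        if loader.get("type") != "pflash":
            findings.append("os/loader: type is not pflash")
        if loader.get("readonly") != "yes":
            findings.append("os/loader: firmware image is not read-only")
        if loader.get("secure") != "yes":
            findings.append('os/loader: secure="yes" not set')
    if root.find("./os/nvram") is None:
        findings.append("os/nvram: no per-guest NVRAM file")
    tpm = root.find("./devices/tpm")
    if tpm is None:
        findings.append("devices/tpm: no TPM device")
    else:
        backend = tpm.find("backend")
        if backend is None or backend.get("type") != "emulator":
            findings.append("devices/tpm: backend is not an emulator")
        elif backend.get("version") != "2.0":
            findings.append("devices/tpm: emulated TPM is not version 2.0")
    return findings
```

To check a real guest, feed the function the output of `virsh dumpxml <guest>` instead of the constructed sample.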