Win X, Fedora, And A KVM

Most of you know that for almost the last two years I've been running a Linux daily driver with a Windows 7 KVM (kernel based virtual machine), I've been really happy with the setup, it has been basically trouble free, robust, and offers the best that both Windows and Linux have to offer.

As we all know Win 7 is coming to the end of its service life and I was starting to see issues with drivers and some newer programs not performing as expected, I've lived with the issues because they haven't been much more than an annoyance until I bought Just Cause 3, trying to play the game is almost impossible on my setup, lots of latency in the entire system that never appeared on any other game or piece of software.

At the same time I've been wanting to do a fresh install of Fedora 25 and build a new Windows KVM to address a few problems that I created because of being a total noob at Linux when I originally built the system, I've updated the host system over the years from Fedora 22 to 23 then to 24 then to 25, but I really wanted to start fresh.

I also had the idea of trying to move to Windows 8.1 (I know) I've stated here on the forum many times in threads that I would be staying with Win 7 but it just isn't going to work out, I've already had issues with video drivers (Crimson) not installing correctly and creating lots of BSODs, newer programs not wanting to play nice, and just the general sluggishness that Win 7 has at times.

So a friend of mine offered me a copy of Win X enterprise which is the version that does allow you to shut off at least some of the telemetry (MS's term for built-in spyware), only problem is he didn't have an activation key I could use, so a little research and it seems you can run it without activation but no one can say just how long and I figured I'd give it a try and worst case I'd have to buy a key from one of the re-sellers.

I decided to give it a try, building the KVM this time I wanted to use UEFI instead of the SeaBIOS I had been using which is supposed to boot much faster, I also wanted to change the USB controller I was passing through from a USB 2 to a USB 3 and change a few other pieces of hardware into a better configuration for a more modern OS to run as a guest.

Installation went great, I've done the hardware pass through on my system so many times that I almost know the IDs of the devices by heart, I wanted to use Fedora with the KDE DE and built the system that way on the first attempt but Plasma 5.8 was just flaky on my hardware, I had problems with Samba shares, had problems with it not using Wayland, and other assorted issues that would creep up over normal usage that seemed to be related to graphic drivers but it was so sporadic it was hard to pin down.

So goodbye KDE and back to Gnome which has always just flat worked for me, I got my host installed and configured, updated, and tweaked to my liking, on to the KVM, I had a little problem with pointing at the ISO I wanted to use first putting it on a thumb drive that QEMU/virt-manager couldn't find but just pointing the installer at my directory where the ISO resided did the trick, the install of the enterprise edition is pretty much the same as a normal Win X or 8.1 install with the exception of a few questions about domains and such, unlike an install of previous MS operating systems it doesn't ask or try to shove you towards a MS account just to install the OS.

Using UEFI to boot the guest prolly cut the boot up time down to about 1/3 of what it took for Win 7 using SeaBIOS but I have no way to know if that is totally based on the different BIOSs or partially because of a more modern operating system...either way it boots pretty fast like 20sec or so to get to the login screen...not too bad.

I used the custom install not the express that was of course recommended by the installer, lots of switches to turn off, probably more options or switches than I've seen mentioned before and while it looks like you're turning off stuff including updates (you can only put them off to a later date, not just opt out from what I could tell) but we will see just how much is actually turned off and what has a useless switch that does nothing.

It really didn't like that I turned off Windows firewall and Windows defender which caused multiple pop ups from the action center, but I installed GlassWire to monitor what is going on, I don't use any AV software on guest systems since they are in a VM container, Steam installed just fine and JC2 and JC3 loaded faster and ran better than on the old system, when I was finished I took a snapshot of the VM to create a restore or new build point....all in all so far so good!

The lack of activation so far hasn't been an issue but I doubt it will let me go very long (maybe long enough to cast judgment...we will see) but from what I've read it just nags you from time to time, I wasn't able to join our "home group" even with the correct password, it kept error-ing out saying it didn't detect a home group even though 5 minutes before it said there was one and told you where you could get the password, I have a feeling this is a side effect of not activating it, they can keep you from network resources like shared printers, but network-wise it sees my network, can access any server on the network (ie Ubuntu, FreeNAS) so the lack of being able to access a network printer isn't a deal breaker just yet....lol.

Anyway thanks for taking the time to read my post, sorry I'm reneging on never using Win X.... and it's way too early for me to give any hard facts about how the enterprise edition behaves operating in a KVM but so far it looks like it will be just fine.

As always comments and suggestions are welcome.

4 Likes

I should work on my dual boot and vm stuff for win 10? Win 10 :( becoming only for the bleating sheep.( I say that because it is all I hear every month at least once a month :) I kind of dig Fedora now whereas I did not use to. The first Linux distro that I installed and it was broke :) Opensuse Leap is still my fav for main. Unless there is something specific in Fedora you need. I am a Fan of KDE but avoided this time around in Fedora just to not have some of the flaky issues :) It will be interesting to watch your progress with this.

1 Like

Yeah, I've used KDE before and have always liked it better than Gnome which is why I gave it a try, but it was just flaky, not really unstable but just had a bunch of random issues that seemed to change with each reboot, I had installed it on Fedora 24 and would switch back and forth between it and Gnome but on Fedora 25 it was just bad.

I use Fedora for only one reason and that is the KVM, the Kernel and QEMU, IOMMU, and virt-manager being constantly updated, and it challenges me to use the CLI which if I was using OpenSuse I would not, while I originally was scared to death of the CLI today I'm pretty comfortable with using it, if Fedora wasn't so dedicated to virtualization I would be running Suse...it's just one of the best modern up-to-date distros out there and using YaST makes it easy to edit and configure.

I have Fedora on my new media storage/ media machine for now with Opensuse for my main. I personally have yet to dig that far into Linux as I am just configuring basic machines by simple purpose. So much wasted time on Windows.

2 Likes

.......72 hours later!

A couple things to add to my original post that might be of interest, first and foremost Just Cause 3 runs great, keep in mind I did not change any type of hardware physically I only changed the USB controller being passed to the guest from a USB 2 to a USB 3, the amount of memory (16g) and the number of CPU cores (6) is the same along with the GPU (270x) as my previous setup. In that setup running Win 7 the game was absolutely not playable even with everything at the lowest settings and not running full screen, the only real difference here is the guest OS the game is running on top of, now the game runs as expected with the install defaults....

Second, I was able to activate Win X, I used a little program that prolly is against the forum rules to talk about, but just do a search on YouTube and you will find it, now to see just how long it works, but I was able to use the "personalize" function that Win X locks you out of until activated, I have yet to try joining a home group but will try that tonight to see if activating had any effect.

Third, even though the "Enterprise edition" gives you lots of settings to turn off and on that the standard Win X doesn't offer, GlassWire shows a lot of traffic when the system is idle and even more when in use (I'll do a screen shot eventually to show what is going on) which makes me believe that no matter what you change the telemetry is "hard coded" into the OS and the switches provided to the user interface are just to give the casual user peace of mind, but so far I've had no prompts to install updates I have waiting even though they are shown in the notification center as pending updates, so far it's letting me hold off on installing them.

Fourth, the most interesting thing to me and was a question floating around was "Does Win X write to the UEFI BIOS" I can confirm that it does indeed make changes to the UEFI BIOS. Case in point..... I had to reboot my host system last night and when it tried to boot back up I got a blue screen (not a BSOD) that was telling me I needed to run diagnostic tools because the boot up had problems, it gave you several choices of things to run that all looped back to the original screen, the last entry was something about a BIOS check, entering the UEFI I found that an entry had been added to the boot order that said Windows bla bla and made the default, changing that entry back to my boot SSD allowed Fedora to boot again.

This was the first reboot of the host system since installing Win X and came as a surprise since it is running in a VM (KVM), I would have thought that Win X would have been contained and restrained to that container but obviously that isn't the case which opens up lots of other questions about hardware upgrades in the future and if the guest Win X OS is going to create problems? It also begs the question as to what it can see of the underlying host system? and what effect it can have or impose, or even try to impose on the host...hopefully nothing but we will see what the future has to bring.

I might add that I did not set up the guest to boot with the host, they boot independently even though I rarely run one without the other, but I wanted the flexibility of independent operation, still I'm pretty happy with the operation, Win X is stable and the system seems to be better than the old setup but it's still way too early to know what the total picture is going to look like. I might also add part of my reasoning for doing this is I have plans to build a new PC in 2017 based on a Ryzen CPU after we see real world benchmarks and pricing stabilizes, and this will also be a hardware pass through setup.

4 Likes

Here's a couple screen grabs of the activity Win X is creating along with the normal traffic since midnight...

There are a few interesting entries like Windows media player which I've never used, along with the search and cortana that haven't been used by me either...

Still won't join the "home group" and I'm not sure if that is because the other Windows PCs on the network are Win 7 boxes but it seems to be able to access everything that is shared from those boxes except a printer....weird.

WX wrote UEFI settings from a VM? WTH that should at least not be possible with default settings, if at all.
Even if isolation handled in virtual machines isn't necessarily 100% isolated every time, depending on what settings you set, both for the VM and the host... the VM can access i.e. hardware straight, and the host might not block obscure access calls, which SELinux in Fedora /should/ block unless SELinux is disabled, or you're running it as an unconfined user and there's some serious borks.

If you enable a VM access to the host UEFI you can basically kiss every security measure goodbye.

1 Like

I question this too. My understanding is that the file specified in nvram normally stores the UEFI settings for the VM. e.g.

<nvram>/var/lib/libvirt/qemu/nvram/vmname_VARS.fd</nvram>

I suppose a test I would like to see is if you remove the Windows UEFI entry in your hardware, does the Windows VM still boot straight to disk? If you recreate or create another Windows VM, does the entry come back?

1 Like

Interested :)

1 Like

I need to do more research but the Windows entry in the boot order of the UEFI did not exist as a boot option prior to installing Win X, I'm thinking it is because I'm using UEFI to boot the KVM instead of SeaBIOS that I had been using the last couple years and that is the cause or ?? but I've never read or heard of anyone else mentioning it, but lots of speculation on Win X, hardware, and UEFI and Win X affecting hardware upgrades after the fact requiring re-activation. In my mind since a bare metal install of Win X can have this effect I'm assuming it is happening in my case for the same reasons...may not be the case though.

I only know it didn't exist before installing Win X enterprise in the VM.

It is no longer the first boot device I had to change to my SSD to get the host system back up, but it booted normally loading grub after changing it back and the VM started without any error messages, the VM has been shut down, rebooted, restarted several times without any errors but I have yet to reboot the host to see if it changes the boot order again, but I'll do that tonight and see what happens, I'll also look at the UEFI and get the exact name of the boot entry that was added.

On a semi-related note the friend that gave me the copy of enterprise asked if it installed and activated which I told him it had just fine, he said he thought they had a .iso of the LTSB version but again no key (he is the IT security guy for a local bank), I had originally asked him about the LTSB version because that was what I really wanted to use since it lacks much of the BS that even the enterprise version still has in it like Cortana and the app store along with the ability to stave off updates for a long time if I understand how it works....anyway he is renewing his search for it...lol

If the LTSB version shows up I will be building another VM using it, which may or may not answer a few questions.


The odd thing which made me mention the effect on UEFI in the first place was the "Windows Blue Screen" I got when I tried to reboot the host which I should have written down or taken a picture of, it just freaked me out and I went into panic mode with the thought that I had wasted a lot of hours (two days actually), I was more interested in getting the host back up than documenting what was going on, I'm reasonably sure that changing the boot entry back will recreate the screen, I'll do that and post a picture in the next few days.

Both the host and guest seem to be working fine, everything is stable with no errors, the only issue I have is that the guest will not join the existing Win 7 "home group", it's not a big deal but is the only remaining issue I have to solve.

1 Like

Agreed 100%

I'm also curious if this has anything to do with the "secure boot" that Windows has implemented since Win 8 that allows you to access UEFI settings from the OS, it would explain the Windows blue screen I got rebooting the host if the guest had written to the FAT of the host drive which Windows would need to do.....

Looking around on the net this is very similar to the "windows blue screen" I got rebooting my Fedora host, while it had many of the same options it also had an enter UEFI option that I don't see in this list.....

I'll keep looking to see if I find the exact screen......but will take a picture of it on my system if I can recreate it again.

That looks like you just booted to an existing (orphan?) efi partition, my guess

1 Like

I really don't see how that is possible since the boot SSD I used for the host system was brand new right out of a sealed box, it had Fedora 25 with KDE installed then formatted and Fedora 25 Gnome installed, then had the KVM created and Win 10 enterprise installed to a separate 2tb WD black conventional HD.

I made a point of replacing the boot SSD with a new unit on this computer since the original SSD I was using was smaller capacity and a couple years old, now the WD black drive has been around for a number of years and has been in a few different computers, I'm sure at some point it could have been a boot drive for a Win 7 machine and of course it was formatted in Linux to ext4 before letting QEMU create a qcow2 partition for the VM to reside.

I might also mention I've never installed or used a Windows OS newer than Win 7, so the chance of having a HD laying around that had Win 8 or 10 on from a previous install isn't a possibility. I also pulled all of the storage drives from this computer prior to doing this build and they are still out of the computer and have never been put back in the system yet.

Ok so here are the images of my UEFI entry that was added during the Win X install...

And here the pic of the error message I get at bootup if I enable that choice...

Sorry for the size and poor quality they are cell phone pictures....

So after rebooting the guest several times then shutting it down and rebooting the host it appears that the entry was created when I installed Win X, but it's happy being a 3rd boot option and doesn't try to change back, once I chose my SSD grub loaded as normal and has now every time I reboot the host, I did change the boot option back to windows in the UEFI to get the error screen to pop up for a picture.

Another thing that I noticed is that while doing a clean up of my host system I deleted the .iso that I used to install Win X enterprise, trying to boot the guest afterwards gave me an error that the file was missing, I had to put the file back in my home folder (from the trash) and the guest boots as intended with no errors....weird!

Out of curiosity, did you pass a physical disk (/dev/sdxy) through to the VM rather than an image?

I've found that when you do that, your UEFI will find the disk and say "Oh, you've got Windows on here, you must want to boot to it." It has nothing to do with Windows writing UEFI vars from within the VM.

To resolve this, I just passed through a partition of my SSD to the VM.

That's especially odd. I can't explain that, but I'd be interested in figuring it out.

Do you have AD set up on your network? I've never been able to get WX EE installed without connecting to AD.

1 Like

Yes I did, an entire 2tb WD conventional HD, my boot SSD that houses the host system is only 256g and since I tend to run my computers for a couple years before upgrading I wanted to leave myself plenty of room/options, a 20 or 40g partition isn't going to do me a lot of good considering the kinds of things I do in the guest system, a 1tb might have worked out but really wanted the extra space for Windows/Programs/files.

But what you're saying does make sense and is a logical conclusion......I believe you hit the nail on the head. :)

Not a clue what AD is....help me out here..lol Oh Active Directory?

And I guess just in case there are any doubts.....

The UEFI thing makes sense now.

That actually doesn't sound strange. If you define a disk device of any kind and point it to a file or device that doesn't exist, it should raise an error. If you remove the virtual CD device, there should be no problem with deleting the image file.

1 Like
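
Added example, not written by any poster in this thread: a small audit of a libvirt domain definition that reports the three things the thread ended up turning on, namely the per-VM `<nvram>` variable store, disks backed by a host block device, and disk or CD sources whose backing file no longer exists. The sample XML, the guest name `vmname`, `/dev/sdb` and the ISO path are constructed for illustration; on a real host the input would come from `virsh dumpxml`.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample in the shape of `virsh dumpxml` output (all names and paths are assumptions).
SAMPLE_DOMAIN_XML = """
<domain type='kvm'>
  <name>vmname</name>
  <os>
    <type arch='x86_64' machine='q35'>hvm</type>
    <loader readonly='yes' type='pflash'>/usr/share/edk2/ovmf/OVMF_CODE.fd</loader>
    <nvram>/var/lib/libvirt/qemu/nvram/vmname_VARS.fd</nvram>
  </os>
  <devices>
    <disk type='block' device='disk'>
      <source dev='/dev/sdb'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <disk type='file' device='cdrom'>
      <source file='/home/user/win10-enterprise.iso'/>
      <target dev='sda' bus='sata'/>
    </disk>
  </devices>
</domain>
"""

def audit_domain(xml_text, exists=os.path.exists):
    """Return (nvram_path, findings) for one libvirt domain definition."""
    root = ET.fromstring(xml_text)
    # Guest UEFI variables live in this file, not in the host firmware.
    # None means the guest has no <nvram> element (e.g. a SeaBIOS guest).
    nvram = root.findtext("./os/nvram")
    findings = []
    for disk in root.findall("./devices/disk"):
        src = disk.find("source")
        target = disk.find("target")
        name = target.get("dev") if target is not None else "?"
        if src is None:
            continue  # empty removable drive, nothing to check
        path = src.get("dev") or src.get("file")
        if path is None:
            continue  # network or volume source, out of scope here
        if disk.get("type") == "block" and disk.get("device") == "disk":
            # A whole physical disk given to the guest carries the guest's EFI
            # system partition on real hardware, where host firmware can find it.
            findings.append((name, path, "host-block-device"))
        if not exists(path):
            # A defined device pointing at a deleted file makes the guest fail to start.
            findings.append((name, path, "missing-source"))
    return nvram, findings

if __name__ == "__main__":
    nvram, findings = audit_domain(SAMPLE_DOMAIN_XML)
    print("guest UEFI variable store:", nvram)
    for name, path, kind in findings:
        print(f"{name}: {path} -> {kind}")
```
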