The latest KVM on Ubuntu Desktop 22.04 supports both TPM 2.0 and Secure Boot for Windows 11 guests. To use them, make sure the ovmf package is installed.
If you use Virtual Machine Manager (VMM, or virt-manager) to install Windows 11 from a Microsoft ISO, be sure to check "Customize configuration before install" before clicking the "Finish" button. VMM automatically detects the operating system version and customizes many things, including the TPM, but it will not choose the correct setting for Secure Boot.
When you get to the VM's configuration screen in VMM, you'll find that a TPM vNone device has already been added. Setting up Secure Boot properly will require manually selecting the correct firmware. To do that:
- Select Overview
- Under Hypervisor Details, go to Firmware
- From the drop-down select "UEFI x86_64:/usr/share/OVMF/OVMF_CODE_4M.secboot.fd"
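
To confirm the result after the VM is created, the domain XML (for example from `virsh dumpxml <domain>`) can be checked for the firmware path selected above and for a TPM 2.0 device. The following is an added example, not part of the original page; the function name `check_domain` and both sample XML documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Firmware image named on this page (the Secure Boot build of OVMF).
SECBOOT_FW = "/usr/share/OVMF/OVMF_CODE_4M.secboot.fd"

def check_domain(xml_text):
    """Return a list of problems found in a libvirt domain XML; empty means OK."""
    root = ET.fromstring(xml_text)
    problems = []

    loader = root.find("./os/loader")
    if loader is None:
        problems.append("no <loader>: guest boots with BIOS, not UEFI")
    else:
        path = (loader.text or "").strip()
        if path != SECBOOT_FW:
            problems.append(f"firmware is {path or '(empty)'}, expected {SECBOOT_FW}")
        if loader.get("secure") != "yes":
            problems.append("<loader> lacks secure='yes'")

    backend = root.find("./devices/tpm/backend")
    if backend is None:
        problems.append("no TPM device")
    elif backend.get("version") != "2.0":
        # A missing attribute is reported as 'unset' so it can be reviewed by hand.
        problems.append(f"TPM version is {backend.get('version', 'unset')}, expected 2.0")
    return problems

# Constructed sample: roughly what the steps above should produce.
GOOD = """<domain type='kvm'><name>win11</name>
  <os><type arch='x86_64' machine='q35'>hvm</type>
    <loader readonly='yes' secure='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE_4M.secboot.fd</loader></os>
  <devices><tpm model='tpm-crb'><backend type='emulator' version='2.0'/></tpm></devices>
</domain>"""

# Constructed sample: non-Secure-Boot firmware image, no secure flag, TPM version unset.
BAD = GOOD.replace("OVMF_CODE_4M.secboot.fd", "OVMF_CODE_4M.fd") \
          .replace(" secure='yes'", "").replace(" version='2.0'", "")

if __name__ == "__main__":
    for name, xml_text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_domain(xml_text) or "OK")
```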