ElliotKillick / qvm-create-windows-qube

Spin up new Windows qubes quickly, effortlessly and securely on Qubes OS
https://elliotonsecurity.com
MIT License
346 stars, 45 forks

Windows 7 fails at Completing setup of Qubes Windows Tools #78

Open NipponBill opened 9 months ago

NipponBill commented 9 months ago

TL;DR: Attempting to install Windows 7 and the script fails at

from dom0 I run: qvm-create-windows-qube -n sys-firewall -soy -i win7x64sp1.iso -a win7x64-ultimate.xml win7

Everything runs normally until after the script gets through Installing Qubes Windows Tools...

Windows opens up to a Startup Repair dialog. It then restarts the VM to complete the repairs. Then the dom0 script does nothing. It seems to hang.

[user@dom0 Desktop]$ qvm-create-windows-qube -n sys-firewall -soy -i win7sp1.iso -a win7x64-ultimate.xml win7
[i] Preparing Windows media for automatic installation...
[i] Creating loop device from ISO...
[i] Mounting loop device...
[i] Creating new ISO...
Booting catalog starts at sector: 22 
Manufacturer of CD: Microsoft Corporation
Image architecture: x86
Boot media type is: no emulation
El Torito image starts at sector 734 and has 8 sector(s) of 512 Bytes

Image has been written to file "/tmp/boot.bin.aCqzb".
[i] Unmounting loop device...
Unmounted /dev/loop2.
[i] Deleting loop device...
[i] Deleting temporary boot image...
[+] Created automatic Windows installation media for win7sp1.iso successfully!
[i] Starting creation of win7
[i] Starting first part of Windows installation process...
[i] Starting second part of Windows installation process...
[i] Preparing Qubes Windows Tools for automatic installation...
[i] Installing Qubes Windows Tools...
[i] Completing setup of Qubes Windows Tools...

I have the tabit-pro QWT installed in dom0. This is a 64-bit Win7 ISO with SP1. I'm uncertain how to get beyond this step.

d2x commented 9 months ago

I have the same issue on Windows 10 Pro with QWT I compiled myself using the 9.0.0 PV drivers. I get stuck at the line prior with the Windows machine powered off.

$ qvm-create-windows-qube -i Win10_x64.iso -a win10x64-pro.xml -toy -n sys-firewall win-10-template
[i] Preparing Windows media for automatic installation...
[i] Starting creation of win-10-template
[i] Starting first part of Windows installation process...
[i] Starting second part of Windows installation process...
[i] Preparing Qubes Windows Tools for automatic installation...

It looks like the auto-qwt was built to not pull in the QWT installer package from the ISO due to potential security risks.

installer/README.txt:

Qubes Windows Tools are currently unavailable due to security concerns.
See https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-091-2023.txt for details.

As Windows is properly installed, you can allow unsigned drivers, reboot and run the QWT installer manually. This is only advised with an updated QWT package that utilizes 9.0.0.

d2x commented 9 months ago

It looks like the auto-qwt was built to not pull in the QWT installer package from the ISO due to potential security risks.

installer/README.txt:

Qubes Windows Tools are currently unavailable due to security concerns.
See https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-091-2023.txt for details.

I imagine this part was because I didn't delete my windows-mgmt AppVM and run the installer again. I rebuilt it with the install script and the executable was there.

There is still the need to enable unsigned drivers to be installed as the current ones are not signed. Still working through it but it may be as simple as adding the following to the oobeSystem section of the unattended answer file. Something like the below (doesn't work though):

    <settings pass="oobeSystem">
    [...]
        <component name="Microsoft-Windows-Deployment" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <RunSynchronous>
                <RunSynchronousCommand wcm:action="add">
                    <Description>Enable Test Signing</Description>
                    <Order>1</Order>
                    <Path>cmd.exe /c bcdedit /set testsigning on</Path>
                </RunSynchronousCommand>
                <RunSynchronousCommand wcm:action="add">
                    <Description>Disable Integrity Checks</Description>
                    <Order>2</Order>
                    <Path>cmd.exe /c bcdedit /set nointegritychecks on</Path>
                </RunSynchronousCommand>
            </RunSynchronous>
        </component>
    </settings>

and then turning those two settings off in one of the batch files after QWT installation, perhaps in install-qwt.bat:

@echo off
title %~f0

:: Copyright (C) 2023 Elliot Killick <contact@elliotkillick.com>
:: Licensed under the MIT License. See LICENSE file for details.

cd installer || exit
for %%i in (qubes-tools-*.exe qubes-tools-*.msi) do (
    start %%i /passive
)

bcdedit /set testsigning off
bcdedit /set nointegritychecks off

Even if all of the above worked as described, the installer will still prompt to allow installation of unsigned drivers even when it's run unattended. I haven't found a solution for that.
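The answer-file approach above switches off Windows code-integrity enforcement for the whole install, so it is worth checking that every `bcdedit ... on` in the unattend file has a matching `... off` in a post-install script. The following is an added example for this thread, not code from qvm-create-windows-qube; the unattend XML and cleanup batch text are constructed samples modelled on the snippets posted above.

```python
"""Audit an unattend answer file for RunSynchronousCommand entries that switch
off Windows code-integrity enforcement (the bcdedit toggles proposed above) and
check that a post-install script switches them back on. Added example only."""
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the oobeSystem snippet posted in the thread.
SAMPLE_UNATTEND = """<unattend xmlns="urn:schemas-microsoft-com:unattend"
    xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Deployment">
      <RunSynchronous>
        <RunSynchronousCommand wcm:action="add">
          <Order>1</Order><Path>cmd.exe /c bcdedit /set testsigning on</Path>
        </RunSynchronousCommand>
        <RunSynchronousCommand wcm:action="add">
          <Order>2</Order><Path>cmd.exe /c bcdedit /set nointegritychecks on</Path>
        </RunSynchronousCommand>
      </RunSynchronous>
    </component>
  </settings>
</unattend>"""
# Constructed cleanup batch that restores only one of the two settings.
SAMPLE_CLEANUP_BAT = "cd installer || exit\nbcdedit /set testsigning off\n"

TOGGLE = re.compile(r"bcdedit\s+/set\s+(testsigning|nointegritychecks)\s+(on|off)", re.I)

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the XML namespace, if any

def audit_unattend(xml_text, cleanup_scripts=()):
    """Map each weakened option to the settings pass that enables it and
    whether one of cleanup_scripts (batch file text) turns it off again."""
    weakened = {}
    for settings in ET.fromstring(xml_text).iter():
        if local(settings.tag) != "settings":
            continue
        for cmd in settings.iter():
            if local(cmd.tag) != "RunSynchronousCommand":
                continue
            path = next((c.text or "" for c in cmd if local(c.tag) == "Path"), "")
            m = TOGGLE.search(path)
            if m and m.group(2).lower() == "on":
                weakened[m.group(1).lower()] = {"pass": settings.get("pass"), "restored": False}
    for script in cleanup_scripts:
        for m in TOGGLE.finditer(script):
            if m.group(2).lower() == "off" and m.group(1).lower() in weakened:
                weakened[m.group(1).lower()]["restored"] = True
    return weakened
```

Run against the samples it reports `nointegritychecks` as enabled in the oobeSystem pass and never restored, which is exactly the case the cleanup batch above would miss if one line were dropped.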

NipponBill commented 9 months ago

@d2x Where are you getting the updated QWT package that utilizes 9.0.0?

d2x commented 9 months ago

@d2x Where are you getting the updated QWT package that utilizes 9.0.0?

I built it myself. I posted a high-level overview here in the forums.

ElliotKillick commented 9 months ago

Use the Windows 7 ISO download provided by Mido. It includes an MSU that adds support for SHA-256 driver signatures (Xen drivers only have SHA-256 signatures with no SHA-1). This is a known issue documented in the README, which only applies to Windows 7.

ElliotKillick commented 9 months ago

@d2x The answer files start executing from run.bat; this is the correct entry point to begin the QWT installation process: https://github.com/ElliotKillick/qvm-create-windows-qube/blob/master/tools/auto-qwt/run.bat

run.bat runs trust-certificates.bat to add Xen certificates, so these prompts don't show up. However, these may not work now that people have to use unsigned or self-built drivers. In this case, allow-drivers.vbs should work as a substitute. allow-drivers.vbs is a hack originally created to accept this prompt on Win7/2008R2, where MS intentionally broke the trust-certificates.bat method. However, now it's also being used to automate accepting the prompt on newer Windows versions: https://github.com/ElliotKillick/qvm-create-windows-qube/blob/master/tools/auto-qwt/allow-drivers.vbs

jpph commented 7 months ago

I had the same issue with win10. In case it helps others, I did what is said in the last message of this thread:

https://forum.qubes-os.org/t/qvm-create-windows-qube-qubes-windows-tools-install-hangs-infinitely/9851/17

(basically you need to update the ISO of the windows-tool in dom0)