What were you trying to do that didn't work?

To enable Windows VBS and Credential Guard.

Please provide the package NVR for which bug is seen:

qemu-kvm-7.2.0-14.el9_2.x86_64
kernel-5.14.0-284.11.1.el9_2.x86_64
edk2-ovmf-20221207gitfff6d81270b5-9.el9_2.noarch
virtio-win-1.9.34-0.el9_2.iso

How reproducible:

100%

Steps to reproduce

1. Boot up guest with vmx=on
2. On the VMs operating system, navigate to the Core isolation details page:
   Settings > Update & Security > Windows Security > Device Security > Core isolation details
3. Reboot guest by click the 'Restart' button on Windows prompt
4. After VM boot up, run msinfo32.exe in a command prompt.
   Check if Credential Guard, Hypervisor enforced Code Integrity is listed under Virtualization-based security Services Running.

Expected results

Credential Guard is running

Actual results

Both VBS and Credential Guard are not running

Note: The issue has been fixed on RHEL9.4, it could be successfully enabled with below package version:
qemu-kvm-8.2.0-3.el9.x86_64
Edk2-ovmf-20231122-3.el9.noarch
Kernel-5.14.0-414.el9.x86_64
virtio-win-1.9.36-0.el9_3.iso

qemu cmdline:
/usr/libexec/qemu-kvm \
-name 'avocado-vt-vm1' \
-sandbox on \
-blockdev '

{"node-name": "file_ovmf_code", "driver": "file", "filename": "/usr/share/OVMF/OVMF_CODE.secboot.fd", "auto-read-only": true, "discard": "unmap"}

' \
-blockdev '

{"node-name": "drive_ovmf_code", "driver": "raw", "read-only": true, "file": "file_ovmf_code"}

' \
-blockdev '

{"node-name": "file_ovmf_vars", "driver": "file", "filename": "/root/avocado/data/avocado-vt/avocado-vt-vm1_win11-64-virtio-scsi-ovmf_qcow2_filesystem_VARS.raw", "auto-read-only": true, "discard": "unmap"}

' \
-blockdev '

{"node-name": "drive_ovmf_vars", "driver": "raw", "read-only": false, "file": "file_ovmf_vars"}

' \
-machine q35,pflash0=drive_ovmf_code,pflash1=drive_ovmf_vars,memory-backend=mem-machine_mem \
-device '

{"id": "pcie-root-port-0", "driver": "pcie-root-port", "multifunction": true, "bus": "pcie.0", "addr": "0x1", "chassis": 1}

' \
-device '

{"id": "pcie-pci-bridge-0", "driver": "pcie-pci-bridge", "addr": "0x0", "bus": "pcie-root-port-0"}

' \
-nodefaults \
-device '

{"driver": "VGA", "bus": "pcie.0", "addr": "0x2"}

' \
-m 126976 \
-object '

{"size": 133143986176, "id": "mem-machine_mem", "qom-type": "memory-backend-ram"}

' \
-smp 24,maxcpus=24,cores=12,threads=1,dies=1,sockets=2 \
-cpu 'Icelake-Server',ds=on,ss=on,dtes64=on,vmx=on,pdcm=on,hypervisor=on,tsc-adjust=on,avx512ifma=on,sha-ni=on,rdpid=on,fsrm=on,md-clear=on,stibp=on,flush-l1d=on,arch-capabilities=on,xsaves=on,ibpb=on,ibrs=on,amd-stibp=on,amd-ssbd=on,rdctl-no=on,ibrs-all=on,skip-l1dfl-vmentry=on,mds-no=on,pschange-mc-no=on,tsx-ctrl=on,sbdr-ssdp-no=on,psdp-no=on,fb-clear=on,gds-no=on,vmx-ins-outs=on,vmx-true-ctls=on,vmx-store-lma=on,vmx-activity-hlt=on,vmx-activity-wait-sipi=on,vmx-vmwrite-vmexit-fields=on,vmx-apicv-xapic=on,vmx-ept=on,vmx-desc-exit=on,vmx-rdtscp-exit=on,vmx-apicv-x2apic=on,vmx-vpid=on,vmx-wbinvd-exit=on,vmx-unrestricted-guest=on,vmx-apicv-register=on,vmx-apicv-vid=on,vmx-rdrand-exit=on,vmx-invpcid-exit=on,vmx-vmfunc=on,vmx-shadow-vmcs=on,vmx-rdseed-exit=on,vmx-pml=on,vmx-xsaves=on,vmx-tsc-scaling=on,vmx-invvpid=on,vmx-invvpid-single-addr=on,vmx-invvpid-all-context=on,vmx-ept-execonly=on,vmx-page-walk-4=on,vmx-page-walk-5=on,vmx-ept-2mb=on,vmx-ept-1gb=on,vmx-invept=on,vmx-eptad=on,vmx-invept-single-context=on,vmx-invept-all-context=on,vmx-intr-exit=on,vmx-nmi-exit=on,vmx-vnmi=on,vmx-preemption-timer=on,vmx-posted-intr=on,vmx-vintr-pending=on,vmx-tsc-offset=on,vmx-hlt-exit=on,vmx-invlpg-exit=on,vmx-mwait-exit=on,vmx-rdpmc-exit=on,vmx-rdtsc-exit=on,vmx-cr3-load-noexit=on,vmx-cr3-store-noexit=on,vmx-cr8-load-exit=on,vmx-cr8-store-exit=on,vmx-flexpriority=on,vmx-vnmi-pending=on,vmx-movdr-exit=on,vmx-io-exit=on,vmx-io-bitmap=on,vmx-mtf=on,vmx-msr-bitmap=on,vmx-monitor-exit=on,vmx-pause-exit=on,vmx-secondary-ctls=on,vmx-exit-nosave-debugctl=on,vmx-exit-load-perf-global-ctrl=on,vmx-exit-ack-intr=on,vmx-exit-save-pat=on,vmx-exit-load-pat=on,vmx-exit-save-efer=on,vmx-exit-load-efer=on,vmx-exit-save-preemption-timer=on,vmx-entry-noload-debugctl=on,vmx-entry-ia32e-mode=on,vmx-entry-load-perf-global-ctrl=on,vmx-entry-load-pat=on,vmx-entry-load-efer=on,vmx-eptp-switching=on,hle=off,rtm=off,mpx=off,intel-pt=off,hv_stimer,hv_synic,hv_vpindex,hv_relaxed,hv_spinlocks=0x1fff,hv_vapic,hv_time,hv_frequencies,hv_runtime,hv_tlbflush,hv_reenlightenment,hv_stimer_direct,hv_ipi,hv-xmm-input,hv_tlbflush_ext,kvm_pv_unhalt=on \
-chardev socket,wait=off,id=qmp_id_qmpmonitor1,server=on,path=/var/tmp/avocado_zl15fv36/monitor-qmpmonitor1-20240202-001140-lb7zlTvK \
-mon chardev=qmp_id_qmpmonitor1,mode=control \
-chardev socket,wait=off,id=qmp_id_catch_monitor,server=on,path=/var/tmp/avocado_zl15fv36/monitor-catch_monitor-20240202-001140-lb7zlTvK \
-mon chardev=qmp_id_catch_monitor,mode=control \
-device '

{"ioport": 1285, "driver": "pvpanic", "id": "idWTbWZS"}

' \
-chardev socket,wait=off,id=chardev_serial0,server=on,path=/var/tmp/avocado_zl15fv36/serial-serial0-20240202-001140-lb7zlTvK \
-device '

{"id": "serial0", "driver": "isa-serial", "chardev": "chardev_serial0"}

' \
-chardev socket,id=seabioslog_id_20240202-001140-lb7zlTvK,path=/var/tmp/avocado_zl15fv36/seabios-20240202-001140-lb7zlTvK,server=on,wait=off \
-device isa-debugcon,chardev=seabioslog_id_20240202-001140-lb7zlTvK,iobase=0x402 \
-device '

{"id": "pcie-root-port-1", "port": 1, "driver": "pcie-root-port", "addr": "0x1.0x1", "bus": "pcie.0", "chassis": 2}

' \
-device '

{"driver": "qemu-xhci", "id": "usb1", "bus": "pcie-root-port-1", "addr": "0x0"}

' \
-device '

{"driver": "usb-tablet", "id": "usb-tablet1", "bus": "usb1.0", "port": "1"}

' \
-device '

{"id": "pcie-root-port-2", "port": 2, "driver": "pcie-root-port", "addr": "0x1.0x2", "bus": "pcie.0", "chassis": 3}

' \
-device '

{"id": "virtio_scsi_pci0", "driver": "virtio-scsi-pci", "bus": "pcie-root-port-2", "addr": "0x0"}

' \
-blockdev '{"node-name": "file_image1", "driver": "file", "auto-read-only": true, "discard": "unmap", "aio": "threads", "filename": "/home/kvm_autotest_root/images/win11-64-virtio-scsi-ovmf.qcow2", "cache": {"direct": true, "no-flush": false}}' \
-blockdev '{"node-name": "drive_image1", "driver": "qcow2", "read-only": false, "cache":

{"direct": true, "no-flush": false}

, "file": "file_image1"}' \
-device '

{"driver": "scsi-hd", "id": "image1", "drive": "drive_image1", "write-cache": "on"}

' \
-device '

{"id": "pcie-root-port-3", "port": 3, "driver": "pcie-root-port", "addr": "0x1.0x3", "bus": "pcie.0", "chassis": 4}

' \
-device '

{"driver": "virtio-net-pci", "mac": "9a:4f:bd:b2:46:13", "id": "idrvq3Yz", "netdev": "idwdxhHd", "bus": "pcie-root-port-3", "addr": "0x0"}

' \
-netdev '

{"id": "idwdxhHd", "type": "tap", "vhost": true}

' \
-blockdev '{"node-name": "file_winutils", "driver": "file", "auto-read-only": true, "discard": "unmap", "aio": "threads", "filename": "/home/kvm_autotest_root/iso/windows/winutils.iso", "cache": {"direct": true, "no-flush": false}}' \
-blockdev '{"node-name": "drive_winutils", "driver": "raw", "read-only": true, "cache":

{"direct": true, "no-flush": false}

, "file": "file_winutils"}' \
-device '

{"driver": "ide-cd", "id": "winutils", "drive": "drive_winutils", "write-cache": "on", "bus": "ide.1", "unit": 0}

' \
-vnc :0 \
-rtc base=localtime,clock=host,driftfix=slew \
-boot menu=off,order=cdn,once=d,strict=off \
-chardev socket,id=char_vtpm_avocado-vt-vm1_tpm0,path=/root/avocado/data/avocado-vt/swtpm/avocado-vt-vm1_tpm0_swtpm.sock \
-tpmdev emulator,chardev=char_vtpm_avocado-vt-vm1_tpm0,id=emulator_vtpm_avocado-vt-vm1_tpm0 \
-device '

{"id": "tpm-crb_vtpm_avocado-vt-vm1_tpm0", "tpmdev": "emulator_vtpm_avocado-vt-vm1_tpm0", "driver": "tpm-crb"}

' \
-enable-kvm