{"id":2379,"date":"2023-03-08T18:16:01","date_gmt":"2023-03-09T01:16:01","guid":{"rendered":"https:\/\/www.itayemi.com\/blog\/?p=2379"},"modified":"2023-03-29T16:00:17","modified_gmt":"2023-03-29T22:00:17","slug":"install-osx-ventura-13-x-on-qemu-kvm-linux","status":"publish","type":"post","link":"https:\/\/www.itayemi.com\/blog\/2023\/03\/08\/install-osx-ventura-13-x-on-qemu-kvm-linux\/","title":{"rendered":"INSTALL OSX VENTURA (13.x) ON QEMU\/KVM (Linux)"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">NOTE: for educational purposes only<\/h2>\n\n\n\n<p>GUIDE: Used OSX-KVM with modifications: https:\/\/github.com\/kholia\/OSX-KVM<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>I installed the latest QEMU (compiled from source):<br>root@itamint:~# apt install -y gcc make ninja-build libglib2.0-dev libpixman-1-dev ncurses-dev libusb-dev libusb-1.0-0-dev libusbredirparser1 libusbredirhost1 usbutils<br>root@itamint:~# git clone https:\/\/github.com\/qemu\/qemu.git<br>root@itamint:~# cd qemu<br>root@itamint:~\/qemu# .\/configure --enable-vde --enable-libusb --prefix=\/usr\/local --target-list=&quot;i386-softmmu x86_64-softmmu&quot;<br>root@itamint:~\/qemu# make<br>root@itamint:~\/qemu# make install<br>root@itamint:~\/qemu# qemu-system-x86_64 --version<br>QEMU emulator version 7.2.50 (v7.2.0-2313-g9832009d9d)<br><br><\/li>\n\n\n\n<li>Install libvirtd\/QEMU<br>root@itamint:~# apt update -y<br>root@itamint:~# apt install qemu-kvm qemu-system qemu-utils python3 python3-pip libvirt-clients libvirt-daemon-system bridge-utils virtinst libvirt-daemon virt-manager cpu-checker -y<br>root@itamint:~# usermod -aG root<br>root@itamint:~# newgrp kvm<br>root@itamint:~# systemctl enable libvirtd<br>root@itamint:~# systemctl start libvirtd<br>root@itamint:~# virsh net-start default<br>root@itamint:~# virsh net-autostart default<br><br>NOTE: this is to make networking config easy. We won&#8217;t use the qemu version 6.x installed above. 
We will use the much newer version we compiled earlier, which is installed in \/usr\/local\/bin\/, whereas the apt command puts qemu in \/usr\/bin\/. To confirm you are using the right qemu, run &#8220;which qemu-system-x86_64&#8221; <br><br><\/li>\n\n\n\n<li>Setup networking so that the VM has network access:<br>I have put all the networking and firewall rules in a script which can then be executed with a command such as &#8220;sudo \/home\/itababa\/setup_firewall.sh&#8221;<br><br>itababa@itamint:~\/OSX-KVM$ cat \/home\/itababa\/setup_firewall.sh<br>#!\/usr\/bin\/bash<br><br># create a VDE switch and add a subnet range to it. also add an IP address to the switch as it will be the gateway for connected VMs:<br>vde_switch -tap vde0 -daemon<br>ip link set dev vde0 up<br>ip addr add 10.0.2.1\/24 dev vde0<br>ip route add 10.0.2.0\/24 dev vde0<br>echo 1 &gt; \/proc\/sys\/net\/ipv4\/conf\/vde0\/proxy_arp<br><br># NOTE: it is possible to setup DHCP on the switch but I will be using static IPs in this guide<br><br># Internet access to the VMs (execute on the QEMU hypervisor host) where wlp5s0 is the WAN NIC on the Ubuntu QEMU host:<br>echo 1 &gt; \/proc\/sys\/net\/ipv4\/ip_forward<br>iptables -t nat -A POSTROUTING -o wlp5s0 -j MASQUERADE<br>iptables -I FORWARD 1 -i vde0 -j ACCEPT<br>iptables -I FORWARD 1 -o vde0 -m state --state RELATED,ESTABLISHED -j ACCEPT<br><br># On the QEMU hypervisor (Linux) host, configure the rules for the ports to be forwarded to the OSX VM:<br>iptables -A INPUT -p tcp --dport 2222 -j ACCEPT<br>iptables -t nat -A PREROUTING -p tcp --dport 2222 -j DNAT --to-destination 10.0.2.100:22<br>iptables -A INPUT -p tcp --dport 5905 -j ACCEPT<br>iptables -t nat -A PREROUTING -p tcp --dport 5905 -j DNAT --to-destination 10.0.2.100:5900<br># end of networking script<br><br><\/li>\n\n\n\n<li>&#8220;Install&#8221; OSX in the VM using OSX-KVM:<\/li>\n<\/ul>\n\n\n\n<p>itababa@itamint:~\/$ sudo echo 1 | sudo tee 
\/sys\/module\/kvm\/parameters\/ignore_msrs<br>itababa@itamint:~\/$ sudo cp kvm.conf \/etc\/modprobe.d\/kvm.conf<\/p>\n\n\n\n<p>itababa@itamint:~\/$ sudo groupadd kvm<br>itababa@itamint:~\/$ sudo groupadd libvirt<br>itababa@itamint:~\/$ sudo groupadd input<\/p>\n\n\n\n<p>itababa@itamint:~\/$ sudo usermod -aG kvm $(whoami)<br>itababa@itamint:~\/$ sudo usermod -aG libvirt $(whoami)<br>itababa@itamint:~\/$ sudo usermod -aG input $(whoami)<\/p>\n\n\n\n<p>itababa@itamint:~\/$ cd ~<br>itababa@itamint:~\/$ git clone --depth 1 --recursive https:\/\/github.com\/kholia\/OSX-KVM.git<br>itababa@itamint:~\/$ cd OSX-KVM<br>itababa@itamint:~\/OSX-KVM$ pwd<br>\/home\/itababa\/OSX-KVM<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Fetch the Ventura Installer (option 6):<br>itababa@itamint:~\/OSX-KVM$ .\/fetch-macOS-v2.py<br><br><\/li>\n\n\n\n<li>Convert the downloaded BaseSystem.dmg file into the BaseSystem.img file.<br>itababa@itamint:~\/OSX-KVM$ dmg2img -i BaseSystem.dmg BaseSystem.img<br><br><\/li>\n\n\n\n<li>Create a virtual HDD image where macOS will be installed.<br>itababa@itamint:~\/OSX-KVM$ qemu-img create -f qcow2 mac_hdd_ng.img 128G<br><br><\/li>\n\n\n\n<li>Edit the OpenCore-Boot.sh script and make the following changes:<br>&#8211; increase the RAM from 4096MB to 8192MB (ALLOCATED_RAM variable)<br>&#8211; add avx2 to the CPU flags list (MY_OPTIONS variable)<br>&#8211; change the CPU from Penryn to Cascadelake-Server-noTSX (only one that didn&#8217;t cause random freezing after installation and reboot loop during installation from the several I tested. 
Unfortunately the VM still freezes\/hangs consistently between 10 and 12 minutes after startup.)<br>&#8211; since we are using VDE, comment out the default NIC entry starting with &#8220;-netdev user&#8221; and replace it with our VDE line (see below).<br>&#8211; Below is how the relevant lines looked in my modified OpenCore-Boot.sh file:<br>root@itamint:\/home\/itababa\/OSX-KVM# diff OpenCore-Boot.sh OpenCore-Boot.sh.org<br>MY_OPTIONS=&quot;+ssse3,+sse4.2,+popcnt,+avx,+avx2,+aes,+xsave,+xsaveopt,check&quot;<br>ALLOCATED_RAM=&quot;8192&quot; # MiB<br>-enable-kvm -m &quot;$ALLOCATED_RAM&quot; -cpu Cascadelake-Server-noTSX,kvm=on,vendor=GenuineIntel,+invtsc,vmware-cpuid-freq=on,&quot;$MY_OPTIONS&quot;<br>-device virtio-net-pci,netdev=net0,mac=52:54:00:e6:5d:16 -netdev vde,id=net0<br><\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Run the OpenCore-Boot.sh script (with admin rights as root or using sudo) to create the VM and start the installation (this starts a VNC session listening on localhost:5901 for example. 
Use Mobaxterm\/VNC or putty tunnel+VNC client to access the VNC session)<br>itababa@itamint:~\/OSX-KVM$ sudo .\/OpenCore-Boot.sh<br>VNC server running on 127.0.0.1:5901 (output of executing the OpenCore-Boot.sh script)<br>NOTE: without &#8220;sudo&#8221; or &#8220;root&#8221; user, you will get an error similar to &#8220;Could not open vde: No such file or directory&#8221;<br><br><\/li>\n\n\n\n<li>Connect to the VNC session (using a VNC client):<br><br><\/li>\n\n\n\n<li>Go through the installation steps (use Disk Utility to erase the target disk, then install Ventura)<br><br><\/li>\n\n\n\n<li>Optional: Log in to OSX and enable &#8220;remote management&#8221; (VNC) and &#8220;remote login&#8221; (SSH) (from &#8220;System Settings \u2026&#8221; &#8211; it is no longer called &#8220;System Preferences&#8221;)<br><br><\/li>\n\n\n\n<li>Optional: if you enabled &#8220;remote management&#8221; (VNC) and\/or &#8220;remote login&#8221; (SSH), you can connect directly to the OSX VM via a VNC client (using the IP address of the Linux host and port 5901) and\/or via SSH (using the IP address of the Linux host and port 2222). The connections work because we included the relevant forwarding rules in the firewall script (above). <br><br><\/li>\n\n\n\n<li>Navigate to &#8220;System Settings&#8221; &gt; Network &gt; Ethernet &gt; &#8220;Details&#8230;&#8221;. Assign a static IP address such as 10.0.2.100 (see the setup_firewall.sh script above) to the OSX with subnet mask 255.255.255.0 and Router 10.0.2.1 (IP address of the VDE switch). Also assign the VDE switch IP address as the DNS Server.<br><br><\/li>\n\n\n\n<li>Optional: Update OpenCore-Boot.sh and comment out the 2 lines that attach the installer disk to the VM i.e.,<br># -device ide-hd,bus=sata.3,drive=InstallMedia<br># -drive id=InstallMedia,if=none,file=&quot;$REPO_PATH\/BaseSystem.img&quot;,format=raw<br><\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Optional: shutdown OSX. 
Modify OpenCore-Boot.sh so that it starts the VM &#8220;headless&#8221; (i.e., running as a background process):<br>Comment out the line &#8220;-monitor stdio&#8221; and add a line below it with &#8220;-daemonize&#8221; without the double-quotes.<br><br><\/li>\n\n\n\n<li>Start the VM (in the OSX-KVM directory) with the command: sudo .\/OpenCore-Boot.sh<br><br><\/li>\n\n\n\n<li>To configure the VM to auto-boot from the OSX disk, run this command at the UEFI shell: <br>bcfg boot add 0 FS0:\\EFI\\boot\\BOOT_X64.efi &quot;my_boot&quot;<br><br><\/li>\n\n\n\n<li>Boot to OSX from the UEFI shell with the command sequence (ENTER key after each one): FS0: &gt; cd EFI &gt; cd BOOT &gt; BOOTx64.efi<br><br><\/li>\n\n\n\n<li>You can now connect to the OSX VM with VNC (Linux host IP and port 5905 in this example) or SSH (Linux host IP and port 2222 in this example).<br> <\/li>\n<\/ul>\n\n\n\n<p>NOTE: Several methods to attach a USB stick\/device (e.g., one containing TimeMachine backups) to a QEMU VM<\/p>\n\n\n\n<p>Option 1: In Linux Mint (Debian\/Ubuntu), attached USB storage gets the group &#8220;disk&#8221;. So add your normal user to that group.<br>$ sudo usermod -aG disk itababa<br>$ newgrp disk<\/p>\n\n\n\n<p>&#8211; Then add the device node name of the USB device to the &#8220;args&#8221; list for QEMU in the OpenCore-Boot.sh file (get the device file from the output of &#8220;blkid&#8221; or &#8220;lsblk&#8221;, e.g., \/dev\/sdb):<br>-hdc \/dev\/sdb<\/p>\n\n\n\n<p>&#8211; you can also use the following 2 lines (equivalent to the single &#8220;-hdc \/dev\/sdb&#8221; line above)<br>-drive id=USBstick,if=none,file=&quot;\/dev\/sdb&quot;<br>-device ide-hd,bus=sata.5,drive=USBstick<\/p>\n\n\n\n<p>Note: in OSX, since the USB is &#8220;direct-attached&#8221;, it is treated as a HDD. To make the volume appear on the desktop, go to &#8220;Finder&#8221; (menu) &gt; &#8220;Settings&#8221;. 
Check\/select\/enable the &#8220;Hard disks&#8221; option.<\/p>\n\n\n\n<p>Option 2: Add the USB device&#8217;s &#8220;location&#8221; to the args list for QEMU in the OpenCore-Boot.sh file (get the hostbus and hostaddr from the output of the &#8220;lsusb&#8221; command). You must also change the permission on the device files (e.g., &#8220;sudo chmod o+rw \/dev\/bus\/usb\/002\/*&#8221;). This operation does not survive a reboot of the physical host or re-insertion of the USB, so if you want it permanent consider UDEV rules:<br>-device qemu-xhci,id=usbxhci<br>-usb -device usb-host,hostbus=2,hostaddr=6<\/p>\n\n\n\n<p>For example, in the &#8220;lsusb&#8221; output below, &#8220;Bus&#8221; is &#8220;hostbus&#8221; and &#8220;Device&#8221; is &#8220;hostaddr&#8221;<br>root@itamint:\/home\/itababa\/OSX-KVM# lsusb<br>\u2026<br>Bus 002 Device 006: ID 05dc:a838 Lexar Media, Inc. JumpDrive Tough<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p>IMPORTANT NOTE: to prevent the OSX on QEMU from freezing\/hanging (after about 10 mins uptime):<br>&#8211; Go to &#8220;System Settings \u2026&#8221; &gt; Energy Saver &gt; Conserve battery &gt; set &#8220;Put hard disks to sleep when possible&#8221; to disabled.<br>&#8211; Go to &#8220;System Settings \u2026&#8221; &gt; &#8220;Lock Screen&#8221; &gt; set &#8220;Turn display off when inactive&#8221; to &#8220;Never&#8221;<br>&#8211; Also, you MUST log in to an account; if you leave the system on the login screen, it will freeze\/hang.<\/p>\n\n\n\n<p>* If you restore a Time Machine backup along with &#8220;System &amp; Networking&#8221;, check afterwards that the two settings above have not reverted to their defaults.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>NOTE: Take snapshots often (e.g., before using &#8220;Migration Assistant&#8221; to restore TimeMachine backups from another OSX)<br>&#8211; take an internal snapshot:  qemu-img snapshot -c mac_hdd_ng.ss.030823.img mac_hdd_ng.img<br>&#8211; list internal snapshots:  qemu-img snapshot -l 
mac_hdd_ng.img<br>&#8211; revert\/restore to a snapshot:  qemu-img snapshot -a mac_hdd_ng.ss.030823.img mac_hdd_ng.img<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>NOTE: IF &#8220;managed device attestation&#8221; is configured on your source OSX from which you restored a Time Machine backup, you may notice ACME (or a similar policy enforcement) app is installed and running.<br>IF your source OSX is part of a corporate network, unless you decide to connect to the corporate VPN (unlikely for the purpose of this procedure), ACME won&#8217;t be able to validate your OSX VM config and may isolate your restored OSX VM (no networking access). To fix this, temporarily stop the ACME app, or permanently remove it:<br>&#8211; Use the Utilities &gt; &#8220;Activity Monitor&#8221; &gt; to stop the ACME process<br>&#8211; Go to Applications folder and delete (&#8220;move to trash&#8221;) the ACME app shortcut<br>&#8211; Go to folder ~\/Library\/ and delete (&#8220;move to trash&#8221;) the ACME folder<\/li>\n<\/ul>\n\n\n\n<p><strong>References:<\/strong><br>https:\/\/wiki.qemu.org\/Documentation\/Networking<br>https:\/\/documentation.suse.com\/sles\/15-SP2\/html\/SLES-all\/cha-qemu-running.html<br>https:\/\/qemu-project.gitlab.io\/qemu\/system\/qemu-cpu-models.html<br>https:\/\/kb.nmsu.edu\/page.php?id=99123 (enable remote management i.e., 
VNC)<br>https:\/\/setapp.com\/how-to\/how-to-access-your-mac-remotely<br>https:\/\/www.qemu.org\/2017\/11\/22\/haxm-usage-windows\/<br>https:\/\/qemu-project.gitlab.io\/qemu\/system\/devices\/usb.html<br>https:\/\/askubuntu.com\/questions\/15570\/configure-udev-to-change-permissions-on-usb-hid-device\/15643<br>https:\/\/unix.stackexchange.com\/questions\/141255\/give-a-specific-user-permissions-to-a-device-without-giving-access-to-other-user<br>https:\/\/blog.programster.org\/qemu-img-cheatsheet<br>https:\/\/www.linux-kvm.org\/images\/6\/65\/02x08B-Max_Reitz-Backups_with_QEMU.pdf<br>https:\/\/unix.stackexchange.com\/questions\/530674\/qemu-doesnt-respect-the-boot-order-when-booting-with-uefi-ovmf<br>https:\/\/github.com\/sickcodes\/Docker-OSX<br>https:\/\/www.cyberciti.biz\/faq\/kvm-forward-ports-to-guests-vm-with-ufw-on-linux\/<br>https:\/\/support.apple.com\/guide\/deployment\/managed-device-attestation-dep28afbde6a\/web<\/p>\n","protected":false},"excerpt":{"rendered":"<p>NOTE: for educational purposes only GUIDE: Used OSX-KVM with modifications: https:\/\/github.com\/kholia\/OSX-KVM itababa@itamint:~\/$ sudo echo 1 | sudo tee \/sys\/module\/kvm\/parameters\/ignore_msrsitababa@itamint:~\/$ sudo cp kvm.conf \/etc\/modprobe.d\/kvm.conf itababa@itamint:~\/$ sudo groupadd kvmitababa@itamint:~\/$ sudo groupadd libvirtitababa@itamint:~\/$ sudo groupadd input itababa@itamint:~\/$ sudo usermod -aG kvm $(whoami)itababa@itamint:~\/$ sudo &hellip; <a href=\"https:\/\/www.itayemi.com\/blog\/2023\/03\/08\/install-osx-ventura-13-x-on-qemu-kvm-linux\/\">Continue reading <span 
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":336,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[1436,1426,1422,1278,1423,1424,1421,1376,1282,1425],"class_list":["post-2379","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-acme","tag-avx2","tag-kvm","tag-macos","tag-monterey","tag-opencore","tag-osx-ventura","tag-qemu","tag-virtualbox","tag-vnc"],"_links":{"self":[{"href":"https:\/\/www.itayemi.com\/blog\/wp-json\/wp\/v2\/posts\/2379","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.itayemi.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.itayemi.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.itayemi.com\/blog\/wp-json\/wp\/v2\/users\/336"}],"replies":[{"embeddable":true,"href":"https:\/\/www.itayemi.com\/blog\/wp-json\/wp\/v2\/comments?post=2379"}],"version-history":[{"count":19,"href":"https:\/\/www.itayemi.com\/blog\/wp-json\/wp\/v2\/posts\/2379\/revisions"}],"predecessor-version":[{"id":2441,"href":"https:\/\/www.itayemi.com\/blog\/wp-json\/wp\/v2\/posts\/2379\/revisions\/2441"}],"wp:attachment":[{"href":"https:\/\/www.itayemi.com\/blog\/wp-json\/wp\/v2\/media?parent=2379"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.itayemi.com\/blog\/wp-json\/wp\/v2\/categories?post=2379"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.itayemi.com\/blog\/wp-json\/wp\/v2\/tags?post=2379"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}