Goal:
- Linux as your daily driver
- Windows 11 isolated on its own NVMe
- Secure Encrypted Virtualization (AMD SEV) for memory-encrypted VMs (the IOMMU, AMD-Vi / Intel VT-d, is enabled alongside it; VT-d itself does not encrypt memory)

Works perfectly for systems with:
- 2 × NVMe drives
- Modern AMD or Intel CPU (Ryzen 5000/7000 or Intel 12th–15th Gen)
- Dedicated GPU (Radeon / RTX / Arc)
| Step | Action | Purpose |
|---|---|---|
| 1 | Enter UEFI → Advanced → CPU Configuration → enable SVM (AMD) or VT-x (Intel) + IOMMU/VT-d | Turns on virtualization |
| 2 | (AMD only) Enable SEV, TSME, and SME if available | Enables memory encryption |
| 3 | Plug in only the first NVMe (for Linux) | Prevents the Windows installer from seeing it later |
| 4 | Boot the Linux installer (Fedora, Nobara, Pop!_OS, etc.) | Start main OS install |
| 5 | Create partitions: EFI (512 MB), root (ext4/btrfs), swap | Clean Linux layout |
| 6 | Finish install → reboot to confirm boot works | Linux EFI verified |
| 7 | Shut down the PC and unplug the Linux NVMe | Keeps Windows from overwriting GRUB |

Why: this keeps both operating systems physically separated: Linux gets its own EFI partition and Windows never knows it exists.
| Step | Action | Purpose |
|---|---|---|
| 8 | Plug in the second NVMe | Dedicated drive for Windows 11 |
| 9 | Boot the Windows 11 installer → delete all partitions | Fresh layout |
| 10 | Let Windows create its own EFI/MSR/NTFS partitions | Keeps boot records separate |
| 11 | Complete setup → disable Fast Startup + Hibernation (`powercfg /h off`) | Prevents NTFS corruption in dual-boot |
| 12 | In Disk Management, confirm only Windows partitions exist | Ensures isolation |
| 13 | Shut down → reconnect the Linux NVMe | Ready for dual-boot setup |

Why: Windows has no shared EFI or boot partition, so updates can't overwrite Linux boot files.
| Step | Action | Purpose |
|---|---|---|
| 14 | Boot into Linux (via the BIOS boot menu, e.g. F8 on ASUS) | Manual Linux boot |
| 15 | Run `sudo grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg` (or distro equivalent) | Detects Windows automatically |
| 16 | If Windows is not detected: `sudo os-prober && sudo update-grub` (on GRUB 2.06+ first set `GRUB_DISABLE_OS_PROBER=false` in `/etc/default/grub`, otherwise os-prober results are ignored) | Adds Windows EFI entry |
| 17 | Reboot → verify both Linux and Windows appear in the GRUB menu | Dual-boot ready |
| 18 | Set the Linux drive as first boot device in UEFI | Linux becomes default OS |

Why: Linux's GRUB now boots both systems cleanly, without touching the Windows EFI partition.
| Step | Action | Purpose |
|---|---|---|
| 19 | `sudo dnf install qemu-kvm libvirt virt-manager edk2-ovmf git` (Debian/Ubuntu: `apt`, where the OVMF package is named `ovmf`) | Install virtualization stack |
| 20 | `git clone https://github.com/AMDESE/amd-sev-tool.git && cd amd-sev-tool && make` | Build SEV utility |
| 21 | `sudo ./sevctl status` | Verify firmware SEV support |
| 22 | `lscpu \| grep -i "encryption"` and `dmesg \| grep -i sev` | Confirm the CPU flags and kernel log report SEV |
| 23 | Test VM: `qemu-system-x86_64 -enable-kvm -machine q35,confidential-guest-support=sev0 -object sev-guest,id=sev0,... ` | Confirm SEV is active (the guest kernel log reports memory encryption enabled) |
| 24 | Dump VM RAM from the host (e.g. `virsh dump --memory-only`) → it should be ciphertext | Confirms memory encryption is working |

Why: SEV/SME protect VM and swap memory from inspection, even by the host OS, which makes this ideal for a securely sandboxed Windows or other VMs.
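Step 24 says a host-side dump of the VM's RAM should be ciphertext. As an added example that is not part of the original guide, the script below splits a raw dump (for instance one written by `virsh dump --memory-only`) into 4 KiB pages and reports how many are high-entropy: an SEV guest dumped from the host should be almost entirely ciphertext, while an unencrypted guest shows zero pages and readable text. The sample dumps are constructed, and the 7.5 bits/byte threshold is an assumed heuristic (compressed data also scores high, so treat a pass as supporting evidence, not proof).

```python
import math
import random
import sys
from collections import Counter

PAGE = 4096             # inspect the dump in 4 KiB pages (x86 page size)
CIPHERTEXT_BITS = 7.5   # assumed threshold; random/encrypted data sits near 8.0 bits per byte


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte of buf: ~0 for a zero page, ~4 for ASCII text, ~8 for ciphertext."""
    n = len(buf)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def classify_dump(data: bytes) -> dict:
    """Count pages that look like ciphertext, all-zero, or plaintext (anything else)."""
    pages = [data[i:i + PAGE] for i in range(0, len(data), PAGE)]
    stats = {"pages": len(pages), "ciphertext": 0, "zero": 0, "plaintext": 0}
    for p in pages:
        if not any(p):                                   # unencrypted guests leave many zero pages
            stats["zero"] += 1
        elif shannon_entropy(p) >= CIPHERTEXT_BITS:
            stats["ciphertext"] += 1
        else:
            stats["plaintext"] += 1
    return stats


def looks_encrypted(data: bytes, min_ratio: float = 0.95) -> bool:
    """True when nearly every page is high-entropy, as a host-side dump of an SEV guest should be."""
    s = classify_dump(data)
    return s["pages"] > 0 and s["ciphertext"] / s["pages"] >= min_ratio


# Constructed sample dumps (not captured from real VMs).
def sample_plaintext_dump() -> bytes:
    text = (b"Windows Boot Manager\x00" * 256)[:PAGE]   # one ASCII-heavy page
    return b"\x00" * PAGE * 2 + text * 2                 # 2 zero pages + 2 text pages


def sample_ciphertext_dump() -> bytes:
    return random.Random(1234).randbytes(PAGE * 4)       # stands in for SEV-encrypted pages


if __name__ == "__main__":
    # Usage: python sev_dump_check.py /path/to/vm.dump  (no argument: run on the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_plaintext_dump()
    print(classify_dump(data), "looks encrypted" if looks_encrypted(data) else "NOT encrypted")
```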
| Step | Action | Purpose |
|---|---|---|
| 25 | `efibootmgr` → list boot entries | Useful for troubleshooting |
| 26 | Back up the EFI partition with `sudo dd if=/dev/nvme0n1p1 of=linux_efi.img` | Quick recovery option |
| 27 | Disable "Fast Boot" in UEFI | Prevents EFI boot-order chaos |
| 28 | Optional: `sudo chattr +i /boot/efi/EFI` | Makes the GRUB files immutable (only on filesystems that honor the immutable flag, such as ext4 or btrfs; a FAT-formatted ESP rejects it, so check the command's exit status rather than assuming it worked) |
| 29 | Use Timeshift or Snapper (btrfs) for Linux snapshots | Safe system rollback |

Why: small preventive steps make this setup nearly bulletproof: even a failed Windows update can't touch Linux.
1. Separate drives: the Windows EFI partition is on its own disk.
2. Linux boots first: GRUB controls boot, not Windows.
3. Windows "blindness": it never sees Linux partitions.
4. SEV/SME encryption: even virtualized Windows memory stays private.
5. Immutable GRUB: Windows updates can't overwrite your bootloader.

In short: Windows can't nuke your Linux ever again.
Keep Windows from auto-mounting (assigning drive letters to) Linux disks:

```
reg add "HKLM\SYSTEM\CurrentControlSet\Services\mountmgr" /v NoAutoMount /t REG_DWORD /d 1 /f
```

Note that this only stops Mount Manager from assigning drive letters to newly seen volumes (the same effect as `mountvol /N`); the disk still appears in Disk Management, and newly attached USB drives will also need a letter assigned by hand.