diff --git a/flake.nix b/flake.nix
index 690b1ab..884349e 100644
--- a/flake.nix
+++ b/flake.nix
@@ -38,6 +38,7 @@
image-aarch64 = pkgsCross.callPackage ./pkgs/image { inherit version updateUrl secureBoot; };
qemu-uefi-tpm = pkgs.callPackage ./utils/qemu-uefi-tpm.nix { };
+ qemu-aarch64-uefi-tpm = pkgs.callPackage ./utils/qemu-aarch64-uefi-tpm.nix { };
firewall-sysext = pkgs.callPackage ./lib/make-sysext.nix {
name = "firewall-tools";
diff --git a/utils/qemu-aarch64-uefi-tpm.nix b/utils/qemu-aarch64-uefi-tpm.nix
new file mode 100644
index 0000000..87c9d69
--- /dev/null
+++ b/utils/qemu-aarch64-uefi-tpm.nix
@@ -0,0 +1,54 @@
+{
+ pkgs,
+ ...
+}:
+pkgs.writeShellApplication {
+ name = "qemu-aarch64-uefi-tpm";
+
+ runtimeInputs = with pkgs; [
+ qemu
+ swtpm
+ ];
+
+ text =
+ let
+ tpmOVMF = pkgs.OVMF.override {
+ tpmSupport = true;
+ secureBoot = true;
+ };
+ in
+ ''
+ set -ex
+ state="/tmp/patos-qemu-$USER"
+ rm -rf "$state"
+ mkdir -m 700 "$state"
+ qemu-img create -f qcow2 -F raw -b "$(readlink -e "$1")" "$state/disk.qcow2" 2G
+
+ OVMF_FD=$(nix-build '<nixpkgs>' --no-out-link -A OVMF.fd --system aarch64-linux)
+ cp "$OVMF_FD/AAVMF/vars-template-pflash.raw" "$state/vars-pflash.raw"
+ chmod u+w "$state/vars-pflash.raw"
+
+ # swtpm socket -d --tpmstate dir="$state" \
+ # --ctrl type=unixio,path="$state/swtpm-sock" \
+ # --tpm2 \
+ # --log file="$state/swtpm.log",level=20
+
+ qemu-system-aarch64 \
+ -machine virt,gic-version=max \
+ -cpu max \
+ -smp 8 \
+ -m 4G \
+ -display none \
+ -serial stdio \
+ -drive "if=pflash,format=raw,unit=0,readonly=on,file=$OVMF_FD/AAVMF/QEMU_EFI-pflash.raw" \
+ -drive "if=pflash,format=raw,unit=1,file=$state/vars-pflash.raw" \
+ -device virtio-scsi-pci \
+ -device virtio-gpu-pci \
+ -device virtio-net-pci,netdev=wan \
+ -netdev user,id=wan \
+ -device virtio-rng-pci,rng=rng0 \
+ -object rng-random,filename=/dev/urandom,id=rng0 \
+ -device virtio-serial-pci \
+ -drive "format=qcow2,file=$state/disk.qcow2"
+ '';
+}