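# Dev helper: boot a raw disk image under QEMU with OVMF (UEFI) firmware and
# an emulated TPM 2.0 (swtpm), on a throw-away qcow2 overlay.
#
# Usage of the resulting script:  qemu-uefi-tpm <raw-image> [overlay-size]
#   <raw-image>     raw disk image to boot; it is never written to, all
#                   guest writes land in a qcow2 overlay in the state dir.
#   [overlay-size]  virtual size of that overlay, default 10G.
#
# The guest serial console and the QEMU monitor share stdio (mux=on) and are
# mirrored to $state/console.log; guest port 22 is forwarded from
# 127.0.0.1:2222 on the host.
{ config, pkgs, ... }:
pkgs.writeShellApplication {
  name = "qemu-uefi-tpm";
  runtimeInputs = with pkgs; [ qemu swtpm ];
  text = let
    # OVMF built with TPM support, so the firmware can talk to the emulated
    # TPM exposed below via tpm-tis.
    tpmOVMF = pkgs.OVMF.override { tpmSupport = true; };
  in ''
    # writeShellApplication already sets -euo pipefail; -x traces commands.
    set -ex

    if [ "$#" -lt 1 ] || [ "$#" -gt 2 ]; then
      echo "usage: $0 <raw-image> [overlay-size]" >&2
      exit 64
    fi

    # Resolve the base image in its own assignment: a failed command
    # substitution inside another command's argument list does not trip
    # errexit, and qemu-img would have been handed an empty backing path.
    base="$(readlink -e -- "$1")"
    overlay_size="''${2:-10G}"

    # Per-user scratch dir; honours TMPDIR, falls back to /tmp. The name is
    # predictable, but `mkdir -m 700` refuses anything already present at
    # that path (file, dir or symlink), so another local user can at most
    # make this run fail, not read the TPM state or the overlay.
    state="''${TMPDIR:-/tmp}/patos-qemu-''${USER:-$(id -un)}"
    rm -rf "$state"
    mkdir -m 700 "$state"

    # Stop the daemonised swtpm however the script exits; without this
    # every run leaves a swtpm process (and its socket) behind.
    cleanup() {
      if [ -f "$state/swtpm.pid" ]; then
        kill "$(cat "$state/swtpm.pid")" 2>/dev/null || true
      fi
    }
    trap cleanup EXIT

    # Copy-on-write overlay on top of the raw base image; the base stays
    # untouched, so a run can be repeated from a clean state.
    qemu-img create -f qcow2 -F raw -b "$base" "$state/disk.qcow2" "$overlay_size"

    # TPM 2.0 emulator. Its NVRAM lives in $state (mode 700) and is wiped by
    # the rm -rf above on the next run, so nothing sealed to this TPM
    # survives a restart of the script.
    swtpm socket -d --tpmstate dir="$state" \
      --ctrl type=unixio,path="$state/swtpm-sock" \
      --pid file="$state/swtpm.pid" \
      --tpm2 \
      --log level=20

    # Both pflash units are attached read-only, so the firmware cannot
    # persist UEFI variables (boot entries, Secure Boot keys) across runs.
    # hostfwd is bound to 127.0.0.1: the guest's sshd must not become
    # reachable from other hosts on the network.
    qemu-system-x86_64 \
      -enable-kvm \
      -machine q35,accel=kvm \
      -cpu host \
      -smp 8 \
      -m 4G \
      -display none \
      -chardev "stdio,id=char0,mux=on,logfile=$state/console.log,signal=off" \
      -serial chardev:char0 \
      -mon chardev=char0 \
      -drive "if=pflash,format=raw,unit=0,readonly=on,file=${tpmOVMF.firmware}" \
      -drive "if=pflash,format=raw,unit=1,readonly=on,file=${tpmOVMF.variables}" \
      -chardev socket,id=chrtpm,path="$state/swtpm-sock" \
      -tpmdev emulator,id=tpm0,chardev=chrtpm \
      -device tpm-tis,tpmdev=tpm0 \
      -netdev id=net00,type=user,hostfwd=tcp:127.0.0.1:2222-:22 \
      -device virtio-net-pci,netdev=net00 \
      -drive "format=qcow2,file=$state/disk.qcow2"
  '';
}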