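{
  pkgs,
  ...
}:
# Wraps qemu-system-aarch64 in a script that boots a raw disk image under
# AAVMF (UEFI) on a `virt` machine.  The image given as $1 is never written to:
# it becomes the backing file of a throw-away qcow2 overlay.
#
# The firmware is taken from the `pkgs` this file is evaluated with, so it is
# pinned by the same nixpkgs revision as everything else.  The previous version
# ran `nix-build '<nixpkgs>' -A OVMF.fd` at runtime, which pulled whatever
# nixpkgs the caller's NIX_PATH happened to point at and ignored the
# TPM/Secure-Boot override declared below.
let
  # AAVMF is aarch64-only; cross-build it when this file is evaluated on
  # another host so the script can still be produced from an x86_64 machine.
  aarch64Pkgs =
    if pkgs.stdenv.hostPlatform.isAarch64 then pkgs else pkgs.pkgsCross.aarch64-multiplatform;

  # TPM- and Secure-Boot-capable firmware build.  The `fd` output holds the
  # pflash images under AAVMF/ (same layout the runtime nix-build used before).
  tpmOVMF =
    (aarch64Pkgs.OVMF.override {
      tpmSupport = true;
      secureBoot = true;
    }).fd;
in
pkgs.writeShellApplication {
  name = "qemu-aarch64-uefi-tpm";

  runtimeInputs = with pkgs; [
    qemu
    swtpm
  ];

  text = ''
    # writeShellApplication already enables errexit/nounset/pipefail; -x adds
    # command tracing so the exact qemu invocation shows up in the log.
    set -ex

    if [ "$#" -ne 1 ]; then
      echo "usage: qemu-aarch64-uefi-tpm <raw-disk-image>" >&2
      exit 64
    fi
    # Resolve the image up front (and fail here under errexit if it does not
    # exist) instead of letting a failed $(readlink ...) inside the qemu-img
    # argument list silently pass an empty backing path.
    image=$(readlink -e "$1")

    # Per-user scratch directory under the shared /tmp.  The path is
    # predictable, so it is wiped and re-created with mode 700 on every run;
    # mkdir without -p refuses to adopt a directory someone else created in
    # between, and errexit then aborts instead of using it.
    state="/tmp/patos-qemu-$USER"
    rm -rf "$state"
    mkdir -m 700 "$state"

    # Copy-on-write overlay: every guest write lands in disk.qcow2 and the
    # input image stays pristine.  -F raw pins the backing format rather than
    # letting qemu-img probe it from the file contents.
    qemu-img create -f qcow2 -F raw -b "$image" "$state/disk.qcow2" 2G

    # Writable UEFI variable store (boot entries, Secure Boot key databases).
    # The copy in the Nix store is read-only, hence the chmod.  It is
    # re-created from the template on each run, so anything enrolled from
    # inside the guest does not persist across runs.  Whether the template
    # ships with keys pre-enrolled or leaves Secure Boot in setup mode depends
    # on the OVMF build -- confirm before relying on SB enforcement.
    cp "${tpmOVMF}/AAVMF/vars-template-pflash.raw" "$state/vars-pflash.raw"
    chmod u+w "$state/vars-pflash.raw"

    # TODO: the TPM is not wired up yet.  swtpm is already in runtimeInputs;
    # start it as below and hand the control socket to qemu (a socket chardev,
    # a `-tpmdev emulator`, and a TPM device on the virt machine) once the
    # guest side is ready.  Until then the firmware's TPM support is unused.
    # swtpm socket -d --tpmstate dir="$state" \
    #   --ctrl type=unixio,path="$state/swtpm-sock" \
    #   --tpm2 \
    #   --log file="$state/swtpm.log",level=20

    # Notes on the guest configuration:
    #  * unit=0 is the read-only firmware code, unit=1 the writable var store.
    #  * -netdev user gives the guest outbound host networking through SLIRP
    #    with no inbound exposure; swap it for tap/bridge if the VM must be
    #    reachable from outside.
    #  * virtio-rng feeds the guest from the host's /dev/urandom.
    #  * -serial stdio: the guest console is this terminal.
    qemu-system-aarch64 \
      -machine virt,gic-version=max \
      -cpu max \
      -smp 8 \
      -m 4G \
      -display none \
      -serial stdio \
      -drive "if=pflash,format=raw,unit=0,readonly=on,file=${tpmOVMF}/AAVMF/QEMU_EFI-pflash.raw" \
      -drive "if=pflash,format=raw,unit=1,file=$state/vars-pflash.raw" \
      -device virtio-scsi-pci \
      -device virtio-gpu-pci \
      -device virtio-net-pci,netdev=wan \
      -netdev user,id=wan \
      -device virtio-rng-pci,rng=rng0 \
      -object rng-random,filename=/dev/urandom,id=rng0 \
      -device virtio-serial-pci \
      -drive "format=qcow2,file=$state/disk.qcow2"
  '';
}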