diff --git a/.gitignore b/.gitignore
index bb3778d..6679260 100644
--- a/.gitignore
+++ b/.gitignore
@@ -11,3 +11,5 @@ build/cache/
 secrets/
 *.key
 *.pem
+test/veilor-vm.qcow2
+test/veilor-vm.nvram*
diff --git a/test/run-vm.sh b/test/run-vm.sh
new file mode 100755
index 0000000..880d5ea
--- /dev/null
+++ b/test/run-vm.sh
@@ -0,0 +1,66 @@
+#!/usr/bin/env bash
+# Boot veilor-os ISO in KVM/QEMU under UEFI.
+# Usage:
+#   ./test/run-vm.sh              # boots latest ISO from build/out
+#   ./test/run-vm.sh path/to.iso  # specific ISO
+#   SECBOOT=1 ./test/run-vm.sh    # use OVMF Secure Boot firmware
+#   FRESH=1 ./test/run-vm.sh      # wipe disk + nvram, re-install from scratch
+
+set -euo pipefail
+
+REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
+TEST_DIR="$REPO_ROOT/test"
+DISK="$TEST_DIR/veilor-vm.qcow2"
+NVRAM="$TEST_DIR/veilor-vm.nvram"
+
+ISO="${1:-$(ls -t "$REPO_ROOT"/build/out/*.iso 2>/dev/null | head -1)}"
+[[ -n ${ISO:-} && -f $ISO ]] || { echo "[ERR] No ISO found. Build first: ./build/build-iso.sh"; exit 1; }
+
+# OVMF firmware selection
+if [[ "${SECBOOT:-0}" == "1" ]]; then
+    OVMF_CODE=/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd
+    OVMF_VARS_SRC=/usr/share/edk2/ovmf/OVMF_VARS.secboot.fd
+    NVRAM="$TEST_DIR/veilor-vm.nvram.secboot"
+else
+    OVMF_CODE=/usr/share/edk2/ovmf/OVMF_CODE.fd
+    OVMF_VARS_SRC=/usr/share/edk2/ovmf/OVMF_VARS.fd
+fi
+
+# Reset on FRESH=1
+if [[ "${FRESH:-0}" == "1" ]]; then
+    rm -f "$DISK" "$NVRAM"
+fi
+
+# Provision disk + per-VM nvram once
+[[ -f $DISK ]]  || qemu-img create -f qcow2 "$DISK" 40G
+[[ -f $NVRAM ]] || cp "$OVMF_VARS_SRC" "$NVRAM"
+
+echo "════════════════════════════════════════════════════════"
+echo "  veilor-os :: VM test"
+echo "  ISO   : $ISO"
+echo "  Disk  : $DISK"
+echo "  NVRAM : $NVRAM"
+echo "  Mode  : ${SECBOOT:+secboot}${SECBOOT:-stock UEFI}"
+echo "════════════════════════════════════════════════════════"
+
+exec qemu-system-x86_64 \
+    -name veilor-os \
+    -enable-kvm \
+    -cpu host \
+    -smp 4 \
+    -m 4096 \
+    -machine q35,smm=on \
+    -global driver=cfi.pflash01,property=secure,value=on \
+    -drive if=pflash,format=raw,readonly=on,file="$OVMF_CODE" \
+    -drive if=pflash,format=raw,file="$NVRAM" \
+    -drive file="$DISK",if=virtio,format=qcow2,cache=writeback \
+    -cdrom "$ISO" \
+    -boot menu=on,splash-time=2000 \
+    -netdev user,id=net0,hostfwd=tcp::2222-:22 \
+    -device virtio-net-pci,netdev=net0 \
+    -device virtio-rng-pci \
+    -vga virtio \
+    -display gtk,gl=on \
+    -audiodev pa,id=snd0 \
+    -device intel-hda \
+    -device hda-output,audiodev=snd0