* [pve-devel] [PATCH qemu-server 1/4] ovmf: enroll ms 2023 cert: change QSD ID to allow calling outside of VM start
2025-11-18 12:34 [pve-devel] [PATCH-SERIS qemu-server 0/4] vm start: ovmf: do not auto-enroll Microsoft UEFI CA 2023 Fiona Ebner
@ 2025-11-18 12:34 ` Fiona Ebner
2025-11-18 12:34 ` [pve-devel] [PATCH qemu-server 2/4] api/cli: add enroll-efi-keys endpoint Fiona Ebner
` (3 subsequent siblings)
4 siblings, 0 replies; 10+ messages in thread
From: Fiona Ebner @ 2025-11-18 12:34 UTC (permalink / raw)
To: pve-devel
The main QSD instance with ID $vmid can only be re-used as part of
VM start tasks. In preparation to allow calling the method from a new
enroll-efi-keys command/endpoint, change the QSD ID to something else.
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
src/PVE/QemuServer/OVMF.pm | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/src/PVE/QemuServer/OVMF.pm b/src/PVE/QemuServer/OVMF.pm
index 408144a0..409ad022 100644
--- a/src/PVE/QemuServer/OVMF.pm
+++ b/src/PVE/QemuServer/OVMF.pm
@@ -278,8 +278,6 @@ sub print_ovmf_commandline {
return ($cmd, $machine_flags);
}
-# May only be called as part of VM start right now, because it uses the main QSD associated to the
-# VM. If required for another scenario, change the QSD ID to something else.
sub ensure_ms_2023_cert_enrolled {
my ($storecfg, $vmid, $efidisk_str) = @_;
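Review bot: the removed comment is not replaced by the new precondition. `ensure_ms_2023_cert_enrolled` still rewrites the EFI variable store in place through a FUSE export, so it still needs exclusive access to the EFI disk (VM not running, caller holding the config lock) even though the QSD ID no longer ties it to VM start; a one-line comment above `sub ensure_ms_2023_cert_enrolled` stating that constraint would keep it visible to the new callers this patch prepares for.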
@@ -289,19 +287,22 @@ sub ensure_ms_2023_cert_enrolled {
print "efidisk0: enrolling Microsoft UEFI CA 2023\n";
- my $new_qsd = !PVE::QemuServer::Helpers::qsd_running_locally($vmid);
- PVE::QemuServer::QSD::start($vmid) if $new_qsd;
+ my $qsd_id = "vm-$vmid-efi-enroll";
+ if (my $qsd_pid = PVE::QemuServer::Helpers::qsd_running_locally($qsd_id)) {
+ die "QEMU storage daemon $qsd_id already running with PID $qsd_pid (left over process?)\n";
+ }
+ PVE::QemuServer::QSD::start($qsd_id);
eval {
my $efi_vars_path =
- PVE::QemuServer::QSD::add_fuse_export($vmid, $efidisk, 'efidisk0-enroll');
+ PVE::QemuServer::QSD::add_fuse_export($qsd_id, $efidisk, 'efidisk0-enroll');
PVE::Tools::run_command(
['virt-fw-vars', '--inplace', $efi_vars_path, '--distro-keys', 'ms-uefi']);
- PVE::QemuServer::QSD::remove_fuse_export($vmid, 'efidisk0-enroll');
+ PVE::QemuServer::QSD::remove_fuse_export($qsd_id, 'efidisk0-enroll');
};
my $err = $@;
- PVE::QemuServer::QSD::quit($vmid) if $new_qsd;
+ PVE::QemuServer::QSD::quit($qsd_id);
die "efidisk0: enrolling Microsoft UEFI CA 2023 failed - $err" if $err;
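Review bot: the `die` on a leftover `vm-$vmid-efi-enroll` daemon gives no recovery hint. Since the ID is now private to this function, a stale process from an interrupted enrollment blocks every further attempt until an admin kills it by hand; either say so in the message (for example: `already running with PID $qsd_pid - kill it and retry`) or, given that every caller is expected to hold the VM config lock, consider quitting the stale daemon instead of refusing. Also, when `run_command` dies, `remove_fuse_export` is skipped and cleanup relies on `PVE::QemuServer::QSD::quit($qsd_id)` tearing the export down; `quit` is now called unconditionally outside the eval, so if it dies it masks the original error kept in `$err`. Wrapping the `quit` in its own eval and warning on failure would preserve the real cause.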
--
2.47.3
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
* [pve-devel] [PATCH qemu-server 2/4] api/cli: add enroll-efi-keys endpoint
2025-11-18 12:34 [pve-devel] [PATCH-SERIS qemu-server 0/4] vm start: ovmf: do not auto-enroll Microsoft UEFI CA 2023 Fiona Ebner
2025-11-18 12:34 ` [pve-devel] [PATCH qemu-server 1/4] ovmf: enroll ms 2023 cert: change QSD ID to allow calling outside of VM start Fiona Ebner
@ 2025-11-18 12:34 ` Fiona Ebner
2025-11-18 12:58 ` Fabian Grünbichler
2025-11-18 12:34 ` [pve-devel] [PATCH qemu-server 3/4] ovmf: factor out helper for checking whether MS 2023 certificate should be enrolled Fiona Ebner
` (2 subsequent siblings)
4 siblings, 1 reply; 10+ messages in thread
From: Fiona Ebner @ 2025-11-18 12:34 UTC (permalink / raw)
To: pve-devel
A new enroll-efi-keys API endpoint and command for qm is added. It
enrolls the latest known-to-be-important certificates to the EFI disk,
which currently is just the Microsoft UEFI CA 2023.
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
src/PVE/API2/Qemu.pm | 60 ++++++++++++++++++++++++++++++++++++++++++++
src/PVE/CLI/qm.pm | 2 ++
2 files changed, 62 insertions(+)
diff --git a/src/PVE/API2/Qemu.pm b/src/PVE/API2/Qemu.pm
index 5cdba4bb..665afbe2 100644
--- a/src/PVE/API2/Qemu.pm
+++ b/src/PVE/API2/Qemu.pm
@@ -7048,4 +7048,64 @@ __PACKAGE__->register_method({
},
});
+__PACKAGE__->register_method({
+ name => 'enroll-efi-keys',
+ path => '{vmid}/enroll-efi-keys',
+ method => 'POST',
+ protected => 1,
+ proxyto => 'node',
+ description =>
+ "Enroll important updated certificates to the EFI disk with pre-enrolled-keys. Currently,"
+ . " this is only the Microsoft UEFI CA 2023. Must be called while the VM is shut down.",
+ permissions => {
+ check => ['perm', '/vms/{vmid}', ['VM.Config.Disk']],
+ },
+ parameters => {
+ additionalProperties => 0,
+ properties => {
+ node => get_standard_option('pve-node'),
+ vmid =>
+ get_standard_option('pve-vmid', { completion => \&PVE::QemuServer::complete_vmid }),
+ },
+ },
+ returns => { type => 'null' },
+ code => sub {
+ my ($param) = @_;
+
+ my $vmid = extract_param($param, 'vmid');
+
+ my $enroll_fn = sub {
+ my $conf = PVE::QemuConfig->load_config($vmid);
+
+ PVE::QemuConfig->check_lock($conf);
+ die "VM $vmid is running\n" if PVE::QemuServer::Helpers::vm_running_locally($vmid);
+ die "VM $vmid is a template\n" if PVE::QemuConfig->is_template($conf);
+ die "VM $vmid has no EFI disk configured\n" if !$conf->{efidisk0};
+
+ my $ostype = $conf->{ostype};
+ if (!defined($ostype) || ($ostype ne 'win10' && $ostype ne 'win11')) {
+ print "skipping - OS type is neither Windows 10 nor Windows 11\n";
+ return;
+ }
+
+ my $storecfg = PVE::Storage::config();
+
+ my $updated = PVE::QemuServer::OVMF::ensure_ms_2023_cert_enrolled(
+ $storecfg, $vmid, $conf->{efidisk0},
+ );
+ if ($updated) {
+ $conf->{efidisk0} = $updated;
+ PVE::QemuConfig->write_config($vmid, $conf);
+ } else {
+ print "skipping - no pre-enrolled keys or already got ms-cert=2023 marker\n";
+ }
+
+ return;
+ };
+
+ PVE::QemuConfig->lock_config($vmid, $enroll_fn);
+ return;
+ },
+});
+
1;
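Review bot: the enrollment runs synchronously inside the API request (QSD start, FUSE export, `virt-fw-vars --inplace`) and the method returns `null`, so an API client gets neither progress nor the outcome: the two `skipping - ...` messages go to stdout via `print` and are only visible from `qm`. Fork a worker with `fork_worker` and return the UPID, as other long-running VM endpoints do, so the messages land in the task log, or at least return a value telling the caller whether the `ms-cert=2023` marker was set. Minor: the Windows-only check (`$ostype ne 'win10' && $ostype ne 'win11'`) duplicates the one in `check_efi_vars` in `PVE::QemuServer`, but this copy guards against an undefined `ostype` while the other does not; a shared helper would keep the two in sync.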
diff --git a/src/PVE/CLI/qm.pm b/src/PVE/CLI/qm.pm
index 9398780e..d0f80b20 100755
--- a/src/PVE/CLI/qm.pm
+++ b/src/PVE/CLI/qm.pm
@@ -1341,6 +1341,8 @@ our $cmddef = {
unlink => ["PVE::API2::Qemu", 'unlink', ['vmid'], {%node}],
},
+ 'enroll-efi-keys' => ["PVE::API2::Qemu", 'enroll-efi-keys', ['vmid'], {%node}],
+
monitor => [__PACKAGE__, 'monitor', ['vmid']],
agent => { alias => 'guest cmd' }, # FIXME: remove with PVE 8.0
--
2.47.3
* Re: [pve-devel] [PATCH qemu-server 2/4] api/cli: add enroll-efi-keys endpoint
2025-11-18 12:34 ` [pve-devel] [PATCH qemu-server 2/4] api/cli: add enroll-efi-keys endpoint Fiona Ebner
@ 2025-11-18 12:58 ` Fabian Grünbichler
2025-11-18 13:07 ` Thomas Lamprecht
0 siblings, 1 reply; 10+ messages in thread
From: Fabian Grünbichler @ 2025-11-18 12:58 UTC (permalink / raw)
To: Proxmox VE development discussion
On November 18, 2025 1:34 pm, Fiona Ebner wrote:
> A new enroll-efi-keys API endpoint and command for qm is added. It
> enrolls the latest known-to-be-important certificates to the EFI disk,
> which currently is just the Microsoft UEFI CA 2023.
>
> Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
> ---
> src/PVE/API2/Qemu.pm | 60 ++++++++++++++++++++++++++++++++++++++++++++
> src/PVE/CLI/qm.pm | 2 ++
> 2 files changed, 62 insertions(+)
>
> diff --git a/src/PVE/API2/Qemu.pm b/src/PVE/API2/Qemu.pm
> index 5cdba4bb..665afbe2 100644
> --- a/src/PVE/API2/Qemu.pm
> +++ b/src/PVE/API2/Qemu.pm
> @@ -7048,4 +7048,64 @@ __PACKAGE__->register_method({
> },
> });
>
> +__PACKAGE__->register_method({
> + name => 'enroll-efi-keys',
> + path => '{vmid}/enroll-efi-keys',
> + method => 'POST',
> + protected => 1,
> + proxyto => 'node',
> + description =>
> + "Enroll important updated certificates to the EFI disk with pre-enrolled-keys. Currently,"
> + . " this is only the Microsoft UEFI CA 2023. Must be called while the VM is shut down.",
> + permissions => {
> + check => ['perm', '/vms/{vmid}', ['VM.Config.Disk']],
> + },
> + parameters => {
> + additionalProperties => 0,
> + properties => {
> + node => get_standard_option('pve-node'),
> + vmid =>
> + get_standard_option('pve-vmid', { completion => \&PVE::QemuServer::complete_vmid }),
> + },
> + },
> + returns => { type => 'null' },
> + code => sub {
> + my ($param) = @_;
> +
> + my $vmid = extract_param($param, 'vmid');
> +
> + my $enroll_fn = sub {
> + my $conf = PVE::QemuConfig->load_config($vmid);
> +
> + PVE::QemuConfig->check_lock($conf);
> + die "VM $vmid is running\n" if PVE::QemuServer::Helpers::vm_running_locally($vmid);
> + die "VM $vmid is a template\n" if PVE::QemuConfig->is_template($conf);
> + die "VM $vmid has no EFI disk configured\n" if !$conf->{efidisk0};
> +
> + my $ostype = $conf->{ostype};
> + if (!defined($ostype) || ($ostype ne 'win10' && $ostype ne 'win11')) {
> + print "skipping - OS type is neither Windows 10 nor Windows 11\n";
> + return;
> + }
> +
> + my $storecfg = PVE::Storage::config();
> +
> + my $updated = PVE::QemuServer::OVMF::ensure_ms_2023_cert_enrolled(
> + $storecfg, $vmid, $conf->{efidisk0},
> + );
this can block and/or take a while, so shouldn't this endpoint fork a
task worker?
and do we really need a new endpoint for this, couldn't we do it in the
config update and let the UI set the corresponding EFI disk flag as an
(async) update?
> + if ($updated) {
> + $conf->{efidisk0} = $updated;
> + PVE::QemuConfig->write_config($vmid, $conf);
> + } else {
> + print "skipping - no pre-enrolled keys or already got ms-cert=2023 marker\n";
> + }
> +
> + return;
> + };
> +
> + PVE::QemuConfig->lock_config($vmid, $enroll_fn);
> + return;
> + },
> +});
> +
> 1;
> diff --git a/src/PVE/CLI/qm.pm b/src/PVE/CLI/qm.pm
> index 9398780e..d0f80b20 100755
> --- a/src/PVE/CLI/qm.pm
> +++ b/src/PVE/CLI/qm.pm
> @@ -1341,6 +1341,8 @@ our $cmddef = {
> unlink => ["PVE::API2::Qemu", 'unlink', ['vmid'], {%node}],
> },
>
> + 'enroll-efi-keys' => ["PVE::API2::Qemu", 'enroll-efi-keys', ['vmid'], {%node}],
> +
> monitor => [__PACKAGE__, 'monitor', ['vmid']],
>
> agent => { alias => 'guest cmd' }, # FIXME: remove with PVE 8.0
> --
> 2.47.3
* Re: [pve-devel] [PATCH qemu-server 2/4] api/cli: add enroll-efi-keys endpoint
2025-11-18 12:58 ` Fabian Grünbichler
@ 2025-11-18 13:07 ` Thomas Lamprecht
2025-11-18 13:09 ` Fabian Grünbichler
0 siblings, 1 reply; 10+ messages in thread
From: Thomas Lamprecht @ 2025-11-18 13:07 UTC (permalink / raw)
To: Proxmox VE development discussion, Fabian Grünbichler
On 18.11.25 at 13:58, Fabian Grünbichler wrote:
>> + my $updated = PVE::QemuServer::OVMF::ensure_ms_2023_cert_enrolled(
>> + $storecfg, $vmid, $conf->{efidisk0},
>> + );
> this can block and/or take a while, so shouldn't this endpoint fork a
> task worker?
>
> and do we really need a new endpoint for this, couldn't we do it in the
> config update and let the UI set the corresponding EFI disk flag as an
> (async) update?
Talked with Fiona off-list about this.
I'd for now move the endpoint to the CLI only. We plan to re-use the recently
added efidisk flag to provide a mechanism where the user can request enrollment
by setting the flag to a new value. This will be refused to get hot-applied, thus
stays a pending change in the config and will be applied on the next fresh start.
In the UI we can then also display a nice hint w.r.t. users needing to be
prepared if they use Bitlocker, one option for that is executing the following
command in the Windows VM before shutting it down:
manage-bde -protectors -disable <drive>
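A worked version of the pre-shutdown step Thomas describes above, added here as an example; it is not code from the patches or from Proxmox. It enumerates the BitLocker-protected volumes in the Windows guest, suspends their key protectors for exactly one reboot, and verifies the result before the VM is shut down for `qm enroll-efi-keys`. It assumes the BitLocker PowerShell module (`Get-BitLockerVolume`, `Suspend-BitLocker`) is available, which it is on the Windows 10/11 editions that ship BitLocker; `Suspend-BitLocker -RebootCount 1` is the cmdlet form of the `manage-bde -protectors -disable <drive>` command named in the thread.

```powershell
# Added example (not from the Proxmox patches): suspend BitLocker key protectors
# on every protected volume for exactly one reboot, then verify, so that a
# following 'qm enroll-efi-keys' on the host does not trigger BitLocker recovery.
# Run in an elevated PowerShell inside the Windows guest, right before shutdown.
# Assumes the BitLocker module (Get-BitLockerVolume / Suspend-BitLocker) exists.

#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

# Only volumes whose protection is currently on need to be touched.
$protected = Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'On' }

if (-not $protected) {
    Write-Host 'No BitLocker-protected volumes found; nothing to suspend.'
    return
}

foreach ($vol in $protected) {
    $mp = $vol.MountPoint   # e.g. 'C:'
    Write-Host "Suspending BitLocker protectors on $mp for one reboot ..."
    # Same effect as: manage-bde -protectors -disable $mp -RebootCount 1
    Suspend-BitLocker -MountPoint $mp -RebootCount 1 | Out-Null
}

# Verify: every volume we touched must now report protection 'Off' (suspended).
$stillOn = Get-BitLockerVolume | Where-Object {
    $protected.MountPoint -contains $_.MountPoint -and $_.ProtectionStatus -eq 'On'
}

if ($stillOn) {
    throw "Protectors still enabled on: $($stillOn.MountPoint -join ', ')"
}

Write-Host 'All protectors suspended for the next boot only. Shut the VM down now,'
Write-Host 'run the enrollment on the Proxmox host, for example:'
Write-Host '    qm enroll-efi-keys <vmid>'
Write-Host 'then start the VM; protection re-arms automatically after that boot.'
```

The one-reboot limit matters: as the commit message of 4/4 notes, the protectors are disabled for the next boot only, so the enrollment has to happen during the very next shutdown, otherwise the suspension is consumed by an unrelated restart and the certificate change will still trigger recovery.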
* Re: [pve-devel] [PATCH qemu-server 2/4] api/cli: add enroll-efi-keys endpoint
2025-11-18 13:07 ` Thomas Lamprecht
@ 2025-11-18 13:09 ` Fabian Grünbichler
2025-11-18 14:11 ` Thomas Lamprecht
0 siblings, 1 reply; 10+ messages in thread
From: Fabian Grünbichler @ 2025-11-18 13:09 UTC (permalink / raw)
To: Proxmox VE development discussion, Thomas Lamprecht
On November 18, 2025 2:07 pm, Thomas Lamprecht wrote:
> On 18.11.25 at 13:58, Fabian Grünbichler wrote:
>>> + my $updated = PVE::QemuServer::OVMF::ensure_ms_2023_cert_enrolled(
>>> + $storecfg, $vmid, $conf->{efidisk0},
>>> + );
>> this can block and/or take a while, so shouldn't this endpoint fork a
>> task worker?
>>
>> and do we really need a new endpoint for this, couldn't we do it in the
>> config update and let the UI set the corresponding EFI disk flag as an
>> (async) update?
>
> Talked with Fiona off-list about this.
>
> I'd for now move the endpoint to the CLI only. We plan to re-use the recently
> added efidisk flag to provide a mechanism where the user can request enrollment
> by setting the flag to a new value. This will be refused to get hot-applied, thus
> stays a pending change in the config and will be applied on the next fresh start.
> In the UI we can then also display a nice hint w.r.t. users needing to be
> prepared if they use Bitlocker, one option for that is executing the following
> command in the Windows VM before shutting it down:
>
> manage-bde -protectors -disable <drive>
sounds like a good plan - that CLI endpoint can then be converted to
become
load_config
get efidisk
call update config with modified efidisk, protected by digest
* [pve-devel] [PATCH qemu-server 3/4] ovmf: factor out helper for checking whether MS 2023 certificate should be enrolled
2025-11-18 12:34 [pve-devel] [PATCH-SERIS qemu-server 0/4] vm start: ovmf: do not auto-enroll Microsoft UEFI CA 2023 Fiona Ebner
2025-11-18 12:34 ` [pve-devel] [PATCH qemu-server 1/4] ovmf: enroll ms 2023 cert: change QSD ID to allow calling outside of VM start Fiona Ebner
2025-11-18 12:34 ` [pve-devel] [PATCH qemu-server 2/4] api/cli: add enroll-efi-keys endpoint Fiona Ebner
@ 2025-11-18 12:34 ` Fiona Ebner
2025-11-18 12:34 ` [pve-devel] [PATCH qemu-server 4/4] vm start: ovmf: do not auto-enroll Microsoft UEFI CA 2023 Fiona Ebner
2025-11-18 13:30 ` [pve-devel] [PATCH-SERIS qemu-server 0/4] " Thomas Lamprecht
4 siblings, 0 replies; 10+ messages in thread
From: Fiona Ebner @ 2025-11-18 12:34 UTC (permalink / raw)
To: pve-devel
In preparation to only call that helper during VM start. See the
following commit "vm start: ovmf: do not auto-enroll Microsoft UEFI CA
2023" for details.
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
src/PVE/QemuServer/OVMF.pm | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/src/PVE/QemuServer/OVMF.pm b/src/PVE/QemuServer/OVMF.pm
index 409ad022..e5f4cf02 100644
--- a/src/PVE/QemuServer/OVMF.pm
+++ b/src/PVE/QemuServer/OVMF.pm
@@ -278,13 +278,23 @@ sub print_ovmf_commandline {
return ($cmd, $machine_flags);
}
-sub ensure_ms_2023_cert_enrolled {
- my ($storecfg, $vmid, $efidisk_str) = @_;
+sub should_enroll_ms_2023_cert {
+ my ($efidisk_str) = @_;
my $efidisk = parse_drive('efidisk0', $efidisk_str);
return if !$efidisk->{'pre-enrolled-keys'};
return if $efidisk->{'ms-cert'} && $efidisk->{'ms-cert'} eq '2023';
+ return 1;
+}
+
+sub ensure_ms_2023_cert_enrolled {
+ my ($storecfg, $vmid, $efidisk_str) = @_;
+
+ return if !should_enroll_ms_2023_cert($efidisk_str);
+
+ my $efidisk = parse_drive('efidisk0', $efidisk_str);
+
print "efidisk0: enrolling Microsoft UEFI CA 2023\n";
my $qsd_id = "vm-$vmid-efi-enroll";
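Review bot: `should_enroll_ms_2023_cert` decides purely from the config markers (`pre-enrolled-keys` set and `ms-cert` not `2023`), never from the variable store itself, so an EFI disk where the 2023 CA was enrolled by other means, or a var store restored from an older backup while the config already carries the marker, is misclassified. A comment on the helper saying that the config marker is the only source of truth would make that explicit for the VM-start caller the next patch introduces. Minor: `parse_drive('efidisk0', $efidisk_str)` now runs twice per call (once in the helper, again in `ensure_ms_2023_cert_enrolled`); returning the parsed hash from the helper, or accepting it as the parameter, avoids the duplicate parse, and neither site handles `parse_drive` failing on an invalid string.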
--
2.47.3
* [pve-devel] [PATCH qemu-server 4/4] vm start: ovmf: do not auto-enroll Microsoft UEFI CA 2023
2025-11-18 12:34 [pve-devel] [PATCH-SERIS qemu-server 0/4] vm start: ovmf: do not auto-enroll Microsoft UEFI CA 2023 Fiona Ebner
` (2 preceding siblings ...)
2025-11-18 12:34 ` [pve-devel] [PATCH qemu-server 3/4] ovmf: factor out helper for checking whether MS 2023 certificate should be enrolled Fiona Ebner
@ 2025-11-18 12:34 ` Fiona Ebner
2025-11-18 13:30 ` [pve-devel] [PATCH-SERIS qemu-server 0/4] " Thomas Lamprecht
4 siblings, 0 replies; 10+ messages in thread
From: Fiona Ebner @ 2025-11-18 12:34 UTC (permalink / raw)
To: pve-devel
As reported in the community forum [0], enrolling the new certificate
will trigger BitLocker recovery. It doesn't seem to be possible to
detect whether BitLocker is used by looking at the EFI var store (no
telling difference in dumps with 'virt-fw-vars --output-json' before
and after).
Stop auto-enrolling the new Microsoft UEFI 2023 certificate and
produce a warning, telling users about the 'qm enroll-efi-keys'
command and what steps to take when BitLocker is used to avoid
triggering recovery. Thomas found [1], which suggests using
'manage-bde -protectors -disable' which will disable key protectors
for the next boot and this was also successfully tested.
[0]: https://forum.proxmox.com/threads/173417/post-817164
[1]: https://discussion.fedoraproject.org/t/warning-recent-kek-firmware-update-locks-out-windows-bitlocker-urgent-issue-for-dual-boot-users/155431/5
Suggested-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
src/PVE/QemuServer.pm | 21 +++++++++------------
1 file changed, 9 insertions(+), 12 deletions(-)
diff --git a/src/PVE/QemuServer.pm b/src/PVE/QemuServer.pm
index 687335b8..678e9ec5 100644
--- a/src/PVE/QemuServer.pm
+++ b/src/PVE/QemuServer.pm
@@ -5423,14 +5423,15 @@ my sub check_efi_vars {
return if !$conf->{efidisk0};
return if $conf->{ostype} ne 'win10' && $conf->{ostype} ne 'win11';
- if (
- my $updated = PVE::QemuServer::OVMF::ensure_ms_2023_cert_enrolled(
- $storecfg, $vmid, $conf->{efidisk0},
- )
- ) {
- $conf->{efidisk0} = $updated;
- PVE::QemuConfig->write_config($vmid, $conf);
+ if (PVE::QemuServer::OVMF::should_enroll_ms_2023_cert($conf->{efidisk0})) {
+ log_warn("EFI disk without 'ms-cert=2023' option, suggesting that the Microsoft UEFI 2023"
+ . " certificate is not enrolled yet. The UEFI 2011 certificate expires in June 2026!");
+ print "While the VM is shut down, run 'qm enroll-efi-keys $vmid' to enroll it.\n";
+ print "If the VM uses BitLocker, run the following command inside Windows Powershell:\n";
+ print "manage-bde -protectors -disable <drive>\n";
+ print "for each drive with BitLocker (for example, <drive> could be 'C:').\n";
}
+
return;
}
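Review bot: the printed hint omits the one fact a BitLocker user most needs: `manage-bde -protectors -disable` only suspends protection for the next boot (as the commit message says), so someone who runs it and then reboots the guest for any other reason before shutting down and enrolling will still be thrown into recovery. Add "right before shutting it down" to the `If the VM uses BitLocker` line. Also, the unchanged `return if $conf->{ostype} ne 'win10' && $conf->{ostype} ne 'win11';` warns about an uninitialised value when `ostype` is unset, whereas the new endpoint in 2/4 guards with `defined`; worth aligning while this function is being touched. Note that with `log_warn` every start of an affected VM ends in a task with warnings, which is noisy for a multi-line advisory.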
@@ -5611,11 +5612,7 @@ sub vm_start_nolock {
my $storage_hints = generate_storage_hints($conf, 1);
PVE::Storage::activate_volumes($storecfg, $vollist, undef, $storage_hints);
- # Can only exclusively access EFI disk during cold start. Also, check_efi_vars() might write
- # the configuration, which must not be done at this stage of migration on the target.
- if (!$statefile && !$resume && $conf->{bios} && $conf->{bios} eq 'ovmf') {
- check_efi_vars($storecfg, $vmid, $conf);
- }
+ check_efi_vars($storecfg, $vmid, $conf) if $conf->{bios} && $conf->{bios} eq 'ovmf';
# Note that for certain cases like templates, the configuration is minimized, so need to ensure
# the rest of the function here uses the same configuration that was used to build the command
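Review bot: dropping the `!$statefile && !$resume` guard means `check_efi_vars` now also runs on the live-migration target and on resume from a state file. The reason given in the removed comment (writing the config) no longer applies since the function only prints, but the printed advice "While the VM is shut down, run 'qm enroll-efi-keys'" will then show up in incoming migration task logs for a VM that is by definition not shut down. Either keep the guard, or reword the hint so it reads sensibly in that case.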
--
2.47.3
* Re: [pve-devel] [PATCH-SERIS qemu-server 0/4] vm start: ovmf: do not auto-enroll Microsoft UEFI CA 2023
2025-11-18 12:34 [pve-devel] [PATCH-SERIS qemu-server 0/4] vm start: ovmf: do not auto-enroll Microsoft UEFI CA 2023 Fiona Ebner
` (3 preceding siblings ...)
2025-11-18 12:34 ` [pve-devel] [PATCH qemu-server 4/4] vm start: ovmf: do not auto-enroll Microsoft UEFI CA 2023 Fiona Ebner
@ 2025-11-18 13:30 ` Thomas Lamprecht
4 siblings, 0 replies; 10+ messages in thread
From: Thomas Lamprecht @ 2025-11-18 13:30 UTC (permalink / raw)
To: pve-devel, Fiona Ebner
On Tue, 18 Nov 2025 13:34:38 +0100, Fiona Ebner wrote:
> As reported in the community forum [0], enrolling the new certificate
> will trigger BitLocker recovery. It doesn't seem to be possible to
> detect whether BitLocker is used by looking at the EFI var store (no
> telling difference in dumps with 'virt-fw-vars --output-json' before
> and after).
>
> Stop auto-enrolling the new Microsoft UEFI 2023 certificate and
> produce a warning, telling users about the 'qm enroll-efi-keys'
> command and what steps to take when BitLocker is used to avoid
> triggering recovery. Thomas found [1], which suggests using
> 'manage-bde -protectors -disable' which will disable key protectors
> for the next boot and this was also successfully tested.
>
> [...]
Applied with two changes squashed in, thanks!
For one, I replaced the log_warn with print for now to avoid being too noisy
already; we can "turn up the heat" for this early next year, e.g. for PVE 9.2.
Then I also moved the new command out of the API, keeping it purely in the qm CLI
for now to avoid having to commit to this new API for the PVE 9 lifetime,
especially as we got some other ideas to handle this in a recent off-list talk.
[1/4] ovmf: enroll ms 2023 cert: change QSD ID to allow calling outside of VM start
commit: 4effab683fc9d0a4e85d9435d84fccff56e69101
[2/4] api/cli: add enroll-efi-keys endpoint
commit: ee296e6eb10577ee90bfbb201beb5487bb81bda6
[3/4] ovmf: factor out helper for checking whether MS 2023 certificate should be enrolled
commit: 16750f2a6023f1304e445beb2d9504d51c090bfc
[4/4] vm start: ovmf: do not auto-enroll Microsoft UEFI CA 2023
commit: 6952b33bb976f3afe1369e7333e3aa3cc9dc2f1a