From: Fiona Ebner <f.ebner@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH-SERIES RESEND edk2-firmware 0/6] partially fix #6985: pre-enroll Microsoft UEFI CA 2023 keys
Date: Fri, 7 Nov 2025 09:54:27 +0100
Message-ID: <20251107085441.5093-1-f.ebner@proxmox.com>

Re-sent with --transfer-encoding=base64. Also available at my staff
repo now: staff/f.ebner/pve-edk2-firmware, branch fix-6985

This fixes the issue with the Microsoft UEFI CA 2011 expiring in June
2026 for new EFI disks. What still needs to be done is giving users a
way for (or automatically) enrolling the new keys to existing EFI
disks. I will look at that part of the issue in the coming days.

To update an existing EFI disk, it should be enough to do something
like:

    virt-fw-vars --inplace vm-103-disk-0.raw --distro-keys ms-uefi

AFAICS, virt-fw-vars can only deal with raw images, so we can use FUSE
exports of differently formatted EFI disks, which requires [0].

[0]: https://lore.proxmox.com/pve-devel/20251020141335.124077-1-f.ebner@proxmox.com/

pve-edk2-firmware:

Fiona Ebner (6):
  update edk2 to edk2-stable202505 tag and refresh patches
  d/patches: pick up CVE fix from Debian tag debian/2025.05-1
  d/rules: pick up some improvements from Debian
  Use virt-firmware to enroll default keys.
  Initialize the Secure Boot dbx in *.ms.fd with the latest revocations
  partially fix #6985: pre-enroll Microsoft UEFI CA 2023 keys

 debian/DBXUpdate-2025-02-24.arm64.bin          | Bin 0 -> 4613 bytes
 debian/DBXUpdate-2025-10-16.amd64.bin          | Bin 0 -> 24053 bytes
 debian/control                                 |   1 +
 debian/edk2-vars-generator.py                  | 140 ----
 ...nrollDefaultKeys-with-Microsoft-2023.patch  | 613 ++++++++++++++++++
 ...tLib-Fix-split-lock-violation-from-M.patch  |  10 +-
 ...CpuDxeSmm-Safe-handling-of-IDT-regis.patch  |  45 ++
 debian/patches/series                          |   2 +
 debian/rules                                   |  99 +--
 debian/source/include-binaries                 |   2 +
 edk2                                           |   2 +-
 11 files changed, 721 insertions(+), 193 deletions(-)
 create mode 100644 debian/DBXUpdate-2025-02-24.arm64.bin
 create mode 100644 debian/DBXUpdate-2025-10-16.amd64.bin
 delete mode 100755 debian/edk2-vars-generator.py
 create mode 100644 debian/patches/OvmfPkg-Expand-EnrollDefaultKeys-with-Microsoft-2023.patch
 create mode 100644 debian/patches/UefiCpuPkg-PiSmmCpuDxeSmm-Safe-handling-of-IDT-regis.patch

Summary over all repositories:
  11 files changed, 721 insertions(+), 193 deletions(-)

--
Generated by git-murpp 0.5.0