From: Fiona Ebner <f.ebner@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH-SERIS qemu-server 0/4] vm start: ovmf: do not auto-enroll Microsoft UEFI CA 2023
Date: Tue, 18 Nov 2025 13:34:38 +0100 [thread overview]
Message-ID: <20251118123516.112546-1-f.ebner@proxmox.com> (raw)
As reported in the community forum [0], enrolling the new certificate
will trigger BitLocker recovery. It doesn't seem to be possible to
detect whether BitLocker is used by looking at the EFI var store (no
telling difference in dumps with 'virt-fw-vars --output-json' before
and after).
Stop auto-enrolling the new Microsoft UEFI 2023 certificate and
produce a warning, telling users about the 'qm enroll-efi-keys'
command and what steps to take when BitLocker is used to avoid
triggering recovery. Thomas found [1], which suggests using
'manage-bde -protectors -disable' which will disable key protectors
for the next boot and this was also successfully tested.
[0]: https://forum.proxmox.com/threads/173417/post-817164
[1]: https://discussion.fedoraproject.org/t/warning-recent-kek-firmware-update-locks-out-windows-bitlocker-urgent-issue-for-dual-boot-users/155431/5
qemu-server:
Fiona Ebner (4):
ovmf: enroll ms 2023 cert: change QSD ID to allow calling outside of
VM start
api/cli: add enroll-efi-keys endpoint
ovmf: factor out helper for checking whether MS 2023 certificate
should be enrolled
vm start: ovmf: do not auto-enroll Microsoft UEFI CA 2023
src/PVE/API2/Qemu.pm | 60 ++++++++++++++++++++++++++++++++++++++
src/PVE/CLI/qm.pm | 2 ++
src/PVE/QemuServer.pm | 21 ++++++-------
src/PVE/QemuServer/OVMF.pm | 29 ++++++++++++------
4 files changed, 91 insertions(+), 21 deletions(-)
Summary over all repositories:
4 files changed, 91 insertions(+), 21 deletions(-)
--
Generated by git-murpp 0.5.0
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
next reply other threads:[~2025-11-18 12:35 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-18 12:34 Fiona Ebner [this message]
2025-11-18 12:34 ` [pve-devel] [PATCH qemu-server 1/4] ovmf: enroll ms 2023 cert: change QSD ID to allow calling outside of VM start Fiona Ebner
2025-11-18 12:34 ` [pve-devel] [PATCH qemu-server 2/4] api/cli: add enroll-efi-keys endpoint Fiona Ebner
2025-11-18 12:58 ` Fabian Grünbichler
2025-11-18 13:07 ` Thomas Lamprecht
2025-11-18 13:09 ` Fabian Grünbichler
2025-11-18 14:11 ` Thomas Lamprecht
2025-11-18 12:34 ` [pve-devel] [PATCH qemu-server 3/4] ovmf: factor out helper for checking whether MS 2023 certificate should be enrolled Fiona Ebner
2025-11-18 12:34 ` [pve-devel] [PATCH qemu-server 4/4] vm start: ovmf: do not auto-enroll Microsoft UEFI CA 2023 Fiona Ebner
2025-11-18 13:30 ` [pve-devel] [PATCH-SERIS qemu-server 0/4] " Thomas Lamprecht
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251118123516.112546-1-f.ebner@proxmox.com \
--to=f.ebner@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.