From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id E26011FF187 for ; Tue, 18 Nov 2025 13:35:32 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 8FE4D1360B; Tue, 18 Nov 2025 13:35:24 +0100 (CET) From: Fiona Ebner To: pve-devel@lists.proxmox.com Date: Tue, 18 Nov 2025 13:34:38 +0100 Message-ID: <20251118123516.112546-1-f.ebner@proxmox.com> X-Mailer: git-send-email 2.47.3 MIME-Version: 1.0 X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1763469290196 X-SPAM-LEVEL: Spam detection results: 0 AWL -0.017 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: [pve-devel] [PATCH-SERIS qemu-server 0/4] vm start: ovmf: do not auto-enroll Microsoft UEFI CA 2023 X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox VE development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pve-devel-bounces@lists.proxmox.com Sender: "pve-devel" As reported in the community forum [0], enrolling the new certificate will trigger BitLocker recovery. It doesn't seem to be possible to detect whether BitLocker is used by looking at the EFI var store (no telling difference in dumps with 'virt-fw-vars --output-json' before and after). Stop auto-enrolling the new Microsoft UEFI 2023 certificate and produce a warning, telling users about the 'qm enroll-efi-keys' command and what steps to take when BitLocker is used to avoid triggering recovery. Thomas found [1], which suggests using 'manage-bde -protectors -disable' which will disable key protectors for the next boot and this was also successfully tested. [0]: https://forum.proxmox.com/threads/173417/post-817164 [1]: https://discussion.fedoraproject.org/t/warning-recent-kek-firmware-update-locks-out-windows-bitlocker-urgent-issue-for-dual-boot-users/155431/5 qemu-server: Fiona Ebner (4): ovmf: enroll ms 2023 cert: change QSD ID to allow calling outside of VM start api/cli: add enroll-efi-keys endpoint ovmf: factor out helper for checking whether MS 2023 certificate should be enrolled vm start: ovmf: do not auto-enroll Microsoft UEFI CA 2023 src/PVE/API2/Qemu.pm | 60 ++++++++++++++++++++++++++++++++++++++ src/PVE/CLI/qm.pm | 2 ++ src/PVE/QemuServer.pm | 21 ++++++------- src/PVE/QemuServer/OVMF.pm | 29 ++++++++++++------ 4 files changed, 91 insertions(+), 21 deletions(-) Summary over all repositories: 4 files changed, 91 insertions(+), 21 deletions(-) -- Generated by git-murpp 0.5.0 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel