From: Fiona Ebner <f.ebner@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH qemu-server 2/6] ovmf: enroll ms 2023 cert: pass along parsed drive
Date: Thu, 11 Dec 2025 13:31:22 +0100
Message-ID: <20251211123145.143908-3-f.ebner@proxmox.com>
In-Reply-To: <20251211123145.143908-1-f.ebner@proxmox.com>
This makes the following changes easier.
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
src/PVE/CLI/qm.pm | 10 +++++-----
src/PVE/QemuServer.pm | 3 ++-
src/PVE/QemuServer/OVMF.pm | 11 ++++-------
3 files changed, 11 insertions(+), 13 deletions(-)
diff --git a/src/PVE/CLI/qm.pm b/src/PVE/CLI/qm.pm
index ca57409f..adf90f3c 100755
--- a/src/PVE/CLI/qm.pm
+++ b/src/PVE/CLI/qm.pm
@@ -30,7 +30,7 @@ use PVE::Tools qw(extract_param file_get_contents);
use PVE::API2::Qemu::Agent;
use PVE::API2::Qemu;
use PVE::QemuConfig;
-use PVE::QemuServer::Drive qw(is_valid_drivename);
+use PVE::QemuServer::Drive qw(is_valid_drivename parse_drive print_drive);
use PVE::QemuServer::Helpers;
use PVE::QemuServer::Agent;
use PVE::QemuServer::ImportDisk;
@@ -729,9 +729,9 @@ __PACKAGE__->register_method({
my $storecfg = PVE::Storage::config();
- my $updated = PVE::QemuServer::OVMF::ensure_ms_2023_cert_enrolled(
- $storecfg, $vmid, $conf->{efidisk0},
- );
+ my $efidisk = parse_drive('efidisk0', $conf->{efidisk0});
+ my $updated =
+ PVE::QemuServer::OVMF::ensure_ms_2023_cert_enrolled($storecfg, $vmid, $efidisk);
if (!$updated) {
print "skipping - no pre-enrolled keys or already got ms-cert=2023 marker\n";
@@ -746,7 +746,7 @@ __PACKAGE__->register_method({
eval { PVE::Tools::assert_if_modified($conf->{digest}, $locked_conf->{digest}) };
die "VM ${vmid}: $@" if $@;
- $locked_conf->{efidisk0} = $updated;
+ $locked_conf->{efidisk0} = print_drive($updated);
PVE::QemuConfig->write_config($vmid, $locked_conf);
print "successfully updated efidisk\n";
},
diff --git a/src/PVE/QemuServer.pm b/src/PVE/QemuServer.pm
index d634251b..86f1347c 100644
--- a/src/PVE/QemuServer.pm
+++ b/src/PVE/QemuServer.pm
@@ -5424,7 +5424,8 @@ my sub check_efi_vars {
return if !$conf->{ostype};
return if $conf->{ostype} ne 'win10' && $conf->{ostype} ne 'win11';
- if (PVE::QemuServer::OVMF::should_enroll_ms_2023_cert($conf->{efidisk0})) {
+ my $efidisk = parse_drive('efidisk0', $conf->{efidisk0});
+ if (PVE::QemuServer::OVMF::should_enroll_ms_2023_cert($efidisk)) {
# TODO: make the first print a log_warn with PVE 9.2 to make it more noticeable!
print "EFI disk without 'ms-cert=2023' option, suggesting that the Microsoft UEFI 2023"
. " certificate is not enrolled yet. The UEFI 2011 certificate expires in June 2026!\n";
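Review bot: the new parse_drive('efidisk0', $conf->{efidisk0}) call in check_efi_vars needs parse_drive to be in scope in src/PVE/QemuServer.pm, but this patch only extends the import list in src/PVE/CLI/qm.pm and no import line is visible for this file. Worth confirming it is already imported here. The visible early returns only test ostype, so a return when $conf->{efidisk0} is unset, placed before the parse, would make the precondition explicit.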
diff --git a/src/PVE/QemuServer/OVMF.pm b/src/PVE/QemuServer/OVMF.pm
index e5f4cf02..4aa98100 100644
--- a/src/PVE/QemuServer/OVMF.pm
+++ b/src/PVE/QemuServer/OVMF.pm
@@ -279,9 +279,8 @@ sub print_ovmf_commandline {
}
sub should_enroll_ms_2023_cert {
- my ($efidisk_str) = @_;
+ my ($efidisk) = @_;
- my $efidisk = parse_drive('efidisk0', $efidisk_str);
return if !$efidisk->{'pre-enrolled-keys'};
return if $efidisk->{'ms-cert'} && $efidisk->{'ms-cert'} eq '2023';
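Review bot: should_enroll_ms_2023_cert now dereferences its argument at $efidisk->{'pre-enrolled-keys'} with no check that the caller's parse produced a value, and the switch from config string to parsed drive hash is not documented. Since parsing has moved to the callers, consider a guard such as "return if !$efidisk;" at the top and a one-line comment stating that the argument is the result of parse_drive, so a caller still passing the string form fails clearly.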
@@ -289,11 +288,9 @@ sub should_enroll_ms_2023_cert {
}
sub ensure_ms_2023_cert_enrolled {
- my ($storecfg, $vmid, $efidisk_str) = @_;
+ my ($storecfg, $vmid, $efidisk) = @_;
- return if !should_enroll_ms_2023_cert($efidisk_str);
-
- my $efidisk = parse_drive('efidisk0', $efidisk_str);
+ return if !should_enroll_ms_2023_cert($efidisk);
print "efidisk0: enrolling Microsoft UEFI CA 2023\n";
@@ -317,7 +314,7 @@ sub ensure_ms_2023_cert_enrolled {
die "efidisk0: enrolling Microsoft UEFI CA 2023 failed - $err" if $err;
$efidisk->{'ms-cert'} = '2023';
- return print_drive($efidisk);
+ return $efidisk;
}
1;
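Review bot: with "return $efidisk;" the function returns the same hash the caller passed in, after setting $efidisk->{'ms-cert'} = '2023' on it, so the caller's parsed drive is modified in place as a side effect. A short comment on ensure_ms_2023_cert_enrolled saying that the argument is mutated and that the return value is the parsed drive (to be serialized with print_drive by the caller) would make the new contract clear. Also, the visible hunks remove the only parse_drive and print_drive calls shown in OVMF.pm; if nothing else in the file uses them, the import can be trimmed in this patch.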
--
2.47.3
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
Thread overview: 8+ messages
2025-12-11 12:31 [pve-devel] [PATCH-SERIES qemu-server/manager 0/6] improve Microsoft UEFI CA 2023 enrollment Fiona Ebner
2025-12-11 12:31 ` [pve-devel] [PATCH qemu-server 1/6] qm enroll-efi-keys: do not remove EFI disk when config was modified during operation Fiona Ebner
2025-12-11 12:31 ` Fiona Ebner [this message]
2025-12-11 12:31 ` [pve-devel] [PATCH qemu-server 3/6] config: apply pending: code style: avoid some line bloat Fiona Ebner
2025-12-11 12:31 ` [pve-devel] [PATCH qemu-server 4/6] config: apply pending: efi: enroll Microsoft UEFI CA 2023 when setting ms-cert=2023 option Fiona Ebner
2025-12-11 12:31 ` [pve-devel] [PATCH manager 5/6] ui: qemu: hd efi: fix typo in warning Fiona Ebner
2025-12-11 12:31 ` [pve-devel] [PATCH manager 6/6] ui: qemu: hardware: efi: allow enrolling Microsoft UEFI CA 2023 Fiona Ebner
2026-01-07 10:11 ` [pve-devel] [PATCH-SERIES qemu-server/manager 0/6] improve Microsoft UEFI CA 2023 enrollment Fiona Ebner