* [pve-devel] [PATCH qemu-server v2 1/9] qm enroll-efi-keys: do not remove EFI disk when config was modified during operation
2026-01-13 10:54 [pve-devel] [PATCH-SERIES qemu-server/manager v2 0/9] improve Microsoft+Windows UEFI CA 2023 enrollment Fiona Ebner
@ 2026-01-13 10:54 ` Fiona Ebner
2026-01-13 10:54 ` [pve-devel] [PATCH qemu-server v2 2/9] ovmf: enroll ms 2023 cert: pass along parsed drive Fiona Ebner
` (7 subsequent siblings)
8 siblings, 0 replies; 10+ messages in thread
From: Fiona Ebner @ 2026-01-13 10:54 UTC (permalink / raw)
To: pve-devel
The EFI disk is already pre-existing and should not be removed in case
the VM configuration was modified during the enrollment operation.
It's not critical if the new certs are enrolled but the marker is not
written to the configuration. Worst case, the operation is just done
again, where virt-fw-vars will just skip enrollment after detecting
that the new certs are already on the disk.
Fixes: 95eb95c3 ("qm enroll-efi-keys: move potential blocking operation out of lock")
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
src/PVE/CLI/qm.pm | 9 +--------
1 file changed, 1 insertion(+), 8 deletions(-)
diff --git a/src/PVE/CLI/qm.pm b/src/PVE/CLI/qm.pm
index 60fe318e..ca57409f 100755
--- a/src/PVE/CLI/qm.pm
+++ b/src/PVE/CLI/qm.pm
@@ -744,14 +744,7 @@ __PACKAGE__->register_method({
my $locked_conf = PVE::QemuConfig->load_config($vmid);
eval { PVE::Tools::assert_if_modified($conf->{digest}, $locked_conf->{digest}) };
- if (my $err = $@) {
- eval {
- my $drive = PVE::QemuServer::Drive::parse_drive('efidisk0', $updated);
- PVE::Storage::vdisk_free($storecfg, $drive->{file});
- };
- warn "failed to clean-up prepared efidisk volume - $@" if $@;
- die "VM ${vmid}: $err";
- }
+ die "VM ${vmid}: $@" if $@;
$locked_conf->{efidisk0} = $updated;
PVE::QemuConfig->write_config($vmid, $locked_conf);
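Review bot: the branch being removed here did more than "clean up": `$updated` carries the same `file` as the pre-existing `efidisk0`, so `vdisk_free($storecfg, $drive->{file})` on a digest mismatch destroyed the VM's existing EFI vars volume. That makes this a data-loss fix, and the commit message would benefit from saying so explicitly rather than only noting the disk is pre-existing. With the bare `die "VM ${vmid}: $@" if $@;` that remains, the certificates may already be on the disk while the marker is not in the config; consider appending a hint that re-running `qm enroll-efi-keys` is safe (as the commit message explains), so operators do not go hunting for a failed enrollment.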
--
2.47.3
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
* [pve-devel] [PATCH qemu-server v2 2/9] ovmf: enroll ms 2023 cert: pass along parsed drive
From: Fiona Ebner @ 2026-01-13 10:54 UTC (permalink / raw)
To: pve-devel
This makes the following changes easier.
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
src/PVE/CLI/qm.pm | 10 +++++-----
src/PVE/QemuServer.pm | 3 ++-
src/PVE/QemuServer/OVMF.pm | 11 ++++-------
3 files changed, 11 insertions(+), 13 deletions(-)
diff --git a/src/PVE/CLI/qm.pm b/src/PVE/CLI/qm.pm
index ca57409f..adf90f3c 100755
--- a/src/PVE/CLI/qm.pm
+++ b/src/PVE/CLI/qm.pm
@@ -30,7 +30,7 @@ use PVE::Tools qw(extract_param file_get_contents);
use PVE::API2::Qemu::Agent;
use PVE::API2::Qemu;
use PVE::QemuConfig;
-use PVE::QemuServer::Drive qw(is_valid_drivename);
+use PVE::QemuServer::Drive qw(is_valid_drivename parse_drive print_drive);
use PVE::QemuServer::Helpers;
use PVE::QemuServer::Agent;
use PVE::QemuServer::ImportDisk;
@@ -729,9 +729,9 @@ __PACKAGE__->register_method({
my $storecfg = PVE::Storage::config();
- my $updated = PVE::QemuServer::OVMF::ensure_ms_2023_cert_enrolled(
- $storecfg, $vmid, $conf->{efidisk0},
- );
+ my $efidisk = parse_drive('efidisk0', $conf->{efidisk0});
+ my $updated =
+ PVE::QemuServer::OVMF::ensure_ms_2023_cert_enrolled($storecfg, $vmid, $efidisk);
if (!$updated) {
print "skipping - no pre-enrolled keys or already got ms-cert=2023 marker\n";
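Review bot: `parse_drive('efidisk0', $conf->{efidisk0})` is called without a visible guard that `efidisk0` is configured at all; if such a check lives above this hunk, fine, otherwise an undefined value produces a parse error rather than a clear "VM has no efidisk0" message. Also, `$updated` changes from a string to a hashref here, and the `if (!$updated)` below keeps working only because `ensure_ms_2023_cert_enrolled` still returns undef when it skips; a short comment on that contract would help.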
@@ -746,7 +746,7 @@ __PACKAGE__->register_method({
eval { PVE::Tools::assert_if_modified($conf->{digest}, $locked_conf->{digest}) };
die "VM ${vmid}: $@" if $@;
- $locked_conf->{efidisk0} = $updated;
+ $locked_conf->{efidisk0} = print_drive($updated);
PVE::QemuConfig->write_config($vmid, $locked_conf);
print "successfully updated efidisk\n";
},
diff --git a/src/PVE/QemuServer.pm b/src/PVE/QemuServer.pm
index a50a1518..1e09145f 100644
--- a/src/PVE/QemuServer.pm
+++ b/src/PVE/QemuServer.pm
@@ -5425,7 +5425,8 @@ my sub check_efi_vars {
return if !$conf->{ostype};
return if $conf->{ostype} ne 'win10' && $conf->{ostype} ne 'win11';
- if (PVE::QemuServer::OVMF::should_enroll_ms_2023_cert($conf->{efidisk0})) {
+ my $efidisk = parse_drive('efidisk0', $conf->{efidisk0});
+ if (PVE::QemuServer::OVMF::should_enroll_ms_2023_cert($efidisk)) {
# TODO: make the first print a log_warn with PVE 9.2 to make it more noticeable!
print "EFI disk without 'ms-cert=2023' option, suggesting that the Microsoft UEFI 2023"
. " certificate is not enrolled yet. The UEFI 2011 certificate expires in June 2026!\n";
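Review bot: `check_efi_vars` parses `$conf->{efidisk0}` right after the ostype checks, but nothing in this hunk guards against a Windows VM that has no EFI disk (SeaBIOS). Depending on how `parse_drive` treats an undefined value, this either dies during the check or hands undef to `should_enroll_ms_2023_cert`, where `$efidisk->{'pre-enrolled-keys'}` autovivifies and the hint about a missing `ms-cert=2023` is printed for a VM without an EFI disk. The old string-based call had the same gap, so if there is no earlier `return if !$conf->{efidisk0};`, this is a good place to add one.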
diff --git a/src/PVE/QemuServer/OVMF.pm b/src/PVE/QemuServer/OVMF.pm
index e5f4cf02..4aa98100 100644
--- a/src/PVE/QemuServer/OVMF.pm
+++ b/src/PVE/QemuServer/OVMF.pm
@@ -279,9 +279,8 @@ sub print_ovmf_commandline {
}
sub should_enroll_ms_2023_cert {
- my ($efidisk_str) = @_;
+ my ($efidisk) = @_;
- my $efidisk = parse_drive('efidisk0', $efidisk_str);
return if !$efidisk->{'pre-enrolled-keys'};
return if $efidisk->{'ms-cert'} && $efidisk->{'ms-cert'} eq '2023';
@@ -289,11 +288,9 @@ sub should_enroll_ms_2023_cert {
}
sub ensure_ms_2023_cert_enrolled {
- my ($storecfg, $vmid, $efidisk_str) = @_;
+ my ($storecfg, $vmid, $efidisk) = @_;
- return if !should_enroll_ms_2023_cert($efidisk_str);
-
- my $efidisk = parse_drive('efidisk0', $efidisk_str);
+ return if !should_enroll_ms_2023_cert($efidisk);
print "efidisk0: enrolling Microsoft UEFI CA 2023\n";
@@ -317,7 +314,7 @@ sub ensure_ms_2023_cert_enrolled {
die "efidisk0: enrolling Microsoft UEFI CA 2023 failed - $err" if $err;
$efidisk->{'ms-cert'} = '2023';
- return print_drive($efidisk);
+ return $efidisk;
}
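Review bot: `ensure_ms_2023_cert_enrolled` now both mutates the caller's hashref (`$efidisk->{'ms-cert'} = '2023';`) and returns it. Either document that the passed-in parsed drive is modified in place, or return a copy; a caller that ignores the return value (as `drive_change` in a later patch does) otherwise depends silently on the in-place change.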
1;
--
2.47.3
* [pve-devel] [PATCH qemu-server v2 3/9] config: apply pending: code style: avoid some line bloat
From: Fiona Ebner @ 2026-01-13 10:54 UTC (permalink / raw)
To: pve-devel
Also in preparation to re-use the parsed drive.
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
src/PVE/QemuServer.pm | 8 ++------
1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/src/PVE/QemuServer.pm b/src/PVE/QemuServer.pm
index 1e09145f..80ee4542 100644
--- a/src/PVE/QemuServer.pm
+++ b/src/PVE/QemuServer.pm
@@ -4987,12 +4987,8 @@ sub vmconfig_apply_pending {
next if $opt eq 'delete'; # just to be sure
eval {
if (defined($conf->{$opt}) && is_valid_drivename($opt)) {
- vmconfig_register_unused_drive(
- $storecfg,
- $vmid,
- $conf,
- parse_drive($opt, $conf->{$opt}),
- );
+ my $old_drive = parse_drive($opt, $conf->{$opt});
+ vmconfig_register_unused_drive($storecfg, $vmid, $conf, $old_drive);
} elsif (defined($conf->{pending}->{$opt}) && $opt =~ m/^net\d+$/) {
my $new_net = PVE::QemuServer::Network::parse_net($conf->{pending}->{$opt});
if ($conf->{$opt}) {
--
2.47.3
* [pve-devel] [PATCH qemu-server v2 4/9] config: apply pending: efi: enroll Microsoft UEFI CA 2023 when setting ms-cert=2023 option
From: Fiona Ebner @ 2026-01-13 10:54 UTC (permalink / raw)
To: pve-devel
Like this, the 'qm enroll-efi-keys' operation can be done via API too.
The previous Microsoft UEFI CA 2011 will expire in June 2026, so there
should be a way to update that can be automated and done as a pending
change while guests are running.
Suggested-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Suggested-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
Changes in v2:
* improve readability/structure of drive_change() function
src/PVE/QemuServer.pm | 9 +++++++++
src/PVE/QemuServer/OVMF.pm | 20 ++++++++++++++++++++
2 files changed, 29 insertions(+)
diff --git a/src/PVE/QemuServer.pm b/src/PVE/QemuServer.pm
index 80ee4542..5d2d4f78 100644
--- a/src/PVE/QemuServer.pm
+++ b/src/PVE/QemuServer.pm
@@ -4989,6 +4989,15 @@ sub vmconfig_apply_pending {
if (defined($conf->{$opt}) && is_valid_drivename($opt)) {
my $old_drive = parse_drive($opt, $conf->{$opt});
vmconfig_register_unused_drive($storecfg, $vmid, $conf, $old_drive);
+ if ($opt eq 'efidisk0') {
+ my $new_drive = parse_drive($opt, $conf->{pending}->{$opt});
+ PVE::QemuServer::OVMF::drive_change(
+ $storecfg,
+ $vmid,
+ $old_drive,
+ $new_drive,
+ );
+ }
} elsif (defined($conf->{pending}->{$opt}) && $opt =~ m/^net\d+$/) {
my $new_net = PVE::QemuServer::Network::parse_net($conf->{pending}->{$opt});
if ($conf->{$opt}) {
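Review bot: this calls `PVE::QemuServer::OVMF::drive_change`, and through it `ensure_ms_2023_cert_enrolled` (a qemu-storage-daemon FUSE export plus a `virt-fw-vars` run), from inside `vmconfig_apply_pending`. If that function runs under the config lock at VM start, this is exactly the potentially blocking operation that patch 1's `Fixes:` target ("move potential blocking operation out of lock") deliberately moved out of the lock for `qm enroll-efi-keys`; either note why holding the lock is acceptable here or apply the same pattern. Also, correctness depends on the error handling after this `eval` not applying the pending `efidisk0` value when `drive_change` dies, which is outside the hunk; a one-line comment pointing that out would help the next reader.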
diff --git a/src/PVE/QemuServer/OVMF.pm b/src/PVE/QemuServer/OVMF.pm
index 4aa98100..436edb47 100644
--- a/src/PVE/QemuServer/OVMF.pm
+++ b/src/PVE/QemuServer/OVMF.pm
@@ -5,6 +5,7 @@ use warnings;
use JSON qw(to_json);
+use PVE::GuestHelpers qw(safe_string_ne);
use PVE::RESTEnvironment qw(log_warn);
use PVE::Storage;
use PVE::Tools;
@@ -317,4 +318,23 @@ sub ensure_ms_2023_cert_enrolled {
return $efidisk;
}
+sub drive_change {
+ my ($storecfg, $vmid, $old_drive, $new_drive) = @_;
+
+ if (
+ $old_drive->{file} eq $new_drive->{file} # change affecting the same volume
+ && safe_string_ne($old_drive->{'ms-cert'}, $new_drive->{'ms-cert'}) # ms-cert changed
+ && $new_drive->{'ms-cert'}
+ && $new_drive->{'ms-cert'} eq '2023'
+ ) {
+ # The ms-cert marker was newly changed to 2023, ensure it's enrolled. Clear it first to
+ # avoid detecting as already enrolled.
+ delete $new_drive->{'ms-cert'};
+ ensure_ms_2023_cert_enrolled($storecfg, $vmid, $new_drive);
+ }
+
+ # Otherwise, there is nothing special to do. Note that changing away from ms-cert=2023 is
+ # allowed too, the marker is not the source of truth.
+}
+
1;
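Review bot: when `ms-cert` is changed to 2023 on a disk without `pre-enrolled-keys`, `should_enroll_ms_2023_cert` returns early, `ensure_ms_2023_cert_enrolled` returns undef, `drive_change` does not die, and the pending `ms-cert=2023` marker is still applied, so a config can end up claiming an enrollment that never happened. The comment says the marker is not the source of truth, but a `log_warn` (already imported at the top of this file) on that path, or dying so the pending change is rejected, would avoid a misleading config. Minor: `delete $new_drive->{'ms-cert'};` mutates the parsed pending drive only to defeat the already-enrolled check; a `force` parameter on `ensure_ms_2023_cert_enrolled` would express the intent more clearly than clearing and re-setting the marker.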
--
2.47.3
* [pve-devel] [PATCH qemu-server v2 5/9] ovmf: also enroll the Windows UEFI CA 2023 key
From: Fiona Ebner @ 2026-01-13 10:54 UTC (permalink / raw)
To: pve-devel
It's a separate one from the Microsoft key [0] and is only selected
by virt-fw-vars when using '--distro-keys windows'.
[0]: https://support.microsoft.com/en-au/topic/enterprise-deployment-guidance-for-cve-2023-24932-88b8f034-20b7-4a45-80cb-c6049b0f9967#id0ebbj=overview&id0ebbh=overview&id0ebbf=overview&id0ebbl=table_of_certificates
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
New in v2.
src/PVE/QemuServer/OVMF.pm | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/PVE/QemuServer/OVMF.pm b/src/PVE/QemuServer/OVMF.pm
index 436edb47..a8317ea6 100644
--- a/src/PVE/QemuServer/OVMF.pm
+++ b/src/PVE/QemuServer/OVMF.pm
@@ -305,7 +305,16 @@ sub ensure_ms_2023_cert_enrolled {
my $efi_vars_path =
PVE::QemuServer::QSD::add_fuse_export($qsd_id, $efidisk, 'efidisk0-enroll');
PVE::Tools::run_command(
- ['virt-fw-vars', '--inplace', $efi_vars_path, '--distro-keys', 'ms-uefi']);
+ [
+ 'virt-fw-vars',
+ '--inplace',
+ $efi_vars_path,
+ '--distro-keys',
+ 'ms-uefi',
+ '--distro-keys',
+ 'windows',
+ ],
+ );
PVE::QemuServer::QSD::remove_fuse_export($qsd_id, 'efidisk0-enroll');
};
my $err = $@;
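Review bot: with `--distro-keys windows` added, the `print "efidisk0: enrolling Microsoft UEFI CA 2023\n";` and `die "efidisk0: enrolling Microsoft UEFI CA 2023 failed - $err"` messages around this hunk (visible in patch 2) now understate what is enrolled; update them to name the Windows UEFI CA 2023 as well. The commit message also relies on virt-fw-vars skipping certificates that are already present; since a disk marked `ms-cert=2023` is run through this same command again to pick up only the Windows CA, that idempotence is load-bearing and deserves a comment next to the `run_command` call.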
--
2.47.3
* [pve-devel] [PATCH qemu-server v2 6/9] efi disk: distinguish between having only MS 2023 cert and also having Windows 2023 cert
From: Fiona Ebner @ 2026-01-13 10:54 UTC (permalink / raw)
To: pve-devel
Like this, the need to enroll the Windows 2023 cert can easily be
detected and done for drives where the Microsoft 2023 cert was already
enrolled.
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
New in v2.
src/PVE/CLI/qm.pm | 2 +-
src/PVE/QemuServer.pm | 2 +-
src/PVE/QemuServer/Drive.pm | 6 ++++--
src/PVE/QemuServer/OVMF.pm | 8 ++++----
4 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/src/PVE/CLI/qm.pm b/src/PVE/CLI/qm.pm
index adf90f3c..bdae9641 100755
--- a/src/PVE/CLI/qm.pm
+++ b/src/PVE/CLI/qm.pm
@@ -734,7 +734,7 @@ __PACKAGE__->register_method({
PVE::QemuServer::OVMF::ensure_ms_2023_cert_enrolled($storecfg, $vmid, $efidisk);
if (!$updated) {
- print "skipping - no pre-enrolled keys or already got ms-cert=2023 marker\n";
+ print "skipping - no pre-enrolled keys or already got ms-cert=2023w marker\n";
return;
}
diff --git a/src/PVE/QemuServer.pm b/src/PVE/QemuServer.pm
index 5d2d4f78..3e8be180 100644
--- a/src/PVE/QemuServer.pm
+++ b/src/PVE/QemuServer.pm
@@ -5433,7 +5433,7 @@ my sub check_efi_vars {
my $efidisk = parse_drive('efidisk0', $conf->{efidisk0});
if (PVE::QemuServer::OVMF::should_enroll_ms_2023_cert($efidisk)) {
# TODO: make the first print a log_warn with PVE 9.2 to make it more noticeable!
- print "EFI disk without 'ms-cert=2023' option, suggesting that the Microsoft UEFI 2023"
+ print "EFI disk without 'ms-cert=2023w' option, suggesting that the Microsoft UEFI 2023"
. " certificate is not enrolled yet. The UEFI 2011 certificate expires in June 2026!\n";
print "While the VM is shut down, run 'qm enroll-efi-keys $vmid' to enroll it.\n";
print "If the VM uses BitLocker, run the following command inside Windows Powershell:\n";
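Review bot: the updated message says a missing `ms-cert=2023w` suggests "the Microsoft UEFI 2023 certificate is not enrolled yet", but for disks already at `ms-cert=2023` the Microsoft CA is enrolled and only the Windows UEFI CA 2023 is missing. Wording the hint as "Microsoft and Windows UEFI CA 2023 certificates", and for the `2023` case saying that only the Windows CA is missing, would keep operators from assuming their earlier enrollment failed.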
diff --git a/src/PVE/QemuServer/Drive.pm b/src/PVE/QemuServer/Drive.pm
index 0d59d1df..ae907b5c 100644
--- a/src/PVE/QemuServer/Drive.pm
+++ b/src/PVE/QemuServer/Drive.pm
@@ -523,10 +523,12 @@ my %efitype_fmt = (
},
'ms-cert' => {
type => 'string',
- enum => [qw(2011 2023)],
+ enum => [qw(2011 2023 2023w)],
description =>
"Informational marker indicating the version of the latest Microsoft UEFI certificate"
- . " that has been enrolled by Proxmox VE.",
+ . " that has been enrolled by Proxmox VE. The value '2023w' means that both the"
+ . " 'Microsoft UEFI CA 2023' and the 'Windows UEFI CA 2023' certificates are included."
+ . " The value '2023' is deprecated and for compatibility only.",
optional => 1,
default => '2011',
},
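Review bot: the description marks `'2023'` as deprecated but does not say what it means; state that it marks a disk where only the 'Microsoft UEFI CA 2023' was enrolled (without the 'Windows UEFI CA 2023'), so readers of the schema understand why `2023w` supersedes it and why tooling treats `2023` as still needing enrollment.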
diff --git a/src/PVE/QemuServer/OVMF.pm b/src/PVE/QemuServer/OVMF.pm
index a8317ea6..01b037ef 100644
--- a/src/PVE/QemuServer/OVMF.pm
+++ b/src/PVE/QemuServer/OVMF.pm
@@ -180,7 +180,7 @@ sub create_efidisk($$$$$$$$) {
my $size = PVE::Storage::volume_size_info($storecfg, $volid, 3);
if ($efidisk->{'pre-enrolled-keys'} && is_ms_2023_cert_enrolled($ovmf_vars)) {
- $efidisk->{'ms-cert'} = '2023';
+ $efidisk->{'ms-cert'} = '2023w';
}
return ($volid, $size / 1024);
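Review bot: `create_efidisk` now writes `ms-cert=2023w` whenever `is_ms_2023_cert_enrolled($ovmf_vars)` is true, but that helper's name suggests it checks only for the Microsoft UEFI CA 2023 in the OVMF vars template. If it does not also verify the Windows UEFI CA 2023, a template that ships only the Microsoft CA gets marked `2023w` and is never picked up by `should_enroll_ms_2023_cert`. Either extend the check or rename it to make clear that both certificates are verified.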
@@ -283,7 +283,7 @@ sub should_enroll_ms_2023_cert {
my ($efidisk) = @_;
return if !$efidisk->{'pre-enrolled-keys'};
- return if $efidisk->{'ms-cert'} && $efidisk->{'ms-cert'} eq '2023';
+ return if $efidisk->{'ms-cert'} && $efidisk->{'ms-cert'} eq '2023w';
return 1;
}
@@ -323,7 +323,7 @@ sub ensure_ms_2023_cert_enrolled {
die "efidisk0: enrolling Microsoft UEFI CA 2023 failed - $err" if $err;
- $efidisk->{'ms-cert'} = '2023';
+ $efidisk->{'ms-cert'} = '2023w';
return $efidisk;
}
@@ -334,7 +334,7 @@ sub drive_change {
$old_drive->{file} eq $new_drive->{file} # change affecting the same volume
&& safe_string_ne($old_drive->{'ms-cert'}, $new_drive->{'ms-cert'}) # ms-cert changed
&& $new_drive->{'ms-cert'}
- && $new_drive->{'ms-cert'} eq '2023'
+ && $new_drive->{'ms-cert'} =~ m/^2023/
) {
# The ms-cert marker was newly changed to 2023, ensure it's enrolled. Clear it first to
# avoid detecting as already enrolled.
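Review bot: `m/^2023/` also matches a change from `2023w` back to `2023` on the same volume (`safe_string_ne` is true and the new value starts with 2023), which re-runs the enrollment and leaves the parsed drive marked `2023w` while the pending string `2023` is what gets applied. Harmless because virt-fw-vars skips present certificates, but `eq '2023w'` (or additionally excluding `$old_drive->{'ms-cert'} eq '2023w'`) expresses the intent of the comment above the condition, which itself still says "changed to 2023" and should mention `2023w`.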
--
2.47.3
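An operator applying this series wants to know which VMs still need `qm enroll-efi-keys` before the 2011 CAs expire. The script below is an added example for this thread, not code from the patch series or from Proxmox VE: it reads qemu-server configs, parses the `efidisk0` property string the way the series treats it (bare first token is `file`, `pre-enrolled-keys` is a boolean, `ms-cert` is 2011/2023/2023w with 2011 as the schema default) and classifies each VM with the rules from `check_efi_vars`, `should_enroll_ms_2023_cert` and `drive_change`: only win10/win11 guests with pre-enrolled keys are candidates, `ms-cert=2023` still lacks the Windows UEFI CA 2023, and a pending change to `2023w` on the same volume will be enrolled on apply. The `/etc/pve/qemu-server` path and the `[PENDING]` section name are assumptions about the on-disk format; the sample configs are constructed for the example.

```python
"""Audit Proxmox VE qemu-server configs for EFI disks that still lack ms-cert=2023w.

Added example for the pve-devel thread, not code from the series or Proxmox VE.
Config path and '[PENDING]' section name are assumptions about the on-disk format.
"""
import re
from pathlib import Path

TRUE_VALUES = {"1", "on", "yes", "true"}
WINDOWS_OSTYPES = {"win10", "win11"}


def parse_property_string(value: str, default_key: str = "file") -> dict:
    """Parse 'a=b,c=d' into a dict; a bare token maps to default_key, like PVE's parser."""
    props = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            key, val = part.split("=", 1)
            props[key.strip()] = val.strip()
        elif default_key not in props:
            props[default_key] = part
        else:
            raise ValueError(f"duplicate bare value in property string: {value!r}")
    return props


def parse_vm_config(text: str) -> dict:
    """Split a config into sections: '' (current values), 'PENDING', and snapshots."""
    sections = {"": {}}
    current = ""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        key, _, val = line.partition(":")
        sections[current][key.strip()] = val.strip()
    return sections


def efi_enroll_status(sections: dict) -> str:
    """Classify one VM: not-windows, no-efidisk, no-pre-enrolled-keys, enrolled,
    pending-enrollment, ms-only (Microsoft CA only) or needs-enrollment."""
    conf = sections[""]
    if conf.get("ostype") not in WINDOWS_OSTYPES:
        return "not-windows"
    if "efidisk0" not in conf:
        return "no-efidisk"
    drive = parse_property_string(conf["efidisk0"])
    if drive.get("pre-enrolled-keys", "0").lower() not in TRUE_VALUES:
        return "no-pre-enrolled-keys"
    marker = drive.get("ms-cert", "2011")  # schema default from the series
    if marker == "2023w":
        return "enrolled"
    pending = sections.get("PENDING", {})
    if "efidisk0" in pending:
        pend = parse_property_string(pending["efidisk0"])
        # same volume with the new marker: drive_change() enrolls when the change is applied
        if pend.get("file") == drive.get("file") and pend.get("ms-cert") == "2023w":
            return "pending-enrollment"
    return "ms-only" if marker == "2023" else "needs-enrollment"


def audit(configs: dict) -> dict:
    """Map VMID -> status for a {filename: config text} mapping."""
    return {
        name.removesuffix(".conf"): efi_enroll_status(parse_vm_config(text))
        for name, text in sorted(configs.items())
    }


def audit_directory(path: str = "/etc/pve/qemu-server") -> dict:
    """Audit every VM config on a node (default path assumed to be where PVE keeps them)."""
    return audit({f.name: f.read_text() for f in Path(path).glob("*.conf")})


# Constructed sample configs, one per status the audit can report.
SAMPLE_CONFIGS = {
    "100.conf": "ostype: win11\nbios: ovmf\n"
    "efidisk0: local-lvm:vm-100-disk-0,efitype=4m,pre-enrolled-keys=1,size=4M\n",
    "101.conf": "ostype: win10\nbios: ovmf\n"
    "efidisk0: local-lvm:vm-101-disk-0,efitype=4m,ms-cert=2023,pre-enrolled-keys=1,size=4M\n",
    "102.conf": "ostype: win11\nbios: ovmf\n"
    "efidisk0: local:102/vm-102-disk-0.qcow2,efitype=4m,ms-cert=2023w,pre-enrolled-keys=1,size=528K\n",
    "103.conf": "ostype: win11\nbios: ovmf\n"
    "efidisk0: local-lvm:vm-103-disk-0,efitype=4m,pre-enrolled-keys=1,size=4M\n"
    "[PENDING]\n"
    "efidisk0: local-lvm:vm-103-disk-0,efitype=4m,ms-cert=2023w,pre-enrolled-keys=1,size=4M\n",
    "104.conf": "ostype: l26\nbios: ovmf\n"
    "efidisk0: local-lvm:vm-104-disk-0,efitype=4m,pre-enrolled-keys=1,size=4M\n",
    "105.conf": "ostype: win11\nbios: ovmf\n"
    "efidisk0: local-lvm:vm-105-disk-0,efitype=4m,pre-enrolled-keys=0,size=4M\n",
}

if __name__ == "__main__":
    for vmid, status in audit(SAMPLE_CONFIGS).items():
        print(f"VM {vmid}: {status}")
```

Run it on a node with `audit_directory()` to get the same mapping for real configs; VMs reported as `needs-enrollment` or `ms-only` are the ones to shut down and run `qm enroll-efi-keys` on (after suspending BitLocker, as the series' messages say), while `pending-enrollment` VMs get enrolled on their next start. Non-Windows guests are reported as `not-windows` because the series only checks `win10`/`win11`; the script follows that filter rather than extending it.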
* [pve-devel] [PATCH manager v2 7/9] ui: qemu: hd efi: fix typo in warning
From: Fiona Ebner @ 2026-01-13 10:54 UTC (permalink / raw)
To: pve-devel
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
www/manager6/qemu/HDEfi.js | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/www/manager6/qemu/HDEfi.js b/www/manager6/qemu/HDEfi.js
index 6371ebe4..1ae63add 100644
--- a/www/manager6/qemu/HDEfi.js
+++ b/www/manager6/qemu/HDEfi.js
@@ -80,7 +80,7 @@ Ext.define('PVE.qemu.EFIDiskInputPanel', {
},
{
xtype: 'label',
- text: gettext("Warning: The VM currently does not uses 'OVMF (UEFI)' as BIOS."),
+ text: gettext("Warning: The VM currently does not use 'OVMF (UEFI)' as BIOS."),
userCls: 'pmx-hint',
hidden: me.usesEFI,
},
--
2.47.3
* [pve-devel] [PATCH manager v2 8/9] ui: qemu: hardware: efi: allow enrolling Microsoft+Windows UEFI CA 2023
From: Fiona Ebner @ 2026-01-13 10:54 UTC (permalink / raw)
To: pve-devel
When the following conditions are met:
- no pending change on the EFI disk
- OS type Windows 10 or 11
- EFI disk has pre-enrolled-keys
- There is no ms-cert=2023 marker yet
suggest enrolling the new Microsoft and Windows UEFI CA 2023.
The previous Microsoft UEFI CA 2011 will expire in June 2026 and the
previous Windows UEFI CA 2011 will expire in October 2026, so there
needs to be an easy way to update.
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
Changes in v2:
* add more context to confirm dialog
www/manager6/qemu/HardwareView.js | 82 +++++++++++++++++++++++++++++++
1 file changed, 82 insertions(+)
diff --git a/www/manager6/qemu/HardwareView.js b/www/manager6/qemu/HardwareView.js
index cf5e2a0f..69216932 100644
--- a/www/manager6/qemu/HardwareView.js
+++ b/www/manager6/qemu/HardwareView.js
@@ -442,6 +442,67 @@ Ext.define('PVE.qemu.HardwareView', {
handler: run_editor,
});
+ let runEfiEnroll = function () {
+ let rec = sm.getSelection()[0];
+ if (!rec) {
+ return;
+ }
+
+ let efidisk = PVE.Parser.parsePropertyString(rec.data.value, 'file');
+ efidisk['ms-cert'] = '2023';
+
+ let params = {};
+ params[rec.data.key] = PVE.Parser.printPropertyString(efidisk);
+ Proxmox.Utils.API2Request({
+ url: `/api2/extjs/${baseurl}`,
+ waitMsgTarget: me,
+ method: 'POST',
+ params: params,
+ callback: () => me.reload(),
+ failure: (response) => Ext.Msg.alert('Error', response.htmlStatus),
+ success: function (response, options) {
+ if (response.result.data !== null) {
+ Ext.create('Proxmox.window.TaskProgress', {
+ autoShow: true,
+ upid: response.result.data,
+ listeners: {
+ destroy: () => me.reload(),
+ },
+ });
+ }
+ },
+ });
+ };
+
+ let efiEnrollButton = new Proxmox.button.Button({
+ text: gettext('Enroll updated certificates'),
+ selModel: sm,
+ disabled: true,
+ hidden: true,
+ handler: runEfiEnroll,
+ confirmMsg:
+ gettext(
+ 'Enroll the Microsoft and Windows UEFI 2023 CA required for secure boot update.'
+ ) +
+ '<br>' +
+ gettext(
+ 'If the VM uses BitLocker, run the following command inside Windows Powershell:',
+ ) +
+ '<br><code>manage-bde -protectors -disable <drive></code><br>' +
+ Ext.String.format(
+ // TRANSLATORS: for a shell command: "placeholder could be 'concrete value'"
+ gettext("For example, {0} could be '{1}'."),
+ '<code><drive></code>',
+ '<code>C:</code>',
+ ) +
+ '<br>' +
+ gettext('This is required for each drive with BitLocker before proceeding!') +
+ '<br>' +
+ gettext(
+ 'Otherwise, you will be prompted for the BitLocker recovery key on the next boot!',
+ ),
+ });
+
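Review bot: `'<br><code>manage-bde -protectors -disable <drive></code><br>'` and `'<code><drive></code>'` place a literal `<drive>` into a string that is rendered as HTML, so the browser treats it as an unknown tag and the placeholder vanishes from the confirm dialog, leaving `manage-bde -protectors -disable` with nothing after it; escape it as `&lt;drive&gt;` (or run the fragment through `Ext.String.htmlEncode`). The Perl variant in `check_efi_vars` prints plain text and does not have this problem. Also, `'Enroll the Microsoft and Windows UEFI 2023 CA required for secure boot update.'` reads better as "Enroll the Microsoft and Windows UEFI CA 2023 certificates required for the Secure Boot update.", and since patch 4 makes this a pending change on a running VM, the dialog should say that the enrollment then happens on the next start, which is when the BitLocker suspension must be in effect.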
let move_menuitem = new Ext.menu.Item({
text: gettext('Move Storage'),
tooltip: gettext('Move disk to another storage'),
@@ -616,6 +677,8 @@ Ext.define('PVE.qemu.HardwareView', {
let selection_model = me.getSelectionModel();
let rec = selection_model.getSelection()[0];
+ let isWin10or11 = false;
+
counts = {}; // en/disable hardwarebuttons
let hasCloudInit = false;
me.rstore.getData().items.forEach(function ({ id, data }) {
@@ -629,6 +692,10 @@ Ext.define('PVE.qemu.HardwareView', {
let type = match[1];
counts[type] = (counts[type] || 0) + 1;
}
+
+ if (id === 'ostype' && (data.value === 'win10' || data.value === 'win11')) {
+ isWin10or11 = true;
+ }
});
// heuristic only for disabling some stuff, the backend has the final word.
@@ -655,6 +722,7 @@ Ext.define('PVE.qemu.HardwareView', {
if (!rec) {
remove_btn.disable();
edit_btn.disable();
+ efiEnrollButton.disable();
diskaction_btn.disable();
revert_btn.disable();
return;
@@ -686,6 +754,16 @@ Ext.define('PVE.qemu.HardwareView', {
);
remove_btn.RESTMethod = isUnusedDisk || (isDisk && isRunning) ? 'POST' : 'PUT';
+ let suggestEfiEnroll = false;
+ if (isEfi) {
+ let drive = PVE.Parser.parsePropertyString(value, 'file');
+ suggestEfiEnroll =
+ !pending &&
+ isWin10or11 &&
+ PVE.Parser.parseBoolean(drive['pre-enrolled-keys'], false) &&
+ drive['ms-cert'] !== '2023';
+ }
+
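Review bot: `suggestEfiEnroll` checks `!pending` but not `deleted`, while `edit_btn.setDisabled(deleted || ...)` right below does; unless `pending` already covers a disk marked for pending deletion, the enroll button could be offered for an EFI disk that is about to be removed, so add `!deleted` to the condition.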
edit_btn.setDisabled(
deleted ||
!row.editor ||
@@ -694,6 +772,9 @@ Ext.define('PVE.qemu.HardwareView', {
(isDisk && !diskCap),
);
+ efiEnrollButton.setDisabled(!suggestEfiEnroll);
+ efiEnrollButton.setHidden(!suggestEfiEnroll);
+
diskaction_btn.setDisabled(
pending || !diskCap || isCloudInit || !(isDisk || isEfi || tpmMoveable),
);
@@ -822,6 +903,7 @@ Ext.define('PVE.qemu.HardwareView', {
},
remove_btn,
edit_btn,
+ efiEnrollButton,
diskaction_btn,
revert_btn,
],
--
2.47.3
* [pve-devel] [PATCH manager v2 9/9] ui: qemu: hardware: efi: use 2023w value when enrolling certs
From: Fiona Ebner @ 2026-01-13 10:54 UTC (permalink / raw)
To: pve-devel
Also detect drives with 'ms-cert=2023' as still needing enrollment,
because they do not yet include the 'Windows UEFI CA 2023' certificate
(only the 'Microsoft UEFI CA 2023' certificate).
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
New in v2.
www/manager6/qemu/HardwareView.js | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/www/manager6/qemu/HardwareView.js b/www/manager6/qemu/HardwareView.js
index 69216932..2c506ab8 100644
--- a/www/manager6/qemu/HardwareView.js
+++ b/www/manager6/qemu/HardwareView.js
@@ -449,7 +449,7 @@ Ext.define('PVE.qemu.HardwareView', {
}
let efidisk = PVE.Parser.parsePropertyString(rec.data.value, 'file');
- efidisk['ms-cert'] = '2023';
+ efidisk['ms-cert'] = '2023w';
let params = {};
params[rec.data.key] = PVE.Parser.printPropertyString(efidisk);
@@ -761,7 +761,7 @@ Ext.define('PVE.qemu.HardwareView', {
!pending &&
isWin10or11 &&
PVE.Parser.parseBoolean(drive['pre-enrolled-keys'], false) &&
- drive['ms-cert'] !== '2023';
+ drive['ms-cert'] !== '2023w';
}
edit_btn.setDisabled(
--
2.47.3