From: Fiona Ebner <f.ebner@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [PATCH qemu-server v4 4/6] ovmf: efi enroll: also enroll the MS 2023 KEK
Date: Mon, 23 Feb 2026 16:25:36 +0100
Message-ID: <20260223152556.197761-5-f.ebner@proxmox.com>
In-Reply-To: <20260223152556.197761-1-f.ebner@proxmox.com>

As reported in the community forum [0], not having the 2023 KEK
enrolled can still lead to errors for secure boot update.

Add a new ms-cert=2023k marker for EFI disks to distinguish.

[0]: https://forum.proxmox.com/threads/173417/post-839474

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---

New in v4.

 src/PVE/CLI/qm.pm           |  2 +-
 src/PVE/QemuServer.pm       |  2 +-
 src/PVE/QemuServer/Drive.pm |  9 +++++----
 src/PVE/QemuServer/OVMF.pm  | 16 +++++++++++++---
 4 files changed, 20 insertions(+), 9 deletions(-)

diff --git a/src/PVE/CLI/qm.pm b/src/PVE/CLI/qm.pm
index f1867337..bfa0d1d5 100755
--- a/src/PVE/CLI/qm.pm
+++ b/src/PVE/CLI/qm.pm
@@ -729,7 +729,7 @@ __PACKAGE__->register_method({
             PVE::QemuServer::OVMF::ensure_ms_2023_cert_enrolled($storecfg, $vmid, $efidisk);
 
         if (!$updated) {
-            print "skipping - no pre-enrolled keys or already got ms-cert=2023w marker\n";
+            print "skipping - no pre-enrolled keys or already got ms-cert=2023k marker\n";
             return;
         }
 
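Review bot: the literal '2023k' now appears in this message and in at least four more places in this patch (the warning text in QemuServer.pm, and create_efidisk, should_enroll_ms_2023_cert and ensure_ms_2023_cert_enrolled in OVMF.pm), so the next marker bump will again have to touch every one of them, exactly as this patch does for '2023w'. Consider exporting a single constant for the current marker from PVE::QemuServer::OVMF and interpolating it into the messages, so a future change is one edit.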
diff --git a/src/PVE/QemuServer.pm b/src/PVE/QemuServer.pm
index 741b2499..0b2e57e4 100644
--- a/src/PVE/QemuServer.pm
+++ b/src/PVE/QemuServer.pm
@@ -5407,7 +5407,7 @@ my sub check_efi_vars {
     my $efidisk = parse_drive('efidisk0', $conf->{efidisk0});
     if (PVE::QemuServer::OVMF::should_enroll_ms_2023_cert($efidisk)) {
         # TODO: make the first print a log_warn with PVE 9.2 to make it more noticeable!
-        print "EFI disk without 'ms-cert=2023w' option, suggesting that not all UEFI 2023\n";
+        print "EFI disk without 'ms-cert=2023k' option, suggesting that not all UEFI 2023\n";
         print "certificates from Microsoft are enrolled yet. The UEFI 2011 certificates expire\n";
         print "in June 2026! The new certificate are required for secure boot update for Windows\n";
         print "and common Linux distributions. Use 'Disk Action > Enroll Updated Certificates'\n";
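Review bot: while this message is being edited, the unchanged context line "The new certificate are required for secure boot update for Windows" should read "The new certificates are required ...". Also, an EFI disk that was enrolled with the previous version and carries the '2023w' marker will now trigger this warning again; it would help to say in the message (or in the docs patch) that re-running 'Disk Action > Enroll Updated Certificates' is expected in that case because only the KEK is missing, so users do not take the repeated warning for a failed earlier enrollment.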
diff --git a/src/PVE/QemuServer/Drive.pm b/src/PVE/QemuServer/Drive.pm
index fa70ee6b..10106ebd 100644
--- a/src/PVE/QemuServer/Drive.pm
+++ b/src/PVE/QemuServer/Drive.pm
@@ -523,12 +523,13 @@ my %efitype_fmt = (
     },
     'ms-cert' => {
         type => 'string',
-        enum => [qw(2011 2023 2023w)],
+        enum => [qw(2011 2023 2023w 2023k)],
         description =>
             "Informational marker indicating the version of the latest Microsoft UEFI certificates"
-            . " that have been enrolled by Proxmox VE. The value '2023w' means that both the"
-            . " 'Microsoft UEFI CA 2023' and the 'Windows UEFI CA 2023' certificates are included."
-            . " The value '2023' is deprecated and for compatibility only.",
+            . " that have been enrolled by Proxmox VE. The value '2023k' means that the 'Microsoft"
+            . " UEFI CA 2023', the 'Windows UEFI CA 2023' and the 'Microsoft Corporation KEK 2K CA"
+            . " 2023' certificates are included. The values '2023' and '2023w' are"
+            . " deprecated and for compatibility only.",
         optional => 1,
         default => '2011',
     },
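Review bot: the new description drops the explanation of what '2023w' means, yet a user whose EFI disk still carries '2023w' can no longer tell from the schema docs what that marker lacks. Suggest keeping a short clause, e.g. "'2023w' means the two CA certificates were enrolled but not the KEK", next to the deprecation note, so the difference to '2023k' is documented where the values are listed.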
diff --git a/src/PVE/QemuServer/OVMF.pm b/src/PVE/QemuServer/OVMF.pm
index 01b037ef..46495837 100644
--- a/src/PVE/QemuServer/OVMF.pm
+++ b/src/PVE/QemuServer/OVMF.pm
@@ -180,7 +180,7 @@ sub create_efidisk($$$$$$$$) {
     my $size = PVE::Storage::volume_size_info($storecfg, $volid, 3);
 
     if ($efidisk->{'pre-enrolled-keys'} && is_ms_2023_cert_enrolled($ovmf_vars)) {
-        $efidisk->{'ms-cert'} = '2023w';
+        $efidisk->{'ms-cert'} = '2023k';
     }
 
     return ($volid, $size / 1024);
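Review bot: create_efidisk now sets the '2023k' marker based on is_ms_2023_cert_enrolled($ovmf_vars), which by its name checks for the 2023 CA certificate in the OVMF vars template, not for the 'Microsoft Corporation KEK 2K CA 2023'. If a vars template ships the updated db entries without the new KEK, the freshly created disk would be marked '2023k' and should_enroll_ms_2023_cert would never offer to add the KEK. Either extend the check to also look for the KEK entry, or document the assumption that templates which carry the 2023 CA also carry the 2023 KEK.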
@@ -283,7 +283,7 @@ sub should_enroll_ms_2023_cert {
     my ($efidisk) = @_;
 
     return if !$efidisk->{'pre-enrolled-keys'};
-    return if $efidisk->{'ms-cert'} && $efidisk->{'ms-cert'} eq '2023w';
+    return if $efidisk->{'ms-cert'} && $efidisk->{'ms-cert'} eq '2023k';
 
     return 1;
 }
@@ -302,6 +302,13 @@ sub ensure_ms_2023_cert_enrolled {
     PVE::QemuServer::QSD::start($qsd_id);
 
     eval {
+        # virt-fw-vars will only apply the --microsoft-kek option when combined with
+        # --enroll-{cert,generate,redhat}. That requires also specifying a platform key, so instead
+        # use the --add-kek option.
+        my $ms_2023_kek_path = '/usr/lib/python3/dist-packages/virt/firmware/certs/'
+            . 'MicrosoftCorporationKEK2KCA2023.pem';
+        # Taken from guids.py in the virt-fw-vars sources.
+        my $ms_vendor_guid = '77fa9abd-0359-4d32-bd60-28f4e78f784b';
         my $efi_vars_path =
             PVE::QemuServer::QSD::add_fuse_export($qsd_id, $efidisk, 'efidisk0-enroll');
         PVE::Tools::run_command(
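Review bot: the PEM path is hard-coded to the Python package layout of virt-firmware under /usr/lib/python3/dist-packages/virt/firmware/certs/, so a packaging change of that module would make the enrollment fail with a virt-fw-vars error only after the QSD instance and the FUSE export are already set up. Suggest checking `-e $ms_2023_kek_path` before PVE::QemuServer::QSD::start (or at least before run_command) and dying with a clear message naming the missing file, or shipping the certificate with qemu-server itself so the path is under this package's control. The hard-coded vendor GUID is fine given the comment pointing at guids.py.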
@@ -313,6 +320,9 @@ sub ensure_ms_2023_cert_enrolled {
                 'ms-uefi',
                 '--distro-keys',
                 'windows',
+                '--add-kek',
+                $ms_vendor_guid,
+                $ms_2023_kek_path,
             ],
         );
         PVE::QemuServer::QSD::remove_fuse_export($qsd_id, 'efidisk0-enroll');
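Review bot: the diffstat shows no packaging change, so if '--add-kek' with the GUID/FILE pair is only available from a certain virt-firmware release, the dependency on that package should be bumped in the same series; otherwise hosts with an older virt-fw-vars will fail here with an unknown-option error after the FUSE export has been created. The argument order GUID then PEM path matches the comment in the previous hunk.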
@@ -323,7 +333,7 @@ sub ensure_ms_2023_cert_enrolled {
 
     die "efidisk0: enrolling Microsoft UEFI CA 2023 failed - $err" if $err;
 
-    $efidisk->{'ms-cert'} = '2023w';
+    $efidisk->{'ms-cert'} = '2023k';
     return $efidisk;
 }
 
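Review bot: the unchanged die message two lines above still says "enrolling Microsoft UEFI CA 2023 failed", but the eval now also adds the 'Microsoft Corporation KEK 2K CA 2023'; a failure of the --add-kek step would be reported under a misleading name. Suggest "enrolling Microsoft UEFI 2023 certificates failed - $err" or similar, matching the plural wording used in patch 2/6 of the series.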
-- 
2.47.3