From: Fiona Ebner <f.ebner@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [PATCH manager v4 5/6] ui: qemu: hardware: efi: allow enrolling UEFI 2023 certs from Microsoft
Date: Mon, 23 Feb 2026 16:25:37 +0100 [thread overview]
Message-ID: <20260223152556.197761-6-f.ebner@proxmox.com> (raw)
In-Reply-To: <20260223152556.197761-1-f.ebner@proxmox.com>
When the following conditions are met:
- no pending change on the EFI disk
- EFI disk has pre-enrolled-keys
- There is no ms-cert=2023k marker yet
suggest enrolling the new UEFI 2023 certificates from Microsoft.
The previous 'Microsoft UEFI CA 2011' and the 'Microsoft Corporation
KEK CA 2011' will expire in June 2026 and the previous 'Windows UEFI
CA 2011' will expire in October 2026, so there needs to be an easy way
to update.
Note that this also detects drives with 'ms-cert=2023' and
'ms-cert=2023w' as still needing enrollment, because they do not yet
include the 'Windows UEFI CA 2023' certificate and/or not include the
2023 KEK.
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
Changes in v4:
* use 2023k instead of 2023w
www/manager6/qemu/HardwareView.js | 89 ++++++++++++++++++++++++++++++-
1 file changed, 88 insertions(+), 1 deletion(-)
diff --git a/www/manager6/qemu/HardwareView.js b/www/manager6/qemu/HardwareView.js
index cf5e2a0f..e9f84b51 100644
--- a/www/manager6/qemu/HardwareView.js
+++ b/www/manager6/qemu/HardwareView.js
@@ -442,6 +442,38 @@ Ext.define('PVE.qemu.HardwareView', {
handler: run_editor,
});
+ let runEfiEnroll = function () {
+ let rec = sm.getSelection()[0];
+ if (!rec) {
+ return;
+ }
+
+ let efidisk = PVE.Parser.parsePropertyString(rec.data.value, 'file');
+ efidisk['ms-cert'] = '2023k';
+
+ let params = {};
+ params[rec.data.key] = PVE.Parser.printPropertyString(efidisk);
+ Proxmox.Utils.API2Request({
+ url: `/api2/extjs/${baseurl}`,
+ waitMsgTarget: me,
+ method: 'POST',
+ params: params,
+ callback: () => me.reload(),
+ failure: (response) => Ext.Msg.alert('Error', response.htmlStatus),
+ success: function (response, options) {
+ if (response.result.data !== null) {
+ Ext.create('Proxmox.window.TaskProgress', {
+ autoShow: true,
+ upid: response.result.data,
+ listeners: {
+ destroy: () => me.reload(),
+ },
+ });
+ }
+ },
+ });
+ };
+
let move_menuitem = new Ext.menu.Item({
text: gettext('Move Storage'),
tooltip: gettext('Move disk to another storage'),
@@ -510,11 +542,55 @@ Ext.define('PVE.qemu.HardwareView', {
},
});
+ const efiEnrollMsg =
+ gettext(
+ 'Enroll the UEFI 2023 certificates from Microsoft required for secure boot update.',
+ ) +
+ '<br>' +
+ gettext('This is also needed for secure boot update for common Linux distributions.') +
+ '<br>' +
+ '<br>' +
+ gettext('For Windows with BitLocker, run the following command inside Powershell:') +
+ '<br><code>manage-bde -protectors -disable <drive></code><br>' +
+ Ext.String.format(
+ // TRANSLATORS: for a shell command: "placeholder could be 'concrete value'"
+ gettext("For example, {0} could be '{1}'."),
+ '<code><drive></code>',
+ '<code>C:</code>',
+ ) +
+ '<br>' +
+ gettext('This is required for each drive with BitLocker before proceeding!') +
+ '<br>' +
+ gettext(
+ 'Otherwise, you will be prompted for the BitLocker recovery key on the next boot!',
+ );
+ let efiEnrollMenuItem = new Ext.menu.Item({
+ text: gettext('Enroll Updated Certificates'),
+ iconCls: 'fa fa-refresh',
+ selModel: sm,
+ disabled: true,
+ hidden: true,
+ handler: () => {
+ Ext.Msg.show({
+ title: gettext('Confirm'),
+ icon: Ext.Msg.QUESTION,
+ message: efiEnrollMsg,
+ buttons: Ext.Msg.YESNO,
+ callback: function (btn) {
+ if (btn !== 'yes') {
+ return;
+ }
+ runEfiEnroll();
+ },
+ });
+ },
+ });
+
let diskaction_btn = new Proxmox.button.Button({
text: gettext('Disk Action'),
disabled: true,
menu: {
- items: [move_menuitem, reassign_menuitem, resize_menuitem],
+ items: [move_menuitem, reassign_menuitem, resize_menuitem, efiEnrollMenuItem],
},
});
@@ -686,6 +762,17 @@ Ext.define('PVE.qemu.HardwareView', {
);
remove_btn.RESTMethod = isUnusedDisk || (isDisk && isRunning) ? 'POST' : 'PUT';
+ let suggestEfiEnroll = false;
+ if (isEfi) {
+ let drive = PVE.Parser.parsePropertyString(value, 'file');
+ suggestEfiEnroll =
+ !pending &&
+ PVE.Parser.parseBoolean(drive['pre-enrolled-keys'], false) &&
+ drive['ms-cert'] !== '2023k';
+ }
+ efiEnrollMenuItem.setDisabled(!suggestEfiEnroll);
+ efiEnrollMenuItem.setHidden(!isEfi);
+
edit_btn.setDisabled(
deleted ||
!row.editor ||
--
2.47.3
next prev parent reply other threads:[~2026-02-23 15:25 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-23 15:25 [PATCH-SERIES qemu-server/manager/docs v4 0/6] improve Microsoft+Windows UEFI CA 2023 enrollment Fiona Ebner
2026-02-23 15:25 ` [PATCH qemu-server v4 1/6] vm start: check efi: always check for certificates when pre-enrolled-keys=1 Fiona Ebner
2026-02-23 15:25 ` [PATCH qemu-server v4 2/6] efi disk: clarify that there are multiple certificates Fiona Ebner
2026-02-23 15:25 ` [PATCH qemu-server v4 3/6] apply pending: efi disk: print drive to pick up changes Fiona Ebner
2026-02-23 15:25 ` [PATCH qemu-server v4 4/6] ovmf: efi enroll: also enroll the MS 2023 KEK Fiona Ebner
2026-02-23 15:25 ` Fiona Ebner [this message]
2026-02-23 15:25 ` [PATCH docs v4 6/6] qm: bios/uefi: add secure boot certificate expiration section Fiona Ebner
2026-02-24 13:13 ` [PATCH-SERIES qemu-server/manager/docs v4 0/6] improve Microsoft+Windows UEFI CA 2023 enrollment Daniel Kral
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260223152556.197761-6-f.ebner@proxmox.com \
--to=f.ebner@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.