* [PATCH qemu-server v4 1/6] vm start: check efi: always check for certificates when pre-enrolled-keys=1
2026-02-23 15:25 [PATCH-SERIES qemu-server/manager/docs v4 0/6] improve Microsoft+Windows UEFI CA 2023 enrollment Fiona Ebner
@ 2026-02-23 15:25 ` Fiona Ebner
2026-02-23 15:25 ` [PATCH qemu-server v4 2/6] efi disk: clarify that there are multiple certificates Fiona Ebner
` (5 subsequent siblings)
6 siblings, 0 replies; 8+ messages in thread
From: Fiona Ebner @ 2026-02-23 15:25 UTC (permalink / raw)
To: pve-devel
Standard Linux distributions use a shim signed by the Microsoft KEK,
so secure boot update requires the new certificates too. Also update
the notice to mention this and improve it further.
While the checks for Windows could be limited to 10 and 11, if there
is an EFI disk with pre-enrolled keys, it could still be that some
specialized application actually uses them or simply that the OS type
was misconfigured, so do not special case that.
While enrollment of the Windows CA could be skipped for Linux with
only the MS CA being enrolled, it doesn't hurt to do so and just
makes it consistent with what newly created EFI disks have.
Suggested-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
No changes in v4.
src/PVE/CLI/qm.pm | 6 ------
src/PVE/QemuServer.pm | 12 ++++++------
2 files changed, 6 insertions(+), 12 deletions(-)
diff --git a/src/PVE/CLI/qm.pm b/src/PVE/CLI/qm.pm
index bdae9641..5326db5f 100755
--- a/src/PVE/CLI/qm.pm
+++ b/src/PVE/CLI/qm.pm
@@ -721,12 +721,6 @@ __PACKAGE__->register_method({
die "VM $vmid is a template\n" if PVE::QemuConfig->is_template($conf);
die "VM $vmid has no EFI disk configured\n" if !$conf->{efidisk0};
- my $ostype = $conf->{ostype};
- if (!defined($ostype) || ($ostype ne 'win10' && $ostype ne 'win11')) {
- print "skipping - OS type is neither Windows 10 nor Windows 11\n";
- return;
- }
-
my $storecfg = PVE::Storage::config();
my $efidisk = parse_drive('efidisk0', $conf->{efidisk0});
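Review bot: removing the OS-type gate drops the only user-facing reason for a skip on non-Windows guests; after this hunk every VM with `efidisk0` falls through to the enrollment call and the operator only ever sees the later `if (!$updated)` skip message ("no pre-enrolled keys or already got ms-cert=... marker"). That is consistent with the commit message, but consider printing one informational line (for example `print "ostype '$ostype': enrolling certificates regardless of OS type\n";`) so that running the command on a Linux VM is visibly intentional rather than silent.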
diff --git a/src/PVE/QemuServer.pm b/src/PVE/QemuServer.pm
index 545758dc..03354e31 100644
--- a/src/PVE/QemuServer.pm
+++ b/src/PVE/QemuServer.pm
@@ -5402,16 +5402,16 @@ my sub check_efi_vars {
return if PVE::QemuConfig->is_template($conf);
return if !$conf->{efidisk0};
- return if !$conf->{ostype};
- return if $conf->{ostype} ne 'win10' && $conf->{ostype} ne 'win11';
my $efidisk = parse_drive('efidisk0', $conf->{efidisk0});
if (PVE::QemuServer::OVMF::should_enroll_ms_2023_cert($efidisk)) {
# TODO: make the first print a log_warn with PVE 9.2 to make it more noticeable!
- print "EFI disk without 'ms-cert=2023w' option, suggesting that the Microsoft UEFI 2023"
- . " certificate is not enrolled yet. The UEFI 2011 certificate expires in June 2026!\n";
- print "While the VM is shut down, run 'qm enroll-efi-keys $vmid' to enroll it.\n";
- print "If the VM uses BitLocker, run the following command inside Windows Powershell:\n";
+ print "EFI disk without 'ms-cert=2023w' option, suggesting that the Microsoft UEFI 2023\n";
+ print "certificate is not enrolled yet. The UEFI 2011 certificate expires in June 2026!\n";
+ print "The new certificate is required for secure boot update for Windows and common\n";
+ print "Linux distributions. Use 'Disk Action > Enroll Updated Certificates' in the UI\n";
+ print "or, while the VM is shut down, run 'qm enroll-efi-keys $vmid' to enroll it.\n\n";
+ print "For Windows with BitLocker, run the following command inside Powershell:\n";
print " manage-bde -protectors -disable <drive>\n";
print "for each drive with BitLocker (for example, <drive> could be 'C:').\n";
}
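Review bot: the notice is still emitted with plain `print` on every start of an affected VM, and with the OS-type gate removed in this patch the set of affected VMs now includes every guest with pre-enrolled keys; the TODO at the top of the hunk already says the first line should become `log_warn` with PVE 9.2, so either switch the first `print` now or point the comment at the item that tracks it. Minor: "to enroll it" refers to a single certificate while the rest of the series treats them as several; patch 2/6 reworks this text, so nothing to do as long as the series stays in order.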
--
2.47.3
* [PATCH qemu-server v4 2/6] efi disk: clarify that there are multiple certificates
From: Fiona Ebner @ 2026-02-23 15:25 UTC (permalink / raw)
To: pve-devel
Suggested-by: Daniel Kral <d.kral@proxmox.com>
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
New in v4.
src/PVE/CLI/qm.pm | 3 ++-
src/PVE/QemuServer.pm | 11 ++++++-----
src/PVE/QemuServer/Drive.pm | 4 ++--
3 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/src/PVE/CLI/qm.pm b/src/PVE/CLI/qm.pm
index 5326db5f..f1867337 100755
--- a/src/PVE/CLI/qm.pm
+++ b/src/PVE/CLI/qm.pm
@@ -700,7 +700,8 @@ __PACKAGE__->register_method({
method => 'POST',
description =>
"Enroll important updated certificates to the EFI disk with pre-enrolled-keys. Currently,"
- . " this is only the Microsoft UEFI CA 2023. Must be called while the VM is shut down.",
+ . " these are UEFI 2023 certificates from Microsoft. Must be called while the VM is shut"
+ . " down.",
parameters => {
additionalProperties => 0,
properties => {
diff --git a/src/PVE/QemuServer.pm b/src/PVE/QemuServer.pm
index 03354e31..d103731c 100644
--- a/src/PVE/QemuServer.pm
+++ b/src/PVE/QemuServer.pm
@@ -5406,11 +5406,12 @@ my sub check_efi_vars {
my $efidisk = parse_drive('efidisk0', $conf->{efidisk0});
if (PVE::QemuServer::OVMF::should_enroll_ms_2023_cert($efidisk)) {
# TODO: make the first print a log_warn with PVE 9.2 to make it more noticeable!
- print "EFI disk without 'ms-cert=2023w' option, suggesting that the Microsoft UEFI 2023\n";
- print "certificate is not enrolled yet. The UEFI 2011 certificate expires in June 2026!\n";
- print "The new certificate is required for secure boot update for Windows and common\n";
- print "Linux distributions. Use 'Disk Action > Enroll Updated Certificates' in the UI\n";
- print "or, while the VM is shut down, run 'qm enroll-efi-keys $vmid' to enroll it.\n\n";
+ print "EFI disk without 'ms-cert=2023w' option, suggesting that not all UEFI 2023\n";
+ print "certificates from Microsoft are enrolled yet. The UEFI 2011 certificates expire\n";
+ print "in June 2026! The new certificate are required for secure boot update for Windows\n";
+ print "and common Linux distributions. Use 'Disk Action > Enroll Updated Certificates'\n";
+ print "in the UI or, while the VM is shut down, run 'qm enroll-efi-keys $vmid' to enroll\n";
+ print "the new certificates.\n\n";
print "For Windows with BitLocker, run the following command inside Powershell:\n";
print " manage-bde -protectors -disable <drive>\n";
print "for each drive with BitLocker (for example, <drive> could be 'C:').\n";
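Review bot: grammar in the third new `print` line of this hunk: "The new certificate are required for secure boot update" should read "The new certificates are required", matching the plural used on the surrounding lines. The same line is carried as unchanged context into patch 4/6, so fix it here to keep that patch clean.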
diff --git a/src/PVE/QemuServer/Drive.pm b/src/PVE/QemuServer/Drive.pm
index ae907b5c..fa70ee6b 100644
--- a/src/PVE/QemuServer/Drive.pm
+++ b/src/PVE/QemuServer/Drive.pm
@@ -525,8 +525,8 @@ my %efitype_fmt = (
type => 'string',
enum => [qw(2011 2023 2023w)],
description =>
- "Informational marker indicating the version of the latest Microsoft UEFI certificate"
- . " that has been enrolled by Proxmox VE. The value '2023w' means that both the"
+ "Informational marker indicating the version of the latest Microsoft UEFI certificates"
+ . " that have been enrolled by Proxmox VE. The value '2023w' means that both the"
. " 'Microsoft UEFI CA 2023' and the 'Windows UEFI CA 2023' certificates are included."
. " The value '2023' is deprecated and for compatibility only.",
optional => 1,
--
2.47.3
* [PATCH qemu-server v4 3/6] apply pending: efi disk: print drive to pick up changes
From: Fiona Ebner @ 2026-02-23 15:25 UTC (permalink / raw)
To: pve-devel
When setting 'ms-cert=2023' rather than 'ms-cert=2023w' on an existing
EFI disk, both certificates would still be enrolled, but the
'ms-cert=2023' would end up in the VM configuration. Pick up the
'ms-cert=2023w' marker which already gets set by the
OVMF::change_drive() function.
Reported-by: Daniel Kral <d.kral@proxmox.com>
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
New in v4.
src/PVE/QemuServer.pm | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/PVE/QemuServer.pm b/src/PVE/QemuServer.pm
index d103731c..741b2499 100644
--- a/src/PVE/QemuServer.pm
+++ b/src/PVE/QemuServer.pm
@@ -4972,6 +4972,7 @@ sub vmconfig_apply_pending {
$old_drive,
$new_drive,
);
+ $conf->{pending}->{$opt} = print_drive($new_drive);
}
} elsif (defined($conf->{pending}->{$opt}) && $opt =~ m/^net\d+$/) {
my $new_net = PVE::QemuServer::Network::parse_net($conf->{pending}->{$opt});
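Review bot: `$conf->{pending}->{$opt} = print_drive($new_drive);` runs unconditionally after `OVMF::change_drive()`, which is the right place to pick up the marker but means the pending string is now always re-serialized from the parsed hash; please make sure `print_drive` round-trips every efidisk property that was in the pending value (`efitype`, `pre-enrolled-keys`, `size`, `ms-cert`) so nothing is silently dropped. A small test that sets `efidisk0` pending with `ms-cert=2023` and asserts the applied config contains the updated marker together with all the other options would pin this down.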
--
2.47.3
* [PATCH qemu-server v4 4/6] ovmf: efi enroll: also enroll the MS 2023 KEK
From: Fiona Ebner @ 2026-02-23 15:25 UTC (permalink / raw)
To: pve-devel
As reported in the community forum [0], not having the 2023 KEK
enrolled can still lead to errors for secure boot update.
Add a new ms-cert=2023k marker for EFI disks to distinguish.
[0]: https://forum.proxmox.com/threads/173417/post-839474
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
New in v4.
src/PVE/CLI/qm.pm | 2 +-
src/PVE/QemuServer.pm | 2 +-
src/PVE/QemuServer/Drive.pm | 9 +++++----
src/PVE/QemuServer/OVMF.pm | 16 +++++++++++++---
4 files changed, 20 insertions(+), 9 deletions(-)
diff --git a/src/PVE/CLI/qm.pm b/src/PVE/CLI/qm.pm
index f1867337..bfa0d1d5 100755
--- a/src/PVE/CLI/qm.pm
+++ b/src/PVE/CLI/qm.pm
@@ -729,7 +729,7 @@ __PACKAGE__->register_method({
PVE::QemuServer::OVMF::ensure_ms_2023_cert_enrolled($storecfg, $vmid, $efidisk);
if (!$updated) {
- print "skipping - no pre-enrolled keys or already got ms-cert=2023w marker\n";
+ print "skipping - no pre-enrolled keys or already got ms-cert=2023k marker\n";
return;
}
diff --git a/src/PVE/QemuServer.pm b/src/PVE/QemuServer.pm
index 741b2499..0b2e57e4 100644
--- a/src/PVE/QemuServer.pm
+++ b/src/PVE/QemuServer.pm
@@ -5407,7 +5407,7 @@ my sub check_efi_vars {
my $efidisk = parse_drive('efidisk0', $conf->{efidisk0});
if (PVE::QemuServer::OVMF::should_enroll_ms_2023_cert($efidisk)) {
# TODO: make the first print a log_warn with PVE 9.2 to make it more noticeable!
- print "EFI disk without 'ms-cert=2023w' option, suggesting that not all UEFI 2023\n";
+ print "EFI disk without 'ms-cert=2023k' option, suggesting that not all UEFI 2023\n";
print "certificates from Microsoft are enrolled yet. The UEFI 2011 certificates expire\n";
print "in June 2026! The new certificate are required for secure boot update for Windows\n";
print "and common Linux distributions. Use 'Disk Action > Enroll Updated Certificates'\n";
diff --git a/src/PVE/QemuServer/Drive.pm b/src/PVE/QemuServer/Drive.pm
index fa70ee6b..10106ebd 100644
--- a/src/PVE/QemuServer/Drive.pm
+++ b/src/PVE/QemuServer/Drive.pm
@@ -523,12 +523,13 @@ my %efitype_fmt = (
},
'ms-cert' => {
type => 'string',
- enum => [qw(2011 2023 2023w)],
+ enum => [qw(2011 2023 2023w 2023k)],
description =>
"Informational marker indicating the version of the latest Microsoft UEFI certificates"
- . " that have been enrolled by Proxmox VE. The value '2023w' means that both the"
- . " 'Microsoft UEFI CA 2023' and the 'Windows UEFI CA 2023' certificates are included."
- . " The value '2023' is deprecated and for compatibility only.",
+ . " that have been enrolled by Proxmox VE. The value '2023k' means that the 'Microsoft"
+ . " UEFI CA 2023', the 'Windows UEFI CA 2023' and the 'Microsoft Corporation KEK 2K CA"
+ . " 2023' certificates are included. The values '2023' and '2023w' are"
+ . " deprecated and for compatibility only.",
optional => 1,
default => '2011',
},
diff --git a/src/PVE/QemuServer/OVMF.pm b/src/PVE/QemuServer/OVMF.pm
index 01b037ef..46495837 100644
--- a/src/PVE/QemuServer/OVMF.pm
+++ b/src/PVE/QemuServer/OVMF.pm
@@ -180,7 +180,7 @@ sub create_efidisk($$$$$$$$) {
my $size = PVE::Storage::volume_size_info($storecfg, $volid, 3);
if ($efidisk->{'pre-enrolled-keys'} && is_ms_2023_cert_enrolled($ovmf_vars)) {
- $efidisk->{'ms-cert'} = '2023w';
+ $efidisk->{'ms-cert'} = '2023k';
}
return ($volid, $size / 1024);
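Review bot: `create_efidisk` now writes the `2023k` marker based only on `is_ms_2023_cert_enrolled($ovmf_vars)`, a check whose name refers to the CA certificate and says nothing about the KEK. If a `pve-edk2-firmware` vars template contains the 2023 CA certificates but not the 'Microsoft Corporation KEK 2K CA 2023', a freshly created disk would carry `2023k` without the KEK, and `should_enroll_ms_2023_cert` would then never offer enrollment for it; either extend the check to also look for the 2023 KEK in the vars, or state the minimum firmware package version that guarantees both and gate the marker on it.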
@@ -283,7 +283,7 @@ sub should_enroll_ms_2023_cert {
my ($efidisk) = @_;
return if !$efidisk->{'pre-enrolled-keys'};
- return if $efidisk->{'ms-cert'} && $efidisk->{'ms-cert'} eq '2023w';
+ return if $efidisk->{'ms-cert'} && $efidisk->{'ms-cert'} eq '2023k';
return 1;
}
@@ -302,6 +302,13 @@ sub ensure_ms_2023_cert_enrolled {
PVE::QemuServer::QSD::start($qsd_id);
eval {
+ # virt-fw-vars will only apply the --microsoft-kek option when combined with
+ # --enroll-{cert,generate,redhat}. That requires also specifying a platform key, so instead
+ # use the --add-kek option.
+ my $ms_2023_kek_path = '/usr/lib/python3/dist-packages/virt/firmware/certs/'
+ . 'MicrosoftCorporationKEK2KCA2023.pem';
+ # Taken from guids.py in the virt-fw-vars sources.
+ my $ms_vendor_guid = '77fa9abd-0359-4d32-bd60-28f4e78f784b';
my $efi_vars_path =
PVE::QemuServer::QSD::add_fuse_export($qsd_id, $efidisk, 'efidisk0-enroll');
PVE::Tools::run_command(
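Review bot: `$ms_2023_kek_path` points into the private install location of the virt-firmware Python package (`/usr/lib/python3/dist-packages/virt/firmware/certs/...`), which can move between package versions; check `-f $ms_2023_kek_path` before the QSD export is created and `die` with a message naming the file, rather than letting `virt-fw-vars` fail midway and surfacing only the generic `$err`. The comment explaining why `--add-kek` is used instead of `--microsoft-kek` is helpful; consider also naming the upstream constant the GUID was copied from so the value can be re-verified against guids.py.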
@@ -313,6 +320,9 @@ sub ensure_ms_2023_cert_enrolled {
'ms-uefi',
'--distro-keys',
'windows',
+ '--add-kek',
+ $ms_vendor_guid,
+ $ms_2023_kek_path,
],
);
PVE::QemuServer::QSD::remove_fuse_export($qsd_id, 'efidisk0-enroll');
@@ -323,7 +333,7 @@ sub ensure_ms_2023_cert_enrolled {
die "efidisk0: enrolling Microsoft UEFI CA 2023 failed - $err" if $err;
- $efidisk->{'ms-cert'} = '2023w';
+ $efidisk->{'ms-cert'} = '2023k';
return $efidisk;
}
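Review bot: the `die` message "enrolling Microsoft UEFI CA 2023 failed" is now incomplete, since the same `virt-fw-vars` invocation also enrolls the 'Windows UEFI CA 2023' and the 2023 KEK added in this patch; suggest "enrolling Microsoft UEFI 2023 certificates failed" so a failure during the KEK step is not misattributed.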
--
2.47.3
* [PATCH manager v4 5/6] ui: qemu: hardware: efi: allow enrolling UEFI 2023 certs from Microsoft
From: Fiona Ebner @ 2026-02-23 15:25 UTC (permalink / raw)
To: pve-devel
When the following conditions are met:
- no pending change on the EFI disk
- EFI disk has pre-enrolled-keys
- There is no ms-cert=2023k marker yet
suggest enrolling the new UEFI 2023 certificates from Microsoft.
The previous 'Microsoft UEFI CA 2011' and the 'Microsoft Corporation
KEK CA 2011' will expire in June 2026 and the previous 'Windows UEFI
CA 2011' will expire in October 2026, so there needs to be an easy way
to update.
Note that this also detects drives with 'ms-cert=2023' and
'ms-cert=2023w' as still needing enrollment, because they do not yet
include the 'Windows UEFI CA 2023' certificate and/or do not include
the 2023 KEK.
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
Changes in v4:
* use 2023k instead of 2023w
www/manager6/qemu/HardwareView.js | 89 ++++++++++++++++++++++++++++++-
1 file changed, 88 insertions(+), 1 deletion(-)
diff --git a/www/manager6/qemu/HardwareView.js b/www/manager6/qemu/HardwareView.js
index cf5e2a0f..e9f84b51 100644
--- a/www/manager6/qemu/HardwareView.js
+++ b/www/manager6/qemu/HardwareView.js
@@ -442,6 +442,38 @@ Ext.define('PVE.qemu.HardwareView', {
handler: run_editor,
});
+ let runEfiEnroll = function () {
+ let rec = sm.getSelection()[0];
+ if (!rec) {
+ return;
+ }
+
+ let efidisk = PVE.Parser.parsePropertyString(rec.data.value, 'file');
+ efidisk['ms-cert'] = '2023k';
+
+ let params = {};
+ params[rec.data.key] = PVE.Parser.printPropertyString(efidisk);
+ Proxmox.Utils.API2Request({
+ url: `/api2/extjs/${baseurl}`,
+ waitMsgTarget: me,
+ method: 'POST',
+ params: params,
+ callback: () => me.reload(),
+ failure: (response) => Ext.Msg.alert('Error', response.htmlStatus),
+ success: function (response, options) {
+ if (response.result.data !== null) {
+ Ext.create('Proxmox.window.TaskProgress', {
+ autoShow: true,
+ upid: response.result.data,
+ listeners: {
+ destroy: () => me.reload(),
+ },
+ });
+ }
+ },
+ });
+ };
+
let move_menuitem = new Ext.menu.Item({
text: gettext('Move Storage'),
tooltip: gettext('Move disk to another storage'),
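Review bot: `callback: () => me.reload()` fires on both success and failure, and `success` additionally reloads when the `TaskProgress` window is destroyed, so a successful enrollment triggers two reloads; drop the `callback` and reload from `failure` (or from `success` only when `response.result.data` is null). Also worth a one-line comment here that posting `ms-cert=2023k` to the config endpoint is what makes the backend run the enrollment (the apply-pending path changed in patch 3/6), because that coupling is not visible from the UI code.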
@@ -510,11 +542,55 @@ Ext.define('PVE.qemu.HardwareView', {
},
});
+ const efiEnrollMsg =
+ gettext(
+ 'Enroll the UEFI 2023 certificates from Microsoft required for secure boot update.',
+ ) +
+ '<br>' +
+ gettext('This is also needed for secure boot update for common Linux distributions.') +
+ '<br>' +
+ '<br>' +
+ gettext('For Windows with BitLocker, run the following command inside Powershell:') +
+ '<br><code>manage-bde -protectors -disable <drive></code><br>' +
+ Ext.String.format(
+ // TRANSLATORS: for a shell command: "placeholder could be 'concrete value'"
+ gettext("For example, {0} could be '{1}'."),
+ '<code><drive></code>',
+ '<code>C:</code>',
+ ) +
+ '<br>' +
+ gettext('This is required for each drive with BitLocker before proceeding!') +
+ '<br>' +
+ gettext(
+ 'Otherwise, you will be prompted for the BitLocker recovery key on the next boot!',
+ );
+ let efiEnrollMenuItem = new Ext.menu.Item({
+ text: gettext('Enroll Updated Certificates'),
+ iconCls: 'fa fa-refresh',
+ selModel: sm,
+ disabled: true,
+ hidden: true,
+ handler: () => {
+ Ext.Msg.show({
+ title: gettext('Confirm'),
+ icon: Ext.Msg.QUESTION,
+ message: efiEnrollMsg,
+ buttons: Ext.Msg.YESNO,
+ callback: function (btn) {
+ if (btn !== 'yes') {
+ return;
+ }
+ runEfiEnroll();
+ },
+ });
+ },
+ });
+
let diskaction_btn = new Proxmox.button.Button({
text: gettext('Disk Action'),
disabled: true,
menu: {
- items: [move_menuitem, reassign_menuitem, resize_menuitem],
+ items: [move_menuitem, reassign_menuitem, resize_menuitem, efiEnrollMenuItem],
},
});
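Review bot: the literal `<drive>` inside the HTML message strings, `'<br><code>manage-bde -protectors -disable <drive></code><br>'` and `'<code><drive></code>'`, will be parsed as an unknown HTML element and rendered with no visible text, so the confirmation dialog shows `manage-bde -protectors -disable ` with nothing after it and "For example,  could be 'C:'"; use `&lt;drive&gt;` or `Ext.String.htmlEncode('<drive>')` in both places.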
@@ -686,6 +762,17 @@ Ext.define('PVE.qemu.HardwareView', {
);
remove_btn.RESTMethod = isUnusedDisk || (isDisk && isRunning) ? 'POST' : 'PUT';
+ let suggestEfiEnroll = false;
+ if (isEfi) {
+ let drive = PVE.Parser.parsePropertyString(value, 'file');
+ suggestEfiEnroll =
+ !pending &&
+ PVE.Parser.parseBoolean(drive['pre-enrolled-keys'], false) &&
+ drive['ms-cert'] !== '2023k';
+ }
+ efiEnrollMenuItem.setDisabled(!suggestEfiEnroll);
+ efiEnrollMenuItem.setHidden(!isEfi);
+
edit_btn.setDisabled(
deleted ||
!row.editor ||
--
2.47.3
* [PATCH docs v4 6/6] qm: bios/uefi: add secure boot certificate expiration section
From: Fiona Ebner @ 2026-02-23 15:25 UTC (permalink / raw)
To: pve-devel
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
Changes in v4:
* use 2023k instead of 2023w
* mention that 2023w and 2023 may indicate partial enrollment
qm.adoc | 52 +++++++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 51 insertions(+), 1 deletion(-)
diff --git a/qm.adoc b/qm.adoc
index 667fd56..8f55794 100644
--- a/qm.adoc
+++ b/qm.adoc
@@ -1121,7 +1121,8 @@ the GUI).
*pre-enroll-keys* specifies if the efidisk should come pre-loaded with
distribution-specific and Microsoft Standard Secure Boot keys. It also enables
Secure Boot by default (though it can still be disabled in the OVMF menu within
-the VM).
+the VM). See also
+xref:qm_secure_boot_ca_expiration[Secure Boot Certificate Expiration].
NOTE: If you want to start using Secure Boot in an existing VM (that still uses
a '2m' efidisk), you need to recreate the efidisk. To do so, delete the old one
@@ -1137,6 +1138,55 @@ When using OVMF with PXE boot, you have to add an xref:qm_virtio_rng[RNG device]
to the VM. For security reasons, the OVMF firmware disables PXE boot for guests
without a random number generator.
+[[qm_secure_boot_ca_expiration]]
+Secure Boot Certificate Expiration
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The expiration date for the original set of Microsoft certificates from 2011,
+which are used for secure boot for Windows and common Linux distributions, is
+June 2026. New certificates were created in 2023
+footnote:[Microsoft support article about the issue
+https://support.microsoft.com/en-us/topic/windows-secure-boot-certificate-expiration-and-ca-updates-7ff40d33-95dc-4c3c-8725-a9b95457578e].
+
+When secure boot is used, only bootloaders signed with certificates present on
+the EFI disk will be allowed by the firmware. In particular, when an EFI disk
+has only the 2011 certificates, bootloaders signed with the 2023 certificates
+will be rejected. The presence of the `ms-cert=2023k` marker in the VM
+configuration for an EFI disk indicates that the new certificates are enrolled.
+
+If the `pve-edk2-firmware` package version is at least `4.2025.05-1`, newly
+created EFI disks contain both the 2011 and 2023 certificates and will have the
+`ms-cert=2023k` marker. For EFI disks created before that, select the EFI disk
+in the 'Hardware' view in the UI and use 'Disk Action > Enroll Updated
+Certificates'. Alternatively, the marker can be set via the
+`/nodes/{node}/qemu/{vmid}/config` API endpoint or via the
+
+----
+qm enroll-efi-keys <vmid>
+----
+
+CLI command. The latter works if the VM is shut down.
+
+For Windows with BitLocker, run the following command inside Powershell:
+
+----
+manage-bde -protectors -disable <drive>
+----
+
+For example, `<drive>` could be `C:`. This is required for each drive with
+BitLocker before proceeding! Otherwise, you will be prompted for the BitLocker
+recovery key on the next boot!
+
+For proceeding with updating secure boot within Windows and signing the
+bootloader with the new 2023 certificate, see
+footnote:[Microsoft support article regarding CVE-2023-24932
+https://support.microsoft.com/en-us/topic/enterprise-deployment-guidance-for-cve-2023-24932-88b8f034-20b7-4a45-80cb-c6049b0f9967]
+footnote:[Related Windows security update which needs to be installed first
+https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24932].
+
+NOTE: The markers `ms-cert=2023` and `ms-cert=2023w` may indicate partial
+enrollment. You should apply the enrollment procedure for such EFI drives too.
+
[[qm_tpm]]
Trusted Platform Module (TPM)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
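Review bot: "The latter works if the VM is shut down" understates the constraint; the `qm enroll-efi-keys` description in patch 2/6 says it must be called while the VM is shut down, so write "The latter only works while the VM is shut down." Also, "For proceeding with updating secure boot within Windows ..., see footnote:[...] footnote:[...]" has "see" followed directly by two footnote markers, which renders as "see ." with superscripts; name the references in the running text, e.g. "see the Microsoft deployment guidance footnote:[...] and the related security update footnote:[...]".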
--
2.47.3
* Re: [PATCH-SERIES qemu-server/manager/docs v4 0/6] improve Microsoft+Windows UEFI CA 2023 enrollment
From: Daniel Kral @ 2026-02-24 13:13 UTC (permalink / raw)
To: Fiona Ebner, pve-devel
On Mon Feb 23, 2026 at 4:25 PM CET, Fiona Ebner wrote:
> Changes in v4:
> * Also enroll MS 2023 KEK.
> * Add ms-cert=2023k marker.
> * Clarify that there are multiple certificates in all descriptions.
> * Print correct marker when applying pending changes.
> * Mention that ms-cert=2023 and ms-cert=2023w may indicate partial
> enrollment in docs.
Tested this series with some Windows VMs and Proxmox VE VMs again:
- `qm enroll-efi-keys $vmid` and "Enroll updated certificates" in the
web interface work as expected and both the CAs and KEK are there
after a shutdown+start cycle
- Enrollment for efidisks with previous ms-cert=2023w works as expected
as well
- ms-cert={2023,2023w,2023k} on efidisk trigger the enrollment correctly
- Also tested it with a BitLocker'd Windows drive this time with and
without disabling the BitLocker key protectors beforehand
I tried to reproduce the 1801 event with any provided secure boot
updates from Microsoft Windows, but I couldn't trigger it on my VMs,
probably because I'm running an older Windows version on these VMs. Any
incoming updates were completed successfully, though none of them were
secure boot related.
The enrollment for the additional KEK 2K CA 2023 was tested with
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI KEK).Bytes) -match 'Microsoft Corporation KEK 2K CA 2023'
and the equivalent for mokutil on a Linux VM:
mokutil --kek | grep 'Microsoft Corporation KEK 2K CA 2023'
Nothing seemed off to me here and the changes look good to me as well,
so consider this series as:
Reviewed-by: Daniel Kral <d.kral@proxmox.com>
Tested-by: Daniel Kral <d.kral@proxmox.com>
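As an added example that is not part of this series or of Proxmox code: a POSIX shell checker for the Linux-side verification described in the reply above, extended from one grep to the full set of 2023 certificates the series enrolls (the 2023 KEK in KEK, the two 2023 CAs in db). It assumes the text that `mokutil --kek` and `mokutil --db` print (one "[key N]" block per certificate with a "Subject:" DN line); the SAMPLE_* strings are constructed to imitate that format and are not captured from a real VM, and the `--live` flag and script filename are assumptions of this example. The Windows equivalent remains the `Get-SecureBootUEFI` check quoted in the reply.

```shell
#!/bin/sh
# Added example, not code from the patch series or from Proxmox: check from
# inside a Linux guest that the three 2023 certificates the series enrolls
# are visible to the firmware. Works on the text output of `mokutil --kek`
# and `mokutil --db`. The SAMPLE_* strings below are constructed.

# Expected subject CNs, named as in the patch series.
KEK_2023='Microsoft Corporation KEK 2K CA 2023'
DB_2023='Microsoft UEFI CA 2023
Windows UEFI CA 2023'

# missing_subjects EXPECTED TEXT
# Print "missing: <cn>" for each newline-separated CN in EXPECTED whose
# Subject line is not found in TEXT. The return value is the number of
# missing subjects, so 0 means fully enrolled.
missing_subjects() {
    expected=$1
    text=$2
    missing=0
    saved_ifs=${IFS-}
    IFS='
'
    for cn in $expected; do
        # mokutil prints the full DN; look only at Subject lines and match the
        # CN component literally, so "Microsoft UEFI CA 2023" cannot match
        # the 2011 entry "Microsoft Corporation UEFI CA 2011".
        if ! printf '%s\n' "$text" | grep -F 'Subject:' | grep -qF "CN=$cn"; then
            printf 'missing: %s\n' "$cn"
            missing=$((missing + 1))
        fi
    done
    IFS=$saved_ifs
    return "$missing"
}

# enrollment_state KEK_TEXT DB_TEXT
# Print "complete" when KEK and db contain all 2023 certificates, otherwise
# "partial" (the state the docs patch warns about for ms-cert=2023/2023w).
enrollment_state() {
    total=0
    missing_subjects "$KEK_2023" "$1" >/dev/null || total=$((total + $?))
    missing_subjects "$DB_2023" "$2" >/dev/null || total=$((total + $?))
    if [ "$total" -eq 0 ]; then echo complete; else echo partial; fi
}

# Constructed sample: KEK variable holding both the 2011 and the 2023 KEK.
SAMPLE_KEK_FULL='[key 1]
Certificate:
    Data:
        Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation KEK CA 2011
[key 2]
Certificate:
    Data:
        Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation KEK 2K CA 2023'

# Constructed sample: KEK variable of a disk that still has only the 2011 KEK.
SAMPLE_KEK_2011='[key 1]
Certificate:
    Data:
        Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation KEK CA 2011'

# Constructed sample: db variable with the 2011 CA and both 2023 CAs.
SAMPLE_DB_FULL='[key 1]
Certificate:
    Data:
        Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
[key 2]
Certificate:
    Data:
        Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft UEFI CA 2023
[key 3]
Certificate:
    Data:
        Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Windows UEFI CA 2023'

# On a real Linux guest: sh check-efi-certs.sh --live   (assumed filename)
if [ "${1:-}" = '--live' ]; then
    enrollment_state "$(mokutil --kek)" "$(mokutil --db)"
else
    enrollment_state "$SAMPLE_KEK_2011" "$SAMPLE_DB_FULL"   # prints "partial"
fi
```

With the `--live` flag the script reads the real variables through mokutil; without it, it runs against the constructed samples so the logic can be exercised on a machine without Secure Boot. A "partial" result on a VM whose config already carries `ms-cert=2023` or `ms-cert=2023w` is exactly the case the docs patch describes, and the missing subject names tell you which of the three certificates the enrollment still has to add.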