From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <pve-devel-bounces@lists.proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9])
	by lore.proxmox.com (Postfix) with ESMTPS id 542511FF136
	for <inbox@lore.proxmox.com>; Mon, 23 Feb 2026 12:04:56 +0100 (CET)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
	by firstgate.proxmox.com (Proxmox) with ESMTP id 519BF8B08;
	Mon, 23 Feb 2026 12:05:47 +0100 (CET)
Message-ID: <3ef71bc4-93cb-4eab-982d-7663083a9726@proxmox.com>
Date: Mon, 23 Feb 2026 12:05:12 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: [pve-devel] [PATCH-SERIES qemu-server/manager/docs v3 0/3]
 improve Microsoft+Windows UEFI CA 2023 enrollment
To: Daniel Kral <d.kral@proxmox.com>,
 Proxmox VE development discussion <pve-devel@lists.proxmox.com>
References: <20260121154453.285642-1-f.ebner@proxmox.com>
 <DGMAENE5QLUV.1KC78AS2VTTP9@proxmox.com>
Content-Language: en-US
From: Fiona Ebner <f.ebner@proxmox.com>
In-Reply-To: <DGMAENE5QLUV.1KC78AS2VTTP9@proxmox.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2
X-Bm-Transport-Timestamp: 1771844698580
X-SPAM-LEVEL: Spam detection results:  0
	AWL                    -1.082 Adjusted score from AWL reputation of From:
 address
	BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
	DMARC_MISSING             0.1 Missing DMARC policy
	KAM_DMARC_STATUS         0.01 Test Rule for DKIM or SPF Failure with Strict
 Alignment
	RCVD_IN_VALIDITY_CERTIFIED_BLOCKED  0.798 ADMINISTRATOR NOTICE: The query to
 Validity was blocked.  See
 https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more
 information.
	RCVD_IN_VALIDITY_RPBL_BLOCKED   0.79 ADMINISTRATOR NOTICE: The query to
 Validity was blocked.  See
 https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more
 information.
	RCVD_IN_VALIDITY_SAFE_BLOCKED  0.547 ADMINISTRATOR NOTICE: The query to
 Validity was blocked.  See
 https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more
 information.
	SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
	SPF_PASS               -0.001 SPF: sender matches SPF record
Message-ID-Hash: CKBFYSAD2Z6G57XOYE43AEDV65RM5ZTX
X-Message-ID-Hash: CKBFYSAD2Z6G57XOYE43AEDV65RM5ZTX
X-MailFrom: f.ebner@proxmox.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; emergency; member-moderation; nonmember-moderation;
 administrivia; implicit-dest; max-recipients; max-size; news-moderation;
 no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.10
Precedence: list
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
List-Owner: <mailto:pve-devel-owner@lists.proxmox.com>
List-Post: <mailto:pve-devel@lists.proxmox.com>
List-Subscribe: <mailto:pve-devel-join@lists.proxmox.com>
List-Unsubscribe: <mailto:pve-devel-leave@lists.proxmox.com>

Am 23.02.26 um 11:59 AM schrieb Daniel Kral:
> On Wed Jan 21, 2026 at 4:44 PM CET, Fiona Ebner wrote:
>> Make it possible to enroll via the API and UI by setting the
>> ms-cert=2023w marker on the EFI disk.
>>
>> The previous Microsoft UEFI CA 2011 will expire in June 2026, and the
>> previous Windows UEFI CA 2011 will expire in October 2026, so there
>> should be a way to update that can be automated and done while guests
>> are running.
>>
>> pve-manager needs a dependency bump for qemu-server for the API call
>> to have the desired effect (or the marker will just get set without
>> actually enrolling).
> 
> Tested this series with some Windows 11, Debian and Proxmox VE VMs that
> I had lying around which still did not have the new UEFI CA certs
> enrolled yet.
> 
> Tested with each the Windows 11 and Linux VMs that
> 
> - `qm enroll-efi-keys $vmid` fails for running VMs
> - `qm enroll-efi-keys $vmid` fails for VMs without EFI disks
> - `qm enroll-efi-keys $vmid` does nothing for VMs without pre-enrolled
>   keys set
> - `qm enroll-efi-keys $vmid` does update to '2023w' if ms-cert=2023
> - `qm enroll-efi-keys $vmid` works for stopped VMs
> - Enrolling EFI keys through the CLI/API/UI works for them and are
>   enrolled correctly when doing a full shutdown-start cycle
> - Enrolling EFI keys is disabled in UI if VM does not have pre-enrolled
>   keys set or ms-cert=2023w, but enabled for ms-cert=2011 or
>   ms-cert=2023
> 
> I checked whether those were correctly enrolled inside the VM with
> 
>     [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes)
>         -match 'Microsoft UEFI CA 2023'
>     [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes)
>         -match 'Windows UEFI CA 2023'
> 
> for Windows VMs, and
> 
>     mokutil --all --list-enrolled | grep '\(Microsoft\|Windows\) UEFI CA 2023'
> 
> for Linux VMs.
> 
> The Windows VMs did _not_ have BitLocker configured though.
> 
> 
> Two small nits unrelated to the direct changes of this series:
> 
> - a `qm set 101 --efidisk0 '...,pre-enrolled-keys=1,ms-cert=2023'` will
>   also enroll the Windows UEFI CA 2023 certificate, should we set
>   `ms-cert=2023w` afterwards then as that's the correct state? But as
>   it's only a marker state that might be unnecessary.

Yes, good catch!

> - there are few spots only naming the Microsoft UEFI CA 2023 but not the
>   Windows UEFI CA 2023 certificate, e.g. the output and description of
>   `qm enroll-efi-keys`.

Ack.

> Otherwise, the changes look good to me, so consider this series as:
> 
> Tested-by: Daniel Kral <d.kral@proxmox.com>
> Reviewed-by: Daniel Kral <d.kral@proxmox.com>

Thank you for testing! Unfortunately, it seems we need yet another
change to also enroll the 2023 KEK:

https://forum.proxmox.com/threads/secure-boot-%E2%80%93-microsoft-uefi-ca-2023-certificate-not-included-in-efi-disk.173417/page-3#post-839474