From: Fiona Ebner <f.ebner@proxmox.com>
To: Thomas Lamprecht <t.lamprecht@proxmox.com>,
Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Subject: Re: [pve-devel] [PATCH qemu-server 2/2] fix #6985: ovmf: auto-enroll Microsoft UEFI CA 2023 for Windows
Date: Fri, 14 Nov 2025 12:03:30 +0100 [thread overview]
Message-ID: <426ea401-74b9-4825-94ec-45a7fd80bb2d@proxmox.com> (raw)
In-Reply-To: <5ce79121-9ce3-4f6f-9842-3c9a5572b99b@proxmox.com>
Am 14.11.25 um 2:18 AM schrieb Thomas Lamprecht:
> Am 11.11.25 um 14:57 schrieb Fiona Ebner:
> needs a rebase (or I fumbled something).
Probably because of the sev->cvm rename as part of the TDX series. Will do!
>> @@ -235,4 +265,33 @@ sub print_ovmf_commandline {
>> return ($cmd, $machine_flags);
>> }
>>
>> +sub ensure_ms_2023_cert_enrolled {
>> + my ($storecfg, $vmid, $efidisk_str) = @_;
>> +
>> + my $efidisk = parse_drive('efidisk0', $efidisk_str);
>> + return if !$efidisk->{'pre-enrolled-keys'};
>> + return if $efidisk->{'ms-cert'} && $efidisk->{'ms-cert'} eq '2023';
>> +
>> + print "efidisk0: enrolling Microsoft UEFI CA 2023\n";
>> +
>> + my $new_qsd = !PVE::QemuServer::Helpers::qsd_running_locally($vmid);
>> + PVE::QemuServer::QSD::start($vmid) if $new_qsd;
>> +
>> + eval {
>> + my $efi_vars_path =
>> + PVE::QemuServer::QSD::add_fuse_export($vmid, $efidisk, 'efidisk0-enroll');
>> + PVE::Tools::run_command(
>> + ['virt-fw-vars', '--inplace', $efi_vars_path, '--distro-keys', 'ms-uefi']);
>> + PVE::QemuServer::QSD::remove_fuse_export($vmid, 'efidisk0-enroll');
>> + };
>> + my $err = $@;
>> +
>> + PVE::QemuServer::QSD::quit($vmid) if $new_qsd;
>
> if other request start using this QSD after it was started here they might get
> interrupted? Albeit currently this is probably rather theoretically due to QSD
> being per-vmid and we the operations QSD is used as of now are not really being
> able to run concurently for a single VM FWICT.
>
> Might be still good to at least add a comment for this for the case that QSD gets
> adopted more.
Yes, we will need to be careful down the line. A clean option is using
different QSD IDs for different tasks (the ID for a QSD can be any
string and does not need to be a VMID). Currently, we only use QSD for
EFI enrollment here and for TPM which are both part of the same start
task. I will add a comment to note this and that
ensure_ms_2023_cert_enrolled() may currently only be called as part of
VM start.
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
next prev parent reply other threads:[~2025-11-14 11:03 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-11 13:57 [pve-devel] [PATCH-SERIES qemu-server 0/2] " Fiona Ebner
2025-11-11 13:57 ` [pve-devel] [PATCH qemu-server 1/2] qsd: add remove_fuse_export() function Fiona Ebner
2025-11-14 11:50 ` [pve-devel] applied: " Thomas Lamprecht
2025-11-11 13:57 ` [pve-devel] [PATCH qemu-server 2/2] fix #6985: ovmf: auto-enroll Microsoft UEFI CA 2023 for Windows Fiona Ebner
2025-11-14 1:18 ` Thomas Lamprecht
2025-11-14 11:03 ` Fiona Ebner [this message]
2025-11-14 11:48 ` Thomas Lamprecht
2025-11-14 12:03 ` Fiona Ebner
2025-11-14 12:12 ` Thomas Lamprecht
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=426ea401-74b9-4825-94ec-45a7fd80bb2d@proxmox.com \
--to=f.ebner@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
--cc=t.lamprecht@proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.