From: Thomas Lamprecht <t.lamprecht@proxmox.com>
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>,
Fiona Ebner <f.ebner@proxmox.com>
Subject: [pve-devel] applied: [PATCH-SERIES edk2-firmware 0/6] partially fix #6985: pre-enroll Microsoft UEFI CA 2023 keys
Date: Tue, 11 Nov 2025 11:59:00 +0100
Message-ID: <ed2339c8-ec08-488a-8fba-a31c4293a896@proxmox.com>
In-Reply-To: <20251106154314.772317-1-f.ebner@proxmox.com>
On 06.11.25 at 16:43, Fiona Ebner wrote:
> This fixes the issue with the Microsoft UEFI CA 2011 expiring in June
> 2026 for new EFI disks. What still needs to be done is giving users a
> way for (or automatically) enrolling the new keys to existing EFI
> disks. I will look at that part of the issue in the coming days.
>
> To update an existing EFI disk, it should be enough to do something
> like:
>     virt-fw-vars --inplace vm-103-disk-0.raw --distro-keys ms-uefi
>
> AFAICS, virt-fw-vars can only deal with raw images, so we can use FUSE
> exports of differently formatted EFI disks which requires [0].
>
> [0]: https://lore.proxmox.com/pve-devel/20251020141335.124077-1-f.ebner@proxmox.com/
>
>
> pve-edk2-firmware:
>
> Fiona Ebner (6):
>   update edk2 to edk2-stable202505 tag and refresh patches
>   d/patches: pick up CVE fix from Debian tag debian/2025.05-1
>   d/rules: pick up some improvements from Debian
>   Use virt-firmware to enroll default keys.
>   Initialize the Secure Boot dbx in *.ms.fd with the latest revocations
>   partially fix #6985: pre-enroll Microsoft UEFI CA 2023 keys
>
> debian/DBXUpdate-2025-02-24.arm64.bin | Bin 0 -> 4613 bytes
> debian/DBXUpdate-2025-10-16.amd64.bin | Bin 0 -> 24053 bytes
> debian/control | 1 +
> debian/edk2-vars-generator.py | 140 ----
> ...nrollDefaultKeys-with-Microsoft-2023.patch | 613 ++++++++++++++++++
> ...tLib-Fix-split-lock-violation-from-M.patch | 10 +-
> ...CpuDxeSmm-Safe-handling-of-IDT-regis.patch | 45 ++
> debian/patches/series | 2 +
> debian/rules | 99 +--
> debian/source/include-binaries | 2 +
> edk2 | 2 +-
> 11 files changed, 721 insertions(+), 193 deletions(-)
> create mode 100644 debian/DBXUpdate-2025-02-24.arm64.bin
> create mode 100644 debian/DBXUpdate-2025-10-16.amd64.bin
> delete mode 100755 debian/edk2-vars-generator.py
> create mode 100644 debian/patches/OvmfPkg-Expand-EnrollDefaultKeys-with-Microsoft-2023.patch
> create mode 100644 debian/patches/UefiCpuPkg-PiSmmCpuDxeSmm-Safe-handling-of-IDT-regis.patch
>
>
> Summary over all repositories:
> 11 files changed, 721 insertions(+), 193 deletions(-)
>
applied series (pulled from your staff repo), thanks!
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel