* [PATCH-SERIES qemu-server/docs 0/2] efi enroll: small improvements to documentation
@ 2026-03-18  9:32 Fiona Ebner
  2026-03-18  9:32 ` [PATCH qemu-server 1/2] start vm: check efi vars: clarify when to run the commands for BitLocker Fiona Ebner
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Fiona Ebner @ 2026-03-18  9:32 UTC (permalink / raw)
  To: pve-devel

qemu-server:

Fiona Ebner (1):
  start vm: check efi vars: clarify when to run the commands for
    BitLocker

 src/PVE/QemuServer.pm | 2 ++
 1 file changed, 2 insertions(+)


pve-docs:

Fiona Ebner (1):
  qm: bios/uefi: certificate expiration: mention steps for BitLocker
    earlier

 qm.adoc | 24 +++++++++++++-----------
 1 file changed, 13 insertions(+), 11 deletions(-)


Summary over all repositories:
  2 files changed, 15 insertions(+), 11 deletions(-)

-- 
Generated by git-murpp 0.5.0





* [PATCH qemu-server 1/2] start vm: check efi vars: clarify when to run the commands for BitLocker
  2026-03-18  9:32 [PATCH-SERIES qemu-server/docs 0/2] efi enroll: small improvements to documentation Fiona Ebner
@ 2026-03-18  9:32 ` Fiona Ebner
  2026-03-18  9:32 ` [PATCH docs 2/2] qm: bios/uefi: certificate expiration: mention steps for BitLocker earlier Fiona Ebner
  2026-03-18 10:25 ` [PATCH-SERIES qemu-server/docs 0/2] efi enroll: small improvements to documentation Maximiliano Sandoval
  2 siblings, 0 replies; 4+ messages in thread
From: Fiona Ebner @ 2026-03-18  9:32 UTC (permalink / raw)
  To: pve-devel

In the UI and in the docs, it is already mentioned that disabling the
protectors needs to happen before enrollment. Also mention it for the
informational message during VM start.

Suggested-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
 src/PVE/QemuServer.pm | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/PVE/QemuServer.pm b/src/PVE/QemuServer.pm
index 09e7a19b..33be0b36 100644
--- a/src/PVE/QemuServer.pm
+++ b/src/PVE/QemuServer.pm
@@ -5416,6 +5416,8 @@ my sub check_efi_vars {
         print "For Windows with BitLocker, run the following command inside Powershell:\n";
         print "  manage-bde -protectors -disable <drive>\n";
         print "for each drive with BitLocker (for example, <drive> could be 'C:').\n";
+        print "This is required for each drive with BitLocker before proceeding with enrollment.\n";
+        print "Otherwise, you will be prompted for the BitLocker recovery key on the next boot.\n";
     }
 
     return;
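Review bot: The two added print lines stop at disabling the protectors and never say when BitLocker protection is restored, so a user who follows only this start-time message may leave the protectors disabled after enrollment. Consider one more line stating whether protection has to be re-enabled manually once the VM has booted with the new certificates. Minor: the first added line repeats "for each drive with BitLocker" from the context line directly above it, and that context line spells "Powershell" where qm.adoc uses "PowerShell".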
-- 
2.47.3






* [PATCH docs 2/2] qm: bios/uefi: certificate expiration: mention steps for BitLocker earlier
  2026-03-18  9:32 [PATCH-SERIES qemu-server/docs 0/2] efi enroll: small improvements to documentation Fiona Ebner
  2026-03-18  9:32 ` [PATCH qemu-server 1/2] start vm: check efi vars: clarify when to run the commands for BitLocker Fiona Ebner
@ 2026-03-18  9:32 ` Fiona Ebner
  2026-03-18 10:25 ` [PATCH-SERIES qemu-server/docs 0/2] efi enroll: small improvements to documentation Maximiliano Sandoval
  2 siblings, 0 replies; 4+ messages in thread
From: Fiona Ebner @ 2026-03-18  9:32 UTC (permalink / raw)
  To: pve-devel

Mention the steps required when using BitLocker earlier to avoid users
running the command first and only later reading on.

Suggested-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
 qm.adoc | 24 +++++++++++++-----------
 1 file changed, 13 insertions(+), 11 deletions(-)

diff --git a/qm.adoc b/qm.adoc
index 27dec2c..e6b7918 100644
--- a/qm.adoc
+++ b/qm.adoc
@@ -1156,17 +1156,8 @@ enrolled.
 
 If the `pve-edk2-firmware` package version is at least `4.2025.05-1`, newly
 created EFI disks contain both the 2011 and 2023 certificates and will have the
-`ms-cert=2023k` marker. For EFI disks created before that, select the EFI disk
-in the 'Hardware' view in the UI and use 'Disk Action > Enroll Updated
-Certificates'. Alternatively, enroll the certificates via the
-`/nodes/{node}/qemu/{vmid}/config` API endpoint. The enrollment takes effect
-when the VM is next started. The
-
-----
-qm enroll-efi-keys <vmid>
-----
-
-CLI command achieves the same, but requires the VM to be shut down.
+`ms-cert=2023k` marker. For EFI disks created before that, you need to enroll
+the certificates:
 
 For Windows with BitLocker, run the following command inside PowerShell:
 
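Review bot: The new sentence ends with "you need to enroll the certificates:" but the colon now leads into the BitLocker paragraph rather than the enrollment steps, which only follow in the next hunk. End the sentence with a period and introduce the BitLocker command as a prerequisite, for example "Before enrolling, for Windows with BitLocker, run ...", so the order the commit message aims for is stated in the text and not only implied by paragraph position.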
@@ -1178,6 +1169,17 @@ For example, `<drive>` could be `C:`. This is required for each drive with
 BitLocker before proceeding. Otherwise, you will be prompted for the BitLocker
 recovery key on the next boot!
 
+Select the EFI disk in the 'Hardware' view in the UI and use
+'Disk Action > Enroll Updated Certificates'. Alternatively, enroll the
+certificates via the `/nodes/{node}/qemu/{vmid}/config` API endpoint. The
+enrollment takes effect when the VM is next started. The
+
+----
+qm enroll-efi-keys <vmid>
+----
+
+CLI command achieves the same, but requires the VM to be shut down.
+
 For further steps on updating secure boot within Windows and signing the
 bootloader with the new 2023 certificates, refer to the Microsoft support
 articles about
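Review bot: The added paragraph starting "Select the EFI disk in the 'Hardware' view" has no wording that ties it to the preceding BitLocker step, and the context above it says only "before proceeding" without naming enrollment. Since `qm enroll-efi-keys <vmid>` requires the VM to be shut down, state explicitly that the protectors must be disabled inside the guest before shutting it down for that path; a numbered list would make the order unambiguous. The sentence split around the listing ("The" ... "CLI command achieves the same") is moved unchanged and could be rephrased to introduce the command before the block.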
-- 
2.47.3






* Re: [PATCH-SERIES qemu-server/docs 0/2] efi enroll: small improvements to documentation
  2026-03-18  9:32 [PATCH-SERIES qemu-server/docs 0/2] efi enroll: small improvements to documentation Fiona Ebner
  2026-03-18  9:32 ` [PATCH qemu-server 1/2] start vm: check efi vars: clarify when to run the commands for BitLocker Fiona Ebner
  2026-03-18  9:32 ` [PATCH docs 2/2] qm: bios/uefi: certificate expiration: mention steps for BitLocker earlier Fiona Ebner
@ 2026-03-18 10:25 ` Maximiliano Sandoval
  2 siblings, 0 replies; 4+ messages in thread
From: Maximiliano Sandoval @ 2026-03-18 10:25 UTC (permalink / raw)
  To: Fiona Ebner; +Cc: pve-devel

Fiona Ebner <f.ebner@proxmox.com> writes:

> qemu-server:
>
> Fiona Ebner (1):
>   start vm: check efi vars: clarify when to run the commands for
>     BitLocker
>
>  src/PVE/QemuServer.pm | 2 ++
>  1 file changed, 2 insertions(+)
>
>
> pve-docs:
>
> Fiona Ebner (1):
>   qm: bios/uefi: certificate expiration: mention steps for BitLocker
>     earlier
>
>  qm.adoc | 24 +++++++++++++-----------
>  1 file changed, 13 insertions(+), 11 deletions(-)
>
>
> Summary over all repositories:
>   2 files changed, 15 insertions(+), 11 deletions(-)

While testing this patch it was not clear to me whether the order of
operations mattered after reading the documentation.

Given how sensitive this operation might be it is better to err on the
side of being precise.

Please consider this,

Reviewed-by: Maximiliano Sandoval <m.sandoval@proxmox.com>

-- 
Maximiliano



