From: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>,
Thomas Lamprecht <t.lamprecht@proxmox.com>
Subject: Re: [pve-devel] [PATCH qemu-server 2/4] api/cli: add enroll-efi-keys endpoint
Date: Tue, 18 Nov 2025 14:09:39 +0100 [thread overview]
Message-ID: <1763471319.7o0f3g0oz5.astroid@yuna.none> (raw)
In-Reply-To: <01f6f78e-aef1-4302-a9c0-805ae7a85517@proxmox.com>
On November 18, 2025 2:07 pm, Thomas Lamprecht wrote:
> Am 18.11.25 um 13:58 schrieb Fabian Grünbichler:
>>> + my $updated = PVE::QemuServer::OVMF::ensure_ms_2023_cert_enrolled(
>>> + $storecfg, $vmid, $conf->{efidisk0},
>>> + );
>> this can block and/or take a while, so shouldn't this endpoint fork a
>> task worker?
>>
>> and do we really need a new endpoint for this, couldn't we do it in the
>> config update and let the UI set the corresponding EFI disk flag as an
>> (async) update?
>
> Talked with Fiona off-list about this.
>
> I'd for now move the endpoint to the CLI only. We plan re-use recently
> added efidisk flag to provide a mechanism where the user can request enrollment
> by setting the flag to a new value. This will be refused to get hot-applied, thus
> stays a pending change in the config and will applied on the next fresh start.
> In the UI we can then also display a nice hint w.r.t. users needing to be
> prepared if they use Bitlocker, one option for that is executing the following
> command in the Windows VM before shutting it down:
>
> manage-bde -protectors -disable <drive>
sounds like a good plan - that CLI endpoint can then be converted to
become
load_config
get efidisk
call update config with modified efidisk, protected by digest
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
next prev parent reply other threads:[~2025-11-18 13:09 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-18 12:34 [pve-devel] [PATCH-SERIS qemu-server 0/4] vm start: ovmf: do not auto-enroll Microsoft UEFI CA 2023 Fiona Ebner
2025-11-18 12:34 ` [pve-devel] [PATCH qemu-server 1/4] ovmf: enroll ms 2023 cert: change QSD ID to allow calling outside of VM start Fiona Ebner
2025-11-18 12:34 ` [pve-devel] [PATCH qemu-server 2/4] api/cli: add enroll-efi-keys endpoint Fiona Ebner
2025-11-18 12:58 ` Fabian Grünbichler
2025-11-18 13:07 ` Thomas Lamprecht
2025-11-18 13:09 ` Fabian Grünbichler [this message]
2025-11-18 14:11 ` Thomas Lamprecht
2025-11-18 12:34 ` [pve-devel] [PATCH qemu-server 3/4] ovmf: factor out helper for checking whether MS 2023 certificate should be enrolled Fiona Ebner
2025-11-18 12:34 ` [pve-devel] [PATCH qemu-server 4/4] vm start: ovmf: do not auto-enroll Microsoft UEFI CA 2023 Fiona Ebner
2025-11-18 13:30 ` [pve-devel] [PATCH-SERIS qemu-server 0/4] " Thomas Lamprecht
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1763471319.7o0f3g0oz5.astroid@yuna.none \
--to=f.gruenbichler@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
--cc=t.lamprecht@proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox