From: Thomas Lamprecht <t.lamprecht@proxmox.com>
To: pve-devel@lists.proxmox.com, Fiona Ebner <f.ebner@proxmox.com>
Subject: Re: [pve-devel] [PATCH-SERIS qemu-server 0/4] vm start: ovmf: do not auto-enroll Microsoft UEFI CA 2023
Date: Tue, 18 Nov 2025 14:30:00 +0100 [thread overview]
Message-ID: <176347259808.1206474.115598923390616956.b4-ty@proxmox.com> (raw)
In-Reply-To: <20251118123516.112546-1-f.ebner@proxmox.com>
On Tue, 18 Nov 2025 13:34:38 +0100, Fiona Ebner wrote:
> As reported in the community forum [0], enrolling the new certificate
> will trigger BitLocker recovery. It doesn't seem to be possible to
> detect whether BitLocker is used by looking at the EFI var store (no
> telling difference in dumps with 'virt-fw-vars --output-json' before
> and after).
>
> Stop auto-enrolling the new Microsoft UEFI 2023 certificate and
> produce a warning, telling users about the 'qm enroll-efi-keys'
> command and what steps to take when BitLocker is used to avoid
> triggering recovery. Thomas found [1], which suggests using
> 'manage-bde -protectors -disable' which will disable key protectors
> for the next boot and this was also successfully tested.
>
> [...]
Applied with two changes squashed in, thanks!
For one I replaced the log_warn with print for now to avoid being too noisy
already, we can "turn up the heat" for this early next year, e.g. for PVE 9.2.
Then I also moved the new command out of the API, keeping it purely to the qm CLI
for now to avoid having to commit to this new API for the PVE 9 lifetime,
especially as we got some other ideas to handle this in a recent off list talk.
[1/4] ovmf: enroll ms 2023 cert: change QSD ID to allow calling outside of VM start
commit: 4effab683fc9d0a4e85d9435d84fccff56e69101
[2/4] api/cli: add enroll-efi-keys endpoint
commit: ee296e6eb10577ee90bfbb201beb5487bb81bda6
[3/4] ovmf: factor out helper for checking whether MS 2023 certificate should be enrolled
commit: 16750f2a6023f1304e445beb2d9504d51c090bfc
[4/4] vm start: ovmf: do not auto-enroll Microsoft UEFI CA 2023
commit: 6952b33bb976f3afe1369e7333e3aa3cc9dc2f1a