From: Fiona Ebner <f.ebner@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH-SERIES edk2-firmware 0/6] partially fix #6985: pre-enroll Microsoft UEFI CA 2023 keys
Date: Thu, 6 Nov 2025 16:42:51 +0100 [thread overview]
Message-ID: <20251106154314.772317-1-f.ebner@proxmox.com> (raw)
This fixes the issue with the Microsoft UEFI CA 2011 expiring in June
2026 for new EFI disks. What still needs to be done is giving users a
way for (or automatically) enrolling the new keys to existing EFI
disks. I will look at that part of the issue in the coming days.
To update an existing EFI disk, it should be enough to do something
like:
virt-fw-vars --inplace vm-103-disk-0.raw --distro-keys ms-uefi
AFAICS, virt-fw-vars can only deal with raw images, so we can use FUSE
exports of differently formatted EFI disks which requires [0].
[0]: https://lore.proxmox.com/pve-devel/20251020141335.124077-1-f.ebner@proxmox.com/
pve-edk2-firmware:
Fiona Ebner (6):
update edk2 to edk2-stable202505 tag and refresh patches
d/patches: pick up CVE fix from Debian tag debian/2025.05-1
d/rules: pick up some improvements from Debian
Use virt-firmware to enroll default keys.
Initialize the Secure Boot dbx in *.ms.fd with the latest revocations
partially fix #6985: pre-enroll Microsoft UEFI CA 2023 keys
debian/DBXUpdate-2025-02-24.arm64.bin | Bin 0 -> 4613 bytes
debian/DBXUpdate-2025-10-16.amd64.bin | Bin 0 -> 24053 bytes
debian/control | 1 +
debian/edk2-vars-generator.py | 140 ----
...nrollDefaultKeys-with-Microsoft-2023.patch | 613 ++++++++++++++++++
...tLib-Fix-split-lock-violation-from-M.patch | 10 +-
...CpuDxeSmm-Safe-handling-of-IDT-regis.patch | 45 ++
debian/patches/series | 2 +
debian/rules | 99 +--
debian/source/include-binaries | 2 +
edk2 | 2 +-
11 files changed, 721 insertions(+), 193 deletions(-)
create mode 100644 debian/DBXUpdate-2025-02-24.arm64.bin
create mode 100644 debian/DBXUpdate-2025-10-16.amd64.bin
delete mode 100755 debian/edk2-vars-generator.py
create mode 100644 debian/patches/OvmfPkg-Expand-EnrollDefaultKeys-with-Microsoft-2023.patch
create mode 100644 debian/patches/UefiCpuPkg-PiSmmCpuDxeSmm-Safe-handling-of-IDT-regis.patch
Summary over all repositories:
11 files changed, 721 insertions(+), 193 deletions(-)
--
Generated by git-murpp 0.5.0
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
next reply other threads:[~2025-11-06 15:42 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-06 15:42 Fiona Ebner [this message]
2025-11-06 15:42 ` [pve-devel] [PATCH edk2-firmware 1/6] update edk2 to edk2-stable202505 tag and refresh patches Fiona Ebner
2025-11-06 15:42 ` [pve-devel] [PATCH edk2-firmware 2/6] d/patches: pick up CVE fix from Debian tag debian/2025.05-1 Fiona Ebner
2025-11-06 15:42 ` [pve-devel] [PATCH edk2-firmware 3/6] d/rules: pick up some improvements from Debian Fiona Ebner
2025-11-06 15:42 ` [pve-devel] [PATCH edk2-firmware 4/6] Use virt-firmware to enroll default keys Fiona Ebner
2025-11-06 15:42 ` [pve-devel] [PATCH edk2-firmware 5/6] Initialize the Secure Boot dbx in *.ms.fd with the latest revocations Fiona Ebner
2025-11-06 15:42 ` [pve-devel] [PATCH edk2-firmware 6/6] partially fix #6985: pre-enroll Microsoft UEFI CA 2023 keys Fiona Ebner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251106154314.772317-1-f.ebner@proxmox.com \
--to=f.ebner@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox