From: Fiona Ebner <f.ebner@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH-SERIES qemu-server/manager/docs v3 0/3] improve Microsoft+Windows UEFI CA 2023 enrollment
Date: Wed, 21 Jan 2026 16:44:33 +0100 [thread overview]
Message-ID: <20260121154453.285642-1-f.ebner@proxmox.com> (raw)
Changes in v3:
* drop already applied patches
* squash ui patches
* add additional newline in confirm dialog to better separate subject
from note
* move enrollment to Disk Actions menu
* also suggest and support enrollment for non-Windows guests (Linux
distro shims are also signed with the Microsoft KEK)
* add docs patch
Changes in v2:
* add patch to also enroll the Windows UEFI CA 2023
* improve readability of change_drive() function
* ui: add more context to confirmation dialog
* add patch introducing a '2023w' marker so that drives already
enrolled with only the MS 2023 cert can still be detected as needing
enrollment
Make it possible to enroll via the API and UI by setting the
ms-cert=2023w marker on the EFI disk.
The previous Microsoft UEFI CA 2011 will expire in June 2026, and the
previous Windows UEFI CA 2011 will expire in October 2026, so there
should be a way to update that can be automated and done while guests
are running.
pve-manager needs a dependency bump for qemu-server for the API call
to have the desired effect (or the marker will just get set without
actually enrolling).
qemu-server:
Fiona Ebner (1):
vm start: check efi: always check for certificates when
pre-enrolled-keys=1
src/PVE/CLI/qm.pm | 6 ------
src/PVE/QemuServer.pm | 12 ++++++------
2 files changed, 6 insertions(+), 12 deletions(-)
manager:
Fiona Ebner (1):
ui: qemu: hardware: efi: allow enrolling Microsoft+Windows UEFI CA
2023
www/manager6/qemu/HardwareView.js | 89 ++++++++++++++++++++++++++++++-
1 file changed, 88 insertions(+), 1 deletion(-)
docs:
Fiona Ebner (1):
qm: bios/uefi: add secure boot certificate expiration section
qm.adoc | 49 ++++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 48 insertions(+), 1 deletion(-)
Summary over all repositories:
4 files changed, 142 insertions(+), 14 deletions(-)
--
Generated by git-murpp 0.5.0
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
next reply other threads:[~2026-01-21 15:45 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-21 15:44 Fiona Ebner [this message]
2026-01-21 15:44 ` [pve-devel] [PATCH qemu-server v3 1/3] vm start: check efi: always check for certificates when pre-enrolled-keys=1 Fiona Ebner
2026-01-21 15:44 ` [pve-devel] [PATCH manager v3 2/3] ui: qemu: hardware: efi: allow enrolling Microsoft+Windows UEFI CA 2023 Fiona Ebner
2026-01-21 15:44 ` [pve-devel] [PATCH docs v3 3/3] qm: bios/uefi: add secure boot certificate expiration section Fiona Ebner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260121154453.285642-1-f.ebner@proxmox.com \
--to=f.ebner@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox