[pve-devel] [PATCH qemu-server v3 1/3] vm start: check efi: always check for certificates when pre-enrolled-keys=1
From: Fiona Ebner @ 2026-01-21 15:44 UTC
To: pve-devel
Standard Linux distributions use a shim signed by the Microsoft KEK,
so secure boot update requires the new certificates too. Also update
the notice to mention this and improve it further.
While the checks for Windows could be limited to 10 and 11, if there
is an EFI disk with pre-enrolled keys, it could still be that some
specialized application actually uses them or simply that the OS type
was misconfigured, so do not special case that.
While enrollment of the Windows CA could be skipped for Linux, with
only the MS CA being enrolled, it doesn't hurt to do so and just
makes it consistent with what newly created EFI disks have.
Suggested-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
New in v3.
src/PVE/CLI/qm.pm | 6 ------
src/PVE/QemuServer.pm | 12 ++++++------
2 files changed, 6 insertions(+), 12 deletions(-)
diff --git a/src/PVE/CLI/qm.pm b/src/PVE/CLI/qm.pm
index bdae9641..5326db5f 100755
--- a/src/PVE/CLI/qm.pm
+++ b/src/PVE/CLI/qm.pm
@@ -721,12 +721,6 @@ __PACKAGE__->register_method({
die "VM $vmid is a template\n" if PVE::QemuConfig->is_template($conf);
die "VM $vmid has no EFI disk configured\n" if !$conf->{efidisk0};
- my $ostype = $conf->{ostype};
- if (!defined($ostype) || ($ostype ne 'win10' && $ostype ne 'win11')) {
- print "skipping - OS type is neither Windows 10 nor Windows 11\n";
- return;
- }
-
my $storecfg = PVE::Storage::config();
my $efidisk = parse_drive('efidisk0', $conf->{efidisk0});
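Review bot: with the OS-type guard removed, nothing in the visible part of this command checks that the EFI disk was created with pre-enrolled keys, although the subject says the check applies when pre-enrolled-keys=1; make sure the code following this hunk (after `parse_drive`) still refuses or warns for an efidisk0 without `pre-enrolled-keys`, otherwise `qm enroll-efi-keys` could set the marker on a disk that never held the 2011 certificates. If that gate lives in `should_enroll_ms_2023_cert`, a one-line comment at the removal site saying so would help the next reader.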
diff --git a/src/PVE/QemuServer.pm b/src/PVE/QemuServer.pm
index fc735aa3..7e3bf2f2 100644
--- a/src/PVE/QemuServer.pm
+++ b/src/PVE/QemuServer.pm
@@ -5405,16 +5405,16 @@ my sub check_efi_vars {
return if PVE::QemuConfig->is_template($conf);
return if !$conf->{efidisk0};
- return if !$conf->{ostype};
- return if $conf->{ostype} ne 'win10' && $conf->{ostype} ne 'win11';
my $efidisk = parse_drive('efidisk0', $conf->{efidisk0});
if (PVE::QemuServer::OVMF::should_enroll_ms_2023_cert($efidisk)) {
# TODO: make the first print a log_warn with PVE 9.2 to make it more noticeable!
- print "EFI disk without 'ms-cert=2023w' option, suggesting that the Microsoft UEFI 2023"
- . " certificate is not enrolled yet. The UEFI 2011 certificate expires in June 2026!\n";
- print "While the VM is shut down, run 'qm enroll-efi-keys $vmid' to enroll it.\n";
- print "If the VM uses BitLocker, run the following command inside Windows Powershell:\n";
+ print "EFI disk without 'ms-cert=2023w' option, suggesting that the Microsoft UEFI 2023\n";
+ print "certificate is not enrolled yet. The UEFI 2011 certificate expires in June 2026!\n";
+ print "The new certificate is required for secure boot update for Windows and common\n";
+ print "Linux distributions. Use 'Disk Action > Enroll Updated Certificates' in the UI\n";
+ print "or, while the VM is shut down, run 'qm enroll-efi-keys $vmid' to enroll it.\n\n";
+ print "For Windows with BitLocker, run the following command inside Powershell:\n";
print " manage-bde -protectors -disable <drive>\n";
print "for each drive with BitLocker (for example, <drive> could be 'C:').\n";
}
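Review bot: the new text 'required for secure boot update for Windows and common Linux distributions' is ambiguous about what 'update' means; suggest 'required for Secure Boot to keep working once bootloaders are signed only with the 2023 certificates'. Two smaller points: 'Powershell' should read 'PowerShell', and the message names only the June 2026 expiry while patch 2/3 of this series also mentions the Windows UEFI CA 2011 expiring in October 2026, so mention both or neither. The TODO about promoting the first print to log_warn still applies and is fine to keep for now.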
--
2.47.3
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
[pve-devel] [PATCH manager v3 2/3] ui: qemu: hardware: efi: allow enrolling Microsoft+Windows UEFI CA 2023
From: Fiona Ebner @ 2026-01-21 15:44 UTC
To: pve-devel
When the following conditions are met:
- no pending change on the EFI disk
- EFI disk has pre-enrolled-keys
- there is no ms-cert=2023w marker yet
suggest enrolling the new Microsoft and Windows UEFI CA 2023.
The previous Microsoft UEFI CA 2011 will expire in June 2026 and the
previous Windows UEFI CA 2011 will expire in October 2026, so there
needs to be an easy way to update.
Note that this also detects drives with 'ms-cert=2023' as still
needing enrollment, because they do not yet include the 'Windows UEFI
CA 2023' certificate (only the 'Microsoft UEFI CA 2023' certificate).
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
Changes in v3:
* squash ui patches
* add additional newline in confirm dialog to better separate subject
from note
* move enrollment to Disk Actions menu
* also suggest enrollment for non-Windows guests (Linux distro shims
are also signed with the Microsoft KEK)
www/manager6/qemu/HardwareView.js | 89 ++++++++++++++++++++++++++++++-
1 file changed, 88 insertions(+), 1 deletion(-)
diff --git a/www/manager6/qemu/HardwareView.js b/www/manager6/qemu/HardwareView.js
index cf5e2a0f..aa694f76 100644
--- a/www/manager6/qemu/HardwareView.js
+++ b/www/manager6/qemu/HardwareView.js
@@ -442,6 +442,38 @@ Ext.define('PVE.qemu.HardwareView', {
handler: run_editor,
});
+ let runEfiEnroll = function () {
+ let rec = sm.getSelection()[0];
+ if (!rec) {
+ return;
+ }
+
+ let efidisk = PVE.Parser.parsePropertyString(rec.data.value, 'file');
+ efidisk['ms-cert'] = '2023w';
+
+ let params = {};
+ params[rec.data.key] = PVE.Parser.printPropertyString(efidisk);
+ Proxmox.Utils.API2Request({
+ url: `/api2/extjs/${baseurl}`,
+ waitMsgTarget: me,
+ method: 'POST',
+ params: params,
+ callback: () => me.reload(),
+ failure: (response) => Ext.Msg.alert('Error', response.htmlStatus),
+ success: function (response, options) {
+ if (response.result.data !== null) {
+ Ext.create('Proxmox.window.TaskProgress', {
+ autoShow: true,
+ upid: response.result.data,
+ listeners: {
+ destroy: () => me.reload(),
+ },
+ });
+ }
+ },
+ });
+ };
+
let move_menuitem = new Ext.menu.Item({
text: gettext('Move Storage'),
tooltip: gettext('Move disk to another storage'),
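Review bot: `callback: () => me.reload()` in runEfiEnroll already runs after every request completes, and the TaskProgress `destroy` listener reloads a second time whenever a task UPID comes back, so one of the two reloads is redundant; drop the callback or reload only in the branch where no task was started. Also, the handler relies solely on the menu item's disabled state for its preconditions (no pending change, pre-enrolled keys, no 2023w marker); re-checking `pre-enrolled-keys` on the freshly parsed `efidisk` before the POST would guard against a stale selection.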
@@ -510,11 +542,55 @@ Ext.define('PVE.qemu.HardwareView', {
},
});
+ const efiEnrollMsg =
+ gettext(
+ 'Enroll the Microsoft and Windows UEFI 2023 CA required for secure boot update.',
+ ) +
+ '<br>' +
+ gettext('This is also needed for secure boot update for common Linux distributions.') +
+ '<br>' +
+ '<br>' +
+ gettext('For Windows with BitLocker, run the following command inside Powershell:') +
+ '<br><code>manage-bde -protectors -disable <drive></code><br>' +
+ Ext.String.format(
+ // TRANSLATORS: for a shell command: "placeholder could be 'concrete value'"
+ gettext("For example, {0} could be '{1}'."),
+ '<code><drive></code>',
+ '<code>C:</code>',
+ ) +
+ '<br>' +
+ gettext('This is required for each drive with BitLocker before proceeding!') +
+ '<br>' +
+ gettext(
+ 'Otherwise, you will be prompted for the BitLocker recovery key on the next boot!',
+ );
+ let efiEnrollMenuItem = new Ext.menu.Item({
+ text: gettext('Enroll Updated Certificates'),
+ iconCls: 'fa fa-refresh',
+ selModel: sm,
+ disabled: true,
+ hidden: true,
+ handler: () => {
+ Ext.Msg.show({
+ title: gettext('Confirm'),
+ icon: Ext.Msg.QUESTION,
+ message: efiEnrollMsg,
+ buttons: Ext.Msg.YESNO,
+ callback: function (btn) {
+ if (btn !== 'yes') {
+ return;
+ }
+ runEfiEnroll();
+ },
+ });
+ },
+ });
+
let diskaction_btn = new Proxmox.button.Button({
text: gettext('Disk Action'),
disabled: true,
menu: {
- items: [move_menuitem, reassign_menuitem, resize_menuitem],
+ items: [move_menuitem, reassign_menuitem, resize_menuitem, efiEnrollMenuItem],
},
});
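Review bot: the literal `<drive>` in `'<br><code>manage-bde -protectors -disable <drive></code><br>'` and in `'<code><drive></code>'` is unescaped inside an HTML message, so Ext.Msg will treat it as a tag and the placeholder will not be rendered; use `&lt;drive&gt;` or pass the placeholder through `Ext.String.htmlEncode()`. Two style points: `efiEnrollMenuItem` lacks the `tooltip` the sibling disk actions carry (something like 'Enroll the 2023 Microsoft and Windows UEFI CA certificates on this EFI disk'), and 'Powershell' should read 'PowerShell'.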
@@ -686,6 +762,17 @@ Ext.define('PVE.qemu.HardwareView', {
);
remove_btn.RESTMethod = isUnusedDisk || (isDisk && isRunning) ? 'POST' : 'PUT';
+ let suggestEfiEnroll = false;
+ if (isEfi) {
+ let drive = PVE.Parser.parsePropertyString(value, 'file');
+ suggestEfiEnroll =
+ !pending &&
+ PVE.Parser.parseBoolean(drive['pre-enrolled-keys'], false) &&
+ drive['ms-cert'] !== '2023w';
+ }
+ efiEnrollMenuItem.setDisabled(!suggestEfiEnroll);
+ efiEnrollMenuItem.setHidden(!isEfi);
+
edit_btn.setDisabled(
deleted ||
!row.editor ||
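Review bot: the gating condition matches the commit message, including treating `ms-cert=2023` as still needing enrollment; since that case deliberately re-offers enrollment to users who already enrolled once, a short code comment next to `drive['ms-cert'] !== '2023w'` explaining that `2023` lacks the Windows UEFI CA 2023 would save a future reader a trip to the git log. Note too that `parseBoolean(drive['pre-enrolled-keys'], false)` defaults to false, so disks without the key set explicitly are never offered enrollment, which is the conservative choice here.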
--
2.47.3
[pve-devel] [PATCH docs v3 3/3] qm: bios/uefi: add secure boot certificate expiration section
From: Fiona Ebner @ 2026-01-21 15:44 UTC
To: pve-devel
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
New in v3.
qm.adoc | 49 ++++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 48 insertions(+), 1 deletion(-)
diff --git a/qm.adoc b/qm.adoc
index 667fd56..197a247 100644
--- a/qm.adoc
+++ b/qm.adoc
@@ -1121,7 +1121,8 @@ the GUI).
*pre-enroll-keys* specifies if the efidisk should come pre-loaded with
distribution-specific and Microsoft Standard Secure Boot keys. It also enables
Secure Boot by default (though it can still be disabled in the OVMF menu within
-the VM).
+the VM). See also
+xref:qm_secure_boot_ca_expiration[Secure Boot Certificate Expiration].
NOTE: If you want to start using Secure Boot in an existing VM (that still uses
a '2m' efidisk), you need to recreate the efidisk. To do so, delete the old one
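Review bot: the xref itself reads fine; while touching this paragraph, the context line above still calls the option *pre-enroll-keys*, whereas the config key the UI and CLI checks use is `pre-enrolled-keys`, so correcting the name in the same hunk would keep the docs consistent with the code.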
@@ -1137,6 +1138,52 @@ When using OVMF with PXE boot, you have to add an xref:qm_virtio_rng[RNG device]
to the VM. For security reasons, the OVMF firmware disables PXE boot for guests
without a random number generator.
+[[qm_secure_boot_ca_expiration]]
+Secure Boot Certificate Expiration
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The expiration date for the original set of Microsoft certificates from 2011,
+which are used for secure boot for Windows and common Linux distributions, is
+June 2026. New certificates were created in 2023
+footnote:[Microsoft support article about the issue
+https://support.microsoft.com/en-us/topic/windows-secure-boot-certificate-expiration-and-ca-updates-7ff40d33-95dc-4c3c-8725-a9b95457578e].
+
+When secure boot is used, only bootloaders signed with certificates present on
+the EFI disk will be allowed by the firmware. In particular, when an EFI disk
+has only the 2011 certificates, bootloaders signed with the 2023 certificates
+will be rejected. The presence of the `ms-cert=2023w` marker in the VM
+configuration for an EFI disk indicates that the new certificates are enrolled.
+
+If the `pve-edk2-firmware` package version is at least `4.2025.05-1`, newly
+created EFI disks contain both the 2011 and 2023 certificates and will have the
+`ms-cert=2023w` marker. For EFI disks created before that, select the EFI disk
+in the 'Hardware' view in the UI and use 'Disk Action > Enroll Updated
+Certificates'. Alternatively, the marker can be set via the
+`/nodes/{node}/qemu/{vmid}/config` API endpoint or via the
+
+----
+qm enroll-efi-keys <vmid>
+----
+
+CLI command. The latter works if the VM is shut down.
+
+For Windows with BitLocker, run the following command inside Powershell:
+
+----
+manage-bde -protectors -disable <drive>
+----
+
+For example, `<drive>` could be `C:`. This is required for each drive with
+BitLocker before proceeding! Otherwise, you will be prompted for the BitLocker
+recovery key on the next boot!
+
+For proceeding with updating secure boot within Windows and signing the
+bootloader with the new 2023 certificate, see
+footnote:[Microsoft support article regarding CVE-2023-24932
+https://support.microsoft.com/en-us/topic/enterprise-deployment-guidance-for-cve-2023-24932-88b8f034-20b7-4a45-80cb-c6049b0f9967]
+footnote:[Related Windows security update which needs to be installed first
+https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24932].
+
[[qm_tpm]]
Trusted Platform Module (TPM)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
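Review bot: 'The latter works if the VM is shut down.' understates the constraint; the CLI command is only usable while the VM is shut down (the start-time notice in patch 1/3 says the same), so phrase it as a requirement. Further wording points in this section: the BitLocker paragraph stops at `manage-bde -protectors -disable` and does not say what to do after the first boot with the new certificates (whether protectors must be re-enabled manually), so add that follow-up step either way; 'Powershell' should read 'PowerShell'; and 'For proceeding with updating secure boot within Windows and signing the bootloader with the new 2023 certificate, see' ends in bare footnotes, so give it an object such as 'see the Microsoft guidance' before the footnote markers. Finally, 'bootloaders signed with the 2023 certificates will be rejected' is the key consequence for readers; stating explicitly that this is what makes a guest unbootable once its OS switches to 2023-signed bootloaders would make the motivation for enrolling clearer.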
--
2.47.3