[pve-devel] [PATCH manager v3 2/3] ui: qemu: hardware: efi: allow enrolling Microsoft+Windows UEFI CA 2023

[Fiona Ebner <f.ebner@proxmox.com>]

When the following conditions are met:
- no pending change on the EFI disk
- EFI disk has pre-enrolled-keys
- There is no ms-cert=2023w marker yet
suggest enrolling the new Microsoft and Windows UEFI CA 2023.

The previous Microsoft UEFI CA 2011 will expire in June 2026 and the
previous Windows UEFI CA 2011 will expire in October 2026, so there
needs to be an easy way to update.

Note that this also detects drives with 'ms-cert=2023' as still
needing enrollment, because they do not yet include the 'Windows UEFI
CA 2023' certificate (only the 'Microsoft UEFI CA 2023' certificate).

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---

Changes in v3:
* squash ui patches
* add additional newline in confirm dialog to better separate subject
  from note
* move enrollment to Disk Actions menu
* also suggest enrollment for non-Windows guests (Linux distro shims
  are also signed with the Microsoft KEK)


 www/manager6/qemu/HardwareView.js | 89 ++++++++++++++++++++++++++++++-
 1 file changed, 88 insertions(+), 1 deletion(-)

diff --git a/www/manager6/qemu/HardwareView.js b/www/manager6/qemu/HardwareView.js
index cf5e2a0f..aa694f76 100644
--- a/www/manager6/qemu/HardwareView.js
+++ b/www/manager6/qemu/HardwareView.js
@@ -442,6 +442,38 @@ Ext.define('PVE.qemu.HardwareView', {
             handler: run_editor,
         });
 
+        let runEfiEnroll = function () {
+            let rec = sm.getSelection()[0];
+            if (!rec) {
+                return;
+            }
+
+            let efidisk = PVE.Parser.parsePropertyString(rec.data.value, 'file');
+            efidisk['ms-cert'] = '2023w';
+
+            let params = {};
+            params[rec.data.key] = PVE.Parser.printPropertyString(efidisk);
+            Proxmox.Utils.API2Request({
+                url: `/api2/extjs/${baseurl}`,
+                waitMsgTarget: me,
+                method: 'POST',
+                params: params,
+                callback: () => me.reload(),
+                failure: (response) => Ext.Msg.alert('Error', response.htmlStatus),
+                success: function (response, options) {
+                    if (response.result.data !== null) {
+                        Ext.create('Proxmox.window.TaskProgress', {
+                            autoShow: true,
+                            upid: response.result.data,
+                            listeners: {
+                                destroy: () => me.reload(),
+                            },
+                        });
+                    }
+                },
+            });
+        };
+
         let move_menuitem = new Ext.menu.Item({
             text: gettext('Move Storage'),
             tooltip: gettext('Move disk to another storage'),
@@ -510,11 +542,55 @@ Ext.define('PVE.qemu.HardwareView', {
             },
         });
 
+        const efiEnrollMsg =
+            gettext(
+                'Enroll the Microsoft and Windows UEFI 2023 CA required for secure boot update.',
+            ) +
+            '<br>' +
+            gettext('This is also needed for secure boot update for common Linux distributions.') +
+            '<br>' +
+            '<br>' +
+            gettext('For Windows with BitLocker, run the following command inside Powershell:') +
+            '<br><code>manage-bde -protectors -disable &lt;drive&gt;</code><br>' +
+            Ext.String.format(
+                // TRANSLATORS: for a shell command: "placeholder could be 'concrete value'"
+                gettext("For example, {0} could be '{1}'."),
+                '<code>&lt;drive&gt;</code>',
+                '<code>C:</code>',
+            ) +
+            '<br>' +
+            gettext('This is required for each drive with BitLocker before proceeding!') +
+            '<br>' +
+            gettext(
+                'Otherwise, you will be prompted for the BitLocker recovery key on the next boot!',
+            );
+        let efiEnrollMenuItem = new Ext.menu.Item({
+            text: gettext('Enroll Updated Certificates'),
+            iconCls: 'fa fa-refresh',
+            selModel: sm,
+            disabled: true,
+            hidden: true,
+            handler: () => {
+                Ext.Msg.show({
+                    title: gettext('Confirm'),
+                    icon: Ext.Msg.QUESTION,
+                    message: efiEnrollMsg,
+                    buttons: Ext.Msg.YESNO,
+                    callback: function (btn) {
+                        if (btn !== 'yes') {
+                            return;
+                        }
+                        runEfiEnroll();
+                    },
+                });
+            },
+        });
+
         let diskaction_btn = new Proxmox.button.Button({
             text: gettext('Disk Action'),
             disabled: true,
             menu: {
-                items: [move_menuitem, reassign_menuitem, resize_menuitem],
+                items: [move_menuitem, reassign_menuitem, resize_menuitem, efiEnrollMenuItem],
             },
         });
 
@@ -686,6 +762,17 @@ Ext.define('PVE.qemu.HardwareView', {
             );
             remove_btn.RESTMethod = isUnusedDisk || (isDisk && isRunning) ? 'POST' : 'PUT';
 
+            let suggestEfiEnroll = false;
+            if (isEfi) {
+                let drive = PVE.Parser.parsePropertyString(value, 'file');
+                suggestEfiEnroll =
+                    !pending &&
+                    PVE.Parser.parseBoolean(drive['pre-enrolled-keys'], false) &&
+                    drive['ms-cert'] !== '2023w';
+            }
+            efiEnrollMenuItem.setDisabled(!suggestEfiEnroll);
+            efiEnrollMenuItem.setHidden(!isEfi);
+
             edit_btn.setDisabled(
                 deleted ||
                     !row.editor ||
-- 
2.47.3



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel