From: Fiona Ebner
To: Thomas Lamprecht, Proxmox VE development discussion
Date: Fri, 14 Nov 2025 12:03:30 +0100
Subject: Re: [pve-devel] [PATCH qemu-server 2/2] fix #6985: ovmf: auto-enroll Microsoft UEFI CA 2023 for Windows
Message-ID: <426ea401-74b9-4825-94ec-45a7fd80bb2d@proxmox.com>
In-Reply-To: <5ce79121-9ce3-4f6f-9842-3c9a5572b99b@proxmox.com>
References: <20251111135808.110791-1-f.ebner@proxmox.com> <20251111135808.110791-3-f.ebner@proxmox.com> <5ce79121-9ce3-4f6f-9842-3c9a5572b99b@proxmox.com>
List-Id: Proxmox VE development discussion

On 14.11.25 at 2:18 AM, Thomas Lamprecht wrote:
> On 11.11.25 at 14:57, Fiona Ebner wrote:
> needs a rebase (or I fumbled something).

Probably because of the sev->cvm rename as part of the TDX series. Will do!
>> @@ -235,4 +265,33 @@ sub print_ovmf_commandline { >> return ($cmd, $machine_flags); >> } >> >> +sub ensure_ms_2023_cert_enrolled { >> + my ($storecfg, $vmid, $efidisk_str) = @_; >> + >> + my $efidisk = parse_drive('efidisk0', $efidisk_str); >> + return if !$efidisk->{'pre-enrolled-keys'}; >> + return if $efidisk->{'ms-cert'} && $efidisk->{'ms-cert'} eq '2023'; >> + >> + print "efidisk0: enrolling Microsoft UEFI CA 2023\n"; >> + >> + my $new_qsd = !PVE::QemuServer::Helpers::qsd_running_locally($vmid); >> + PVE::QemuServer::QSD::start($vmid) if $new_qsd; >> + >> + eval { >> + my $efi_vars_path = >> + PVE::QemuServer::QSD::add_fuse_export($vmid, $efidisk, 'efidisk0-enroll'); >> + PVE::Tools::run_command( >> + ['virt-fw-vars', '--inplace', $efi_vars_path, '--distro-keys', 'ms-uefi']); >> + PVE::QemuServer::QSD::remove_fuse_export($vmid, 'efidisk0-enroll'); >> + }; >> + my $err = $@; >> + >> + PVE::QemuServer::QSD::quit($vmid) if $new_qsd; > > if other request start using this QSD after it was started here they might get > interrupted? Albeit currently this is probably rather theoretically due to QSD > being per-vmid and we the operations QSD is used as of now are not really being > able to run concurently for a single VM FWICT. > > Might be still good to at least add a comment for this for the case that QSD gets > adopted more. Yes, we will need to be careful down the line. A clean option is using different QSD IDs for different tasks (the ID for a QSD can be any string and does not need to be a VMID). Currently, we only use QSD for EFI enrollment here and for TPM which are both part of the same start task. I will add a comment to note this and that ensure_ms_2023_cert_enrolled() may currently only be called as part of VM start. _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
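Review bot: In ensure_ms_2023_cert_enrolled(), the remove_fuse_export() call is the last statement inside the eval, so it is skipped whenever virt-fw-vars (run_command) dies; when $new_qsd is false the QSD is left running with the 'efidisk0-enroll' export still attached, and any later call in that same QSD would reuse the same fixed export name. Consider moving the cleanup out of the eval and guarding it with its own eval so a cleanup failure does not overwrite $err, e.g. `eval { PVE::QemuServer::QSD::remove_fuse_export($vmid, 'efidisk0-enroll'); }; warn $@ if $@;` placed before the `quit` call. Two smaller points on the visible lines: $storecfg is unpacked from @_ but never used, and since the function may quit() a QSD it did not start, the restriction agreed in the thread (callable only as part of VM start, QSD instances shared per VMID) should go in a comment directly above the sub.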