From: Fiona Ebner
To: Thomas Lamprecht, Proxmox VE development discussion
Date: Wed, 21 Jan 2026 14:08:31 +0100
Message-ID: <78bfb5b9-f00c-4641-a971-a6c1d8dea4c4@proxmox.com>
In-Reply-To: <777b5621-4cf6-44e5-90ee-6882cfb3f290@proxmox.com>
Subject: Re: [pve-devel] [PATCH manager v2 8/9] ui: qemu: hardware: efi: allow enrolling Microsoft+Windows UEFI CA 2023

On 20.01.26 at 6:49 PM, Thomas Lamprecht wrote:
> On 13.01.26 at 11:54, Fiona Ebner wrote:
>> diff --git a/www/manager6/qemu/HardwareView.js b/www/manager6/qemu/HardwareView.js >> index cf5e2a0f..69216932 100644 >> --- a/www/manager6/qemu/HardwareView.js >> +++ b/www/manager6/qemu/HardwareView.js
>> @@ -442,6 +442,67 @@ Ext.define('PVE.qemu.HardwareView', { >> handler: run_editor, >> }); >> >> + let runEfiEnroll = function () { >> + let rec = sm.getSelection()[0]; >> + if (!rec) { >> + return; >> + } >> + >> + let efidisk = PVE.Parser.parsePropertyString(rec.data.value, 'file'); >> + efidisk['ms-cert'] = '2023'; >> + >> + let params = {}; >> + params[rec.data.key] = PVE.Parser.printPropertyString(efidisk); >> + Proxmox.Utils.API2Request({ >> + url: `/api2/extjs/${baseurl}`, >> + waitMsgTarget: me, >> + method: 'POST', >> + params: params, >> + callback: () => me.reload(), >> + failure: (response) => Ext.Msg.alert('Error', response.htmlStatus), >> + success: function (response, options) { >> + if (response.result.data !== null) { >> + Ext.create('Proxmox.window.TaskProgress', { >> + autoShow: true, >> + upid: response.result.data, >> + listeners: { >> + destroy: () => me.reload(), >> + }, >> + }); >> + } >> + }, >> + }); >> + }; >> + >> + let efiEnrollButton = new Proxmox.button.Button({ >> + text: gettext('Enroll updated certificates'), >> + selModel: sm, >> + disabled: true, >> + hidden: true, >> + handler: runEfiEnroll, >> + confirmMsg: >> + gettext( >> + 'Enroll the Microsoft and Windows UEFI 2023 CA required for secure boot update.' >> + ) + >> + '
' +
>
> would probably add an extra line break here to better distinguish the description of what's
> happening here with the note below.

Ack.

>> + gettext( >> + 'If the VM uses BitLocker, run the following command inside Windows Powershell:', >> + ) + >> + '
manage-bde -protectors -disable <drive>
' + >> + Ext.String.format( >> + // TRANSLATORS: for a shell command: "placeholder could be 'concrete value'" >> + gettext("For example, {0} could be '{1}'."), >> + '<drive>', >> + 'C:', >> + ) + >> + '
' + >> + gettext('This is required for each drive with BitLocker before proceeding!') + >> + '
' + >> + gettext( >> + 'Otherwise, you will be prompted for the BitLocker recovery key on the next boot!', >> + ), >> + }); >> + >> let move_menuitem = new Ext.menu.Item({ >> text: gettext('Move Storage'), >> tooltip: gettext('Move disk to another storage'), >> @@ -616,6 +677,8 @@ Ext.define('PVE.qemu.HardwareView', { >> let selection_model = me.getSelectionModel(); >> let rec = selection_model.getSelection()[0]; >> >> + let isWin10or11 = false; >> + >> counts = {}; // en/disable hardwarebuttons >> let hasCloudInit = false; >> me.rstore.getData().items.forEach(function ({ id, data }) { >> @@ -629,6 +692,10 @@ Ext.define('PVE.qemu.HardwareView', { >> let type = match[1]; >> counts[type] = (counts[type] || 0) + 1; >> } >> + >> + if (id === 'ostype' && (data.value === 'win10' || data.value === 'win11')) { >> + isWin10or11 = true;
>
> Hmm, this is not complete though? What if my Linux distro uses a MS blessed
> signing key for the bootloader and switches to the 2023 one?

Ah, very good point! Right, they do depend on the Microsoft KEK too.

> Maybe always show it if windows or pre-enrolled-keys is true?

Ack. The backend currently also checks for OS type being Win10/11, I'll adapt it there too.

>> @@ -822,6 +903,7 @@ Ext.define('PVE.qemu.HardwareView', { >> }, >> remove_btn, >> edit_btn, >> + efiEnrollButton,
>
> Slightly torn here on button placement. Semantically it would fit better in the
> disk-action sub-menu, and while it's a bit less subtle there, it's IMO not that
> much more noticeable as is.
> If you strongly disagree with me, which I'm naturally fine with, I'd vouch for at
> least moving it to the end so that the other buttons do not "jump" location when
> selection changes from another HW property to an efidisk one.

Okay, I'll move it to the disk-action sub menu.

Will also add a docs patch.
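
Review bot: the `confirmMsg` in the `@@ -442,6 +442,67 @@` hunk tells the user to run `manage-bde -protectors -disable <drive>` but never mentions turning the protectors back on afterwards, so an admin who follows it has no hint that the drive's protection state needs checking once the enrollment and reboot are done. Consider adding the matching re-enable step, or a pointer to the docs, to the message. Separately, in `runEfiEnroll` both the request's `callback: () => me.reload()` and the `TaskProgress` listener `destroy: () => me.reload()` reload the view, once when the POST returns and again when the task window closes; keeping only the one that runs after the task finishes would avoid showing intermediate state.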
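
Review bot: in the `@@ -629,6 +692,10 @@` hunk the only condition visible for `isWin10or11` is `id === 'ostype'` with `data.value` equal to `'win10'` or `'win11'`, which is a guest-type label chosen in the config rather than a property of the EFI disk whose certificates are being updated. Deriving the flag (and its name) from the efidisk properties instead, such as `pre-enrolled-keys` as suggested in the thread and the `ms-cert` value that `runEfiEnroll` writes, would tie the button to the actual state of the disk; a short comment stating why these two `ostype` values are matched would also help if the check stays.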