public inbox for pve-devel@lists.proxmox.com
From: "Daniel Kral" <d.kral@proxmox.com>
To: "Fiona Ebner" <f.ebner@proxmox.com>, <pve-devel@lists.proxmox.com>
Subject: Re: [PATCH-SERIES qemu-server/manager/docs v4 0/6] improve Microsoft+Windows UEFI CA 2023 enrollment
Date: Tue, 24 Feb 2026 14:13:32 +0100	[thread overview]
Message-ID: <DGN7VWSNS1E1.3PPEZZELGYSSH@proxmox.com> (raw)
In-Reply-To: <20260223152556.197761-1-f.ebner@proxmox.com>

On Mon Feb 23, 2026 at 4:25 PM CET, Fiona Ebner wrote:
> Changes in v4:
> * Also enroll MS 2023 KEK.
> * Add ms-cert=2023k marker.
> * Clarify that there are multiple certificates in all descriptions.
> * Print correct marker when applying pending changes.
> * Mention that ms-cert=2023 and ms-cert=2023w may indicate partial
>   enrollment in docs.

Tested this series with some Windows VMs and Proxmox VE VMs again:

- `qm enroll-efi-keys $vmid` and "Enroll updated certificates" in the
  web interface work as expected and both the CAs and KEK are there
  after a shutdown+start cycle
- Enrollment for efidisks with previous ms-cert=2023w works as expected
  as well
- ms-cert={2023,2023w,2023k} on efidisk trigger the enrollment correctly
- Also tested it with a BitLocker'd Windows drive this time with and
  without disabling the BitLocker key protectors beforehand

I tried to reproduce the 1801 event with any provided secure boot
updates from Microsoft Windows, but I couldn't trigger it on my VMs,
probably because I'm running an older Windows version on these VMs. Any
incoming updates were completed successfully, though none of them were
secure boot related.

The enrollment for the additional KEK 2K CA 2023 was tested with

    [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI KEK).Bytes) `
        -match 'Microsoft Corporation KEK 2K CA 2023'

and the equivalent for mokutil on a Linux VM:

    mokutil --kek | grep 'Microsoft Corporation KEK 2K CA 2023'

Nothing seemed off to me here and the changes look good to me as well,
so consider this series as:

Reviewed-by: Daniel Kral <d.kral@proxmox.com>
Tested-by: Daniel Kral <d.kral@proxmox.com>
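
The two checks above match the subject name against the raw variable contents. As an added example (not part of this thread or of the patch series), the following parses the KEK variable's EFI_SIGNATURE_LIST structures and checks each X.509 entry individually, so malformed data is rejected and other entry types are not mistaken for a certificate; the efivarfs path, the placeholder owner GUID and the placeholder certificate bytes are assumptions.

```python
import struct
import uuid

# Signature type GUID of an X.509 certificate entry (EFI_CERT_X509_GUID).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# KEK variable under efivarfs; the vendor GUID is EFI_GLOBAL_VARIABLE.
KEK_EFIVAR = "/sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c"
SIGLIST_HDR = struct.Struct("<16sIII")  # SignatureType, ListSize, HeaderSize, SignatureSize

def parse_signature_lists(data):
    """Return [(type_guid, owner_guid, signature_data)] for a concatenation of
    EFI_SIGNATURE_LIST structures, rejecting truncated or inconsistent sizes."""
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < SIGLIST_HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        raw_type, list_size, hdr_size, sig_size = SIGLIST_HDR.unpack_from(data, off)
        body, end = off + SIGLIST_HDR.size + hdr_size, off + list_size
        if end > len(data) or body > end or sig_size <= 16 or (end - body) % sig_size:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        sig_type = uuid.UUID(bytes_le=raw_type)
        for pos in range(body, end, sig_size):  # each entry: SignatureOwner GUID + data
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            entries.append((sig_type, owner, data[pos + 16:pos + sig_size]))
        off = end
    return entries

def has_x509_with_name(data, name):
    """True if an X.509 entry's DER contains `name`; subject strings are stored
    as ASCII PrintableString/UTF8String, so a byte search is sufficient."""
    return any(t == EFI_CERT_X509_GUID and name.encode() in der
               for t, _, der in parse_signature_lists(data))

def read_kek(path=KEK_EFIVAR):
    """Read the KEK variable on Linux; efivarfs prefixes 4 bytes of attribute flags."""
    with open(path, "rb") as f:
        return f.read()[4:]

def build_x509_list(owner, der):
    """Constructed helper: one EFI_SIGNATURE_LIST holding a single X.509 entry."""
    body = owner.bytes_le + der
    hdr = SIGLIST_HDR.pack(EFI_CERT_X509_GUID.bytes_le, SIGLIST_HDR.size + len(body), 0, len(body))
    return hdr + body

# Constructed sample KEK (placeholder owner GUID, placeholder bytes instead of real DER).
OWNER = uuid.UUID("00000000-0000-4000-8000-000000000001")
SAMPLE_KEK = (build_x509_list(OWNER, b"<constructed DER, CN=Microsoft Corporation KEK CA 2011>")
              + build_x509_list(OWNER, b"<constructed DER, CN=Microsoft Corporation KEK 2K CA 2023>"))
```

On a Linux VM, `has_x509_with_name(read_kek(), "Microsoft Corporation KEK 2K CA 2023")` performs the same check as the mokutil one-liner above, but on the parsed entries.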

Thread overview: 8+ messages
2026-02-23 15:25 Fiona Ebner
2026-02-23 15:25 ` [PATCH qemu-server v4 1/6] vm start: check efi: always check for certificates when pre-enrolled-keys=1 Fiona Ebner
2026-02-23 15:25 ` [PATCH qemu-server v4 2/6] efi disk: clarify that there are multiple certificates Fiona Ebner
2026-02-23 15:25 ` [PATCH qemu-server v4 3/6] apply pending: efi disk: print drive to pick up changes Fiona Ebner
2026-02-23 15:25 ` [PATCH qemu-server v4 4/6] ovmf: efi enroll: also enroll the MS 2023 KEK Fiona Ebner
2026-02-23 15:25 ` [PATCH manager v4 5/6] ui: qemu: hardware: efi: allow enrolling UEFI 2023 certs from Microsoft Fiona Ebner
2026-02-23 15:25 ` [PATCH docs v4 6/6] qm: bios/uefi: add secure boot certificate expiration section Fiona Ebner
2026-02-24 13:13 ` Daniel Kral [this message]