Date: Tue, 24 Feb 2026 14:13:32 +0100
From: "Daniel Kral"
To: "Fiona Ebner"
Subject: Re: [PATCH-SERIES qemu-server/manager/docs v4 0/6] improve Microsoft+Windows UEFI CA 2023 enrollment
In-Reply-To: <20260223152556.197761-1-f.ebner@proxmox.com>
List-Id: Proxmox VE development discussion
On Mon Feb 23, 2026 at 4:25 PM CET, Fiona Ebner wrote:
> Changes in v4:
> * Also enroll MS 2023 KEK.
> * Add ms-cert=2023k marker.
> * Clarify that there are multiple certificates in all descriptions.
> * Print correct marker when applying pending changes.
> * Mention that ms-cert=2023 and ms-cert=2023w may indicate partial
>   enrollment in docs.

Tested this series with some Windows VMs and Proxmox VE VMs again:

- `qm enroll-efi-keys $vmid` and "Enroll updated certificates" in the web
  interface work as expected, and both the CAs and the KEK are there after a
  shutdown+start cycle
- Enrollment for efidisks with a previous ms-cert=2023w works as expected as
  well
- ms-cert={2023,2023w,2023k} on the efidisk trigger the enrollment correctly
- Also tested it with a BitLocker'd Windows drive this time, with and without
  disabling the BitLocker key protectors beforehand

I tried to reproduce the 1801 event with any provided secure boot updates from
Microsoft Windows, but I couldn't trigger it on my VMs, probably because I'm
running an older Windows version on these VMs. Any incoming updates were
completed successfully, though none of them were secure boot related.

The enrollment for the additional KEK 2K CA 2023 was tested with

    [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI KEK).Bytes) -match 'Microsoft Corporation KEK 2K CA 2023'

and the equivalent for mokutil on a Linux VM:

    mokutil --kek | grep 'Microsoft Corporation KEK 2K CA 2023'

Nothing seemed off to me here and the changes look good to me as well, so
consider this series as:

Reviewed-by: Daniel Kral
Tested-by: Daniel Kral
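As an added example (not part of this series or of any Proxmox code), a Python version of the KEK check above that walks the variable's EFI_SIGNATURE_LIST records and matches only inside X.509 entries, rather than grepping the whole blob; the efivarfs KEK path and the EFI_CERT_X509 GUID are taken from the UEFI specification, and the sample variable is constructed test data, not real certificates.

```python
import struct
import uuid

# Layout per the UEFI spec: a Secure Boot variable such as KEK is a sequence of
# EFI_SIGNATURE_LIST records, each holding fixed-size EFI_SIGNATURE_DATA entries.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
KEK_EFIVAR = "/sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARFS_ATTR_LEN = 4  # efivarfs prefixes the data with a 4-byte attribute word
MS_KEK_2023 = b"Microsoft Corporation KEK 2K CA 2023"


def parse_signature_lists(blob):
    """Yield (signature_type, owner, data) for every EFI_SIGNATURE_DATA entry."""
    off = 0
    while off + 28 <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or sig_size < 16 or off + list_size > len(blob):
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield sig_type, owner, blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end


def has_certificate(var_data, subject):
    """True if an X.509 entry contains the subject bytes. Like the PowerShell and
    mokutil checks this is a raw match on the DER (the CN is plain ASCII there)."""
    return any(t == EFI_CERT_X509_GUID and subject in data
               for t, _owner, data in parse_signature_lists(var_data))


def read_efivar(path=KEK_EFIVAR):
    """Read a variable from efivarfs and strip the attribute prefix."""
    with open(path, "rb") as f:
        return f.read()[EFIVARFS_ATTR_LEN:]


def build_esl(cert, owner=uuid.UUID(int=0)):
    """Build a one-entry X.509 EFI_SIGNATURE_LIST (for constructed test data)."""
    sig_size = 16 + len(cert)
    header = EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + sig_size, 0, sig_size)
    return header + owner.bytes_le + cert


# Constructed stand-in for a KEK variable: fake DER bodies, not real certificates.
SAMPLE_KEK = (build_esl(b"\x30\x82..Microsoft Corporation KEK CA 2011..")
              + build_esl(b"\x30\x82..Microsoft Corporation KEK 2K CA 2023.."))
```

On a live Linux guest, `has_certificate(read_efivar(), MS_KEK_2023)` gives the same answer as the mokutil pipeline; a `ValueError` means the variable contents are truncated or malformed rather than merely missing the certificate.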