[pve-devel] applied: [PATCH-SERIES edk2-firmware 0/6] partially fix #6985: pre-enroll Microsoft UEFI CA 2023 keys

Thomas Lamprecht t.lamprecht at proxmox.com
Tue Nov 11 11:59:00 CET 2025 

Am 06.11.25 um 16:43 schrieb Fiona Ebner:
> This fixes the issue with the Microsoft UEFI CA 2011 expiring in June
> 2026 for new EFI disks. What still needs to be done is giving users a
> way for (or automatically) enrolling the new keys to existing EFI
> disks. I will look at that part of the issue in the coming days.
> 
> To update an existing EFI disk, it should be enough to do something
> like:
> virt-fw-vars --inplace vm-103-disk-0.raw --distro-keys ms-uefi
> 
> AFAICS, virt-fw-vars can only deal with raw images, so we can use FUSE
> exports of differently formatted EFI disks which requires [0].
> 
> [0]: https://lore.proxmox.com/pve-devel/20251020141335.124077-1-f.ebner@proxmox.com/
> 
> 
> pve-edk2-firmware:
> 
> Fiona Ebner (6):
>   update edk2 to edk2-stable202505 tag and refresh patches
>   d/patches: pick up CVE fix from Debian tag debian/2025.05-1
>   d/rules: pick up some improvements from Debian
>   Use virt-firmware to enroll default keys.
>   Initialize the Secure Boot dbx in *.ms.fd with the latest revocations
>   partially fix #6985: pre-enroll Microsoft UEFI CA 2023 keys
> 
>  debian/DBXUpdate-2025-02-24.arm64.bin         | Bin 0 -> 4613 bytes
>  debian/DBXUpdate-2025-10-16.amd64.bin         | Bin 0 -> 24053 bytes
>  debian/control                                |   1 +
>  debian/edk2-vars-generator.py                 | 140 ----
>  ...nrollDefaultKeys-with-Microsoft-2023.patch | 613 ++++++++++++++++++
>  ...tLib-Fix-split-lock-violation-from-M.patch |  10 +-
>  ...CpuDxeSmm-Safe-handling-of-IDT-regis.patch |  45 ++
>  debian/patches/series                         |   2 +
>  debian/rules                                  |  99 +--
>  debian/source/include-binaries                |   2 +
>  edk2                                          |   2 +-
>  11 files changed, 721 insertions(+), 193 deletions(-)
>  create mode 100644 debian/DBXUpdate-2025-02-24.arm64.bin
>  create mode 100644 debian/DBXUpdate-2025-10-16.amd64.bin
>  delete mode 100755 debian/edk2-vars-generator.py
>  create mode 100644 debian/patches/OvmfPkg-Expand-EnrollDefaultKeys-with-Microsoft-2023.patch
>  create mode 100644 debian/patches/UefiCpuPkg-PiSmmCpuDxeSmm-Safe-handling-of-IDT-regis.patch
> 
> 
> Summary over all repositories:
>   11 files changed, 721 insertions(+), 193 deletions(-)
> 


applied series (pulled from your staff repo), thanks!

More information about the pve-devel mailing list