[pve-devel] [PATCH qemu-server 2/2] fix #6985: ovmf: auto-enroll Microsoft UEFI CA 2023 for Windows

Thomas Lamprecht t.lamprecht at proxmox.com
Fri Nov 14 13:12:59 CET 2025


Am 14.11.25 um 13:03 schrieb Fiona Ebner:
> Am 14.11.25 um 12:47 PM schrieb Thomas Lamprecht:
>> Am 14.11.25 um 12:03 schrieb Fiona Ebner:
>>> Yes, we will need to be careful down the line. A clean option is using
>>> different QSD IDs for different tasks (the ID for a QSD can be any
>>> string and does not need to be a VMID). Currently, we only use QSD for
>>> EFI enrollment here and for TPM which are both part of the same start
>>> task. I will add a comment to note this and that
>>> ensure_ms_2023_cert_enrolled() may currently only be called as part of
>>> VM start.
>>
>>
>> Oh, and what I just noticed: the QSD is currently not running inside of
>> the qemu.slice/$vmid.scope?
>>
>> Not a blocker at all now, but that might be nice to have to ensure its
>> resource (mainly memory) usage is accounted for.
> 
> The one started for enrollment is not, but that one is very short-lived.
> The one started for swtpm should actually be? It's part of the
> start_swtpm() function.

True, and as you say that's the more important one anyway due to running
for the entire time such a VM is running.
So fine as is for now, we can change this at any time anyway.
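Added example (not part of the patch or the thread above): a small check that reads a process's cgroup v2 membership, as found in /proc/<pid>/cgroup, and reports whether it is accounted under the qemu.slice/<vmid>.scope unit the discussion refers to. The sample cgroup contents are constructed; the function and file names are assumptions for illustration.

```python
import re
from pathlib import Path

# Constructed samples of /proc/<pid>/cgroup contents. On cgroup v2 there is a
# single "0::<path>" line; on a hybrid hierarchy additional "<id>:<ctrl>:<path>"
# lines precede it. The first mimics a process started inside the VM's scope,
# the second a short-lived helper launched from the daemon's own context.
SAMPLE_IN_SCOPE = "0::/qemu.slice/100.scope\n"
SAMPLE_OUTSIDE = "0::/system.slice/pvedaemon.service\n"
SAMPLE_HYBRID = "12:memory:/qemu.slice/100.scope\n0::/qemu.slice/100.scope\n"


def cgroup_path(cgroup_text: str) -> str:
    """Return the unified-hierarchy path from /proc/<pid>/cgroup content.

    Only the cgroup v2 entry ("0::<path>") is used; v1 controller lines of
    a hybrid setup ("<id>:<controllers>:<path>") are skipped.
    """
    for line in cgroup_text.splitlines():
        if not line:
            continue
        hier_id, controllers, path = line.split(":", 2)
        if hier_id == "0" and controllers == "":
            return path
    raise ValueError("no cgroup v2 entry found")


def in_vm_scope(cgroup_text: str, vmid: int) -> bool:
    """True if the process is accounted under qemu.slice/<vmid>.scope.

    The scope itself and any sub-cgroup below it both count, since memory
    accounting of the scope includes its children.
    """
    path = cgroup_path(cgroup_text)
    return re.fullmatch(rf"/qemu\.slice/{vmid}\.scope(/.*)?", path) is not None


def check_pid(pid: int, vmid: int) -> bool:
    """Apply the same check to a live process (assumed helper; needs /proc)."""
    return in_vm_scope(Path(f"/proc/{pid}/cgroup").read_text(), vmid)


if __name__ == "__main__":
    print(in_vm_scope(SAMPLE_IN_SCOPE, 100))  # True
    print(in_vm_scope(SAMPLE_OUTSIDE, 100))   # False
```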
