[pve-devel] [PATCH-SERIS qemu-server 0/4] vm start: ovmf: do not auto-enroll Microsoft UEFI CA 2023

[Fiona Ebner]

As reported in the community forum [0], enrolling the new certificate
will trigger BitLocker recovery. It doesn't seem to be possible to
detect whether BitLocker is used by looking at the EFI var store (no
telling difference in dumps with 'virt-fw-vars --output-json' before
and after).

Stop auto-enrolling the new Microsoft UEFI 2023 certificate and
produce a warning, telling users about the 'qm enroll-efi-keys'
command and what steps to take when BitLocker is used to avoid
triggering recovery. Thomas found [1], which suggests using
'manage-bde -protectors -disable' which will disable key protectors
for the next boot and this was also successfully tested.

[0]: https://forum.proxmox.com/threads/173417/post-817164
[1]: https://discussion.fedoraproject.org/t/warning-recent-kek-firmware-update-locks-out-windows-bitlocker-urgent-issue-for-dual-boot-users/155431/5

qemu-server:

Fiona Ebner (4):
  ovmf: enroll ms 2023 cert: change QSD ID to allow calling outside of
    VM start
  api/cli: add enroll-efi-keys endpoint
  ovmf: factor out helper for checking whether MS 2023 certificate
    should be enrolled
  vm start: ovmf: do not auto-enroll Microsoft UEFI CA 2023

 src/PVE/API2/Qemu.pm       | 60 ++++++++++++++++++++++++++++++++++++++
 src/PVE/CLI/qm.pm          |  2 ++
 src/PVE/QemuServer.pm      | 21 ++++++-------
 src/PVE/QemuServer/OVMF.pm | 29 ++++++++++++------
 4 files changed, 91 insertions(+), 21 deletions(-)


Summary over all repositories:
  4 files changed, 91 insertions(+), 21 deletions(-)

-- 
Generated by git-murpp 0.5.0