[pve-devel] [PATCH qemu-server 2/4] api/cli: add enroll-efi-keys endpoint
Thomas Lamprecht
t.lamprecht at proxmox.com
Tue Nov 18 14:07:07 CET 2025
On 18.11.25 at 13:58, Fabian Grünbichler wrote:
>> + my $updated = PVE::QemuServer::OVMF::ensure_ms_2023_cert_enrolled(
>> + $storecfg, $vmid, $conf->{efidisk0},
>> + );
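Review bot: `$conf->{efidisk0}` is passed straight into `ensure_ms_2023_cert_enrolled` in this call, and nothing in the quoted lines shows a check that the VM has an EFI disk configured. If that check does not happen earlier in the handler, guard the call and fail with a clear error when `efidisk0` is absent. It would also help to document what `$updated` signals (keys newly enrolled versus already present) so the caller can report the outcome.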
> this can block and/or take a while, so shouldn't this endpoint fork a
> task worker?
>
> and do we really need a new endpoint for this, couldn't we do it in the
> config update and let the UI set the corresponding EFI disk flag as an
> (async) update?
Talked with Fiona off-list about this.
I'd for now move the endpoint to the CLI only. We plan to re-use the recently
added efidisk flag to provide a mechanism where the user can request enrollment
by setting the flag to a new value. This will be refused to get hot-applied, thus
stays a pending change in the config and will be applied on the next fresh start.
In the UI we can then also display a nice hint w.r.t. users needing to be
prepared if they use BitLocker, one option for that is executing the following
command in the Windows VM before shutting it down:

    manage-bde -protectors -disable <drive>