[pve-devel] [PATCH qemu-server 2/4] api/cli: add enroll-efi-keys endpoint
Fabian Grünbichler
f.gruenbichler at proxmox.com
Tue Nov 18 14:09:39 CET 2025
On November 18, 2025 2:07 pm, Thomas Lamprecht wrote:
> Am 18.11.25 um 13:58 schrieb Fabian Grünbichler:
>>> + my $updated = PVE::QemuServer::OVMF::ensure_ms_2023_cert_enrolled(
>>> + $storecfg, $vmid, $conf->{efidisk0},
>>> + );
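Review bot: the quoted call runs synchronously inside the API handler, and nothing in these three lines guards against `$conf->{efidisk0}` being undefined; consider checking for a configured EFI disk before the call (dying with a clear error otherwise) and running `ensure_ms_2023_cert_enrolled` in a forked worker, since the enrollment can block for a while.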
>> this can block and/or take a while, so shouldn't this endpoint fork a
>> task worker?
>>
>> and do we really need a new endpoint for this, couldn't we do it in the
>> config update and let the UI set the corresponding EFI disk flag as an
>> (async) update?
>
> Talked with Fiona off-list about this.
>
> I'd for now move the endpoint to the CLI only. We plan to re-use the recently
> added efidisk flag to provide a mechanism where the user can request enrollment
> by setting the flag to a new value. This will be refused to get hot-applied, thus
> stays a pending change in the config and will be applied on the next fresh start.
> In the UI we can then also display a nice hint w.r.t. users needing to be
> prepared if they use Bitlocker, one option for that is executing the following
> command in the Windows VM before shutting it down:
>
> manage-bde -protectors -disable <drive>
sounds like a good plan - that CLI endpoint can then be converted to
become
load_config
get efidisk
call update config with modified efidisk, protected by digest
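A sketch of the CLI flow described in the reply above, as an added example and not code from the patch series or from the qemu-server code base. It assumes the `PVE::QemuConfig->load_config`, `PVE::QemuServer::Drive::parse_drive`/`print_drive` and `PVE::API2::Qemu->update_vm` calls as they exist in qemu-server; the EFI disk flag name `enroll-keys` and its value `1` are placeholders, since the thread does not name the flag.

```perl
#!/usr/bin/perl
use strict;
use warnings;

use PVE::QemuConfig;
use PVE::QemuServer::Drive;   # parse_drive / print_drive
use PVE::API2::Qemu;

# Hypothetical helper for the CLI endpoint: instead of enrolling the
# certificate itself, it records the enrollment request in the VM config,
# so it stays a pending change until the next fresh start.
sub request_efi_key_enrollment {
    my ($node, $vmid) = @_;

    # 1. load_config: the returned hash also carries the current digest
    my $conf = PVE::QemuConfig->load_config($vmid);

    # 2. get efidisk: refuse VMs without an EFI disk instead of writing junk
    die "VM $vmid has no efidisk0 configured\n" if !defined($conf->{efidisk0});
    my $efidisk = PVE::QemuServer::Drive::parse_drive('efidisk0', $conf->{efidisk0});
    die "unable to parse efidisk0 of VM $vmid\n" if !$efidisk;

    # 3. set the request flag (PLACEHOLDER name/value, not the real option)
    #    and hand the modified drive string to the regular config update,
    #    protected by the digest so a concurrent edit is refused rather
    #    than silently overwritten.
    $efidisk->{'enroll-keys'} = 1;
    PVE::API2::Qemu->update_vm({
        node     => $node,
        vmid     => $vmid,
        digest   => $conf->{digest},
        efidisk0 => PVE::QemuServer::Drive::print_drive($efidisk),
    });

    return 1;
}

# usage (hypothetical): request_efi_key_enrollment('pve1', 100);
```

Because the change goes through the normal config update path, the existing "refuse hot-apply, keep as pending" logic decides when it takes effect; the CLI helper itself never touches the EFI vars image and therefore needs no task worker.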