[pve-devel] [PATCH-SERIES qemu-server 0/4] vm start: ovmf: do not auto-enroll Microsoft UEFI CA 2023
Thomas Lamprecht
t.lamprecht at proxmox.com
Tue Nov 18 14:30:00 CET 2025
On Tue, 18 Nov 2025 13:34:38 +0100, Fiona Ebner wrote:
> As reported in the community forum [0], enrolling the new certificate
> will trigger BitLocker recovery. It doesn't seem to be possible to
> detect whether BitLocker is used by looking at the EFI var store (no
> telling difference in dumps with 'virt-fw-vars --output-json' before
> and after).
>
> Stop auto-enrolling the new Microsoft UEFI 2023 certificate and
> produce a warning, telling users about the 'qm enroll-efi-keys'
> command and what steps to take when BitLocker is used to avoid
> triggering recovery. Thomas found [1], which suggests using
> 'manage-bde -protectors -disable' which will disable key protectors
> for the next boot and this was also successfully tested.
>
> [...]
Applied with two changes squashed in, thanks!
For one I replaced the log_warn with print for now to avoid being too noisy
already, we can "turn up the heat" for this early next year, e.g. for PVE 9.2.
Then I also moved the new command out of the API, keeping it purely to the qm CLI
for now to avoid having to commit to this new API for the PVE 9 lifetime,
especially as we got some other ideas to handle this in a recent off-list talk.
[1/4] ovmf: enroll ms 2023 cert: change QSD ID to allow calling outside of VM start
commit: 4effab683fc9d0a4e85d9435d84fccff56e69101
[2/4] api/cli: add enroll-efi-keys endpoint
commit: ee296e6eb10577ee90bfbb201beb5487bb81bda6
[3/4] ovmf: factor out helper for checking whether MS 2023 certificate should be enrolled
commit: 16750f2a6023f1304e445beb2d9504d51c090bfc
[4/4] vm start: ovmf: do not auto-enroll Microsoft UEFI CA 2023
commit: 6952b33bb976f3afe1369e7333e3aa3cc9dc2f1a