[pve-devel] [PATCH-SERIES qemu-server/manager 0/6] improve Microsoft UEFI CA 2023 enrollment

Fiona Ebner f.ebner at proxmox.com
Tue Jan 13 11:02:59 CET 2026


On 11.12.25 at 1:32 PM, Fiona Ebner wrote:
> Make it possible to enroll via the API and UI by setting the
> ms-cert=2023 marker on the EFI disk.
> 
> The previous Microsoft UEFI CA 2011 will expire in June 2026, so there
> should be a way to update that can be automated and done while guests
> are running.
> 
> pve-manager needs a dependency bump for qemu-server for the API call
> to have the desired effect (or the marker will just get set without
> actually enrolling).

It turns out that there is a separate Windows UEFI 2023 CA [0], which is
not enrolled yet. That requires invoking virt-fw-vars with
'--distro-keys windows' in addition to '--distro-keys ms-uefi'. I'll
send a v2 fixing this later.

[0]:
https://support.microsoft.com/en-au/topic/enterprise-deployment-guidance-for-cve-2023-24932-88b8f034-20b7-4a45-80cb-c6049b0f9967#id0ebbj=overview&id0ebbh=overview&id0ebbf=overview&id0ebbl=table_of_certificates



