[pve-devel] [PATCH qemu-server v2 5/9] ovmf: also enroll the Windows UEFI CA 2023 key
Fiona Ebner
f.ebner at proxmox.com
Tue Jan 13 11:54:19 CET 2026
It's a separate one from the Microsoft key [0] and is only selected
by virt-fw-vars when using '--distro-keys windows'.
[0]: https://support.microsoft.com/en-au/topic/enterprise-deployment-guidance-for-cve-2023-24932-88b8f034-20b7-4a45-80cb-c6049b0f9967#id0ebbj=overview&id0ebbh=overview&id0ebbf=overview&id0ebbl=table_of_certificates
Signed-off-by: Fiona Ebner <f.ebner at proxmox.com>
---
New in v2.
src/PVE/QemuServer/OVMF.pm | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/PVE/QemuServer/OVMF.pm b/src/PVE/QemuServer/OVMF.pm
index 436edb47..a8317ea6 100644
--- a/src/PVE/QemuServer/OVMF.pm
+++ b/src/PVE/QemuServer/OVMF.pm
@@ -305,7 +305,16 @@ sub ensure_ms_2023_cert_enrolled {
my $efi_vars_path =
PVE::QemuServer::QSD::add_fuse_export($qsd_id, $efidisk, 'efidisk0-enroll');
PVE::Tools::run_command(
- ['virt-fw-vars', '--inplace', $efi_vars_path, '--distro-keys', 'ms-uefi']);
+ [
+ 'virt-fw-vars',
+ '--inplace',
+ $efi_vars_path,
+ '--distro-keys',
+ 'ms-uefi',
+ '--distro-keys',
+ 'windows',
+ ],
+ );
PVE::QemuServer::QSD::remove_fuse_export($qsd_id, 'efidisk0-enroll');
};
my $err = $@;
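Review bot: The new argument list passes '--distro-keys' twice ('ms-uefi' and 'windows') with no comment in the code saying why both sets are needed; the explanation only lives in the commit message. A short comment above the list, along the lines of "# 'windows' is a separate key set that carries the Windows UEFI CA 2023", would keep the reason next to the call. Since the sub is named ensure_ms_2023_cert_enrolled and now enrolls two key sets, it is also worth confirming that whatever condition guards this call (not shown in this hunk) still triggers for an EFI disk that already has the 'ms-uefi' keys but not the 'windows' ones.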
--
2.47.3