Standard Linux distributions use a shim signed by the Microsoft KEK, so secure boot update requires the new certificates too. Also update the notice to mention this and improve it further.
While the checks for Windows could be limited to 10 and 11, if there is an EFI disk with pre-enrolled keys, it could still be that some specialized application actually uses them or simply that the OS type was misconfigured, so do not special case that. While skipping enrollment of the Windows CA could be skipped for Linux with only the MS CA being enrolled, it doesn't hurt to do so and just makes it consistent with what newly created EFI disk have. Suggested-by: Thomas Lamprecht <[email protected]> Signed-off-by: Fiona Ebner <[email protected]> --- New in v3. src/PVE/CLI/qm.pm | 6 ------ src/PVE/QemuServer.pm | 12 ++++++------ 2 files changed, 6 insertions(+), 12 deletions(-) diff --git a/src/PVE/CLI/qm.pm b/src/PVE/CLI/qm.pm index bdae9641..5326db5f 100755 --- a/src/PVE/CLI/qm.pm +++ b/src/PVE/CLI/qm.pm @@ -721,12 +721,6 @@ __PACKAGE__->register_method({ die "VM $vmid is a template\n" if PVE::QemuConfig->is_template($conf); die "VM $vmid has no EFI disk configured\n" if !$conf->{efidisk0}; - my $ostype = $conf->{ostype}; - if (!defined($ostype) || ($ostype ne 'win10' && $ostype ne 'win11')) { - print "skipping - OS type is neither Windows 10 nor Windows 11\n"; - return; - } - my $storecfg = PVE::Storage::config(); my $efidisk = parse_drive('efidisk0', $conf->{efidisk0}); diff --git a/src/PVE/QemuServer.pm b/src/PVE/QemuServer.pm index fc735aa3..7e3bf2f2 100644 --- a/src/PVE/QemuServer.pm +++ b/src/PVE/QemuServer.pm @@ -5405,16 +5405,16 @@ my sub check_efi_vars { return if PVE::QemuConfig->is_template($conf); return if !$conf->{efidisk0}; - return if !$conf->{ostype}; - return if $conf->{ostype} ne 'win10' && $conf->{ostype} ne 'win11'; my $efidisk = parse_drive('efidisk0', $conf->{efidisk0}); if (PVE::QemuServer::OVMF::should_enroll_ms_2023_cert($efidisk)) { # TODO: make the first print a log_warn with PVE 9.2 to make it more noticeable! - print "EFI disk without 'ms-cert=2023w' option, suggesting that the Microsoft UEFI 2023" - . " certificate is not enrolled yet. The UEFI 2011 certificate expires in June 2026!\n"; - print "While the VM is shut down, run 'qm enroll-efi-keys $vmid' to enroll it.\n"; - print "If the VM uses BitLocker, run the following command inside Windows Powershell:\n"; + print "EFI disk without 'ms-cert=2023w' option, suggesting that the Microsoft UEFI 2023\n"; + print "certificate is not enrolled yet. The UEFI 2011 certificate expires in June 2026!\n"; + print "The new certificate is required for secure boot update for Windows and common\n"; + print "Linux distributions. Use 'Disk Action > Enroll Updated Certificates' in the UI\n"; + print "or, while the VM is shut down, run 'qm enroll-efi-keys $vmid' to enroll it.\n\n"; + print "For Windows with BitLocker, run the following command inside Powershell:\n"; print " manage-bde -protectors -disable <drive>\n"; print "for each drive with BitLocker (for example, <drive> could be 'C:').\n"; } -- 2.47.3 _______________________________________________ pve-devel mailing list [email protected] https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
