Like this, the 'qm enroll-efi-keys' operation can be done via API too.

The previous Microsoft UEFI CA 2011 will expire in June 2026, so there
should be a way to update it that can be automated and done while guests
are running.

Suggested-by: Fabian Grünbichler <[email protected]>
Suggested-by: Thomas Lamprecht <[email protected]>
Signed-off-by: Fiona Ebner <[email protected]>
---
 src/PVE/QemuServer.pm      |  9 +++++++++
 src/PVE/QemuServer/OVMF.pm | 16 ++++++++++++++++
 2 files changed, 25 insertions(+)

diff --git a/src/PVE/QemuServer.pm b/src/PVE/QemuServer.pm
index dfa74c4b..6492d706 100644
--- a/src/PVE/QemuServer.pm
+++ b/src/PVE/QemuServer.pm
@@ -4988,6 +4988,15 @@ sub vmconfig_apply_pending {
             if (defined($conf->{$opt}) && is_valid_drivename($opt)) {
                 my $old_drive = parse_drive($opt, $conf->{$opt});
                 vmconfig_register_unused_drive($storecfg, $vmid, $conf, 
$old_drive);
+                if ($opt eq 'efidisk0') {
+                    my $new_drive = parse_drive($opt, 
$conf->{pending}->{$opt});
+                    PVE::QemuServer::OVMF::drive_change(
+                        $storecfg,
+                        $vmid,
+                        $old_drive,
+                        $new_drive,
+                    );
+                }
             } elsif (defined($conf->{pending}->{$opt}) && $opt =~ m/^net\d+$/) 
{
                 my $new_net = 
PVE::QemuServer::Network::parse_net($conf->{pending}->{$opt});
                 if ($conf->{$opt}) {
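Review bot: The new drive_change() call on the efidisk0 branch can die (enrolling the 2023 certificate modifies the EFI vars disk), and nothing in the hunk catches that, so a failure aborts applying the remaining pending options at this point; vmconfig_apply_pending starts outside the hunk, so whether a caller wraps this in eval is not visible here. If aborting is intended — which seems right, since applying the pending `ms-cert=2023` marker after a failed enrollment would misrepresent the guest's state — a short comment stating that would help, e.g. `# dies on failure on purpose: the ms-cert=2023 marker must not be applied if enrollment did not succeed`. Note also that the old drive was already registered as unused on the line above before drive_change() compares the two `file` values; for the same-file case this is presumably harmless, but worth confirming.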
diff --git a/src/PVE/QemuServer/OVMF.pm b/src/PVE/QemuServer/OVMF.pm
index 4aa98100..58415899 100644
--- a/src/PVE/QemuServer/OVMF.pm
+++ b/src/PVE/QemuServer/OVMF.pm
@@ -317,4 +317,20 @@ sub ensure_ms_2023_cert_enrolled {
     return $efidisk;
 }
 
+sub drive_change {
+    my ($storecfg, $vmid, $old_drive, $new_drive) = @_;
+
+    return if $old_drive->{file} ne $new_drive->{file};
+
+    # Note that changing away from ms-cert=2023 is allowed, the marker is not 
the source of truth.
+    return if $old_drive->{'ms-cert'} && $old_drive->{'ms-cert'} eq '2023';
+
+    return if !$new_drive->{'ms-cert'} || $new_drive->{'ms-cert'} ne '2023';
+
+    # The ms-cert marker was newly changed to 2023, ensure it's enrolled. 
Clear it first to avoid
+    # detecting as already enrolled.
+    delete $new_drive->{'ms-cert'};
+    ensure_ms_2023_cert_enrolled($storecfg, $vmid, $new_drive);
+}
+
 1;
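Review bot: drive_change() mutates the caller's hash by deleting `ms-cert` from `$new_drive` before calling ensure_ms_2023_cert_enrolled(), and neither a comment nor POD says so; the only caller in this patch passes a freshly parsed drive, but a future caller that serializes the same hash afterwards would silently lose the marker. Working on a shallow copy avoids the surprise: `my %drive = %$new_drive;`, `delete $drive{'ms-cert'};`, `ensure_ms_2023_cert_enrolled($storecfg, $vmid, \%drive);`. The return value of ensure_ms_2023_cert_enrolled() (the `$efidisk` returned at the top of the hunk) is discarded here, which looks deliberate but deserves a one-line header comment describing the contract: called from vmconfig_apply_pending when efidisk0 has a pending change on the same file, enrolls the 2023 certificate only when the marker newly became 2023, and dies if enrollment fails.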
-- 
2.47.3


