Re-sent with --transfer-encoding=base64. Also available at my staff repo now: staff/f.ebner/pve-edk2-firmware, branch fix-6985
This fixes the issue with the Microsoft UEFI CA 2011 expiring in June 2026 for new EFI disks. What still needs to be done is giving users a way of (or automatically) enrolling the new keys to existing EFI disks. I will look at that part of the issue in the coming days.

To update an existing EFI disk, it should be enough to do something like:

    virt-fw-vars --inplace vm-103-disk-0.raw --distro-keys ms-uefi

AFAICS, virt-fw-vars can only deal with raw images, so we can use FUSE exports of differently formatted EFI disks, which requires [0].

[0]: https://lore.proxmox.com/pve-devel/[email protected]/

pve-edk2-firmware:

Fiona Ebner (6):
  update edk2 to edk2-stable202505 tag and refresh patches
  d/patches: pick up CVE fix from Debian tag debian/2025.05-1
  d/rules: pick up some improvements from Debian
  Use virt-firmware to enroll default keys.
  Initialize the Secure Boot dbx in *.ms.fd with the latest revocations
  partially fix #6985: pre-enroll Microsoft UEFI CA 2023 keys

 debian/DBXUpdate-2025-02-24.arm64.bin | Bin 0 -> 4613 bytes
 debian/DBXUpdate-2025-10-16.amd64.bin | Bin 0 -> 24053 bytes
 debian/control | 1 +
 debian/edk2-vars-generator.py | 140 ----
 ...nrollDefaultKeys-with-Microsoft-2023.patch | 613 ++++++++++++++++++
 ...tLib-Fix-split-lock-violation-from-M.patch | 10 +-
 ...CpuDxeSmm-Safe-handling-of-IDT-regis.patch | 45 ++
 debian/patches/series | 2 +
 debian/rules | 99 +--
 debian/source/include-binaries | 2 +
 edk2 | 2 +-
 11 files changed, 721 insertions(+), 193 deletions(-)
 create mode 100644 debian/DBXUpdate-2025-02-24.arm64.bin
 create mode 100644 debian/DBXUpdate-2025-10-16.amd64.bin
 delete mode 100755 debian/edk2-vars-generator.py
 create mode 100644 debian/patches/OvmfPkg-Expand-EnrollDefaultKeys-with-Microsoft-2023.patch
 create mode 100644 debian/patches/UefiCpuPkg-PiSmmCpuDxeSmm-Safe-handling-of-IDT-regis.patch

Summary over all repositories:
 11 files changed, 721 insertions(+), 193 deletions(-)

--
Generated by git-murpp 0.5.0

_______________________________________________
pve-devel mailing list
[email protected]
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
