A new enroll-efi-keys API endpoint and command for qm is added. It enrolls the latest known-to-be-important certificates to the EFI disk, which currently is just the Microsoft UEFI CA 2023.
Signed-off-by: Fiona Ebner <[email protected]>
---
src/PVE/API2/Qemu.pm | 60 ++++++++++++++++++++++++++++++++++++++++++++
src/PVE/CLI/qm.pm | 2 ++
2 files changed, 62 insertions(+)
diff --git a/src/PVE/API2/Qemu.pm b/src/PVE/API2/Qemu.pm
index 5cdba4bb..665afbe2 100644
--- a/src/PVE/API2/Qemu.pm
+++ b/src/PVE/API2/Qemu.pm
@@ -7048,4 +7048,64 @@ __PACKAGE__->register_method({
 },
 });
 
+__PACKAGE__->register_method({
+ name => 'enroll-efi-keys',
+ path => '{vmid}/enroll-efi-keys',
+ method => 'POST',
+ protected => 1,
+ proxyto => 'node',
+ description =>
+ "Enroll important updated certificates to the EFI disk with pre-enrolled-keys. Currently,"
+ . " this is only the Microsoft UEFI CA 2023. Must be called while the VM is shut down.",
+ permissions => {
+ check => ['perm', '/vms/{vmid}', ['VM.Config.Disk']],
+ },
+ parameters => {
+ additionalProperties => 0,
+ properties => {
+ node => get_standard_option('pve-node'),
+ vmid =>
+ get_standard_option('pve-vmid', { completion => \&PVE::QemuServer::complete_vmid }),
+ },
+ },
+ returns => { type => 'null' },
+ code => sub {
+ my ($param) = @_;
+
+ my $vmid = extract_param($param, 'vmid');
+
+ my $enroll_fn = sub {
+ my $conf = PVE::QemuConfig->load_config($vmid);
+
+ PVE::QemuConfig->check_lock($conf);
+ die "VM $vmid is running\n" if PVE::QemuServer::Helpers::vm_running_locally($vmid);
+ die "VM $vmid is a template\n" if PVE::QemuConfig->is_template($conf);
+ die "VM $vmid has no EFI disk configured\n" if !$conf->{efidisk0};
+
+ my $ostype = $conf->{ostype};
+ if (!defined($ostype) || ($ostype ne 'win10' && $ostype ne 'win11')) {
+ print "skipping - OS type is neither Windows 10 nor Windows 11\n";
+ return;
+ }
+
+ my $storecfg = PVE::Storage::config();
+
+ my $updated = PVE::QemuServer::OVMF::ensure_ms_2023_cert_enrolled(
+ $storecfg, $vmid, $conf->{efidisk0},
+ );
+ if ($updated) {
+ $conf->{efidisk0} = $updated;
+ PVE::QemuConfig->write_config($vmid, $conf);
+ } else {
+ print "skipping - no pre-enrolled keys or already got ms-cert=2023 marker\n";
+ }
+
+ return;
+ };
+
+ PVE::QemuConfig->lock_config($vmid, $enroll_fn);
+ return;
+ },
+});
+
 1;
diff --git a/src/PVE/CLI/qm.pm b/src/PVE/CLI/qm.pm
index 9398780e..d0f80b20 100755
--- a/src/PVE/CLI/qm.pm
+++ b/src/PVE/CLI/qm.pm
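Review bot: The two `print "skipping - …"` calls inside the enroll closure are the only indication that nothing was enrolled, yet the method is `proxyto => 'node'` with `returns => { type => 'null' }`, so an API caller receives the same null whether the certificate was enrolled or the VM was skipped and, as far as I can tell, never sees the printed text, which ends up on the daemon's stdout rather than with the client. Returning a short status string (with `returns => { type => 'string' }`) keeps the `qm` output while making the outcome visible over the API; this assumes `lock_config` passes the closure's return value through, which should be confirmed. The description should also spell out the no-op cases, e.g. append `"Skips VMs whose OS type is neither win10 nor win11, and EFI disks without pre-enrolled keys or already carrying the ms-cert=2023 marker."`.
```perl
    returns => { type => 'string' },
    code => sub {
        # … unchanged: parameter extraction …
        my $enroll_fn = sub {
            # … unchanged: config load, lock/running/template/efidisk0 checks …
            if (!defined($ostype) || ($ostype ne 'win10' && $ostype ne 'win11')) {
                return "skipping - OS type is neither Windows 10 nor Windows 11\n";
            }
            # … unchanged: storage config and ensure_ms_2023_cert_enrolled call …
            if ($updated) {
                $conf->{efidisk0} = $updated;
                PVE::QemuConfig->write_config($vmid, $conf);
                return "enrolled Microsoft UEFI CA 2023 for VM $vmid\n";
            }
            return "skipping - no pre-enrolled keys or already got ms-cert=2023 marker\n";
        };

        return PVE::QemuConfig->lock_config($vmid, $enroll_fn);
    },
```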
@@ -1341,6 +1341,8 @@ our $cmddef = {
 unlink => ["PVE::API2::Qemu", 'unlink', ['vmid'], {%node}],
 },
 
+ 'enroll-efi-keys' => ["PVE::API2::Qemu", 'enroll-efi-keys', ['vmid'], {%node}],
+
 monitor => [__PACKAGE__, 'monitor', ['vmid']],
 
 agent => { alias => 'guest cmd' }, # FIXME: remove with PVE 8.0
-- 
2.47.3
_______________________________________________
pve-devel mailing list
[email protected]
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
