Note that Debian is currently preparing the changes for their first shim update signed with both old and new Microsoft keys, and that includes checking which keys are currently enrolled and refusing the update if there is no overlap. That means...
I think I understand now.
When the VM is stopped then started and this is in place "ms-cert=2023k", it does exactly what enroll-efi-key does right before it actually powers it on.
Appreciate the input!
What throws me off is that "qm enroll-efi-key vmid" seems to do a lot more than just add a tag to the VM config file.
root@frontend-test:~# qm enroll-efi-keys 100
efidisk0: enrolling Microsoft UEFI CA 2023
INFO: reading...
Is there any way to make the CLI option function like the GUI/API? With 1000s of VMs that is a tough one. Setting up tokens on tons of hosts to use the API would be a lot of manual work as well.
If we have Debian Linux VMs running Secure Boot and the older 2011 certificate.
Let's say Debian releases a new shim update after June and it is signed by the 2023 cert, will all those VMs fail to boot?