[SOLVED] Can't enable secure boot on windows VM, option greyed out

Jan 2, 2021
I'm trying to enable Secure Boot on a Windows VM in preparation for the dreaded upgrade to Win11. However, for some reason the option is greyed out in the VM BIOS (see screenshot). Not sure why or what needs to be changed. Config below if that helps.

Code:
agent: 1
args: -cpu 'host,+kvm_pv_unhalt,+kvm_pv_eoi,hv_vendor_id=NV43FIX,kvm=off'
balloon: 1024
bios: ovmf
boot: order=scsi0;ide2
cores: 16
cpu: host,hidden=1
cpuunits: 200
description: scsi1%3A VM-Storage%3Avm-102-disk-1,backup=0,iothread=1,size=1000G
efidisk0: VM-Storage:vm-108-disk-0,size=1M
hostpci0: 0000:05:00,pcie=1,x-vga=1
ide2: none,media=cdrom
machine: pc-q35-9.0
memory: 32768
name: BlueIris
net0: virtio=B2:A1:A6:E6:E7:A7,bridge=vmbr0,firewall=1,queues=16,tag=10
numa: 0
onboot: 1
ostype: win10
protection: 1
scsi0: VM-Storage:vm-108-disk-1,cache=writeback,discard=on,iothread=1,size=200G
scsi1: VM-Storage:vm-108-disk-4,backup=0,cache=writeback,discard=on,iothread=1,size=1000G
scsi2: VM-Storage:vm-108-disk-2,cache=writeback,discard=on,iothread=1,size=100G
scsihw: virtio-scsi-single
smbios1: uuid=43c0867d-1f21-43ee-a0eb-55db3f1a355d
sockets: 1
startup: order=1
tablet: 1
tags: windows
tpmstate0: VM-Storage:vm-108-disk-3,size=4M,version=v2.0
vmgenid: dfcf9182-a8a6-4396-8411-4f590ef3aae3

 
Did you tick the checkbox to pre-enroll keys when creating the machine?
If not, then the keys for Secure Boot are missing and therefore it can't be enabled. It is possible to provide the keys later on using Secure Boot Mode/Custom.
 
Probably not, this VM is very old at this point and I didn't anticipate the need for Secure Boot and a TPM at the time of creation. Do you have any information or a guide on manually enrolling keys? Any downside to doing it in this way?
 
Do you have any information or a guide on manually enrolling keys?
There are a few guides on the Internet, e.g. https://bobcares.com/blog/add-tpm-proxmox/
Of course, there is official documentation: https://pve.proxmox.com/pve-docs/pve-admin-guide.html#qm_tpm

Any downside to doing it in this way?
I would make a clone of your Windows VM as a precaution.

Cheers


Blockbridge : Ultra low latency all-NVME shared storage for Proxmox - https://www.blockbridge.com/proxmox
 
These look like guides for adding a TPM. I already have a TPM attached to the VM and that part seemed to work, but Secure Boot isn't enabled.
 
OK, the solution is way easier than I thought. Just power down, delete the EFI disk, recreate it with "pre-enrolled keys" checked, then boot the VM.

If you want to start using Secure Boot in an existing VM (that still uses a 2m efidisk), you need to recreate the efidisk. To do so, delete the old one (qm set <vmid> -delete efidisk0) and add a new one as described above. This will reset any custom configurations you have made in the OVMF menu!

Finally found this in the manual under the "10.2.11. BIOS and UEFI" section.
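The procedure from the last post (and the key-enrolment point raised in the first reply), done from the Proxmox host shell instead of the GUI, as an added example that is not part of this thread and not Proxmox's own tooling. VM id 108 and the storage name VM-Storage are taken from the posted config; the vzdump backup (standing in for the clone suggested above), the backup path, the QM/VZDUMP overrides used for a dry run, and the has_pre_enrolled_keys helper are assumptions made for this example. Note that the posted config carries protection=1, which blocks "remove disk" operations, so the flag is lifted around the efidisk swap.

```shell
#!/bin/sh
# Added example, not code from the thread or from Proxmox: recreate a VM's
# EFI disk with pre-enrolled Secure Boot keys on a Proxmox VE host, as the
# last post and the pve-admin-guide "BIOS and UEFI" section describe.
# VM id 108 and storage "VM-Storage" come from the posted config; the
# backup step and the QM/VZDUMP overrides are assumptions for this example.
set -eu

# Spec string for a fresh efidisk0: "<storage>:1" lets PVE allocate the
# volume, efitype=4m selects the 4 MiB OVMF vars image that has room for
# the key databases, and pre-enrolled-keys=1 enrolls the Microsoft Secure
# Boot keys (PVE enables Secure Boot by default with these keys).
efidisk_spec() {
    printf '%s:1,efitype=4m,pre-enrolled-keys=1' "$1"
}

# Given the text of `qm config <vmid>`, succeed only if efidisk0 was created
# with pre-enrolled keys. The config posted in the thread fails this check.
has_pre_enrolled_keys() {
    printf '%s\n' "$1" | grep -q '^efidisk0:.*pre-enrolled-keys=1'
}

# Full procedure. QM and VZDUMP default to the real binaries; set both to
# "echo" to print the commands instead of running them.
recreate_efidisk() {
    vmid="$1"; storage="$2"; conf_backup="$3"
    qm_bin="${QM:-qm}"
    vzdump_bin="${VZDUMP:-vzdump}"

    # 1. Clean shutdown first; the EFI disk must not be in use.
    "$qm_bin" shutdown "$vmid" --timeout 120

    # 2. Precaution, as advised in the thread: keep the current config and
    #    a stopped-mode backup to fall back to (goes to vzdump's default
    #    dumpdir unless configured otherwise).
    "$qm_bin" config "$vmid" > "$conf_backup"
    "$vzdump_bin" "$vmid" --mode stop

    # 3. protection=1 in the posted config blocks removing a disk, so lift
    #    it before deleting efidisk0.
    "$qm_bin" set "$vmid" --protection 0

    # 4. Drop the old EFI disk (its contents, including any OVMF menu
    #    changes, are lost) and add a new one with the keys enrolled.
    "$qm_bin" set "$vmid" --delete efidisk0
    "$qm_bin" set "$vmid" --efidisk0 "$(efidisk_spec "$storage")"

    # 5. Restore protection and boot.
    "$qm_bin" set "$vmid" --protection 1
    "$qm_bin" start "$vmid"
}

# Usage: sh recreate-efidisk.sh run 108 VM-Storage /root/vm108.conf.bak
if [ "${1:-}" = "run" ]; then
    recreate_efidisk "$2" "$3" "$4"
    # Show the resulting efidisk0 line so the pre-enrolled-keys flag is visible.
    "${QM:-qm}" config "$2" | grep '^efidisk0:'
fi
```

After the VM is back up, confirm from inside Windows with `Confirm-SecureBootUEFI` in an elevated PowerShell (it should return True), or check the "Secure Boot State" line in msinfo32. As the manual warns, the new EFI disk starts from the template, so anything you had changed in the OVMF menu is gone.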