When creating a new virtual machine (including ms-cert=2023w) and executing the following command, KEK is displayed. Is this something else...?
*KEK was displayed even when not connected to the network, so it was determined that this was not a patch on the guest OS.
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI kek).bytes)
Editing: The virtual machine created using the following steps will display the results below. KEK is not manually registered. However, it exists in the results. (It already exists.)
1. Disable BitLocker on the guest OS
manage-bde -protectors -disable <drive>
*I suppose getting a recovery key is fine, but I can't guarantee it.
manage-bde -protectors -get <drive>
2. Shut down the virtual machine
3. Delete the EFI partition
4. Create the EFI partition
The KEK for ms-cert=2023w appears to include Microsoft Corporation KEK 2K CA 2023.
Code:
PS C:\Windows\system32> [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI kek).bytes)
U0n10?H??+?r???????H???m=0??0???E?9>R)x6??B??{???K70
U05234249Z0n10devel@lists.debian.org0(PK/KEK key)1,0* *?H??
?0???bian-devel@lists.debian.org0?"0K/KEK key)1,0* *?H??
???I????T*q?y????Yb?q??l?P????????<I??Q??????Q:?[8S??hR?>????^?0??s??V?J(?3?Ra{??@??x[?mj??D???{-???
g?S???e???Xe?Y?W?3H?l'?????c???R4(????{?w??N?j??+???B?2?4??o???_? ?3??]?ixN.???S0Q0U? ??*?H????s0U#0?? ???}-]?0g???????s0U?0?0
j??|???m3s???M???Tt??(?oX1?A?%?@?(?69s????>BZ{ x?Mi????????B?w??;??y\]q??h?i-???Q?9?Rp?<?????b?kaK?{???:???y??~E??l?1?
8'?<?D"Nz?r/v\??&??qR_[????S??
??%?Y?????J???\+?r????wY2M?`(???xK0??0???
a
0??10H?? UUS10U
Washington10URedmond10U
260624205129Z0??10tion1UUS10Uft Corporation Third Party Marketplace Root0
Washington10URedmond10U
?0???orporation1*0(U!Microsoft Corporation KEK CA 20110?"0 ★
?J?t*???m????Zc2|O??8?????????,????? ?????0?H?P?d?Q??O? ???/??????????Sjb:C??%???????#??p??M????????????/???$???????J?C~?G?l?????3?*q???<?% /hvF??O???q*X???y=??e;?)*??rY??????5????_??v??c???y@?y??R???{i???O0?K0 +?70Ub?C??>??g?[?U?{???_0 +?7
SubCA0U?0U?0?0U#0?EfRC?~X??N?#;:"j?0\UU0S0Q?O?M?Khttp://crl.microsoft.com/pki/crl/products/MicCorThiParMarRoo_2010-10-05.crl0`+T0R0P+0?Dhttp://www.microsoft.com/pki/certs/MicCorThiParMarRoo_20???????*<?*??????Rf????uz??-?vZ?y??7jQ{d??d?g???????Xd?W??_????i?HK2??]?0?????x?+???4V?????A%p?k???????<??????C??-???j+Z|D?R???-??R???=?`??3????e^V????B??w?qV???#?????X~?ig?~???
???O?u;??$?PA@y?-O??B?)??FA;???CYe?
5|?4r??`;?y???]???????%o8?????y??i?? ????????uk4??`?\??WN6?2????Y?????J???\+?r?????wY2M?`(???xK0??0???0Z10?H?? UUS10U
380302203135Z0\10ation1UUS10Uft RSA Devices Root CA 20210
?0???orporation1-0+U$Microsoft Corporation KEK 2K CA 20230?"0 ★
??^??s,?
?????-??&57?ISq?[?R?????9??LeuS??
?)?R&?+????????4?c?t?r?)~?2!Y?w?*?L??7??????H!?a??Q???$c.??????^i?Q
?+???4N??9??1?=??v??????/(?H??????h[?n?z???I??S?M/?{???????pw?EI?????f??}6?
,???!-????\T???m0?i0U??0 +?70U??r??>??f?}ZC>\BT?_0 +?7
SubCA0U?0?0U#0??D???,??????.??? 0eU^0\0Z?X?V?Thttp://www.microsoft.com/pkiops/crl/Microsoft%20RSA%20Devices%20Root%20CA%202021.crl0r+f0d0b+0?Vhttp://www.microsoft.com/pkiops/certs/Microsoft%20RSA%20???g?O9??4?]*x{8????<=2
^?X?o???????D&?,?_n#%?[L&.v1C.n??1?J?????u??????xD?3v?+M????;?M)????????F?]??????v?+?????k?>????6/??(?@?&???5??
???!'??B1V.????4?N?p0i????dFo?!???2???E8]N?????s?5O???k>?T4I??z???Y?+*??&??l?????A?o???n????@?8mp????VH????P?nm??k??rdP??U?n?K??2??mez?RW0\?(f?z?qN?a`zmV?[ >??????????xxk??*?xg>?*??]???50???Ek????????
PS C:\Windows\system32>
Of course, the `qm enroll-efi-keys` command does not include the process to register the KEK, so the KEK will not be registered. If you want to register it using the `qm enroll-efi-keys` command, I believe you'll just have to wait for a fix.
If I am mistaken, I am truly sorry.
...
If it's already installed, please stop displaying that noisy log telling me to update to k when booting a virtual machine with an EFI disk that has a certificate ending in w. I've already completed Microsoft's CVE fix on all virtual machines running on PVE...
It's ridiculous that the log remains unless you run it again, even after you've already dealt with it.
