Secure Boot – Microsoft UEFI CA 2023 Certificate Not Included in EFI Disk

Hello,

After receiving a notification during the backup of my Linux VMs, I attempted to update the VMs with the latest MS KEK certificate.
These VMs, which are configured with Secure Boot, were updated according to the instructions in the backup task log.

One VM was updated using the command ‘Disk Action > Enroll Updated Certificates’ in the UI, and the second in offline mode with `qm enroll-efi-keys <vm-id>`.
When updating via the GUI, this resulted in a second line appearing in the GUI under HW (see screenshot).
I then rebooted the VM and have since been getting an error message at startup stating that the enroll process was not executed correctly.
(See log file in the attachment).

I performed this entire process on my Proxmox Q system, which runs on the no-subscription repository.
What is the problem here?

Something else I noticed while reviewing the log:
INFO: add KEK cert /usr/lib/python3/dist-packages/virt/firmware/certs/MicrosoftCorporationKEK2KCA2023.pem
INFO: certificate already present, skipping

Is that the certificate that's supposed to be imported? If so, it seems to already be present.
Does this still result in an error?
 
Hi @r.wegmann,
the second orange line just means that the change cannot be applied immediately while the VM is running. It will be applied the next time the VM is started or rebooted from the UI (a reboot within the VM is not enough). If the certificates are already present, that is fine too. Then the ms-cert=2023k marker will just be set to indicate that fact. Proxmox VE does not check each time which certificates are there, but uses the marker, because checking each time would be a waste.
 
Hi @fiona,

Unfortunately I had no success with rebooting, or shutting down and starting, the VM using the UI!
Still the same warning about 'EFI disk without 'ms-cert=2023k' option,'.
Looks like the marker is not applied.

Stopping the VM and manually enrolling the KEK using 'qm enroll-efi-keys 104' results in the following output:
root@vpmoxqual:~# qm enroll-efi-keys 104
efidisk0: enrolling Microsoft UEFI CA 2023
INFO: reading raw edk2 varstore from /var/run/qemu-server/qsd-vm-104-efi-enroll-efidisk0-enroll.fuse
INFO: var store range: 0x64 -> 0x40000
INFO: add db cert /usr/lib/python3/dist-packages/virt/firmware/certs/MicrosoftCorporationUEFICA2011.pem
INFO: certificate already present, skipping
INFO: add db cert /usr/lib/python3/dist-packages/virt/firmware/certs/MicrosoftUEFICA2023.pem
INFO: certificate already present, skipping
INFO: add db cert /usr/lib/python3/dist-packages/virt/firmware/certs/MicrosoftWindowsProductionPCA2011.pem
INFO: certificate already present, skipping
INFO: add db cert /usr/lib/python3/dist-packages/virt/firmware/certs/WindowsUEFICA2023.pem
INFO: certificate already present, skipping
INFO: add KEK cert /usr/lib/python3/dist-packages/virt/firmware/certs/MicrosoftCorporationKEK2KCA2023.pem
INFO: certificate already present, skipping
INFO: writing raw edk2 varstore to /var/run/qemu-server/qsd-vm-104-efi-enroll-efidisk0-enroll.fuse
Traceback (most recent call last):
File "/bin/virt-fw-vars", line 33, in <module>
sys.exit(load_entry_point('virt-firmware==24.11', 'console_scripts', 'virt-fw-vars')())
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^
File "/usr/lib/python3/dist-packages/virt/firmware/vars.py", line 305, in main
varstore.write_varstore(options.output, varlist)
~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/virt/firmware/varstore/edk2.py", line 157, in write_varstore
with open(filename, "wb") as f:
~~~~^^^^^^^^^^^^^^^^
OSError: [Errno 95] Operation not supported: '/var/run/qemu-server/qsd-vm-104-efi-enroll-efidisk0-enroll.fuse'
efidisk0: enrolling Microsoft UEFI CA 2023 failed - command 'virt-fw-vars --inplace /var/run/qemu-server/qsd-vm-104-efi-enroll-efidisk0-enroll.fuse --distro-keys ms-uefi --distro-keys windows --add-kek 77fa9abd-0359-4d32-bd60-28f4e78f784b /usr/lib/python3/dist-packages/virt/firmware/certs/MicrosoftCorporationKEK2KCA2023.pem' failed: exit code 1

Strange!
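The traceback above ends in `open(filename, "wb")` failing with errno 95 on the FUSE-exported varstore. Opening with `"wb"` truncates the file to zero bytes before writing, and a fixed-size block export may not support a size change; that this is the cause is an assumption drawn from the errno, not something the thread establishes. The example below is added here and is neither Proxmox nor virt-firmware code: it contrasts the truncating pattern with an in-place writer that keeps the backing file's size fixed and refuses an image of the wrong length, on a constructed temp file standing in for the varstore.

```python
import os
import tempfile

def write_varstore_inplace(path: str, image: bytes) -> int:
    """Overwrite a fixed-size varstore file without changing its size.

    'r+b' is O_RDWR without O_TRUNC, so the backing file is never truncated.
    A block-style backend such as a FUSE export of a disk image may reject a
    size change with EOPNOTSUPP (errno 95); that this is what the traceback
    hit is an assumption drawn from the errno, not a finding from the thread.
    """
    size = os.path.getsize(path)
    if len(image) != size:
        raise ValueError(f"image is {len(image)} bytes, backing file is {size} bytes")
    with open(path, "r+b") as f:
        written = f.write(image)
        f.flush()
        os.fsync(f.fileno())
    return written

def write_varstore_truncating(path: str, image: bytes) -> int:
    """The pattern from the traceback: 'wb' implies O_TRUNC, so the file is cut
    to zero bytes first and ends up exactly as long as the image."""
    with open(path, "wb") as f:
        return f.write(image)

def demo(size: int = 0x1000) -> dict:
    """Constructed scenario: a temp file of fixed size stands in for the varstore."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"\x00" * size)
        path = tmp.name
    try:
        image = bytes([0xAA]) * size
        written = write_varstore_inplace(path, image)
        with open(path, "rb") as f:
            content = f.read()
        size_after_inplace = os.path.getsize(path)
        try:
            write_varstore_inplace(path, image + b"\x00")  # wrong size must be refused
            rejected = False
        except ValueError:
            rejected = True
        write_varstore_truncating(path, image[: size // 2])  # 'wb' shrinks the file
        return {"written": written, "content_ok": content == image,
                "size_kept": size_after_inplace == size,
                "size_mismatch_rejected": rejected,
                "size_after_wb": os.path.getsize(path)}
    finally:
        os.unlink(path)
```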