After updating Proxmox and rebooting the node, the following warning was displayed:
WARN: EFI disk without 'ms-cert=2023k' option, suggesting that not all UEFI 2023
certificates from Microsoft are enrolled yet.
The UEFI 2011 certificates expire in June 2026! The new certificates are required
for secure boot update for Windows and common Linux distributions.
Use 'Disk Action > Enroll Updated Certificates' in the UI or, while the VM is
shut down, run 'qm enroll-efi-keys 3140' to enroll the new certificates.
For Windows with BitLocker, run the following command inside Powershell:
manage-bde -protectors -disable <drive>
for each drive with BitLocker (for example, <drive> could be 'C:').
This is required for each drive with BitLocker before proceeding with enrollment.
Otherwise, you will be prompted for the BitLocker recovery key on the next boot.
TASK WARNINGS: 1
At first I could not find the UI operation (Disk Action > Enroll Updated Certificates), so I tried running the command instead.
# qm enroll-efi-keys 3140
efidisk0: enrolling Microsoft UEFI CA 2023
INFO: reading raw edk2 varstore from /var/run/qemu-server/qsd-vm-3140-efi-enroll-efidisk0-enroll.fuse
INFO: var store range: 0x64 -> 0x40000
INFO: add db cert /usr/lib/python3/dist-packages/virt/firmware/certs/MicrosoftCorporationUEFICA2011.pem
INFO: certificate already present, skipping
INFO: add db cert /usr/lib/python3/dist-packages/virt/firmware/certs/MicrosoftUEFICA2023.pem
INFO: add db cert /usr/lib/python3/dist-packages/virt/firmware/certs/MicrosoftWindowsProductionPCA2011.pem
INFO: certificate already present, skipping
INFO: add db cert /usr/lib/python3/dist-packages/virt/firmware/certs/WindowsUEFICA2023.pem
INFO: add KEK cert /usr/lib/python3/dist-packages/virt/firmware/certs/MicrosoftCorporationKEK2KCA2023.pem
INFO: writing raw edk2 varstore to /var/run/qemu-server/qsd-vm-3140-efi-enroll-efidisk0-enroll.fuse
successfully updated efidisk
#
After this, looking at the UI, the entry under the selected VM (the one with VMID 3140 in the example above) > Hardware > EFI Disk had been rewritten.
To make the change from the UI instead, go to the selected VM > Hardware > EFI Disk > Disk Action > Enroll Updated Certificates. The following message is then displayed:
Enroll the UEFI 2023 certificates from Microsoft required for secure boot update.
This is also needed for secure boot update for common Linux distributions.
For Windows with BitLocker, run the following command inside Powershell:
manage-bde -protectors -disable <drive>
For example, <drive> could be 'C:'.
This is required for each drive with BitLocker before proceeding!
Otherwise, you will be prompted for the BitLocker recovery key on the next boot!
Select Yes. If the guest OS of the VM is Windows, perform the steps described in the dialog and then reboot. If the guest OS is not Windows, simply reboot.
The EFI Disk entry then changes from
local-lvm:vm-3039-disk-0,efitype=4m,pre-enrolled-keys=1,size=4M
to
local-lvm:vm-3039-disk-0,efitype=4m,ms-cert=2023k,pre-enrolled-keys=1,size=4M
.
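As an added example (not part of the original post and not Proxmox's own tooling), the following POSIX shell script audits every VM on a node for the ms-cert=2023k option, so you can see which EFI disks still lack the 2023 certificates before the June 2026 expiry rather than waiting for the warning on each start. It assumes the qm subcommands used above (qm list, qm config, qm status, qm enroll-efi-keys) and the efidisk0 option syntax shown on this page; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post or from Proxmox: audit which VMs'
# EFI disks still lack the ms-cert=2023k option and optionally enroll them.
# Assumes the Proxmox `qm` CLI (qm list / qm config / qm status / qm enroll-efi-keys)
# and the efidisk0 option string format shown on the page.

# efidisk_needs_enroll OPTS
#   OPTS is the value of the efidisk0 config key (comma-separated options).
#   Returns 0 (true) when ms-cert=2023k is absent, 1 when already enrolled.
efidisk_needs_enroll() {
    case ",$1," in
        *,ms-cert=2023k,*) return 1 ;;   # 2023 certificates already enrolled
        *) return 0 ;;
    esac
}

# efidisk_opts CONFIG_TEXT
#   Prints the efidisk0 value from `qm config` output; prints nothing when the
#   VM has no EFI disk (e.g. a SeaBIOS VM).
efidisk_opts() {
    printf '%s\n' "$1" | sed -n 's/^efidisk0: //p'
}

# audit_vm VMID [enroll]
#   Reports the enrollment state of one VM. With the second argument "enroll",
#   runs qm enroll-efi-keys, but only while the VM is stopped, as the warning
#   text requires.
audit_vm() {
    vmid=$1
    cfg=$(qm config "$vmid") || return 1
    opts=$(efidisk_opts "$cfg")
    if [ -z "$opts" ]; then
        echo "VM $vmid: no EFI disk, nothing to do"
        return 0
    fi
    if efidisk_needs_enroll "$opts"; then
        echo "VM $vmid: 2023 certificates NOT enrolled ($opts)"
        if [ "$2" = enroll ]; then
            if qm status "$vmid" | grep -q 'status: stopped'; then
                qm enroll-efi-keys "$vmid"
            else
                echo "VM $vmid: running; shut it down first (Windows with BitLocker: disable protectors beforehand)"
            fi
        fi
    else
        echo "VM $vmid: ok (ms-cert=2023k present)"
    fi
}

# audit_all [enroll]
#   Iterates over every VMID listed by `qm list` (first column, header skipped).
audit_all() {
    qm list | awk 'NR>1 {print $1}' | while read -r vmid; do
        audit_vm "$vmid" "$1"
    done
}
```

Run audit_all to report only, or audit_all enroll to enroll for every stopped VM that still lacks the option. Running VMs are deliberately skipped, since qm enroll-efi-keys must be run while the VM is shut down, and a Windows guest with BitLocker needs its protectors disabled first, exactly as the warning on this page says.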