{"id":32,"date":"2023-11-24T23:14:36","date_gmt":"2023-11-25T07:14:36","guid":{"rendered":"https:\/\/blogs.wang-home.net\/?p=32"},"modified":"2023-11-24T23:14:37","modified_gmt":"2023-11-25T07:14:37","slug":"proxmox-virtual-environment-8-1-and-secure-boot","status":"publish","type":"post","link":"https:\/\/blog.wang-home.net\/?p=32","title":{"rendered":"Proxmox Virtual Environment 8.1 and Secure Boot"},"content":{"rendered":"<p><a href=\"https:\/\/www.proxmox.com\/en\/about\/press-releases\/proxmox-virtual-environment-8-1\">Proxmox Virtual Environment 8.1<\/a> is out, and it now allows the host system to do proper secure boot. &quot;That's great!&quot; I thought, logged into the management UI of my PVE host, and upgraded a node from 8.0 to 8.1; the VMs and containers all seemed to be working fine as usual.<\/p>\n<p>According to the <a href=\"https:\/\/pve.proxmox.com\/wiki\/Roadmap#Proxmox_VE_8.1\">release notes<\/a>, an existing PVE installation can be easily switched to secure boot. I followed the <a href=\"https:\/\/pve.proxmox.com\/pve-docs\/chapter-sysadmin.html#sysboot_secure_boot\">documentation<\/a>, which states I need the following packages installed to enable secure boot:<\/p>\n<ul>\n<li>shim-signed (shim bootloader signed by Microsoft)<\/li>\n<li>shim-helpers-amd64-signed (fallback bootloader and MOKManager, signed by Proxmox)<\/li>\n<li>grub-efi-amd64-signed (Grub EFI bootloader, signed by Proxmox)<\/li>\n<li>proxmox-kernel-6.X.Y-Z-pve-signed (Kernel image, signed by Proxmox)<\/li>\n<\/ul>\n<p>So I ran <code class=\"\" data-line=\"\">apt install<\/code> to get the first three installed. It seemed some of the packages were already installed, but I didn't pay much attention to see which ones as there were no error messages. As for the <code class=\"\" data-line=\"\">proxmox-kernel-6.X.Y-Z-pve-signed<\/code>, there was already a <code class=\"\" data-line=\"\">proxmox-kernel-6.5.11-4-pve-signed<\/code> installed. 
(My PVE node is not on <code class=\"\" data-line=\"\">systemd-boot<\/code> so that section in the documentation doesn't apply.)<\/p>\n<p>Then I restarted the host machine, entered BIOS setup, and turned on the <code class=\"\" data-line=\"\">Secure Boot<\/code> setting. Guess what, it didn't work. UEFI boot complained about a disallowed signature. Okay... I disabled secure boot to get back into PVE, ran <code class=\"\" data-line=\"\">efibootmgr -v<\/code> and saw this:<\/p>\n<pre><code class=\"language-bash\" data-line=\"\">BootCurrent: 0000\nTimeout: 1 seconds\nBootOrder: 0000,0001\nBoot0000* proxmox    HD(2,GPT,ec7dcdc8-450e-4b1e-be89-f024fb9a25eb,0x800,0x200000)\/File(\\EFI\\proxmox\\grubx64.efi)\nBoot0001  UEFI OS    HD(2,GPT,ec7dcdc8-450e-4b1e-be89-f024fb9a25eb,0x800,0x200000)\/File(\\EFI\\BOOT\\BOOTX64.EFI)..BO<\/code><\/pre>\n<p>That explains why it didn't work - <code class=\"\" data-line=\"\">grubx64.efi<\/code> is still the bootloader. It should be the Microsoft-signed <code class=\"\" data-line=\"\">shimx64.efi<\/code>.<\/p>\n<p>Hmmm... 
I decided that before trying anything complicated, I would just re-install the listed packages.<\/p>\n<pre><code class=\"language-bash\" data-line=\"\">apt remove shim-signed shim-helpers-amd64-signed grub-efi-amd64-signed<\/code><\/pre>\n<p>And then:<\/p>\n<pre><code class=\"language-bash\" data-line=\"\">apt install shim-signed shim-helpers-amd64-signed grub-efi-amd64-signed<\/code><\/pre>\n<p>This time I took notice of the output and saw these:<\/p>\n<pre><code class=\"language-bash\" data-line=\"\">Setting up grub-efi-amd64-signed (1+2.06+13+pmx1) ...\nSetting up shim-helpers-amd64-signed (1+15.7+1+pmx1) ...\nInstalling for x86_64-efi platform.\nSetting up shim-signed:amd64 (1.39+pmx1+15.7-1+pmx1) ...\nInstalling for x86_64-efi platform.<\/code><\/pre>\n<p>That's a good sign, but I need to verify before trying to enable secure boot again:<\/p>\n<pre><code class=\"language-bash\" data-line=\"\">efibootmgr -v<\/code><\/pre>\n<p>The output:<\/p>\n<pre><code class=\"language-bash\" data-line=\"\">BootCurrent: 0000\nTimeout: 1 seconds\nBootOrder: 0000,0001\nBoot0000* proxmox    HD(2,GPT,ec7dcdc8-450e-4b1e-be89-f024fb9a25eb,0x800,0x200000)\/File(\\EFI\\proxmox\\shimx64.efi)\nBoot0001  UEFI OS    HD(2,GPT,ec7dcdc8-450e-4b1e-be89-f024fb9a25eb,0x800,0x200000)\/File(\\EFI\\BOOT\\BOOTX64.EFI)..BO<\/code><\/pre>\n<p>Good, now <code class=\"\" data-line=\"\">shimx64.efi<\/code> is there. Reboot, set <code class=\"\" data-line=\"\">Secure Boot<\/code> to <code class=\"\" data-line=\"\">Enable<\/code>, <code class=\"\" data-line=\"\">OS Type<\/code> to <code class=\"\" data-line=\"\">Others<\/code> (default is <code class=\"\" data-line=\"\">Windows 10<\/code>), <code class=\"\" data-line=\"\">Mode<\/code> to <code class=\"\" data-line=\"\">Standard<\/code>, save and exit. Voila! 
Secure boot is working on this PVE 8.1 node.<\/p>\n<p>In summary, if you try to enable secure boot for your PVE 8.1 host, make sure <code class=\"\" data-line=\"\">shimx64.efi<\/code> is the bootloader. If it is not, try re-installing the three packages above. Good luck!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Proxmox Virtual Environment 8.1 is out, and it now allows the host system to do proper secure boot. &quot;That&#8217;s great!&quot; I thought, logged into the management UI of my PVE host, and upgraded a node from 8.0 to 8.1; the VMs and containers all seemed to be working fine as usual. According to the release notes, an &#8230; <a title=\"Proxmox Virtual Environment 8.1 and Secure Boot\" class=\"read-more\" href=\"https:\/\/blog.wang-home.net\/?p=32\" aria-label=\"Read more about Proxmox Virtual Environment 8.1 and Secure Boot\">Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":38,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[3,4,5],"class_list":["post-32","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-homelab","tag-proxmox","tag-secure-boot","tag-shimx64"],"_links":{"self":[{"href":"https:\/\/blog.wang-home.net\/index.php?rest_route=\/wp\/v2\/posts\/32","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.wang-home.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.wang-home.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.wang-home.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.wang-home.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=32"}],"version-history":[{"count":5,"href":"https:\/\/blog.wang-home.net\/index.php?rest_route=\/wp\/v2\/posts\/32\/revisions"}],"predecessor-version":[{"id":37,"href":"https:\/\/blog.wang-home.net\/inde
x.php?rest_route=\/wp\/v2\/posts\/32\/revisions\/37"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.wang-home.net\/index.php?rest_route=\/wp\/v2\/media\/38"}],"wp:attachment":[{"href":"https:\/\/blog.wang-home.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=32"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.wang-home.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=32"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.wang-home.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=32"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}