{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreifvilgviurjczjf4x6jvy55fp7hd37x33m4dw7ckc22ug6mdwpcni",
"uri": "at://did:plc:46ti67tc37qcmwp2vaynk6fq/app.bsky.feed.post/3mif6yxsfusv2"
},
"coverImage": {
"$type": "blob",
"ref": {
"$link": "bafkreifqaymphlhaou7ymuxlsdcq46k6c4k27dbs2lrqq2rxp5ioaxmdoy"
},
"mimeType": "image/jpeg",
"size": 8554
},
"path": "/cj/?p=2133",
"publishedAt": "2026-03-31T22:10:57.055Z",
"site": "https://wp.c9h.org",
"tags": [
"Tweet"
],
"textContent": "## Discovery\n\nLegacy cloud templates often lack the partitioning and bootloader binaries required for UEFI Secure Boot. Attempting to switch such a VM to OVMF in Proxmox results in “not a bootable disk.” We discovered that a surgical promotion is possible by manipulating the block device and the EFI variable store from the hypervisor.\n\n## The Problem\n\n1. **Protective MBR Flags:** Legacy installers often set the `pmbr_boot` flag on the GPT’s protective MBR. Strict UEFI implementations (OVMF) will ignore the GPT if this flag is present.\n2. **Missing ESP:** Cloud images often lack a FAT32 EFI System Partition (ESP).\n3. **Variable Store:** A fresh Proxmox `efidisk0` is empty and lacks both the trust certificates (PK/KEK/db) and the `BootOrder` entries required for an automated boot.\n\n## The “Promotion” Rule\n\nTo upgrade a SeaBIOS VM to Secure Boot without a full OS reinstall:\n\n1. **Surgical Partitioning:** Map the disk on the host and add a FAT32 partition (type `EF00`). Clear the `pmbr_boot` flag from the protective MBR.\n2. **Binary Preparation:** Boot the VM in SeaBIOS mode to install the `shim` and `grub-efi` packages. Use `grub2-mkconfig` to populate the new ESP.\n3. **Trust Injection:** Use the `virt-fw-vars` utility on the hypervisor to programmatically enroll the Red Hat/Microsoft CA keys and any custom certificates (e.g., the FreeIPA CA) into the VM’s `efidisk`.\n4. **Boot Pinning:** Explicitly set the UEFI `BootOrder` to point to the `shimx64.efi` path via `virt-fw-vars --append-boot-filepath`.\n\n## Solution (Example Command Sequence)\n\nOn the Proxmox host (as `root`):\n\n```bash\n# Map the disk and clear the protective-MBR boot flag\nDEV=$(rbd map pool/disk)\nparted -s \"$DEV\" disk_set pmbr_boot off\n\n# Inject trust anchors and the boot path (VM must be stopped)\nvirt-fw-vars --inplace /dev/rbd/mapped_efidisk \\\n  --enroll-redhat \\\n  --add-db <GUID> /path/to/ipa-ca.crt \\\n  --append-boot-filepath '\\\\EFI\\\\centos\\\\shimx64.efi' \\\n  --sb\n```\n\nThis workflow enables high-integrity Secure Boot environments using existing SeaBIOS infrastructure templates.",
"title": "C.J. Collier: Finding: Promoting SeaBIOS Cloud Images to UEFI Secure Boot (Proxmox)",
"updatedAt": "2026-03-31T21:03:24.000Z"
}