SIG-LIST-TO-CERTS(1)              User Commands              SIG-LIST-TO-CERTS(1)

NAME
       sig-list-to-certs - tool for converting EFI signature lists back to
       openssl certificates

SYNOPSIS
       sig-list-to-certs <efi sig list file> <cert file base name>

DESCRIPTION
       Takes <efi sig list file> and converts it to a set of DER format
       openssl certificates in <cert file base name>.n (where n runs from 0 to
       the number of certificates in the file).

EXAMPLES
       To see what certificates your UEFI system currently has, you can run
       the dmpstore command to print them to a file:

           dmpstore PK > PK.uc16

       This file isn't readily readable on a standard unix system because it's
       in UTF-16 format, so convert it to ordinary text:

           iconv -f utf-16 PK.uc16 > PK.txt

       Now remove the header, which says something like

           Dump Variable pk
           Variable NV+RT+BS 'Efi:PK' DataSize = 2DA

       leaving only the hex dump. This can then be converted to an EFI
       signature list by xxd:

           xxd -r PK.txt > PK.esl

       You can now extract openssl readable certificates from this:

           sig-list-to-certs PK.esl PK

       which will print some information like

           X509 Header sls=730, header=0, sig=686
           file PK.0: Guid 77fa9abd-0359-4d32-4d60-28f4e78f784b
           Written 686 bytes

       And finally, you can see the certificate in text format, assuming
       it's an X509 certificate:

           openssl x509 -text -inform DER -in PK.0
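
       The following is an added example, not part of this manual page or of
       the tool's source: a bounds-checked parser for the EFI_SIGNATURE_LIST
       layout defined in the UEFI specification, splitting a list into its
       entries. The sample input is constructed (made-up owner GUID, placeholder
       bytes instead of a real certificate) and sized to match the 730/0/686
       figures in the sample output above.

```python
import struct
import uuid

# EFI_CERT_X509_GUID as defined in the UEFI specification
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# SignatureType GUID, SignatureListSize, SignatureHeaderSize, SignatureSize
HEADER = struct.Struct("<16sIII")


def parse_esl(data):
    """Return [(type_guid, owner_guid, signature_bytes), ...] for every entry."""
    entries = []
    offset = 0
    while offset < len(data):
        if len(data) - offset < HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        raw_type, sls, hdr, sig = HEADER.unpack_from(data, offset)
        if sls < HEADER.size + hdr or offset + sls > len(data):
            raise ValueError("SignatureListSize is inconsistent with the buffer")
        if sig <= 16:
            raise ValueError("SignatureSize leaves no room for signature data")
        body = sls - HEADER.size - hdr
        if body % sig:
            raise ValueError("list body is not a whole number of entries")
        pos = offset + HEADER.size + hdr
        for _ in range(body // sig):
            # Each entry is a 16-byte owner GUID followed by the signature data
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            entries.append((uuid.UUID(bytes_le=raw_type), owner, data[pos + 16:pos + sig]))
            pos += sig
        offset += sls  # a variable may hold several lists back to back
    return entries


def build_sample_esl():
    """Constructed input: one X509-typed list of 730 bytes with a 686-byte entry."""
    owner = uuid.UUID("11111111-2222-3333-4444-555555555555")  # made-up owner GUID
    fake_der = b"\x30\x82\x02\xaa" + bytes(682)  # DER SEQUENCE header + zeros, not a real cert
    sig_size = 16 + len(fake_der)
    head = HEADER.pack(EFI_CERT_X509_GUID.bytes_le, HEADER.size + sig_size, 0, sig_size)
    return head + owner.bytes_le + fake_der


if __name__ == "__main__":
    for n, (sig_type, owner, blob) in enumerate(parse_esl(build_sample_esl())):
        kind = "X509" if sig_type == EFI_CERT_X509_GUID else str(sig_type)
        print(f"entry {n}: {kind}, owner {owner}, {len(blob)} bytes")
```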

Usage: ./sig-list-to-certs <efi sig list file> <cert file base name>    July 2021    SIG-LIST-TO-CERTS(1)