1SIGN-EFI-SIG-LIST(1)             User Commands            SIGN-EFI-SIG-LIST(1)
2
3
4

NAME

6       sign-efi-sig-list  - signing tool for secure variables as EFI Signature
7       Lists
8

SYNOPSIS

10       sign-efi-sig-list [-r] [-m] [-a] [-g <guid>] [-o] [-t <timestamp>]  [-i
11       <infile>]  [-c <crt file>] [-k <key file>] [-e <engine>] <var> <efi sig
12       list file> <output file>
13

DESCRIPTION

15       Produce an output file with an authentication header for direct  update
16       to  a secure variable.  This output may be signed by the usual keys di‐
17       rectly or may be split for external signing using the  -o  and  -i  op‐
18       tions.
19

OPTIONS

21       -r     the certificate is rsa2048 rather than x509 [UNIMPLEMENTED]
22
23       -m     Use a monotonic count instead of a timestamp [UNIMPLEMENTED]
24
25       -a     Prepare the variable for APPEND_WRITE rather than replacement
26
27       -o     Do not sign, but output a file of the exact bundle to be signed
28
29       -t <timestamp>
30              Use <timestamp> as the timestamp of the timed variable update If
31              not present, then the timestamp will be taken from system  time.
32              Note you must use this option when doing detached signing other‐
33              wise the signature will be incorrect because of  timestamp  mis‐
34              matches.
35
36       -i <infile>
37              take a detached signature (in PEM format) of the bundle produced
38              by -o and complete the creation of the update
39
40       -g <guid>
41              Use <guid> as the signature owner GUID
42
43       -c <crt>
44              <crt> is the file containing the signing certificate in PEM for‐
45              mat
46
47       -k <key>
48              <key> is the file containing the key for <crt> in PEM format
49
50       -e <engine>
51              Use openssl engine <engine> for the private key
52

EXAMPLES

54       To  sign a simple append update to db which has been prepared as an EFI
55       Signature List in DB.esl and output the result with the  authentication
56       header in DB.auth
57
58       sign-efi-sig-list -a -c KEK.crt -k KEK.key db DB.esl DB.auth
59
60       To do a detached signature in the same way
61
62       sign-efi-sig-list -a -t 'Jul 21 09:39:37 BST 2012' -o db DB.esl DB.for‐
63       sig
64
65       Now sign the DB.forsig file in the standard openssl way.  Note that the
66       standards require sha256 as the signature algorithm
67
68       openssl  smime  -sign  -binary  -in  DB.forsig  -out  DB.signed -signer
69       KEK.crt -inkey KEK.key -outform DER -md sha256
70
71       Which produces a detached PKCS7 signature in DB.signed.  Now feed  this
72       back  into  the program remembering to keep the same timestamp (and the
73       -a flag):
74
75       sign-efi-sig-list -a -i DB.signed -t 'Jul  21  09:39:37  BST  2012'  db
76       DB.auth
77
78       To  delete  a  key, simply sign an empty EFI signature list file, so to
79       produce an variable update that will delete the PK:
80
81       > null.esl
82
83       And then sign it in the standard way (must not be an append  write  up‐
84       date):
85
86       sign-efi-sig-list -c PK.crt -k PK.key PK null.esl PK.auth
87
88       Once you have the .auth file conveyed to the UEFI platform, you can use
89       the UpdateVars.efi program to apply it
90
91       UpdateVars [-a] db DB.auth
92
93       Where the -a flag must be present if the DB.auth file was created as an
94       append write update and absent if its replacing the variable.
95

SEE ALSO

97       cert-to-efi-sig-list(1)  for  details  on  how to produce EFI signature
98       lists.
99
100
101
102sign-efi-sig-list 1.9.2            July 2021              SIGN-EFI-SIG-LIST(1)
Impressum