EFISECDB(1) General Commands Manual EFISECDB(1)

NAME
efisecdb - utility for managing UEFI signature lists

SYNOPSIS
efisecdb [-s SORT] [-i file [-i file] ...]
[-g guid ⟨-a | -r⟩ ⟨[-t hash-type] -h hash | -c file⟩
[-g guid ⟨-a | -r⟩ ⟨[-t hash-type] -h hash | -c file⟩] ...]
⟨-d [-A] | -o file | -L⟩

DESCRIPTION
efisecdb is a command-line utility for managing UEFI signature lists
stored in detached files; that is, it generates and edits files in the
format used by KEK, DB, and DBX.

Operation occurs in three phases:

1. Loading of the security databases specified with --input.
2. Left-to-right processing of the remaining options, using
   --hash-type, --owner-guid, --add, and --remove as state to build
   selectors that add or remove the hashes and certificates specified
   by --hash and --certificate.
3. Generation of output.

The accumulated state is persistent: once an owner GUID, an add or
remove operation, or a hash type has been specified, it only needs to
be given again to change the operations that follow. An operation is
appended to the list to process each time -h hash or -c cert is
specified, and operations are processed in the order they appear.
At least one -g argument and either --add or --remove must appear
before the first use of -h hash or -c cert.
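The left-to-right processing of phase 2, modelled in Python as an added illustration of the semantics described here (not efisecdb's own code): -g, -a/-r and -t only update persistent selector state, and each -h or -c appends one operation built from whatever state is current. The command line it walks is constructed from the KEK example later in this manual.

```python
import shlex

# Model of phase 2 (left-to-right option processing) as this manual
# describes it; an added illustration, not efisecdb's own code.
# -g/-a/-r/-t only update persistent selector state, while every -h or -c
# appends one operation built from the state current at that point.

def build_operations(argv):
    """Return the ordered add/remove operations efisecdb would queue."""
    state = {"owner": None, "action": None, "hash_type": "sha256"}
    ops = []
    args = iter(argv)
    for arg in args:
        if arg in ("-g", "--owner-guid"):
            state["owner"] = next(args)
        elif arg in ("-a", "--add"):
            state["action"] = "add"
        elif arg in ("-r", "--remove"):
            state["action"] = "remove"
        elif arg in ("-t", "--hash-type"):
            state["hash_type"] = next(args)
        elif arg in ("-h", "--hash", "-c", "--certificate"):
            value = next(args)
            # The manual requires -g and -a/-r before the first -h or -c.
            if state["owner"] is None or state["action"] is None:
                raise ValueError("owner GUID and --add/--remove must precede " + arg)
            kind = "hash" if arg in ("-h", "--hash") else "certificate"
            op = {"action": state["action"], "owner": state["owner"],
                  "kind": kind, "value": value}
            if kind == "hash":
                op["hash_type"] = state["hash_type"]
            ops.append(op)
        elif arg in ("-i", "--infile", "-o", "--outfile", "-s", "--sort"):
            next(args)  # phase 1/3 options: consume the value, no selector state
        # -d, -A and -L take no value and do not touch selector state
    return ops

# Constructed command line mirroring the KEK example in this manual.
EXAMPLE_ARGV = shlex.split(
    "-i KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c "
    "-g {microsoft} -r -c MicCorThiParMarRoo_2010-10-05.crt "
    "-g aab3960c-501e-485e-ac59-62805970a3dd -a -c pjkek.cer -o newkek.bin"
)

if __name__ == "__main__":
    for op in build_operations(EXAMPLE_ARGV):
        print(op)
```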

OPTIONS
⟨-s | --sort⟩ ⟨all | data | none | type⟩
Select the sort order: all sorts and groups entries by type and then
sorts by data within each type, data sorts by entry data, none leaves
the entries unsorted, and type sorts by entry type only.

⟨-s | --sort⟩ ⟨ascending | descending⟩
Sort in ascending or descending order.

-i file | --infile file
Read an EFI Security Database from file.

-g guid | --owner-guid guid
Use the specified GUID, or a symbolic reference such as {empty}, as
the owner for forthcoming addition and removal operations.

-a | --add | -r | --remove
Select add or remove for forthcoming operations.

-t hash-type | --hash-type hash-type
Select the hash type for forthcoming addition and removal operations
(default sha256). Specify help as the hash-type to list the supported
hash types.

-h hash | --hash hash
Add or remove the specified hash.

-c file | --certificate file
Add or remove the specified certificate.

-d | --dump
Produce a hex dump of the output.

-A | --annotate
Annotate the hex dump produced by --dump.

-o file | --outfile file
Write the EFI Security Database to file.

-L | --list-guids
List the well-known GUIDs. The output is tab delimited:
GUID short_name description

EXAMPLES
Dumping the current system's DBX database with annotations
host:~$ efisecdb -d -A -i /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f
00000000 26 16 c4 c1 4c 50 92 40 ac a9 41 f9 36 93 43 28 |&...LP.@..A.6.C(| esl[0].signature_type = {sha256}
00000010 60 00 00 00 |....| esl[0].signature_list_size = 96
00000014 00 00 00 00 |....| esl[0].signature_header_size = 0
00000018 30 00 00 00 |0...| esl[0].signature_size = 48
0000001c esl[0].signature_header (end:0x0000001c)
0000001c bd 9a fa 77 |...w| esl[0].signature[0].owner = {microsoft}
00000020 59 03 32 4d bd 60 28 f4 e7 8f 78 4b |Y.2M.`(...xK|
0000002c fe cf b2 32 |...2| esl[0].signature[0].data (end:0x0000004c)
00000030 d1 2e 99 4b 6d 48 5d 2c 71 67 72 8a a5 52 59 84 |...KmH],qgr..RY.|
00000040 ad 5c a6 1e 75 16 22 1f 07 9a 14 36 |...u."....6|
0000004c bd 9a fa 77 |...w| esl[0].signature[1].owner = {microsoft}
00000050 59 03 32 4d bd 60 28 f4 e7 8f 78 4b |Y.2M.`(...xK|
0000005c fe 63 a8 4f |.c.O| esl[0].signature[1].data (end:0x0000007c)
00000060 78 2c c9 d3 fc f2 cc f9 fc 11 fb d0 37 60 87 87 |x,..........7`..|
00000070 58 d2 62 85 ed 12 66 9b dc 6e 6d 01 |X.b...f..nm.|
0000007c
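A parser for the EFI_SIGNATURE_LIST layout that the annotated dump walks through, added here as an example that is not part of efisecdb: it reads the signature_type GUID and the three size fields, validates the sizes before trusting them, splits out the owner GUID and data of each entry, and answers the defender's question of whether a given SHA-256 hash is present in a DBX-style blob. The sample list is constructed inline using the SHA-256 signature-type GUID and the Microsoft owner GUID whose bytes appear in the dump; build_sha256_list and is_revoked are names of this example's own.

```python
import struct
import uuid

# EFI_SIGNATURE_LIST header as the dump shows it: signature_type (GUID),
# signature_list_size, signature_header_size, signature_size (all u32 LE),
# followed by an optional header and fixed-size owner GUID + data entries.
ESL_HEADER = struct.Struct("<16sIII")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
MICROSOFT_OWNER_GUID = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")

def parse_esl(blob):
    """Return (signature_type, owner, data) for every entry in the blob."""
    entries, offset = [], 0
    while offset < len(blob):
        if len(blob) - offset < ESL_HEADER.size:
            raise ValueError("truncated list header at 0x%x" % offset)
        type_raw, list_size, hdr_size, sig_size = ESL_HEADER.unpack_from(blob, offset)
        # Validate the sizes before using them: a malformed list must not
        # make us read past the blob or split entries at the wrong boundary.
        if list_size < ESL_HEADER.size + hdr_size or offset + list_size > len(blob):
            raise ValueError("bad signature_list_size at 0x%x" % offset)
        body = list_size - ESL_HEADER.size - hdr_size
        if sig_size <= 16 or body % sig_size:
            raise ValueError("bad signature_size at 0x%x" % offset)
        sig_type = uuid.UUID(bytes_le=type_raw)
        pos = offset + ESL_HEADER.size + hdr_size
        for _ in range(body // sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((sig_type, owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        offset += list_size
    return entries

def is_revoked(blob, sha256_hex):
    """Defender's check: is this SHA-256 hash listed in a DBX-style blob?"""
    digest = bytes.fromhex(sha256_hex)
    return any(t == EFI_CERT_SHA256_GUID and d == digest for t, _, d in parse_esl(blob))

def build_sha256_list(owner, digests):
    """Constructed helper (not an efisecdb function): pack one SHA-256 list."""
    entries = b"".join(owner.bytes_le + d for d in digests)
    header = ESL_HEADER.pack(EFI_CERT_SHA256_GUID.bytes_le,
                             ESL_HEADER.size + len(entries), 0, 16 + 32)
    return header + entries

# Constructed sample: two hashes under Microsoft's owner GUID, 0x7c bytes in total.
SAMPLE_DBX = build_sha256_list(MICROSOFT_OWNER_GUID, [bytes([0x11]) * 32, bytes([0x22]) * 32])
```

The same parse_esl call works on the raw contents of a dbx variable read from efivarfs, provided the leading 4-byte attribute field that efivarfs prepends is stripped first.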

Building a new EFI Security Database for use as KEK, replacing one
certificate.
# Figure out the original cert... the easy way
host:~$ strings KEK-* | grep microsoft.*crt
Dhttp://www.microsoft.com/pki/certs/MicCorThiParMarRoo_2010-10-05.crt0

# Find it, because --export isn't implemented yet
host:~$ wget \
--user-agent='Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko' \
http://www.microsoft.com/pki/certs/MicCorThiParMarRoo_2010-10-05.crt
--2020-06-04 20:41:27-- http://www.microsoft.com/pki/certs/MicCorThiParMarRoo_2010-10-05.crt
Resolving www.microsoft.com (www.microsoft.com)... 2600:141b:800:287::356e, 2600:141b:800:2a0::356e, 23.43.254.254
Connecting to www.microsoft.com (www.microsoft.com)|2600:141b:800:287::356e|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1539 (1.5K) [application/octet-stream]
Saving to: ‘MicCorThiParMarRoo_2010-10-05.crt’

MicCorThiParMarRoo_ 100%[===================>] 1.50K --.-KB/s in 0s

2020-06-04 20:41:27 (177 MB/s) - ‘MicCorThiParMarRoo_2010-10-05.crt’ saved [1539/1539]

# Pick a GUID-like object, any GUID-like object...
host:~$ uuidgen
aab3960c-501e-485e-ac59-62805970a3dd

# Remove the old KEK entry and add a different one
host:~$ efisecdb -i KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c \
-g {microsoft} -r -c MicCorThiParMarRoo_2010-10-05.crt \
-g aab3960c-501e-485e-ac59-62805970a3dd -a -c pjkek.cer \
-o newkek.bin

Searching the list of well-known GUIDs
host:~$ efisecdb -L | grep shim
{605dab50-e046-4300-abb6-3dd810dd8b23} {shim} shim

STANDARDS
UEFI Specification Working Group, Unified Extensible Firmware Interface
(UEFI) Specification Version 2.8, Unified Extensible Firmware Interface
Forum, https://uefi.org/specifications, March 2019.

SEE ALSO
authvar(1), efikeygen(1), pesign(1)

AUTHOR
Peter Jones

BUGS
efisecdb is currently lacking several useful features:
• positional exporting of certificates
• --dump and --annotate do not adjust the output width for the terminal
• certificates can't be specified for removal by their ToBeSigned hash

January 7, 2021 EFISECDB(1)