EFISECDB(1)                 General Commands Manual                EFISECDB(1)

NAME

       efisecdb - utility for managing UEFI signature lists

SYNOPSIS

       efisecdb [-s SORT] [-i file [-i file] ...]
                [-g guid ⟨-a | -r⟩ ⟨[-t hash-type] -h hash | -c file⟩
                [-g guid ⟨-a | -r⟩ ⟨[-t hash-type] -h hash | -c file⟩] ...]
                ⟨-d [-A] | -o file | -L⟩

DESCRIPTION

       efisecdb is a command line utility for management of UEFI signature
       lists in detached files. That is, it's for command line generation and
       management of files in the format of KEK, DB, and DBX.

       Operation occurs in three phases:
       1.   Loading of security databases specified with --input
       2.   Left-to-right processing of other options, using --hash-type,
            --owner-guid, --add, and --remove as state to build selectors to
            add or remove hashes and certificates specified by --hash and
            --certificate.
       3.   Generation of output
       The accumulated state is persistent; once an Owner GUID, Add or Delete
       operation, or hash type has been specified, it need only be given again
       to change the operations that follow.  Operations are added to the list
       to process when -h hash or -c cert are specified, and are processed in
       the order they appear.  Additionally, at least one -g argument and
       either --add or --remove must appear before the first use of -h hash or
       -c cert.

OPTIONS

       ⟨-s | --sort⟩ ⟨all | data | none | type⟩
         Sort by data after sorting and grouping entry types, entry data, no
         sorting, or by entry type

       ⟨-s | --sort⟩ ⟨ascending | descending⟩
         Sort in ascending or descending order

       -i file | --infile file
         Read EFI Security Database from file

       -g guid | --owner-guid guid
         Use the specified GUID or symbolic reference (e.g. {empty}) for
         forthcoming addition and removal operations

       -a | --add | -r | --remove
         Select add or remove for forthcoming operations

       -t hash-type | --hash-type hash-type
         Select hash-type for forthcoming addition and removal operations
         (default sha256)

         Use hash-type help to list supported hash types.

       -h hash | --hash hash
         Add or remove the specified hash

       -c file | --certificate file
         Add or remove the specified certificate

       -d | --dump
         Produce a hex dump of the output

       -A | --annotate
         Annotate the hex dump produced by --dump

       -o file | --outfile file
         Write EFI Security Database to file

       -L | --list-guids
         List the well-known GUIDs

         The output is tab delimited: GUID short_name description


EXAMPLES

   Dumping the current system's DBX database with annotations
       host:~$ efisecdb -d -A -i /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f
       00000000  26 16 c4 c1 4c 50 92 40  ac a9 41 f9 36 93 43 28  |&...LP.@..A.6.C(|  esl[0].signature_type = {sha256}
       00000010  60 00 00 00                                       |....|              esl[0].signature_list_size = 96
       00000014              00 00 00 00                               |....|          esl[0].signature_header_size = 0
       00000018                           30 00 00 00                      |0...|      esl[0].signature_size = 48
       0000001c                                                                        esl[0].signature_header (end:0x0000001c)
       0000001c                                       bd 9a fa 77              |...w|  esl[0].signature[0].owner = {microsoft}
       00000020  59 03 32 4d bd 60 28 f4  e7 8f 78 4b              |Y.2M.`(...xK|
       0000002c                                       fe cf b2 32              |...2|  esl[0].signature[0].data (end:0x0000004c)
       00000030  d1 2e 99 4b 6d 48 5d 2c  71 67 72 8a a5 52 59 84  |...KmH],qgr..RY.|
       00000040  ad 5c a6 1e 75 16 22 1f  07 9a 14 36              |...u."....6|
       0000004c                                       bd 9a fa 77              |...w|  esl[0].signature[1].owner = {microsoft}
       00000050  59 03 32 4d bd 60 28 f4  e7 8f 78 4b              |Y.2M.`(...xK|
       0000005c                                       fe 63 a8 4f              |.c.O|  esl[0].signature[1].data (end:0x0000007c)
       00000060  78 2c c9 d3 fc f2 cc f9  fc 11 fb d0 37 60 87 87  |x,..........7`..|
       00000070  58 d2 62 85 ed 12 66 9b  dc 6e 6d 01              |X.b...f..nm.|
       0000007c
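       The annotated dump above shows the EFI_SIGNATURE_LIST layout that
       efisecdb reads and writes: a 28-byte header (signature_type,
       signature_list_size, signature_header_size, signature_size) followed by
       fixed-size entries of owner GUID plus data. The Python below is an added
       example, not efisecdb's code or part of this manual page; it serializes
       a SHA-256 list in that layout, parses it back with bounds checks so a
       truncated or hand-edited variable is rejected rather than misread, and
       answers the question a DBX consumer asks, whether a given digest is
       revoked. The {sha256} and {microsoft} GUID values are the ones shown in
       the dump; the digests are constructed placeholders.

```python
import struct
import uuid

# Well-known GUIDs; their byte encodings match the annotated dump above
# ({sha256} as signature_type, {microsoft} as signature owner).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
MICROSOFT_OWNER_GUID = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")

# EFI_SIGNATURE_LIST header: SignatureType (GUID), SignatureListSize,
# SignatureHeaderSize, SignatureSize; all little-endian, 28 bytes total.
ESL_HEADER = struct.Struct("<16sIII")
SHA256_SIG_SIZE = 16 + 32  # owner GUID + digest, i.e. the 48 seen in the dump


def build_sha256_esl(owner, digests):
    """Serialize one EFI_SIGNATURE_LIST holding SHA-256 digests (DBX style)."""
    if any(len(d) != 32 for d in digests):
        raise ValueError("SHA-256 digests must be exactly 32 bytes")
    body = b"".join(owner.bytes_le + d for d in digests)
    header = ESL_HEADER.pack(EFI_CERT_SHA256_GUID.bytes_le,
                             ESL_HEADER.size + len(body), 0, SHA256_SIG_SIZE)
    return header + body


def parse_esls(blob):
    """Yield (signature_type, owner, data) for each entry in concatenated ESLs.

    Every size field is checked against the buffer before it is used, so a
    truncated or hand-edited variable raises instead of being misread."""
    off = 0
    while off < len(blob):
        if off + ESL_HEADER.size > len(blob):
            raise ValueError("truncated EFI_SIGNATURE_LIST header at %#x" % off)
        sig_type, list_size, hdr_size, sig_size = ESL_HEADER.unpack_from(blob, off)
        first = off + ESL_HEADER.size + hdr_size   # first signature entry
        end = off + list_size                      # end of this list
        if end > len(blob) or first > end or sig_size <= 16 or (end - first) % sig_size:
            raise ValueError("malformed EFI_SIGNATURE_LIST at %#x" % off)
        for pos in range(first, end, sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield uuid.UUID(bytes_le=sig_type), owner, blob[pos + 16:pos + sig_size]
        off = end


def is_revoked(dbx_blob, digest):
    """True if digest appears as a SHA-256 entry in a DBX-format blob."""
    return any(t == EFI_CERT_SHA256_GUID and data == digest
               for t, _, data in parse_esls(dbx_blob))


# Constructed sample: two placeholder digests owned by {microsoft}.
SAMPLE_DBX = build_sha256_esl(MICROSOFT_OWNER_GUID, [b"\x11" * 32, b"\x22" * 32])
```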

   Building a new EFI Security Database for use as KEK, replacing one
   certificate.
       # Figure out the original cert... the easy way
       host:~$ strings KEK-* | grep microsoft.*crt
       Dhttp://www.microsoft.com/pki/certs/MicCorThiParMarRoo_2010-10-05.crt0

       # Find it, because --export isn't implemented yet
       host:~$ wget \
               --user-agent='Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko' \
               http://www.microsoft.com/pki/certs/MicCorThiParMarRoo_2010-10-05.crt
       --2020-06-04 20:41:27--  http://www.microsoft.com/pki/certs/MicCorThiParMarRoo_2010-10-05.crt
       Resolving www.microsoft.com (www.microsoft.com)... 2600:141b:800:287::356e, 2600:141b:800:2a0::356e, 23.43.254.254
       Connecting to www.microsoft.com (www.microsoft.com)|2600:141b:800:287::356e|:80... connected.
       HTTP request sent, awaiting response... 200 OK
       Length: 1539 (1.5K) [application/octet-stream]
       Saving to: ‘MicCorThiParMarRoo_2010-10-05.crt’

       MicCorThiParMarRoo_ 100%[===================>]   1.50K  --.-KB/s    in 0s

       2020-06-04 20:41:27 (177 MB/s) - ‘MicCorThiParMarRoo_2010-10-05.crt’ saved [1539/1539]

       # Pick a GUID-like object, any GUID-like object...
       host:~$ uuidgen
       aab3960c-501e-485e-ac59-62805970a3dd

       # Remove the old KEK entry and add a different one
       host:~$ efisecdb -i KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c \
               -g {microsoft} -r -c MicCorThiParMarRoo_2010-10-05.crt \
               -g aab3960c-501e-485e-ac59-62805970a3dd -a -c pjkek.cer \
               -o newkek.bin

   Searching the list of well-known GUIDs
       host:~$ efisecdb -L | grep shim
       {605dab50-e046-4300-abb6-3dd810dd8b23}  {shim}    shim

STANDARDS

       UEFI Specification Working Group, Unified Extensible Firmware Interface
       (UEFI) Specification Version 2.8, Unified Extensible Firmware Interface
       Forum, https://uefi.org/specifications, March 2019.

SEE ALSO

       authvar(1), efikeygen(1), pesign(1)

AUTHORS

       Peter Jones

BUGS

       efisecdb is currently lacking several useful features:
       •   positional exporting of certificates
       •   --dump and --annotate do not adjust the output width for the
           terminal
       •   certificates can't be specified for removal by their ToBeSigned
           hash



                                January 7, 2021                    EFISECDB(1)