VIRT-FW-VARS(1)                  User Commands                 VIRT-FW-VARS(1)

virt-fw-vars - manual page for virt-fw-vars 1.7

The virt-fw-vars utility can print and modify UEFI variable stores.
Supported formats are standard edk2 (as used by ovmf and armvirt) and
aws.

usage: virt-fw-vars [-h] [-l LEVEL] [-i FILE] [--extract-certs] [-d VAR]
       [--set-true VAR] [--set-false VAR] [--set-json FILE]
       [--set-boot-uri LINK] [--append-boot-filepath FILE]
       [--set-shim-debug] [--set-shim-verbose] [--set-fallback-verbose]
       [--set-fallback-no-reboot] [--set-pk GUID FILE] [--add-kek GUID FILE]
       [--add-db GUID FILE] [--set-dbx FILE] [--add-mok GUID FILE]
       [--add-db-hash GUID HASH] [--add-mok-hash GUID HASH]
       [--enroll-redhat] [--enroll-cert CERT] [--enroll-generate CN]
       [--no-microsoft] [--distro-keys DISTRO] [--sb] [-p] [-v] [-x]
       [-o FILE] [--output-aws FILE] [--output-json FILE]

options:
    -h, --help
        show this help message and exit

    -l LEVEL, --loglevel LEVEL
        set loglevel to LEVEL

    -i FILE, --input FILE
        read edk2 or aws vars from FILE

    --extract-certs
        extract all certificates

Variable options:
    -d VAR, --delete VAR
        delete variable VAR, can be specified multiple times

    --set-true VAR
        set variable VAR to true, can be specified multiple times

    --set-false VAR
        set variable VAR to false, can be specified multiple times

    --set-json FILE
        set variables from json dump FILE

Boot configuration:
    --set-boot-uri LINK
        set network boot uri to LINK (once, using BootNext)

    --append-boot-filepath FILE
        append boot entry for FILE (permanent, using BootOrder)

shim.efi configuration:
    --set-shim-debug
        enable shim.efi debugging (pause for debugger attach)

    --set-shim-verbose
        enable shim.efi verbose messages

    --set-fallback-verbose
        enable fallback.efi verbose messages

    --set-fallback-no-reboot
        disable rebooting for fallback.efi

Secure boot setup options:
    --set-pk GUID FILE
        set PK to x509 cert, loaded in pem format from FILE and with
        owner GUID

    --add-kek GUID FILE
        add x509 cert to KEK, loaded in pem format from FILE and with
        owner GUID, can be specified multiple times

    --add-db GUID FILE
        add x509 cert to db, loaded in pem format from FILE and with
        owner GUID, can be specified multiple times

    --set-dbx FILE
        initialize dbx with update from FILE

    --add-mok GUID FILE
        add x509 cert to MokList, loaded in pem format from FILE and
        with owner GUID, can be specified multiple times

    --add-db-hash GUID HASH
        add sha256 HASH to db, with owner GUID, can be specified
        multiple times

    --add-mok-hash GUID HASH
        add sha256 HASH to MokList, with owner GUID, can be specified
        multiple times

Secure boot convenience shortcuts:
    --enroll-redhat
        enroll default certificates for redhat platform

    --enroll-cert CERT
        enroll using specified certificate

    --enroll-generate CN
        enroll using generated cert with given common name

    --no-microsoft
        do not add microsoft keys

    --distro-keys DISTRO
        add ca keys for DISTRO

    --sb, --secure-boot
        enable secure boot mode

Print options:
    -p, --print
        print varstore

    -v, --verbose
        print varstore verbosely

    -x, --hexdump
        print variable hexdumps

Output options:
    -o FILE, --output FILE
        write edk2 or aws vars to FILE, using the same format the
        --input FILE has.

    --output-aws FILE
        write aws vars to FILE

    --output-json FILE
        write json dump to FILE

Print variable store.
    virt-fw-vars --input ${guest}_VARS.fd \
                 --print --verbose

Enroll default (microsoft) secure boot certificates
    virt-fw-vars --input OVMF_VARS.fd \
                 --output OVMF_VARS.secboot.fd \
                 --enroll-redhat \
                 --secure-boot

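A guarded custom-key enrollment built from the --set-pk, --add-kek, --add-db and --secure-boot options listed above. This is an added example, not part of the original manual page or of the virt-firmware project; the function names and the file names in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight checks before enrolling custom Secure Boot keys.
# Function names and the file names in the usage comment are hypothetical.

# Owner GUID must be in canonical 8-4-4-4-12 hex form.
is_guid() {
    printf '%s\n' "$1" | grep -Eq \
        '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$'
}

# The man page says certificates are loaded in pem format, so reject
# missing files and DER-encoded files before touching the varstore.
is_pem_cert() {
    [ -r "$1" ] && grep -q -e '-----BEGIN CERTIFICATE-----' "$1"
}

# enroll_custom_keys SRC DST GUID PK KEK DB
# Writes a new varstore to DST; the template SRC is left untouched.
enroll_custom_keys() {
    src=$1 dst=$2 guid=$3 pk=$4 kek=$5 db=$6
    is_guid "$guid" || { echo "bad owner GUID: $guid" >&2; return 2; }
    for cert in "$pk" "$kek" "$db"; do
        is_pem_cert "$cert" || { echo "not a PEM cert: $cert" >&2; return 2; }
    done
    # String comparison only: catches the obvious in-place overwrite.
    [ "$src" != "$dst" ] || { echo "refusing to overwrite $src" >&2; return 2; }
    virt-fw-vars --input "$src" --output "$dst" \
        --set-pk "$guid" "$pk" \
        --add-kek "$guid" "$kek" \
        --add-db "$guid" "$db" \
        --secure-boot || return 1
    # Read the result back so the enrolled variables can be reviewed.
    virt-fw-vars --input "$dst" --print --verbose
}

# Usage (constructed values):
#   enroll_custom_keys OVMF_VARS.fd guest_VARS.fd \
#       "$(uuidgen)" PK.pem KEK.pem db.pem
```
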
Gerd Hoffmann <kraxel@redhat.com>

virt-fw-vars 1.7                  January 2023                 VIRT-FW-VARS(1)