1SIGN-EFI-SIG-LIST(1) User Commands SIGN-EFI-SIG-LIST(1)
2
3
4
6 sign-efi-sig-list - signing tool for secure variables as EFI Signature
7 Lists
8
10 sign-efi-sig-list [-r] [-m] [-a] [-g <guid>] [-o] [-t <timestamp>] [-i
11 <infile>] [-c <crt file>] [-k <key file>] [-e <engine>] <var> <efi sig
12 list file> <output file>
13
15 Produce an output file with an authentication header for direct update
16 to a secure variable. This output may be signed by the usual keys di‐
17 rectly or may be split for external signing using the -o and -i op‐
18 tions.
19
21 -r the certificate is rsa2048 rather than x509 [UNIMPLEMENTED]
22
23 -m Use a monotonic count instead of a timestamp [UNIMPLEMENTED]
24
25 -a Prepare the variable for APPEND_WRITE rather than replacement
26
27 -o Do not sign, but output a file of the exact bundle to be signed
28
29 -t <timestamp>
30 Use <timestamp> as the timestamp of the timed variable update If
31 not present, then the timestamp will be taken from system time.
32 Note you must use this option when doing detached signing other‐
33 wise the signature will be incorrect because of timestamp mis‐
34 matches.
35
36 -i <infile>
37 take a detached signature (in PEM format) of the bundle produced
38 by -o and complete the creation of the update
39
40 -g <guid>
41 Use <guid> as the signature owner GUID
42
43 -c <crt>
44 <crt> is the file containing the signing certificate in PEM for‐
45 mat
46
47 -k <key>
48 <key> is the file containing the key for <crt> in PEM format
49
50 -e <engine>
51 Use openssl engine <engine> for the private key
52
54 To sign a simple append update to db which has been prepared as an EFI
55 Signature List in DB.esl and output the result with the authentication
56 header in DB.auth
57
58 sign-efi-sig-list -a -c KEK.crt -k KEK.key db DB.esl DB.auth
59
60 To do a detached signature in the same way
61
62 sign-efi-sig-list -a -t 'Jul 21 09:39:37 BST 2012' -o db DB.esl DB.for‐
63 sig
64
65 Now sign the DB.forsig file in the standard openssl way. Note that the
66 standards require sha256 as the signature algorithm
67
68 openssl smime -sign -binary -in DB.forsig -out DB.signed -signer
69 KEK.crt -inkey KEK.key -outform DER -md sha256
70
71 Which produces a detached PKCS7 signature in DB.signed. Now feed this
72 back into the program remembering to keep the same timestamp (and the
73 -a flag):
74
75 sign-efi-sig-list -a -i DB.signed -t 'Jul 21 09:39:37 BST 2012' db
76 DB.auth
77
78 To delete a key, simply sign an empty EFI signature list file, so to
79 produce an variable update that will delete the PK:
80
81 > null.esl
82
83 And then sign it in the standard way (must not be an append write up‐
84 date):
85
86 sign-efi-sig-list -c PK.crt -k PK.key PK null.esl PK.auth
87
88 Once you have the .auth file conveyed to the UEFI platform, you can use
89 the UpdateVars.efi program to apply it
90
91 UpdateVars [-a] db DB.auth
92
93 Where the -a flag must be present if the DB.auth file was created as an
94 append write update and absent if its replacing the variable.
95
97 cert-to-efi-sig-list(1) for details on how to produce EFI signature
98 lists.
99
100
101
102sign-efi-sig-list 1.9.2 July 2022 SIGN-EFI-SIG-LIST(1)