EFI-UPDATEVAR(1) User Commands EFI-UPDATEVAR(1)

efi-updatevar - tool for updating secure variables

efi-updatevar: [-a] [-e] [-d <list>[-<entry>]] [-k <key>] [-g <guid>]
    [-b <file>|-f <file>|-c <file>] <var>

Takes a variety of input files and adds them to one of the UEFI secure
boot signature or key databases.

Note that the efivarfs filesystem must be mounted somewhere on the box
and efi-updatevar must have the ability to write to the files (this
usually means it must run as root).

Manipulate the UEFI key database via the efivarfs filesystem

-a  append a value to the variable instead of replacing it

-e  use EFI Signature List instead of signed update (only works in
    Setup Mode)

-b <binfile>
    Add hash of <binfile> to the signature list

-f <file>
    Add or Replace the key file (.esl or .auth) to the <var>

-c <file>
    Add or Replace the x509 certificate to the <var> (with <guid> if
    provided)

-g <guid>
    Optional <guid> for the X509 Certificate

-k <key>
    Secret key file for authorising User Mode updates

-d <list>[-<entry>]
    Delete the signature list <list> (or just a single <entry>
    within the list)

--engine <eng>
    Use engine <eng> for private key

Assuming you own your own platform key and have the PK.auth and
noPK.auth files which go with it, you can programmatically move the
system out of User Mode by doing

    efi-updatevar -f noPK.auth PK

and put it back again with

    efi-updatevar -f PK.auth PK

To add the hash of an efi binary bin.efi to db in Setup Mode do

    efi-updatevar -b bin.efi db

And to append an EFI signature list append.esl to db in Setup Mode do

    efi-updatevar -a -e append.esl db

To add your key (KEK.crt) to the Key Exchange Key in User Mode, assuming
the private part of the platform key is in PK.key, do

    efi-updatevar -a -c KEK.crt -k PK.key KEK

To add certificate DB.crt to db in User Mode assuming the private part
of the Key Exchange Key (KEK) is in KEK.key do

    efi-updatevar -a -c DB.crt -k KEK.key db

To replace the old platform key (PK) with a new one in newPK.crt in
User Mode assuming the private part of the old platform key is in
PK.key, do

    efi-updatevar -c newPK.crt -k PK.key PK

To delete the platform key, tipping the platform from User Mode to Setup
Mode, do

    efi-updatevar -d 0 -k PK.key PK

And to put the platform key back again (in Setup Mode) do

    efi-updatevar -c PK.crt -k PK.key PK
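
Added example (not part of the efi-tools man page): a preflight check that reads the SetupMode variable from efivarfs to tell which of the invocations above applies, and names the key file the examples pass to -k for a given variable. The function names and the fixture are constructed for illustration; it assumes the efivarfs layout of a 4-byte attribute word followed by the payload.

```shell
#!/bin/sh
# Added example: decide between unsigned (Setup Mode) and signed (User Mode)
# efi-updatevar invocations by reading SetupMode from efivarfs.
EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c   # EFI global variable GUID

# efivarfs names each file <Name>-<GUID>; bytes 0-3 are the attribute mask,
# the payload follows. SetupMode has a 1-byte payload (1 = Setup Mode).
efi_byte() {  # efi_byte <efivars-dir> <name> -> payload byte as decimal
    f="$1/$2-$EFI_GLOBAL"
    [ -r "$f" ] || return 2
    v=$(od -An -tu1 -j4 -N1 "$f" 2>/dev/null | tr -d ' \n')
    [ -n "$v" ] || return 2          # file too short or unreadable
    echo "$v"
}

platform_mode() {  # platform_mode [efivars-dir] -> setup | user | unknown
    dir=${1:-/sys/firmware/efi/efivars}
    m=$(efi_byte "$dir" SetupMode) || { echo unknown; return 2; }
    [ "$m" = 1 ] && echo setup || echo user
}

# Key file the man page's examples pass to -k, for the cases it shows only.
required_signer() {  # required_signer <mode> <var>
    case "$1:$2" in
        setup:db)                 echo none ;;     # -b / -e examples
        setup:PK|user:PK|user:KEK) echo PK.key ;;
        user:db)                  echo KEK.key ;;
        *) echo unknown; return 1 ;;
    esac
}

# Constructed fixture (not a firmware dump): attributes 0x06, payload 0x01.
demo_dir=$(mktemp -d)
printf '\006\000\000\000\001' > "$demo_dir/SetupMode-$EFI_GLOBAL"
mode=$(platform_mode "$demo_dir")
echo "fixture mode: $mode; db update signer: $(required_signer "$mode" db)"
rm -rf "$demo_dir"
```

Calling platform_mode with no argument reads the live variable under /sys/firmware/efi/efivars.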

efi-updatevar 1.9.2 December 2022 EFI-UPDATEVAR(1)