VIRT-FW-VARS(1)                  User Commands                 VIRT-FW-VARS(1)

NAME

       virt-fw-vars - manual page for virt-fw-vars 23.11

DESCRIPTION

       The virt-fw-vars utility can print and modify UEFI variable stores.
       Supported formats are standard edk2 (as used by ovmf and armvirt) and
       aws.

       usage: virt-fw-vars [-h] [-l LEVEL] [-i FILE] [--extract-certs] [-d VAR]
              [--set-true VAR] [--set-false VAR] [--set-json FILE]
              [--set-boot-uri LINK] [--append-boot-filepath FILE]
              [--set-shim-debug] [--set-shim-verbose] [--set-fallback-verbose]
              [--set-fallback-no-reboot] [--set-sbat-level FILE]
              [--set-pk GUID FILE] [--add-kek GUID FILE] [--add-db GUID FILE]
              [--set-dbx FILE] [--add-mok GUID FILE] [--add-db-hash GUID HASH]
              [--add-mok-hash GUID HASH] [--enroll-redhat] [--enroll-cert CERT]
              [--enroll-generate CN] [--no-microsoft] [--distro-keys DISTRO]
              [--sb] [-p] [-v] [-x] [-o FILE] [--output-aws FILE]
              [--output-json FILE]

   options:
       -h, --help
              show this help message and exit

       -l LEVEL, --loglevel LEVEL
              set loglevel to LEVEL

       -i FILE, --input FILE
              read edk2 or aws vars from FILE

       --extract-certs
              extract all certificates

   Variable options:
       -d VAR, --delete VAR
              delete variable VAR, can be specified multiple times

       --set-true VAR
              set variable VAR to true, can be specified multiple times

       --set-false VAR
              set variable VAR to false, can be specified multiple times

       --set-json FILE
              set variables from json dump FILE

   Boot configuration:
       --set-boot-uri LINK
              set network boot uri to LINK (once, using BootNext)

       --append-boot-filepath FILE
              append boot entry for FILE (permanent, using BootOrder)

   shim.efi configuration:
       --set-shim-debug
              enable shim.efi debugging (pause for debugger attach)

       --set-shim-verbose
              enable shim.efi verbose messages

       --set-fallback-verbose
              enable fallback.efi verbose messages

       --set-fallback-no-reboot
              disable rebooting for fallback.efi

       --set-sbat-level FILE
              set SbatLevel variable

   Secure boot setup options:
       --set-pk GUID FILE
              set PK to x509 cert, loaded in pem format from FILE and with
              owner GUID

       --add-kek GUID FILE
              add x509 cert to KEK, loaded in pem format from FILE and with
              owner GUID, can be specified multiple times

       --add-db GUID FILE
              add x509 cert to db, loaded in pem format from FILE and with
              owner GUID, can be specified multiple times

       --set-dbx FILE
              initialize dbx with update from FILE

       --add-mok GUID FILE
              add x509 cert to MokList, loaded in pem format from FILE and
              with owner GUID, can be specified multiple times

       --add-db-hash GUID HASH
              add sha256 HASH to db, with owner GUID, can be specified
              multiple times

       --add-mok-hash GUID HASH
              add sha256 HASH to MokList, with owner GUID, can be specified
              multiple times

   Secure boot convenience shortcuts:
       --enroll-redhat
              enroll default certificates for redhat platform

       --enroll-cert CERT
              enroll using specified certificate

       --enroll-generate CN
              enroll using generated cert with given common name

       --no-microsoft
              do not add microsoft keys

       --distro-keys DISTRO
              add ca keys for DISTRO

       --sb, --secure-boot
              enable secure boot mode

   Print options:
       -p, --print
              print varstore

       -v, --verbose
              print varstore verbosely

       -x, --hexdump
              print variable hexdumps

   Output options:
       -o FILE, --output FILE
              write edk2 or aws vars to FILE, using the same format the
              --input FILE has.

       --output-aws FILE
              write aws vars to FILE

       --output-json FILE
              write json dump to FILE

EXAMPLES

       Print variable store.
              virt-fw-vars --input ${guest}_VARS.fd \
                           --print --verbose

       Enroll default (microsoft) secure boot certificates
              virt-fw-vars --input OVMF_VARS.fd \
                           --output OVMF_VARS.secboot.fd \
                           --enroll-redhat \
                           --secure-boot
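       The Secure boot setup options above, combined into one enrollment step
       with input checks. This is an added example, not part of the original
       manual page or the virt-firmware project; the file names, the owner
       GUID value and the DRY_RUN switch are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the man page: enroll your own PK/KEK/db certificates
# into a copy of a VARS template, using only options documented above.
# Assumed (hypothetical) names: file paths, the GUID value, the DRY_RUN switch.

# Owner GUID must be in canonical 8-4-4-4-12 hex form.
valid_guid() {
    printf '%s\n' "$1" |
        grep -Eq '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$'
}

# --set-pk, --add-kek and --add-db load x509 certs in PEM format.
is_pem_cert() {
    [ -r "$1" ] && grep -q -e '-----BEGIN CERTIFICATE-----' "$1"
}

# usage: enroll_custom_keys IN_VARS OUT_VARS GUID PK.pem KEK.pem DB.pem
# With DRY_RUN=1 the command line is printed instead of executed.
enroll_custom_keys() {
    if [ "$#" -ne 6 ]; then
        echo "usage: enroll_custom_keys IN OUT GUID PK KEK DB" >&2
        return 2
    fi
    local src="$1" dst="$2" guid="$3" pk="$4" kek="$5" db="$6" f
    # Keep the pristine template: never write the result over the input.
    if [ "$src" = "$dst" ]; then
        echo "refusing to overwrite input $src" >&2
        return 1
    fi
    if ! valid_guid "$guid"; then
        echo "bad owner GUID: $guid" >&2
        return 1
    fi
    for f in "$pk" "$kek" "$db"; do
        if ! is_pem_cert "$f"; then
            echo "not a PEM certificate: $f" >&2
            return 1
        fi
    done
    set -- virt-fw-vars --input "$src" --output "$dst" \
        --set-pk "$guid" "$pk" --add-kek "$guid" "$kek" \
        --add-db "$guid" "$db" --secure-boot
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        # Write the new store, then print it so the enrolled keys can be reviewed.
        "$@" && virt-fw-vars --input "$dst" --print
    fi
}
```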

AUTHOR

       Gerd Hoffmann <kraxel@redhat.com>

virt-fw-vars 23.11               November 2023                 VIRT-FW-VARS(1)