.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.49.3.
.TH EFI-UPDATEVAR "1" "March 2024" "efi-updatevar 1.9.2" "User Commands"
.SH NAME
efi-updatevar - tool for updating secure variables
.SH SYNOPSIS
.B efi-updatevar:
[\fI\,-a\/\fR] [\fI\,-e\/\fR] [\fI\,-d \/\fR[\fI\,-\/\fR]] [\fI\,-k \/\fR] [\fI\,-g \/\fR] [\fI\,-b |-f |-c file\/\fR] \fI\,\/\fR
.SH DESCRIPTION
Takes a variety of input files and adds them to one of the UEFI secure
boot signature or key databases. Note that the efivarfs filesystem
must be mounted somewhere on the box and efi-updatevar must have the
ability to write to the files (this usually means it must run as root).
.PP
Manipulate the UEFI key database via the efivarfs filesystem.
.SH OPTIONS
.TP
\fB\-a\fR
append a value to the variable instead of replacing it
.TP
\fB\-e\fR
use EFI Signature List instead of signed update (only works in Setup Mode)
.TP
\fB\-b\fR
Add hash of to the signature list
.TP
\fB\-f\fR
Add or Replace the key file (.esl or .auth) to the
.TP
\fB\-c\fR
Add or Replace the x509 certificate to the (with if provided)
.TP
\fB\-g\fR
Optional for the X509 Certificate
.TP
\fB\-k\fR
Secret key file for authorising User Mode updates
.TP
\fB\-d\fR [\-]
Delete the signature list (or just a single within the list)
.TP
\fB\-\-engine\fR
Use engine for private key
.SH EXAMPLES
Assuming you own your own platform key and have the PK.auth and
noPK.auth files which go with it, you can programmatically move the
system out of User Mode by doing
.PP
efi-updatevar -f noPK.auth PK
.PP
and put it back again with
.PP
efi-updatevar -f PK.auth PK
.PP
To add the hash of an efi binary bin.efi to db in Setup Mode, do
.PP
efi-updatevar -b bin.efi db
.PP
And to append an EFI signature list append.esl to db in Setup Mode, do
.PP
efi-updatevar -a -e append.esl db
.PP
To add your key (KEK.crt) to the Key Exchange Key in User Mode,
assuming the private part of the platform key is in PK.key, do
.PP
efi-updatevar -a -c KEK.crt -k PK.key KEK
.PP
To add certificate DB.crt to db in User Mode, assuming the private
part of the Key Exchange Key (KEK) is in KEK.key, do
.PP
efi-updatevar -a -c DB.crt -k KEK.key db
.PP
To replace the old platform key (PK) with a new one in newPK.crt in
User Mode, assuming the private part of the old platform key is in
PK.key, do
.PP
efi-updatevar -c newPK.crt -k PK.key PK
.PP
To delete the platform key, tipping the platform from User Mode to
Setup Mode, do
.PP
efi-updatevar -d 0 -k PK.key PK
.PP
And to put the platform key back again (in Setup Mode) do
.PP
efi-updatevar -c PK.crt -k PK.key PK
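.PP
The examples above depend on whether the platform is in Setup Mode or User Mode. The following is an added example, not part of efitools: it reads the SetupMode variable from efivarfs and checks an intended argument list against the rules this page states (\-e only in Setup Mode; a User Mode update authorised by \-k or a pre-signed .auth file). The function names, the EFIVARS_DIR default and treating those rules as a complete pre-flight check are assumptions.

```shell
#!/bin/sh
# Added example, not part of efitools.
# An efivarfs file holds a 4-byte attribute word followed by the variable data.
# SetupMode (EFI global variable GUID) has one data byte: 1 = Setup Mode, 0 = User Mode.
EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032c8c
EFIVARS_DIR=${EFIVARS_DIR:-/sys/firmware/efi/efivars}  # assumed mount point

# Print "setup" or "user"; return 1 if the file is unreadable or malformed.
secure_boot_mode() {
    f=${1:-$EFIVARS_DIR/SetupMode-$EFI_GLOBAL_GUID}
    [ -r "$f" ] || { echo "cannot read $f (is efivarfs mounted?)" >&2; return 1; }
    # Skip the 4 attribute bytes and read the single data byte as a decimal number.
    byte=$(od -An -tu1 -j4 -N1 "$f" 2>/dev/null | tr -d '[:space:]')
    case $byte in
        1) echo setup ;;
        0) echo user ;;
        *) echo "unexpected SetupMode content in $f" >&2; return 1 ;;
    esac
}

# preflight MODE ARGS...: check an intended efi-updatevar argument list.
# Rules taken from this page only (assumed to be sufficient for a pre-check):
#   -e works only in Setup Mode;
#   a User Mode update needs -k <key> or a pre-signed .auth file given to -f.
preflight() {
    mode=$1; shift
    has_e=0 has_k=0 has_auth=0 prev=
    for a in "$@"; do
        case $a in
            -e) has_e=1 ;;
            -k) has_k=1 ;;
        esac
        case $prev:$a in
            -f:*.auth) has_auth=1 ;;
        esac
        prev=$a
    done
    if [ "$mode" = user ]; then
        [ "$has_e" -eq 0 ] || { echo "-e only works in Setup Mode" >&2; return 1; }
        [ $((has_k + has_auth)) -gt 0 ] || {
            echo "User Mode update needs -k or a signed .auth file" >&2; return 1; }
    fi
    return 0
}

# Usage: mode=$(secure_boot_mode) && preflight "$mode" -a -c DB.crt -k KEK.key db
```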