| [name] |
| sign-efi-sig-list - signing tool for secure variables as EFI Signature Lists |
| |
| [examples] |
| |
| To sign a simple append update to db which has been prepared |
| as an EFI Signature List in DB.esl and output the result |
| with the authentication header in DB.auth |
| |
| sign-efi-sig-list -a -c KEK.crt -k KEK.key db DB.esl DB.auth |
| |
| To do a detached signature in the same way |
| |
| sign-efi-sig-list -a -t 'Jul 21 09:39:37 BST 2012' -o db DB.esl DB.forsig |
| |
| Now sign the DB.forsig file in the standard openssl way. |
| Note that the UEFI specification requires SHA-256 as the digest |
| algorithm, hence the -md sha256 below |
| |
| openssl smime -sign -binary -in DB.forsig -out DB.signed -signer KEK.crt -inkey KEK.key -outform DER -md sha256 |
| |
| Which produces a detached PKCS#7 signature in DB.signed. Now |
| feed this back into the program, remembering to keep the same |
| timestamp (and the -a flag): both the timestamp and the |
| append attribute are part of the signed data, so changing |
| either would invalidate the signature: |
| |
| sign-efi-sig-list -a -i DB.signed -t 'Jul 21 09:39:37 BST 2012' db DB.auth |
| |
| To delete a key, simply sign an empty EFI signature list |
| file, so to produce a variable update that will delete the |
| PK: |
| |
| > null.esl |
| |
| And then sign it in the standard way (this must not be an |
| append write update, since appending nothing leaves the |
| variable unchanged; only a replacement with empty content |
| clears it): |
| |
| sign-efi-sig-list -c PK.crt -k PK.key PK null.esl PK.auth |
| |
| Once you have the .auth file conveyed to the UEFI platform, |
| you can use the UpdateVars.efi program to apply it |
| |
| UpdateVars [-a] db DB.auth |
| |
| Where the -a flag must be present if the DB.auth file was |
| created as an append write update and absent if it is |
| replacing the variable. |
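The following is an added example, not code from sign-efi-sig-list or efitools, showing what the steps above actually produce: the bytes that DB.forsig contains and that the PKCS#7 signature must cover, how DB.signed is wrapped into the EFI_VARIABLE_AUTHENTICATION_2 header of the .auth file, why the timestamp and the -a attribute bit cannot change between -o and -i, and what the empty-ESL delete looks like. Structure layouts and GUIDs are those of the UEFI specification; the PKCS#7 blob and the "certificate" bytes in demo() are constructed placeholders, so the example exercises the framing only and performs no signature verification. Timezone handling of the -t string is not modelled; the EFI_TIME fields are simply taken from the page's example date.

```python
"""Assemble and check EFI_VARIABLE_AUTHENTICATION_2 framing for Secure Boot
variable updates (added example; not efitools code). Layouts per UEFI spec."""
import struct
import uuid

# EFI variable attribute bits
NON_VOLATILE = 0x01
BOOTSERVICE_ACCESS = 0x02
RUNTIME_ACCESS = 0x04
TIME_BASED_AUTHENTICATED_WRITE_ACCESS = 0x20
APPEND_WRITE = 0x40

# Vendor GUIDs of the Secure Boot variables. EFI_GUID is stored with the first
# three fields little-endian, which is exactly what uuid.UUID.bytes_le yields.
EFI_GLOBAL_VARIABLE = uuid.UUID("8be4df61-93ca-11d2-aa0d-00e098032b8c")          # PK, KEK
EFI_IMAGE_SECURITY_DATABASE = uuid.UUID("d719b2cb-3d3a-4596-a3bc-dad00e67656f")  # db, dbx
VENDOR_GUID = {"PK": EFI_GLOBAL_VARIABLE, "KEK": EFI_GLOBAL_VARIABLE,
               "db": EFI_IMAGE_SECURITY_DATABASE, "dbx": EFI_IMAGE_SECURITY_DATABASE}

EFI_CERT_TYPE_PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
NULL_OWNER = uuid.UUID(int=0)          # SignatureOwner used for the constructed ESL
WIN_CERT_REVISION = 0x0200
WIN_CERT_TYPE_EFI_GUID = 0x0EF1

# Year, Month, Day, Hour, Minute, Second, Pad1, Nanosecond, TimeZone, Daylight, Pad2
EFI_TIME_FMT = "<HBBBBBBIhBB"
WIN_CERT_HDR_FMT = "<IHH"               # dwLength, wRevision, wCertificateType


def efi_time(year, month, day, hour, minute, second):
    """EFI_TIME for an authenticated variable: Pad1, Nanosecond, TimeZone,
    Daylight and Pad2 must all be zero."""
    return struct.pack(EFI_TIME_FMT, year, month, day, hour, minute, second, 0, 0, 0, 0, 0)


def variable_attributes(append):
    """Attributes for db/dbx/KEK/PK writes; -a adds EFI_VARIABLE_APPEND_WRITE."""
    attrs = NON_VOLATILE | BOOTSERVICE_ACCESS | RUNTIME_ACCESS | TIME_BASED_AUTHENTICATED_WRITE_ACCESS
    return (attrs | APPEND_WRITE) if append else attrs


def make_esl(signature_type, owner, signature_data):
    """One EFI_SIGNATURE_LIST holding a single entry (SignatureHeaderSize 0)."""
    signature_size = 16 + len(signature_data)           # SignatureOwner GUID + data
    list_size = 28 + signature_size                     # 28-byte list header
    return (signature_type.bytes_le + struct.pack("<III", list_size, 0, signature_size)
            + owner.bytes_le + signature_data)


def to_be_signed(var_name, timestamp, esl, append=False):
    """Bytes the PKCS#7 signature must cover (what -o writes to DB.forsig):
    VariableName (UCS-2, no terminator) || VendorGuid || Attributes || EFI_TIME || content.
    Attributes and EFI_TIME are inside the signed data, so a different -t value
    or a toggled -a at the -i step would invalidate the signature."""
    return (var_name.encode("utf-16-le") + VENDOR_GUID[var_name].bytes_le
            + struct.pack("<I", variable_attributes(append)) + timestamp + esl)


def build_auth(timestamp, pkcs7_der, esl):
    """EFI_VARIABLE_AUTHENTICATION_2 header followed by the new variable content.
    dwLength counts the WIN_CERTIFICATE header, the CertType GUID and CertData."""
    dw_length = struct.calcsize(WIN_CERT_HDR_FMT) + 16 + len(pkcs7_der)
    return (timestamp
            + struct.pack(WIN_CERT_HDR_FMT, dw_length, WIN_CERT_REVISION, WIN_CERT_TYPE_EFI_GUID)
            + EFI_CERT_TYPE_PKCS7_GUID.bytes_le + pkcs7_der + esl)


def parse_auth(blob):
    """Split an .auth file into (timestamp, pkcs7_der, esl), rejecting bad headers."""
    if len(blob) < 40:
        raise ValueError("shorter than EFI_VARIABLE_AUTHENTICATION_2 header")
    timestamp = blob[:16]
    fields = struct.unpack(EFI_TIME_FMT, timestamp)
    if any(fields[6:]):                                  # Pad1 .. Pad2 must be zero
        raise ValueError("EFI_TIME reserved fields must be zero")
    dw_length, revision, cert_type = struct.unpack_from(WIN_CERT_HDR_FMT, blob, 16)
    if revision != WIN_CERT_REVISION or cert_type != WIN_CERT_TYPE_EFI_GUID:
        raise ValueError("unexpected WIN_CERTIFICATE header")
    if uuid.UUID(bytes_le=blob[24:40]) != EFI_CERT_TYPE_PKCS7_GUID:
        raise ValueError("CertType is not EFI_CERT_TYPE_PKCS7_GUID")
    end = 16 + dw_length
    if dw_length < 24 or end > len(blob):
        raise ValueError("dwLength out of range")
    return timestamp, blob[40:end], blob[end:]


def is_valid_auth(blob):
    try:
        parse_auth(blob)
        return True
    except ValueError:
        return False


def demo():
    """Round trip with the page's example date; an empty ESL is the delete case."""
    ts = efi_time(2012, 7, 21, 9, 39, 37)
    esl = make_esl(EFI_CERT_X509_GUID, NULL_OWNER, b"\x30\x82\x00\x00")  # constructed stand-in
    fake_pkcs7 = b"\x30\x03\x02\x01\x00"                                  # placeholder, not a signature
    return parse_auth(build_auth(ts, fake_pkcs7, esl)), parse_auth(build_auth(ts, fake_pkcs7, b""))


if __name__ == "__main__":
    (ts, p7, esl), (_, _, empty) = demo()
    print("esl bytes:", len(esl), "pkcs7 bytes:", len(p7), "delete payload empty:", empty == b"")
```

In the detached flow above, `to_be_signed("db", ts, DB.esl, append=True)` is the content of DB.forsig, `openssl smime -sign ... -md sha256` signs it, and `build_auth(ts, DB.signed, DB.esl)` is DB.auth; the header carries the timestamp in the clear, but only as a copy of what was already signed.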
| |
| [see also] |
| |
| cert-to-efi-sig-list(1) for details on how to produce EFI |
| signature lists. |