secboot

Syntax

secboot -l [all | PK | KEK | db | dbx] [-sfo]

secboot [-f file]

secboot -e [PK | KEK | db | dbx] [-f file]

secboot -r [all | PK | KEK | db | dbx] [-q]

secboot -d [all | PK | KEK | db | dbx] [-i index] [-q]

secboot -x [all | PK | KEK | db | dbx] [-i index] [-f file]

Description

Displays and modifies the Secure Boot databases, keys, and security reports.

Options

-l

Displays Secure Boot databases and keys.

all

Displays or deletes signatures of all Secure Boot variables.

PK

Displays Platform Key (PK) information. This is case sensitive.

KEK

Displays Key Exchange Key (KEK) information. This is case sensitive.

db

Displays Allowed Signatures Database (DB) information.

dbx

Displays Forbidden Signatures Database (DBX) information.

-sfo

Displays information in standard formatted output.

-e

Enrolls a DER-format X509 file, or a hash of an EFI application or shell script, in a Secure Boot variable. The shell script must start with the signature "#!NSH".

-f file

Displays DER-format X509 file information. When used with -e or -x, specifies the file to enroll from or to export to.

-r

Resets Secure Boot signatures, either all of them or those of a specified variable, to platform defaults.

-d

Deletes all signatures, or deletes signatures from a specified database.

-i index

Selects a signature (1, 2, ...) from a specific database.

-q

Displays in quiet mode without confirmation prompts.

-x

Exports certificates or hashes from the Secure Boot databases to destination files.
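Before passing a file to -e, it is worth confirming that it really is one of the three inputs the option accepts: a DER-encoded X509 certificate, a PE/COFF EFI application, or a script that begins with "#!NSH". The check below is an added example, not part of this reference or of the shell's own code; the classification names, the PEM detection, and the sample inputs are constructed for illustration.

```python
import hashlib
import struct

NSH_MAGIC = b"#!NSH"   # required leading bytes of an enrollable shell script
DER_SEQUENCE = 0x30    # outer tag of a DER-encoded X.509 Certificate

def der_total_length(data: bytes):
    """Length the outer DER SEQUENCE claims for itself, or None if malformed."""
    if len(data) < 2 or data[0] != DER_SEQUENCE:
        return None
    first = data[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def is_pe_image(data: bytes) -> bool:
    """MZ stub followed by a 'PE\\0\\0' signature at the offset stored at 0x3C."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    return data[pe_off:pe_off + 4] == b"PE\x00\x00"

def classify_enroll_candidate(data: bytes) -> dict:
    """Report what kind of -e input a file is, plus a flat SHA-256 of the bytes.

    The digest is for your own records; it is not necessarily the value the
    firmware stores, since db hash entries for PE images use Authenticode hashing."""
    kind = "unsupported"
    if data.startswith(NSH_MAGIC):
        kind = "nsh-script"
    elif is_pe_image(data):
        kind = "efi-application"
    elif der_total_length(data) == len(data):   # envelope must span the whole file
        kind = "x509-der"
    elif data.lstrip().startswith(b"-----BEGIN"):
        kind = "pem-not-der"                     # common mistake: PEM is rejected
    return {"kind": kind, "size": len(data), "sha256": hashlib.sha256(data).hexdigest()}

# Constructed sample inputs (not real certificates or images).
SAMPLE_NSH = b"#!NSH\necho Secure Boot test\n"
SAMPLE_PE = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\x00\x00"
SAMPLE_DER = b"\x30\x82\x01\x00" + b"\x00" * 256   # long-form length 256
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, classify_enroll_candidate(fh.read()))
```

Run it against the file you intend to name with -f; a result of "pem-not-der" or "unsupported" means the enrollment should not be attempted as-is.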

Examples

To display signatures of all Secure Boot variables:

Shell> secboot -l all

To display Allowed Signatures Database information:

Shell> secboot -l db

To display DER-format X509 file information:

Shell> secboot -f abc.der

To enroll a DER-format X509 file in a Secure Boot variable:

Shell> secboot -e db -f abc.der

To enroll a hash of an EFI application in the Allowed Signatures Database:

Shell> secboot -e db -f bootx64.efi

To enroll a hash of an EFI application on the network in the Allowed Signatures Database:

Shell> secboot -e db -f http://www.example.com/BOOT/bootx64.efi

To enroll a hash of a script in the Allowed Signatures Database:

Shell> secboot -e db -f Test.nsh

To enroll a hash of a script on a network location in the Allowed Signatures Database:

Shell> secboot -e db -f http://www.example.com/TESTS/Test.nsh

To reset all Secure Boot signatures to platform defaults:

Shell> secboot -r all

To reset KEK Secure Boot signatures to platform defaults:

Shell> secboot -r KEK

To delete all Secure Boot signatures:

Shell> secboot -d all

To delete the Platform Key:

Shell> secboot -d PK

To clear the Allowed Signatures Database:

Shell> secboot -d db

To delete the second signature from the Key Exchange Key:

Shell> secboot -d KEK -i 2

To export the third entry from the KEK Secure Boot database to a file abc.der:

Shell> secboot -x KEK -i 3 -f abc.der

To export all entries from all Secure Boot databases (PK/KEK/db/dbx):

Shell> secboot -x all

To export all entries from the KEK Secure Boot database:

Shell> secboot -x KEK