secboot
Syntax
secboot [-l all | PK | KEK | db | dbx] [-sfo]
secboot [-f file]
secboot -e [PK | KEK | db | dbx] [-f file]
secboot -r [all | PK | KEK | db | dbx] [-q]
secboot -d [all | PK | KEK | db | dbx] [-i index] [-q]
secboot -x [all | PK | KEK | db | dbx] [-i index] [-f file]
Description
Displays and modifies the Secure Boot databases, keys, and security reports.
Options
-l
Displays Secure Boot databases and keys.
all
Displays or deletes signatures of all Secure Boot variables.
PK
Displays Platform Key (PK) information. This is case sensitive.
KEK
Displays Key Exchange Key (KEK) information. This is case sensitive.
db
Displays Allowed Signatures Database (DB) information.
dbx
Displays Forbidden Signatures Database (DBX) information.
-sfo
Displays information in standard formatted output.
-e
Enrolls a DER-format X509 file, or a hash of an EFI application or shell script, in a Secure Boot variable. The shell script must start with the signature "#!NSH".
-f file
Specifies a file. Used alone, displays DER-format X509 file information; with -e, names the certificate, EFI application, or script to enroll; with -x, names the destination file for the export.
-r
Resets the specified Secure Boot variable (or all variables) to platform defaults.
-d
Deletes all signatures, or deletes signatures from a specified database.
-i index
Selects a signature (1,2,...) from a specific database.
-q
Displays in quiet mode without confirmation prompts.
-x
Exports certificates or hashes from the Secure Boot databases to destination files.
Examples
To display signatures of all Secure Boot variables:
Shell> secboot -l all
To display Allowed Signatures Database information:
Shell> secboot -l db
To display DER-format X509 file information:
Shell> secboot -f abc.der
To enroll a DER-format X509 file in a Secure Boot variable:
Shell> secboot -e db -f abc.der
To enroll a hash of an EFI application in the Allowed Signatures Database:
Shell> secboot -e db -f bootx64.efi
To enroll a hash of an EFI application on the network in the Allowed Signatures Database:
Shell> secboot -e db -f http://www.example.com/BOOT/bootx64.efi
To enroll a hash of a script in the Allowed Signatures Database:
Shell> secboot -e db -f Test.nsh
To enroll a hash of a script on a network location in the Allowed Signatures Database:
Shell> secboot -e db -f http://www.example.com/TESTS/Test.nsh
To reset all Secure Boot signatures to platform defaults:
Shell> secboot -r all
To reset KEK Secure Boot signatures to platform defaults:
Shell> secboot -r KEK
To delete all Secure Boot signatures:
Shell> secboot -d all
To delete the Platform Key:
Shell> secboot -d PK
To clear the Allowed Signatures Database:
Shell> secboot -d db
To delete the second signature from the Key Exchange Key:
Shell> secboot -d KEK -i 2
To export the third entry from the KEK Secure Boot database to the file abc.der:
Shell> secboot -x KEK -i 3 -f abc.der
To export all entries from all Secure Boot databases (PK/KEK/db/dbx):
Shell> secboot -x all
To export all entries from the KEK Secure Boot database:
Shell> secboot -x KEK