secboot
Syntax
secboot [-l all|PK|KEK|db|dbx] [-sfo]
secboot [-f file]
secboot [-e PK|KEK|db|dbx] [-f file]
secboot [-r] [-q]
secboot [-d all|PK|KEK|db|dbx] [-i index] [-q]
Description
Displays and modifies the Secure Boot databases, keys, and security reports.
Options
-l
Displays Secure Boot databases and keys.
all
Displays or deletes signatures of all Secure Boot variables.
PK
Displays Platform Key (PK) information. This is case sensitive.
KEK
Displays Key Exchange Key (KEK) information. This is case sensitive.
db
Displays Allowed Signatures Database (DB) information.
dbx
Displays Forbidden Signatures Database (dbx) information.
-sfo
Displays information in standard formatted output.
-e
Enrolls a DER-format X509 file or a hash of an EFI application in a Secure Boot variable.
-f file
Displays DER-format X509 file information.
-r
Re-initializes all Secure Boot signatures to platform defaults.
-d
Deletes all signatures, or deletes signatures from a specified database.
-i index
Selects a signature (1, 2, ...) from a specific database.
-q
Runs in quiet mode, without confirmation prompts.
Examples
To display signatures of all Secure Boot variables:
Shell> secboot -l all
To display Allowed Signatures Database information:
Shell> secboot -l db
To display DER-format X509 file information:
Shell> secboot -f abc.der
To enroll a hash of an EFI application in the Allowed Signatures Database:
Shell> secboot -e db -f boot64.efi
To re-initialize all Secure Boot signatures to platform defaults:
Shell> secboot -r
To delete all Secure Boot signatures:
Shell> secboot -d all
To delete the Platform Key:
Shell> secboot -d PK
To clear the Allowed Signatures Database:
Shell> secboot -d db
To delete the second signature from the Key Exchange Key:
Shell> secboot -d KEK -i 2
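The -e and -f options expect a DER-format X509 file, so a file that is actually PEM text, truncated, or not a certificate at all is worth catching before it is enrolled into PK, KEK or db. The helper below is an added example, not part of the secboot tool: it unwraps PEM if present, checks the outer DER framing of an X.509 Certificate, and returns the DER bytes with a SHA-256 fingerprint for your change record. The function names and the sample blobs are constructed for this example.

```python
import base64
import hashlib
import re

# PEM wrapper that -e/-f do not take; unwrap it to the DER bytes they expect.
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_length(data, offset):
    """Decode the DER length starting at data[offset]; return (length, offset of content)."""
    first = data[offset]
    if first < 0x80:                      # short form: a single length byte
        return first, offset + 1
    n = first & 0x7F                      # long form: the next n bytes hold the length
    if n == 0 or n > 4 or offset + 1 + n > len(data):
        raise ValueError("invalid DER length encoding")
    length = int.from_bytes(data[offset + 1:offset + 1 + n], "big")
    if length < 0x80 or (n > 1 and length < 1 << (8 * (n - 1))):
        raise ValueError("non-minimal length encoding (BER, not DER)")
    return length, offset + 1 + n


def check_cert_file(data):
    """Return (der_bytes, sha256_hex) for a DER X.509 certificate, unwrapping PEM if present.

    Only the outer framing is checked: a top-level SEQUENCE whose declared length matches
    the file exactly and whose first element is the tbsCertificate SEQUENCE. Truncated
    files, files with trailing bytes, and non-certificate files are rejected.
    """
    m = PEM_RE.search(data)
    if m:
        data = base64.b64decode(b"".join(m.group(1).split()))
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE: wrong file, or PEM without a CERTIFICATE header")
    length, content = der_length(data, 1)
    if content + length != len(data):
        raise ValueError(f"declared {length} content bytes, file has {len(data) - content}")
    if length == 0 or data[content] != 0x30:
        raise ValueError("first element is not the tbsCertificate SEQUENCE")
    return data, hashlib.sha256(data).hexdigest()


# Constructed stand-in for a certificate: SEQUENCE { SEQUENCE { INTEGER 1 } } (not a real X.509 cert)
SAMPLE_DER = bytes.fromhex("30053003020101")
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER) + b"-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for name, blob in (("sample.der", SAMPLE_DER), ("sample.pem", SAMPLE_PEM)):
        der, digest = check_cert_file(blob)
        print(f"{name}: {len(der)} DER bytes, sha256 {digest}")
```

Run it on the real file you intend to pass to `secboot -e` and keep the printed digest with the change ticket, so the enrolled certificate can be matched later against what `secboot -l` reports.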