secboot
Syntax
secboot [-l all]|[PK]|[KEK]|[db]|[dbx] [-sfo]
secboot [-f file]
secboot [-e PK]|[KEK]|[db]|[dbx] [-f file]
secboot [-r] [-q]
secboot [-d all]|[PK]|[KEK]|[db]|[dbx] [-i index] [-q]
Description
Displays and modifies the Secure Boot databases, keys, and security reports.
Options
-l
    Displays Secure Boot databases and keys.
all
    Displays or deletes signatures of all Secure Boot variables.
PK
    Displays Platform Key (PK) information. This is case sensitive.
KEK
    Displays Key Exchange Key (KEK) information. This is case sensitive.
db
    Displays Allowed Signatures Database (DB) information.
dbx
    Displays Forbidden Signatures Database (DBX) information.
-sfo
    Displays information in standard formatted output.
-e
    Enrolls a DER-format X509 file or a hash of an EFI application in a Secure Boot variable.
-f file
    Displays DER-format X509 file information.
-r
    Re-initializes all Secure Boot signatures to platform defaults.
-d
    Deletes all signatures, or deletes signatures from a specified database.
-i index
    Selects a signature (1,2,...) from a specific database.
-q
    Displays in quiet mode without confirmation prompts.
Examples
To display signatures of all Secure Boot variables:
Shell> secboot -l all
To display Allowed Signatures Database information:
Shell> secboot -l db
To display DER-format X509 file information:
Shell> secboot -f abc.der
To enroll a hash of an EFI application in the Allowed Signatures Database:
Shell> secboot -e db -f boot64.efi
To re-initialize all Secure Boot signatures to platform defaults:
Shell> secboot -r
To delete all Secure Boot signatures:
Shell> secboot -d all
To delete the Platform Key:
Shell> secboot -d PK
To clear the Allowed Signatures Database:
Shell> secboot -d db
To delete the second signature from the Key Exchange Key:
Shell> secboot -d KEK -i 2
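
Added example (not part of the original reference and not vendor code): a Python function that computes, on an administrator's workstation, the digest UEFI Secure Boot uses to identify an EFI application in db or dbx, so the binary whose hash is enrolled with -e can be confirmed as the intended one. It assumes that secboot enrolls the SHA-256 Authenticode digest UEFI defines for image hashes (this page does not name the algorithm) and that the image stores its sections contiguously in file order; the name authenticode_sha256 is chosen here.

```python
import hashlib
import struct


def authenticode_sha256(pe: bytes) -> str:
    """SHA-256 of a PE/COFF image, skipping the regions Authenticode excludes.

    Assumption: linear form of the algorithm (sections contiguous and in
    file order, as linkers normally emit); the full algorithm walks the
    section table.
    """
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE image (no MZ header)")
    (pe_off,) = struct.unpack_from("<I", pe, 0x3C)        # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image (no PE signature)")
    opt = pe_off + 24                                     # optional header
    (magic,) = struct.unpack_from("<H", pe, opt)
    try:
        dirs = opt + {0x10B: 96, 0x20B: 112}[magic]       # PE32 / PE32+
    except KeyError:
        raise ValueError(f"unknown optional-header magic {magic:#x}") from None
    checksum = opt + 64                                   # CheckSum field
    (num_dirs,) = struct.unpack_from("<I", pe, dirs - 4)  # NumberOfRvaAndSizes
    skip = [(checksum, checksum + 4)]
    if num_dirs > 4:
        entry = dirs + 4 * 8          # data directory 4: certificate table
        cert_off, cert_len = struct.unpack_from("<II", pe, entry)
        skip.append((entry, entry + 8))
        if cert_len:                  # embedded signature: a file offset
            if cert_off < entry + 8 or cert_off + cert_len > len(pe):
                raise ValueError("certificate table lies outside the file")
            skip.append((cert_off, cert_off + cert_len))
    digest, pos = hashlib.sha256(), 0
    for start, end in skip:           # hash everything between skipped spans
        digest.update(pe[pos:start])
        pos = end
    digest.update(pe[pos:])
    return digest.hexdigest()


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:                    # e.g. boot64.efi
        print(authenticode_sha256(f.read()))
```

Because the checksum and any embedded signature are excluded, signed and unsigned copies of the same build produce the same digest, which differs from a plain SHA-256 of the file.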