secboot

Syntax

secboot -l all|PK|KEK|db|dbx [-sfo]

secboot -f file

secboot -e PK|KEK|db|dbx -f file

secboot -r [-q]

secboot -d all|PK|KEK|db|dbx [-i index] [-q]

Description

Displays and modifies the Secure Boot databases, keys, and security reports.

Options

-l

Displays Secure Boot databases and keys.

all

Selects all Secure Boot variables (PK, KEK, db, and dbx) for display with -l or deletion with -d.

PK

Displays Platform Key (PK) information. This is case sensitive.

KEK

Displays Key Exchange Key (KEK) information. This is case sensitive.

db

Displays Allowed Signatures Database (DB) information.

dbx

Displays Forbidden Signatures Database (DBX) information.

-sfo

Displays information in standard formatted output.

-e

Enrolls a DER-format X509 file or a hash of an EFI application in a Secure Boot variable.

-f file

Specifies an input file. Used alone, displays information about a DER-format X509 file. Used with -e, names the DER-format X509 certificate, or the EFI application whose hash is to be enrolled.

-r

Re-initializes all Secure Boot variables to the platform defaults, discarding any signatures enrolled with -e.

-d

Deletes all signatures from every Secure Boot variable (all), or from the specified database. Without -i, the whole database is cleared.

-i index

Selects a single signature by its position (1, 2, ...) in the specified database, as listed by -l. Used with -d to delete one entry instead of the whole database.

-q

Quiet mode. Suppresses the confirmation prompts that -r and -d otherwise display.

Examples

To display signatures of all Secure Boot variables:

Shell> secboot -l all
      

To display Allowed Signatures Database information:

Shell> secboot -l db
      

To display DER-format X509 file information:

Shell> secboot -f abc.der
      

To enroll a hash of an EFI application in the Allowed Signatures Database (the hash is bound to that exact binary, so a rebuilt or patched boot64.efi must be enrolled again):

Shell> secboot -e db -f boot64.efi

To re-initialize all Secure Boot signatures to platform defaults:

Shell> secboot -r

To delete all Secure Boot signatures:

Shell> secboot -d all


To delete the Platform Key (with no PK enrolled the platform is in Setup Mode, and the firmware does not enforce Secure Boot until a PK is enrolled again):

Shell> secboot -d PK

To clear the Allowed Signatures Database:

Shell> secboot -d db
      

To delete the second signature from the Key Exchange Key:

Shell> secboot -d KEK -i 2
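The entries that secboot -l lists, and that -d -i removes one at a time, are stored in the variable as a sequence of EFI_SIGNATURE_LIST structures, each holding fixed-size EFI_SIGNATURE_DATA records, as defined by the UEFI specification. The following Python is an added example, not part of this reference or of the shell's own code: it parses a raw db/dbx/KEK/PK variable image into its individual entries and rejects malformed lists. The sample variable is constructed inline, the owner GUID is arbitrary, the X509 entry is a placeholder rather than a real certificate, and the 1-based numbering across the whole variable is an assumption about how -i counts entries (the reference only says "1, 2, ...").

```python
"""Parse a raw UEFI Secure Boot variable (db/dbx/KEK/PK) into its entries.

Added example; not part of the secboot reference. Walks the
EFI_SIGNATURE_LIST / EFI_SIGNATURE_DATA layout from the UEFI specification.
"""
import struct
import uuid
from typing import List, Tuple

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
_GUID_NAMES = {EFI_CERT_SHA256_GUID: "sha256", EFI_CERT_X509_GUID: "x509"}

# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian).
HEADER = struct.Struct("<16sIII")


def parse_signature_lists(blob: bytes) -> List[Tuple[int, str, uuid.UUID, bytes]]:
    """Return (index, type, owner, data) for every EFI_SIGNATURE_DATA in blob.

    Index is 1-based across the whole variable (assumption: this is how the
    -i argument numbers entries). Raises ValueError on a malformed list
    instead of silently truncating the walk.
    """
    entries = []
    off = 0
    idx = 1
    while off < len(blob):
        if len(blob) - off < HEADER.size:
            raise ValueError(f"truncated list header at offset {off}")
        sig_type, list_size, hdr_size, sig_size = HEADER.unpack_from(blob, off)
        if list_size < HEADER.size + hdr_size or off + list_size > len(blob):
            raise ValueError(f"list at offset {off} overruns the variable")
        body = list_size - HEADER.size - hdr_size
        # Each record is a 16-byte SignatureOwner GUID followed by the data.
        if sig_size < 16 or body % sig_size != 0:
            raise ValueError(f"bad SignatureSize {sig_size} at offset {off}")
        kind = _GUID_NAMES.get(uuid.UUID(bytes_le=sig_type), "unknown")
        pos = off + HEADER.size + hdr_size
        for _ in range(body // sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            data = blob[pos + 16:pos + sig_size]
            entries.append((idx, kind, owner, data))
            idx += 1
            pos += sig_size
        off += list_size
    return entries


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, items: List[bytes]) -> bytes:
    """Serialize one EFI_SIGNATURE_LIST; all items in a list share one size."""
    sig_size = 16 + len(items[0])
    if any(len(i) + 16 != sig_size for i in items):
        raise ValueError("all signatures in a list must have equal size")
    list_size = HEADER.size + sig_size * len(items)
    out = HEADER.pack(sig_type.bytes_le, list_size, 0, sig_size)
    for item in items:
        out += owner.bytes_le + item
    return out


# Constructed sample variable: two SHA-256 image hashes in one list and a
# placeholder DER blob (not a real certificate) in a second list.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")  # arbitrary owner GUID
SAMPLE_DB = (
    build_signature_list(EFI_CERT_SHA256_GUID, OWNER, [bytes([0xAA]) * 32, bytes([0xBB]) * 32])
    + build_signature_list(EFI_CERT_X509_GUID, OWNER, [b"\x30\x82\x01\x00" + b"\x00" * 60])
)

if __name__ == "__main__":
    for idx, kind, owner, data in parse_signature_lists(SAMPLE_DB):
        print(f"{idx}: {kind:7} owner={owner} len={len(data)} data={data[:8].hex()}...")
```

Feed a variable image dumped from the firmware (for example, the contents of the db variable under the EFI_IMAGE_SECURITY_DATABASE GUID) to parse_signature_lists to audit what the platform trusts before deciding which index to pass to -d -i.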