NAME

virt-fw-sigdb - manual page for virt-fw-sigdb 24.11

DESCRIPTION

The virt-fw-sigdb utility can create, modify and print EFI signature databases. This is the format used by UEFI firmware to store lists of certificates and authenticode hashes for binaries in EFI variables like 'PK', 'KEK', 'db' and 'dbx'.

Usually signature databases are embedded in EFI variable stores, so for most use cases you'll probably should check out the virt-fw-vars(1) utility instead of this.

The exception to this rule is the list of root CA certificates for TLS connections which can be passed from the host via qemu to OVMF using the etc/edk2/https/cacerts fw_cfg file.

usage: virt-fw-sigdb [-h] [-i FILE] [-o FILE] [--add-cert GUID FILE]

: [--add-hash GUID HASH] [-p]

options:

-h, --help: show this help message and exit
-i, --input FILE: read efi sigdb FILE
-o, --output FILE: write efi sigdb FILE.
--add-cert GUID FILE: add x509 cert to sigdb, loaded in pem format from FILE and with owner GUID, can be specified multiple times
--add-hash GUID HASH: add sha256 hash to sigdb, with owner GUID, can be specified multiple times
-p, --print: print sigdb

EXAMPLES

Print system root CA database: virt-fw-sigdb --print \
--input /etc/pki/ca-trust/extracted/edk2/cacerts.bin

AUTHOR

Gerd Hoffmann <kraxel@redhat.com>

November 2024

virt-fw-sigdb 24.11