.\" Automatically generated from an mdoc input file.  Do not edit.
.TH "EFISECDB" "1" "January 7, 2021" "" "General Commands Manual"
.nh
.if n .ad l
.SH "NAME"
\fBefisecdb\fR
\- utility for managing UEFI signature lists
.SH "SYNOPSIS"
.HP 9n
\fBefisecdb\fR
[\fB\-s\fR\ \fISORT\fR]
[\fB\-i\fR\ \fIfile\fR\ [\fB\-i\fR\ \fIfile\fR]
\&...]
\ \p
[\fB\-g\fR\ \fIguid\fR
\(la\fB\-a\fR\ |\ \fB\-r\fR\(ra
\(la[\fB\-t\fR\ \fIhash-type\fR]\ \fB\-h\fR\ \fIhash\fR\ |
\fB\-c\fR\ \fIfile\fR\(ra
\ \p
[\fB\-g\fR\ \fIguid\fR
\(la\fB\-a\fR\ |\ \fB\-r\fR\(ra
\(la[\fB\-t\fR\ \fIhash-type\fR]\ \fB\-h\fR\ \fIhash\fR\ |
\fB\-c\fR\ \fIfile\fR\(ra]
\&...]
\(la\fB\-d\fR\ [\fB\-A\fR]
|
\fB\-o\fR\ \fIfile\fR
|
\fB\-L\fR\(ra
.SH "DESCRIPTION"
\fBefisecdb\fR
is a command line utility for management of UEFI signature lists in detached
files. That is, it's for command line generation and management of files in the
format of KEK, DB, and DBX.
.sp
Operation occurs in three phases:
.PD 0
.TP 5n
1.\&
Loading of security databases specified with \fB\-\-input\fR
.TP 5n
2.\&
Left-to-right processing of other options, using \fB\-\-hash-type,\fR \fB\-\-owner-guid,\fR \fB\-\-add,\fR
and \fB\-\-remove\fR
as state to build selectors to add or remove hashes and certificates specified by \fB\-\-hash\fR
and \fB\-\-certificate\fR.\fR
.TP 5n
3.\&
Generation of output
.PP
The accumulated state is persistent; once an Owner GUID, Add or Delete
operation, or hash type are specified, they need only be present again to
change the operations that follow.  Operations are added to the list to process
when
\fB\-h\fR \fIhash\fR
or
\fB\-c\fR \fIcert\fR
are specified, and are processed in the order they appear.  Additionally,
at least one
\fB\-g\fR
argument and either \fB\-\-add\fR
or \fB\-\-remove\fR
must appear before the first use of
\fB\-h\fR \fIhash\fR
or
\fB\-c\fR \fIcert\fR.\fR
.PD
.SH "OPTIONS"
.TP 2n
\(la\fB\-s\fR | \fB\-\-sort\fR\(ra \(la\fIall\fR | \fIdata\fR | \fInone\fR | \fItype\fR\(ra
Sort by data after sorting and grouping entry types, entry data, no sorting, or by entry type
.TP 2n
\(la\fB\-s\fR | \fB\-\-sort\fR\(ra \(la\fIascending\fR | \fIdescending\fR\(ra
Sort in ascending or descending order
.TP 2n
\fB\-i\fR \fIfile\fR | \fB\-\-infile\fR \fIfile\fR
Read EFI Security Database from
\fIfile\fR
.TP 2n
\fB\-g\fR \fIguid\fR | \fB\-\-owner-guid\fR \fIguid\fR
Use the specified GUID or symbolic refrence (i.e. {empty}) for forthcoming
addition and removal operations
.TP 2n
\fB\-a\fR | \fB\-\-add\fR | \fB\-r\fR | \fB\-\-remove\fR
Select
\fIadd\fR
or
\fIremove\fR
for forthcoming operations
.TP 2n
\fB\-t\fR \fIhash-type\fR | \fB\-\-hash-type\fR \fIhash-type\fR
Select
\fIhash-type\fR
for forthcoming addition and removal operations
(default \fIsha256\fR)
.sp
Use hash-type \fIhelp\fR to list supported hash types.
.TP 2n
\fB\-h\fR \fIhash\fR | \fB\-\-hash\fR \fIhash\fR
Add or remove the specified hash
.TP 2n
\fB\-c\fR \fIfile\fR | \fB\-\-certificate\fR \fIfile\fR
Add or remove the specified certificate
.TP 2n
\fB\-d\fR | \fB\-\-dump\fR
Produce a hex dump of the output
.TP 2n
\fB\-A\fR | \fB\-\-annotate\fR
Annotate the hex dump produced by \fB\-\-dump\fR
.TP 2n
\fB\-o\fR \fIfile\fR | \fB\-\-outfile\fR \fIfile\fR
Write EFI Security Database to
\fIfile\fR
.TP 2n
\fB\-L\fR | \fB\-\-list-guids\fR
List the well known guids
.sp
The output is tab delimited: GUID short_name desription
.SH "EXAMPLES"
.SS "Dumping the current system's \fIDBX\fP database with annotations"
.nf
.RS 0n
host:~$ \fBefisecdb -d -A -i /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f\fR
00000000  26 16 c4 c1 4c 50 92 40  ac a9 41 f9 36 93 43 28  |&...LP.@..A.6.C(|  esl[0].signature_type = {sha256}
00000010  60 00 00 00                                       |....|              esl[0].signature_list_size = 96
00000014              00 00 00 00                               |....|          esl[0].signature_header_size = 0
00000018                           30 00 00 00                      |0...|      esl[0].signature_size = 48
0000001c                                                                        esl[0].signature_header (end:0x0000001c)
0000001c                                       bd 9a fa 77              |...w|  esl[0].signature[0].owner = {microsoft}
00000020  59 03 32 4d bd 60 28 f4  e7 8f 78 4b              |Y.2M.`(...xK|
0000002c                                       fe cf b2 32              |...2|  esl[0].signature[0].data (end:0x0000004c)
00000030  d1 2e 99 4b 6d 48 5d 2c  71 67 72 8a a5 52 59 84  |...KmH],qgr..RY.|
00000040  ad 5c a6 1e 75 16 22 1f  07 9a 14 36              |.\..u."....6|
0000004c                                       bd 9a fa 77              |...w|  esl[0].signature[1].owner = {microsoft}
00000050  59 03 32 4d bd 60 28 f4  e7 8f 78 4b              |Y.2M.`(...xK|
0000005c                                       fe 63 a8 4f              |.c.O|  esl[0].signature[1].data (end:0x0000007c)
00000060  78 2c c9 d3 fc f2 cc f9  fc 11 fb d0 37 60 87 87  |x,..........7`..|
00000070  58 d2 62 85 ed 12 66 9b  dc 6e 6d 01              |X.b...f..nm.|
0000007c
.RE
.fi
.SS "Building a new EFI Security Database for use as \fIKEK\fP, replacing one certificate."
.nf
.RS 0n
# Figure out the original cert... the easy way
host:~$ \fBstrings KEK-* | grep microsoft.*crt\fR\p
Dhttp://www.microsoft.com/pki/certs/MicCorThiParMarRoo_2010-10-05.crt0

# Find it, because --export isn't implemented yet
host:~$ \fBwget \e\p
        --user-agent='Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko' \e\p
        http://www.microsoft.com/pki/certs/MicCorThiParMarRoo_2010-10-05.crt\fR\p
--2020-06-04 20:41:27--  http://www.microsoft.com/pki/certs/MicCorThiParMarRoo_2010-10-05.crt
Resolving www.microsoft.com (www.microsoft.com)... 2600:141b:800:287::356e, 2600:141b:800:2a0::356e, 23.43.254.254
Connecting to www.microsoft.com (www.microsoft.com)|2600:141b:800:287::356e|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1539 (1.5K) [application/octet-stream]
Saving to: \[u2018]MicCorThiParMarRoo_2010-10-05.crt\[u2019]

MicCorThiParMarRoo_ 100%[===================>]   1.50K  --.-KB/s    in 0s

2020-06-04 20:41:27 (177 MB/s) - \[u2018]MicCorThiParMarRoo_2010-10-05.crt\[u2019] saved [1539/1539]

# Pick a GUID-like object, any GUID-like object...
host:~$ \fBuuidgen\fR
aab3960c-501e-485e-ac59-62805970a3dd

# Remove the old KEK entry and add a different one
host:~$ \fBefisecdb -i KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c \e\p
        -g {microsoft} -r -c MicCorThiParMarRoo_2010-10-05.crt \e\p
        -g aab3960c-501e-485e-ac59-62805970a3dd -a -c pjkek.cer \e\p
        -o newkek.bin\fR\p
.RE
.fi
.SS "Searching the list of well-known GUIDs"
.nf
.RS 0n
host:~$ \fBefisecdb -L | grep shim\fR\p
{605dab50-e046-4300-abb6-3dd810dd8b23}	{shim}	shim
.RE
.fi
.SH "STANDARDS"
UEFI Specification Working Group,
\fIUnified Extensible Firmware Interface (UEFI) Specification Version 2.8\fR,
\fIUnified Extensible Firmware Interface Forum\fR,
https://uefi.org/specifications\ \&,
March 2019.
.SH "SEE ALSO"
authvar(1),
efikeygen(1),
pesign(1)
.SH "AUTHORS"
Peter Jones
.SH "BUGS"
\fBefisecdb\fR
is currently lacking several useful features:
.PD 0
.TP 4n
\fB\(bu\fR
positional exporting of certificates
.TP 4n
\fB\(bu\fR
\fB\-\-dump\fR
and \fB\-\-annotate\fR
do not adjust the output width for the terminal
.TP 4n
\fB\(bu\fR
certificates can't be specified for removal by their \fIToBeSigned\fR hash