
VIRT-FW-SIGDB(1) User Commands VIRT-FW-SIGDB(1)

NAME

virt-fw-sigdb - manual page for virt-fw-sigdb 25.4

DESCRIPTION

The virt-fw-sigdb utility can create, modify and print EFI signature databases. This is the format used by UEFI firmware to store lists of certificates and authenticode hashes for binaries in EFI variables like 'PK', 'KEK', 'db' and 'dbx'.

Usually signature databases are embedded in EFI variable stores, so for most use cases you should probably check out the virt-fw-vars(1) utility instead of this one.

The exception to this rule is the list of root CA certificates for TLS connections which can be passed from the host via qemu to OVMF using the etc/edk2/https/cacerts fw_cfg file.

usage: virt-fw-sigdb [-h] [-i FILE] [-o FILE] [--add-cert GUID FILE] [--add-hash GUID HASH] [-p]

options:

-h, --help
    show this help message and exit

-i FILE, --input FILE
    read efi sigdb FILE

-o FILE, --output FILE
    write efi sigdb FILE.

--add-cert GUID FILE
    add x509 cert to sigdb, loaded in pem format from FILE and with owner GUID, can be specified multiple times

--add-hash GUID HASH
    add sha256 hash to sigdb, with owner GUID, can be specified multiple times

-p, --print
    print sigdb

EXAMPLES

virt-fw-sigdb --print \
--input /etc/pki/ca-trust/extracted/edk2/cacerts.bin
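To show what a signature database file contains, the following added example (not part of this manual page and not virt-firmware's own code) parses the EFI_SIGNATURE_LIST layout from the UEFI specification and lists each entry's type, owner GUID and payload, rejecting inconsistent size fields. The owner GUID, the hashed strings and the placeholder certificate bytes are constructed sample values.

```python
import hashlib
import struct
import uuid

# Signature type GUIDs defined by the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
TYPE_NAMES = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}
HEADER = struct.Struct("<16sIII")  # type GUID, list size, header size, entry size


def build_list(sig_type, owner, blobs):
    """Serialize one EFI_SIGNATURE_LIST; all blobs must have the same length."""
    entry_size = 16 + len(blobs[0])
    body = b"".join(owner.bytes_le + blob for blob in blobs)
    return HEADER.pack(sig_type.bytes_le, HEADER.size + len(body), 0, entry_size) + body


def parse_sigdb(data):
    """Return (type, owner GUID, payload) for every entry, rejecting malformed sizes."""
    entries, offset = [], 0
    while offset < len(data):
        if len(data) - offset < HEADER.size:
            raise ValueError("truncated list header")
        raw_type, list_size, hdr_size, entry_size = HEADER.unpack_from(data, offset)
        start = HEADER.size + hdr_size
        if list_size < start or offset + list_size > len(data):
            raise ValueError("list size out of bounds")
        if entry_size <= 16 or (list_size - start) % entry_size:
            raise ValueError("entry size does not match list size")
        kind = TYPE_NAMES.get(uuid.UUID(bytes_le=raw_type), "unknown")
        if kind == "sha256" and entry_size != 16 + 32:
            raise ValueError("sha256 entry with wrong length")
        for pos in range(offset + start, offset + list_size, entry_size):
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])  # GUIDs are mixed-endian
            entries.append((kind, owner, data[pos + 16:pos + entry_size]))
        offset += list_size
    return entries


# Constructed sample: one hash list with two entries plus one placeholder "cert" list.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")  # made-up owner GUID
HASHES = [hashlib.sha256(b"sample-a").digest(), hashlib.sha256(b"sample-b").digest()]
SAMPLE = build_list(EFI_CERT_SHA256_GUID, OWNER, HASHES) + build_list(
    EFI_CERT_X509_GUID, OWNER, [b"not-a-real-DER-certificate"])

if __name__ == "__main__":
    for kind, owner, payload in parse_sigdb(SAMPLE):
        print(kind, owner, payload.hex() if kind == "sha256" else f"{len(payload)} bytes")
```
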

AUTHOR

Gerd Hoffmann <kraxel@redhat.com>

April 2025 virt-fw-sigdb 25.4