VIRT-FW-VARS(1) User Commands VIRT-FW-VARS(1)

NAME

virt-fw-vars - manual page for virt-fw-vars 25.7.3

DESCRIPTION

The virt-fw-vars utility can print and modify UEFI variable stores. Supported formats are standard edk2 (as used by ovmf and armvirt) and aws.

usage: virt-fw-vars [-h] [-l LEVEL] [-i FILE] [--inplace FILE]
                    [--extract-certs] [-d VAR] [--set-true VAR]
                    [--set-false VAR] [--set-json FILE] [--set-boot-uri LINK]
                    [--append-boot-filepath FILE] [--set-shim-debug]
                    [--set-shim-verbose] [--set-fallback-verbose]
                    [--set-fallback-no-reboot] [--set-sbat-level FILE]
                    [--set-pk GUID FILE] [--add-kek GUID FILE]
                    [--add-db GUID FILE] [--add-db-hash GUID HASH]
                    [--set-dbx FILE] [--add-dbx FILE]
                    [--add-dbx-cert GUID FILE] [--add-dbx-hash GUID HASH]
                    [--add-mok GUID FILE] [--add-mok-hash GUID HASH]
                    [--enroll-redhat] [--enroll-cert CERT]
                    [--enroll-generate CN] [--enroll-mgmt] [--no-microsoft]
                    [--microsoft-kek {none,2011,2023,all}]
                    [--distro-keys DISTRO] [--distro-list] [--sb] [-p] [-v]
                    [--hashes] [-x] [-o FILE] [--output-aws FILE]
                    [--output-json FILE] [--output-auth DIR]

Print and modify EFI variable stores.

options:

-h
    show this help message and exit
-l LEVEL
    set loglevel to LEVEL
-i FILE, --input FILE
    read edk2 or aws vars from FILE
--inplace FILE
    modify FILE in place
--extract-certs
    extract all certificates

Variable options:

-d VAR
    delete variable VAR, can be specified multiple times
--set-true VAR
    set variable VAR to true, can be specified multiple times
--set-false VAR
    set variable VAR to false, can be specified multiple times
--set-json FILE
    set variables from json dump FILE

Boot configuration:

--set-boot-uri LINK
    set network boot uri to LINK (once, using BootNext)
--append-boot-filepath FILE
    append boot entry for FILE (permanent, using BootOrder)

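shim.efi configuration:

--set-shim-debug
    enable shim.efi debugging (pause for debugger attach)
--set-shim-verbose
    enable shim.efi verbose messages
--set-fallback-verbose
    enable fallback.efi verbose messages
--set-fallback-no-reboot
    disable rebooting for fallback.efi
--set-sbat-level FILE
    set SbatLevel variable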

Secure boot setup options:

--set-pk GUID FILE
    set PK to x509 cert, loaded in pem or der format from FILE and with owner GUID
--add-kek GUID FILE
    add x509 cert to KEK, loaded in pem or der format from FILE and with owner GUID, can be specified multiple times
--add-db GUID FILE
    add x509 cert to db, loaded in pem or der format from FILE and with owner GUID, can be specified multiple times
--add-db-hash GUID HASH
    add sha256 HASH to db, with owner GUID, can be specified multiple times
--set-dbx FILE
    initialize dbx with update from FILE
--add-dbx FILE
    append dbx update from FILE
--add-dbx-cert GUID FILE
    add x509 cert to dbx, loaded in pem or der format from FILE and with owner GUID, can be specified multiple times
--add-dbx-hash GUID HASH
    add sha256 HASH to dbx, with owner GUID, can be specified multiple times
--add-mok GUID FILE
    add x509 cert to MokList, loaded in pem or der format from FILE and with owner GUID, can be specified multiple times
--add-mok-hash GUID HASH
    add sha256 HASH to MokList, with owner GUID, can be specified multiple times

Secure boot convenience shortcuts:

--enroll-redhat
    enroll default certificates for redhat platform
--enroll-cert CERT
    enroll using specified certificate
--enroll-generate CN
    enroll using generated cert with given common name
--enroll-mgmt
    enroll using external management guid
--no-microsoft
    do not add microsoft keys to db
--microsoft-kek {none,2011,2023,all}
    choose microsoft KEK keys to enroll
--distro-keys DISTRO
    add ca keys for DISTRO
--distro-list
    list known distros
--sb, --secure-boot
    enable secure boot mode

-p, --print
    print varstore
-v, --verbose
    print varstore verbosely
--hashes
    print signature db sha256 hashes
-x
    print variable hexdumps

Output options:

-o FILE, --output FILE
    write edk2 or aws vars to FILE, using the same format the --input FILE has.
--output-aws FILE
    write aws vars to FILE
--output-json FILE
    write json dump to FILE
--output-auth DIR
    write *.auth files to DIR

EXAMPLES

virt-fw-vars --input ${guest}_VARS.fd \
--print --verbose

virt-fw-vars --input OVMF_VARS.fd \
--output OVMF_VARS.secboot.fd \
--enroll-redhat \
--secure-boot
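
An added example, not part of the upstream manual page: a shell wrapper that builds a Secure Boot varstore from site-owned certificates using --set-pk, --add-kek, --add-db and an optional --add-dbx-hash, checks the GUID and HASH arguments first, never writes over the template, and reads the result back with --print --hashes. The function names, the argument order of build_varstore and the VIRT_FW_VARS override variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example: Secure Boot varstore with site-owned keys only.
# VIRT_FW_VARS is a hypothetical override so the tool path can be pinned.
VIRT_FW_VARS="${VIRT_FW_VARS:-virt-fw-vars}"

# Owner GUID arguments must be 8-4-4-4-12 hex digits.
is_guid() {
    printf '%s\n' "$1" |
        grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# --add-db-hash / --add-dbx-hash take a sha256 digest: 64 hex digits.
is_sha256() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{64}$'
}

# build_varstore TEMPLATE OUT GUID PK_CERT KEK_CERT DB_CERT [DBX_SHA256]
build_varstore() {
    template=$1 out=$2 guid=$3 pk=$4 kek=$5 db=$6 dbx_hash=${7:-}

    is_guid "$guid" || { echo "bad owner GUID: $guid" >&2; return 2; }
    for f in "$template" "$pk" "$kek" "$db"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
    done
    # Keep the pristine template; always write a new file.
    [ "$template" != "$out" ] ||
        { echo "refusing to overwrite template" >&2; return 2; }

    set -- --input "$template" --output "$out" \
        --set-pk "$guid" "$pk" \
        --add-kek "$guid" "$kek" \
        --add-db "$guid" "$db"
    if [ -n "$dbx_hash" ]; then
        is_sha256 "$dbx_hash" ||
            { echo "bad sha256: $dbx_hash" >&2; return 2; }
        set -- "$@" --add-dbx-hash "$guid" "$dbx_hash"
    fi

    "$VIRT_FW_VARS" "$@" --secure-boot || return 1
    # Read the result back so the enrolled keys and hashes can be reviewed.
    "$VIRT_FW_VARS" --input "$out" --print --hashes
}
```

Source the file and call build_varstore with your own template, certificates and owner GUID; the printed hashes can be compared against the values you intended to enroll.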

AUTHOR

Gerd Hoffmann <kraxel@redhat.com>

July 2025 virt-fw-vars 25.7.3