virt-fw-vars - Man Page

manual page for virt-fw-vars 24.7

Description

The virt-fw-vars utility can print and modify UEFI variable stores. Supported formats are standard edk2 (as used by ovmf and armvirt) and aws.

usage: virt-fw-vars [-h] [-l LEVEL] [-i FILE] [--inplace FILE]
                    [--extract-certs] [-d VAR] [--set-true VAR]
                    [--set-false VAR] [--set-json FILE]
                    [--set-boot-uri LINK] [--append-boot-filepath FILE]
                    [--set-shim-debug] [--set-shim-verbose]
                    [--set-fallback-verbose] [--set-fallback-no-reboot]
                    [--set-sbat-level FILE] [--set-pk GUID FILE]
                    [--add-kek GUID FILE] [--add-db GUID FILE]
                    [--set-dbx FILE] [--add-mok GUID FILE]
                    [--add-db-hash GUID HASH] [--add-mok-hash GUID HASH]
                    [--enroll-redhat] [--enroll-cert CERT]
                    [--enroll-generate CN] [--no-microsoft]
                    [--microsoft-kek {none,2011,2023,all}]
                    [--distro-keys DISTRO] [--distro-list] [--sb] [-p]
                    [-v] [-x] [-o FILE] [--output-aws FILE]
                    [--output-json FILE]

Print and modify EFI variable stores.

options

-h, --help

show this help message and exit

-l LEVEL, --loglevel LEVEL

set loglevel to LEVEL

-i FILE, --input FILE

read edk2 or aws vars from FILE

--inplace FILE, --in-place FILE

modify FILE in place

--extract-certs

extract all certificates

Variable options

-d VAR, --delete VAR

delete variable VAR, can be specified multiple times

--set-true VAR

set variable VAR to true, can be specified multiple times

--set-false VAR

set variable VAR to false, can be specified multiple times

--set-json FILE

set variables from json dump FILE

Boot configuration

--set-boot-uri LINK

set network boot uri to LINK (once, using BootNext)

--append-boot-filepath FILE

append boot entry for FILE (permanent, using BootOrder)

shim.efi configuration

--set-shim-debug

enable shim.efi debugging (pause for debugger attach)

--set-shim-verbose

enable shim.efi verbose messages

--set-fallback-verbose

enable fallback.efi verbose messages

--set-fallback-no-reboot

disable rebooting for fallback.efi

--set-sbat-level FILE

set SbatLevel variable

Secure boot setup options

--set-pk GUID FILE

set PK to x509 cert, loaded in pem format from FILE and with owner GUID

--add-kek GUID FILE

add x509 cert to KEK, loaded in pem format from FILE and with owner GUID, can be specified multiple times

--add-db GUID FILE

add x509 cert to db, loaded in pem format from FILE and with owner GUID, can be specified multiple times

--set-dbx FILE

initialize dbx with update from FILE

--add-mok GUID FILE

add x509 cert to MokList, loaded in pem format from FILE and with owner GUID, can be specified multiple times

--add-db-hash GUID HASH

add sha256 HASH to db, with owner GUID, can be specified multiple times

--add-mok-hash GUID HASH

add sha256 HASH to MokList, with owner GUID, can be specified multiple times

Secure boot convenience shortcuts

--enroll-redhat

enroll default certificates for redhat platform

--enroll-cert CERT

enroll using specified certificate

--enroll-generate CN

enroll using generated cert with given common name

--no-microsoft

do not add microsoft keys to db

--microsoft-kek {none,2011,2023,all}

choose microsoft KEK keys to enroll

--distro-keys DISTRO

add ca keys for DISTRO

--distro-list

list known distros

--sb, --secure-boot

enable secure boot mode

Print options

-p, --print

print varstore

-v, --verbose

print varstore verbosely

-x, --hexdump

print variable hexdumps

Output options

-o FILE, --output FILE

write edk2 or aws vars to FILE, using the same format the --input FILE has.

--output-aws FILE

write aws vars to FILE

--output-json FILE

write json dump to FILE

Examples

Print variable store.

virt-fw-vars --input "${guest}_VARS.fd" \
            --print --verbose

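Enroll the default secure boot certificates (--enroll-redhat, which includes the Microsoft keys unless --no-microsoft is given) and enable secure boot mode.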

virt-fw-vars --input OVMF_VARS.fd \
            --output OVMF_VARS.secboot.fd \
            --enroll-redhat \
            --secure-boot
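
Enroll site-owned keys instead of the defaults. This is an added example, not part of the original man page or the virt-firmware project: it uses only the --set-pk, --add-kek, --add-db, --secure-boot and --print options documented above. The function names, file names and the pre-flight checks are assumptions of the example.

```shell
#!/bin/sh
# Added example: write a secure-boot-enabled copy of a varstore template
# that trusts only caller-supplied certificates. All names are hypothetical.

# Owner GUIDs are passed in the usual 8-4-4-4-12 hex form.
valid_guid() {
    printf '%s\n' "$1" | grep -Eq \
        '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$'
}

# Shallow sanity check only: the file is readable and carries a PEM
# certificate header (the format --set-pk/--add-kek/--add-db load).
# It does not validate the certificate itself.
is_pem_cert() {
    [ -r "$1" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# enroll_custom_keys TEMPLATE OUTPUT GUID PK.pem KEK.pem DB.pem
enroll_custom_keys() {
    src=$1 dst=$2 guid=$3 pk=$4 kek=$5 db=$6
    # Keep the pristine template; write the enrolled store elsewhere.
    [ "$src" != "$dst" ] || { echo "refusing to overwrite $src" >&2; return 2; }
    valid_guid "$guid" || { echo "bad owner GUID: $guid" >&2; return 2; }
    for cert in "$pk" "$kek" "$db"; do
        is_pem_cert "$cert" || { echo "not a PEM cert: $cert" >&2; return 2; }
    done
    virt-fw-vars --input "$src" --output "$dst" \
        --set-pk "$guid" "$pk" \
        --add-kek "$guid" "$kek" \
        --add-db "$guid" "$db" \
        --secure-boot || return 1
    # Print the result so the enrolled PK/KEK/db entries can be reviewed.
    virt-fw-vars --input "$dst" --print --verbose
}

# Run directly with six arguments; with none, only the functions are defined.
if [ "$#" -eq 6 ]; then
    enroll_custom_keys "$@"
fi
```

Reviewing the printed store before attaching it to a guest confirms that PK, KEK and db hold only the intended certificates.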

Author

Gerd Hoffmann <kraxel@redhat.com>

Referenced By

virt-fw-sigdb(1).

July 2024 virt-fw-vars 24.7