virt-fw-vars-setup - Man Page

generate UEFI variable store in JSON format

Synopsis

virt-fw-vars-setup [--output] [--profile] [--enroll] [--arch] [--set-pk-cert] [--add-kek-cert] [--add-db-cert] [--set-dbx-update] [--disable-secure-boot] [-h|--help] [-V|--version]

Description

generate UEFI variable store in JSON format

Options

--output <FILE>

json variable store output file

If not specified output goes to stdout.

-h,  --help

Print help (see a summary with '-h')

-V,  --version

Print version

Quick Setup

--profile <NAME>

select 'db' profile

Use 'uefi*' profiles for Linux guests, use 'win*' profiles for Windows guests.  If in doubt you can also use the 'all' profile, which includes both and matches the typical configuration of physical hardware.

Possible values:

  • none: no certificates
  • win11: Windows CA certificates, 2011 + 2023
  • win23: Windows CA certificate, 2023 only
  • win+rom23: Windows CA + Option ROM certificates, 2023 only
  • uefi11: UEFI CA certificates, 2011 + 2023
  • uefi23: UEFI CA certificate, 2023
  • uefi+rom23: UEFI CA + Option ROM certificates, 2023
  • redhat: Red Hat UEFI CA certificate
  • redhat+rom: Red Hat UEFI CA + Option ROM certificates
  • all: Both Windows and UEFI CA certificates, 2011 + 2023

--enroll <MODE> [default: mgmt]

select 'PK' mode

Possible values:

  • mgmt: EFI_CERT_EXTERNAL_MANAGEMENT_GUID
  • redhat: Red Hat Secure Boot (PK/KEK key 1)

--arch <ARCH>

select efi architecture for 'dbx' update

By default native architecture will be used.

[possible values: aa64, x64]

Specify Details

--set-pk-cert <FILE>

set certificate for 'PK'

This has higher priority than PK mode.

--add-kek-cert <FILE>

add certificate to 'KEK'

Can be specified multiple times.  Default is to enroll the standard Microsoft KEK certificates.

--add-db-cert <FILE>

add certificate to 'db'

Can be specified multiple times.  Certificates will be enrolled in addition to the profile certificates.  Use '--profile none' if you want to specify all certificates explicitly.

--set-dbx-update <FILE>

load 'dbx' update from file

If specified replaces the compiled-in default update.

--disable-secure-boot

disable secure boot

Enroll all secure boot variables but disable secure boot.
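The following shell function is an added example showing how the options above combine for the common guest types; it is not part of virt-firmware.  It picks a 'db' profile per guest type, optionally appends a custom 'db' certificate, and then invokes the tool.  The certificate and output paths are placeholders, and the VIRT_FW_VARS_SETUP variable (an assumption of this example, not a tool feature) lets you point at a different binary or at 'echo' to preview the command line.

```shell
#!/bin/sh
# Added example, not part of virt-firmware.  Compose and run a
# virt-fw-vars-setup invocation for a given guest type.
#
# usage: setup_vars GUEST OUTPUT [EXTRA_DB_CERT]
#   GUEST   linux | windows | any | custom | linux-nosb
#   OUTPUT  path of the JSON variable store to write
#   EXTRA_DB_CERT  optional certificate file enrolled into 'db'
#                  in addition to the profile (placeholder path)
setup_vars() {
    guest=$1
    output=$2
    extra_cert=${3:-}

    set -- --output "$output"
    case $guest in
        # Linux guests: UEFI CA 2023 plus the Option ROM CA
        linux)
            set -- "$@" --profile uefi+rom23 ;;
        # Windows guests: both Windows CAs; dbx update for x64 firmware
        windows)
            set -- "$@" --profile win11 --arch x64 ;;
        # Unknown guest: mirror physical hardware (Windows + UEFI CAs)
        any)
            set -- "$@" --profile all ;;
        # Only explicitly listed certificates end up in 'db'
        custom)
            set -- "$@" --profile none ;;
        # Enroll everything but leave secure boot switched off
        linux-nosb)
            set -- "$@" --profile uefi+rom23 --disable-secure-boot ;;
        *)
            echo "setup_vars: unknown guest type '$guest'" >&2
            return 1 ;;
    esac

    if [ -n "$extra_cert" ]; then
        # 'custom' without a certificate would yield an empty 'db'
        set -- "$@" --add-db-cert "$extra_cert"
    elif [ "$guest" = custom ]; then
        echo "setup_vars: 'custom' needs an EXTRA_DB_CERT" >&2
        return 1
    fi

    # VIRT_FW_VARS_SETUP is an assumption of this example: override it
    # (e.g. with 'echo') to preview the arguments without running the tool.
    "${VIRT_FW_VARS_SETUP:-virt-fw-vars-setup}" "$@"
}

# Example call with placeholder paths:
# setup_vars linux /path/to/vars.json /path/to/my-signing-cert.pem
```

Running 'VIRT_FW_VARS_SETUP=echo setup_vars windows out.json' prints '--output out.json --profile win11 --arch x64', which is the command line the tool would receive; drop the override to actually write the variable store.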

Version

v0.6.0

Authors

Gerd Hoffmann <kraxel@redhat.com>

Info

virt-fw-vars-setup 0.6.0