NAME

virt-fw-vars - manual page for virt-fw-vars 24.4

DESCRIPTION

The virt-fw-vars utility can print and modify UEFI variable stores. Supported formats are standard edk2 (as used by ovmf and armvirt) and aws.

usage: virt-fw-vars [-h] [-l LEVEL] [-i FILE] [--inplace FILE]

[--extract-certs] [-d VAR] [--set-true VAR]: [--set-false VAR] [--set-json FILE] [--set-boot-uri LINK] [--append-boot-filepath FILE] [--set-shim-debug] [--set-shim-verbose] [--set-fallback-verbose] [--set-fallback-no-reboot] [--set-sbat-level FILE] [--set-pk GUID FILE] [--add-kek GUID FILE] [--add-db GUID FILE] [--set-dbx FILE] [--add-mok GUID FILE] [--add-db-hash GUID HASH] [--add-mok-hash GUID HASH] [--enroll-redhat] [--enroll-cert CERT] [--enroll-generate CN] [--no-microsoft] [--distro-keys DISTRO] [--distro-list] [--sb] [-p] [-v] [-x] [-o FILE] [--output-aws FILE] [--output-json FILE]

Print and modify EFI variable stores.

--set-boot-uri LINK: set network boot uri to LINK (once, using BootNext)
--append-boot-filepath FILE: append boot entry for FILE (permanent, using BootOrder)

--set-pk GUID FILE: set PK to x509 cert, loaded in pem format from FILE and with owner GUID
--add-kek GUID FILE: add x509 cert to KEK, loaded in pem format from FILE and with owner GUID, can be specified multiple times
--add-db GUID FILE: add x509 cert to db, loaded in pem format from FILE and with owner GUID, can be specified multiple times
--set-dbx FILE: initialize dbx with update from FILE
--add-mok GUID FILE: add x509 cert to MokList, loaded in pem format from FILE and with owner GUID, can be specified multiple times
--add-db-hash GUID HASH: add sha256 HASH to db, with owner GUID, can be specified multiple times
--add-mok-hash GUID HASH: add sha256 HASH to MokList, with owner GUID, can be specified multiple times

-o FILE, --output FILE: write edk2 or aws vars to FILE, using the same format the --input FILE has.
--output-aws FILE: write aws vars to FILE
--output-json FILE: write json dump to FILE

Print variable store.: virt-fw-vars --input ${guest}_VARS.fd \
--print --verbose
Enroll default (microsoft) secure boot certificates: virt-fw-vars --input OVMF_VARS.fd \
--output OVMF_VARS.secboot.fd \
--enroll-redhat \
--secure-boot

Gerd Hoffmann <kraxel@redhat.com>

April 2024

virt-fw-vars 24.4