SYSTEMD-SBSIGN(1) systemd-sbsign SYSTEMD-SBSIGN(1) NAME systemd-sbsign - Sign PE binaries for EFI Secure Boot SYNOPSIS systemd-sbsign [OPTIONS...] {COMMAND} DESCRIPTION systemd-sbsign can be used to sign PE binaries for EFI Secure Boot. COMMANDS sign Signs the given PE binary for EFI Secure Boot. Takes a path to a PE binary as its argument. If the PE binary already has a certificate table, the new signature will be added to it. Otherwise, a new certificate table will be created. The signed PE binary will be written to the path specified with --output=. Added in version 257. OPTIONS The following options are understood: --output=PATH Specifies the path where to write the signed PE binary or the data to be signed offline when using the --prepare-offline-signing option. Added in version 257. --private-key=PATH/URI, --private-key-source=TYPE[:NAME], --certificate=PATH, --certificate-source=TYPE[:NAME] Set the Secure Boot private key and certificate for use with the sign verb. The --certificate= option takes a path to a PEM-encoded X.509 certificate or a URI that's passed to the OpenSSL provider configured with --certificate-source. The --certificate-source option takes one of "file" or "provider", with the latter being followed by a specific provider identifier, separated with a colon, e.g. "provider:pkcs11". The --private-key= option takes a path or a URI that will be passed to the OpenSSL engine or provider, as specified by --private-key-source= as a "type:name" tuple, such as "engine:pkcs11". The specified OpenSSL signing engine or provider will be used to sign the PE binary. Added in version 257. --prepare-offline-signing When this option is specified, the sign command writes the data that should be signed to the path specified with --output= instead of writing the signed PE binary. This data can then be signed out of band after which the signature can be attached to the PE binary using the --signed-data= and --signed-data-signature= options. Added in version 258. --signed-data=PATH, --signed-data-signature=PATH Configure the signed data (as written to the path specified with --output= when using the --prepare-offline-signing option) and corresponding signature for the sign command. Added in version 258. -h, --help Print a short help text and exit. --version Print a short version string and exit. EXAMPLES Example 1. Offline EFI secure boot signing of a PE binary The following does offline secure boot signing of systemd-boot: SD_BOOT="$(find /usr/lib/systemd/boot/efi/ -name "systemd-boot*.efi" | head -n1)" # Extract the data that should be signed offline. /usr/lib/systemd/systemd-sbsign \ sign \ --certificate=secure-boot-certificate.pem \ --output=signed-data.bin \ --prepare-offline-signing \ "$SD_BOOT" # Sign the data out-of-band. This step usually happens out-of-band on a separate system. openssl dgst -sha256 -sign secure-boot-private-key.pem -out signed-data.sig signed-data.bin # Attach the signed data and its signature to the systemd-boot PE binary. /usr/lib/systemd/systemd-sbsign \ sign \ --certificate=secure-boot-certificate.pem \ --output="$SD_BOOT.signed" \ --signed-data=signed-data.bin \ --signed-data-signature=signed-data.sig \ "$SD_BOOT" SEE ALSO bootctl(1) systemd 259.5 SYSTEMD-SBSIGN(1)