.\" DO NOT MODIFY THIS FILE!  It was generated by help2man 1.49.3.
.TH VIRT-FW-VARS "1" "April 2024" "virt-fw-vars 24.4" "User Commands"
.SH NAME
virt-fw-vars \- manual page for virt-fw-vars 24.4
.SH DESCRIPTION
The virt-fw-vars utility can print and modify UEFI variable stores.
Supported formats are standard edk2 (as used by ovmf and armvirt) and aws.
.PP
usage: virt\-fw\-vars [\-h] [\-l LEVEL] [\-i FILE] [\-\-inplace FILE]
.TP
[\-\-extract\-certs] [\-d VAR] [\-\-set\-true VAR]
[\-\-set\-false VAR] [\-\-set\-json FILE]
[\-\-set\-boot\-uri LINK] [\-\-append\-boot\-filepath FILE]
[\-\-set\-shim\-debug] [\-\-set\-shim\-verbose]
[\-\-set\-fallback\-verbose] [\-\-set\-fallback\-no\-reboot]
[\-\-set\-sbat\-level FILE] [\-\-set\-pk GUID FILE]
[\-\-add\-kek GUID FILE] [\-\-add\-db GUID FILE]
[\-\-set\-dbx FILE] [\-\-add\-mok GUID FILE]
[\-\-add\-db\-hash GUID HASH] [\-\-add\-mok\-hash GUID HASH]
[\-\-enroll\-redhat] [\-\-enroll\-cert CERT]
[\-\-enroll\-generate CN] [\-\-no\-microsoft]
[\-\-distro\-keys DISTRO] [\-\-distro\-list] [\-\-sb] [\-p] [\-v]
[\-x] [\-o FILE] [\-\-output\-aws FILE] [\-\-output\-json FILE]
.PP
Print and modify EFI variable stores.
.SS "options:"
.TP
\fB\-h\fR, \fB\-\-help\fR
show this help message and exit
.TP
\fB\-l\fR LEVEL, \fB\-\-loglevel\fR LEVEL
set loglevel to LEVEL
.TP
\fB\-i\fR FILE, \fB\-\-input\fR FILE
read edk2 or aws vars from FILE
.TP
\fB\-\-inplace\fR FILE, \fB\-\-in\-place\fR FILE
modify FILE in place
.TP
\fB\-\-extract\-certs\fR
extract all certificates
.SS "Variable options:"
.TP
\fB\-d\fR VAR, \fB\-\-delete\fR VAR
delete variable VAR, can be specified multiple times
.TP
\fB\-\-set\-true\fR VAR
set variable VAR to true, can be specified multiple times
.TP
\fB\-\-set\-false\fR VAR
set variable VAR to false, can be specified multiple times
.TP
\fB\-\-set\-json\fR FILE
set variables from json dump FILE
.SS "Boot configuration:"
.TP
\fB\-\-set\-boot\-uri\fR LINK
set network boot uri to LINK (once, using BootNext)
.TP
\fB\-\-append\-boot\-filepath\fR FILE
append boot entry for FILE (permanent, using BootOrder)
.SS "shim.efi configuration:"
.TP
\fB\-\-set\-shim\-debug\fR
enable shim.efi debugging (pause for debugger attach)
.TP
\fB\-\-set\-shim\-verbose\fR
enable shim.efi verbose messages
.TP
\fB\-\-set\-fallback\-verbose\fR
enable fallback.efi verbose messages
.TP
\fB\-\-set\-fallback\-no\-reboot\fR
disable rebooting for fallback.efi
.TP
\fB\-\-set\-sbat\-level\fR FILE
set SbatLevel variable
.SS "Secure boot setup options:"
.TP
\fB\-\-set\-pk\fR GUID FILE
set PK to x509 cert, loaded in pem format from FILE and with owner GUID
.TP
\fB\-\-add\-kek\fR GUID FILE
add x509 cert to KEK, loaded in pem format from FILE and with owner GUID,
can be specified multiple times
.TP
\fB\-\-add\-db\fR GUID FILE
add x509 cert to db, loaded in pem format from FILE and with owner GUID,
can be specified multiple times
.TP
\fB\-\-set\-dbx\fR FILE
initialize dbx with update from FILE
.TP
\fB\-\-add\-mok\fR GUID FILE
add x509 cert to MokList, loaded in pem format from FILE and with owner GUID,
can be specified multiple times
.TP
\fB\-\-add\-db\-hash\fR GUID HASH
add sha256 HASH to db, with owner GUID,
can be specified multiple times
.TP
\fB\-\-add\-mok\-hash\fR GUID HASH
add sha256 HASH to MokList, with owner GUID,
can be specified multiple times
.SS "Secure boot convenience shortcuts:"
.TP
\fB\-\-enroll\-redhat\fR
enroll default certificates for redhat platform
.TP
\fB\-\-enroll\-cert\fR CERT
enroll using specified certificate
.TP
\fB\-\-enroll\-generate\fR CN
enroll using generated cert with given common name
.TP
\fB\-\-no\-microsoft\fR
do not add microsoft keys
.TP
\fB\-\-distro\-keys\fR DISTRO
add ca keys for DISTRO
.TP
\fB\-\-distro\-list\fR
list known distros
.TP
\fB\-\-sb\fR, \fB\-\-secure\-boot\fR
enable secure boot mode
.SS "Print options:"
.TP
\fB\-p\fR, \fB\-\-print\fR
print varstore
.TP
\fB\-v\fR, \fB\-\-verbose\fR
print varstore verbosely
.TP
\fB\-x\fR, \fB\-\-hexdump\fR
print variable hexdumps
.SS "Output options:"
.TP
\fB\-o\fR FILE, \fB\-\-output\fR FILE
write edk2 or aws vars to FILE, using the same format the \fB\-\-input\fR FILE has.
.TP
\fB\-\-output\-aws\fR FILE
write aws vars to FILE
.TP
\fB\-\-output\-json\fR FILE
write json dump to FILE
.SH EXAMPLES
.TP
Print variable store.
.nf
virt-fw-vars --input ${guest}_VARS.fd \\
             --print --verbose
.fi
.TP
Enroll default (microsoft) secure boot certificates
.nf
virt-fw-vars --input OVMF_VARS.fd \\
             --output OVMF_VARS.secboot.fd \\
             --enroll-redhat \\
             --secure-boot
.fi
.SH AUTHOR
Gerd Hoffmann
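.PP
The secure boot setup options can also enroll site-owned keys in place of the convenience shortcuts. The following is an added example, not part of the original manual page or the virt-firmware project: the helper names, the owner GUID and the file names are hypothetical, and it assumes paths without whitespace. It checks the owner GUID and the PEM inputs, then prints the command built only from flags documented above.

```sh
#!/bin/sh
# Added example (not from the virt-firmware project): pre-flight checks for
# enrolling site-owned PK/KEK/db certificates with virt-fw-vars.
# Function names are hypothetical; only flags from the option list are used.

# valid_guid GUID: succeed if GUID has the 8-4-4-4-12 hexadecimal layout.
valid_guid() {
    printf '%s\n' "$1" | grep -Eq \
        '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# is_pem_cert FILE: succeed if FILE is readable and has a PEM certificate header.
is_pem_cert() {
    [ -r "$1" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# enroll_cmd SRC DST GUID PK KEK DB
# Print the virt-fw-vars command line, or return non-zero without printing it.
# Assumption: no path contains whitespace (the output is not shell-quoted).
enroll_cmd() {
    src=$1 dst=$2 guid=$3 pk=$4 kek=$5 db=$6
    valid_guid "$guid" || { echo "bad owner GUID: $guid" >&2; return 2; }
    for f in "$pk" "$kek" "$db"; do
        is_pem_cert "$f" || { echo "not a PEM certificate: $f" >&2; return 3; }
    done
    # Keep the pristine template: write the result to a separate file.
    [ "$src" != "$dst" ] || { echo "input and output must differ" >&2; return 4; }
    printf 'virt-fw-vars --input %s --output %s' "$src" "$dst"
    printf ' --set-pk %s %s --add-kek %s %s --add-db %s %s' \
        "$guid" "$pk" "$guid" "$kek" "$guid" "$db"
    printf ' --secure-boot\n'
}

# Usage (constructed values):
#   enroll_cmd OVMF_VARS.fd OVMF_VARS.site.fd \
#       11111111-2222-3333-4444-555555555555 pk.pem kek.pem db.pem
```

After running the printed command, the result can be inspected with \-\-input on the output file together with \-\-print \-\-verbose.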