VIRT-FW-VARS(1)                  User Commands                 VIRT-FW-VARS(1)

NAME
       virt-fw-vars - manual page for virt-fw-vars 24.4

DESCRIPTION
       The virt-fw-vars utility can print and modify UEFI variable stores.
       Supported formats are standard edk2 (as used by ovmf and armvirt) and
       aws.

       usage: virt-fw-vars [-h] [-l LEVEL] [-i FILE] [--inplace FILE]
                           [--extract-certs] [-d VAR] [--set-true VAR]
                           [--set-false VAR] [--set-json FILE]
                           [--set-boot-uri LINK] [--append-boot-filepath FILE]
                           [--set-shim-debug] [--set-shim-verbose]
                           [--set-fallback-verbose] [--set-fallback-no-reboot]
                           [--set-sbat-level FILE] [--set-pk GUID FILE]
                           [--add-kek GUID FILE] [--add-db GUID FILE]
                           [--set-dbx FILE] [--add-mok GUID FILE]
                           [--add-db-hash GUID HASH] [--add-mok-hash GUID HASH]
                           [--enroll-redhat] [--enroll-cert CERT]
                           [--enroll-generate CN] [--no-microsoft]
                           [--distro-keys DISTRO] [--distro-list] [--sb] [-p]
                           [-v] [-x] [-o FILE] [--output-aws FILE]
                           [--output-json FILE]

       Print and modify EFI variable stores.

   options:
       -h, --help
              show this help message and exit

       -l LEVEL, --loglevel LEVEL
              set loglevel to LEVEL

       -i FILE, --input FILE
              read edk2 or aws vars from FILE

       --inplace FILE, --in-place FILE
              modify FILE in place

       --extract-certs
              extract all certificates

   Variable options:
       -d VAR, --delete VAR
              delete variable VAR, can be specified multiple times

       --set-true VAR
              set variable VAR to true, can be specified multiple times

       --set-false VAR
              set variable VAR to false, can be specified multiple times

       --set-json FILE
              set variables from json dump FILE

   Boot configuration:
       --set-boot-uri LINK
              set network boot uri to LINK (once, using BootNext)

       --append-boot-filepath FILE
              append boot entry for FILE (permanent, using BootOrder)

   shim.efi configuration:
       --set-shim-debug
              enable shim.efi debugging (pause for debugger attach)

       --set-shim-verbose
              enable shim.efi verbose messages

       --set-fallback-verbose
              enable fallback.efi verbose messages

       --set-fallback-no-reboot
              disable rebooting for fallback.efi

       --set-sbat-level FILE
              set SbatLevel variable

   Secure boot setup options:
       --set-pk GUID FILE
              set PK to x509 cert, loaded in pem format from FILE and with
              owner GUID

       --add-kek GUID FILE
              add x509 cert to KEK, loaded in pem format from FILE and with
              owner GUID, can be specified multiple times

       --add-db GUID FILE
              add x509 cert to db, loaded in pem format from FILE and with
              owner GUID, can be specified multiple times

       --set-dbx FILE
              initialize dbx with update from FILE

       --add-mok GUID FILE
              add x509 cert to MokList, loaded in pem format from FILE and
              with owner GUID, can be specified multiple times

       --add-db-hash GUID HASH
              add sha256 HASH to db, with owner GUID, can be specified
              multiple times

       --add-mok-hash GUID HASH
              add sha256 HASH to MokList, with owner GUID, can be specified
              multiple times

   Secure boot convenience shortcuts:
       --enroll-redhat
              enroll default certificates for redhat platform

       --enroll-cert CERT
              enroll using specified certificate

       --enroll-generate CN
              enroll using generated cert with given common name

       --no-microsoft
              do not add microsoft keys

       --distro-keys DISTRO
              add ca keys for DISTRO

       --distro-list
              list known distros

       --sb, --secure-boot
              enable secure boot mode

   Print options:
       -p, --print
              print varstore

       -v, --verbose
              print varstore verbosely

       -x, --hexdump
              print variable hexdumps

   Output options:
       -o FILE, --output FILE
              write edk2 or aws vars to FILE, using the same format the
              --input FILE has.

       --output-aws FILE
              write aws vars to FILE

       --output-json FILE
              write json dump to FILE

EXAMPLES
       Print variable store.

           virt-fw-vars --input ${guest}_VARS.fd \
                        --print --verbose

       Enroll default (microsoft) secure boot certificates

           virt-fw-vars --input OVMF_VARS.fd \
                        --output OVMF_VARS.secboot.fd \
                        --enroll-redhat \
                        --secure-boot

AUTHOR
       Gerd Hoffmann

virt-fw-vars 24.4                 April 2024                   VIRT-FW-VARS(1)