virt-fw-vars - Man Page
manual page for virt-fw-vars 24.7
Description
The virt-fw-vars utility can print and modify UEFI variable stores. Supported formats are standard edk2 (as used by ovmf and armvirt) and aws.
usage: virt-fw-vars [-h] [-l LEVEL] [-i FILE] [--inplace FILE]
       [--extract-certs] [-d VAR] [--set-true VAR] [--set-false VAR]
       [--set-json FILE] [--set-boot-uri LINK]
       [--append-boot-filepath FILE] [--set-shim-debug]
       [--set-shim-verbose] [--set-fallback-verbose]
       [--set-fallback-no-reboot] [--set-sbat-level FILE]
       [--set-pk GUID FILE] [--add-kek GUID FILE] [--add-db GUID FILE]
       [--set-dbx FILE] [--add-mok GUID FILE] [--add-db-hash GUID HASH]
       [--add-mok-hash GUID HASH] [--enroll-redhat] [--enroll-cert CERT]
       [--enroll-generate CN] [--no-microsoft]
       [--microsoft-kek {none,2011,2023,all}] [--distro-keys DISTRO]
       [--distro-list] [--sb] [-p] [-v] [-x] [-o FILE]
       [--output-aws FILE] [--output-json FILE]
Print and modify EFI variable stores.
Options
- -h, --help
show this help message and exit
- -l LEVEL, --loglevel LEVEL
set loglevel to LEVEL
- -i FILE, --input FILE
read edk2 or aws vars from FILE
- --inplace FILE, --in-place FILE
modify FILE in place
- --extract-certs
extract all certificates
Variable options
- -d VAR, --delete VAR
delete variable VAR, can be specified multiple times
- --set-true VAR
set variable VAR to true, can be specified multiple times
- --set-false VAR
set variable VAR to false, can be specified multiple times
- --set-json FILE
set variables from json dump FILE
Boot configuration
- --set-boot-uri LINK
set network boot uri to LINK (once, using BootNext)
- --append-boot-filepath FILE
append boot entry for FILE (permanent, using BootOrder)
shim.efi configuration
- --set-shim-debug
enable shim.efi debugging (pause for debugger attach)
- --set-shim-verbose
enable shim.efi verbose messages
- --set-fallback-verbose
enable fallback.efi verbose messages
- --set-fallback-no-reboot
disable rebooting for fallback.efi
- --set-sbat-level FILE
set SbatLevel variable
Secure boot setup options
- --set-pk GUID FILE
set PK to x509 cert, loaded in pem format from FILE and with owner GUID
- --add-kek GUID FILE
add x509 cert to KEK, loaded in pem format from FILE and with owner GUID, can be specified multiple times
- --add-db GUID FILE
add x509 cert to db, loaded in pem format from FILE and with owner GUID, can be specified multiple times
- --set-dbx FILE
initialize dbx with update from FILE
- --add-mok GUID FILE
add x509 cert to MokList, loaded in pem format from FILE and with owner GUID, can be specified multiple times
- --add-db-hash GUID HASH
add sha256 HASH to db, with owner GUID, can be specified multiple times
- --add-mok-hash GUID HASH
add sha256 HASH to MokList, with owner GUID, can be specified multiple times
Secure boot convenience shortcuts
- --enroll-redhat
enroll default certificates for redhat platform
- --enroll-cert CERT
enroll using specified certificate
- --enroll-generate CN
enroll using generated cert with given common name
- --no-microsoft
do not add microsoft keys to db
- --microsoft-kek {none,2011,2023,all}
choose microsoft KEK keys to enroll
- --distro-keys DISTRO
add ca keys for DISTRO
- --distro-list
list known distros
- --sb, --secure-boot
enable secure boot mode
Print options
- -p, --print
print varstore
- -v, --verbose
print varstore verbosely
- -x, --hexdump
print variable hexdumps
Output options
- -o FILE, --output FILE
write edk2 or aws vars to FILE, using the same format the --input FILE has.
- --output-aws FILE
write aws vars to FILE
- --output-json FILE
write json dump to FILE
Examples
- Print variable store.
- Enroll default (microsoft) secure boot certificates
    virt-fw-vars --input OVMF_VARS.fd \
                 --output OVMF_VARS.secboot.fd \
                 --enroll-redhat \
                 --secure-boot
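Enrolling self-managed keys with --set-pk, --add-kek and --add-db instead of the shortcuts, as an added example that is not part of the man page or the project's own code. It checks the owner GUID and the PEM inputs those options expect before calling the tool; the function names, file arguments and the VIRT_FW_VARS override are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the man page: enroll a self-managed PK/KEK/db
# into a copy of a varstore using only the options documented above.
# Hypothetical names: is_guid, is_pem_cert, enroll_custom_keys and the
# VIRT_FW_VARS override (set VIRT_FW_VARS=echo for a dry run).

: "${VIRT_FW_VARS:=virt-fw-vars}"

# Return 0 if $1 is a canonical 8-4-4-4-12 hex GUID.
is_guid() {
    printf '%s\n' "$1" | grep -Eqx \
        '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}'
}

# Return 0 if $1 is a readable file containing a PEM certificate header.
is_pem_cert() {
    [ -r "$1" ] && grep -q -e '-----BEGIN CERTIFICATE-----' "$1"
}

# enroll_custom_keys SRC DST GUID PK.pem KEK.pem DB.pem
# Returns 2 for a bad GUID, 3 for a non-PEM cert, 4 if SRC equals DST,
# otherwise the exit status of virt-fw-vars.
enroll_custom_keys() {
    src=$1 dst=$2 guid=$3 pk=$4 kek=$5 db=$6
    is_guid "$guid" || { echo "bad owner GUID: $guid" >&2; return 2; }
    for cert in "$pk" "$kek" "$db"; do
        is_pem_cert "$cert" || { echo "not a PEM cert: $cert" >&2; return 3; }
    done
    # Keep the pristine template: never write over the input varstore.
    [ "$src" != "$dst" ] || { echo "refusing to overwrite $src" >&2; return 4; }
    "$VIRT_FW_VARS" --input "$src" --output "$dst" \
        --set-pk "$guid" "$pk" \
        --add-kek "$guid" "$kek" \
        --add-db "$guid" "$db" \
        --secure-boot
}
```

Afterwards, running virt-fw-vars with --input on the new file and --print shows the enrolled variables for review.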
Author
Gerd Hoffmann <kraxel@redhat.com>