Efitools
========
The Efitools package contains two sets of utilities for UEFI Secure Boot:
- the host files
- the UEFI executables
Both can manipulate UEFI variables, so using only one kind of tool is enough.
Before modifying the variables, the bootloader must be signed using a valid certificate.
The certificate, PK and KEK keys, db and dbx files must be prepared using the 'sbsigntool' package.
Note that backups of all modified files are *strongly* recommended.
For a complete example/walkthrough, see http://www.rodsbooks.com/efi-bootloaders/controlling-sb.html.
Important note
--------------
Be careful when modifying or removing UEFI variables! Removing or altering critical variables may brick
your system!
Usually, this does *not* include PK, KEK or Secure Boot variables: as long as you can boot and go
to the firmware menu, Secure Boot can be reset to its factory state.
Host files
----------
These files require the 'efivars' filesystem to be mounted.
See http://blog.hansenpartnership.com/efitools-1-4-with-linux-key-manipulation-utilities-released/
for some help and examples.
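As an added example (not part of the efitools package), the POSIX shell snippet below reads the Secure Boot state and backs up the key variables directly from efivarfs before anything is changed; the mount point and GUIDs are the standard ones from the UEFI specification, and the directory argument is there so the functions can also be pointed at a saved copy.

```shell
# Added example, not from the efitools package: inspect and back up Secure Boot
# variables through efivarfs before modifying them with efi-updatevar.
# GUIDs are the standard EFI_GLOBAL_VARIABLE and EFI_IMAGE_SECURITY_DATABASE ones.
EFI_GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"      # PK, KEK, SecureBoot
EFI_IMAGE_SEC_GUID="d719b2cb-3d3a-4596-a3bc-dad00e67656f"   # db, dbx

# Print "enabled", "disabled" or "unknown" for the SecureBoot variable.
# Every efivarfs file starts with 4 bytes of attributes, so the value is byte 5.
secure_boot_state() {
    dir="${1:-/sys/firmware/efi/efivars}"
    f="$dir/SecureBoot-$EFI_GLOBAL_GUID"
    [ -r "$f" ] || { echo "unknown"; return 1; }
    case "$(od -An -tu1 -j4 -N1 "$f" | tr -d ' ')" in
        1) echo "enabled" ;;
        0) echo "disabled" ;;
        *) echo "unknown"; return 1 ;;
    esac
}

# Copy PK, KEK, db and dbx out of efivarfs into a backup directory, raw
# (attribute bytes included) so the original state can be inspected later.
# Prints the number of variables that were actually backed up.
backup_secure_boot_vars() {
    dir="${1:-/sys/firmware/efi/efivars}"
    out="${2:?backup directory required}"
    mkdir -p "$out"
    n=0
    for v in "PK-$EFI_GLOBAL_GUID" "KEK-$EFI_GLOBAL_GUID" \
             "db-$EFI_IMAGE_SEC_GUID" "dbx-$EFI_IMAGE_SEC_GUID"; do
        if [ -r "$dir/$v" ]; then
            cp "$dir/$v" "$out/$v" && n=$((n + 1))
        fi
    done
    echo "$n"
}
```

Run `secure_boot_state` with no argument on a live system to check the real efivarfs, and `backup_secure_boot_vars "" /root/sb-backup` before enrolling new keys.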
UEFI files
----------
UEFI files are located in the `/usr/lib/efitools/${ARCH}` directory.
These files should be copied to a UEFI-bootable USB key and run from the Tianocore UEFI
Shell (versions 1 and 2 should both work).
From the UEFI shell, run KeyTool.efi to view/edit keys.
Security
--------
The firmware (BIOS) setup should be password-protected; otherwise Secure Boot can simply be disabled from its menus.
Protect your private keys (ideally, on an offline host).
Use keys with a minimum size of 2048 bits.