Provided by: efitools_1.9.2-1ubuntu3_amd64 bug


       sign-efi-sig-list - signing tool for secure variables as EFI Signature Lists


       sign-efi-sig-list  [-r] [-m] [-a] [-g <guid>] [-o] [-t <timestamp>] [-i <infile>] [-c <crt
       file>] [-k <key file>] [-e <engine>] <var> <efi sig list file> <output file>


       Produce an output file with an  authentication  header  for  direct  update  to  a  secure
       variable.   This  output  may  be  signed  by  the usual keys directly or may be split for
       external signing using the -o and -i options.


       -r     the certificate is rsa2048 rather than x509 [UNIMPLEMENTED]

       -m     Use a monotonic count instead of a timestamp [UNIMPLEMENTED]

       -a     Prepare the variable for APPEND_WRITE rather than replacement

       -o     Do not sign, but output a file of the exact bundle to be signed

       -t <timestamp>
              Use <timestamp> as the timestamp of the timed variable update If not present,  then
              the  timestamp  will be taken from system time.  Note you must use this option when
              doing detached signing  otherwise  the  signature  will  be  incorrect  because  of
              timestamp mismatches.

       -i <infile>
              take a detached signature (in PEM format) of the bundle produced by -o and complete
              the creation of the update

       -g <guid>
              Use <guid> as the signature owner GUID

       -c <crt>
              <crt> is the file containing the signing certificate in PEM format

       -k <key>
              <key> is the file containing the key for <crt> in PEM format

       -e <engine>
              Use openssl engine <engine> for the private key


       To sign a simple append update to db which has been prepared as an EFI Signature  List  in
       DB.esl and output the result with the authentication header in DB.auth

       sign-efi-sig-list -a -c KEK.crt -k KEK.key db DB.esl DB.auth

       To do a detached signature in the same way

       sign-efi-sig-list -a -t 'Jul 21 09:39:37 BST 2012' -o db DB.esl DB.forsig

       Now  sign the DB.forsig file in the standard openssl way.  Note that the standards require
       sha256 as the signature algorithm

       openssl smime -sign -binary -in DB.forsig -out DB.signed -signer  KEK.crt  -inkey  KEK.key
       -outform DER -md sha256

       Which  produces  a  detached  PKCS7  signature  in DB.signed.  Now feed this back into the
       program remembering to keep the same timestamp (and the -a flag):

       sign-efi-sig-list -a -i DB.signed -t 'Jul 21 09:39:37 BST 2012' db DB.auth

       To delete a key, simply sign an empty EFI signature list file, so to produce  an  variable
       update that will delete the PK:

       > null.esl

       And then sign it in the standard way (must not be an append write update):

       sign-efi-sig-list -c PK.crt -k PK.key PK null.esl PK.auth

       Once you have the .auth file conveyed to the UEFI platform, you can use the UpdateVars.efi
       program to apply it

       UpdateVars [-a] db DB.auth

       Where the -a flag must be present if the DB.auth file  was  created  as  an  append  write
       update and absent if its replacing the variable.


       cert-to-efi-sig-list(1) for details on how to produce EFI signature lists.