Provided by: python3-virt-firmware_24.1.1-2_all 
NAME
virt-fw-vars - manual page for virt-fw-vars 24.1
DESCRIPTION
The virt-fw-vars utility can print and modify UEFI variable stores. Supported formats are
standard edk2 (as used by ovmf and armvirt) and aws.
usage: virt-fw-vars [-h] [-l LEVEL] [-i FILE] [--inplace FILE]
[--extract-certs] [-d VAR] [--set-true VAR]
[--set-false VAR] [--set-json FILE] [--set-boot-uri LINK] [--append-boot-filepath
FILE] [--set-shim-debug] [--set-shim-verbose] [--set-fallback-verbose]
[--set-fallback-no-reboot] [--set-sbat-level FILE] [--set-pk GUID FILE] [--add-kek
GUID FILE] [--add-db GUID FILE] [--set-dbx FILE] [--add-mok GUID FILE]
[--add-db-hash GUID HASH] [--add-mok-hash GUID HASH] [--enroll-redhat]
[--enroll-cert CERT] [--enroll-generate CN] [--no-microsoft] [--distro-keys DISTRO]
[--distro-list] [--sb] [-p] [-v] [-x] [-o FILE] [--output-aws FILE] [--output-json
FILE]
Print and modify EFI variable stores.
options:
-h, --help
show this help message and exit
-l LEVEL, --loglevel LEVEL
set loglevel to LEVEL
-i FILE, --input FILE
read edk2 or aws vars from FILE
--inplace FILE, --in-place FILE
modify FILE in place
--extract-certs
extract all certificates
Variable options:
-d VAR, --delete VAR
delete variable VAR, can be specified multiple times
--set-true VAR
set variable VAR to true, can be specified multiple times
--set-false VAR
set variable VAR to false, can be specified multiple times
--set-json FILE
set variables from json dump FILE
Boot configuration:
--set-boot-uri LINK
set network boot uri to LINK (once, using BootNext)
--append-boot-filepath FILE
append boot entry for FILE (permanent, using BootOrder)
shim.efi configuration:
--set-shim-debug
enable shim.efi debugging (pause for debugger attach)
--set-shim-verbose
enable shim.efi verbose messages
--set-fallback-verbose
enable fallback.efi verbose messages
--set-fallback-no-reboot
disable rebooting for fallback.efi
--set-sbat-level FILE
set SbatLevel variable
Secure boot setup options:
--set-pk GUID FILE
set PK to x509 cert, loaded in pem format from FILE and with owner GUID
--add-kek GUID FILE
add x509 cert to KEK, loaded in pem format from FILE and with owner GUID, can be
specified multiple times
--add-db GUID FILE
add x509 cert to db, loaded in pem format from FILE and with owner GUID, can be
specified multiple times
--set-dbx FILE
initialize dbx with update from FILE
--add-mok GUID FILE
add x509 cert to MokList, loaded in pem format from FILE and with owner GUID, can
be specified multiple times
--add-db-hash GUID HASH
add sha256 HASH to db, with owner GUID, can be specified multiple times
--add-mok-hash GUID HASH
add sha256 HASH to MokList, with owner GUID, can be specified multiple times
Secure boot convinience shortcuts:
--enroll-redhat
enroll default certificates for redhat platform
--enroll-cert CERT
enroll using specified certificate
--enroll-generate CN
enroll using generated cert with given common name
--no-microsoft
do not add microsoft keys
--distro-keys DISTRO
add ca keys for DISTRO
--distro-list
list known distros
--sb, --secure-boot
enable secure boot mode
Print options:
-p, --print
print varstore
-v, --verbose
print varstore verbosely
-x, --hexdump
print variable hexdumps
Output options:
-o FILE, --output FILE
write edk2 or aws vars to FILE, using the same format the --input FILE has.
--output-aws FILE
write aws vars to FILE
--output-json FILE
write json dump to FILE
EXAMPLES
Print variable store.
virt-fw-vars --input ${guest}_VARS.fd \
--print --verbose
Enroll default (microsoft) secure boot certificates
virt-fw-vars --input OVMF_VARS.fd \
--output OVMF_VARS.secboot.fd \
--enroll-redhat \
--secure-boot
AUTHOR
Gerd Hoffmann <kraxel@redhat.com>