NAME

       virt-fw-sigdb - manual page for virt-fw-sigdb 24.7

DESCRIPTION

       The  virt-fw-sigdb  utility can create, modify and print EFI signature databases.  This is
       the format used by UEFI firmware to store lists of certificates  and  authenticode  hashes
       for binaries in EFI variables like 'PK', 'KEK', 'db' and 'dbx'.

       Usually  signature  databases  are  embedded in EFI variable stores, so for most use cases
       you'll probably should check out the virt-fw-vars(1) utility instead of this.

       The exception to this rule is the list of root CA certificates for TLS  connections  which
       can be passed from the host via qemu to OVMF using the etc/edk2/https/cacerts fw_cfg file.

       usage: virt-fw-sigdb [-h] [-i FILE] [-o FILE] [--add-cert GUID FILE]

              [--add-hash GUID HASH] [-p]

   options:
       -h, --help
              show this help message and exit

       -i FILE, --input FILE
              read efi sigdb FILE

       -o FILE, --output FILE
              write efi sigdb FILE.

       --add-cert GUID FILE
              add  x509 cert to sigdb, loaded in pem format from FILE and with owner GUID, can be
              specified multiple times

       --add-hash GUID HASH
              add sha256 hash to sigdb, with owner GUID, can be specified multiple times

       -p, --print
              print sigdb

EXAMPLES

       Print system root CA database
              virt-fw-sigdb --print \
                  --input /etc/pki/ca-trust/extracted/edk2/cacerts.bin

AUTHOR

       Gerd Hoffmann <kraxel@redhat.com>