Provided by: python3-virt-firmware_25.4.1-1_all 

NAME
virt-fw-vars - manual page for virt-fw-vars 25.4
DESCRIPTION
The virt-fw-vars utility can print and modify UEFI variable stores. Supported formats are standard edk2
(as used by ovmf and armvirt) and aws.
usage: virt-fw-vars [-h] [-l LEVEL] [-i FILE] [--inplace FILE]
[--extract-certs] [-d VAR] [--set-true VAR] [--set-false VAR]
[--set-json FILE] [--set-boot-uri LINK] [--append-boot-filepath FILE]
[--set-shim-debug] [--set-shim-verbose] [--set-fallback-verbose]
[--set-fallback-no-reboot] [--set-sbat-level FILE] [--set-pk GUID FILE]
[--add-kek GUID FILE] [--add-db GUID FILE] [--set-dbx FILE]
[--add-dbx FILE] [--add-mok GUID FILE] [--add-db-hash GUID HASH]
[--add-mok-hash GUID HASH] [--enroll-redhat] [--enroll-cert CERT]
[--enroll-generate CN] [--enroll-mgmt] [--no-microsoft]
[--microsoft-kek {none,2011,2023,all}] [--distro-keys DISTRO]
[--distro-list] [--sb] [-p] [-v] [--hashes] [-x] [-o FILE]
[--output-aws FILE] [--output-json FILE]
Print and modify EFI variable stores.
options:
-h, --help
show this help message and exit
-l, --loglevel LEVEL
set loglevel to LEVEL
-i, --input FILE
read edk2 or aws vars from FILE
--inplace, --in-place FILE
modify FILE in place
--extract-certs
extract all certificates
Variable options:
-d, --delete VAR
delete variable VAR, can be specified multiple times
--set-true VAR
set variable VAR to true, can be specified multiple times
--set-false VAR
set variable VAR to false, can be specified multiple times
--set-json FILE
set variables from json dump FILE
Boot configuration:
--set-boot-uri LINK
set network boot uri to LINK (once, using BootNext)
--append-boot-filepath FILE
append boot entry for FILE (permanent, using BootOrder)
shim.efi configuration:
--set-shim-debug
enable shim.efi debugging (pause for debugger attach)
--set-shim-verbose
enable shim.efi verbose messages
--set-fallback-verbose
enable fallback.efi verbose messages
--set-fallback-no-reboot
disable rebooting for fallback.efi
--set-sbat-level FILE
set SbatLevel variable
Secure boot setup options:
--set-pk GUID FILE
set PK to x509 cert, loaded in pem format from FILE and with owner GUID
--add-kek GUID FILE
add x509 cert to KEK, loaded in pem format from FILE and with owner GUID, can be specified
multiple times
--add-db GUID FILE
add x509 cert to db, loaded in pem format from FILE and with owner GUID, can be specified multiple
times
--set-dbx FILE
initialize dbx with update from FILE
--add-dbx FILE
append dbx update from FILE
--add-mok GUID FILE
add x509 cert to MokList, loaded in pem format from FILE and with owner GUID, can be specified
multiple times
--add-db-hash GUID HASH
add sha256 HASH to db, with owner GUID, can be specified multiple times
--add-mok-hash GUID HASH
add sha256 HASH to MokList, with owner GUID, can be specified multiple times
Secure boot convenience shortcuts:
--enroll-redhat
enroll default certificates for redhat platform
--enroll-cert CERT
enroll using specified certificate
--enroll-generate CN
enroll using generated cert with given common name
--enroll-mgmt
enroll using external management guid
--no-microsoft
do not add microsoft keys to db
--microsoft-kek {none,2011,2023,all}
choose microsoft KEK keys to enroll
--distro-keys DISTRO
add ca keys for DISTRO
--distro-list
list known distros
--sb, --secure-boot
enable secure boot mode
Print options:
-p, --print
print varstore
-v, --verbose
print varstore verbosely
--hashes
print signature db sha256 hashes
-x, --hexdump
print variable hexdumps
Output options:
-o, --output FILE
write edk2 or aws vars to FILE, using the same format the --input FILE has.
--output-aws FILE
write aws vars to FILE
--output-json FILE
write json dump to FILE
EXAMPLES
Print variable store.
virt-fw-vars --input ${guest}_VARS.fd \
--print --verbose
Enroll default (Microsoft) secure boot certificates.
virt-fw-vars --input OVMF_VARS.fd \
--output OVMF_VARS.secboot.fd \
--enroll-redhat \
--secure-boot
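What a sha256 entry of the kind --add-db-hash GUID HASH puts into db looks like on disk, and how the digests reported by --hashes can be recovered from raw variable data. This is an added Python example, not code from virt-fw-vars or this manual page. It follows the EFI_SIGNATURE_LIST layout of the UEFI specification; the helper names and the sample owner GUID and digests are constructed, and one list per digest is an assumption.

```python
import struct
import uuid

# EFI_CERT_SHA256_GUID from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# EFI_SIGNATURE_LIST header: type GUID, list size, header size, entry size.
LIST_HDR = struct.Struct("<16sIII")


def sha256_siglist(owner: str, digest_hex: str) -> bytes:
    """Build one EFI_SIGNATURE_LIST holding a single sha256 digest."""
    digest = bytes.fromhex(digest_hex)
    if len(digest) != 32:
        raise ValueError("sha256 digest must be 32 bytes")
    entry = uuid.UUID(owner).bytes_le + digest  # EFI_SIGNATURE_DATA
    size = LIST_HDR.size + len(entry)
    return LIST_HDR.pack(EFI_CERT_SHA256_GUID.bytes_le, size, 0, len(entry)) + entry


def list_sha256(db: bytes):
    """Walk concatenated signature lists; return (owner, digest_hex) pairs."""
    found, pos = [], 0
    while pos < len(db):
        if len(db) - pos < LIST_HDR.size:
            raise ValueError("truncated signature list header")
        sigtype, lsize, hsize, esize = LIST_HDR.unpack_from(db, pos)
        body, end = pos + LIST_HDR.size + hsize, pos + lsize
        # Reject sizes that would loop forever or read past the buffer.
        if lsize < LIST_HDR.size + hsize or end > len(db) or esize <= 16:
            raise ValueError("malformed signature list")
        if (end - body) % esize:
            raise ValueError("entries do not fill the list")
        if uuid.UUID(bytes_le=sigtype) == EFI_CERT_SHA256_GUID:
            if esize != 16 + 32:
                raise ValueError("sha256 entry must be owner GUID + 32 bytes")
            for off in range(body, end, esize):
                owner = uuid.UUID(bytes_le=db[off:off + 16])
                found.append((str(owner), db[off + 16:off + esize].hex()))
        pos = end  # other types (e.g. x509 certs) are skipped
    return found


if __name__ == "__main__":
    # Constructed sample values, not taken from any real varstore.
    OWNER = "11111111-2222-3333-4444-555555555555"
    db = sha256_siglist(OWNER, "aa" * 32) + sha256_siglist(OWNER, "bb" * 32)
    for owner, digest in list_sha256(db):
        print(owner, digest)
```

Comparing the digests recovered this way against an expected allow-list is a quick check that a varstore's db contains only the hashes you meant to enroll.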
AUTHOR
Gerd Hoffmann <kraxel@redhat.com>
virt-fw-vars 25.4 April 2025 VIRT-FW-VARS(1)