2024-07-17 23:56:56 +02:00
|
|
|
# sbctl
|
|
|
|
|
|
|
|
|
|
> A user-friendly secure boot key manager.
|
|
|
|
|
> Note: not enrolling Microsoft's certificates can brick your system. See <https://github.com/Foxboron/sbctl/wiki/FAQ#option-rom>.
|
|
|
|
|
> More information: <https://github.com/Foxboron/sbctl#usage>.
|
|
|
|
|
|
|
|
|
|
- Show the current secure boot status:
|
|
|
|
|
|
|
|
|
|
`sbctl status`
|
|
|
|
|
|
2024-08-09 11:20:36 +02:00
|
|
|
- Create custom secure boot keys (by default, everything is stored in `/var/lib/sbctl`):
|
2024-07-17 23:56:56 +02:00
|
|
|
|
|
|
|
|
`sbctl create-keys`
|
|
|
|
|
|
|
|
|
|
- Enroll the custom secure boot keys and Microsoft's UEFI vendor certificates:
|
|
|
|
|
|
|
|
|
|
`sbctl enroll-keys --microsoft`
|
|
|
|
|
|
2024-08-09 11:20:36 +02:00
|
|
|
- Automatically run `create-keys` and `enroll-keys` based on the settings in `/etc/sbctl/sbctl.conf`:
|
|
|
|
|
|
|
|
|
|
`sbctl setup --setup`
|
|
|
|
|
|
2024-07-17 23:56:56 +02:00
|
|
|
- Sign an EFI binary with the created key and save the file to the database:
|
|
|
|
|
|
2025-03-09 01:35:31 +02:00
|
|
|
`sbctl sign {{[-s|--save]}} {{path/to/efi_binary}}`
|
2024-07-17 23:56:56 +02:00
|
|
|
|
|
|
|
|
- Re-sign all the saved files:
|
|
|
|
|
|
|
|
|
|
`sbctl sign-all`
|
|
|
|
|
|
|
|
|
|
- Verify that all EFI executables on the EFI system partition have been signed:
|
|
|
|
|
|
|
|
|
|
`sbctl verify`
|
