# sbctl

> A user-friendly secure boot key manager.
> Note: Not enrolling Microsoft's certificates can brick your system. See <https://github.com/Foxboron/sbctl/wiki/FAQ#option-rom>.
> More information: <https://github.com/Foxboron/sbctl#usage>.

- Show the current secure boot status:

`sbctl status`

- Create custom secure boot keys (by default, everything is stored in `/var/lib/sbctl`):

`sbctl create-keys`

- Enroll the custom secure boot keys and Microsoft's UEFI vendor certificates:

`sbctl enroll-keys --microsoft`

- Automatically run `create-keys` and `enroll-keys` based on the settings in `/etc/sbctl/sbctl.conf`:

`sbctl setup --setup`

- Sign an EFI binary with the created key and save the file to the database:

`sbctl sign {{[-s|--save]}} {{path/to/efi_binary}}`

- Re-sign all the saved files:

`sbctl sign-all`

- Verify that all EFI executables on the EFI system partition have been signed:

`sbctl verify`