tldr/pages/linux/sbctl.md

# sbctl

> A user-friendly secure boot key manager.
> Note: not enrolling Microsoft's certificates can brick your system. See <https://github.com/Foxboron/sbctl/wiki/FAQ#option-rom>.
> More information: <https://github.com/Foxboron/sbctl#usage>.

- Show the current secure boot status:

`sbctl status`

- Create custom secure boot keys (everything is stored in `/usr/share/secureboot`):

`sbctl create-keys`

- Enroll the custom secure boot keys and Microsoft's UEFI vendor certificates:

`sbctl enroll-keys --microsoft`

- Sign an EFI binary with the created key and save the file to the database:

`sbctl sign {{-s|--save}} {{path/to/efi_binary}}`

- Re-sign all the saved files:

`sbctl sign-all`

- Verify that all EFI executables on the EFI system partition have been signed:

`sbctl verify`
sbctl: add page (#13275) 2024-07-17 22:56:56 +01:00			`# sbctl`

			`> A user-friendly secure boot key manager.`
			`> Note: not enrolling Microsoft's certificates can brick your system. See <https://github.com/Foxboron/sbctl/wiki/FAQ#option-rom>.`
			`> More information: <https://github.com/Foxboron/sbctl#usage>.`

			`- Show the current secure boot status:`

			`sbctl status`

			- Create custom secure boot keys (everything is stored in `/usr/share/secureboot`):

			`sbctl create-keys`

			`- Enroll the custom secure boot keys and Microsoft's UEFI vendor certificates:`

			`sbctl enroll-keys --microsoft`

			`- Sign an EFI binary with the created key and save the file to the database:`

			`sbctl sign {{-s\|--save}} {{path/to/efi_binary}}`

			`- Re-sign all the saved files:`

			`sbctl sign-all`

			`- Verify that all EFI executables on the EFI system partition have been signed:`

			`sbctl verify`