tldr/pages/linux/sbctl.md

797 B

sbctl

A user-friendly secure boot key manager. Note: not enrolling Microsoft's certificates can brick your system. See https://github.com/Foxboron/sbctl/wiki/FAQ#option-rom. More information: https://github.com/Foxboron/sbctl#usage.

  • Show the current secure boot status:

sbctl status

  • Create custom secure boot keys (everything is stored in /usr/share/secureboot):

sbctl create-keys

  • Enroll the custom secure boot keys and Microsoft's UEFI vendor certificates:

sbctl enroll-keys --microsoft

  • Sign an EFI binary with the created key and save the file to the database:

sbctl sign {{-s|--save}} {{path/to/efi_binary}}

  • Re-sign all the saved files:

sbctl sign-all

  • Verify that all EFI executables on the EFI system partition have been signed:

sbctl verify