Sign variables


This guide shows how to sign keys so that UEFI runtime services accept them as valid in the Secure Boot key hierarchy (PK, KEK, db, and dbx). You will create PK.auth, KEK.auth, and db.auth, each containing one key.

There is a complementary guide on how to prepare a Secure Boot variable with multiple keys. This applies only to KEK, db, and dbx.

There is a complementary guide on how to prepare a Secure Boot variable with hashes. This is useful for allowlisting (db) or revoking (dbx) a particular EFI application.

For signing, you can choose between soft keys and keys on a YubiKey 5.
