# Including hashes

This guide shows how to allowlist the hash of an EFI application in the authorized signature database (db). The `db.esl` you will create can be combined with other `.esl` files before signing and updating db.
## Prerequisites

Install `hash-to-efi-sig-list`:

```sh
sudo apt install efitools
```

Locate an EFI application. This guide assumes the file is named `stboot.uki`.

## Create EFI signature list

```sh
hash-to-efi-sig-list stboot.uki db.esl
```
## Debrief

You prepared an EFI signature list `db.esl` that contains the hash of `stboot.uki`. Secure Boot would consider any EFI application that matches this hash valid, i.e., as if `stboot.uki` had been signed by a key in db.

The same process can be used to revoke an EFI application by hash in the forbidden signature database (dbx). It is also possible to revoke certificates by hash in dbx; see `cert-to-efi-hash-list` in the efitools package.
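The `db.esl` (or a dbx list built the same way) is a plain `EFI_SIGNATURE_LIST` structure, and because several `.esl` files are usually concatenated before signing, it pays to inspect the result before it goes into the firmware. The following is an added example, not code from this guide or from efitools: it builds the same on-disk layout that `hash-to-efi-sig-list` writes (an `EFI_CERT_SHA256` list with one 16-byte owner GUID plus a 32-byte digest per entry), parses a file of one or more concatenated lists with size checks, and reports which hashes a db would allow or a dbx would forbid. The digest it wraps is a constructed stand-in; the real tool hashes the PE image the way the firmware does (the Authenticode digest, which skips the checksum and certificate-table fields), not the raw file bytes, so the example takes a digest as input rather than computing one from a file. The signature-type GUIDs are the ones defined in the UEFI specification; the script name and the zero owner GUID are assumptions.

```python
"""Build and inspect EFI_SIGNATURE_LIST (.esl) files for db/dbx updates.

Added example, not part of the guide or of efitools. It reproduces the on-disk
layout that hash-to-efi-sig-list writes (UEFI spec, EFI_SIGNATURE_LIST /
EFI_SIGNATURE_DATA) so that a prepared db.esl can be checked before signing.
"""
import hashlib
import struct
import uuid

# Signature-type GUIDs from the UEFI specification. uuid.bytes_le yields the
# mixed-endian byte order the firmware stores on disk.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
SIG_TYPE_NAMES = {EFI_CERT_SHA256_GUID: "sha256", EFI_CERT_X509_GUID: "x509"}

# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian, 28 bytes total).
HEADER = struct.Struct("<16sIII")
OWNER_SIZE = 16  # SignatureOwner GUID that precedes each SignatureData

# Constructed stand-in for the digest hash-to-efi-sig-list would compute
# from the PE image; it is NOT the hash of any real stboot.uki.
SAMPLE_DIGEST = hashlib.sha256(b"constructed stand-in for stboot.uki").digest()


def build_sha256_esl(digests, owner=uuid.UUID(int=0)):
    """Wrap SHA-256 digests in one EFI_SIGNATURE_LIST of type EFI_CERT_SHA256.

    The owner GUID is an assumption (all zeros); efitools lets you pick one.
    """
    for digest in digests:
        if len(digest) != 32:
            raise ValueError("SHA-256 digest must be 32 bytes")
    sig_size = OWNER_SIZE + 32
    body = b"".join(owner.bytes_le + digest for digest in digests)
    header = HEADER.pack(EFI_CERT_SHA256_GUID.bytes_le,
                         HEADER.size + len(body), 0, sig_size)
    return header + body


def parse_esl(blob):
    """Walk a file of concatenated signature lists (e.g. `cat a.esl b.esl`).

    Returns a list of (signature_type, owner, data) tuples and rejects lists
    whose sizes do not add up, which is what you want to catch before signing.
    """
    entries = []
    offset = 0
    while offset < len(blob):
        if len(blob) - offset < HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        raw_type, list_size, hdr_size, sig_size = HEADER.unpack_from(blob, offset)
        end = offset + list_size
        if list_size < HEADER.size + hdr_size or end > len(blob):
            raise ValueError("SignatureListSize inconsistent with file length")
        if sig_size <= OWNER_SIZE:
            raise ValueError("SignatureSize too small to hold owner GUID and data")
        start = offset + HEADER.size + hdr_size
        if (end - start) % sig_size:
            raise ValueError("signature area is not a multiple of SignatureSize")
        sig_type = uuid.UUID(bytes_le=raw_type)
        for pos in range(start, end, sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + OWNER_SIZE])
            data = blob[pos + OWNER_SIZE:pos + sig_size]
            entries.append((sig_type, owner, data))
        offset = end
    return entries


def allowed_hashes(blob):
    """Set of SHA-256 digests the list would allow (in db) or forbid (in dbx)."""
    return {data for sig_type, _, data in parse_esl(blob)
            if sig_type == EFI_CERT_SHA256_GUID}


def describe(blob):
    """Human-readable summary, one line per entry."""
    lines = []
    for sig_type, owner, data in parse_esl(blob):
        name = SIG_TYPE_NAMES.get(sig_type, str(sig_type))
        shown = data.hex() if name == "sha256" else f"{len(data)} bytes"
        lines.append(f"{name} {shown} owner={owner}")
    return lines


if __name__ == "__main__":
    import sys
    # With a path, inspect that .esl; without one, show the constructed list.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            blob = f.read()
    else:
        blob = build_sha256_esl([SAMPLE_DIGEST])
    print("\n".join(describe(blob)))
```

Run it with the path to the `db.esl` you produced above to list its entries; without an argument it prints the constructed list. Any `ValueError` from `parse_esl` means the concatenation is malformed and should not be signed.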