Including hashes

This guide shows how to allowlist the hash of an EFI application in the authorized signature database (db). The db.esl you will create can be combined with other .esl files before signing and updating db.

Prerequisites

Install efitools, which provides hash-to-efi-sig-list.

sudo apt install efitools

Locate an EFI application. This guide assumes the file is named stboot.uki.

Create EFI signature list

hash-to-efi-sig-list stboot.uki db.esl
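Before signing and pushing db.esl into db, it is worth checking that the file really is a single EFI_SIGNATURE_LIST of type EFI_CERT_SHA256 that contains the hash you expect, rather than trusting the tool blindly. The following parser is an added example, not part of this guide or of efitools; it decodes the EFI_SIGNATURE_LIST layout from the UEFI specification (16-byte SignatureType GUID, three UINT32 sizes, optional signature header, then EFI_SIGNATURE_DATA entries of owner GUID plus payload) and can confirm that a given digest is present. The sample digests and the builder used to create the test input are constructed for this example; note that the value hash-to-efi-sig-list stores is the Authenticode PE image hash of stboot.uki, not the SHA-256 of the raw file, so the check compares against a digest you supply rather than recomputing it.

```python
"""Inspect an EFI signature list (.esl) such as the db.esl produced above.

Added example, not efitools code. Usage on a real file:
    python esl_inspect.py db.esl [expected-sha256-hex]
"""
import struct
import sys
import uuid

# EFI_SIGNATURE_LIST header: SignatureType GUID, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian, per UEFI spec).
ESL_HEADER = struct.Struct("<16sIII")

# Signature type GUIDs defined by the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_X509_SHA256_GUID = uuid.UUID("3bd2a492-96c0-4079-b415-4b6c4a5a1d89")
SIG_TYPE_NAMES = {
    EFI_CERT_SHA256_GUID: "EFI_CERT_SHA256",          # hash-to-efi-sig-list
    EFI_CERT_X509_GUID: "EFI_CERT_X509",              # cert-to-efi-sig-list
    EFI_CERT_X509_SHA256_GUID: "EFI_CERT_X509_SHA256",  # cert-to-efi-hash-list
}


def parse_esl(data: bytes) -> list:
    """Return one dict per signature entry across all lists in the blob.

    Raises ValueError on truncated or inconsistent size fields, which is the
    failure mode you want to catch before a db update rather than at boot.
    """
    entries = []
    off = 0
    while off < len(data):
        if len(data) - off < ESL_HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        type_raw, list_size, hdr_size, sig_size = ESL_HEADER.unpack_from(data, off)
        if list_size < ESL_HEADER.size + hdr_size or off + list_size > len(data):
            raise ValueError("SignatureListSize %d inconsistent with blob" % list_size)
        sig_type = uuid.UUID(bytes_le=type_raw)
        sigs_start = off + ESL_HEADER.size + hdr_size
        sigs_len = list_size - ESL_HEADER.size - hdr_size
        # Every EFI_SIGNATURE_DATA starts with a 16-byte SignatureOwner GUID.
        if sig_size < 16 or sigs_len % sig_size:
            raise ValueError("SignatureSize %d does not tile the list" % sig_size)
        for i in range(sigs_len // sig_size):
            s = sigs_start + i * sig_size
            entries.append({
                "type": SIG_TYPE_NAMES.get(sig_type, str(sig_type)),
                "owner": str(uuid.UUID(bytes_le=data[s:s + 16])),
                "data": data[s + 16:s + sig_size].hex(),
            })
        off += list_size
    return entries


def esl_contains_sha256(data: bytes, digest_hex: str) -> bool:
    """True if an EFI_CERT_SHA256 entry with exactly this digest is present."""
    return any(e["type"] == "EFI_CERT_SHA256" and e["data"] == digest_hex.lower()
               for e in parse_esl(data))


def build_sha256_esl(digests: list, owner: uuid.UUID = uuid.UUID(int=0)) -> bytes:
    """Build a minimal EFI_CERT_SHA256 list (constructed test input only)."""
    body = b"".join(owner.bytes_le + d for d in digests)
    header = ESL_HEADER.pack(EFI_CERT_SHA256_GUID.bytes_le,
                             ESL_HEADER.size + len(body), 0, 16 + 32)
    return header + body


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read()
    for entry in parse_esl(blob):
        print(entry["type"], entry["owner"], entry["data"])
    if len(sys.argv) > 2:
        print("expected hash present:", esl_contains_sha256(blob, sys.argv[2]))
```

Run it against db.esl before and after concatenating other .esl files: every list should parse without error, and the entry types tell you at a glance whether the update carries hashes (EFI_CERT_SHA256) or certificates (EFI_CERT_X509), which is the difference between allowlisting one build and allowlisting everything a key signs.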

Debrief

You prepared an EFI signature list db.esl that contains the hash of stboot.uki. Secure Boot would consider any EFI application matching this hash valid, just as if stboot.uki had been signed by a key in db.

The same process can be used to revoke an EFI application by hash in the forbidden signature database dbx. It is also possible to revoke certificates by hash in dbx; see cert-to-efi-hash-list in the efitools package.