Multiple keys

This guide shows how to create an EFI signature list that carries multiple authorized signature database (db) keys. The resulting db.esl is signed exactly as a single-key list would be (for example with sign-efi-sig-list), so nothing downstream changes.

Prerequisites #

Create two db keys and their certificates (see generate keys).

Name the generated db certificates db-1.crt and db-2.crt.

Install efitools, which provides cert-to-efi-sig-list:

sudo apt install efitools

Create separate EFI signature lists #

cert-to-efi-sig-list db-1.crt db-1.esl
cert-to-efi-sig-list db-2.crt db-2.esl

Merge into a unified EFI signature list #

cat db-1.esl > db.esl
cat db-2.esl >> db.esl

Debrief #

To form an EFI signature list with two entries, you concatenated two individual lists that each contain one entry. This works because the db variable is not a single structure but a sequence of EFI_SIGNATURE_LIST records, each self-describing through its own SignatureListSize, so any two valid EFI signature lists can be concatenated into one larger, still valid list. Two caveats: cert-to-efi-sig-list assigns an all-zero SignatureOwner GUID unless you pass -g, so if you want to tell the entries apart later give each its own owner GUID, and before signing you can check that both certificates survived the merge with sig-list-to-certs, which extracts every certificate found in db.esl.

The same technique works for KEK and dbx (a dbx may even mix certificate lists with SHA-256 hash lists, since each record declares its own type). PK is the exception: it must hold exactly one entry, so there is nothing to concatenate.