EFI variables

UEFI firmware stores configuration in NVRAM as EFI variables. Each variable is identified by a name (a UCS-2 string) together with a 16-byte vendor GUID that namespaces the name, so the same name can exist under different GUIDs without colliding. The data is opaque to the firmware, and a set of attributes (non-volatile, boot-service access, runtime access, authenticated write) decides when the variable is visible and who may change it.

This page lists the EFI variables that the System Transparency components use, and the Secure Boot variables defined by the UEFI specification that they interact with.

Specified by the System Transparency Project

System Transparency variables have names beginning with “ST” and share the vendor GUID f401f2c1-b005-4be0-8cee-f2e5945bcbe7.

| Variable name | Variable GUID | Variable data |
| --- | --- | --- |
| STHostConfig | f401f2c1-b005-4be0-8cee-f2e5945bcbe7 | Host configuration |
| STHostName | f401f2c1-b005-4be0-8cee-f2e5945bcbe7 | Arbitrary string |
| STHostKey | f401f2c1-b005-4be0-8cee-f2e5945bcbe7 | Unencrypted Ed25519 key in OpenSSH private-key format |
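
The STHostKey row says the variable holds an unencrypted Ed25519 key in OpenSSH private-key format, which is a property a provisioning or audit step can verify before relying on the key. The Go code below is an added example written for this page, not part of stboot or any other System Transparency component: InspectHostKey parses only the openssh-key-v1 header (cipher name, KDF name, key count, public key type) and refuses passphrase-protected or non-Ed25519 keys, never touching the private section; StubHostKey constructs a structurally valid sample with an all-zero public key so the example runs offline. On Linux the variable is exposed by efivarfs as /sys/firmware/efi/efivars/STHostKey-f401f2c1-b005-4be0-8cee-f2e5945bcbe7, with a four-byte little-endian attribute word in front of the data that must be stripped before calling InspectHostKey. Because the key sits in NVRAM in the clear, NVRAM and efivarfs access control is the only protection it has: anyone able to read the variable has the private key.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"strings"
)

// readString pops one uint32-length-prefixed SSH string with a sticky error, so a run of reads is checked once.
func readString(r *bytes.Reader, err *error) []byte {
	var n [4]byte
	if *err == nil {
		_, *err = io.ReadFull(r, n[:])
	}
	want := binary.BigEndian.Uint32(n[:])
	if *err == nil && uint64(want) > uint64(r.Len()) {
		*err = errors.New("SSH string length exceeds buffer")
	}
	if *err != nil {
		return nil
	}
	out := make([]byte, want)
	_, *err = io.ReadFull(r, out)
	return out
}

// InspectHostKey checks the PEM armor, walks the openssh-key-v1 header (magic, ciphername,
// kdfname, kdfoptions, nkeys, public key) and rejects anything other than the unencrypted
// Ed25519 key the table calls for. Nothing past the public key is parsed.
func InspectHostKey(data []byte) (cipher, keyType string, err error) {
	const head, tail = "-----BEGIN OPENSSH PRIVATE KEY-----", "-----END OPENSSH PRIVATE KEY-----"
	s := strings.TrimSpace(string(data))
	if !strings.HasPrefix(s, head) || !strings.HasSuffix(s, tail) {
		return "", "", errors.New("not an OpenSSH private key")
	}
	bin, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(strings.TrimSuffix(strings.TrimPrefix(s, head), tail)), ""))
	if err != nil || !bytes.HasPrefix(bin, []byte("openssh-key-v1\x00")) {
		return "", "", errors.New("bad base64 or missing openssh-key-v1 magic")
	}
	r := bytes.NewReader(bin[len("openssh-key-v1\x00"):])
	cipher = string(readString(r, &err))
	kdf := string(readString(r, &err))
	readString(r, &err) // kdfoptions, not needed here
	var nkeys [4]byte
	if err == nil {
		_, err = io.ReadFull(r, nkeys[:])
	}
	pub := readString(r, &err) // public key blob: string keytype, string key bytes
	keyType = string(readString(bytes.NewReader(pub), &err))
	switch {
	case err != nil:
		return cipher, keyType, err
	case binary.BigEndian.Uint32(nkeys[:]) != 1:
		return cipher, keyType, errors.New("expected exactly one key")
	case cipher != "none" || kdf != "none":
		return cipher, keyType, errors.New("STHostKey is passphrase-protected; it must be stored unencrypted")
	case keyType != "ssh-ed25519":
		return cipher, keyType, errors.New("STHostKey is " + keyType + ", not ssh-ed25519")
	}
	return cipher, keyType, nil
}

// sshString length-prefixes b the way the SSH wire format does.
func sshString(b []byte) []byte {
	out := make([]byte, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	copy(out[4:], b)
	return out
}

// StubHostKey builds a structurally valid openssh-key-v1 blob around an all-zero public key and
// an empty private section: constructed sample input for InspectHostKey, not a usable key.
func StubHostKey(cipher, keyType string) []byte {
	kdf := "none"
	if cipher != "none" {
		kdf = "bcrypt"
	}
	bin := append([]byte("openssh-key-v1\x00"), sshString([]byte(cipher))...)
	bin = append(bin, sshString([]byte(kdf))...)
	bin = append(bin, sshString(nil)...) // kdfoptions
	bin = append(bin, 0, 0, 0, 1)        // nkeys
	pub := append(sshString([]byte(keyType)), sshString(make([]byte, 32))...)
	bin = append(bin, sshString(pub)...)
	bin = append(bin, sshString(nil)...) // private section, empty in this stub
	b64 := base64.StdEncoding.EncodeToString(bin)
	var pem strings.Builder
	pem.WriteString("-----BEGIN OPENSSH PRIVATE KEY-----\n")
	for ; len(b64) > 70; b64 = b64[70:] {
		pem.WriteString(b64[:70] + "\n")
	}
	pem.WriteString(b64 + "\n-----END OPENSSH PRIVATE KEY-----\n")
	return []byte(pem.String())
}

func main() {
	cipher, keyType, err := InspectHostKey(StubHostKey("none", "ssh-ed25519"))
	fmt.Println(cipher, keyType, err) // none ssh-ed25519 <nil>
}
```

The sticky-error reader matters for robustness: a variable that has been truncated, or whose length prefix claims more bytes than remain, produces an error from InspectHostKey instead of a panic, and the same call with cipher "aes256-ctr" or key type "ssh-rsa" is rejected with a message naming the problem.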

Specified by the UEFI specification (Secure Boot)

The UEFI specification defines the names, GUIDs and data formats of the variables that control Secure Boot; the ones relevant to System Transparency are listed below. SetupMode, SecureBoot, OSIndications, PK and KEK live under EFI_GLOBAL_VARIABLE (8be4df61-93ca-11d2-aa0d-00e098032b8c), while db and dbx use EFI_IMAGE_SECURITY_DATABASE_GUID (d719b2cb-3d3a-4596-a3bc-dad00e67656f).

| Variable name | Variable GUID | Variable data |
| --- | --- | --- |
| SetupMode | 8be4df61-93ca-11d2-aa0d-00e098032b8c | 1 byte: 0x01 means setup mode (no PK enrolled, the Secure Boot databases can be provisioned), 0x00 means user mode |
| SecureBoot | 8be4df61-93ca-11d2-aa0d-00e098032b8c | 1 byte, set by the firmware: 0x01 means Secure Boot is enforcing, 0x00 means it is off |
| OSIndications | 8be4df61-93ca-11d2-aa0d-00e098032b8c | 8-byte little-endian bitmask through which the OS requests actions from the firmware (for example booting to the firmware UI) |
| PK | 8be4df61-93ca-11d2-aa0d-00e098032b8c | EFI signature list, typically a single X.509 certificate with an RSA key; the platform owner's root of trust, which authorizes updates to PK and KEK |
| KEK | 8be4df61-93ca-11d2-aa0d-00e098032b8c | EFI signature list, typically one or more X.509 certificates with RSA keys; authorizes updates to db and dbx |
| db | d719b2cb-3d3a-4596-a3bc-dad00e67656f | EFI signature list, typically one or more X.509 certificates with RSA keys or SHA256 hashes of EFI applications that are allowed to run |
| dbx | d719b2cb-3d3a-4596-a3bc-dad00e67656f | EFI signature list, typically zero or more SHA256 hashes of X.509 certificates or EFI applications that are forbidden; a dbx match overrides a db match |

For signed updates to PK, KEK, db and dbx through the UEFI runtime service SetVariable, the System Transparency components use the EFI_VARIABLE_AUTHENTICATION_2 descriptor (time-based authenticated write access): an EFI_TIME timestamp followed by a WIN_CERTIFICATE_UEFI_GUID carrying a PKCS#7 signature over the variable name, vendor GUID, attributes, timestamp and new data. The firmware verifies that signature against the parent key (PK for PK and KEK, KEK for db and dbx); the check is skipped only while the platform is in setup mode.
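
The db and dbx rows describe EFI signature lists without giving their layout, and any component that enforces or audits Secure Boot has to parse them without trusting the embedded size fields. The Go code below is an added example for this page, not code from the System Transparency components or from any firmware: it encodes GUIDs in the mixed-endian EFI_GUID byte order, parses concatenated EFI_SIGNATURE_LIST structures with every size checked against the buffer, and answers whether a given image digest is revoked by dbx. The signature-type GUIDs are the UEFI specification's EFI_CERT_X509_GUID and EFI_CERT_SHA256_GUID; BuildSignatureList and the digests in main are constructed sample input, and the ST GUID from this page appears only as an illustrative SignatureOwner.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

const (
	certX509GUID   = "a5c059a1-94e4-4aa7-87b5-ab155c2bf072" // EFI_CERT_X509_GUID (UEFI spec)
	certSHA256GUID = "c1c41626-504c-4092-aca9-41f936934328" // EFI_CERT_SHA256_GUID (UEFI spec)
	stGUID         = "f401f2c1-b005-4be0-8cee-f2e5945bcbe7" // System Transparency GUID (this page)
)

// guidBytes encodes a textual GUID in the 16-byte EFI_GUID layout: the first three fields
// (4+2+2 bytes) are little-endian, the remaining eight bytes are stored as written.
func guidBytes(s string) ([]byte, error) {
	h, err := hex.DecodeString(strings.ReplaceAll(s, "-", ""))
	if err != nil || len(h) != 16 {
		return nil, errors.New("bad GUID: " + s)
	}
	return append([]byte{h[3], h[2], h[1], h[0], h[5], h[4], h[7], h[6]}, h[8:]...), nil
}

// guidString is the inverse of guidBytes.
func guidString(b []byte) string {
	le := []byte{b[3], b[2], b[1], b[0], b[5], b[4], b[7], b[6]}
	return hex.EncodeToString(le[0:4]) + "-" + hex.EncodeToString(le[4:6]) + "-" +
		hex.EncodeToString(le[6:8]) + "-" + hex.EncodeToString(b[8:10]) + "-" + hex.EncodeToString(b[10:16])
}

// SigEntry is one EFI_SIGNATURE_DATA: owner GUID plus payload (a DER certificate or a 32-byte digest).
type SigEntry struct {
	Type, Owner string
	Data        []byte
}

// ParseSignatureLists walks concatenated EFI_SIGNATURE_LIST structures (SignatureType GUID; UINT32
// SignatureListSize, SignatureHeaderSize, SignatureSize; header bytes; signatures). Every size is
// checked against the buffer so a truncated or tampered variable cannot cause an out-of-range read.
func ParseSignatureLists(buf []byte) ([]SigEntry, error) {
	var out []SigEntry
	for len(buf) > 0 {
		if len(buf) < 28 {
			return nil, errors.New("truncated EFI_SIGNATURE_LIST header")
		}
		listSize := int(binary.LittleEndian.Uint32(buf[16:20]))
		hdrSize := int(binary.LittleEndian.Uint32(buf[20:24]))
		sigSize := int(binary.LittleEndian.Uint32(buf[24:28]))
		if listSize < 28 || listSize > len(buf) || hdrSize < 0 || hdrSize > listSize-28 || sigSize <= 16 {
			return nil, errors.New("EFI_SIGNATURE_LIST size fields out of range")
		}
		body := buf[28+hdrSize : listSize]
		if len(body)%sigSize != 0 {
			return nil, errors.New("signature array is not a multiple of SignatureSize")
		}
		typ := guidString(buf[0:16])
		for off := 0; off < len(body); off += sigSize {
			sig := body[off : off+sigSize]
			out = append(out, SigEntry{Type: typ, Owner: guidString(sig[:16]), Data: sig[16:]})
		}
		buf = buf[listSize:]
	}
	return out, nil
}

// ImageRevoked reports whether an EFI application's SHA256 digest is listed in dbx as an EFI_CERT_SHA256 entry.
func ImageRevoked(dbx []SigEntry, digest []byte) bool {
	for _, e := range dbx {
		if e.Type == certSHA256GUID && bytes.Equal(e.Data, digest) {
			return true
		}
	}
	return false
}

// BuildSignatureList assembles one EFI_SIGNATURE_LIST of equally sized entries under one owner.
// It exists only to construct sample input here; it is not ST tooling.
func BuildSignatureList(typ, owner string, entries [][]byte) ([]byte, error) {
	t, err1 := guidBytes(typ)
	o, err2 := guidBytes(owner)
	if err1 != nil || err2 != nil || len(entries) == 0 {
		return nil, errors.New("bad GUID or empty entry list")
	}
	sigSize := 16 + len(entries[0])
	out := make([]byte, 28)
	copy(out, t)
	binary.LittleEndian.PutUint32(out[16:], uint32(28+sigSize*len(entries)))
	binary.LittleEndian.PutUint32(out[24:], uint32(sigSize)) // SignatureHeaderSize stays 0
	for _, e := range entries {
		if 16+len(e) != sigSize {
			return nil, errors.New("entries in one list must have equal size")
		}
		out = append(append(out, o...), e...)
	}
	return out, nil
}

func main() {
	// Constructed sample dbx revoking two image digests (all 0x00 and all 0x11).
	dbx, _ := BuildSignatureList(certSHA256GUID, stGUID, [][]byte{bytes.Repeat([]byte{0}, 32), bytes.Repeat([]byte{0x11}, 32)})
	entries, err := ParseSignatureLists(dbx)
	fmt.Println(len(entries), err, ImageRevoked(entries, bytes.Repeat([]byte{0x11}, 32))) // 2 <nil> true
}
```

Two checks are worth noting. SignatureSize must be larger than the 16-byte owner GUID, otherwise a zero value would divide by zero or loop without progress, and SignatureListSize is compared against the remaining buffer before any slicing, so a list whose header promises more bytes than exist fails cleanly. To inspect a live dbx on Linux, strip the four-byte attribute prefix from /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f before passing the rest to ParseSignatureLists.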