limine-enroll-config
TLDR
Embed a config file's BLAKE2B hash into the Limine EFI executable
SYNOPSIS
limine-enroll-config [--reset] EFI_FILE [HASH]
DESCRIPTION
limine-enroll-config embeds or resets the BLAKE2B hash of a Limine configuration file (limine.conf) into the Limine EFI executable. This ensures the bootloader configuration has not been tampered with when Secure Boot is enabled.
When Secure Boot validates the signed Limine executable, the embedded hash is used to verify the configuration file's integrity before applying boot settings. If the hash doesn't match, Limine will refuse to load the configuration.
PARAMETERS
--reset
Remove the enrolled configuration hash from the EFI executable
--help
Display help information
EFI_FILE
Path to the Limine UEFI executable (e.g., BOOTX64.EFI)
HASH
The BLAKE2B hash of the limine.conf configuration file
CAVEATS
The configuration hash must be regenerated and re-enrolled whenever limine.conf is modified. This tool is only relevant for UEFI Secure Boot environments; BIOS systems do not support this verification mechanism.
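An added example (not from this page or the Limine project) of the re-enrollment step the caveat above calls for: it hashes limine.conf and invokes limine-enroll-config only when the hash differs from the one recorded at the last enrollment. It assumes b2sum from GNU coreutils and that its default 128-hex-character BLAKE2b-512 output is the expected hash format; the function names, the ENROLL_CMD variable and the state-file argument are hypothetical.

```shell
#!/bin/sh
# Added example: re-enroll the limine.conf hash only when the file has changed.
# Assumptions: GNU coreutils b2sum is installed and its default BLAKE2b-512
# digest (128 hex characters) is the format limine-enroll-config expects.
# ENROLL_CMD and the state file are hypothetical conveniences of this sketch.

ENROLL_CMD=${ENROLL_CMD:-limine-enroll-config}

# Print the BLAKE2B digest of config file $1 as lowercase hex.
# Reading from stdin avoids b2sum's escaping of unusual file names.
conf_hash() {
    b2sum < "$1" | cut -d' ' -f1
}

# Succeed only if $1 is exactly 128 lowercase hex characters.
is_b2_hex() {
    case $1 in
        ''|*[!0-9a-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 128 ]
}

# Succeed if the digest recorded in state file $2 still matches config $1.
hash_is_current() {
    [ -r "$2" ] && [ "$(cat "$2")" = "$(conf_hash "$1")" ]
}

# Usage: enroll_if_changed EFI_FILE CONFIG STATE_FILE
# Prints "unchanged" or "enrolled"; returns non-zero on any failure.
enroll_if_changed() {
    efi=$1 conf=$2 state=$3
    if hash_is_current "$conf" "$state"; then
        echo "unchanged"
        return 0
    fi
    digest=$(conf_hash "$conf")
    # An unreadable file or missing b2sum yields an empty digest: refuse it.
    is_b2_hex "$digest" || { echo "could not hash $conf" >&2; return 1; }
    "$ENROLL_CMD" "$efi" "$digest" || return 1
    # Record the digest only after the tool reported success.
    printf '%s\n' "$digest" > "$state"
    echo "enrolled"
}
```

Enrolling rewrites the EFI executable, so run this before signing the file with sbsign(1); a signature made earlier no longer matches the modified file.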
SEE ALSO
limine(1), limine-entry-tool(1), sbsign(1)
