LinuxCommandLibrary

sbctl

Manage UEFI Secure Boot keys and signing

TLDR

Show the current Secure Boot status (whether sbctl's keys are installed, whether the firmware is in Setup Mode, whether Secure Boot is enabled)
$ sbctl status
Create a custom Secure Boot key hierarchy (PK, KEK, db)
$ sbctl create-keys
Enroll the keys into the firmware, keeping Microsoft's vendor certificates so Option ROMs still load
$ sbctl enroll-keys -m
Run the setup steps described by the sbctl configuration
$ sbctl setup --setup
Sign an EFI binary and record it in sbctl's database
$ sbctl sign -s path/to/efi_binary
Re-sign every recorded file (after a kernel or bootloader update)
$ sbctl sign-all
Scan the EFI system partition and report which EFI executables are signed
$ sbctl verify
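The TL;DR commands above are the steps of one procedure, and the dangerous one is enrolling: it only works while the firmware is in Setup Mode, and doing it without the Microsoft certificates can break Option ROMs. The script below is an added example, not sbctl's own code and not part of this page: it reads the SetupMode and SecureBoot variables straight from efivarfs, refuses to enroll unless Setup Mode is on, keeps the vendor certificates, records the signed files with `-s`, and finishes with `sbctl verify`. The efivarfs location, the `SIGN_TARGETS` paths and the `efivar_byte`/`can_enroll`/`provision` helper names are assumptions for the example; the GUID is the real EFI_GLOBAL_VARIABLE namespace.

```shell
#!/bin/sh
# Added example (not part of sbctl or this page): a guarded version of the
# TL;DR workflow. It checks the firmware state via efivarfs before touching
# anything, enrolls only in Setup Mode, and keeps Microsoft's vendor certs.
# The efivarfs path and the kernel/bootloader paths below are assumptions.
set -eu

EFIVARS=${EFIVARS:-/sys/firmware/efi/efivars}
# GUID of EFI_GLOBAL_VARIABLE, the namespace SecureBoot and SetupMode live in.
EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c

# An efivarfs file is 4 bytes of attribute flags followed by the variable's
# payload; for SecureBoot and SetupMode that payload is one byte (1 = on).
# Prints that byte as a decimal, "absent" if the variable is missing
# (BIOS/CSM boot), or "unknown" if the file is too short to carry a value.
efivar_byte() {
    f=$1
    [ -r "$f" ] || { echo absent; return 0; }
    v=$(od -An -tu1 -j4 -N1 "$f" | tr -d ' ')
    echo "${v:-unknown}"
}

secure_boot_state() { efivar_byte "$EFIVARS/SecureBoot-$EFI_GLOBAL"; }
setup_mode_state()  { efivar_byte "$EFIVARS/SetupMode-$EFI_GLOBAL"; }

# Keys can only be enrolled while the Platform Key is cleared, i.e. while the
# firmware is in Setup Mode. Returns 0 when `sbctl enroll-keys` can succeed.
can_enroll() { [ "$(setup_mode_state)" = 1 ]; }

# Binaries the firmware must still be able to load once the custom db is in
# place. Assumed paths: use the bootloader and kernel your distro installs.
SIGN_TARGETS="/boot/EFI/BOOT/BOOTX64.EFI /boot/vmlinuz-linux"

provision() {
    sbctl status
    if ! can_enroll; then
        echo "refusing to enroll: firmware is not in Setup Mode (clear the PK in firmware setup first)" >&2
        return 1
    fi
    sbctl create-keys
    # -m keeps Microsoft's UEFI CA in db so signed Option ROMs (GPU and NIC
    # firmware) still execute; dropping it can leave the machine without video.
    sbctl enroll-keys -m
    for f in $SIGN_TARGETS; do
        # -s records the path in sbctl's database so sign-all re-signs it
        # after the next kernel or bootloader update.
        sbctl sign -s "$f"
    done
    # Report which EFI executables on the ESP are signed before rebooting.
    sbctl verify
    echo "keys enrolled; SecureBoot variable currently reads $(secure_boot_state)"
}

# The firmware is only touched on an explicit request: sh sbctl-provision.sh run
if [ "${1:-}" = run ]; then
    provision
fi
```

Run it as root with the `run` argument once the PK has been cleared in firmware setup. Reading the variables directly, rather than trusting a cached status, matters because Setup Mode is the one precondition the firmware will not let you work around: `enroll-keys` fails against a machine with a PK installed, and the check keeps the script from half-provisioning such a system.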

SYNOPSIS

sbctl command [options]

DESCRIPTION

sbctl is a user-friendly Secure Boot key manager. It generates a custom key hierarchy (Platform Key, Key Exchange Key and signature database key), enrolls it into the UEFI firmware while the firmware is in Setup Mode, and signs EFI binaries with the db key, remembering which files it signed so they can be re-signed after an update.
Once the custom db is enrolled and Secure Boot is enabled, the firmware executes only bootloaders and kernels carrying a signature it trusts; anything else, including a bootloader swapped in by an attacker with disk access, is refused at boot.

PARAMETERS

status
Show Secure Boot status: whether sbctl's keys are installed, whether the firmware is in Setup Mode, and whether Secure Boot is enabled
create-keys
Generate the custom key pairs (PK, KEK, db) under /var/lib/sbctl
enroll-keys
Enroll PK, KEK and db into the UEFI firmware; the firmware must be in Setup Mode
-m, --microsoft
Also enroll Microsoft's UEFI vendor certificates, so Option ROMs and other vendor-signed binaries keep loading
sign
Sign an EFI binary with the db key
-s, --save
Record the file in sbctl's database so that sign-all re-signs it
sign-all
Re-sign every file recorded with sign -s
verify
Scan the EFI system partition and report whether each EFI executable is signed

CONFIGURATION

/var/lib/sbctl/

Default directory for the generated key pairs (PK, KEK, db) and for the database of files registered with sign -s. It holds the private keys, so it must stay readable by root only: anyone who can read the db private key can sign a binary the firmware will trust.

CAVEATS

Enrolling custom keys without the Microsoft vendor certificates (enroll-keys without -m) removes the trust anchor for Option ROMs such as GPU and NIC firmware; on affected hardware the firmware then refuses to run them, which can leave the machine without display output or unable to boot. Enrollment itself only works while the firmware is in Setup Mode. Keys are stored in /var/lib/sbctl by default; back them up, because losing them means re-entering Setup Mode and enrolling a fresh set before any new kernel can be signed.
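The private keys under /var/lib/sbctl are the whole security of the scheme: a readable db key lets anyone produce a kernel the firmware will boot. The check below is an added example, not part of sbctl or of this page; it walks the key directory and reports any private key whose mode is not 0600. The `*.key` file suffix, the `SBCTL_DIR` override and the `loose_keys`/`audit_keys` names are assumptions for the example.

```shell
#!/bin/sh
# Added example (not part of sbctl or this page): audit the private keys
# sbctl keeps under /var/lib/sbctl. Whoever can read db.key can sign a binary
# the firmware will run, so every private key must be mode 0600.
# The "*.key" naming and the SBCTL_DIR override are assumptions.
set -eu

SBCTL_DIR=${SBCTL_DIR:-/var/lib/sbctl}

# Print every private key under $1 whose mode is not exactly 0600.
# Returns 0 if the tree is clean, 1 if at least one key is too permissive.
loose_keys() {
    found=$(find "$1" -type f -name '*.key' ! -perm 600 2>/dev/null || true)
    [ -z "$found" ] || { printf '%s\n' "$found"; return 1; }
}

audit_keys() {
    if loose_keys "$SBCTL_DIR"; then
        echo "ok: all private keys under $SBCTL_DIR are mode 0600"
    else
        echo "WARNING: the keys listed above are readable or writable beyond their owner; chmod 600 them" >&2
        return 1
    fi
}

audit_keys
```

On a real system also confirm the files are owned by root (`find /var/lib/sbctl -name '*.key' ! -user root`); the example leaves ownership out so it can be exercised as an unprivileged user. Run it after create-keys and again after restoring keys from a backup, which is when permissions most often go wrong.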

HISTORY

Written in Go by Morten Linderud (Foxboron) as a user-friendly alternative to manual Secure Boot key management with efitools and sbsigntools.

SEE ALSO

sbsign(1), efi-updatevar(1), mokutil(1)
https://github.com/Foxboron/sbctl

> TERMINAL_GEAR

Curated for the Linux community
