{"id":13681494,"url":"https://github.com/eaut/efistub","last_synced_at":"2026-01-18T18:02:44.268Z","repository":{"id":145831340,"uuid":"66737431","full_name":"eaut/efistub","owner":"eaut","description":"Manage UEFI (secure) boot configurations","archived":false,"fork":false,"pushed_at":"2019-12-18T08:49:59.000Z","size":32,"stargazers_count":23,"open_issues_count":0,"forks_count":3,"subscribers_count":5,"default_branch":"master","last_synced_at":"2024-11-12T00:36:45.190Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/eaut.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2016-08-27T22:01:25.000Z","updated_at":"2024-05-12T23:10:06.000Z","dependencies_parsed_at":"2024-01-14T15:25:58.057Z","dependency_job_id":"a1112b6f-ff5f-4d44-ba96-e627126f8d76","html_url":"https://github.com/eaut/efistub","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eaut%2Fefistub","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eaut%2Fefistub/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eaut%2Fefistub/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eaut%2Fefistub/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/eaut","download_url":"https://codeload.github.com/eaut/efistub/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":251635345,"owners_count":21619206,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-02T13:01:31.528Z","updated_at":"2026-01-18T18:02:44.260Z","avatar_url":"https://github.com/eaut.png","language":"Shell","funding_links":[],"categories":["Shell"],"sub_categories":[],"readme":"# EFISTUB\n## Description\n\nA script to manage UEFI boot configurations for Linux EFISTUB kernels. By using \"efistub\"\nthe management of plain EFISTUB boot configurations is greatly simplified. The config file\nsyntax is similar to systemd-boot.\n\nThe management of all aspects of UEFI secure boot configurations is directly supported.\nGenerated signed boot images contain the Linux kernel as well as the thereafter used\ninitial ramdisks in one file to ensure the verfication of the entire intial boot process.\n\nAre you using a boot loader like grub or systemd-boot simply because you consider\nusing plain EFISTUB too cumbersome? Would you like to use secure boot, but hesitated so\nfar because the setup is complicated? Then efistub should solve your problem.\n\nKey features\n  - configuration based UEFI boot menu entry creation\n  - automated creation of signed secure boot EFI files\n  - easy management of personal secure boot keys\n  - short and simple bash script does it all\n\n## Usage\n\nThe script efistub has subcommands. They are \"bootctl\", \"keys\", \"uefi\".\n```\nUsage: efistub command [ARGS]\n```\n\n### BOOT MANAGEMENT COMMANDS\n\n```\nbootctl install [\u003cconfig-file\u003e]\n    Install all boot configurations\n\nbootctl update [\u003cconfig-file\u003e]\n    Update all boot images\n\nbootctl rm-entry \u003ctitle\u003e\n    Manually remove UEFI boot menu entry with the name \u003ctitle\u003e\n```\n\n### KEY MANAGEMENT COMMANDS\n\n```\nkeys create [more]\n    Create personal UEFI secure boot keys (PK,KEK,DB)\n\n    The optional argument \"more\" converts personal keys to '.esl' format\n    for use with KeyTool and '.cer' format for use with many built-in\n    UEFI key managers\n\nkeys install\n    install secure boot keys into UEFI databases (DB,KEK)\n\nkeys activate [usermode|setupmode]\n    Usermode: activate usermode by installing the personal PK key\n    Setupmode: activate setupmode by removing the personal PK key\n```\n\n### UEFI COMMANDS\n\n```\nuefi status\n    show current secure boot status\n\nuefi boot2setup\n    start UEFI setup after next boot\n```\n\n## Installation\n\nCreate your own package with `cd arch-pkg ; makepkg`\n\nInstall it with `pacman -U efistub-git`\n\n## Setting up efistub configurations\n\nAll example configurations assume your linux kernel files are located in `/boot`\nand your EFI system partition is mounted in `/boot/efi` if not mentioned otherwise.\nThey are located in `/usr/share/doc/efistub/config-examples`\n\n### Basic boot example\n\nFor a standard boot configuration all you need to add is the following:\n\n```\n#/etc/efistub/config.d/10_arch.conf\n#\n# Don't forget to insert your specific UUIDs!\n#\nTITLE=\"ArchLinux\"\nESPDIR=\"/boot/efi/EFI/arch\"\nKERNEL=\"/boot/vmlinuz-linux\"\nINITRD=\"/boot/intel-ucode.img /boot/initramfs-linux.img\"\nOPTIONS=\"resume=UUID=\u003cyour-swap-uuid\u003e root=UUID=\u003cyour-rootfs-uuid\u003e ro quiet splash\"\n```\nNow you can install this configuration by executing\n```\nefistub bootctl install\n```\nTo verify the successful installation list all UEFI boot entries with\n```\nefibootmgr -v\n```\nand check that the files `vmlinuz-linux, intel-ucode.img and initramfs-linux.img`\nreside on the ESP with\n```\nls -l /boot/efi/EFI/arch\n```\n### Secure boot example\n\nTo add a secure boot configuration you need the following:\n```\n#/etc/efistub/config.d/20_arch-signed.conf\n#\n# Don't forget to insert your specific UUIDs!\n#\nTITLE=\"ArchSec\"\nEFISIGNED=\"/boot/efi/EFI/arch/linux-boot-signed.efi\"\nKERNEL=\"/boot/vmlinuz-linux\"\nINITRD=\"/boot/intel-ucode.img /boot/initramfs-linux.img\"\nOPTIONS=\"quiet splash resume=UUID=\u003cyour-swapfs-uuid\u003e root=UUID=\u003cyour-rootfs-uuid\u003e ro\"\n```\nThis setup requires your own secure boot keys. You can generate them with\nthe following command:\n```\nefistub keys create\n```\nYour system must be in UEFI setup mode to load the keys to the UEFI key databases.\nUsually you switch to UEFI setup mode by clearing all secure boot keys in your\nmotherboard setup. On many systems you can insert the keys directly with\n```\nefistub keys install\n```\nIf that fails you can insert them with KeyTool or the built-in UEFI keymanager.\nIn this case your need more key formats. You create those files with\n```\nefistub keys create more\n```\nThe keys are stored in /etc/efistub/keys.\nNow you can install this configuration by executing\n```\nefistub bootctl install\n```\nTo verify the successful installation list all UEFI boot entries with\n```\nefibootmgr -v\n```\nand check that the file `linux-boot-signed.efi` resides on the ESP with\n```\nls -l /boot/efi/EFI/arch\n```\nFinally activate secure boot with\n```\nefistub keys activate usermode\n```\nReboot and verify that your system booted in secure boot mode\n```\nefistub uefi status\n```\n\n### Automatic update of boot images when a new initramfs is generated\n\nYou manualy update all boot images after a new kernel was installed with\n```\nefistub bootctl update\n```\n\nThis can be automated by using the provided systemd files. Just enable them with\n```\nsystemctl enable efistub-update.path\n```\n\n## Used directories and configuration files\n\n```\n/etc/efistub/config.d/  location of boot configuration files\n/etc/efistub/keys/      location of personal secure boot keys\n```\n\nAutomatic boot image updates\n\n```\n/usr/lib/systemd/system/efistub-update.path\t    trigger automatic boot file generation\n/usr/lib/systemd/system/efistub-update.service  run 'efistub bootctl update'\n```\n\n## References\n\nA very good summary of all the information fragments you can find on the Internet\nregarding EFISTUB based UEFI secure boot was recently written\nby [Matthew Bentley](https://bentley.link/secureboot).\n\nOther:\n- [Secure Boot](https://wiki.archlinux.org/index.php/Secure_Boot)\n- [EFISTUB](https://wiki.archlinux.org/index.php/EFISTUB)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Feaut%2Fefistub","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Feaut%2Fefistub","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Feaut%2Fefistub/lists"}