{"id":27948360,"url":"https://github.com/jbock-java/mkefivardata","last_synced_at":"2025-05-07T14:57:52.992Z","repository":{"id":284325381,"uuid":"954562261","full_name":"jbock-java/mkefivardata","owner":"jbock-java","description":null,"archived":false,"fork":false,"pushed_at":"2025-05-07T05:31:08.000Z","size":375,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-05-07T14:57:49.237Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jbock-java.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"COPYING","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-03-25T09:18:47.000Z","updated_at":"2025-05-07T05:31:11.000Z","dependencies_parsed_at":"2025-05-05T09:54:24.526Z","dependency_job_id":null,"html_url":"https://github.com/jbock-java/mkefivardata","commit_stats":null,"previous_names":["jbock-java/efitools","jbock-java/mkefivardata"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jbock-java%2Fmkefivardata","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jbock-java%2Fmkefivardata/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jbock-java%2Fmkefivardata/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jbock-java%2Fmkefivardata/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jbock-java","download_url":"https://codeload.github.com/jbock-java/mkefivardata/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252902627,"owners_count":21822258,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-05-07T14:57:52.404Z","updated_at":"2025-05-07T14:57:52.975Z","avatar_url":"https://github.com/jbock-java.png","language":"C","readme":"# mkefivardata\n\n* [efitools was removed from Fedora 41](https://discussion.fedoraproject.org/t/f41-secure-boot-with-only-your-own-keys/138120)\n* [efitools upstream](https://web.git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git/) is unmaintained\n* sbctl can generate keys and sign, but [efi-updatevar is still needed](https://github.com/Foxboron/sbctl/issues/434)\n\nThe upstream `efi-updatevar` was modified so that it converts the `*.auth` files to intermediate `*.vardata` files (by writing to a user-specified file, rather than directly to the efivars filesystem). To avoid confusion, it was also renamed to `mkefivardata`.\n\nThe `*.vardata` files do not contain the private key used for signing. Hence it is safe to copy them onto an untrusted machine. To enroll the keys, simply copy the vardata files to the appropriate place in the efivars filesystem.\n\n### Install dependencies\n\n```sh\nsudo dnf group install c-development\nsudo dnf install gnu-efi-devel openssl-devel\n```\n\n### Build the binary\n\n```sh\nmake clean\nmake\n```\n\n### Installation\n\n```sh\n#make DESTDIR=build install\nsudo make install\n```\n\n### Enroll keys\n\nInstall sbctl:\n\n```sh\nsudo dnf copr enable chenxiaolong/sbctl\nsudo dnf install sbctl\n```\n\nGenerate keys and auth files:\n\n```sh\nsudo sbctl create-keys\nsudo sbctl enroll-keys --microsoft --export auth\n```\n\nConvert auth files to vardata files:\n\n```sh\nmkefivardata db.auth db.vardata db\nmkefivardata KEK.auth KEK.vardata KEK\nmkefivardata PK.auth PK.vardata PK\n```\n\nThe remaining steps may only work in setup mode.\n\nTo verify that the system is in setup mode, run `mokutil --sb-state` or `sbctl status`.\n\nCopy each vardata file to its correct destination in the efivars filesystem:\n\n```sh\nsudo chattr -i /sys/firmware/efi/efivars/*\nsudo cp db.vardata /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f\nsudo cp KEK.vardata /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c\nsudo cp PK.vardata /sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c\n```\n\nCongratulations, the keys are now enrolled.\n\nNotes:\n\n* `cp \u003cvar\u003e.vardata /sys/...` is equivalent to `efi-updatevar -f \u003cvar\u003e.auth \u003cvar\u003e`.\n* The destination filenames in the efivars filesystem may look random, but they are always the same.\n* After copying `PK.vardata`, the system should not be in setup mode anymore.\n* Make a backup of `/var/lib/sbctl`.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjbock-java%2Fmkefivardata","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjbock-java%2Fmkefivardata","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjbock-java%2Fmkefivardata/lists"}