2024-11-05 00:36:32 +01:00
<?xml version='1.0'?> <!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
<refentry id="systemd-sbsign"
xmlns:xi="http://www.w3.org/2001/XInclude">
<refentryinfo>
<title>systemd-sbsign</title>
<productname>systemd</productname>
</refentryinfo>
<refmeta>
<refentrytitle>systemd-sbsign</refentrytitle>
<manvolnum>1</manvolnum>
</refmeta>
<refnamediv>
<refname>systemd-sbsign</refname>
<refpurpose>Sign PE binaries for EFI Secure Boot</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>systemd-sbsign</command>
<arg choice="opt" rep="repeat">OPTIONS</arg>
<arg choice="req">COMMAND</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para><command>systemd-sbsign</command> can be used to sign PE binaries for EFI Secure Boot.</para>
</refsect1>
<refsect1>
<title>Commands</title>
<variablelist>
<varlistentry>
<term><option>sign</option></term>
<listitem><para>Signs the given PE binary for EFI Secure Boot. Takes a path to a PE binary as its
argument. If the PE binary already has a certificate table, the new signature will be added to it.
Otherwise a new certificate table will be created. The signed PE binary will be written to the path
specified with <option>--output=</option>.</para>
<xi:include href="version-info.xml" xpointer="v257" />
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>Options</title>
<para>The following options are understood:</para>
<variablelist>
<varlistentry>
<term><option>--output=<replaceable>PATH</replaceable></option></term>
<listitem><para>Specifies the path where to write the signed PE binary.</para>
<xi:include href="version-info.xml" xpointer="v257" /></listitem>
</varlistentry>
<varlistentry>
<term><option>--private-key=<replaceable>PATH/URI</replaceable></option></term>
<term><option>--private-key-source=<replaceable>TYPE</replaceable>[:<replaceable>NAME</replaceable>]</option></term>
<term><option>--certificate=<replaceable>PATH</replaceable></option></term>
<term><option>--certificate-source=<replaceable>TYPE</replaceable>[:<replaceable>NAME</replaceable>]</option></term>
<listitem><para>Set the Secure Boot private key and certificate for use with the
<command>sign</command> command. The <option>--certificate=</option> option takes a path to a PEM encoded
X.509 certificate or a URI that's passed to the OpenSSL provider configured with
<option>--certificate-source=</option>. The <option>--certificate-source=</option> option takes one of
<literal>file</literal> or <literal>provider</literal>, with the latter being followed by a specific
provider identifier, separated with a colon, e.g. <literal>provider:pkcs11</literal>. The
<option>--private-key=</option> option can take a path or a URI that will be passed to the OpenSSL
engine or provider, as specified by <option>--private-key-source=</option> as a
<literal>type:name</literal> tuple, such as <literal>engine:pkcs11</literal>. The specified OpenSSL
signing engine or provider will be used to sign the PE binary.</para>
<xi:include href="version-info.xml" xpointer="v257" /></listitem>
</varlistentry>
<xi:include href="standard-options.xml" xpointer="help" />
<xi:include href="standard-options.xml" xpointer="version" />
</variablelist>
</refsect1>
<refsect1>
<title>See Also</title>
<para><simplelist type="inline">
<member><citerefentry><refentrytitle>bootctl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
</simplelist></para>
</refsect1>
</refentry>