Introducing ovmfctl
New project: Tools for ovmf (and armvirt) firmware volumes.
It's written in Python and can be installed with a simple pip3 install ovmfctl. The project is hosted at gitlab.
ovmfdump
Usage: ovmfctl --input file.fd.
It's a debugging tool which just prints the structure and content of firmware volumes.
ovmfctl
This is a tool to print and modify variable store volumes. Main focus has been on certificate handling so far.
Enrolling certificates for secure boot support in virtual machines has been a rather painful process. It's handled by EnrollDefaultKeys.efi, which needs to be started inside a virtual machine to enroll the certificates and enable secure boot mode.
With ovmfctl it is dead simple:
This enrolls the Red Hat Secure Boot certificate, which is used by
Fedora, CentOS and RHEL, as platform key. The usual Microsoft
certificates are added to the certificate database too, so Windows
guests and shim.efi work as expected.
If you want more fine-grained control you can use the --set-pk, --add-kek, --add-db and --add-mok switches instead.
The --enroll-redhat switch above is actually just a shortcut for:
If you just want the variable store to be printed, use ovmfctl --input file.fd --print. Add --hexdump for more details.
Extract all certificates: ovmfctl --input file.fd --extract-certs.
Try ovmfctl --help for a complete list of command line
switches. Note that the input and output file can be identical for
in-place updates.
That's it. Enjoy!