
I recently used efitools' keytool.efi to save the EFI secure boot keys from my UEFI firmware. I now have a few .esl files that contain EFI signature lists, but they are binaries, and I would like to take a look at the content in a readable format.

Apparently these signatures generally start out as X.509 certificates and get converted to .esl using a tool such as cert-to-efi-sig-list; Is there a way to go backwards?

2 Answers


The efitools package contains the sig-list-to-certs tool, which allows you to extract DER-encoded X.509 certificates from the .esl files (e.g. to extract and print out the first KEK certificate):

# dump the KEK variable (an EFI signature list) to a file
efi-readvar -v KEK -o 'old_kek.esl'
# split the list into DER certificates named oldkek-0.der, oldkek-1.der, ...
sig-list-to-certs 'old_kek.esl' 'oldkek'
# print the first certificate in readable form
openssl x509 -in 'oldkek-0.der' -inform der -noout -text

Repeat the openssl command with oldkek-N.der for the other certificates, if there are more than one. Pass PK, db, and dbx to -v in the efi-readvar command to read the platform key and db white- and blacklists respectively.

  • This works for certificates. For hashes (such as in the dbx) you can pass them through xxd -p -c32 < $basefile-0.hash. The manpage for this tool is entirely unhelpful.
    – Huckle
    Commented Jan 12, 2020 at 7:29
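As an added example (not from the answer above or from efitools), a small Python parser for the EFI_SIGNATURE_LIST structure that .esl files contain, so a dumped variable can be read without first splitting it into DER files. It handles both X.509 entries and the SHA-256 hash entries the comment mentions for dbx, and rejects truncated or inconsistent lists instead of reading past them. The sample input is constructed inside the block; the owner GUID and the "DER" bytes are dummy values.

```python
import struct
import uuid

# Well-known SignatureType GUIDs from the UEFI spec.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
TYPE_NAMES = {EFI_CERT_X509_GUID: "X509", EFI_CERT_SHA256_GUID: "SHA256"}
# EFI_SIGNATURE_LIST header: SignatureType GUID, then SignatureListSize,
# SignatureHeaderSize and SignatureSize as little-endian UINT32.
LIST_HDR = struct.Struct("<16sIII")

def parse_esl(data):
    """Parse concatenated EFI_SIGNATURE_LISTs; return (type, owner, payload) tuples."""
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < LIST_HDR.size:
            raise ValueError("truncated list header at offset %d" % off)
        type_raw, list_size, hdr_size, sig_size = LIST_HDR.unpack_from(data, off)
        if list_size < LIST_HDR.size or off + list_size > len(data):
            raise ValueError("bad SignatureListSize %d at offset %d" % (list_size, off))
        # SignatureSize covers the 16-byte SignatureOwner GUID plus the payload.
        body_off = off + LIST_HDR.size + hdr_size
        body_len = list_size - LIST_HDR.size - hdr_size
        if sig_size <= 16 or body_len < 0 or body_len % sig_size:
            raise ValueError("inconsistent sizes at offset %d" % off)
        sig_type = uuid.UUID(bytes_le=type_raw)
        type_name = TYPE_NAMES.get(sig_type, str(sig_type))
        for pos in range(body_off, body_off + body_len, sig_size):
            owner = str(uuid.UUID(bytes_le=data[pos:pos + 16]))
            entries.append((type_name, owner, bytes(data[pos + 16:pos + sig_size])))
        off += list_size
    return entries

def build_esl(sig_type, owner, payloads):
    """Build one EFI_SIGNATURE_LIST; all payloads must have the same length."""
    body = b"".join(owner.bytes_le + p for p in payloads)
    return LIST_HDR.pack(sig_type.bytes_le, LIST_HDR.size + len(body), 0,
                         16 + len(payloads[0])) + body

# Constructed sample: a dbx-style SHA256 list followed by a one-entry X509 list.
# The owner GUID and the "DER" bytes are dummies, not a real certificate.
OWNER = uuid.UUID("12345678-1234-5678-1234-56789abcdef0")
SAMPLE_ESL = (build_esl(EFI_CERT_SHA256_GUID, OWNER, [b"\x11" * 32, b"\x22" * 32])
              + build_esl(EFI_CERT_X509_GUID, OWNER, [b"\x30\x82" + b"\x00" * 62]))

if __name__ == "__main__":
    for type_name, owner, sig in parse_esl(SAMPLE_ESL):
        shown = sig.hex() if type_name == "SHA256" else "%d bytes of DER" % len(sig)
        print("%-6s owner=%s %s" % (type_name, owner, shown))
```

To read a real dump, replace SAMPLE_ESL with the bytes of a file written by efi-readvar -o and feed an X509 payload to openssl x509 -inform der as in the answer.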

Found a nice little EFI utility written by fpmurphy that prints human-readable information about the keys on a system and he wrote an informative blog post about this as well.
