# uefivars
This is a set of Python modules and a helper application "uefivars" to
introspect and modify UEFI variable stores.
## Why do I need this?
UEFI variable stores are typically opaque to users. You normally access them
through UEFI runtime services, as function calls, while the data itself is
stored in a binary format. When running virtual machines or extracting UEFI
variable stores directly from Flash storage, you can read and write that
binary data and thus modify variables directly.
This is useful in situations where you have incorrect UEFI variable data
and need to modify variables without runtime service access. It can also
be useful to analyze and introspect the variable store and check what data
is stored inside.
## How do I use it?
You can convert a variable store into human readable format by setting the
output type to json. This will show you all variables that are currently
present in the variable store.
```console
$ uefivars -i edk2 -o json -I OVMF_VARS.secboot.fd
[
  {
    "name": "SecureBootEnable",
    "data": "AQ==",
    "guid": "f0a30bc7-af08-4556-99c4-001009c93a44",
    "attr": 3
  },
  [...]
]
```
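The JSON output lends itself to scripted checks. The following added example (not part of the uefivars project) decodes the `attr` bitmask and the base64 `data` field and reports the state of the Secure Boot variables. The sample records other than `SecureBootEnable` are constructed, and the attribute bits and the GUIDs for `PK`/`KEK` and `db`/`dbx` come from the UEFI specification rather than from this page.

```python
import base64
import json

# EFI_VARIABLE_* attribute bits as defined in the UEFI specification.
ATTR_BITS = {
    0x01: "NON_VOLATILE", 0x02: "BOOTSERVICE_ACCESS", 0x04: "RUNTIME_ACCESS",
    0x08: "HARDWARE_ERROR_RECORD", 0x10: "AUTHENTICATED_WRITE_ACCESS",
    0x20: "TIME_BASED_AUTHENTICATED_WRITE_ACCESS", 0x40: "APPEND_WRITE",
}
TIME_AUTH = 0x20
GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"    # EFI global variable GUID
IMG_SEC = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"   # image security database GUID
ENABLE = ("SecureBootEnable", "f0a30bc7-af08-4556-99c4-001009c93a44")
KEYS = [("PK", GLOBAL), ("KEK", GLOBAL), ("db", IMG_SEC), ("dbx", IMG_SEC)]

# Constructed sample in the shape shown above; "AAAA" is placeholder data,
# not a real EFI signature list.
SAMPLE_JSON = """[
  {"name": "SecureBootEnable", "data": "AQ==",
   "guid": "f0a30bc7-af08-4556-99c4-001009c93a44", "attr": 3},
  {"name": "PK", "data": "AAAA", "guid": "8be4df61-93ca-11d2-aa0d-00e098032b8c", "attr": 39},
  {"name": "db", "data": "AAAA", "guid": "d719b2cb-3d3a-4596-a3bc-dad00e67656f", "attr": 7}
]"""


def decode_attr(attr):
    """Return the names of the attribute bits set in attr."""
    return [name for bit, name in ATTR_BITS.items() if attr & bit]


def audit(json_text):
    """List Secure Boot observations for a uefivars JSON dump."""
    store = {(v["name"], v["guid"].lower()): v for v in json.loads(json_text)}
    notes = []
    enable = store.get(ENABLE)
    if enable is None or base64.b64decode(enable["data"]) != b"\x01":
        notes.append("SecureBootEnable is not 1")
    for key in KEYS:
        var = store.get(key)
        if var is None:
            notes.append(f"{key[0]} is missing")
        elif not var["attr"] & TIME_AUTH:
            flags = "|".join(decode_attr(var["attr"]))
            notes.append(f"{key[0]} is not time-based authenticated ({flags})")
    return notes


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_JSON)))
```

To check a real store, pass the output of `uefivars -i edk2 -o json -I OVMF_VARS.secboot.fd` to `audit()`.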
In addition, you can convert from the human readable json representation back
into edk2 format:
```console
$ uefivars -i json -o edk2 -I vars.json -O OVMF_VARS.fd
```
Given any variable store (including an empty one), the `--PK`, `--KEK`, `--db` and `--dbx`
switches can be used to (over-)write the four SecureBoot variables from input files
(usually .esl files). For a general rundown of the key generation process, the [ArchLinux](https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Creating_keys) wiki has proven itself
as a first point of guidance.
You can also use the tool to convert between the AWS EC2 uefi-data format
and edk2 to import and export UEFI variable stores between an EC2 instance
and QEMU:
```console
$ uefivars -i edk2 -o aws -I OVMF_VARS.fd -O uefi-data.aws
```
```console
$ uefivars -i aws -o edk2 -I uefi-data.aws -O OVMF_VARS.fd
```
## How can I take a snapshot of my current UEFI variable store?
If you are running on a live UEFI system, the variable store that gets exposed
to the Operating System is incomplete: It does not contain UEFI variables that
are only present at boot time and it does not get access to variable
authentication data.
If you don't need either - for example because you're only interested in saving
the boot order - you can use the efivarfs backend to convert the local variable
store into a file:
```console
$ uefivars -i efivarfs -o aws -I /sys/firmware/efi/efivars -O uefi-data.aws
```
## What formats are supported?
This package currently supports the following formats:
**aws** - File format used in [AWS EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/uefi-secure-boot.html) \
**edk2** - File format used for flash storage in [OVMF](https://github.com/tianocore/edk2/blob/918288ab5a7c3abe9c58d576ccc0ae32e2c7dea0/OvmfPkg/README#L123) \
**efivarfs** - Ingests all non-authenticated variables from an [efivarfs](https://docs.kernel.org/filesystems/efivarfs.html) mount point (read only)
Raw data
{
"_id": null,
"home_page": "https://github.com/awslabs/python-uefivars",
"name": "python-uefivars",
"maintainer": "",
"docs_url": null,
"requires_python": "",
"maintainer_email": "",
"keywords": "",
"author": "Amazon Web Services",
"author_email": "graf@amazon.com",
"download_url": "https://files.pythonhosted.org/packages/f5/ff/6d27f7d075dd3c5b8ea233c24d7b015cf26ced754651bd3006a32594c4ba/python-uefivars-0.1.tar.gz",
"platform": null,
"bugtrack_url": null,
"license": "",
"summary": "UEFI variable store tools",
"version": "0.1",
"project_urls": {
"Homepage": "https://github.com/awslabs/python-uefivars"
},
"split_keywords": [],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "829cd943412fe300ca7609df04059bca111c44d002aa436ff2790d159bc0bee5",
"md5": "58806c4ee6614818d6e5882d066e9abd",
"sha256": "20a30287bc9de48c92349221a52e1b3b8a0f563938e8b9048d9303afee8ee82b"
},
"downloads": -1,
"filename": "python_uefivars-0.1-py3-none-any.whl",
"has_sig": false,
"md5_digest": "58806c4ee6614818d6e5882d066e9abd",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": null,
"size": 26830,
"upload_time": "2024-03-06T09:25:36",
"upload_time_iso_8601": "2024-03-06T09:25:36.994832Z",
"url": "https://files.pythonhosted.org/packages/82/9c/d943412fe300ca7609df04059bca111c44d002aa436ff2790d159bc0bee5/python_uefivars-0.1-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": "",
"digests": {
"blake2b_256": "f5ff6d27f7d075dd3c5b8ea233c24d7b015cf26ced754651bd3006a32594c4ba",
"md5": "d2258c621fac1a3638bcc744b81826fc",
"sha256": "e34082360d41fb82b43cf5b824f835ff8a6ffab8406cf43c81ec901a5e932ef3"
},
"downloads": -1,
"filename": "python-uefivars-0.1.tar.gz",
"has_sig": false,
"md5_digest": "d2258c621fac1a3638bcc744b81826fc",
"packagetype": "sdist",
"python_version": "source",
"requires_python": null,
"size": 24547,
"upload_time": "2024-03-06T09:25:38",
"upload_time_iso_8601": "2024-03-06T09:25:38.417388Z",
"url": "https://files.pythonhosted.org/packages/f5/ff/6d27f7d075dd3c5b8ea233c24d7b015cf26ced754651bd3006a32594c4ba/python-uefivars-0.1.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2024-03-06 09:25:38",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "awslabs",
"github_project": "python-uefivars",
"travis_ci": false,
"coveralls": false,
"github_actions": true,
"requirements": [],
"lcname": "python-uefivars"
}