secureboot-db for Ubuntu
------------------------

When Secure Boot is enabled, the bootloader must be signed by an entry in the
Secure Boot DB. If the signature verifies and the entry does not appear in the
DBX blacklist, the boot process is allowed to continue. Each stage of the boot
process may also be verified against DB and DBX. DB and DBX will need to be
updated for certificate updates and additions to the blacklist, and this
package provides the mechanism to do so. It works by adding signed updates to
/usr/share/secureboot/updates and then running sbkeysync on them. E.g.:

$ sudo sbkeysync --no-default-keystores \
                 --keystore /usr/share/secureboot/updates

Note that this package tries to add all keys from the keystore that are not
found in the key databases in firmware. When Secure Boot is enabled, updates to
DB and DBX can only be performed if they are signed by an entry in the KEK
database.

 -- Jamie Strandboge <jamie@ubuntu.com>  Tue, 04 Dec 2012 13:22:03 -0600
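
To review what a signed update would add to DB or DBX before running sbkeysync, the following added example (not part of the original README or the secureboot-db package) lists the entries inside an update file. It goes beyond the text above by assuming the update uses the UEFI EFI_VARIABLE_AUTHENTICATION_2 layout with EFI_SIGNATURE_LIST payloads; the function names and the sample bytes are constructed for illustration, and the PKCS#7 signature itself is not verified here (the firmware checks it against KEK).

```python
import struct
import uuid

PKCS7 = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7")   # EFI_CERT_TYPE_PKCS7_GUID
SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")  # EFI_CERT_SHA256_GUID
X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")    # EFI_CERT_X509_GUID
SIG_TYPES = {SHA256: "sha256", X509: "x509"}

def parse_sig_lists(data):
    """Walk concatenated EFI_SIGNATURE_LIST structures; return (type, owner, value) tuples."""
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if (list_size < 28 + hdr_size or off + list_size > len(data)
                or sig_size <= 16 or (list_size - 28 - hdr_size) % sig_size):
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        body = data[off + 28 + hdr_size:off + list_size]
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])  # SignatureOwner GUID
            entries.append((SIG_TYPES.get(sig_type, str(sig_type)), owner, body[i + 16:i + sig_size]))
        off += list_size
    return entries

def parse_auth_update(blob):
    """Parse EFI_TIME + WIN_CERTIFICATE_UEFI_GUID (dwLength = 24-byte header + PKCS#7) + payload."""
    if len(blob) < 40:
        raise ValueError("too short for EFI_TIME + WIN_CERTIFICATE_UEFI_GUID")
    year, month, day, hour, minute, second = struct.unpack_from("<HBBBBB", blob, 0)
    dw_length, revision, cert_type = struct.unpack_from("<IHH", blob, 16)
    if (revision, cert_type) != (0x0200, 0x0EF1) or uuid.UUID(bytes_le=blob[24:40]) != PKCS7:
        raise ValueError("AuthInfo is not a PKCS#7 WIN_CERTIFICATE_UEFI_GUID")
    if dw_length < 24 or 16 + dw_length > len(blob):
        raise ValueError("dwLength out of range")
    return {"timestamp": "%04d-%02d-%02d %02d:%02d:%02d" % (year, month, day, hour, minute, second),
            "pkcs7_len": dw_length - 24,
            "entries": parse_sig_lists(blob[16 + dw_length:])}

def constructed_sample():
    """CONSTRUCTED input: one SHA-256 entry, 4 placeholder bytes where the PKCS#7 data would be."""
    owner = uuid.UUID("11111111-2222-3333-4444-555555555555")  # made-up owner GUID
    sig = owner.bytes_le + bytes(range(32))                     # made-up digest value
    esl = SHA256.bytes_le + struct.pack("<III", 28 + len(sig), 0, len(sig)) + sig
    time = struct.pack("<HBBBBBBIhBB", 2020, 1, 2, 3, 4, 5, 0, 0, 0, 0, 0)
    cert = struct.pack("<IHH", 24 + 4, 0x0200, 0x0EF1) + PKCS7.bytes_le + b"\x00" * 4
    return time + cert + esl
```

On a real system, pass the bytes of a file from the keystore directory to `parse_auth_update` and compare the listed entries with what you expect the update to add.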