Parse UEFI variables db and dbx that contain signatures, certificates and hashes. On a Linux system using UEFI, these variables are readable from /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f, /sys/firmware/efi/efivars/dbDefault-8be4df61-93ca-11d2-aa0d-00e098032b8c, /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f and /sys/firmware/efi/efivars/dbxDefault-8be4df61-93ca-11d2-aa0d-00e098032b8c. ("d719b2cb-3d3a-4596-a3bc-dad00e67656f" is defined as EFI_IMAGE_SECURITY_DATABASE_GUID and "8be4df61-93ca-11d2-aa0d-00e098032b8c" as EFI_GLOBAL_VARIABLE). Each file contains an EFI attribute (32-bit integer) followed by a list of EFI_SIGNATURE_LIST structures.
This page hosts a formal specification of UEFI Variable with Signature List using Kaitai Struct. This specification can be automatically translated into a variety of programming languages to get a parsing library.
digraph {
rankdir=LR;
node [shape=plaintext];
subgraph cluster__efivar_signature_list {
label="EfivarSignatureList";
graph[style=dotted];
efivar_signature_list__seq [label=<<TABLE BORDER="0" CELLBORDER="1" CELLSPACING="0">
<TR><TD BGCOLOR="#E0FFE0">pos</TD><TD BGCOLOR="#E0FFE0">size</TD><TD BGCOLOR="#E0FFE0">type</TD><TD BGCOLOR="#E0FFE0">id</TD></TR>
<TR><TD PORT="var_attributes_pos">0</TD><TD PORT="var_attributes_size">4</TD><TD>EfiVarAttr</TD><TD PORT="var_attributes_type">var_attributes</TD></TR>
<TR><TD PORT="signatures_pos">4</TD><TD PORT="signatures_size">...</TD><TD>SignatureList</TD><TD PORT="signatures_type">signatures</TD></TR>
<TR><TD COLSPAN="4" PORT="signatures__repeat">repeat to end of stream</TD></TR>
</TABLE>>];
subgraph cluster__signature_list {
label="EfivarSignatureList::SignatureList";
graph[style=dotted];
signature_list__seq [label=<<TABLE BORDER="0" CELLBORDER="1" CELLSPACING="0">
<TR><TD BGCOLOR="#E0FFE0">pos</TD><TD BGCOLOR="#E0FFE0">size</TD><TD BGCOLOR="#E0FFE0">type</TD><TD BGCOLOR="#E0FFE0">id</TD></TR>
<TR><TD PORT="signature_type_pos">0</TD><TD PORT="signature_type_size">16</TD><TD></TD><TD PORT="signature_type_type">signature_type</TD></TR>
<TR><TD PORT="len_signature_list_pos">16</TD><TD PORT="len_signature_list_size">4</TD><TD>u4le</TD><TD PORT="len_signature_list_type">len_signature_list</TD></TR>
<TR><TD PORT="len_signature_header_pos">20</TD><TD PORT="len_signature_header_size">4</TD><TD>u4le</TD><TD PORT="len_signature_header_type">len_signature_header</TD></TR>
<TR><TD PORT="len_signature_pos">24</TD><TD PORT="len_signature_size">4</TD><TD>u4le</TD><TD PORT="len_signature_type">len_signature</TD></TR>
<TR><TD PORT="header_pos">28</TD><TD PORT="header_size">len_signature_header</TD><TD></TD><TD PORT="header_type">header</TD></TR>
<TR><TD PORT="signatures_pos">...</TD><TD PORT="signatures_size">len_signature</TD><TD>SignatureData</TD><TD PORT="signatures_type">signatures</TD></TR>
<TR><TD COLSPAN="4" PORT="signatures__repeat">repeat (((len_signature_list - len_signature_header) - 28) / len_signature) times</TD></TR>
</TABLE>>];
signature_list__inst__is_cert_sha512_x509 [label=<<TABLE BORDER="0" CELLBORDER="1" CELLSPACING="0">
<TR><TD BGCOLOR="#E0FFE0">id</TD><TD BGCOLOR="#E0FFE0">value</TD></TR>
<TR><TD>is_cert_sha512_x509</TD><TD>signature_type == [99, 191, 109, 68, 2, 37, 218, 76, 188, 250, 36, 101, 210, 176, 254, 157].pack('C*')</TD></TR>
</TABLE>>];
signature_list__inst__is_cert_sha224 [label=<<TABLE BORDER="0" CELLBORDER="1" CELLSPACING="0">
<TR><TD BGCOLOR="#E0FFE0">id</TD><TD BGCOLOR="#E0FFE0">value</TD></TR>
<TR><TD>is_cert_sha224</TD><TD>signature_type == [51, 82, 110, 11, 92, 166, 201, 68, 148, 7, 217, 171, 131, 191, 200, 189].pack('C*')</TD></TR>
</TABLE>>];
signature_list__inst__is_cert_x509 [label=<<TABLE BORDER="0" CELLBORDER="1" CELLSPACING="0">
<TR><TD BGCOLOR="#E0FFE0">id</TD><TD BGCOLOR="#E0FFE0">value</TD></TR>
<TR><TD>is_cert_x509</TD><TD>signature_type == [161, 89, 192, 165, 228, 148, 167, 74, 135, 181, 171, 21, 92, 43, 240, 114].pack('C*')</TD></TR>
</TABLE>>];
signature_list__inst__is_cert_sha256_x509 [label=<<TABLE BORDER="0" CELLBORDER="1" CELLSPACING="0">
<TR><TD BGCOLOR="#E0FFE0">id</TD><TD BGCOLOR="#E0FFE0">value</TD></TR>
<TR><TD>is_cert_sha256_x509</TD><TD>signature_type == [146, 164, 210, 59, 192, 150, 121, 64, 180, 32, 252, 249, 142, 241, 3, 237].pack('C*')</TD></TR>
</TABLE>>];
signature_list__inst__is_cert_rsa2048_key [label=<<TABLE BORDER="0" CELLBORDER="1" CELLSPACING="0">
<TR><TD BGCOLOR="#E0FFE0">id</TD><TD BGCOLOR="#E0FFE0">value</TD></TR>
<TR><TD>is_cert_rsa2048_key</TD><TD>signature_type == [232, 102, 87, 60, 156, 38, 52, 78, 170, 20, 237, 119, 110, 133, 179, 182].pack('C*')</TD></TR>
</TABLE>>];
signature_list__inst__is_cert_sha512 [label=<<TABLE BORDER="0" CELLBORDER="1" CELLSPACING="0">
<TR><TD BGCOLOR="#E0FFE0">id</TD><TD BGCOLOR="#E0FFE0">value</TD></TR>
<TR><TD>is_cert_sha512</TD><TD>signature_type == [174, 15, 62, 9, 196, 166, 80, 79, 159, 27, 212, 30, 43, 137, 193, 154].pack('C*')</TD></TR>
</TABLE>>];
signature_list__inst__is_cert_sha384 [label=<<TABLE BORDER="0" CELLBORDER="1" CELLSPACING="0">
<TR><TD BGCOLOR="#E0FFE0">id</TD><TD BGCOLOR="#E0FFE0">value</TD></TR>
<TR><TD>is_cert_sha384</TD><TD>signature_type == [7, 83, 62, 255, 208, 159, 201, 72, 133, 241, 138, 213, 108, 112, 30, 1].pack('C*')</TD></TR>
</TABLE>>];
signature_list__inst__is_cert_sha1 [label=<<TABLE BORDER="0" CELLBORDER="1" CELLSPACING="0">
<TR><TD BGCOLOR="#E0FFE0">id</TD><TD BGCOLOR="#E0FFE0">value</TD></TR>
<TR><TD>is_cert_sha1</TD><TD>signature_type == [18, 165, 108, 130, 16, 207, 201, 74, 177, 135, 190, 1, 73, 102, 49, 189].pack('C*')</TD></TR>
</TABLE>>];
signature_list__inst__is_cert_rsa2048_sha1 [label=<<TABLE BORDER="0" CELLBORDER="1" CELLSPACING="0">
<TR><TD BGCOLOR="#E0FFE0">id</TD><TD BGCOLOR="#E0FFE0">value</TD></TR>
<TR><TD>is_cert_rsa2048_sha1</TD><TD>signature_type == [79, 68, 248, 103, 67, 135, 241, 72, 163, 40, 30, 170, 184, 115, 96, 128].pack('C*')</TD></TR>
</TABLE>>];
signature_list__inst__is_cert_sha256 [label=<<TABLE BORDER="0" CELLBORDER="1" CELLSPACING="0">
<TR><TD BGCOLOR="#E0FFE0">id</TD><TD BGCOLOR="#E0FFE0">value</TD></TR>
<TR><TD>is_cert_sha256</TD><TD>signature_type == [38, 22, 196, 193, 76, 80, 146, 64, 172, 169, 65, 249, 54, 147, 67, 40].pack('C*')</TD></TR>
</TABLE>>];
signature_list__inst__is_cert_sha384_x509 [label=<<TABLE BORDER="0" CELLBORDER="1" CELLSPACING="0">
<TR><TD BGCOLOR="#E0FFE0">id</TD><TD BGCOLOR="#E0FFE0">value</TD></TR>
<TR><TD>is_cert_sha384_x509</TD><TD>signature_type == [110, 135, 118, 112, 194, 128, 230, 78, 170, 210, 40, 179, 73, 166, 134, 91].pack('C*')</TD></TR>
</TABLE>>];
signature_list__inst__is_cert_rsa2048_sha256 [label=<<TABLE BORDER="0" CELLBORDER="1" CELLSPACING="0">
<TR><TD BGCOLOR="#E0FFE0">id</TD><TD BGCOLOR="#E0FFE0">value</TD></TR>
<TR><TD>is_cert_rsa2048_sha256</TD><TD>signature_type == [144, 97, 179, 226, 155, 135, 61, 74, 173, 141, 242, 231, 187, 163, 39, 132].pack('C*')</TD></TR>
</TABLE>>];
signature_list__inst__is_cert_der_pkcs7 [label=<<TABLE BORDER="0" CELLBORDER="1" CELLSPACING="0">
<TR><TD BGCOLOR="#E0FFE0">id</TD><TD BGCOLOR="#E0FFE0">value</TD></TR>
<TR><TD>is_cert_der_pkcs7</TD><TD>signature_type == [157, 210, 175, 74, 223, 104, 238, 73, 138, 169, 52, 125, 55, 86, 101, 167].pack('C*')</TD></TR>
</TABLE>>];
}
subgraph cluster__signature_data {
label="EfivarSignatureList::SignatureData";
graph[style=dotted];
signature_data__seq [label=<<TABLE BORDER="0" CELLBORDER="1" CELLSPACING="0">
<TR><TD BGCOLOR="#E0FFE0">pos</TD><TD BGCOLOR="#E0FFE0">size</TD><TD BGCOLOR="#E0FFE0">type</TD><TD BGCOLOR="#E0FFE0">id</TD></TR>
<TR><TD PORT="owner_pos">0</TD><TD PORT="owner_size">16</TD><TD></TD><TD PORT="owner_type">owner</TD></TR>
<TR><TD PORT="data_pos">16</TD><TD PORT="data_size">⇲</TD><TD></TD><TD PORT="data_type">data</TD></TR>
</TABLE>>];
}
subgraph cluster__efi_var_attr {
label="EfivarSignatureList::EfiVarAttr";
graph[style=dotted];
efi_var_attr__seq [label=<<TABLE BORDER="0" CELLBORDER="1" CELLSPACING="0">
<TR><TD BGCOLOR="#E0FFE0">pos</TD><TD BGCOLOR="#E0FFE0">size</TD><TD BGCOLOR="#E0FFE0">type</TD><TD BGCOLOR="#E0FFE0">id</TD></TR>
<TR><TD PORT="enhanced_authenticated_access_pos">0</TD><TD PORT="enhanced_authenticated_access_size">1b</TD><TD>BitsType1(BigBitEndian)</TD><TD PORT="enhanced_authenticated_access_type">enhanced_authenticated_access</TD></TR>
<TR><TD PORT="append_write_pos">0:1</TD><TD PORT="append_write_size">1b</TD><TD>BitsType1(BigBitEndian)</TD><TD PORT="append_write_type">append_write</TD></TR>
<TR><TD PORT="time_based_authenticated_write_access_pos">0:2</TD><TD PORT="time_based_authenticated_write_access_size">1b</TD><TD>BitsType1(BigBitEndian)</TD><TD PORT="time_based_authenticated_write_access_type">time_based_authenticated_write_access</TD></TR>
<TR><TD PORT="authenticated_write_access_pos">0:3</TD><TD PORT="authenticated_write_access_size">1b</TD><TD>BitsType1(BigBitEndian)</TD><TD PORT="authenticated_write_access_type">authenticated_write_access</TD></TR>
<TR><TD PORT="hardware_error_record_pos">0:4</TD><TD PORT="hardware_error_record_size">1b</TD><TD>BitsType1(BigBitEndian)</TD><TD PORT="hardware_error_record_type">hardware_error_record</TD></TR>
<TR><TD PORT="runtime_access_pos">0:5</TD><TD PORT="runtime_access_size">1b</TD><TD>BitsType1(BigBitEndian)</TD><TD PORT="runtime_access_type">runtime_access</TD></TR>
<TR><TD PORT="bootservice_access_pos">0:6</TD><TD PORT="bootservice_access_size">1b</TD><TD>BitsType1(BigBitEndian)</TD><TD PORT="bootservice_access_type">bootservice_access</TD></TR>
<TR><TD PORT="non_volatile_pos">0:7</TD><TD PORT="non_volatile_size">1b</TD><TD>BitsType1(BigBitEndian)</TD><TD PORT="non_volatile_type">non_volatile</TD></TR>
<TR><TD PORT="reserved1_pos">1</TD><TD PORT="reserved1_size">3</TD><TD>b24</TD><TD PORT="reserved1_type">reserved1</TD></TR>
</TABLE>>];
}
}
efivar_signature_list__seq:var_attributes_type -> efi_var_attr__seq [style=bold];
efivar_signature_list__seq:signatures_type -> signature_list__seq [style=bold];
signature_list__seq:len_signature_header_type -> signature_list__seq:header_size [color="#404040"];
signature_list__seq:len_signature_type -> signature_list__seq:signatures_size [color="#404040"];
signature_list__seq:signatures_type -> signature_data__seq [style=bold];
signature_list__seq:len_signature_list_type -> signature_list__seq:signatures__repeat [color="#404040"];
signature_list__seq:len_signature_header_type -> signature_list__seq:signatures__repeat [color="#404040"];
signature_list__seq:len_signature_type -> signature_list__seq:signatures__repeat [color="#404040"];
signature_list__seq:signature_type_type -> signature_list__inst__is_cert_sha512_x509 [color="#404040"];
signature_list__seq:signature_type_type -> signature_list__inst__is_cert_sha224 [color="#404040"];
signature_list__seq:signature_type_type -> signature_list__inst__is_cert_x509 [color="#404040"];
signature_list__seq:signature_type_type -> signature_list__inst__is_cert_sha256_x509 [color="#404040"];
signature_list__seq:signature_type_type -> signature_list__inst__is_cert_rsa2048_key [color="#404040"];
signature_list__seq:signature_type_type -> signature_list__inst__is_cert_sha512 [color="#404040"];
signature_list__seq:signature_type_type -> signature_list__inst__is_cert_sha384 [color="#404040"];
signature_list__seq:signature_type_type -> signature_list__inst__is_cert_sha1 [color="#404040"];
signature_list__seq:signature_type_type -> signature_list__inst__is_cert_rsa2048_sha1 [color="#404040"];
signature_list__seq:signature_type_type -> signature_list__inst__is_cert_sha256 [color="#404040"];
signature_list__seq:signature_type_type -> signature_list__inst__is_cert_sha384_x509 [color="#404040"];
signature_list__seq:signature_type_type -> signature_list__inst__is_cert_rsa2048_sha256 [color="#404040"];
signature_list__seq:signature_type_type -> signature_list__inst__is_cert_der_pkcs7 [color="#404040"];
}