Login or Register to Ask a Question and Join Our Community

Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

eficheck(8) [mojave man page]

EFICHECK(8)						    BSD System Manager's Manual 					       EFICHECK(8)

NAME

     eficheck -- check the integrity of the x86 flash chip firmware.

SYNOPSIS

     eficheck --integrity-check [-h EFI-hash-input-file] [-b EFI-binary-input-file]
     eficheck --show-hashes [-h EFI-hash-input-file] [-b EFI-binary-input-file]
     eficheck --generate-hashes [-h EFI-hash-output-file] [-p output-path]
     eficheck --save [-b EFI-binary-output-file]
     eficheck --cleanup [-b EFI-binary-input-and-output-file>]
     eficheck --version
     eficheck --help

DESCRIPTION

     eficheck is a tool to check the x86 flash chip firmware.

     The following commands can be used with eficheck:

     --integrity-check hashes portion of the firmware and compares against known-good hashes

     --generate-hashes outputs hashes for a given firmware to be used as known-good hashes

     --show-hashes shows the hashes for the sub-sections of the firmware which are measured

     --save saves the full flash chip contents to a binary file. Requires root privileges.

     --cleanup zeros any privacy-sensitive data (such as nvram), enabling the file to be shared for analysis.

     --version print out eficheck version number.

     --help display a short help.

EXAMPLES

	    'eficheck --save -b firmware.bin'

		Save this system's EFI firmware as firmware.bin

	    'eficheck --cleanup -b firmware.bin'

		Overwrite the EFI variables portion of the firmware.bin, in place

	    'eficheck --generate-hashes'

		Analyze the current system's installed EFI firmware, and store the hashes into hash file(s) in current folder

		File name(s) will be selected according to image's EFI version(s)

	    'eficheck --generate-hashes -b firmware.bin'

		Analyze the firmware.bin, and store the hashes into hash file(s) in current folder. Filename will be based on the detected
     firmware version.

	    'eficheck --generate-hashes -p /usr/local/allowlists'

		Analyze the current system's installed EFI firmware, and store the hashes into hash file(s) in /usr/local/allowlists folder

	    'eficheck --integrity-check'

		Attempt to automatically determine which firmware you are running, and integrity check against the appropriate file, and report
     any differences

	    'eficheck --integrity-check -h /usr/libexec/firmwarecheckers/eficheck/EFIAllowListShipping.bun-
     dle/allowlists/IM171.88Z.0105.B08.1604111319.0.ealf'

		Compare the current system's EFI firmware against the Apple-provided expected measurements for an "iMac17,1" at firmware revision
     B08, and report any differences

	    'eficheck --integrity-check -h hash.ealf -b firmware.bin'

		Compare the given hash file against against the given firmware image and report any differences

	    'eficheck --show-hashes'

		Print the hashes for the current system's installed EFI firmware to stdout

	    'eficheck --show-hashes -b firmware.bin'

		Print the hashes for the given firmware.bin to stdout

	    'eficheck --show-hashes -h IM171.88Z.0105.B08.1604111319.0.ealf'

		Print the hashes for the given allowlist to stdout

								   May 25, 2017

Check Out this Related Man Page

BOOTCTL(1)							      bootctl								BOOTCTL(1)

NAME

       bootctl - Control the firmware and boot manager settings

SYNOPSIS

       bootctl [OPTIONS...] status

       bootctl [OPTIONS...] list

       bootctl [OPTIONS...] update

       bootctl [OPTIONS...] install

       bootctl [OPTIONS...] remove

DESCRIPTION

       bootctl checks, updates, installs or removes the boot loader from the current system.

       bootctl status checks and prints the currently installed versions of the boot loader binaries and all current EFI boot variables.

       bootctl list displays all configured boot loader entries.

       bootctl update updates all installed versions of systemd-boot, if the current version is newer than the version installed in the EFI system
       partition. This also includes the EFI default/fallback loader at /EFI/BOOT/BOOT*.EFI. A systemd-boot entry in the EFI boot variables is
       created if there is no current entry. The created entry will be added to the end of the boot order list.

       bootctl install installs systemd-boot into the EFI system partition. A copy of systemd-boot will be stored as the EFI default/fallback
       loader at /EFI/BOOT/BOOT*.EFI. A systemd-boot entry in the EFI boot variables is created and added to the top of the boot order list.

       bootctl remove removes all installed versions of systemd-boot from the EFI system partition, and removes systemd-boot from the EFI boot
       variables.

       If no command is passed, status is implied.

OPTIONS

       The following options are understood:

       -h, --help
	   Print a short help text and exit.

       --version
	   Print a short version string and exit.

       --path=
	   Path to the EFI System Partition (ESP). If not specified, /efi, /boot, and /boot/efi are checked in turn. It is recommended to mount
	   the ESP to /boot, if possible.

       -p, --print-path
	   This option modifies the behaviour of status. Just print the path to the EFI System Partition (ESP) to standard output and exit.

       --no-variables
	   Do not touch the EFI boot variables.

EXIT STATUS

       On success, 0 is returned, a non-zero failure code otherwise.

SEE ALSO

       Boot loader specification[1] systemd boot loader interface[2]

NOTES

	1. Boot loader specification
	   https://www.freedesktop.org/wiki/Specifications/BootLoaderSpec

	2. systemd boot loader interface
	   https://www.freedesktop.org/wiki/Software/systemd/BootLoaderInterface

systemd 237																BOOTCTL(1)
Man Page