rename the binary to mkefivardata

Author: h908714124

.gitignore

@@ -1,35 +1,7 @@
 *.o
-*.so
-*.a
-*.efi
-*.key
-*.crt
-*.csr
-*.cer
 *.auth
-*.esl
-*.1
-PK.h
-KEK.h
-DB.h
-hashlist.h
-*.hash
+*.vardata
 *~
 *.swp
-*.orig
-*.pvk
-*.p12
-*.der
-*.pk7
-*.cab
-hash-to-efi-sig-list
-cert-to-efi-sig-list
-cert-to-efi-hash-list
-sig-list-to-certs
-sign-efi-sig-list
-efi-keytool
-efi-readvar
-efi-updatevar
-flash-var
-/build
+/mkefivardata
 /tags

Make.rules

@@ -1,4 +1,4 @@
-BINARY = efi-updatevar
+BINARY = mkefivardata
 
 CFLAGS = 
 CFLAGS += -Iinclude

Makefile

@@ -1,34 +1,28 @@
-# efi-updatevar
+# mkefivardata
 
 * [efitools was removed from Fedora 41](https://discussion.fedoraproject.org/t/f41-secure-boot-with-only-your-own-keys/138120)
 * [efitools upstream](https://web.git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git/) is unmaintained
 * sbctl can generate keys and sign, but [efi-updatevar is still needed](https://github.com/Foxboron/sbctl/issues/434)
 
-The upstream efi-updatevar was modified so that it doesn't write to the efivars filesystem directly, but converts the "auth" files to intermediate "vardata" files instead.
+The upstream `efi-updatevar` was modified so that it doesn't write to the efivars filesystem directly, but converts the `*.auth` files to intermediate `*.vardata` files instead. To avoid confusion, it was also renamed to `mkefivardata`.
 
-It is safe to copy the vardata files onto an untrusted machine as they do not contain the private key. To enroll the secureboot keys they contain, simply copy the vardata files to the appropriate file in the efivars filesystem.
+It is safe to copy the `*.vardata` files onto an untrusted machine, since they do not contain the private key. To enroll keys, it is enough to copy the vardata files to the appropriate place in the efivars filesystem.
 
-### dependencies
+### Install dependencies
 
 ```sh
 sudo dnf group install c-development
 sudo dnf install gnu-efi-devel openssl-devel
 ```
 
-### Building efi-updatevar
+### Build the binary
 
 ```sh
 make clean
 make
 ```
 
-### create ctags
-
-```sh
-ctags -R --exclude .git
-```
-
-### Testing
+### Enroll keys
 
 Install sbctl:
 
@@ -37,36 +31,38 @@ sudo dnf copr enable chenxiaolong/sbctl
 sudo dnf install sbctl
 ```
 
-Generate auth files:
+Generate keys and auth files:
 
 ```sh
 sudo sbctl create-keys
 sudo sbctl enroll-keys --microsoft --export auth
 ```
 
-Convert auth to vardata.
+Convert auth files to vardata files:
 
 ```sh
-./efi-updatevar db.auth /tmp/db.vardata db
-./efi-updatevar KEK.auth /tmp/KEK.vardata KEK
-./efi-updatevar PK.auth /tmp/PK.vardata PK
+./mkefivardata db.auth db.vardata db
+./mkefivardata KEK.auth KEK.vardata KEK
+./mkefivardata PK.auth PK.vardata PK
 ```
 
-Next, we update the efivars filesystem.
-This may only work in setup mode.
+The remaining steps may only work in setup mode.
 
 To verify that the system is in setup mode, run `mokutil --sb-state` or `sbctl status`.
 
-Now copy each vardata file to its correct destination in the efivars filesystem:
+Copy each vardata file to its correct destination in the efivars filesystem:
 
 ```sh
 sudo chattr -i /sys/firmware/efi/efivars/*
-sudo cp /tmp/db.vardata /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
-sudo cp /tmp/KEK.vardata /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c
-sudo cp /tmp/PK.vardata /sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c
+sudo cp db.vardata /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
+sudo cp KEK.vardata /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c
+sudo cp PK.vardata /sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c
 ```
 
+Congratulations, the keys are now enrolled.
+
 Notes:
 
-* The destination filenames in the efivars filesystem look random, but they are always the same.
+* `cp <var>.vardata /sys/...` is equivalent to `efi-updatevar -f <var>.auth <var>`.
+* The destination filenames in the efivars filesystem may look random, but they are always the same.
 * After copying `PK.vardata`, the system should not be in setup mode anymore.