# Hash unsigned images and update db for image authentication

Source: [https://docs.qualcomm.com/doc/80-70014-11/topic/hash-unsigned-images-and-update-db-for-image-authentication.html](https://docs.qualcomm.com/doc/80-70014-11/topic/hash-unsigned-images-and-update-db-for-image-authentication.html)

UEFI secure boot allows image authentication. This authentication is achieved through the hash of images stored in the signature database (DB), even if the images are not signed or the certificates in the images are not present in the DB.

This process is reserved for content that cannot be signed or altered from its vendor-provided state. If the image hash is available in the DBX deny list, the trust of signed binaries can be removed without having to revoke the corresponding certificates or keys. This is useful, for example, when dealing with a previously signed boot loader that is vulnerable to recent exploits.

It is redundant to apply a signature and create a DB hash for the same binary. Follow these steps if the image composition does not require any changes, meaning no new keys and certificates are being added or modified in the image, and no UEFI secure boot authentication is needed for the existing images.

## Generate db.auth file for unsigned images

You can calculate the hash of images and generate an allowed signature DB file by following these steps:

1. Generate a hash of all images to be verified and convert the hash into an `.esl` file:

        hash-to-efi-sig-list <list of efis to be hashed> <output file name with .esl extension>

2. Sign the hash `.esl` file with the DB key:

        sign-efi-sig-list -k <.key file location> -c <.crt file location> <secure variable name> <above generated .esl file> <o/p .auth file>

3. Copy the generated `db.auth` file into the EFI binary and provision the keys into the device.

For example, on a Linux host machine:

1. Mount the `efi.bin` file to the `<workspace>` directory and create an `efimountedbin` folder in the `<workspace>` directory.
2. Create a `testkeys` folder in the `<workspace>` directory on the Linux machine and copy the pre-existing keys to it.
3. Sign the images (the first command hashes each listed EFI binary into one `.esl` file, the second signs that list with the DB key):

        hash-to-efi-sig-list <workspace>/efimountedbin/EFI/BOOT/bootaa64.efi <workspace>/efimountedbin/EFI/Linux/uki.efi mergedhash.esl
        sign-efi-sig-list -k keys/db.key -c db.crt db mergedhash.esl db.auth

4. Copy the `db.auth` file to the `qckeys` folder at `<workspace>/efimountedbin/loader/keys/qckeys`.
5. Follow the dtb signing steps and sign the dtb images to generate a new `efi.bin` file. For more information, see [Sign images and copy (.Auth) key/signed files to EFI partition](https://docs.qualcomm.com/doc/80-70014-11/topic/sign-images-and-copy-auth-key-signed-files-to-efi-partition.html).
6. From the Linux host machine, on the target:
    1. Erase any existing UEFI secure boot keys and flash the EFI binary with fastboot.
    2. Provision keys with systemd-boot. For more information, see [Enable UEFI secure boot from systemd-boot menu](https://docs.qualcomm.com/doc/80-70014-11/topic/enable-uefi-secure-boot-from-systemd-boot-menu.html).

Note: All unsigned files are signed with other keys and authenticated with UEFI using this method.
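Before signing and provisioning an `.esl` such as `mergedhash.esl`, it is worth checking exactly which hashes it will add to the DB. The following added example (not part of the Qualcomm documentation or of efitools) builds and parses the `EFI_SIGNATURE_LIST` layout that `hash-to-efi-sig-list` emits for SHA-256 image hashes; the owner GUID and the digests are constructed placeholders, and real entries carry the Authenticode PE image hash, not a plain `sha256sum` of the file.

```python
import struct
import uuid

# EFI_CERT_SHA256_GUID as defined in the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# SignatureOwner for entries built here: a constructed placeholder, not a Qualcomm value.
EXAMPLE_OWNER_GUID = uuid.UUID("00000000-0000-0000-0000-000000000001")
# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
_HDR = struct.Struct("<16sIII")


def build_sha256_esl(digests, owner=EXAMPLE_OWNER_GUID):
    """Pack all 32-byte digests into one EFI_SIGNATURE_LIST, the shape hash-to-efi-sig-list produces."""
    if not digests or any(len(d) != 32 for d in digests):
        raise ValueError("need one or more 32-byte SHA-256 digests")
    sig_size = 16 + 32                      # EFI_SIGNATURE_DATA: SignatureOwner GUID + digest
    list_size = _HDR.size + len(digests) * sig_size
    body = b"".join(owner.bytes_le + d for d in digests)
    return _HDR.pack(EFI_CERT_SHA256_GUID.bytes_le, list_size, 0, sig_size) + body


def parse_esl(data):
    """Walk every EFI_SIGNATURE_LIST in an .esl blob; return (type_guid, owner_guid, signature_bytes) tuples."""
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < _HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type, list_size, hdr_size, sig_size = _HDR.unpack_from(data, off)
        if list_size < _HDR.size + hdr_size or off + list_size > len(data) or sig_size <= 16:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        pos, end = off + _HDR.size + hdr_size, off + list_size
        if (end - pos) % sig_size:
            raise ValueError("signature area is not a multiple of SignatureSize")
        while pos < end:
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            entries.append((uuid.UUID(bytes_le=sig_type), owner, data[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries


def sha256_hashes_in(data):
    """Hex digests of every SHA-256 entry in the blob: the image hashes the DB would allow."""
    return {sig.hex() for sig_type, _, sig in parse_esl(data) if sig_type == EFI_CERT_SHA256_GUID}
```

Run `sha256_hashes_in(open("mergedhash.esl", "rb").read())` against the generated file and compare the set with the images you intended to allow before running `sign-efi-sig-list`.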

**Parent Topic:** [Enable UEFI secure boot](https://docs.qualcomm.com/doc/80-70014-11/topic/enable-uefi-secure-boot.html)

Last Published: Aug 06, 2024
