# Hash unsigned images and update DB for image authentication

UEFI secure boot allows image authentication. An image can be
authenticated through its hash stored in the signature database (DB),
even if the image is not signed or the certificate in the image is not
present in the DB.

This process is reserved for content that cannot be signed or altered
from its vendor-provided state. If an image hash is placed in the deny
list signature database (DBX), trust in that binary can be removed even
if it is signed, without revoking the corresponding certificate or key.
This is useful, for example, when a previously signed boot loader is
found to be vulnerable to recent exploits.

It is redundant to apply a signature and create a DB hash for the same
binary. Follow these steps when the image composition does not need to
change, that is, when no new keys or certificates are added to or
modified in the image and no UEFI secure boot authentication is needed
for the existing images.

## Generate db.auth file for unsigned images

You can calculate the hash of images and generate an allowed signature
DB file by following these steps:

1. Generate a hash of all images to be verified and convert the hashes
into an `.esl` file:

   ```shell
   hash-to-efi-sig-list <list of EFI binaries to be hashed> <output file name with .esl extension>
   ```

2. Sign the `.esl` hash file with the DB key:

   ```shell
   sign-efi-sig-list -k <.key file location> -c <.crt file location> <secure variable name> <.esl file generated above> <output .auth file>
   ```

3. Copy the generated `db.auth` file into the EFI binary and provision
the keys into the device.

For example, on a Linux host machine:

1. Mount the `efi.bin` file to the `<workspace>` directory and create an
`efimountedbin` folder in the `<workspace>` directory.
2. Create a `testkeys` folder in the `<workspace>` directory on the Linux
machine and copy the pre-existing keys to it.
3. Sign the images:

   ```shell
   # Hash both EFI images into one signature list, then sign that list with the
   # DB key pair (db.key, db.crt) from the key folder created in step 2.
   hash-to-efi-sig-list <workspace>/efimountedbin/EFI/BOOT/bootaa64.efi <workspace>/efimountedbin/EFI/Linux/uki.efi mergedhash.esl
   sign-efi-sig-list -k keys/db.key -c keys/db.crt db mergedhash.esl db.auth
   ```

4. Copy the `db.auth` file to the `qckeys` folder at `<workspace>/efimountedbin/loader/keys/qckeys`.
5. Follow the dtb signing steps and sign the dtb images to generate a
new `efi.bin` file. For more information, see [Sign images and copy (.auth) key/signed files to EFI partition](https://docs.qualcomm.com/doc/80-70017-11/topic/sign-images-and-copy-auth-key-signed-files-to-efi-partition.html#sign-images-and-copy-auth-key-signed-files-to-efi-partition).
6. On the target, using the Linux host machine:

    1. Erase any existing UEFI secure boot keys and flash the EFI binary
with fastboot.
    2. Provision keys with systemd-boot. For more information,
see [Enable UEFI secure boot from systemd-boot menu](https://docs.qualcomm.com/doc/80-70017-11/topic/enable-uefi-secure-boot-from-systemd-boot-menu.html#enable-uefi-secure-boot-from-systemd-boot-menu).
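The following Python is an added example, not part of this page or of the efitools project. It builds and parses the `EFI_SIGNATURE_LIST` layout that `hash-to-efi-sig-list` writes, and unwraps the `EFI_VARIABLE_AUTHENTICATION_2` envelope that `sign-efi-sig-list` adds, so you can check which digests a `mergedhash.esl` or `db.auth` actually carries before provisioning it. Structure layouts and GUIDs are taken from the UEFI specification; note that `hash-to-efi-sig-list` stores each image's PE Authenticode digest, not a plain SHA-256 of the file bytes.

```python
"""Build and inspect EFI_SIGNATURE_LIST (.esl) and .auth payloads (added example)."""
import struct
import uuid

# GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")     # 32-byte digests
EFI_CERT_TYPE_PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7")  # .auth CertType
ENTRY_SIZE = 16 + 32  # SignatureOwner GUID + SHA-256 digest


def build_sha256_esl(hashes, owner=uuid.UUID(int=0)):
    """Return one EFI_SIGNATURE_LIST of EFI_CERT_SHA256 entries, the layout
    hash-to-efi-sig-list writes (it stores each image's PE Authenticode digest)."""
    if any(len(h) != 32 for h in hashes):
        raise ValueError("each digest must be 32 bytes")
    list_size = 28 + ENTRY_SIZE * len(hashes)  # 28 = GUID + three UINT32 fields
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", list_size, 0, ENTRY_SIZE)
    return header + b"".join(owner.bytes_le + h for h in hashes)


def parse_esl(data):
    """Yield (SignatureType, SignatureOwner, SignatureData) for every entry in a
    blob of one or more concatenated EFI_SIGNATURE_LISTs."""
    off = 0
    while off < len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 or sig_size <= 16 or off + list_size > len(data):
            raise ValueError("truncated or corrupt EFI_SIGNATURE_LIST")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            yield sig_type, owner, data[pos + 16:pos + sig_size]
            pos += sig_size
        off = end


def strip_auth_header(auth):
    """Return the ESL carried by a .auth file (EFI_VARIABLE_AUTHENTICATION_2):
    a 16-byte EFI_TIME followed by WIN_CERTIFICATE_UEFI_GUID, whose dwLength
    covers the 8-byte WIN_CERTIFICATE header, the CertType GUID and the PKCS#7 blob."""
    (dw_length,) = struct.unpack_from("<I", auth, 16)
    if uuid.UUID(bytes_le=auth[24:40]) != EFI_CERT_TYPE_PKCS7_GUID:
        raise ValueError("not a PKCS#7-signed authenticated variable payload")
    return auth[16 + dw_length:]


def sha256_hashes_in(data):
    """Hex digests of all EFI_CERT_SHA256 entries; certificate entries are skipped."""
    return [sig.hex() for t, _, sig in parse_esl(data) if t == EFI_CERT_SHA256_GUID]
```

Run `sha256_hashes_in(open("mergedhash.esl", "rb").read())` on the generated list, or `sha256_hashes_in(strip_auth_header(open("db.auth", "rb").read()))` on the signed file, and compare the output with the digests `hash-to-efi-sig-list` reported for each image.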

Note

All unsigned files are signed with other keys and authenticated with UEFI using this method.

Last Published: Jan 30, 2025
