From d88e5780924fa873e7ebb11080a60ad623f13cbe Mon Sep 17 00:00:00 2001 From: 43313EB9AA87E7039F8F3948282E61C0CB12372C5499884609A01B2BCA37B973 <36488804+iadgovuser34@users.noreply.github.com> Date: Tue, 14 Mar 2023 17:03:17 -0400 Subject: [PATCH] Update Linux.md Section 2.5 updated to change commands related to hashing EFI binaries. A sha256sum or OpenSSL digest covers the entire executable file. Secure Boot's checks look at executable portions of the EFI file -- a different hash. Therefore, pehash and hash-to-efi-sig-list are necessary Linux commands instead of sha256sum and openssl. --- secureboot/Linux.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/secureboot/Linux.md b/secureboot/Linux.md index 4d05f3d..65e9a1f 100644 --- a/secureboot/Linux.md +++ b/secureboot/Linux.md @@ -188,13 +188,12 @@ Some drivers and installation packages have their own signing mechanism. A menti ### 2\.5. Create Hashes There are multiple ways to create SHA-256 hashes in Linux. Hexadecimal hashes are useful for use when creating ESL files. The following commands demonstrate two different ways to create a hex hash for the GRUB bootloader: ``` -openssl dgst -sha256 -hex -out grubosl.txt grubx64.efi - -pesign -h -i grubx64.efi | awk 'NF{print $NF}' > grubs2s.txt +pesign -h -i grubx64.efi | cut -d " " -f 2 > grubs2s.txt ``` Binary hashes may also be created. Some UEFI Configuration implementations expect binary hashes. Use the following commands to create a binary hash of the GRUB bootloader: ``` -openssl dgst -sha256 -binary -out grubosl.hsh grubx64.efi +hash-to-efi-sig-list grubx64.efi grubx64.esl | cut -d " " -f 3 > grubx64.txt +tail -c 32 grubx64.efi > grubx64.hsh ``` Finally, hashes of EFI binaries can be immediately converted into single-hash ESL files. See the following section for details.
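Review bot: `tail -c 32 grubx64.efi > grubx64.hsh` copies the last 32 bytes of the PE binary itself, not a hash of it, so the resulting `.hsh` file is junk; the 32-byte SHA-256 that `hash-to-efi-sig-list` computes is what it writes into `grubx64.esl` (a single-entry ESL is the 28-byte EFI_SIGNATURE_LIST header, the 16-byte owner GUID, then the 32-byte digest), so the binary hash should be cut from the ESL file, e.g. `tail -c 32 grubx64.esl > grubx64.hsh`. Two smaller points: with the `openssl dgst -hex` line removed, the unchanged context sentence "The following commands demonstrate two different ways to create a hex hash" now introduces only one command and should be reworded (likewise "Use the following commands to create a binary hash" now describes an ESL-plus-extract step); and the replaced `awk 'NF{print $NF}'` printed the last whitespace-separated field of `pesign -h` output regardless of spacing, whereas `cut -d " " -f 2` silently returns the wrong field if the tool emits more than one space or a different layout, so either keep the awk form or document the exact `pesign -h` output format it relies on.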